Adverse Event Privacy Notice

Definitions used in this Privacy Notice



Term Definition
Adverse event An unwanted, unintended or harmful event in relation to the use of a Key product. With respect to medical devices, it also includes “incidents” and for cosmetics “serious undesirable effects”. Only the term “adverse event” is used in this Privacy Notice.
Personal Data Information in any format that can be used, directly or indirectly, alone or in combination with any other information, to identify a person.



Key and your privacy


Ensuring patient safety is extremely important to Key and we take the safe use of all our products seriously. Key needs to be able to get in touch with people who contact Key about our products in order to:

  • follow-up
  • obtain further information
  • give answers to requests, or
  • send requested material.

This Privacy Notice describes how we collect and use Personal Data to help us:

  • fulfil our duty to monitor the safety of all products including medicines we market (also known as our pharmacovigilance obligations)
  • ensure the quality and safety of all our products.

The Notice is also applicable to medical devices, cosmetic products and other consumer products that Key markets, since the international regulations on such products require similar safety and quality monitoring.

We are committed to protecting your privacy. When a suspected adverse event concerning one of our products is reported to us, we will collect certain information (Personal Data) that can be used to identify you.


Scope of this Privacy Notice


This Privacy Notice applies to information we collect from or about you online, by phone, fax, e-mail or post, or as part of the adverse event or quality reporting regulations applicable to Key. We may also collect this information about you through specific forms submitted by you on a site that is owned or controlled by Key.

If you are a patient, we may also be provided with information about you by a third party reporting an adverse event that affected you. Such third parties may include medical professionals, lawyers, relatives or other members of the public.

This Privacy Notice explains how we use the Personal Data we receive in connection with a suspected adverse event. It also explains your rights in relation to your Personal Data.


Information we collect and why we collect it


As the marketing authorisation holder of the medicinal product Key is the “data controller” of the Personal Data we collect in relation to reporting suspected adverse events concerning one of our products. This means that we are responsible for decisions about the collection and use of Personal Data. It also means that we are responsible for responding to your questions and requests in relation to the Personal Data we hold about you.

Key is under a legal obligation to collect specific data for reasons of public interest in the area of public health. In accordance with law, pharmaceutical companies, as market authorisation holders of medicinal products, must retain adverse event reports for at least the time period of the market authorisation for the relevant medicinal products, plus 10 years. Therefore, personal information related to the safety of our products will be retained for this time period. However, if there are legal obligations for us to keep the data for longer, we may do this.

In some circumstances we may anonymise your Personal Data so that it can no longer be associated with you, and we may use such information without further notice to you.


Patients (subject of report)


We collect Personal Data about you when you or a third party provides us with information in relation to an adverse event that affected you or someone else. Where you are reporting the adverse event yourself, please also refer to the Reporters section.

Pharmacovigilance (and other relevant) laws require us to take “detailed records” of every adverse event passed to us to allow the event to be evaluated and collated with other adverse events recorded about that product. The Personal Data that we may collect about you when you are the subject of an adverse event report is:

  • name or initials
  • age and date of birth
  • gender
  • weight and height
  • details of the product causing the reaction, including the dosage you have been taking or were prescribed, the reason you have been taking or were prescribed the product and any subsequent change to your usual regimen
  • details of other medicines or remedies you are taking or were taking at the time of the reaction, including the dosage you have been taking or were prescribed, the period of time you were taking that medicine, the reason you have been taking that medicine and any subsequent change to your regimen
  • details of the adverse reaction you suffered, the treatment you received for that reaction, and any long-term effects the reaction has caused to your health, and
  • other medical history considered relevant by the reporter, including documents such as lab reports, medication histories and patient histories.

Some of this information is considered by law to be “sensitive Personal Data” about you. This information is only processed where relevant and necessary to document your reaction properly and for the purpose of meeting our pharmacovigilance, safety, and any other legal requirements. These requirements exist to allow us and international/national/local regulatory authorities to evaluate adverse events and make efforts to prevent similar events from happening in the future.




We collect information about you when you provide us with information in relation to an adverse event you report.

Pharmacovigilance (and other relevant) laws require us to ensure that adverse events are traceable and available for follow-up. As a result, we must keep sufficient information about reporters to allow us to contact you once we have received the report. The Personal Data that we may collect about you when you report an adverse event is your:

  • name
  • contact details (which may include your address, e-mail address, phone number or fax number)
  • profession (this information may determine the questions you are asked about an adverse event, depending on your assumed level of medical knowledge), and
  • relationship with the subject of the report.

Where you are also the subject of a report, this information may be combined with the information you provide in relation to your reaction.


How we use and share Personal Data


As part of our pharmacovigilance obligations, we may use and share Personal Data to:

  • investigate the adverse event
  • contact you for further information about the adverse event you reported
  • collate the information about the adverse event with information about other adverse events received by Key to analyse the safety of a batch, Key product or active ingredient as a whole, and
  • provide mandatory reports to national and/or regional authorities so that they can analyse the safety of a batch, Key product, active ingredient as a whole alongside reports from other sources.

Personal Data collected from you in accordance with this Privacy Notice may also be transferred to a third party in the event of a sale, assignment, transfer, or acquisition of the company or a specific product or therapeutic area, in which case we would require the buyer, assignee or transferee to treat that Personal Data in accordance with applicable data protection laws.

We may also share Personal Data with other pharmaceutical companies who are our co-marketing, co-distribution, or other license partners, where pharmacovigilance obligations for a product require such exchange of safety information.

We share information with national and/or regional authorities, as required, in accordance with relevant pharmacovigilance laws. We are unable to control their use of any information we share, however note that in these circumstances, we do not share any information that directly identifies any individual (such as names or contact information), but we only share pseudonymised information.

We may publish information about adverse events (such as case studies and summaries). In this case, we will remove identifiers from any publications so that no individual can be recognised easily.

We may also share information with third parties that provide us with your Personal Data when making a report. This may include doctors or other healthcare professionals, distributors of our products or any person who reports an event on your behalf. They may receive Personal Data from us as we communicate with them about the adverse event report they have made. We will only share your Personal Data with these parties where we need to do this to meet our regulatory and industry obligations with respect to responding to suspected adverse event reports.


Your rights


Because patient safety is so important, we retain all the information we gather about you as a result of an adverse event report to ensure that we can properly assess the safety of our products over time.

Note: For legal reasons, we cannot delete information that has been collected as part of an adverse event report unless it is inaccurate. Also, we may require you to provide proper identification before we comply with any request to access or correct Personal Data.

Under certain circumstances you have the right to: 

  • Request access to your Personal Data. This enables you to receive a copy of the Personal Data we hold about you and to check that we are processing it lawfully.
  • Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate Personal Data we hold about you corrected.
  • Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing (see below). 
  • Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
  • Request the restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of Personal Data about you under certain circumstances, for example if you want us to restrict processing while the accuracy of the Personal Data is being established.
  • Request not to be subjected to automated decision-making. However, we do not use automated decision-making or profiling as part of our business operations in relation to suspected adverse event reporting.

We hope that we can satisfy any queries you may have about the way in which we process your Personal Data. If you have any concerns about how we process your Personal Data, you can get in touch with Key’s product complaints department at

If you have unresolved concerns, you also have the right to complain to the data protection authority in the location in which you are based.




Key have appropriate security measures in place to prevent your Personal Data from being accidentally lost or used, accessed, altered or disclosed in an unauthorised way.

Additionally, we take further information security measures including access controls, stringent physical security and robust information collection, storage and processing practices.

In addition, we limit access to your Personal Data by our employees and service providers, to individuals who have a legitimate need to know for the job or service they provide to us. They will only process your Personal Data on our instructions and are required to keep your Personal Data confidential.

We have procedures in place to deal with suspected data security breaches and will notify you and any applicable regulators of breaches in accordance with relevant legal requirements.

You can exercise your rights by contacting us using the contact information at the end of this Privacy Notice. We will always aim to help you when you wish to exercise your rights but, in some instances, we may have lawful grounds to reject your request.

We will investigate any request you make immediately and will respond to you within a month of your request. That period may be extended by us for a further two months where this is needed to help us respond properly (for example if the request is complicated for us to deal with and we need more time) but we will let you know the reasons for the delay. 

If we decide to not take action on the request, we will inform you of the reasons for not taking action. 

If you do not agree with a decision we make in relation to a rights request or believe that we are in breach of data protection laws, you can lodge a complaint with the relevant data protection regulator.


Changes to this Privacy Notice


If we decide to change the substance of this Privacy Notice materially, we will post those changes through a prominent Notice on our website.


Contact Information


Personal Data is submitted to Key and is hosted and stored in databases on servers situated in Australia, which are owned and maintained by Key Pharmaceuticals Pty Ltd, an Australian limited liability company.

If, at any time, you have questions or concerns about this Privacy Notice, please e-mail We will use reasonable endeavours to answer your question promptly or resolve your problem.

Effective: February 2022