Guidelines Under Section 95
of the Privacy Act 1988
March 2000
© Commonwealth of Australia 2000
ISBN 1864960981
This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from AusInfo. Requests and enquiries concerning reproduction and rights should be addressed to the Manager, Legislative Services, AusInfo, GPO Box 1920, Canberra ACT 2601.
The strategic intent of the NHMRC is to work with others for the health of all Australians, by promoting informed debate on ethics and policy, providing knowledge based advice, fostering a high quality and internationally recognised research base, and applying research rigour to health issues.
NHMRC documents are prepared by panels of experts drawn from appropriate Australian academic, professional, community and government organisations. NHMRC is grateful to these people for the excellent work they do on its behalf. This work is usually performed on an honorary basis and in addition to their usual work commitments.
This document is sold through AusInfo Government Info Bookshops at a price which covers the cost of printing and distribution only. For publication purchases please contact AusInfo on their toll-free number 132 447, or through their internet address:
http://www.ausinfo.gov.au/general/gen_hottobuy.htm
CONTENTS
Abbreviations
Introduction
Privacy and medical research
Application of the Privacy Act 1988 (Cth) to medical research
Guidelines for the protection of privacy in the conduct of medical research
Other legislation and regulations
The Australian Health Ethics Committee, the National Health and Medical Research Council and the National Statement on Ethical Conduct in Research Involving Humans
The future
Guidelines under section 95 of the Privacy Act 1988
Appendix 1: Information Privacy Principles
Appendix 2: Privacy Act 1988 (Commonwealth), Section 95
Appendix 3: Joint NHMRC/AVCC Statement and Guidelines on Research Practice, Section 2
Appendix 4: Glossary of definitions
Appendix 5: Information about the National Statement on Ethical Conduct in Research Involving Humans
Guidelines Under Section 95 of the Privacy Act 1988 3
ABBREVIATIONS
AHEC Australian Health Ethics Committee
AVCC Australian Vice-Chancellors Committee
HREC Human Research Ethics Committee
IPP Information Privacy Principles
NHMRC National Health and Medical Research Council
OECD Organisation for Economic Cooperation and Development
INTRODUCTION
Privacy and medical research
An individual’s right to privacy is a fundamental human right. This is recognised in
a number of international instruments, in particular, the International Covenant on Civil and Political Rights (Article 17) and the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Australia adopted the OECD Guidelines in 1984 and the principles in those guidelines were incorporated in the federal Privacy Act 1988 (Privacy Act), which deals with personal information
privacy protection, a component of the broader concept of privacy.
However, the right to privacy is not an absolute right. In some circumstances, it must be weighed against the equally justified rights of others and against matters that benefit society as a whole.
The conduct of medical research presents one of these circumstances. Medical research is important for providing information to help the community make decisions that impact on the health of individuals and the community. However, it should be carried out in such a way as to minimise the intrusion on people’s privacy. Optimally, this is done by obtaining the informed consent of participants
prior to using their personal information. Where this is not practicable, de-identified information should be used. Where neither of these options are available, it may be that identified information must be used without consent in order for the medical research to proceed.
In these latter cases, there is a need to balance the public interest in medical research against the public interest in privacy. These guidelines provide a framework in which such decisions can be made.
Application of the Privacy Act to medical research
Section 14 of the Privacy Act sets out eleven Information Privacy Principles (IPPs)
(Appendix 1), that govern the conduct of Commonwealth agencies in their collection, management and use of data containing personal information. The IPPs do not permit agencies to use or disclose in identifiable form records of personal information for research and statistical purposes, unless specifically authorised or required by another law, or the individual has consented to the use or disclosure.
Section 95 of the Privacy Act (Appendix 2) provides a process to resolve such
conflict that may arise between the public interest in privacy and the public interest
in medical research, where medical research using personal information held by a Commonwealth agency would otherwise involve a breach of privacy under the Privacy Act.
Under Section 95, the National Health and Medical Research Council (NHMRC) may, with the approval of the Privacy Commissioner, issue guidelines for the protection
of privacy in the conduct of medical research. The Commissioner may only approve the guidelines if she/he is satisfied that the public interest in the promotion of
research of the kind to which the guidelines relate outweighs to a substantial
degree the public interest in maintaining adherence to the IPPs.
The Guidelines Under Section 95 of the Privacy Act 1988 provide a framework for
the conduct of medical research using information held by Commonwealth agencies where identified information needs to be used without consent. In these situations,
a Commonwealth agency may collect or disclose, in identifiable form, records for medical research purposes without infringing the Privacy Act if the proposed medical research has been approved by a properly constituted Human Research
Ethics Committee (HREC) in accordance with the Guidelines Under Section 95 of the
Privacy Act 1988.
As part of these guidelines, NHMRC is required to provide an annual report to the Privacy Commissioner on Commonwealth agencies’ release and subsequent use of personal information.
Guidelines for the protection of privacy in the conduct of medical research
The Guidelines for the Protection of Privacy in Medical Research were first issued
on 1 July 1991. These guidelines remained in force until July 1995 when, following
a review by the NHMRC, the Privacy Commissioner approved a revised set of guidelines. The revised guidelines featured minor amendments to the previous guidelines, with the major change being the presentation of the guidelines in the context of an information paper, produced by the NHMRC, titled Aspects of Privacy
in Medical Research (endorsed by the NHMRC in 1995).
The guidelines set out in this document will replace Aspects of Privacy in Medical
Research.
Other legislation and regulations
Researchers and others using these guidelines should be aware that there is also
some regulation at State and Territory level, either in the form of legislation related
to privacy generally, administration of agencies or in administrative codes of practice, that may have a bearing on either access to personal information to be
used in research or the way in which proposed research must be conducted. Some jurisdictions have included stricter limitation on the handling of personal
information as part of the administrative structure of health departments and agencies.
The Australian Health Ethics Committee, the National Health and Medical Research Council and the National Statement on Ethical Conduct in Research Involving Humans
The Australian Health Ethics Committee (AHEC) is a principal committee of the NHMRC. AHEC advises the NHMRC on ethical issues relating to health and monitors and advises on the functioning of HRECs that review proposed research projects involving human participants.
The National Health and Medical Research Council Act 1992 requires AHEC to
develop and give the NHMRC guidelines for the conduct of medical research involving humans. These guidelines were issued in June 1999 as the National
Statement on Ethical Conduct in Research Involving Humans, (National Statement), superseding the NHMRC Statement on Human Experimentation and Supplementary Notes 1992.
The National Statement contains some guidelines on protection of privacy of
personal information in research and references are made to the IPPs as the relevant standards of conduct. The following Guidelines Under Section 95 of the
Privacy Act 1988 should be read together with the National Statement. It is intended at a future date to integrate the Guidelines Under Section 95 of the Privacy Act 1988 with the National Statement.
The future
On 16 December 1998 the federal government announced that it intends to legislate
to support and strengthen self-regulatory privacy protection in the private sector, and that a light-touch legislative regime would be introduced. The scheme will involve amendment of the Privacy Act and will be based on the revised National Principles for the Fair Handling of Personal Information, (National Principles) which are in turn based on the IPPs. These were released by the Privacy Commissioner in January 1999 and are available on the Privacy Commissioner’s website at http://www.privacy.gov.au.
If the amendments are passed, the Privacy Act will apply to many private sector bodies and some universities which conduct research. This will mean that there is a question to resolve as to whether the IPPs or the National Principles will be the standard to be applied to the handling of information in non-federal agency
research. This may mean that the following guidelines and/or the National
Statement need to be further revised.
GUIDELINES UNDER SECTION 95 OF THE PRIVACY ACT 1988
1. The use of the guidelines
1.1 Where medical research* involves the use of personal information* held by a
Commonwealth agency*, the processes that are set out in these guidelines must be followed, in order for the information to be lawfully used or released.
1.2 Where a Commonwealth agency seeks to rely on these guidelines to lawfully release personal information for the purpose of medical research where this would otherwise involve a breach of an IPP, the agency must satisfy itself that research on which the personal information is to be used has been approved by a Human Research Ethics Committee (HREC)¹ for the particular purpose in accordance with these guidelines.
1.3 Agencies may always decline to disclose personal information for use in medical research even where the medical research has been approved by an HREC in accordance with these guidelines.
2. Procedures to be followed by researchers
2.1 An overriding obligation for the researcher is at all times to respect the dignity and personal privacy of the individual.
2.2 The researcher must give a written proposal for the research to an HREC, with any information necessary for members of that HREC to meet their responsibilities under these guidelines. Guidance on the information to be included in the written proposal is set out in paragraph 2.4.
2.3 When research may involve a breach of an IPP or IPPs, the proposal for that research to be submitted to an HREC must contain a reference to that IPP or IPPs, and must also state reasons for believing that the public interest in the research outweighs, to a substantial degree, the public interest in adhering to that IPP(s). In that proposal, the researcher must provide the HREC with necessary information to enable the HREC to weigh the public interest considerations in accordance with section 3.2 of these guidelines.
While Section 95 refers to the IPPs generally, the most common breach or potential breach of the IPPs requiring the use of these guidelines will be one involving disclosure, which would otherwise be prohibited by IPP 11.
* See Appendix 4: Glossary
1. See ‘2. Human Research Ethics Committees’, National Statement on Ethical Conduct in Research Involving Humans (1999) that explains terms of reference, membership constitution and committee procedures, etc for HRECs.
2.4 In the proposal for the conduct of each such research project, the researcher
should state:
(a) the aims of the research;
(b) the credentials and technical competence of the researcher;
(c) the data needed and how it will be analysed;
(d) the source of the data;
(e) the study period;
(f) the target population;
(g) the reasons why identified* or potentially identifiable* information is needed rather than de-identified* information, and the reasons why it is not proposed to seek consent to the use of personal information.
[Note: Any genetic research should be conducted in accordance with the principles in ‘16. Human Genetic Research’ of the National Statement on Ethical Conduct in Research Involving Humans (1999) when considering the release of personal information, and genetic testing.]
(h) the specific uses to which the personal information used during the study will be applied;
(i) the proposed method of publication of results of the research;
(j) the estimated time of retention of the personal information;
(k) the identity of the custodian(s) of the personal information used during the research;
(l) security standards to be applied to the personal information. In
particular, that personal information will be retained in accordance with the Joint NHMRC/AVCC Statement and Guidelines on Research Practice
(Appendix 3), and in a form that is at least as secure as it was in the sources from which the personal information was obtained unless more stringent legislative or contractual provisions apply;
(m) a list of personnel with access to the personal information;
(n) the standards that will be applied to protect personal information disclosed by a Commonwealth agency. These should include the:
(i) terms of any disclosure agreement between the agency and the researcher to govern the limits on use and disclosure of that personal information; and
(ii) proposed methods of disposal of the personal information on the completion of the research, and that these are in accordance with the Archives Act, 1983 for Commonwealth records and legislative requirements of a State or Territory; and
(iii) standards that will be applied to protect privacy of personal
information where it is made available to other researchers or third parties if that is proposed.
2.5 A researcher should provide to the agency from which personal information
is sought written notification of the decision of an HREC made in accordance with these guidelines.
2.6 If a researcher uses personal information obtained from a Commonwealth agency in accordance with these guidelines to contact a person, the researcher must inform that person:
• that personal information has been provided by that Commonwealth agency in accordance with these guidelines; and
• how that information will be used; and
• that he or she is free at any time to withdraw consent for further involvement in the research [See ‘1. Principles of Ethical Conduct’; subheading ‘Consent’, National Statement on Ethical Conduct in Research Involving Humans (1999)]; and
• of the standards that will apply to protect the privacy of that person, and
• of existing complaint mechanisms to HRECs and the Commonwealth
Privacy Commissioner.
2.7 The researcher must immediately report to the HREC anything that might warrant review of ethical approval of the research proposal [See ‘2. Human Research Ethics Committees’; subheading ‘Monitoring’, paragraph 2.37
National Statement on Ethical Conduct in Research Involving Humans (1999)].
3. Consideration by Human Research Ethics Committees (HREC)
3.1 Before making a decision under these guidelines, an HREC must assess whether it has sufficient information, expertise and understanding of privacy issues, either amongst the members of the HREC or otherwise available to it, to make a decision that takes proper account of privacy. [See ‘2. Human Research Ethics Committees’ and ‘18. Privacy of Information’, National Statement on Ethical Conduct in Research Involving Humans (1999)].
3.2 In making a decision under these guidelines, an HREC must consider the following matters:
(a) identify and consider the IPP or IPPs that might be breached in the course of the proposed research, including whether it is necessary for the research to use identified or potentially identifiable data, and whether it is reasonable for the research to proceed without the
consent of the individuals to whom the information relates, and
(b) ensure that the committee has the competence to determine if the public interest in the proposed research outweighs, or does not outweigh, to a substantial degree, the public interest in the protection
of privacy. If the public interest in the proposed research does not
outweigh, to a substantial degree, the public interest in the protection of privacy then the research should not be carried out.
Weighing the public interest
3.3 In reaching a decision under 3.2 (b) an HREC should consider the following matters:
(a) the degree to which the medical research is likely to contribute to:
• the identification, prevention or treatment of illness or disease; or
• scientific understanding relating to health; or
• the protection of the health of individuals and/or communities; or
• the improved delivery of health services, or
• scientific understanding or knowledge.
(b) any likely benefits to individuals, to the category of persons to which they belong, or the wider community that will arise from the medical research being undertaken in the manner proposed;
(c) whether the medical research design can be satisfied without risking infringement of an IPP and the scientific defects in the medical research that might arise if the medical research was not conducted in the
manner proposed;
(d) the financial costs of not undertaking the medical research (to government, the public, the health care system, etc);
(e) the public importance of the medical research;
(f) the extent to which the data being sought are ordinarily available to the public from that Commonwealth agency; and
(i) whether the medical research involves use of the data in a way which is inconsistent with the purpose for which the data were made public; and
(ii) whether the medical research requires an alteration of the format of the data of a kind that would, if used by an agency, involve a
breach of an IPP.
(g) whether the risk of harm to a person whose personal information is to be used in proposed research is minimal, having regard to the elements
of that research provided in response to paragraph 2.3 of these guidelines;
(h) the standards of conduct that are to be observed in medical research, including:
(i) the study design and the scientific credentials of the researchers;
(ii) if the research involves contact with participants, the procedures or
controls which will apply to ensure that participants are treated with
integrity and sensitivity, including whether questions to be asked or procedures to be employed are intrusive;
(iii) whether access to personal information is restricted to appropriate researchers;
(iv) the risk that a person or group could be identified in the published results; and
(v) the procedures that are to be followed at the completion of the research to ensure that all data containing personal information are
at least as secure as they were in the sources from which the data were obtained, including the date when the data will be destroyed or returned.
Recording, notification and monitoring of decisions
3.4 The decision of the HREC under 3.2 (b) will be recorded in accordance with paragraph 2.30 of the National Statement on Ethical Conduct in Research Involving Humans (1999).
Wherever access to personal information from a Commonwealth agency is being considered, the HREC must also record the following:
• the Commonwealth agency from which the information will be sought;
• the data items sought from the Commonwealth agency and approved by the HREC;
• the number of records involved;
• which IPPs would be infringed, and
• how and on what grounds the HREC came to the conclusion that it had sufficient information, expertise and understanding of privacy issues
either amongst the members of the HREC or otherwise available to it, to make a decision that takes proper account of privacy.
3.5 It is an obligation of the HREC to monitor the research in accordance with ‘2. Human Research Ethics Committees’; subheading ‘Monitoring’, National Statement on Ethical Conduct in Research Involving Humans (1999).
3.6 When the HREC approves a research proposal, it must decide whether the research should commence within a defined period from the date of approval and whether the project should be completed within a set period, and notify
the researcher of that decision.
4. The responsibilities of the NHMRC
4.1 The AHEC will report annually to NHMRC in relation to HRECs generally, based on the annual compliance report. The report will also include specific decisions and information as required by paragraph 3.4 of these guidelines.
4.2 The AHEC of the NHMRC may request, at any time, information in relation to
paragraphs 3.4, 3.5 and 3.6 above.
4.3 When there has been a failure to comply with the guidelines the AHEC of the
NHMRC will:
• report details of the failure to the Privacy Commissioner and may name the researcher or the HREC responsible, and
• where that failure involves use of personal information disclosed by a
Commonwealth agency, inform that agency of details of the failure.
5. Reports to or for the Privacy Commissioner
5.1 AHEC will annually report details to the Privacy Commissioner of the research projects conducted under these guidelines and shall include evaluation of the operation of these guidelines for the year of reporting.
5.2 AHEC will also provide to the Privacy Commissioner, at his or her request, additional information about the operation of the guidelines, research projects conducted under these guidelines and/or any failures to comply with these guidelines.
6. Complaint mechanisms
6.1 Complaints may be made to:
(a) HRECs concerning the researcher’s and/or the institution’s conduct of
an approved research project that may interfere with the privacy of the individual,
[See Principle ‘2. Human Research Ethics Committees’; subheading
‘Complaints’ (National Statement on Ethical Conduct in Research
Involving Humans 1999)]
and/or
(b) the Privacy Commissioner concerning the use of personal information by Commonwealth agencies.
Under Section 36 of the Privacy Act 1988, an individual may complain to the Privacy Commissioner about an act or practice that may be an
interference with the privacy of the individual. Where a Commonwealth agency seeks to rely on these guidelines in order to lawfully release personal information for the purpose of medical research under Section
95, an individual may complain if the procedures set out in these guidelines are not followed.
7. Date of review
7.1 The NHMRC is required to initiate a review of the adequacy and operation of the guidelines twelve months from the date of issue.
APPENDIX 1
INFORMATION PRIVACY PRINCIPLES
[from the Privacy Act 1988 (Commonwealth)]
Principle 1
Manner and purpose of collection of personal information
1. Personal information shall not be collected by a collector for inclusion in a record or in a generally available publication unless:
(a) the information is collected for a purpose that is a lawful purpose directly related to a function or activity of the collector; and
(b) the collection of the information is necessary for or directly related to that purpose.
2. Personal information shall not be collected by a collector by unlawful or unfair means.
Principle 2
Solicitation of personal information from individual concerned
Where:
(a) a collector collects personal information for inclusion in a record or in a generally available publication; and
(b) the information is solicited by the collector from the individual concerned;
the collector shall take such steps (if any) as are, in the circumstances, reasonable
to ensure that, before the information is collected or, if that is not practicable, as soon as practicable after the information is collected, the individual concerned is generally aware of:
(c) the purpose for which the information is being collected;
(d) if the collection of the information is authorised or required by or under law—the fact that the collection of the information is so authorised or required; and
(e) any person to whom, or any body or agency to which, it is the collector’s usual practice to disclose personal information of the kind so collected, and
(if known by the collector) any person to whom, or any body or agency to which, it is the usual practice of that first mentioned person, body or agency
to pass on that information.
Principle 3
Solicitation of personal information generally
Where:
(a) a collector collects personal information for inclusion in a record or in a generally available publication; and
(b) the information is solicited by the collector;
the collector shall take such steps (if any) as are, in the circumstances, reasonable
to ensure that, having regard to the purpose for which the information is collected;
(c) the information collected is relevant to that purpose and is up to date and complete; and
(d) the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.
Principle 4
Storage and security of personal information
A record-keeper who has possession or control of a record that contains personal information shall ensure:
(a) that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and
(b) that if it is necessary for the record to be given to a person in connection with the provision of a service to the record-keeper, everything reasonably within
the power of the record-keeper is done to prevent unauthorised use or disclosure of information contained in the record.
Principle 5
Information relating to records kept by record-keeper
1. A record-keeper who has possession or control of records that contain personal information shall, subject to clause 2 of this Principle, take such steps as are, in the circumstances, reasonable to enable any person to ascertain:
(a) whether the record-keeper has possession or control of any records that contain personal information; and
(b) if the record-keeper has possession or control of a record that contains such information:
(i) the nature of that information;
(ii) the main purposes for which that information is used; and
(iii) the steps that the person should take if the person wishes to obtain
access to the record.
2. A record-keeper is not required under clause 1 of this Principle to give a person information if the record-keeper is required or authorised to refuse to give that information to the person under the applicable provisions of any
law of the Commonwealth that provides for access by persons to documents.
3. A record-keeper shall maintain a record setting out:
(a) the nature of the records of personal information kept by or on behalf of the record-keeper;
(b) the purpose for which each type of record is kept;
(c) the classes of individuals about whom records are kept;
(d) the period for which each type of record is kept;
(e) the persons who are entitled to have access to personal information contained in the records and the conditions under which they are entitled to have that access; and
(f) the steps that should be taken by persons wishing to obtain access to that information.
4. A record-keeper shall:
(a) make the record maintained under clause 3 of this Principle available for inspection by members of the public; and
(b) give the Commissioner, in the month of June in each year, a copy of the record so maintained.
Principle 6
Access to records containing personal information
Where a record-keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record, except to the extent that the record-keeper is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.
Principle 7
Alteration of records containing personal information
1. A record-keeper who has possession or control of a record that contains personal information shall take such steps (if any), by way of making appropriate corrections, deletions and additions as are, in the circumstances, reasonable to ensure that the record:
(a) is accurate; and
(b) is, having regard to the purpose for which the information was
collected or is to be used and to any purpose that is directly related to that purpose, relevant, up to date, complete and not misleading.
2. The obligation imposed on a record-keeper by clause 1 is subject to any applicable limitation in a law of the Commonwealth that provides a right to require the correction or amendment of documents.
3. Where:
(a) the record-keeper of a record containing personal information is not willing to amend that record, by making a correction, deletion or
addition, in accordance with a request by the individual concerned; and
(b) no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth;
the record-keeper shall, if so requested by the individual concerned, take such steps (if any) as are reasonable in the circumstances to attach to the
record any statement provided by that individual of the correction, deletion or addition sought.
Principle 8
Record-keeper to check accuracy etc of personal information before use
A record-keeper who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are,
in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date and complete.
Principle 9
Personal information to be used only for relevant purposes
A record-keeper who has possession or control of a record that contains personal information shall not use the information except for a purpose to which the information is relevant.
Principle 10
Limits on use of personal information
1. A record-keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless:
(a) the individual concerned has consented to use of the information for that other purpose;
(b) the record-keeper believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person;
(c) use of the information for that other purpose is required or authorised by or under law;
(d) use of the information for that other purpose is reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue; or
(e) the purpose for which the information is used is directly related to the purpose for which the information was obtained.
2. Where personal information is used for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue, the record-keeper shall include in the record containing that information a note of that use.
Principle 11
Limits on disclosure of personal information
1. A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless:
(a) the individual concerned is reasonably likely to have been aware or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency;
(b) the individual concerned has consented to the disclosure;
(c) the record-keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person;
(d) the disclosure is required or authorised by or under law; or
(e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.
2. Where personal information is disclosed for the purposes of enforcement of the criminal law or of a law imposing a pecuniary penalty or for the purpose of the protection of the public revenue, the record-keeper shall include in the record containing that information a note of the disclosure.
3. A person, body or agency to whom personal information is disclosed under clause 1 of this Principle shall not use or disclose the information for a purpose other than the purpose for which the information was given to the person, body or agency.
APPENDIX 2
Privacy Act 1988 (Commonwealth), Section 95
(1) The National Health and Medical Research Council may, with the approval of the Commissioner, issue guidelines for the protection of privacy in the conduct of medical research.
(2) The Commissioner shall not approve the issue of guidelines unless he or she is satisfied that the public interest in the promotion of research of the kind to which the guidelines relate outweighs to a substantial degree the public interest in maintaining adherence to the Information Privacy Principles.
(3) Guidelines shall be issued by being published in the Gazette.
(4) Where:
(a) but for this subsection, an act done by an agency would breach an Information Privacy Principle; and
(b) the act is done in the course of medical research and in accordance with guidelines under subsection (1);
the act shall be regarded as not breaching that Information Privacy Principle.
(5) Where the Privacy Commissioner refuses to approve the issue of guidelines under subsection (1), an application may be made to the Administrative Appeals Tribunal for review of the Commissioner’s decision.
APPENDIX 3
Joint NHMRC/AVCC Statement and Guidelines on Research Practice, Section 2
Data storage and retention
2.1 Data (including electronic data) must be recorded in a durable and appropriately referenced form. Data management should comply with relevant privacy protocols, such as the Australian Standard on Personal Privacy Protection.1
2.2 The department or research unit must establish procedures for the retention of data and for the keeping of records of data held.
2.3 Data must be held for sufficient time to allow reference. For data that is published this may be for as long as interest and discussion persists following publication. It is recommended that the minimum period for retention is at least five years from the date of publication but for specific types of research, such as clinical research, fifteen years may be more appropriate.2
2.4 Wherever possible, original data must be retained in the department or research unit in which they were generated. Individual researchers should be able to hold copies of the data for their own use. Retention solely by the individual researcher provides little protection to the researcher or the institution in the event of an allegation of falsification of data.
2.5 Data related to publications must be available for discussion with other researchers. Where confidentiality provisions apply (for example, where the researchers or institution have given undertakings to third parties, such as the subjects of the research), it is desirable for data to be kept in a way that reference to them by third parties can occur without breaching such confidentiality.
2.6 Confidentiality agreements to protect intellectual property rights may be agreed between the institution, the researcher and a sponsor of the research. Where such agreements limit free publication and discussion, limitations and restrictions must be explicitly agreed.
2.7 It is the obligation of the researcher to enquire whether confidentiality agreements apply and of the Head of the Department or research unit to inform researchers of their obligations with respect to these provisions.
2.8 All confidentiality agreements should be made known at an early stage to the head of the research institution, or nominated representative.
1. Personal Privacy Protection in Health Care Information Systems, Australian Standard AS 4400-1995.
2. The December 1991 Guidelines for Good Clinical Research Practice in Australia, published by the Therapeutic Goods Administration of the Commonwealth Department of Health and Family Services, recommends retention of data for at least 15 years.
2.9 The procedures formulated by institutions must include guidelines on the establishment and ownership of and access to databases containing confidential information, and any limits on this.
2.10 When the data are obtained from limited access databases, or via a contractual arrangement, written indication of the location of the original data, or key information regarding the database from which it was collected, must be retained by the researcher or research unit.
2.11 Researchers must be responsible for ensuring appropriate security for any confidential material, including that held in computing systems. Where computing systems are accessible through networks, particular attention to security of confidential data is required. Security and confidentiality must be assured in a way that copes with multiple researchers and the departure of individual researchers.
APPENDIX 4
GLOSSARY OF DEFINITIONS
Commonwealth agency
Commonwealth agency means a Commonwealth Minister, Department, body established under a Commonwealth act, or a person appointed by the Governor-General or holding office under a Commonwealth act, a federal Court and the Federal Police.
De-identified samples or data
The process of de-identification can be irreversible if the identifiers have been removed permanently or the data have never been identified.
Identified samples or data
Data that allow the identification of a specific individual are referred to as ‘identified data’. Examples of identifiers may include the individual’s name, date of birth or address. In particularly small sets of data even information such as a postcode may be an identifier.
Medical research
As defined in the Privacy Act 1988 medical research includes epidemiological research.
Personal information
Information by which individuals or collectivities can be identified. This is defined in the Privacy Act 1988 (Cth) as information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
Potentially identifiable (coded, re-identifiable) samples or data
Data may have identifiers removed and replaced by a code. In such cases it is possible to use the code to re-identify the person to whom the data relates, that is, the process of de-identification is reversible. In these cases the data are referred to as ‘potentially identifiable’.
Research
As defined in the National Statement on Ethical Conduct in Research Involving Humans this involves systematic investigation to establish facts, principles, and knowledge.
APPENDIX 5
Information about the National Statement on Ethical Conduct in Research Involving Humans
The National Statement on Ethical Conduct in Research Involving Humans replaces the NHMRC Statement on Human Experimentation and Supplementary Notes (1991).
The National Statement is a significant advance for research in Australia. It is issued by the National Health and Medical Research Council (NHMRC) under the NHMRC Act. It has also been endorsed or supported by the Australian Vice-Chancellors’ Committee, the Australian Research Council, and the Academies of Humanities, Science, Social Sciences, and Technological Science and Engineering.
The National Statement applies to all disciplines of research involving or impacting upon humans. It should be used by all individuals, institutions and organisations conducting research which involves human participants.
The National Statement provides general ethical principles which should be applied to all research involving humans, as well as guidelines on specific research types, participant groups and other issues.
The National Statement can be downloaded free of charge from the NHMRC web site at http://www.nhmrc.health.gov.au/ethics/statemen.htm
It can also be purchased from AusInfo Government Bookshops for $12.95 by phoning their toll free number 132 447 (catalogue no. 9818566).
The National Health and Medical Research Council
The National Health and Medical Research Council (NHMRC) is a statutory authority within the portfolio of the Commonwealth Minister for Health and Aged Care, established by the National Health and Medical Research Council Act 1992. The NHMRC advises the Australian community and Commonwealth, State and Territory Governments on standards of individual and public health, and supports research to improve those standards.
The NHMRC advises the Commonwealth Government on the funding of medical and public health research and training in Australia and supports many of the medical advances made by Australians.
The NHMRC also develops guidelines and standards for the ethical conduct of health and medical research.
The Council comprises nominees of Commonwealth, State and Territory health authorities, professional and scientific colleges and associations, unions, universities, business, consumer groups, welfare organisations, conservation groups and the Aboriginal and Torres Strait Islander Commission.
The Council meets four times a year to consider and make decisions on reports prepared by committees and working parties following wide consultation on the issue under consideration.
A regular publishing program ensures that Council’s recommendations are widely available to governments, the community, scientific, industrial and educational groups.
The Council publishes extensively in the following areas:
• Aged care
• Child health
• Clinical practice guidelines
• Communicable diseases
• Dentistry
• Diabetes
• Drugs and poisons
• Drug and substance abuse
• Environmental health
• Ethics – Animal
• Ethics – Human
• Health procedures
• Health promotion
• Infection control
• Men’s health
• Mental health
• NHMRC – National Health and Medical Research Council
• Nutrition
• Public health
• Research
• Sport/Injury
• Women’s health
• Workforce
A list of current publications is available from:
The Publications Officer
ONHMRC MDP 100
GPO Box 9848
Canberra ACT 2601
Phone: (02) 6289 9520 (24-hour answering machine)
Toll free: 1800 020 103
Fax: (02) 6289 9197
E-mail: nhmrc.publications@health.gov.au
Internet: http://www.nhmrc.health.gov.au