Guidelines under Section 95 of the Privacy Act 1988

2014

Publication Details

Publication title: Guidelines Under Section 95 of the Privacy Act 1988

Published: November 2014

Publisher: National Health and Medical Research Council

NHMRC Publication reference: PR1

Online version: www.nhmrc.gov.au/guidelines/publications/pr1

ISBN Online: 978-1-925129-06-9

Suggested citation:

All material presented in this publication is provided under a Creative Commons Attribution Non-commercial 4.0 Australia licence (http://creativecommons.org.au), with the exception of the Commonwealth Coat of Arms, NHMRC logo and content identified as being owned by third parties. The details of

the relevant licence conditions are available on the Creative Commons website (http://creativecommons.org.au), as is the full legal code for the CC BY NC 4.0 AU licence.

Attribution

Creative Commons Attribution 4.0 Australia Licence is a standard form license agreement that allows you to copy, distribute, transmit and adapt this publication provided that you attribute the work. The NHMRC’s preference is that you attribute this publication (and any material sourced from it) using the following wording: Source: National Health and Medical Research Council.

Use of images

Unless otherwise stated, all images (including background images, icons and illustrations) are copyrighted by their original owners.

GUIDELINES UNDER SECTION 95 OF THE PRIVACY ACT 1988

2014

ABBREVIATIONS	v
INTRODUCTION	1
Privacy and medical research	1
Application of the Privacy Act 1988 (Cth) to medical research involving use or disclosure of
personal information held by agencies	1
Guidelines for the protection of privacy in the conduct of medical research	2
Other legislation and regulations	2
The Australian Health Ethics Committee, the National Health and Medical Research Council
and the National Statement on Ethical Conduct in Human Research	2
Guidelines under Section 95 of the Privacy Act 1988	3
APPENDIX 1
Glossary of definitions	8

GUIDELINES UNDER SECTION 95 of the PRIVACY ACT 1988	iv
National Health and Medical Research Council	iv
National Health and Medical Research Council

GUIDELINES UNDER SECTION 95 of the PRIVACY ACT 1988	v
National Health and Medical Research Council	v
National Health and Medical Research Council

INTRODUCTION

Privacy and medical research

An individual’s right to privacy is a fundamental human right. This is recognised in a number of international instruments, in particular, the International Covenant on Civil and Political Rights (Article 17) and the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Australia adopted the OECD Guidelines in 1984 and the principles in those guidelines were incorporated in the Commonwealth Privacy Act 1988 (Privacy Act), which deals with personal information privacy protection, a component of the broader concept of privacy.

However, the right to privacy is not an absolute right. In some circumstances, it must be weighed against the equally justified rights of others and against matters that benefit society as a whole.

The conduct of medical research presents one of these circumstances. Medical research is important for providing information to help the community make decisions that have an impact on the health of individuals and the community. However, it should be carried out in such a way as to minimise the intrusion on people’s privacy. Optimally, this is done by obtaining the informed consent of participants prior to using their personal information. Where this is not practicable, de-identified information should be used. Where neither of these options are available, it may be that identified information needs to be used, even though consent of the individual or individuals has not been obtained, in order for the medical research to proceed.

In these latter cases, there is a need to balance the public interest in medical research against the public interest in privacy. These guidelines provide a framework in which such decisions can be made.

Asterisked terms in these guidelines are defined in Appendix 1.

Application of the Privacy Act 1988 (Cth) to medical research involving use or disclosure of personal information held by agencies

Schedule 1 of the Privacy Act sets out the 13 Australian Privacy Principles (APPs)1 that govern the conduct of agencies (as well as certain private sector organisations) in their collection, management, use and disclosure of personal information*. The APPs do not permit agencies to use or disclose personal information for medical research purposes, unless the individual has consented to the use or disclosure or the use or disclosure is allowable through an exception contained in the Privacy Act. Certain exceptions are included in APP 6.2 and 6.3.

Section 95 of the Privacy Act2 also provides a process to resolve conflicts that may arise between the public interest in protecting privacy and the public interest in the conduct of medical research, where medical research using personal information or sensitive information* held by an agency would involve an interference with privacy under the Privacy Act.

Under Section 95, the CEO of the National Health and Medical Research Council (NHMRC) may, with the approval of the Australian Information Commissioner (Commissioner*), issue guidelines for the protection

1 Available at www.oaic.gov.au

2 Available at www.comlaw.gov.au/Current/C2013C00482

GUIDELINES UNDER SECTION 95 of the PRIVACY ACT 1988	1
National Health and Medical Research Council	1
National Health and Medical Research Council

of privacy in the conduct of medical research. The Commissioner will not approve the issue of guidelines unless he or she is satisfied that the public interest in the promotion of research of the kind to which the guidelines relate outweighs to a substantial degree the public interest in maintaining adherence to the APPs.

The Guidelines Under Section 95 of the Privacy Act 1988 provide a framework for the conduct of medical research using information held or collected by agencies where personal information needs to be used and where it is not practicable to obtain the individual’s consent. In these situations, an agency may collect, use or disclose records containing personal information for medical research purposes without breaching the Privacy Act if the proposed medical research has been approved by a properly constituted Human Research Ethics Committee (HREC) in accordance with the Guidelines under Section 95 of the Privacy Act 1988.

The NHMRC is required to provide an annual report to the Commissioner on agencies’ use and disclosure of personal information.

Guidelines for the protection of privacy in the conduct of medical research

The Guidelines for the Protection of Privacy in Medical Research were first issued on 1 July 1991. These guidelines remained in force until July 1995 when, following a review by the NHMRC, the then Privacy Commissioner approved a revised set of guidelines. The revised guidelines featured minor amendments to the previous guidelines, with the major change being the presentation of the guidelines in the context of an information paper, produced by the NHMRC, titled Aspects of Privacy in Medical Research (endorsed by the NHMRC in 1995). The Guidelines under Section 95 of the Privacy Act 1988 replaced the document Aspects of Privacy in Medical Research in 2000. The March 2014 guidelines were made to take account of amendments made to the Privacy Act by the Privacy Amendment (Enhancing Privacy Protection) Act 2012.

The Guidelines set out in this document replace the March 2014 Guidelines, to correct some minor errors and address some formatting issues.

Other legislation and regulations

Researchers and others using these guidelines should be aware that there is also some regulation at State and Territory level, either in the form of legislation related to privacy generally, health records, administration of agencies or in administrative codes of practice, that may have a bearing on either access to personal information to be used in research or the way in which proposed research must be conducted. Some jurisdictions have included stricter limitation on the handling of personal information as part of the administrative structure of health departments and agencies.

The Australian Health Ethics Committee, the National Health and Medical Research Council and the National Statement on Ethical Conduct in Human Research

The Australian Health Ethics Committee (AHEC) is a principal committee of the NHMRC. AHEC advises the NHMRC on ethical issues relating to health and medical research.

The National Health and Medical Research Council Act 1992 requires AHEC to develop and give the NHMRC guidelines for the conduct of medical research involving humans. The most recent version of these

guidelines was released in 2007 as the National Statement on Ethical Conduct in Human Research (National Statement).

The National Statement contains some guidelines on protection of privacy of personal information in research and generally refers to the relevant laws and standards of conduct. The following Guidelines under Section 95 of the Privacy Act 1988 should be read together with the National Statement.

Guidelines under Section 95 of the Privacy Act 1988

The use of the guidelines

1.1 Where medical research* involves the use of personal information* including sensitive information* held by an agency*, the processes that are set out in these guidelines must be followed, in order for the information to be lawfully used or disclosed.

1.2 Where an agency seeks to rely on these guidelines to lawfully disclose personal information for the purpose of medical research where this would otherwise involve a breach of an APP or the Privacy Act, the agency must satisfy itself that research involving the use of the personal information

has been approved by a Human Research Ethics Committee (HREC), for the particular research purpose in accordance with these guidelines.

1.3 Agencies may decide to decline to disclose personal information for use in medical research even where the medical research has been approved by an HREC in accordance with these guidelines.

2. Procedures to be followed by researchers

2.1 An overriding obligation for the researcher is at all times to respect the dignity and personal privacy of the individual.

2.2 The researcher must give a written proposal for the research to an HREC, with any information necessary for members of that HREC to meet their responsibilities under these guidelines. Guidance on the information to be included in the written proposal is set out in paragraph 2.4 of these guidelines.

2.3 When research may involve a breach of one or more APPs, the proposal for that research to be submitted to an HREC must contain a reference to the relevant APP(s) and must also state

reasons for believing that the public interest in the research outweighs, to a substantial degree, the public interest in complying with the APP(s). The proposal must provide the HREC with information necessary to enable the HREC to weigh the public interest considerations in accordance with section 3.3 of these guidelines.

While Section 95 refers to the APPs generally, the most common breach or potential breach of the APPs requiring the use of these guidelines will be one involving disclosure, which would otherwise be prohibited by APP 6.

2.4 In the proposal for the conduct of each research project, the researcher should state:

a) the aims or purpose of the research

b) the credentials and technical competence of the researcher

c) the data needed and how it will be analysed

d) if sensitive information* is to be used, why it is necessary

e) the source of the data

f) the study period

g) the target population

h) the reasons why de-identified* information, cannot achieve the relevant purpose of the research activity

i) the reasons why it is impracticable to seek consent from the individual for the use or disclosure of the personal information

[Note: Any genetic research should be conducted in accordance with the guidelines in ‘Chapter 3.5 of the National Statement on Ethical Conduct in Human Research, 2007.]

j) the specific uses or disclosures that will be made of the personal information

k) the proposed method of publication of results of the research and a statement that any personal information* to be used or disclosed will not be published unless in de-identified form

l) the estimated time of retention of the personal information

m) the identity of the custodian(s) of the personal information used during the research

n) security standards to be applied to the personal information. In particular, that personal information will be retained in accordance with Chapter 2 of the Australian Code for the Responsible Conduct of Research, 2007, and in a form that is at least as secure as it was in the sources from which the personal information was obtained unless more stringent legislative or contractual provisions apply

o) a list of personnel with access to the personal information including any contractors or subcontractors

p) the standards that will be applied to protect personal information disclosed by an agency. These should include the:

terms of any disclosure agreement between the agency and the researcher to govern the limits on use and disclosure of that personal information

ii. proposed methods of disposal of the personal information on the completion of the research, and that these are in accordance with the Archives Act 1983 for Commonwealth records and relevant legislative requirements of a State or Territory

iii. standards that will be applied to protect privacy of personal information where it is made available to other researchers or third parties if that is proposed

q) any proposal to send data overseas for the purpose of the research project including the names of the countries to which it is proposed the data be sent and how the research project will comply with APP 8 of the Privacy Act.

2.5 A researcher should provide to the agency from which personal information is sought written notification of the decision of an HREC made in accordance with these guidelines.

2.6 If a researcher uses personal information obtained from an agency in accordance with these guidelines to contact a person, the researcher must inform that person:

• that personal information has been provided by that agency in accordance with these guidelines

• how that information will be used

• that he or she is free at any time to withdraw consent for further involvement in the research [See Chapter 2.2: General Requirements for Consent, National Statement]

• of the standards that will apply to protect the privacy of that person

• of existing complaint mechanisms to HRECs and the Commissioner.

2.7 The researcher must immediately report to the HREC anything that might warrant review of ethical approval of the research proposal [See Chapter 5.5 of the National Statement].

3. Consideration by Human Research Ethics Committees (HREC)

3.1 Before making a decision under these guidelines, an HREC must assess whether it has sufficient information, expertise and understanding of privacy issues, either amongst the members of the HREC or otherwise available to it, to make a decision that takes proper account of privacy.

3.2 In making a decision under these guidelines, an HREC must consider the following matters:

a) identify and consider the APP or APPs that might be breached in the course of the proposed research, including whether it is necessary for the research to use identified or potentially identifiable data, and whether it is reasonable for the research to proceed without the consent of the individuals to whom the information relates

b) ensure that the committee has the competence to determine if the public interest in the proposed research outweighs, or does not outweigh, to a substantial degree, the public interest in the protection of privacy. If the public interest in the proposed research does not outweigh, to a substantial degree, the public interest in the protection of privacy, then the research should not be carried out.

Weighing the public interest

3.3 In reaching a decision under 3.2 (b) an HREC should consider the following matters:

a) the degree to which the medical research is likely to contribute to:

• the identification, prevention or treatment of illness or disease

• scientific understanding relating to health

• the protection of the health of individuals and/or communities

• the improved delivery of health services

• scientific understanding or knowledge.

b) any likely benefits to individuals, to the category of persons to which they belong, or the wider community that will arise from the medical research being undertaken in the manner proposed

c) whether the medical research design can be satisfied without risking infringement of an APP and the scientific defects in the medical research that might arise if the medical research was not conducted in the manner proposed

d) the financial costs of not undertaking the medical research (to government, the public, the health care system, etc)

e) the public importance of the medical research

f) the extent to which the data being sought are ordinarily available to the public from that agency

whether the medical research involves use of data in a way which is inconsistent with the purpose for which the data was made public

ii. whether the medical research requires an alteration of the format of the data of a kind that would, if used by an agency, involve a breach of an APP

g) whether the risk of harm to a person whose personal information is to be used in proposed research is minimal, having regard to the elements of that research provided in response to paragraph 2.3 of these guidelines

h) the standards of conduct that are to be observed in the medical research, including:

the study design and the scientific credentials of the researchers

ii. if the research involves contact with participants, the procedures or controls which will apply to ensure that participants are treated with integrity and sensitivity, including whether questions to be asked or procedures to be employed are intrusive

iii. whether access to personal information is restricted to appropriate researchers

iv. the risk that a person or group could be identified in the published results

v. the procedures that are to be followed at the completion of the research to ensure that all data containing personal information are at least as secure as they were in the sources from which the data were obtained, including the date when the data will be destroyed or returned.

Recording, notification and monitoring of decisions

3.4 The decision of the HREC under 3.2 (b) must be recorded in accordance with paragraph 5.2.24 of the National Statement.

Wherever access to personal information from an agency is being considered, the HREC must also record the following:

• the agency from which the information will be sought

• the data items sought from the agency and approved by the HREC

• the number of records involved

• which APPs would be breached, or likely to be breached

• how and on what grounds the HREC came to the conclusion that it had sufficient information, expertise and understanding of privacy issues either amongst the members of the HREC or otherwise available to it, to make a decision that takes proper account of privacy.

3.5 It is an obligation of the HREC to monitor the research in accordance with ‘Chapter 5.5: Monitoring approved research’, National Statement.

3.6 When the HREC approves a research proposal, it must decide whether the research should commence within a defined period from the date of approval and whether the project should be completed within a set period, and notify the researcher of that decision.

4. The responsibilities of the NHMRC

4.1 The NHMRC may request, at any time, information in relation to paragraphs 3.4, 3.5 and 3.6 above.

4.2 When there has been a failure to comply with the guidelines NHMRC will:

• report details of the failure to the Commissioner and may name the researcher or the HREC responsible

• where that failure involves use of personal information disclosed by an agency, inform that agency of details of the failure.

5. Reports to or for the Commissioner

5.1 NHMRC will annually report details to the Commissioner of the research projects conducted under these guidelines and shall include evaluation of the operation of these guidelines for the year of reporting.

5.2 NHMRC will also provide to the Commissioner, at his or her request, additional information about the operation of the guidelines, research projects conducted under these guidelines and/or any failures to comply with these guidelines.

6. Complaint mechanisms

6.1 Complaints may be made to:

a) HRECs concerning the researcher’s and/or the institution’s conduct of an approved research project that may interfere with the privacy of the individual,

[See Chapter 5.6: Handling Complaints, of the National Statement] and/or

b) the Commissioner concerning the use of personal information by agencies.

Under section 36 of the Privacy Act 1988, an individual may complain to the Commissioner about an act or practice that may be an interference with the privacy of the individual. Where an agency seeks to rely on these guidelines in order to lawfully disclose personal information for the purpose of medical research under section 95, an individual may complain if the procedures set out in these guidelines are not followed.

GUIDELINES UNDER SECTION 95 of the PRIVACY ACT 1988	7
National Health and Medical Research Council	7
National Health and Medical Research Council

APPENDIX 1

Glossary of definitions3

Agency

Agency means a Minister, Department, body established under a Commonwealth act, or a person appointed by the Governor-General or holding office under a Commonwealth act, a federal Court, the Federal Police, a Norfolk Island agency, the nominated AGHS company (under Part 2 of the Hearing Services and AGHS Reform Act 1997), an eligible hearing service provider, or the service operator under the Healthcare Identifiers Act 2010.

De-identified samples or data

De-identified information is defined in the Privacy Act as personal information that is no longer about an identifiable individual or an individual who is reasonably identifiable.

De-identification involves permanently removing characteristics that do, or may, identify an individual taking into account information other than the record itself. In some cases, data may have been provided in de-identified form.

Identified samples or data

Data that enables the identification of a specific individual is referred to as ‘identified data’. Examples of identifiers may include the individual’s name, date of birth or address. In particularly small sets of data even information such as a postcode or particular medical or health characteristics may be an identifier.

Commissioner

Commissioner means the Australian Information Commissioner established under the Australian Information Commissioner Act 2010 (Cth), or if that Act is repealed, the Commonwealth officer exercising the privacy functions under the Privacy Act 1988 (Cth).

Health information

Health information is a subcategory of personal information. It is defined in s 6 of the Privacy Act 1988 as:

a) information or an opinion about:

the health or a disability (at any time) of an individual; or

ii. an individual’s expressed wishes about the future provision of health services to him or her; or

iii. a health service provided, or to be provided, to an individual; that is also personal information; or

b) other personal information collected to provide, or in providing, a health service; or

3 Definitions from the Privacy Act were current at 12 March 2014.

GUIDELINES UNDER SECTION 95 of the PRIVACY ACT 1988	8
National Health and Medical Research Council	8
National Health and Medical Research Council

c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or

d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.

Medical research

As defined in the Privacy Act 1988 medical research includes epidemiological research.

Personal information

Personal information is defined in the Privacy Act 1988 (Cth) as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.

Potentially identifiable (coded, re-identifiable) samples or data

Data may have identifiers removed and replaced by a code. In such cases it is possible to use the code to re-identify the person to whom the data relates, that is, the process of de-identification is reversible. In these cases the data are referred to as ‘potentially identifiable’.

Research

As defined in the National Statement on Ethical Conduct in Human Research, 2007 this involves at least systematic investigation undertaken to gain knowledge and understanding or to train researchers.

Sensitive Information

Sensitive information is defined in the Privacy Act 1988 (Cth) as meaning:

a) information or an opinion about an individual’s:

racial or ethnic origin; or

ii. political opinions; or

iii. membership of a political association; or

iv. religious beliefs or affiliations; or

v. philosophical beliefs; or

vi. membership of a professional or trade association; or

vii. membership of a trade union; or

viii. sexual orientation or practices; or

ix. criminal record;

that is also personal information; or

b) health information about an individual; or

c) genetic information about an individual that is not otherwise health information; or

d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or

e) biometric templates.