Under the National Privacy Principles (NPPs) sensitive information cannot usually be collected without the person's consent (NPP 10). Health information is one type of sensitive information (as defined in section 6 of the Privacy Act, 1988 (Cth) (the Privacy Act)). However NPP 10.3 permits organisations to collect health information without consent in some circumstances where the information is for:

• research or the compilation or analysis of statistics relevant to public health or public safety; or
• the management, funding or monitoring of a health service.

The NPPs also include a specific provision addressing the use or disclosure of health information without consent for research or the compilation or analysis of statistics relevant to public health or public safety (NPP 2.1(d)).

Health information

Health information is defined in section 6 of the Privacy Act. It is

1. information or an opinion about:
   1. the health or a disability (at any time) of an individual; or
   2. an individual's expressed wishes about the future provision of health services to him or her; or
   3. a health service provided, or to be provided, to an individual; that is also personal information; or
2. other personal information collected to provide, or in providing, a health service; or
3. other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances.

'Health service' is also defined in section 6 of the Privacy Act.

Collecting health information

This section deals with the requirements that organisations need to satisfy to collect health information without consent for research relevant to public health or public safety or health service management activities. Health information may only be collected without consent for these purposes if seeking consent is impracticable, and de-identified information would not be sufficient. Where these preconditions exist, collection must be carried out either according to guidelines issued under section 95A of the Privacy Act, or in accordance with binding rules of confidentiality issued by a competent health or medical body, or as required by law.

The diagram at Attachment 1 to this information sheet outlines the factors organisations will need to consider when collecting health information in these circumstances. It should be read in conjunction with the NPPs.

Organisations collecting information will also have to comply with the other NPPs that deal with collection (NPPs 1, 3, 7 and 8). Further information on these is available in the Guidelines to the National Privacy Principles.

Research and statistics 'relevant to public health or public safety'

To be relevant to public health or public safety the outcome of the research or the compilation or analysis of statistics should have an impact on, or provide information about, public health or public safety.

'Public health or public safety' is not defined in the Privacy Act. Examples of research and statistics that could fall into this category are research and statistics on communicable diseases, cancer, heart disease, mental health, injury control, diabetes and the prevention of childhood diseases.

The management, funding or monitoring of a health service

These terms are not defined in the Privacy Act. Whether an activity falls within the 'management, funding or monitoring of a health service' will depend on the circumstances. Factors that might ordinarily be relevant to this question include whether the organization provides a health service (health services are defined in section 6 of the Privacy Act) or whether the organisation has a role in funding or monitoring the quality or other aspects of a health service. 'Management, funding or monitoring of a health service' may include some quality assurance and audit activities.

An example of collection for these purposes might be an incident monitoring body collecting information about dangerous incidents occurring in a private hospital.

Information that does not identify the person

Organisations will need to consider if it is possible to achieve the research, statistical or management aims by collecting information that does not identify the person or from which a person's identity cannot reasonably be ascertained. An example of a circumstance in which non-identified health information might not achieve the purpose is where a project involves linking information about individuals from two or more sources and identified information is needed to correctly link records from each data source.

Tip for compliance As a security measure, an organisation collecting identified or identifiable information (that is, personal information) may wish to take steps to de-identify the information once the identified information is no longer needed. In the example above organisations might de-identify the information once the information from two different sources has been linked.

Impracticable to seek consent

The question of whether it is impracticable to seek consent ftiwill depend on the particular circumstances of the case. Impracticability should be something more than incurring some expense or effort in seeking an individual's consent. An example of where it may be impracticable to seek consent might be where there are no current contact details and where there is insufficient information to get up-to-date contact details. This might occur in longitudinal studies of old records. Another example could be in blind trials where consent would compromise the integrity of research.

Tip for compliance Organisations arguing that consent is impracticable because it would invalidate the research methodology should consider if this is the conclusion that a reasonable person, independent of the research project, would come to. For example, evidence that an appropriate Human Research Ethics Committee had come to that conclusion may be relevant here.

Collection as required by law

Information is collected as required by law if a law compels an organisation to collect the information. (This is distinct from the situation where a law authorises or permits collection but the organisation can choose whether or not to collect the information.) In this case 'law' refers to Commonwealth and State or Territory law.

Collection in accordance with binding rules of confidentiality issued by competent health or medical bodies

The two key elements of this requirement are that the rules dealing with obligations of professional confidentiality are binding and that they are issued by competent health and medical bodies. Binding rules are rules that must be followed, and generally, will give rise to some sort of adverse consequence if breached. Competent bodies might include medical boards and other rule-making bodies recognised in Commonwealth, State or Territory legislation.

Collection in accordance with Section 95A Guidelines

Section 95A of the Privacy Act gives the Privacy Commissioner (the Commissioner) power to approve guidelines issued by the National Health and Medical Research Council (NHMRC) or a 'prescribed authority' for:

• the collection, or use and disclosure, of health information for research or the compilation or analysis of statistics relevant to public health or public safety; or
• the collection of health information for the management, funding or monitoring of a health service.

The Commissioner may approve guidelines only if satisfied that the public interest in the use and disclosure or the collection of health information for the purposes listed above substantially outweighs the public interest in maintaining the level of privacy protection afforded by the (other) NPPs.

More information about the NHMRC's Section 95A Guidelines is available at www.privacy.gov.au/health/guidelines/#3

The Section 95A Guidelines are relevant only where it is proposed to collect, use or disclose health information for the listed purposes without the person's consent.

The NHMRC's Section 95A Guidelines essentially set out a process for determining if the public interest in the proposed activity substantially outweighs the public interest in maintaining the level of privacy protection afforded by the NPPs (other than the NPPs that refer to these guidelines). The NHMRC Section 95A Guidelines go on to spell out the processes to be followed if the proposed activity passes this public interest test.

The NHMRC Section 95A Guidelines are expected to be finalised before 21 December 2001. They could include:

• a process to assess proposals;
• information that will need to be provided as part of the process; and
• factors that might be relevant to determining the public interest. For example:
  • the degree to which the relevant activity is likely to contribute to
    • the identification, prevention or treatment of illness, injury or disease;
    • scientific understanding relating to public health or safety;
    • the protection of the health of individuals or communities;
    • the improved delivery of health services;
  • the public importance of the activity;
  • whether the risk of harm to an individual whose health information is involved in the proposal is minimal; and
  • the standards of conduct to be observed during the activity.

Taking reasonable steps to de-identify information before it is disclosed

This means that where an organisation has collected health information without consent for the purposes listed in NPP 10.3, the organisation must ordinarily de-identify the information before it discloses it. The information should be de-identified in a manner that does not allow it to be re-identified.

For example, health information collected for a research project should be modified so that the identities of the subjects are not reasonably apparent when the results of the research are published or otherwise disclosed.

Organisations should note that simply removing the person's name may not be enough to satisfy this criterion. In some circumstances a person's identity may reasonably be ascertained from other information - for example from an identity number, or other details held about the person, or from the context in which the information is collected.

Tip for compliance Determining what are reasonable steps will depend on the circumstances. Considerations that may be relevant in determining what steps are reasonable include: whether unit or aggregate information is being released; the 'cell size' of aggregate data; the context into which the information is being released; the capacity of the collecting organisation to re-identify the information; and the content and nature of any assurances given by, or agreement with, the receiving organisation about not attempting to re-identify information.

Using or disclosing health information

Organisations may use or disclose health information for research or statistical purposes relevant to public health or public safety or health service management activities where NPP 2 is satisfied. This includes where:

• the person has consented to the use or disclosure (NPP 2.1(b)); or
• the organisation is using or disclosing the information for the same (primary) purpose for which the information was collected (NPP 2.1); or
• the organisation is using or disclosing the information for a purpose directly related to the primary purpose for which the organisation collected the information and the person would reasonably expect the organisation to use or disclose the information for that purpose (NPP 2.1(a)).

In addition to the above, NPP 2.1(d) allows health information to be used or disclosed for a secondary purpose without consent where it is necessary for:

• research relevant to public health or public safety; or
• the compilation or analysis of statistics relevant to public health or public safety;

if:

• it is impracticable to seek consent before the use or disclosure; and
• the use or disclosure is in accordance with guidelines made under section 95A of the Privacy Act on use and disclosure of health information; and
• an organisation is considering disclosing the health information for these purposes, it must reasonably believe the recipient will not then disclose it or other personal information.

The flow chart at Attachment 2 summarises these options and requirements. It should be read in conjunction with the NPPs.

Many of the terms used in NPP 2.1(d) are the same as those in NPP 10.3, and have been explained in the first part of this information sheet. Others terms are explained below.

Use or disclosure of health information is necessary for the purpose

When considering whether use or disclosure of health information is 'necessary' for the research or statistical purposes listed in NPP 2.1(d), organisations should consider if it is necessary to use identified health information for these purposes. If de-identified information will serve the purpose then the 'necessary' criterion would not ordinarily be fulfilled.

There is a short discussion above of the meaning of 'relevant to public health and public safety'.

Using or disclosing health information for health service management activities

While NPP 10 specifically addresses the collection of health information for the management, funding and monitoring of a health service, the use and disclosure principle, NPP 2, does not.

Identified information may be used or disclosed for managing, funding or monitoring a health service in limited circumstances. It may be used or disclosed for these purposes where:

• the person has consented to the use or disclosure (NPP 2.1(b));
• the information is being used or disclosed for the same (primary) purpose for which the information was collected (NPP 2.1);
• the information is being used or disclosed for a purpose directly related to the primary purpose for which the information was collected and the person would reasonably expect the organisation to use for disclose the information for that purpose (NPP 2.1(a)); or
• another exception to NPP 2 applies.

Some management, funding and monitoring purposes are likely to be 'directly related' to the purpose of collection, where the primary purpose of collecting information was to provide particular health services to a person. For more information refer to the Guidelines on Privacy in the Private Health Sector, Part B Chapter 2: Use and Disclosure, Section 2.1. Attachment 1

Requirements when collecting health information without consent:

• for research or the compilation and analysis of statistics relevant to public health or public safety, or
• for the management, funding or monitoring of a health service.

Attachment 2

Options for using or disclosing health information for research or the compilation or analysis of statistics relevant to public health or public safety or for health service management activities.

About Information Sheets Information sheets are advisory only and are not legally binding. (The NPPs in Schedule 3 of the Privacy Act 1988 (Cth) (the Privacy Act) do legally bind organisations.) Information sheets are based on the Office's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation. Nothing in an information sheet limits the Privacy Commissioner's freedom to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with. Organisations may also wish to consult the Commissioner's guidelines and other information sheets.

Office of the Privacy Commissioner ISBN 1-877079-35-9 Privacy Hotline 1300 363 992 (local call charge)