Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
Types
Review of guidelines under Section 95 of the Privacy Act 1988: Report on Commonwealth agencies? responses to the OFPC survey (October 2001)
pdf (38.41 KB)
Review of Guidelines under Section 95 of the Privacy Act 1988
Report on Commonwealth agencies’ responses to the OFPC survey
BACKGROUND
Section 95 of the Privacy Act 1988 (the Privacy Act) permits the National Health and Medical Research Council (NHMRC), with the approval of the Privacy Commissioner, to issue guidelines for the protection of privacy in the conduct of medical research. These are the Guidelines under Section 95 of the Privacy Act 1988 (s. 95 Guidelines). Guidelines are only approved where the Commissioner is satisfiedthat the public interest in the promotion of research of the kind to which theGuidelines relate outweighs “to a substantial degree” the public interest in adhering to the Information Privacy Principles in the Privacy Act.
The Australian Health Ethics Committee (AHEC) is a principal committee of the NHMRC and advises on the functioning of Human Research Ethics Committees (HRECs), which review the proposed research projects where the Guidelines may need to be applied. The NHMRC issued revised s. 95 Guidelines in March 2000.
Section 95 Review
Under Guideline 7.1, the NHMRC is required to initiate a review of the adequacy andoperation of the Guidelines twelve months from their date of issue. The aim of the review is to investigate how the Guidelines have been operating for all parties who are involved in their use and also to determine whether further assistance on the use of the Guidelines is required by researchers, HRECs or Commonwealth agencies.
To ensure a complete review, AHEC asked the OFPC to survey Commonwealth agencies (that receive requests for disclosure of data), while AHEC surveyed registered HRECs (that consider research proposals, which seek approval for access to identified data without consent).
METHODOLOGY
Stage 1
The OFPC wrote to 99 Commonwealth agencies and Statutory Authorities enclosing a ten-question survey (see Appendix 1 – List of Agencies). These agencies were considered by the OFPC as possibly holding databases of identifiable personal information.
Questions asked in the survey addressed the various stages of compliance with thes. 95 Guidelines by Commonwealth agencies, including ethics approval and release authorisation. The ten questions included in the survey were developed by the OFPC and AHEC, with AHEC suggesting questions 1, 2, 5, 6 & 7 (Appendix 2 – Survey and covering letter). The survey was circulated on 13 September 2001 and agencies were given one month to respond.
The initial closing date for responses was 19 October 2001, with some agencies asking for an extension as they had internal divisions and branches to consult. After 19 October 2001, the Office contacted those agencies that had not responded, deferring the final closing date for responses to 12 November 2001.
Stage 2
Seventy-seven (78%) of the agencies responded via email, telephone and letter. These responses were categorised according to the questions asked within the survey.
Further contact was made via telephone and email with the 19 agencies where aresponse was still outstanding. Although an indication was given that a response would be forthcoming, these agencies did not respond to the survey. Later analysis, in liaison with AHEC, showed that surveyed HRECs did not list any of these agencies as being those from which personal information had been sought for the research proposals they had considered during the survey period.
Two of the original letters were sent to individual agencies within a larger portfolio agency, as well as to the larger agency. In these instances the responses sent by thelarger portfolio/agency covered both and were counted and categorised as one response.
Stage 3
In October 2002 a further agency was identified and surveyed, taking the total to 100 agencies.
In February 2003, AHEC and the OFPC discussed the reports of their respective outcomes, with a view to the joint publication of a final report.
During this re-analysis, one government agency revised its October 2001 response.
FINDINGS
Q. 1 How many times was your agency approached to release personalinformation in accordance with the s. 95 Guidelines?
Review timeframe
March 2000 – June 2001
Approaches to agencies
29
Releases
22
Approaches
For the period covering March 2000 – June 2001, a total of 29 approaches were made to Commonwealth agencies to release information under s. 95 of the Privacy Act.
Releases
For the period covering March 2000 – June 2001, there were 22 releases of identified personal information made by Commonwealth agencies under s. 95 of the Privacy Act.
Q. 2 On how many occasions had HREC approval been granted prior to youragency being approached by the researcher to release personal information inaccordance with s. 95 Guidelines?
On all 29 occasions HREC approval had been granted prior to the researcherapproaching the Commonwealth agency.
Q. 3 Did your agency verify that the HREC was registered with the NHMRC?
All releases under the s. 95 Guidelines were made based on HREC approval, without the agency knowing whether the HREC was registered with the NHMRC.
Some agencies raised concerns about whether they needed to verify that the HREC which had granted approval for the conduct of the medical research was registered with the NHMRC.
Q. 4 Who is responsible in your department for approving disclosures ofpersonal information under the s. 95 Guidelines (eg. the Privacy Contact Officeror a particular program area)?
14 agencies gave sole responsibility for releases under the s. 95 Guidelines to theirPrivacy Contact Officer (PCO). A further six agencies did indicate that their PCO was consulted during the disclosure process, but final approval was given by a more senior section/officer. These six instances have not been included in the total for the PCO, but are distributed through Legal/Policy; Head of Division and GeneralManger/CEO totals.
Privacy Contact Officer (PCO) 14
Legal/Policy Division 7
Head of Division (where the request is directed) 10
General Manager/CEO 8
No citation 32
Other 6
TOTAL 77
‘Other’ includes those agencies with statutory impediments to releasing personal information.
Q. 5 On how many occasions had HREC approval not been granted prior to your agency being approached by a researcher to release personal information(where this would have involved a breach of the Information Privacy Principles), and if so what action was taken?
There was one occasion reported by a Commonwealth agency, where prior approval had not been granted by an HREC before an approach by a researcher. The study was not pursued by the researcher.
One agency received a preliminary approach from an international researcher to release personal information, but the approach was not subsequently followed up.
Q. 6 How many requests for the release of personal information under the s. 95 Guidelines were approved or rejected by your agency?
In addition to the 22 releases, there were four further approaches made under s. 95 Guidelines, that did not eventuate in the release of personal information.
Q. 7 What were the reasons provided by your agency on those occasions (if any) where a HREC had granted approval for a research project, but your agency chose not to release the personal information concerned to the researcher?
Reasons given by Commonwealth agencies for these non-releases are:
- Inadequate privacy protocols within the study design
- Researcher did not proceed with the study
- Two studies had gained HREC approval and were pending approval by theCommonwealth agency.
Q. 8 Has your department received any complaints regarding the release of personal information under the s. 95 Guidelines?
There were no complaints reported from any Commonwealth agency regarding the release of personal information under the s. 95 Guidelines.
In addition, the OFPC has not received any complaints regarding the release of personal information under the s. 95 Guidelines.
Q. 9 If so, what was the general nature of those complaints, what actions were taken to resolve the complaints, and was the complaint resolved to the satisfaction of the complainant?
Not applicable - See Question 8 .
Q. 10 Have you identified a need for further information or training about any aspect of the application of the s. 95 Guidelines?
Four agencies identified areas of need for further training and information.
ADDITIONAL FINDINGS
Registration
Commonwealth agencies have indicated a need for further clarification regarding whether HRECs which approve requests to release personal information under the s. 95 Guidelines are registered with the AHEC, and whether there is any requirement for them to be.
Currently, there is no accessible list of HRECs registered with AHEC, and there is no legal requirement that a HREC be registered with AHEC. This is significant, in part, because there is no obligation for an unregistered HREC to comply with the National Statement on Ethical Conduct in Research Involving Humans .
AHEC has advised that when an agency seeks confirmation of HREC registration, itdoes so by telephone. AHEC is developing a policy to publish or make available the list of registered HRECs.
Medical Research
One agency had 17 successful approaches for the release of personal information under s. 95 of the Privacy Act. The agency noted that some of these research proposals may relate to social or community research rather than medical research as such.
Agency HRECs
Some Commonwealth agencies have their own HRECs – currently there are five (5) agencies whose HRECs are registered with AHEC. One agency, in the process of answering the survey, came to realise that its HREC was not registered with AHEC.The agency has indicated that it is proceeding to register the HREC.
Coordination of OFPC Agency Survey and AHEC Survey of HRECs
OFPC and AHEC discussed the draft reports from AHEC’s survey of HRECs and OFPC’s survey of agencies in early 2003. Significantly, the list of agencies indicated by HRECs as being nominated by researchers seeking approval under the s. 95 Guidelines overlapped to only a small degree with the responses from agencies reporting approaches under the s. 95 Guidelines.
Five primary possible reasons for this discrepancy were identified. First, HRECs differ in whether or not they require researchers to have gained ‘in-principle’ approval from an agency, before submitting the research proposal to the HREC. As a consequence, the HRECs may have listed agencies nominated in research proposals that were approved by the HREC, but that did not proceed for some reason unrelated to HREC approval.
Secondly, of the agencies listed by HRECs as being those nominated by researchers in research proposals, some reported no record of approaches or releases under the s. 95 Guidelines. This may be because not all agencies keep a record of unsuccessful approaches from researchers for such releases. In addition, some of the agencies nominated by an HREC reported that there was a statutory impediment, other than the Privacy Act, to releasing personal information.
Thirdly, a period of time may elapse between an HREC approving a research proposal, and the researcher approaching the agency for release of information. The survey, however, reflects a ‘snapshot’ period (March 2000 – June 2001). As a consequence, research proposals considered by HRECs in the survey period may not have come to agencies until after June 2001. Similarly, approaches to agencies duringthe survey period may have related to research proposals considered by HRECs prior to March 2000.
Fourthly, the most notable discrepancy related to one Commonwealth agency that reported 17 releases under s. 95 of the Privacy Act, but was nominated by HRECs in regard to only 1 research proposal. Along with the three reasons above, a fourth consideration applies to this particular agency. The governing act of this agency allows for releases of personal information for medical research according to regulations that refer to the Guidelines Under Section 95 of the Privacy Act . As a consequence, HRECs and/or researchers may not view such releases as coming under s. 95 of the Privacy Act as such.
Fifthly, of the nine agencies listed by HRECs as those nominated by researchers seeking approval under the s. 95 Guidelines, one – the Australian Twin Register – is not a Commonwealth agency (the Twin Register is apparently held at the University of Melbourne), and was not surveyed by the OFPC. The remaining eight agencies all submitted responses to the OFPC.
FUTURE STEPS ARISING
- Agencies be encouraged to find out whether the HREC considering theresearch proposal is registered with AHEC, or have a criterion for establishing the HREC’s status before releasing information under s. 95 of the Privacy Act. Internal assessment of requests by researchers should be co-ordinated through the PCO.
- OFPC will collaborate with AHEC in providing guidance to agencies that areasked to deal with research proposals under the s. 95 Guidelines and that do not appear to the agency to involve ‘medical research’.
- The OFPC and AHEC will continue to provide assistance to Commonwealth agencies regarding their obligations under s. 95 of the Privacy Act. An important step in this direction was taken in the first half of 2002 with the national series of privacy workshops for HRECs and the research community, conducted by AHEC with OFPC participation.
APPENDIX 1 – List of Commonwealth agencies surveyed
- Aboriginal and Torres Strait Islander Commission
- Aboriginal Hostels Limited
- Administrative Appeals Tribunal
- Airservices Australia
- Attorney-General's Department
- Australia New Zealand Food Authority
- Australian Agency for International Development (AusAID)
- Australian Bureau of Agricultural and Resource Economics
- Australian Bureau of Statistics
- Australian Centre for International Agricultural Research
- Australian Competition and Consumer Commission
- Australian Customs Service
- Australian Electoral Commission
- Australian Federal Police
- Australian Geological Survey Organisation
- Australian Hearing Services
- Australian Indigenous HealthInfonet
- Australian Industrial Registry
- Australian Industrial Relations Commission
- Australian Institute of Aboriginal & Torres Strait Islander Studies
- Australian Institute of Criminology
- Australian Institute of Family Studies
- Australian Institute of Health and Welfare
- Australian Institute of Police Management
- Australian Law Reform Commission
- Australian Maritime Safety Authority
- Australian National Training Authority
- Australian Nuclear Science and Technology Organisation
- Australian Prescriber
- Australian Protective Service
- Australian Quarantine and Inspection Service
- Australian Radiation Protection and Nuclear Safety Agency
- Australian Safeguards and Non-Proliferation Office
- Australian Sports Commission
- Australian Sports Foundation
- Australian Surveying and Land Information Group
- Australian Taxation Office
- Australian Transport Safety Bureau
- Australian War Memorial
- Business and Community Partnerships
- Centrelink
- Child Support Agency
- Civil Aviation Safety Authority
- Commonwealth Ombudsman
- Communications, Information Technology and the Arts
- ComSuper
- CrimTrac
- CSIRO
- Defence Force Remuneration Tribunal
- Defence Housing Authority
- Department of Defence
- Department of Education, Training and Youth Affairs
- Department of Employment, Workplace Relations and Small Business
- Department of Family and Community Services
- Department of Foreign Affairs and Trade
- Department of Health and Aged Care
- Department of Industry, Science and Resources
- Department of the Environment and Heritage Australia
- Department of Transport and Regional Services
- Department of Veterans' Affairs
- Emergency Management Australia
- Employment National
- Equal Opportunity for Women in the Workplace Agency
- Federal Court of Australia
- Federal Magistrates Service
- Health Insurance Commission
- Health Services Australia
- High Court of Australia
- Human Rights and Equal Opportunity Commission
- Immigration and Multicultural Affairs
- Medibank Private
- Migration Review Tribunal
- National Archives of Australia
- National Childcare Accreditation Council
- National Competition Council
- National Environment Protection Council Service Corporation
- National Gallery of Australia
- National Institute of Forensic Science
- National Library of Australia
- National Museum of Australia
- National Native Title Tribunal
- National Occupational Health and Safety Commission
- National Registration Authority
- National Road Transport Commission
- Office of Asset Sales and Commercial Support
- Office of National Assessments
- Office of the Employment Advocate
- Office of Vocational Education & Training, Tasmania
- Private Health Insurance Administration Council
- Private Health Insurance Ombudsman
- Productivity Commission
- Public Service and Merit Protection Commission
- Reconciliation and Aboriginal and Torres Strait Islander Affairs
- Refugee Review Tribunal
- Remuneration Tribunal
- Safety, Rehabilitation & Compensation Commission
- Seafarers Safety, Rehabilitation and Compensation Authority (Seacare)
- Snowy Mountains Hydro-electric Authority
- Social Security Appeals Tribunal
- Torres Strait Regional Authority
APPENDIX 2 – Questionnaire and covering letter
REQUEST FOR INFORMATION - Guidelines Under Section 95 of the Privacy Act .
I am writing to seek your assistance in a review of the Guidelines under Sectio n 95 of the Privacy Act 1988 (the Act). Section 95 permits the National Health and Medical Research Council (NHMRC), with the approval of the Privacy Commissioner, to issue guidelines for the protection of privacy in the conduct of medical research. The Commissioner may only approve the Guidelines if satisfied that the public interest in the promotion of research of the kind to which the Guidelines relate outweighs “to a substantial degree” the public interest in adhering to the Information Privacy Principles in the Act. The Guidelines provide a framework for the conduct of medical research using information held by Commonwealth agencies where identified information needs to be used without the consent of the research subjects.
The Australian Health Ethics Committee (AHEC) is a principal committee of the NHMRC and advises on the functioning of Human Research Ethics Committees(HRECs) which review the proposed research projects where the Guidelines may need to be applied. AHEC provides an annual report on the operation of the Guidelines to my Office.
The NHMRC issued revised s. 95 Guidelines in March 2000 after they were approved in December 1999. Under Guideline 7.1 the NHMRC was required to initiate are view of the adequacy and operation of the Guidelines twelve months from the date of issue.
The aim of the review is to investigate how the Guidelines have been operating for allparties who are involved in their use and also whether further assistance on the use ofthe Guidelines is required by researchers, HRECs or agencies. AHEC will beconducting a survey of HRECs and examining its own records in relation to complaints and requests from HRECs for assistance in applying the Guidelines. In order to form a complete picture of all aspects of the use of the Guidelines we have agreed to survey all the Commonwealth agencies who have released (or declined to release) data for research under the Guidelines for the 1999-2000 and 2000-2001 reporting periods. I am therefore writing to request details regarding disclosures of personal information made by your agency in accordance with the Guidelines.
If you could provide a response to the questions in Attachment 1. it would greatly assist the NHMRC and my Office to gain a better understanding of how the Guidelines are applied. We would appreciate your response by 19 October. If you anticipate having any difficulty in meeting this deadline please contact Brian Cox on (02) 9284 9790.
Yours sincerely
Malcolm Crompton
Federal Privacy Commissioner
13 September 2001
- How many times was your agency approached to release personal information in accordance with the s. 95 Guidelines?
- On how many occasions had HREC approval been granted prior to your agency being approached by the researcher to release personal information in accordance with the s. 95 Guidelines?
- Did your agency verify that the HREC was registered with the NHMRC?
- Who is responsible in your department for approving disclosures of personal information under the s. 95 Guidelines (e.g. the Privacy Contact Officer or a particular program area)?
- On how many occasions had HREC approval not been granted prior to your agency being approached by a researcher to release personal information (where this would have involved a breach of the Information Privacy Principles), and if so what action was taken?
- How many requests for the release of personal information under the s. 95 Guidelines were approved or rejected by your agency?
- What were the reasons provided by your agency on those occasions (if any) where a HREC had granted approval for a research project, but your agency chose not to release the personal information concerned to the researcher?
- Has your department received any complaints regarding the release of personal information under the s. 95 Guidelines?
- If so what was the general nature of those complaints, what actions were taken to resolve the complaints, and was the complaint resolved to the satisfaction of the complainant?
- Have you identified a need for further information or training about any aspect of the application of the s. 95 Guidelines?



Get RSS feeds