pdf (38.41 KB)

Review of Guidelines under Section 95 of the Privacy Act 1988

Report on Commonwealth agencies’ responses to the OFPC survey

BACKGROUND

Section 95 of the Privacy Act 1988 (the Privacy Act) permits the National Health and Medical Research Council (NHMRC), with the approval of the Privacy Commissioner, to issue guidelines for the protection of privacy in the conduct of medical research. These are the Guidelines under Section 95 of the Privacy Act 1988 (s. 95 Guidelines). Guidelines are only approved where the Commissioner is satisfiedthat the public interest in the promotion of research of the kind to which theGuidelines relate outweighs “to a substantial degree” the public interest in adhering to the Information Privacy Principles in the Privacy Act.

The Australian Health Ethics Committee (AHEC) is a principal committee of the NHMRC and advises on the functioning of Human Research Ethics Committees (HRECs), which review the proposed research projects where the Guidelines may need to be applied. The NHMRC issued revised s. 95 Guidelines in March 2000.

Section 95 Review

Under Guideline 7.1, the NHMRC is required to initiate a review of the adequacy andoperation of the Guidelines twelve months from their date of issue. The aim of the review is to investigate how the Guidelines have been operating for all parties who are involved in their use and also to determine whether further assistance on the use of the Guidelines is required by researchers, HRECs or Commonwealth agencies.

To ensure a complete review, AHEC asked the OFPC to survey Commonwealth agencies (that receive requests for disclosure of data), while AHEC surveyed registered HRECs (that consider research proposals, which seek approval for access to identified data without consent).

METHODOLOGY

Stage 1

The OFPC wrote to 99 Commonwealth agencies and Statutory Authorities enclosing a ten-question survey (see Appendix 1 – List of Agencies). These agencies were considered by the OFPC as possibly holding databases of identifiable personal information.

Questions asked in the survey addressed the various stages of compliance with thes. 95 Guidelines by Commonwealth agencies, including ethics approval and release authorisation. The ten questions included in the survey were developed by the OFPC and AHEC, with AHEC suggesting questions 1, 2, 5, 6 & 7 (Appendix 2 – Survey and covering letter). The survey was circulated on 13 September 2001 and agencies were given one month to respond.

The initial closing date for responses was 19 October 2001, with some agencies asking for an extension as they had internal divisions and branches to consult. After 19 October 2001, the Office contacted those agencies that had not responded, deferring the final closing date for responses to 12 November 2001.

Stage 2

Seventy-seven (78%) of the agencies responded via email, telephone and letter. These responses were categorised according to the questions asked within the survey.

Further contact was made via telephone and email with the 19 agencies where aresponse was still outstanding. Although an indication was given that a response would be forthcoming, these agencies did not respond to the survey. Later analysis, in liaison with AHEC, showed that surveyed HRECs did not list any of these agencies as being those from which personal information had been sought for the research proposals they had considered during the survey period.

Two of the original letters were sent to individual agencies within a larger portfolio agency, as well as to the larger agency. In these instances the responses sent by thelarger portfolio/agency covered both and were counted and categorised as one response.

Stage 3

In October 2002 a further agency was identified and surveyed, taking the total to 100 agencies.

In February 2003, AHEC and the OFPC discussed the reports of their respective outcomes, with a view to the joint publication of a final report.

During this re-analysis, one government agency revised its October 2001 response.

FINDINGS

Q. 1 How many times was your agency approached to release personalinformation in accordance with the s. 95 Guidelines?

Review timeframe

March 2000 – June 2001

Approaches to agencies

29

Releases

22

Approaches

For the period covering March 2000 – June 2001, a total of 29 approaches were made to Commonwealth agencies to release information under s. 95 of the Privacy Act.

Releases

For the period covering March 2000 – June 2001, there were 22 releases of identified personal information made by Commonwealth agencies under s. 95 of the Privacy Act.

Q. 2 On how many occasions had HREC approval been granted prior to youragency being approached by the researcher to release personal information inaccordance with s. 95 Guidelines?

On all 29 occasions HREC approval had been granted prior to the researcherapproaching the Commonwealth agency.

Q. 3 Did your agency verify that the HREC was registered with the NHMRC?

All releases under the s. 95 Guidelines were made based on HREC approval, without the agency knowing whether the HREC was registered with the NHMRC.

Some agencies raised concerns about whether they needed to verify that the HREC which had granted approval for the conduct of the medical research was registered with the NHMRC.

Q. 4 Who is responsible in your department for approving disclosures ofpersonal information under the s. 95 Guidelines (eg. the Privacy Contact Officeror a particular program area)?

14 agencies gave sole responsibility for releases under the s. 95 Guidelines to theirPrivacy Contact Officer (PCO). A further six agencies did indicate that their PCO was consulted during the disclosure process, but final approval was given by a more senior section/officer. These six instances have not been included in the total for the PCO, but are distributed through Legal/Policy; Head of Division and GeneralManger/CEO totals.

Privacy Contact Officer (PCO) 14

Legal/Policy Division 7

Head of Division (where the request is directed) 10

General Manager/CEO 8

No citation 32

Other 6

TOTAL 77

‘Other’ includes those agencies with statutory impediments to releasing personal information.

Q. 5 On how many occasions had HREC approval not been granted prior to your agency being approached by a researcher to release personal information(where this would have involved a breach of the Information Privacy Principles), and if so what action was taken?

There was one occasion reported by a Commonwealth agency, where prior approval had not been granted by an HREC before an approach by a researcher. The study was not pursued by the researcher.

One agency received a preliminary approach from an international researcher to release personal information, but the approach was not subsequently followed up.

Q. 6 How many requests for the release of personal information under the s. 95 Guidelines were approved or rejected by your agency?

In addition to the 22 releases, there were four further approaches made under s. 95 Guidelines, that did not eventuate in the release of personal information.

Q. 7 What were the reasons provided by your agency on those occasions (if any) where a HREC had granted approval for a research project, but your agency chose not to release the personal information concerned to the researcher?

Reasons given by Commonwealth agencies for these non-releases are:

• Inadequate privacy protocols within the study design
• Researcher did not proceed with the study
• Two studies had gained HREC approval and were pending approval by theCommonwealth agency.

Q. 8 Has your department received any complaints regarding the release of personal information under the s. 95 Guidelines?

There were no complaints reported from any Commonwealth agency regarding the release of personal information under the s. 95 Guidelines.

In addition, the OFPC has not received any complaints regarding the release of personal information under the s. 95 Guidelines.

Q. 9 If so, what was the general nature of those complaints, what actions were taken to resolve the complaints, and was the complaint resolved to the satisfaction of the complainant?

Not applicable - See Question 8 .

Q. 10 Have you identified a need for further information or training about any aspect of the application of the s. 95 Guidelines?

Four agencies identified areas of need for further training and information.

ADDITIONAL FINDINGS

Registration

Commonwealth agencies have indicated a need for further clarification regarding whether HRECs which approve requests to release personal information under the s. 95 Guidelines are registered with the AHEC, and whether there is any requirement for them to be.

Currently, there is no accessible list of HRECs registered with AHEC, and there is no legal requirement that a HREC be registered with AHEC. This is significant, in part, because there is no obligation for an unregistered HREC to comply with the National Statement on Ethical Conduct in Research Involving Humans .

AHEC has advised that when an agency seeks confirmation of HREC registration, itdoes so by telephone. AHEC is developing a policy to publish or make available the list of registered HRECs.

Medical Research

One agency had 17 successful approaches for the release of personal information under s. 95 of the Privacy Act. The agency noted that some of these research proposals may relate to social or community research rather than medical research as such.

Agency HRECs

Some Commonwealth agencies have their own HRECs – currently there are five (5) agencies whose HRECs are registered with AHEC. One agency, in the process of answering the survey, came to realise that its HREC was not registered with AHEC.The agency has indicated that it is proceeding to register the HREC.

Coordination of OFPC Agency Survey and AHEC Survey of HRECs

OFPC and AHEC discussed the draft reports from AHEC’s survey of HRECs and OFPC’s survey of agencies in early 2003. Significantly, the list of agencies indicated by HRECs as being nominated by researchers seeking approval under the s. 95 Guidelines overlapped to only a small degree with the responses from agencies reporting approaches under the s. 95 Guidelines.

Five primary possible reasons for this discrepancy were identified. First, HRECs differ in whether or not they require researchers to have gained ‘in-principle’ approval from an agency, before submitting the research proposal to the HREC. As a consequence, the HRECs may have listed agencies nominated in research proposals that were approved by the HREC, but that did not proceed for some reason unrelated to HREC approval.

Secondly, of the agencies listed by HRECs as being those nominated by researchers in research proposals, some reported no record of approaches or releases under the s. 95 Guidelines. This may be because not all agencies keep a record of unsuccessful approaches from researchers for such releases. In addition, some of the agencies nominated by an HREC reported that there was a statutory impediment, other than the Privacy Act, to releasing personal information.

Thirdly, a period of time may elapse between an HREC approving a research proposal, and the researcher approaching the agency for release of information. The survey, however, reflects a ‘snapshot’ period (March 2000 – June 2001). As a consequence, research proposals considered by HRECs in the survey period may not have come to agencies until after June 2001. Similarly, approaches to agencies duringthe survey period may have related to research proposals considered by HRECs prior to March 2000.

Fourthly, the most notable discrepancy related to one Commonwealth agency that reported 17 releases under s. 95 of the Privacy Act, but was nominated by HRECs in regard to only 1 research proposal. Along with the three reasons above, a fourth consideration applies to this particular agency. The governing act of this agency allows for releases of personal information for medical research according to regulations that refer to the Guidelines Under Section 95 of the Privacy Act . As a consequence, HRECs and/or researchers may not view such releases as coming under s. 95 of the Privacy Act as such.

Fifthly, of the nine agencies listed by HRECs as those nominated by researchers seeking approval under the s. 95 Guidelines, one – the Australian Twin Register – is not a Commonwealth agency (the Twin Register is apparently held at the University of Melbourne), and was not surveyed by the OFPC. The remaining eight agencies all submitted responses to the OFPC.

FUTURE STEPS ARISING

• Agencies be encouraged to find out whether the HREC considering theresearch proposal is registered with AHEC, or have a criterion for establishing the HREC’s status before releasing information under s. 95 of the Privacy Act. Internal assessment of requests by researchers should be co-ordinated through the PCO.
• OFPC will collaborate with AHEC in providing guidance to agencies that areasked to deal with research proposals under the s. 95 Guidelines and that do not appear to the agency to involve ‘medical research’.
• The OFPC and AHEC will continue to provide assistance to Commonwealth agencies regarding their obligations under s. 95 of the Privacy Act. An important step in this direction was taken in the first half of 2002 with the national series of privacy workshops for HRECs and the research community, conducted by AHEC with OFPC participation.

APPENDIX 1 – List of Commonwealth agencies surveyed

1. Aboriginal and Torres Strait Islander Commission
2. Aboriginal Hostels Limited
3. Administrative Appeals Tribunal
4. Airservices Australia
5. Attorney-General's Department
6. Australia New Zealand Food Authority
7. Australian Agency for International Development (AusAID)
8. Australian Bureau of Agricultural and Resource Economics
9. Australian Bureau of Statistics
10. Australian Centre for International Agricultural Research
11. Australian Competition and Consumer Commission
12. Australian Customs Service
13. Australian Electoral Commission
14. Australian Federal Police
15. Australian Geological Survey Organisation
16. Australian Hearing Services
17. Australian Indigenous HealthInfonet
18. Australian Industrial Registry
19. Australian Industrial Relations Commission
20. Australian Institute of Aboriginal & Torres Strait Islander Studies
21. Australian Institute of Criminology
22. Australian Institute of Family Studies
23. Australian Institute of Health and Welfare
24. Australian Institute of Police Management
25. Australian Law Reform Commission
26. Australian Maritime Safety Authority
27. Australian National Training Authority
28. Australian Nuclear Science and Technology Organisation
29. Australian Prescriber
30. Australian Protective Service
31. Australian Quarantine and Inspection Service
32. Australian Radiation Protection and Nuclear Safety Agency
33. Australian Safeguards and Non-Proliferation Office
34. Australian Sports Commission
35. Australian Sports Foundation
36. Australian Surveying and Land Information Group
37. Australian Taxation Office
38. Australian Transport Safety Bureau
39. Australian War Memorial
40. Business and Community Partnerships
41. Centrelink
42. Child Support Agency
43. Civil Aviation Safety Authority
44. Commonwealth Ombudsman
45. Communications, Information Technology and the Arts
46. ComSuper
47. CrimTrac
48. CSIRO
49. Defence Force Remuneration Tribunal
50. Defence Housing Authority
51. Department of Defence
52. Department of Education, Training and Youth Affairs
53. Department of Employment, Workplace Relations and Small Business
54. Department of Family and Community Services
55. Department of Foreign Affairs and Trade
56. Department of Health and Aged Care
57. Department of Industry, Science and Resources
58. Department of the Environment and Heritage Australia
59. Department of Transport and Regional Services
60. Department of Veterans' Affairs
61. Emergency Management Australia
62. Employment National
63. Equal Opportunity for Women in the Workplace Agency
64. Federal Court of Australia
65. Federal Magistrates Service
66. Health Insurance Commission
67. Health Services Australia
68. High Court of Australia
69. Human Rights and Equal Opportunity Commission
70. Immigration and Multicultural Affairs
71. Medibank Private
72. Migration Review Tribunal
73. National Archives of Australia
74. National Childcare Accreditation Council
75. National Competition Council
76. National Environment Protection Council Service Corporation
77. National Gallery of Australia
78. National Institute of Forensic Science
79. National Library of Australia
80. National Museum of Australia
81. National Native Title Tribunal
82. National Occupational Health and Safety Commission
83. National Registration Authority
84. National Road Transport Commission
85. Office of Asset Sales and Commercial Support
86. Office of National Assessments
87. Office of the Employment Advocate
88. Office of Vocational Education & Training, Tasmania
89. Private Health Insurance Administration Council
90. Private Health Insurance Ombudsman
91. Productivity Commission
92. Public Service and Merit Protection Commission
93. Reconciliation and Aboriginal and Torres Strait Islander Affairs
94. Refugee Review Tribunal
95. Remuneration Tribunal
96. Safety, Rehabilitation & Compensation Commission
97. Seafarers Safety, Rehabilitation and Compensation Authority (Seacare)
98. Snowy Mountains Hydro-electric Authority
99. Social Security Appeals Tribunal
100. Torres Strait Regional Authority

APPENDIX 2 – Questionnaire and covering letter

REQUEST FOR INFORMATION - Guidelines Under Section 95 of the Privacy Act .

I am writing to seek your assistance in a review of the Guidelines under Sectio n 95 of the Privacy Act 1988 (the Act). Section 95 permits the National Health and Medical Research Council (NHMRC), with the approval of the Privacy Commissioner, to issue guidelines for the protection of privacy in the conduct of medical research. The Commissioner may only approve the Guidelines if satisfied that the public interest in the promotion of research of the kind to which the Guidelines relate outweighs “to a substantial degree” the public interest in adhering to the Information Privacy Principles in the Act. The Guidelines provide a framework for the conduct of medical research using information held by Commonwealth agencies where identified information needs to be used without the consent of the research subjects.

The Australian Health Ethics Committee (AHEC) is a principal committee of the NHMRC and advises on the functioning of Human Research Ethics Committees(HRECs) which review the proposed research projects where the Guidelines may need to be applied. AHEC provides an annual report on the operation of the Guidelines to my Office.

The NHMRC issued revised s. 95 Guidelines in March 2000 after they were approved in December 1999. Under Guideline 7.1 the NHMRC was required to initiate are view of the adequacy and operation of the Guidelines twelve months from the date of issue.

The aim of the review is to investigate how the Guidelines have been operating for allparties who are involved in their use and also whether further assistance on the use ofthe Guidelines is required by researchers, HRECs or agencies. AHEC will beconducting a survey of HRECs and examining its own records in relation to complaints and requests from HRECs for assistance in applying the Guidelines. In order to form a complete picture of all aspects of the use of the Guidelines we have agreed to survey all the Commonwealth agencies who have released (or declined to release) data for research under the Guidelines for the 1999-2000 and 2000-2001 reporting periods. I am therefore writing to request details regarding disclosures of personal information made by your agency in accordance with the Guidelines.

If you could provide a response to the questions in Attachment 1. it would greatly assist the NHMRC and my Office to gain a better understanding of how the Guidelines are applied. We would appreciate your response by 19 October. If you anticipate having any difficulty in meeting this deadline please contact Brian Cox on (02) 9284 9790.

Yours sincerely

Malcolm Crompton

Federal Privacy Commissioner

13 September 2001

1. How many times was your agency approached to release personal information in accordance with the s. 95 Guidelines?
2. On how many occasions had HREC approval been granted prior to your agency being approached by the researcher to release personal information in accordance with the s. 95 Guidelines?
3. Did your agency verify that the HREC was registered with the NHMRC?
4. Who is responsible in your department for approving disclosures of personal information under the s. 95 Guidelines (e.g. the Privacy Contact Officer or a particular program area)?
5. On how many occasions had HREC approval not been granted prior to your agency being approached by a researcher to release personal information (where this would have involved a breach of the Information Privacy Principles), and if so what action was taken?
6. How many requests for the release of personal information under the s. 95 Guidelines were approved or rejected by your agency?
7. What were the reasons provided by your agency on those occasions (if any) where a HREC had granted approval for a research project, but your agency chose not to release the personal information concerned to the researcher?
8. Has your department received any complaints regarding the release of personal information under the s. 95 Guidelines?
9. If so what was the general nature of those complaints, what actions were taken to resolve the complaints, and was the complaint resolved to the satisfaction of the complainant?
10. Have you identified a need for further information or training about any aspect of the application of the s. 95 Guidelines?