Review of the National Statement on Ethical Conduct in Human Research; Submission to the National Health and Medical Research Council (March 2006)



Submission by the Office of the Privacy Commissioner to the National Health & Medical Research Council March 2006

Review of the National Statement on Ethical Conduct in Human Research – Second Consultation

Office of the Privacy Commissioner

1. The Office of the Privacy Commissioner (the Office) is an independent statutory body responsible for promoting an Australian culture that respects privacy. The Office, established under the Privacy Act 1988 (Cth) (Privacy Act), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

Introduction

2. The Office welcomes the opportunity to make this submission as part of the second consultation on the draft National Statement on Ethical Conduct in Human Research (the draft Statement), conducted jointly by the National Health and Medical Research Council (NHMRC), the Australian Research Council and the Australian Vice Chancellors’ Committee. The Office did not make a submission during the first consultation.

3. The document under revision is the 1999 National Statement on Ethical Conduct in Research Involving Humans (the existing National Statement). The document contains an agreed set of values, principles and guidelines for the conduct of human research. It furnishes national standards for the design, review and conduct of research and for the protection of participants.

4. The Office notes that, in the draft Statement, the issue of privacy is interwoven in various places with discussions of related matters, such as consent. Overall, the Office believes this does not provide as clear and comprehensive a statement on the important role of privacy in human research as in the existing National Statement. In the existing National Statement, the inclusion of the chapter on ‘Privacy of Information’ provides a more explicit overview of relevant privacy issues.

The Privacy Act and research

5. The Privacy Act provides a regulatory framework for the protection of personal information in many fields including human research. Since its passage in 1988, the Privacy Act has ‘recognise[d] the special nature of medical research, especially epidemiological research’.[1]

6. The protection of privacy in the conduct of medical research in Australia is facilitated through a combination of ethical and legal structures, including the Privacy Act and the framework of guidelines and approval processes provided through the NHMRC and the Australian Health Ethics Committee (AHEC).[2]

Review of the Privacy Act and medical research

7. In May 2005, the Attorney-General released a report of the review by the Privacy Commissioner into the operation of the private sector provisions of the Privacy Act.[3] Medical research was among the topics considered by the review. Numerous submissions were received and recommendations made.[4] The recommendations dealing with research privacy matters include:

  • The need for a broader inquiry into how to achieve national consistency in regulating research activity under the Privacy Act and into regulatory issues around de-identification of personal information; and
  • The Office’s working with the NHMRC to simplify the reporting process for human research ethics committees under the section 95A guidelines.

8. The report contains the following statement as to the law and policy in this area, which, though it refers to the private sector provisions of the Privacy Act, remains of broader application for the purposes of this submission:

There is a social interest in enabling medical researchers to have access to health information in certain circumstances. The Privacy Act is not intended to restrict important medical research. While health information, being sensitive information, is generally afforded extra protection under [National Privacy Principles] 2 and 10, the [National Privacy Principles] recognise the desirability of medical research by enabling health information to be collected, used and disclosed in certain circumstances without consent.[5]

9. It is against that background that the privacy-related issues in the draft Statement are now addressed.

Section 1 Values and principles of ethical conduct

10. Under ‘Ethics and law in human research’ in the ‘Introduction’, the draft Statement notes the role of Australian law generally in regulating research and, in particular, the protection of privacy by Commonwealth laws.

11. The Office understands that the draft Statement deals primarily with ethical standards for human research and does not discuss in detail the legal rights and obligations of participants and researchers.

12. As noted in the draft Statement, as well as the legal obligations, researchers have fundamental ethical obligations to research participants. One of these is to respect the privacy of research participants.[6] Accordingly, the Office supports the inclusion of paragraph 1.9 within the section on the ‘Values and Principles of Ethical Conduct’ in Section 1 of the draft Statement.

Categories of “personal information”

13. The existing National Statement has a ‘Preamble’ containing informative advice and guidance on a range of matters. The section ‘Research’ provides a discussion on the ‘Categories of personal information’, offering a distinction between identified, re-identifiable and de-identified data.[7] Since the Privacy Act defines personal information as information about an individual whose identity is apparent, or reasonably ascertainable,[8] the distinction between these categories is crucial in the context of privacy regulation. This was also recognised in the NHMRC’s submission to the Office’s review of the private sector provisions of the Privacy Act.[9]

14. The draft Statement, however, re-locates the material referred to in paragraph 13 above to Chapter 3.3 of the draft Statement (concerning ‘Databanks’). The Office believes that the guidance on the categories of personal information is of general application beyond the more limited topic of databanks and the positioning of this advice in the draft Statement should reflect this. Further, the positioning of this discussion in Chapter 3.3 may cloud the important link between categories of information and the application of privacy principles.

Omission of privacy chapter from draft Statement

15. Chapter 18 of the existing National Statement, titled ‘Privacy of Information’,[10] explains the concepts of privacy and confidentiality and distinguishes between them. The Information Privacy Principles in the Privacy Act and their relationship to medical research are also explained. Further, an Appendix to the existing National Statement contains the relevant Privacy Principles.[11]

16. The draft Statement omits this information currently provided in the existing National Statement. The Office believes that this represents a significant decrease in the guidance to researchers, HREC members and the community on a significant legal and ethical issue.

17. The Office strongly recommends that, in the interests of assisting stakeholders’ understanding of the concept of privacy and the relationship between human research and the Privacy Act, the draft Statement include explanatory information in the nature of the guidance described in paragraphs 13 and 15.

Chapter 2.2 Consent

18. The Office notes the expanded section on consent in the draft Statement and supports the inclusion of additional guidance on this topic and the maintenance of the generally high standards for consent required for the conduct of research.

19. The Office holds that the key elements of consent are:

  • it must be provided voluntarily;
  • the individual must be adequately informed; and
  • the individual must have the capacity to understand, provide and communicate their consent.

20. Further, while consent may be express or implied, in the handling of personal health information, deemed ‘sensitive’ under the Privacy Act, undue reliance should not be placed upon implied consent.[12]

21. Broadly speaking, under the Privacy Act, personal information can be used for research purposes:

  • with the individual’s consent; or
  • where the data has been anonymised; or
  • with HREC approval.

22. These elements of consent, anonymisation or HREC oversight can be described as the ‘three pillars’ of the regulatory framework for human research involving personal information.[13]

Consent to future use of data and tissue in research

23. The Office notes the provisions of paragraphs 2.2.13 – 2.2.15 and in particular the proposal that:

‘participants may give their consent for the use of their data in future unspecified research that may not be related to the original project (unspecified consent)’.

24. The Office is concerned that reliance on “unspecified consent”, while possibly advanced for practical reasons, may disturb the critical balance that underpins the legal and policy framework for human research involving personal information.

25. Whether a researcher has obtained consent of sufficient specificity to comply with the legal requirements for consent will depend on the circumstances of each case. Drawing from the elements of consent discussed above at paragraph 19, it may be questionable whether unspecified ‘consent’ can be adequately informed so as to be valid. Given the diversity of possible classes of human research, the Office cautions against the reliance by researchers on a form of ‘unspecified consent’ that affords the individual with no guidance as to what their personal health information may be used for in the future.

26. Further, the suggestion in paragraph 2.2.14 that ‘research proposals that rely on unspecified consent to the use of data may still require approval from a Human Research Ethics Committee (HREC)’ appears to reflect the problematic nature of ‘unspecified consent’. As discussed in paragraphs 21 and 22 above, consent and HREC review are distinct pillars of regulatory oversight for the handling of personal information in human research. The suggestion that unspecified consent may still require HREC approval appears to introduce an internal inconsistency to the draft Statement, and suggests, in accordance with the Office’s view, that unspecified consent may not be valid in some circumstances.

27. From a public policy perspective, the Office is concerned that research activities involving personal information that are inconsistent with a respect for privacy may erode public confidence and trust in the conduct of research generally. In the context of the debate around unspecified consent to the secondary uses of data, it has been said:

As consent of any form implies confidence, and confidence implies trust, the ramifications of confidentiality and trust must be considered along with consent.[14]

‘Low risk’ research without consent

28. The draft Statement also proposes that some types of research, described as low risk, using personal information without consent might be conducted without HREC approval. Research protocols can be exempted from HREC review under paragraph 5.1.9.

29. Paragraph 5.1.9 provides four categories of research that may be exempted by institutions from ethical review on the grounds that they involve low levels of risk. In effect, the categories of research require neither the consent of the individual from whom the information was initially collected, nor HREC oversight.

30. The Office notes that, insomuch as research concerns the handling of ‘personal information’ as defined by the Privacy Act, then agencies or organisations regulated by the Privacy Act will need to meet their obligations under that Act.

31. In particular, the Office notes that the collection of personal information from publicly available sources, as discussed in subparagraph 5.1.9(a), will generally be associated with obligations under the Privacy Act. For organisations collecting personal health information, this may include obligations under NPP 10 generally requiring consent for that collection.

32. The Office has published an Information Sheet concerning Privacy and Personal Information that is Publicly Available, which is available from its website at http://www.privacy.gov.au/publications/is17_03.pdf.

Chapter 3.5 Human genetics

33. The Office welcomes the expanded guidance in the draft Statement with respect to genetic research and its ethical implications. The interweaving of the material relating to privacy and confidentiality through the chapter is noted as being consistent with the approach to other issues, such as consent, adopted throughout the draft Statement.

Chapter 4.3 People in dependent or unequal relationships

34. Paragraph 4.3.8 advises that special care should be taken in certain settings where conversations with participants may be overheard. The wording of the paragraph includes ‘privacy’ which, as we understand it, refers to a capacity to prevent conversations being overheard by ensuring physical or spatial separation from others.

35. It has been suggested elsewhere that the notion of ‘privacy’ can be expressed in terms of four separate but related concepts.[15] In the draft Statement, the term has been consistently used as referring to the privacy of personal information. The Office recommends that paragraph 4.3.8 be re-worded in order to avoid possible confusion with respect to the term ‘privacy’.

Chapter 5.2 Responsibilities of HRECs

36. The Office notes the expanded guidance to HRECs generally including in relation to record-keeping. These records are the subject of statutory reporting obligations by AHEC to the Office regarding HREC use of the guidelines under the Privacy Act.

37. In Chapter 18 of the existing National Statement, the responsibilities of HREC in relation to research that may breach provisions of the Privacy Act are itemised in paragraphs 18.1 – 18.5. The Office acknowledges that the advice relating to privacy obligations is interwoven through the draft Statement. However, Chapter 5.2 does not have any statement advising HRECs of their obligations which would have the force and effect of paragraph 18.3 of the existing National Statement. Paragraph 5.2.17(m) merely requires the recording of the ‘relevance if any’ of legislation and guidelines relating to privacy of personal or health information.

38. The Office recommends that the draft Statement include within Chapter 5.2 a paragraph that specifically requires HRECs to consider the implications of approving research that may involve breaches of privacy legislation and the necessity of following the appropriate guidelines.


[1] The Hon Nigel Bowen MP, Australia, House of Representatives, Hansard, 1 November 1988.

[2] See generally: Sections 95 (Medical research guidelines) and 95A (Guidelines for National Privacy Principles about health information) of the Privacy Act. Available at http://www.privacy.gov.au/act/privacyact/; also Guidelines under Section 95 of the Privacy Act 1988; and Guidelines under Section 95A of the Privacy Act 1988.

[3] Office of the Privacy Commissioner: Getting in on the Act: Review of the private sector provisions of the Privacy Act (May 2005) Available at http://www.privacy.gov.au/act/review/index.html#bac .

[4] Ibid at http://www.privacy.gov.au/act/review/review2005.htm#7.3.

[5] Ibid.

[6] World Medical Association, Declaration of Helsinki, 2004, Paragraphs 10, 21, available at http://www.wma.net/e/policy/b3.htm.

[7] NHMRC National Statement on Ethical Conduct in Research Involving Humans (1999). http://www.nhmrc.gov.au/publications/_files/e35.pdf at p.9. [15 March 2006].

[8] Section 6 of the Privacy Act.

[9] In its submission, the NHMRC pointed to stakeholder surveys identifying ‘a number of threshold interpretation issues relating to whether or not health information is identified or identifiable’. The NHMRC also advocated the further education of stakeholders regarding the categorisation of health data and the applicability of the Privacy Act to identified and identifiable data. See http://www.privacy.gov.au/act/review/revsub32.pdf.

[10] NHMRC National Statement on Ethical Conduct in Research Involving Humans (1999). http://www.nhmrc.gov.au/publications/_files/e35.pdf at p.57 [15 March 2006]. p.52.

[11] NHMRC National Statement on Ethical Conduct in Research Involving Humans (1999). http://www.nhmrc.gov.au/publications/_files/e35.pdf at p.57. [15 March 2006].

[12] Office of the Privacy Commissioner Guidelines on Privacy in the Private Health Sector at http://www.privacy.gov.au/publications/hg_01.html#a5

[13] See generally the Office of the Privacy Commissioner Information Sheet 9-2001 Handling Health Information for Research and Management http://www.privacy.gov.au/publications/IS9_01.html

[14] Lowrance, W Learning by Experience: Privacy and the Secondary Use of Data in Health Research (November 2002) The Nuffield Trust at p. xii.

[15] Banisar D, Privacy and Human rights: an international survey of privacy laws and developments, Electronic Privacy Information Centre, 2000, Washington. www.privacyinternational.org/survey/