Site Changes

On 1 November 2010 the Office of the Privacy Commissioner was integrated into the Office of the Australian Information Commissioner and a new website established at www.oaic.gov.au.

Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.

Types

Topic(s): Other

Research Study into Public Support for Science and Innovation; Submission to the Productivity Commission (August 2006)

document icon pdf (195.46 KB)

August 2006

Office of the Privacy Commissioner
Introduction
Overview of Privacy Legislation
The Privacy Act and health information
- Application of the Information Privacy Principles to health information
- Application of the National Privacy Principles to health information
Mechanisms for the handling of health information for research purposes without individuals'' consent
- Application of the section 95 guidelines to agencies
- Application of section 95A Guidelines to the private sector
Community Attitudes to Privacy in Medical Research
Findings of the 2005 review of the private sector provisions of the Privacy Act concerning medical research
The Australian Law Reform Commission''s Review of the Privacy Act
Appendix A: Privacy legislation in Australian states and territories.
Appendix B: Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988
Endnotes

Office of the Privacy Commissioner

The Office of the Privacy Commissioner (the Office) is an independent statutory body responsible for promoting an Australian culture that respects privacy. The Office, established under the Privacy Act 1988 (Cth) (Privacy Act), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

Introduction

The submission comes in response to a request from the Productivity Commission (''the Commission'') for advice on the interaction between privacy regulation and medical research. This advice has been requested to inform the Commission''s Research Study into Public Support for Science and Innovation (''the Study'').

The Office''s understanding is that the Study was prompted by increased Government funding for science and innovation, and a resulting Government interest in the economic impacts of public support for this area.[1] While many of the matters raised in the Productivity Commission''s Issues Paper are not directly connected with privacy, one area of intersection lies in the role of Australia''s institutional and regulatory framework in creating an environment conducive to research.[2]

In particular, under item 2 of the Study''s terms of reference, the Commission is requested to:

''Identify impediments to the effective functioning of Australia's innovation system including knowledge transfer, technology acquisition and transfer, skills development, commercialisation, collaboration between research organisations and industry, and the creation and use of intellectual property, and identify any scope for improvements.''[3]

As privacy regulation is relevant to the handling of individuals'' personal information for the purpose of medical research, an understanding of it may usefully inform the Study.

Overview of Privacy Legislation

The Privacy Act regulates how federal and ACT government agencies, [4] as well as many private sector organisations, collect, store, use and disclose personal information. It also provides individuals with a right to access and, where necessary, correct such information.

The Privacy Act establishes privacy regulation over government agencies by prescribing eleven Information Privacy Principles (IPPs), These principles impose general rules over, amongst other things, how personal information may be used or disclosed (including for medical research).

The Privacy Act also prescribes ten National Privacy Principles (NPPs) which cover parts of the private sector, including businesses with a turnover greater than $3 million and all health service providers. While these principles are similar to the IPPs, there are some notable differences relevant to health and medical research, which will be discussed in more detail below.

It should be noted that ''health information'' is defined relatively broadly in section 6 of the Privacy Act as:

information or an opinion about:
1. the health or a disability (at any time) of an individual; or
2. an individual''s expressed wishes about the future provision of health services to him or her; or
3. a health service provided, or to be provided, to an individual
that is also personal information; or
other personal information collected to provide, or in providing, a health service; or
other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances.

In recognition of the special sensitivity of health information, the Parliament has afforded additional protections to how it is handled, including by defining it to be a form of ''sensitive information''. These are discussion further below under ''The Privacy Act and medical research''.

Relevantly, medical research is also defined in section 6 to include epidemiological research.

In considering the impact of the Privacy Act on medical research, it is important to note that the Privacy Act''s coverage is not exhaustive. The Privacy Act does not apply to state and Northern Territory government bodies or to their private sector contractors (for the purposes of those contracts). Medical research conducted in public health systems and by most public universities,[5] for example, would not fall under the jurisdiction of the Privacy Act.

Some of these jurisdictions have their own privacy legislation or other regulation. The Commission may wish to consult with the relevant bodies in these jurisdictions. A list privacy legislation and the bodies responsible for their implementation is provided at Appendix A.

The Privacy Act and health information

There is a social interest in enabling medical researchers to have access to health information in certain circumstances. The Privacy Act is not intended to prevent important medical research. Since its passage in 1988, the Privacy Act has ''recognise[d] the special nature of medical research, especially epidemiological research''.[6] Accordingly, while health information is afforded extra protection, the Privacy Act recognises the desirability of medical research by providing mechanisms that allow health information to be collected, used and disclosed for medical research purposes, including, in some circumstances, without the consent of the individual.

The protection of privacy in the conduct of medical research in Australia is facilitated through a combination of ethical and legal structures, including the Privacy Act and the framework of guidelines and approval processes provided through the NHMRC and the Australian Health Ethics Committee (AHEC).

Application of the Information Privacy Principles to health information

Information Privacy Principles 10 and 11 establish the general requirement on agencies that personal information may only be used or disclosed, respectively, for the purpose for which it was collected. Exceptions are available to these general principles. These exceptions include:

where the use is directly related (IPP 10.1(e)) or the disclosure is one that the individual would reasonably be aware of (IPP 11.1(a));
where the individual has consent to that use (IPP 10.1(a)) or disclosure (IPP 11.1(b); or
where that use (IPP 10.1(c)) or disclosure (IPP 11.1(d)) is required or authorised by law.

The IPPs do not include a specific provision permitting Australian Government agencies to use or disclose personal information for medical research. However, there is a mechanism available in section 95 of the Privacy Act which allows, in certain circumstances, agencies to handle personal information for the purpose of medical research, including without having to seek the consent of the individual. This is discussed further below under ''Medical research guidelines and the public sector''.

Application of the National Privacy Principles to health information

National Privacy Principle 2 establishes the general rule that personal information may only be used or disclosed for the purpose for which it was collected (that is, the ''primary purpose''). There are exceptions to this principle, a number of which may be directly relevant to medical research.

NPP 2.1(a) provides that an organisation may use or disclose personal health information for a secondary purpose, where:

the use or disclosure is directly related to the primary purpose of collection (the threshold for non-health information is merely that the use or disclosure be related to the primary purpose); and
the individual would reasonably expect that the organisation which collected the information would use or disclose that information for that purpose.

Organisations would need to exercise care in ensuring that both of these requirements are met.

Additionally, organisations may use or disclose personal health information where the individual has given their consent (see NPP 2.1(b)). The Privacy Act provides that consent may be express or implied, however the Office generally advises that, for the handling of health information, it is good privacy practice to seek the express consent of the individual.

Accordingly, where health information is collected for one purpose, such as clinical care, it may be used or disclosed for a secondary purpose, such as medical research, to the extent that the above exceptions apply.

In addition, NPP 2.1(d) allows health information to be used or disclosed, without an individual''s consent, if certain requirements are met, including that the use of disclosure has been conducted in accordance with the section 95A guidelines. This is discussed further below under ''Application of section 95A Guidelines to the private sector.''

Mechanisms for the handling of health information for research purposes without individuals'' consent

Application of the section 95 guidelines to agencies

Section 95 of the Privacy Act allows the National Health and Medical Research Council (NHMRC) to issue guidelines for the protection of privacy in the conduct of medical research (''the section 95 guidelines''), subject to the approval of the Privacy Commissioner.[7] The guidelines relate to the conduct of medical research using information held by Commonwealth agencies where identified information needs to be used without consent. The guidelines provide a framework for deciding how to balance the public interest in medical research and the public interest in protecting privacy.

The section 95 guidelines allow Commonwealth agencies to use and disclose health information in ways that would ordinarily breach the IPPs, for the purpose of medical research, as long as the medical research is conducted in accordance with the guidelines.

A key element of the section 95 guidelines is the oversight provided by Human Research Ethics Committees (HRECs). As well as establishing the need for any relevant research proposal to be considered by a HREC, the guidelines also instruct HRECs as to what matters must be considered in when weighing the public interest in the medical research with the public interest in protecting privacy.

For example, an agency may use or disclose personal health information, without satisfying a prescribed exception to IPPs 10 or 11, for the secondary purpose of medical research and not breach the Privacy Act provided that the use or disclosure is in accordance with the guidelines.

Application of section 95A Guidelines to the private sector

Section 95A establishes a legal basis for guidelines similar to those establish under section 95. Section 95A allows the Privacy Commissioner to approve for the purposes of the NPPs guideline issued by the NHMRC (''the section 95A guidelines''). The section 95A guidelines are specifically tied to those NPPs which refer to them, namely, NPP 2.1(d) (on use and disclosure) and NPP 10.3 (on collection of health information).

The effect of the section 95A guidelines is to permit private sector organisations to collect, use and disclose health information for a range of health-related research purposes without gaining individuals'' consent.

Collecting health information for research under the section 95A guidelines

NPP 10 generally prohibits an organisation from collecting health information, unless a prescribed exception to this rule is met. Relevantly, NPP 10.3 regulates the collection of health information for a range of research purposes. This principle allows organisations to collect health information about an individual, without an individual''s consent, if the collection is necessary for:

research relevant to public health and safety;
the compilation or analysis of statistics relevant to public health or safety;
the management, funding or monitoring of a health service.

However, such collection is limited to where:

the purpose cannot be met by the collection of information that does not identify an individual; and
it is impracticable to seek the individual''s consent.

Further, the information must be collected in accordance with the section 95A guidelines or other prescribed criteria.[8]

The question of when it is impracticable to seek individuals'' consent is a key issue in applying the section 95A guidelines. The Office has explained previously that impracticability should be something more than incurring some expense or effort in seeking an individual's consent.[9] An example of where it may be impracticable to seek consent might be where there are no current contact details and where there is insufficient information to get up-to-date contact details.

Using and disclosing health information for health and medical research under the section 95A guidelines

NPP 2.1(d) governs non-consensual use or disclosure of health information. Such information may be used for research purposes, or for the compilation or analysis of statistics where these activities are relevant to public health or public safety. That is, the research must be about, or the statistics related to, public health or safety. Health information may be used or disclosed only if the research is necessary for research, or the compilation or analysis of statistics, relevant to public health and public safety, and each of the following apply:

It is impracticable to seek individuals'' consent;
The use or disclosure is in accordance with the section 95A guidelines; and
In the case of disclosure, the organisation reasonably believes that the organisation to which they disclose the information will not further disclose the health information or any personal information derived from it.

What is notable about the section 95A guidelines is the wider range of purposes for which they may apply when compared to the section 95 guidelines (ie research relevant to public health and safety, as opposed to the narrower purpose of medical research).

Both the section 95 and section 95A guidelines should be read in conjunction with the National Statement on Ethical Conduct in Research Involving Humans.[10] For further information on health information research, refer to the Office''s Information Sheet 9: Handling Health Information for Research and Management.[11]

Accordingly, what can be seen by the section 95 and 95A mechanisms, as well as the other exceptions that exist in the IPPs and NPPs, is a framework intended to ensure that important medical research can be undertaken in a manner that affords appropriate respect and oversight to individuals'' personal health information.

Community Attitudes to Privacy in Medical Research

Strong privacy protections are essential for sustaining the community confidence needed to make medical research viable. Research conducted by the Office indicates that many individuals are particularly sensitive about the use of their health information. Twenty one percent of individuals surveyed reported reluctance to provide their medical history or health information to any organisation and 11% reported reluctance concerning providing genetic information.[12]

Other research broadly supports this view. For example, qualitative research conducted by AC Nielsen indicates a strong preference for health information to be only used for the direct clinical care of the individual, with any other uses being premised on obtaining the individual''s informed consent.[13]

Research from New Zealand identifies specific community concerns regarding sharing information with health researchers. In this research, 23% gave an unqualified positive response to their general health information being shared with researchers, with this figure falling to 12% for ''sensitive'' health information (in this context, meaning related to sexual health).[14]

While many individuals are willing for their personal information to be used for medical research, international research indicates that they expect to be able to choose how their health information is handled.[15] The Office''s own research shows that the strong community preference for consent-based research extends even to de-identified information. In particular, 64% of respondents felt that their permission should be sought before de-identified information is used for health research purposes.[16] This finding is supported by the AC Nielsen research.[17] Thus, individuals retain an interest in their health information, even where the identifying links are obscured or erased.

From the perspective of researchers, the Privacy Act plays a crucial role in negotiating community concerns surrounding the handling of health information. From the community''s perspective, the controls and safeguards contained within the Privacy Act play a crucial role in sustaining community confidence about how their information will be handled. Research has shown that individuals may change the way they engage with agencies and organisations, including health service providers, if they are not satisfied that their privacy will be protected. For example, 33% of individuals surveyed for the Office''s research have, at some point, decided not to deal with a private organisation because of concerns over the protection of the use of their personal information, while 18% decided not to deal with a government department or agency.[18]

The possibility of individuals altering how they interact with health service providers has serious implications. Individuals may avoid treatment, or may supply partial or inaccurate information, to the detriment of their clinical well-being, as well as to broader public health (particularly if an individual avoids treatment for serious or highly contagious conditions). Additionally, the quality of data available to health researchers, and the resulting scope for innovation in health research, may also suffer in these circumstances.

The Privacy Act, by placing controls on the flow of health information, provides a structure to support individual's confidence in how their information will be handled. Far from obstructing research, the Privacy Act provides a valuable control on the flow of information, helping to support its long-term viability.

Findings of the 2005 review of the private sector provisions of the Privacy Act concerning medical research

In May 2005, the Attorney-General released the report of the review by the Privacy Commissioner into the operation of the private sector provisions of the Privacy Act.[19] This report was titled Getting in on the Act: The Review of the Private Sector Provisions of the Private Sector Provisions of the Privacy Act 1988 (''Getting in on the Act''). Medical research was among the topics considered by the review. Several submissions pointed to the complexity of Australia''s privacy regulation system.[20]

Particular areas of concern for the health-research sector were:

the lack of a national uniform privacy regime leading to complex interactions between Commonwealth, State and Territory privacy regulation;
the lack of an agreed definition of key terms (for example, ''medical research''); and
difficulties arising from the application of section 95 and section 95A guidelines, including the way in which HREC''s interpret the guidelines.

Submissions stated that these factors were not conducive to research. Organisations experiencing difficulty interpreting the legislation might make incorrect decisions or, as a precaution, adopt a highly conservative approach to privacy compliance.[21]

In its findings, the review report recognised that the lack of national consistency in privacy regulation has had consequences for business efficiency.[22]

The Privacy Commissioner responded to the specific concerns of medical researchers with a number of recommendations. A key finding in this regard was that, as part of a broader inquiry into the Privacy Act, the Australian Government consider a number of specific matters concerning research and privacy, including:

to achieve greater consistency in regulating research activities under the Privacy Act.
where the balance of public interest lies between health research and protecting privacy, including individual''s capacity to choose how their information is handled for research purposes; and
undertaking further research and education work with the broader community to ensure that the balance between research and privacy accords with what the community expects and understands.

Further, in recognition that the perceived difficulties created by privacy regulation for researchers may be due to a misunderstanding of obligations, the Office''s review report also recommended that that the Office issue guidance in relation to NPP 2 to clarify the circumstances in which health information can be disclosed.[23]

The full text of the Recommendations is included in Appendix B.

The Australian Law Reform Commission''s Review of the Privacy Act

In January 2006, the Attorney-General announced the Australian Law Reform Commission''s would conduct an inquiry into privacy. The terms of reference cover many of the issues raised in the Office''s 2005 review of the private sector provisions, including the roles of Commonwealth, State and Territory legislation and the need to minimise the regulatory burden on business.[24]

The Office anticipates that further examination of issues raised in this submission could be usefully progressed by the Australian Law Reform Commission''s inquiry.

ACT Community and Health Services Complaints Commissioner: responsible for health information privacy in the ACT under the Health Records (Privacy and Access) Act 1997 http://www.healthcomplaints.act.gov.au/c/hcc

Office of the NSW Privacy Commissioner: responsible for Privacy and Personal Information Protection Act 1998 and Health Records and Information Privacy Act 2002. http://www.lawlink.nsw.gov.au/privacynsw

Office of the Northern Territory Information Commissioner: responsible for Information Act 2002 (Information Act). http://www.privacy.nt.gov.au/

Tasmanian Ombudsman: responsible for complaints under Personal Information and Protection Act 2004 http://www.ombudsman.tas.gov.au/

Office of the Victorian Privacy Commissioner: responsible for the Information Privacy Act 2000 http://www.privacy.vic.gov.au/dir100/priweb.nsf

Victorian Health Services Commissioner: responsible for privacy regulation of health information in the state under the Health Records Act (HRA) 2001 http://www.health.vic.gov.au/hsc/

Recommendations: Research[25]

60. As part of a broader inquiry into the Privacy Act (see recommendation 1), the Australian Government should consider:

how to achieve greater consistency in regulating research activities under the Privacy Act
whether regulatory reform is needed to address the issue of de?identification in the context of research and the handling of health information
where the balance lies between the public interest in comprehensive research that provides overall benefits to the community, and the public interest in protecting individuals'' privacy (including individuals having choices about the use of their information for such research purposes)
whether there is a need to amend NPP 2 to permit the use and disclosure of personal information for research that does not involve health information
undertaking further research and education work with the broader community to ensure that the balance between research and privacy accords with what the community expects and understands.

61. The Office will issue guidance in relation to NPP 2 to clarify that organisations can disclose health information for the management, funding and monitoring of a health service.

62. The Office will work with the National Health and Medical Research Council to simplify the reporting process for human research ethics committees under the section 95A guidelines.

Endnotes

[1] Productivity Commission(2006), Public Support for Science and Innovation: Issues Paper, page 22. Available at http://www.pc.gov.au/study/science/issuespaper/index.html
[2] The Study gives a broad definition of public support, as ''extending beyond financial support to such aspects as dealing with barriers and impediments to innovation arising from the institutional and regulatory framework (the innovation system) in which it occurs.'' Productivity Commission, above, note 1 at page 7.
[3] Productivity Commission, above note 1 at page 22.
[4] Except in regard to the handling of health information by ACT Government agencies which are subject to the Health Records (Privacy and Access) Act 1997.
[5] A exception to this would be those universities, mainly in the ACT, which have been established under Acts of the Commonwealth or ACT legislatures.
[6] The Hon Nigel Bowen MP, Attorney General, Australia, House of Representatives, Hansard, 1 November 1988.
[7] National Health and Medical Research Council, Guidelines Issued under s 95 of the Privacy Act. Available at http://www.privacy.gov.au/materials/types/download/8659/6503
[8] The information may also be collected as required by law or in accordance with rules established by competent health or medical bodies.
[9] See Information Sheet 9-2001, Handling Health Information for Research and Management, available at http://www.privacy.gov.au/materials/types/infosheets/view/6568.
[10] National Health and Medical Research Council, National Statement on Ethical Conduct in Research Involving Humans. Available at http://www.nhmrc.gov.au/publications/synopses/e35syn.htm.
[11] Available at http://www.privacy.gov.au/materials/types/download/8757/6568
[12] See Office of the Privacy Commissioner (2004), Community Attitudes to Privacy, at 6.2. Available at http://www.privacy.gov.au/publications/rcommunity.
[13] AC Nielsen (1998), Community Consultation: Health Information Privacy: A Research Report, page 8.
[14] Whiddett, R; Hunter, I; Engelbrect, J and Handy, J (2004). Sharing Patient Information: A Survey of Patients' Views. Health Informatics Conference 2004, pages 59-64.
[15] UK National Health Service (2004) Share with care:People's Views on Consent and Confidentiality of Patient Information available at http://www.connectingforhealth.nhs.uk/publications/share_with_care.pdf ; Whiddett, R, Hunter I and Engelbrecht J, above note 14.
[16] See, Office of the Privacy Commissioner (2004), Community Attitudes to Privacy, above note 12 at 8.4.
[17] AC Nielsen (1998), above note 13 at page 8.
[18] See Office of the Privacy Commissioner, above note 12 at 6.3.
[19] For details of submissions, see Office of the Privacy Commissioner: Getting in on the Act: Review of the Private Sector Provisions of the Privacy Act (May 2005) Available at http://www.privacy.gov.au/law/reform/review/
[20] For details of submissions, see Office of the Privacy Commissioner, above note 19 at page 201.
[21] See National Health and Medical Research Council (2005), Submission to the Review of the Private Sector Provisions of the Privacy Act. Available at http://www.privacy.gov.au/ See also Professor Mark Israel, Ethics and the Governance of Criminological Research in Australia, NSW Bureau of Crime Statistics and Research, December 2004.
[22] Office of the Privacy Commissioner (2005) Getting in on the Act: Review of the Private Sector Provisions of the Privacy Act, above note 19 at page 4.
[23] Office of the Privacy Commissioner (2005), above note 19 at page 212.
[24] See Australian Law Reform Commission (2006) About the Inquiry. Available at http://www.alrc.gov.au/inquiries/current/privacy/about.html .
[25] Office of the Privacy Commissioner (2005) Getting in on the Act: Review of the Private Sector Provisions of the Privacy Act, page 212. Available at http://www.privacy.gov.au/law/reform/review/#bac.