Submission Home | Executive Summary | Submission Summary | Summary of Positions | Part A | Part B | Part C | Part D | Part E | Part F | Part G | Part H | Part I | Part J | Bibliography

PART H

HEALTH SERVICES AND RESEARCH

CHAPTER 56

REGULATORY FRAMEWORK FOR HEALTH INFORMATION

Proposal 56-1 The Privacy Commissioner should consider delegating the power to handle complaints under the Privacy Act in relation to interferences with health information privacy by organisations to state and territory health complaint agencies.

1. The Office does not support this proposal. This position is also expressed by the Office in chapter 45 of this submission.

2. The Office is aware of other regulatory environments where such models have been adopted, resulting in significant complexity, uncertainty and funding difficulties. Such a model would require the Privacy Commissioner to be confident that the other complaint handling agency would interpret and apply the principles consistently, as well as follow the same processes as the Office. It would also be necessary to ensure that, where breaches were found, any decisions regarding remedies would be equivalent to the decision that would be made by the Privacy Commissioner. Such consistency would be essential to ensure fairness to both the complainant and the respondent, as well as to promoting regulatory predictability.

3. The Commissioner would also need to be confident that the privacy element of a complex matter was not marginalised by other elements of the same complaint, such as questions of clinical conduct.

4. The suggestion that state and territory complaint bodies may have a greater understanding of the local system does not appear to be convincing, particularly when it is recognised that the complaint handling in question concerns the private sector, not local public health systems.

5. In addition, this local knowledge is more likely to be of the respondent organisation rather than the circumstances of individual complainants. Accordingly, any ongoing relationships or understanding will be with the organisation, rather than the individual who will likely only ever make one complaint. The perception, if not the reality, of being an impartial regulator may be better advanced by a complaint being handled by an entity that does not have a close ongoing relationship with the respondent.

6. Further, in an era of cheap, fast and efficient communications, including email, voice and video teleconferencing, the benefits of providing a facility in close proximity to the respondent and complainant are far less than they may have been historically. The Office already uses these technologies in complaint handling.

7. Accordingly, while this proposal has some superficial benefits, the potential complexity and uncertainty mean that it would rarely, if ever, be exercised. In turn, it seems unnecessary to create a power that is unlikely to ever be exercised.

Proposal 56-2 Health information should continue to be regulated under the general provisions of the Privacy Act and the proposed Unified Privacy Principles (UPPs). Amendments to the proposed UPPs that relate specifically to the handling of health information should be promulgated in regulations under the Privacy Act-the Privacy (Health Information) Regulations.

8. The Office supports elements of this proposal.

9. In responding to the ALRC's Issues Paper 31 (IP 31), the Office argued that the existing framework under the Privacy Act for the regulation of health information had generally functioned well. The Office repeats the view that much of the complexity that exists in health privacy regulation is due to uncertainty regarding the interaction of the Privacy Act 1988 (Cth) (Privacy Act) with other health information privacy laws in those jurisdictions that purport to regulate the private health sector.

10. The Office noted that the proposed National Health Privacy Code (NHPC) would be an inadequate response to address unnecessary complexity in health privacy regulation. A detailed assessment of the NHPC illustrates that the protections it would afford, even if adopted uniformly by all jurisdictions, would be less than those currently provided to health information under the Privacy Act.[515] The NHPC is also notably prescriptive and complex.[516]

11. The Office reiterates its overall view that the arrangements under the Privacy Act for health information should be refined rather than reinvented.

12. It appears that DP 72 endorses the general approach suggested by the Office. In particular, the Office welcomes the clear statement that adopting the proposed NHPC would not be an appropriate reform and that a completely new set of health-specific principles would add to regulatory complexity and is unjustified.

13. However, there are specifics areas where improvements can be made to existing health privacy regulation under the Privacy Act, including in regard to the transfer of records when a practice closes, as well as a number of health specific access issues and other matters of detail that address specificities in the health sector. These proposals are discussed in detail in the Office's previous submission,[517] as well as in chapter 57 of this submission.

14. The Office has suggested that these matters be addressed within the existing structure of the principles.

Incorporating amendments into the privacy principles

15. Proposal 56-2 diverges from the Office's position by suggesting that a number of health specific amendments be introduced in the form the Privacy (Health Information) Regulations (‘the Regulations'). While the Office generally supports the specific matters proposed for the Regulations (see chapter 57 for detailed discussion), it is unclear whether this approach remains preferable to simply incorporating these amendments into the existing principle framework.

16. In considering whether a number of additional health specific provisions should sit beside the Unified Privacy Principles (UPPs) (such as the Regulations) or within the principles themselves, DP 72 acknowledges that each approach has advantages and disadvantages.[518] The Office agrees that arguments can be proffered in support of either approach.

17. In this regard, DP 72 expresses a number of cogent reasons why there should not be two sets of principles, one each for health and non-health information. In the Office's view, many of these reasons equally argue against having any separate form of instrument that gives effect to additional health-specific regulation.

18. In particular, DP 72 notes that many organisations and agencies will handle both health and non-health information.[519] Notably, if the employee records exemption were removed then these will increase significantly, as many employee records will hold health information. The proposed framework would require these organisations and agencies to refer to two different regulatory instruments. A single consolidated instrument provides a single source of obligations.

19. At the same time, the Office recognises that many agencies and organisations will not handle health information. Clearly, significantly expanding the Information Privacy Principles (IPPs), NPPs or proposed UPPs by the introduction of health-specific provisions may create an excessively long and complex set of principles. However, the Office suggests that the outstanding health privacy issues can be addressed through a modest number of discrete amendments or additional provisions. The Office's specific proposals have been presented in its submission to IP 31 and are reiterated in chapter 57 of this submission. The Office does not believe that the adoption of its proposed amendments would result in the UPPs becoming an excessively long or cumbersome set of principles.

20. The Office also notes that incorporating the provisions into the primary legislation to sit within the UPPs affords the added benefit that any decision to amend or vary the protections would require the active consideration by Parliament of an amendment bill. Including these additional health protections into a regulation, amendment to which would require a disallowance period to pass rather than a Parliamentary vote, would seem to afford them lesser status than if those protections were enacted.

Proposal 56-3 The Office of the Privacy Commissioner should publish a document bringing together the proposed UPPs and the amendments set out in the Privacy (Health Information) Regulations. This document will contain a complete set of the proposed UPPs as they relate to health information.

21. The Office supports this proposal.

22. While the Office does not, on balance, support the proposal of making the Regulations, if proposal 56-2 were made and adopted, then such guidance material would fall within the Office's responsibilities. The Office recognises that this material would be important for reducing complexity introduced through having two sources of regulation.

Proposal 56-4 The Office of the Privacy Commissioner-in consultation with the Australian Government Department of Health and Ageing and other relevant stakeholders-should develop guidelines on the handling of health information under the Privacy Act and the Privacy (Health Information) Regulations

23. If proposal 56-2 is adopted then the Office agrees with this proposal.

24. The Office would also expect to develop such material if its preferred model of health privacy reform is adopted, whereby any health specific changes are incorporated within the proposed UPPs.

Proposal 56-5 The national Unique Healthcare Identifiers (UHIs) scheme and the national Shared Electronic Health Records (SEHR) scheme should be established under specific enabling legislation. The legislation should address information privacy issues, such as:

(a) the nomination of an agency or organisation with clear responsibility for managing the respective systems, including the personal information contained in the systems;

(b) the eligibility criteria, rights and requirements for participation in the UHI scheme and the SEHR scheme by health consumers and health service providers, including consent requirements;

(c) permitted and prohibited uses and linkages of the personal information held in the system; 

(d) permitted and prohibited uses of UHIs and sanctions in relation to misuse; and

(e) safeguards in relation to the use of UHIs; for example, that it is not necessary to use a UHI in order to access health services.

25. The Office supports this proposal.

26. The proposal is consistent with the view expressed by the Office in a 2004 submission to Australian Government Department of Health & Ageing regarding the former HealthConnect SEHR initiative, wherein the Office endorsed the need for:

...specific establishing legislation for HealthConnect setting out primary uses of data, authority and processes for approval of secondary uses of data, consent processes, penalties and sanctions and complaints mechanisms.[520]

27. This view has been reiterated in later submissions,[521] including in response to IP 31.[522]

28. In regard to the UHI initiative, the Office has provided a submission to the National E-Health Transition Authority (NEHTA) concerning its Privacy Blueprint for Unique Health Identifiers. [523]

29. This submission raised a number of privacy risks, including the risks posed by the backend UHI Service database. As the Office understands the proposal, this database would be a national database of names and addresses of individuals with UHIs. The Office noted that while other similarly large databases exist in Australia, such as those maintained by Medicare Australia and the Australian Taxation Office, what would seem to make this repository unique is the potential for it to be accessible to a large number of users who work in the health sector. In regard to privacy protections, users will interact with the database in different jurisdictions, some of which may have no privacy legislation.[524]

30. While DP 72 notes that the Office welcomed NEHTA's attention to privacy issues, it is relevant to note that the Office also suggested that further work may be required to ensure that the protections being envisaged are fully commensurate with the risks posed by such a database.[525]

31. The privacy risks posed by unique identifiers, as well as their potential benefits, are discussed in the Office's submission to IP 31 at chapter 12 (‘Unique Multi-purpose identifiers'), as well as at chapter 27 of this submission. Health identifiers, including the UHI, are specifically discussed in the Office's response to question 12-2 of IP 31.[526] The Office submitted that:

...the challenge for such an initiative is to ensure that such a highly reliable identifier is not usurped for purposes beyond the health system and the clinical care of individuals. If such identifiers were used expansively outside of the health system, particularly in ways the community may be uncomfortable with, then the trust individuals place in the system may be undermined.

CHAPTER 57

THE PRIVACY ACT AND HEALTH INFORMATION

Proposal 57-1  The definition of ‘health information' in the Privacy Act should be amended to make express reference to information or an opinion about the physical, mental or psychological health or disability of an individual.

1. The Office does not consider it necessary to amend the Privacy Act 1988 (Cth) (Privacy Act) definition of ‘health information' to expressly refer to ‘physical, mental or psychological health', as in proposal 57-1. However, the Office would not oppose such an amendment.

2. In the Office's view, the existing definition of ‘health information' already accommodates physical, mental and psychological health. This accords with common usage of the term ‘health'.[527] The Office considers mental health to be a very important aspect of health information. This matter was discussed in the Office's submission to the ALRC's Issues Paper 31 (IP 31) at question 8-7.[528]

3. In effect, proposal 57-1 would appear to explicitly incorporate types of health information that are already recognised implicitly by the current definition of ‘health information' in s 6 of the Privacy Act, and therefore does not appear necessary. The Australian Government Department of Health and Ageing (DoHA) has expressed a similar view in support of the current definition.[529]

4. In assessing proposal 57-1, the Office also suggests the following issues be considered:

• whether the proposal may be narrowing the definition and reducing its flexibility by offering a list of examples that may be interpreted as comprehensive (whereas some stakeholders have referred to the proposal as ‘expanding' the existing definition);
• whether ‘psychological' health information would include anything that would not be encompassed by ‘mental' health information; and
• whether the proposed definitions of ‘health information' and ‘health service' would be adequately consistent. In contrast to proposal 57-1, proposal 57-2 (on the definition of ‘health service') refers to an individual's ‘health', without qualifying this as including ‘physical, mental or psychological' health. This reflects the current definition of ‘health service', which already includes these aspects of health.

Proposal 57-2 The Privacy Act should be amended to define a ‘health service' as:

(a) an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the service provider to:

assess, record, maintain or improve the individual's health;

diagnose the individual's illness, injury or disability; or

treat the individual's illness, injury or disability or suspected illness, injury or disability; or

(b) a disability service, palliative care service or aged care service; or

(c) the dispensing on prescription of a drug or medicinal preparation by a pharmacist.

5. The Office agrees with some aspects of proposal 57-2.

6. The Office agrees that the verb ‘record' should be retained in the definition of ‘health service', to cover handling of health information that may not otherwise be encompassed. Nevertheless, the Office notes the potential ambiguity between organisations which record an individual's health in the course of providing a health service, and entities which may record or document health information in ways that would not ordinarily be considered to be health service provision. The second category may include the recording of health information by health insurance companies, employers and others.

7. The Office agrees that the definition of ‘health service' could usefully include the term ‘injury' in addition to illness or disability. This aligns with the Office's view in its submission to IP 31, at question 8-7.

8. In relation to paragraph (b) of the definition in proposal 57-2, the Office notes that certain health providers may be concerned that their services may not fit comfortably with the existing ‘health service' definition. However, the Office believes the references to disability, palliative care and aged care services would need to be further qualified if they were considered necessary for inclusion.

9. In particular, the terms ‘disability service' and ‘aged care service' could include services that may not be primarily (or at all) health-related. For example, disability advocacy services and aged care domestic service arrangements (such as gardening or maintenance) are not generally considered to be health services, but may be caught by paragraph (b) of the proposed definition.

10. Finally, it is not clear to the Office why any palliative care service would not be considered to either ‘assess, record, maintain or improve' an individual's health, and therefore fit comfortably into the existing definition of ‘health service'.

Proposal 57-3 The Privacy (Health Information) Regulations should provide that a health service provider may collect health information from a health consumer, or a person responsible for the health consumer, about third parties without consent when:

(a) the collection of third party's information into a health consumer's social, family or medical history is necessary to enable health service providers to provide a health service directly to the consumer; and

(b) the third party's information is relevant to the family, social or medical history of that consumer.

11. The Office agrees with the policy intent of proposal 57-3. As a preferred option, the Office believes such an amendment (to facilitate family history collection) could be incorporated into National Privacy Principle (NPP) 10.2 or equivalent Unified Privacy Principles (UPP) exception, rather than in separate health regulations. The issue of health regulations is discussed in detail at proposal 56-2 of this submission.

12. The policy intent of this proposal aligns with the findings in the Office's Private Sector Review,[530] and the Office's submission to IP 31 at question 8-13. In both cases the Office recommended that legislative amendments to NPP 10 should replace the need for public interest determinations (PIDs) currently issued by the Privacy Commissioner on this matter.

13. The proposed amendments would clarify the ability of health service providers to collect relevant third party health information, without the third party's consent, where this information is necessary for inclusion in an individual's family, social or medical history in order to provide the individual with a health service.

14. The Office's Private Sector Review, and its submission to IP 31, suggested further consideration be given to the exclusion of genetic information from medical history collection without consent. Having reviewed the ALRC's reasoning in DP 72, the Office agrees that such information should not be excluded at this time.

15. However, given the vast amount of third-party information that could be collected from electronic health record systems, which will often be far beyond that which an individual may recall about their family and may even include information about which the individual is unaware, the Office remains of the view that collection from such sources should remain outside of the provision.

16. Since the NPPs came into effect in December 2001, these practices have been permitted by PIDs, including temporary PIDs, issued by the Privacy Commissioner under Part VI of the Privacy Act. The Office notes the statement in DP 72 that ‘The ALRC agrees that, in general, PIDs 9 and 9A are preferable to NHPP1 of the draft National Health Privacy Code.'[531]

17. In brief, PIDs 9 and 9A permitted health service providers to collect third party health information for an individual's family, social or medical history without the third party's consent. PIDs 9 and 9A were enacted for a period of five years, expiring in December 2007.

18. PIDs 10 and 10A, issued by the Privacy Commissioner to replace PIDs 9 and 9A, permit the collection of third party health information for family, social or medical history purposes from an individual, or from a person ‘responsible'[532] for that individual where the individual is incapacitated.[533] PIDs 9 and 9A did not expressly refer to collection from ‘responsible' persons, although proposal 57-3 does so.

19. The Office notes the ALRC's agreement that the public interest considerations around collecting family history information for health insurance purposes, without consent, ‘are not the same' as for the existing PIDs, which relates to the diagnosis, treatment and health care of an individual.[534] This issue was explored further in the Office's submission to IP 31.[535]

Question 57-1 Should the proposed Privacy (Health Information) Regulations provide that health information may be collected without consent where it is necessary to provide a health service to the individual and the individual would reasonably expect the agency or organisation to collect the information for that purpose?

20. The Office supports the policy intent of this suggestion, although such provisions would preferably be located in the general privacy principles, rather than in separate health regulations. The issue of health regulations is discussed generally in response to proposal 56-2.

21. The Office believes that NPP 10.2 (or an equivalent UPP exception) could usefully include an amendment to the privacy principles similar to that outlined in question 57-1.

22. The utility of such an amendment was raised in the Office's submission to IP 31 at question 8-15.[536] The Office submits that such an amendment would:

• enhance consistency between existing disclosure and collection provisions (NPPs 2 and 10); and
• facilitate the appropriate flow of health information in the health service delivery context; and
• maintain appropriate privacy protections through a relatively narrow, two-pronged test for collection of health information.

Aligning disclosure and collection principles in a ‘treating' team context

23. In the Office's view, the amendment suggested in question 57-1 would help to address a perceived inconsistency in a health services delivery context: between disclosures of health information under NPP 2, and collections under NPP 10.

24. For example, NPP 2.1(a) permits certain disclosures of health information by a health service provider, such as in a ‘treating team' scenario, that are for directly-related purposes within the individual's reasonable expectations (rather than by consent). However, it is not always clear how the ‘recipient' health service provider could collect that information under NPP 10 without consent, because NPP 10 does not contain a ‘reasonable expectations' test.

25. While it has been suggested that the recipient provider could rely on ‘implied' consent under NPP 10.1(a),[537] the Office believes that the limited exception suggested in question 57-1 would provide a more appropriate and definitive clarification of this issue.

Any amendment should reflect a limited purpose for collecting health information

26. In the Office's view, any ALRC proposal to give effect to the amendment in question 57-1 should reflect the position that the primary purpose of collection in a health services context is specific rather than general. For example, the proposal could usefully refer to the individual's reasonable expectation of collection for that ‘particular' or ‘specific' purpose. Alternatively, the requirement could be that the individual would reasonably expect the information to be collected ‘to provide that health service', avoiding the term ‘purpose' altogether.

NPP 10.2(b)(ii) and other issues relating to the collection of health information

27. The Office notes the ALRC's intention in DP 72 that NPP 10.2(b)(ii) be removed.[538] That provision relates to collection of health information where necessary to provide a health service, and in accordance with binding rules that deal with professional confidentiality. The Office's submission to IP 31, along with that from the NHMRC, noted the absence of any existing rules which met the criteria of NPP 10.2(b)(ii).[539]

28. The Office's submission to IP 31 raised several options to address NPP 10.2(b)(ii), concluding that the most effective option was to replace the provision with the more straightforward, two-pronged test outlined in question 57-1. That is, the collection of the information is:

• a) necessary to provide a health service (as in NPP 10.2(a)); and
• b) within the individual's reasonable expectations (as in NPP 2.1(a)(ii)).

29. The Office would support substituting the existing the NPP 10.2(b)(ii) with and the amendment as envisaged in DP 72 question 57-1.

30. As noted above, the Office envisages that the amendment raised in question 57-1 would fit comfortably under the existing NPP 10.2.

31. Other matters concerning NPP 10 in a non-health context are discussed in response proposal 19-2 of chapter 19.

Proposal 57-4 The provisions of National Privacy Principle 2 dealing with the disclosure of health information in the health services context to a person responsible for an individual should be moved to the Privacy (Health Information) Regulations.  The proposed regulation should:

(a)  be expressed to apply to both agencies and organisations;

(b) provide that an agency or organisation that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual if the individual is ‘incapable of giving consent' to the disclosure and all the other circumstances currently set out in NPP 2.4 are met;

(c) include a definition of a person ‘responsible' for an individual amended to incorporate the term ‘authorised representative'; and

(d) refer to ‘de facto partner' rather than ‘de facto spouse'.

32. The Office generally supports proposal 57-4, but suggests that the provisions be retained in the general privacy principles, avoiding the need for separate health regulations.

33. However, if the Privacy (Health Information) Regulations model is adopted, it would seem appropriate that this provision be moved to those regulations, as NPP 2.4 relates to health information in the context of health service provision. The health regulations are discussed more generally in response to proposal 56-2 above.

34. Proposal 57-4 largely reflects the existing NPPs 2.4-2.6, with some amendments. The Office has observed that NPP 2.4 is an appropriate and effective provision which could be bolstered by greater awareness amongst health service providers, carers and consumers (see the Office's submission to IP 31, at questions 8-11 and 9-3).

35. In relation to paragraph (a) of proposal 57-4, the Office agrees that this provision could usefully apply to both organisations and agencies under the UPPs or equivalent principles. Nevertheless, the Office notes that most health information disclosed in a health services context under the Privacy Act's jurisdiction is still likely to occur in the private sector. The Office also notes that Part XI of the Privacy Act, enacted in 2006 following the Boxing Day Tsunami of 2004, clarifies and facilitates the appropriate handling of victims' personal information by agencies during declared emergencies and disasters, including appropriate disclosures to relatives about their loved ones.[540]

36. Paragraph (b) of proposal 57-4 generally reflects NPP 2.4, although the ALRC proposes that the current term ‘physically or legally incapable of giving consent' be replaced by the defined term ‘incapable of giving consent'. The Office discusses that proposed definition in response to proposal 61-1.

37. In relation to paragraph (c) of proposal 57-4, the Office generally agrees that the definition of person ‘responsible' should incorporate ‘authorised representatives' (as defined in proposal 61-2 of DP 72). ‘Authorised representatives' would include a number of formal representatives currently recognised under NPP 2.5, which defines persons ‘responsible' for an incapacitated individual. The Office discusses the definition of ‘authorised representative' itself in response to proposal 61-1 and question 61-2.

38. In relation to paragraph (d), the Office does not oppose the change from ‘de facto spouse' to ‘de facto partner'.[541]

Further issues regarding NPP 2.4-2.6 or equivalents: Young carers, information of deceased persons and terminology issues

39. The ALRC may also wish to assess the appropriateness of other terms in the definition of persons ‘responsible'. In particular, the Office notes that while NPP 2.5 refers to children ‘at least 18 years of age', a significant number of carers are under 18 years of age, including some primary carers.[542] Carers Australia provides anecdotal evidence that young carers may in some cases be ‘overlooked or not consulted by health practitioners in discussions about the care or treatment of the person they care for, because they are children.' Unless carers under 18 years are recognised as ‘authorised representatives', they would not be able to receive information from providers for treatment or compassionate reasons under NPP 2.4 or its equivalent.[543]

40. In its submission to IP 31, the Office also raised the possibility of an additional clause in NPP 2.4 relating to the health information of deceased persons. Such a clause could apply in lieu of an express right of access, by permitting the discretionary disclosure of health information about deceased individuals to persons ‘responsible' for the individual, for ‘compassionate' or other appropriate reasons, where this was not contrary to the deceased individual's wishes.[544]

41. Finally, the Office is aware that some terminology used in NPP 2.4 may be a source of confusion to providers and others. In particular, NPP 2.4 uses the term ‘carer' to signify the health professional who is providing care, rather than the everyday day usage of that term, which generally aligns more with the person ‘responsible' for the individual.

42. In the second half of 2007, the Office has conducted targeted consultation on draft guidance material relating to NPP 2.4, following commitments to provide further guidance in this area.[545] This draft guidance material includes an explanation of the term ‘carer' in the context of NPP 2.4. However, the ALRC might usefully consider whether the use of this terminology should be revised in any future amendments to these provisions.

Proposal 57-5 National Privacy Principle 2.1(ea) on the use and disclosure of genetic information should be moved to the Privacy (Health Information) Regulations and amended to apply to both agencies and organisations.  Any use or disclosure under the proposed regulation should be in accordance with binding rules issued by the Privacy Commissioner.

43. The Office does not agree with proposal 57-5, to the extent that it advocates the creation of separate health regulations and that binding rules be issued (rather than approved) by the Privacy Commissioner.

44. The Office agrees that NPP 2.1(ea) should be retained under the Privacy Act, and suggests that the provisions on disclosure of genetic information remain part of the general privacy principles, rather than being promulgated in separate health regulations. As discussed below, the proposal should clarify that the NHMRC should continue to develop the binding rules on this issue, with the Privacy Commissioner approving them once satisfied that the rules adequately address individual privacy protections.

45. For clarity and consistency, it is appropriate that NPP 2.1(ea) apply equally to agencies and organisations under a unified set of privacy principles, although additional rules or guidance may be appropriate where practices differ markedly between sectors.

46. The Office believes that proposal 57-5 should state that binding rules on the disclosure of genetic information be issued by the NHMRC and approved by the Privacy Commissioner. This would reflect the current process prescribed in the Privacy Act for the purposes of NPP 2.1(ea), enacted in 2006.[546]

47. The Office believes this approach appropriately draws on the expertise of both the NHMRC and the Office itself. The Office is aware that the NHMRC is currently developing binding guidelines, which, once approved by the Privacy Commissioner, would give effect to NPP 2.1(ea).

Proposal 57-6 The Privacy (Health Information) Regulations should provide that, if an organisation denies an individual access to his or her own health information on the ground that providing access would be reasonably likely to pose a serious threat to the life or health of any individual, the:

(a) organisation must advise the individual that he or she may nominate a registered medical practitioner to be given access to the health information;

(b) individual may nominate a registered medical practitioner and request that the organisation provide access to the information to the nominated medical practitioner;

(c) organisation must provide access to the health information to the nominated medical practitioner; and

(d) nominated medical practitioner may assess the grounds for denying access to the health information and may provide the individual with sufficient access to the information to meet the individual's needs if he or she is satisfied that to do so would not be likely to pose a serious threat to the life or health of any individual.

48. The Office supports the intent to provide a more robust intermediary provision where access to health information is denied. In addition to the detailed comments below, the Office also suggests that such a measure be given effect through the privacy principles themselves, rather than through the proposed regulations.[547]

49. Elements of this proposal are consistent with the Office's submission to IP 31, question 8-20.[548] In particular, the Office notes that this provision would strengthen individuals' rights to access their information through an intermediary compared with existing NPP 6.3. The Office particularly welcomes the suggestion that organisations should have a positive obligation to inform an individual of their right to nominate an intermediary.

50. In addition, as the Office suggested in its submission to IP 31, proposal 57-6 reflects the more appropriate test of ‘reasonably likely to pose a serious threat' in relation to the access exception (rather than ‘would pose a serious threat', which may be an unnecessarily high test to meet).[549]

Nominating an ‘appropriate intermediary' rather than a ‘registered medical practitioner'

51. The Office is unsure as to whether the nominated intermediary need always be a registered medical practitioner. In some circumstances, an appropriate intermediary might be a person that is not registered by a medical board, but who has sufficient clinical knowledge of a condition, as well as the individual's circumstances, to adequately and appropriately serve in that role. For example, a counsellor in a support group for a specific condition might be a suitable intermediary.

52. Accordingly, the Office suggests that an enhanced intermediary provision should incorporate the concept of an ‘appropriate intermediary'. This could include a medical practitioner, counsellor or other support person who is appropriately qualified to assess the denial of access, and the health information itself.

53. DP 72 sought feedback on whether an organisation should have the opportunity to object to the individual's choice of nominated medical practitioner.[550] The Office suggests that an organisation should have such opportunity, however this mechanism could form a part of the existing complaint process available under the Privacy Act.

54. If a provider did not reasonably believe that a nominated intermediary is appropriate in the circumstances, then it could refuse to provide access through the intermediary mechanism. In such a case, the individual could nominate an alternative intermediary, or have the option to complain to the Office. In assessing such a complaint, the Office would ask the provider to provide its reasons as to why the nominated intermediary was not appropriate. The Office would determine the merits of the provider's assessment of the nominated intermediary and whether there were valid grounds to deny allowing the individual to use that nominee as an intermediary. In many instances, the Office would likely seek expert clinical advice in resolving such disputes.

55. If the ALRC adopts the concept of an ‘appropriate intermediary' (rather than limiting intermediaries to being medical practitioners), the Office would be prepared to develop guidance on what constitutes an ‘appropriate intermediary'.

56. Accordingly, it does not appear necessary to the Office to provide a discrete mechanism which permits the health service provider to object to the nominated intermediary. Such a mechanism may result in undue delay and complication in negotiating access arrangements. In addition, when providing access to the nominee, the provider would have the opportunity to explain their reasons for denying access to the individual, and indicate why they believe access should continue to be denied.

57. The ALRC may wish to consider whether proposal 57-6(b) or (c) should clarify that access should only be provided to the nominee where that nominee accepts the individual's nomination.

Proposal 57-7 The Privacy (Health Information) Regulations should provide that where a health service practice or business is sold, amalgamated or closed down and a health service provider will not be providing health services in the new practice or business, or the provider dies, the provider, or the legal representative of the provider, must take all reasonable and appropriate steps to:

(a) make individual users of the health service aware of the sale, amalgamation or closure of the health service or the death of the health service provider; and

(b) inform them about proposed arrangements for the transfer or storage of individuals' health information.

58. The Office supports the intent of proposal 57-7, subject to the comments below. As discussed in response to proposal 56-2, the Office suggests that it would be preferable for any changes to health privacy regulation to be made through a discrete number of amendments to the privacy principles, rather than through a separate instrument.

59. This policy objective outlined in this proposal generally aligns with the Office's position in its response to question 8-22 of IP 31.[551]

60. In that submission, the Office noted the need to ensure adequate notice was provided to patients about practice sales or closures, without placing excessive regulatory requirements on providers. The Office notes that while many obligations under the NPPs, IPPs and the proposed UPPs are expressed to require ‘reasonable steps', proposal 57-7 requires ‘all reasonable and appropriate steps' to be taken. The degree to which this requirement would impose additional obligations beyond ‘reasonable steps' is unclear.

61. The Office acknowledges the importance of providers acting diligently in fulfilling their Privacy Act obligations. Nevertheless, in the interests of regulatory consistency, the ALRC may wish to consider whether ‘reasonable steps' provides an appropriate threshold in this case, as elsewhere in the current and proposed principles.

62. The Office notes that in some instances it may be difficult for the Privacy Commissioner to investigate privacy complaints about practice closures, because the respondent ‘organisation' (such as a sole practitioner) may no longer exist as an entity, or may not be able to be found.

Proposal 57-8 The Privacy (Health Information) Regulations should provide that if an individual:

(a) requests that a health service provider, or the health service provider's legal representative, make the individual's health information available to another health service provider; or

(b) authorises a health service provider to request that another health service provider transfers the individual's health information to the requesting health service provider,

the health service provider must transfer the individual's health information as requested.  The health information may be provided in summary form.

63. The Office supports proposal 57-8.

64. This proposal is consistent with the Office's position in response to IP 31, at question 8-24.

65. The Office suggests that greater specificity could be provided around the ability to transfer the information ‘in summary form'. In the Office's view, it is important that a summarised version contains sufficient detail from the original records to be of assistance to the patient and provider.

66. The ALRC and Australian Government may wish to consider whether the proposed provision on transfer of records should provide for relevant exceptions (similar to NPP 6.1), and requirements around permissible charges (similar to NPP 6.4).

Proposal 57-9 The Privacy (Health Information) Regulations should make express provision for the collection, use and disclosure of health information without consent where necessary for the funding, management, planning, monitoring, improvement or evaluation of a health service where:

(a) the purpose cannot be achieved by the collection, use or disclosure of information that does not identify the individual;

(b) it is impracticable for the agency or organisation to seek the individual's consent before the collection, use or disclosure; and

(c) the collection, use or disclosure is conducted in accordance with rules issued by the Privacy Commissioner.

67. The Office supports that the general effect of proposal 57-9, though suggests it could be accommodated within the existing collection provisions of NPP 10, or any equivalent proposed UPP, rather than in a separate instrument.

68. The Office discussed the Privacy Act's coverage of management, funding and monitoring of a health service (management purposes) in its submission to IP 31, at question 8-9. That question focused on the issue of disclosure of health information for management purposes, which - unlike collection - is not expressly provided for under the NPPs.

69. In the submission to IP 31, the Office noted that such management activities are an essential and expected part of health services operating in the community. Accordingly, in the Office's view, disclosures for management purposes would usually fall within the ‘directly related to primary purpose, and within reasonable expectations' test under NPP 2.1(a). The Office has provided guidance to this effect in guidelines and information sheets, including an information sheet that is currently in development following targeted consultation.[552]

70. While the Office submitted that such guidance was a sufficient response, several submitters to DP 72 indicated that guidance would not be enough to clarify the ambiguity regarding disclosure of health information for management purposes. The ALRC itself reached the same conclusion. Given the considerable support for addressing this matter in legislation, the Office is not opposed to expressly providing for use and disclosure of health information in the relevant circumstances, in addition to collection.

Paragraphs (a), (b), and (c) of proposal 57-9

71. The criteria in proposal 57-9 - which agencies and organisations must satisfy before they can collect, use or disclose health information without consent for management purposes - are of very similar effect to the existing criteria for organisations under NPP 10.3. That NPP requires that:

• deidentified information would not suffice;
• it is impracticable to seek the individual's consent; and
• the information is collected as required by law, or in accordance with binding guidelines approved by the Privacy Commissioner under s 95A of the Privacy Act.[553]

The Office submits that these criteria are appropriate and effective, and as proposal 57-9 generally suggests, these should continue to operate in the future provisions for collection, use and disclosure under the Privacy Act.

72. Paragraph (c) of 57-9 indicates that the Commissioner should ‘issue' rules to regulate the handling of health information for management purposes. In the Office's view, proposal 57-9 should reflect the existing requirements of section 95A of the Privacy Act, including by:

• clarifying that the Privacy Commissioner may approve rules that are issued by the CEO of the NHMRC or a prescribed authority; and
• requiring that the rules be approved only if the Commissioner is satisfied that the public interest in permitting the collection, use or disclosure of health information, for the purposes mentioned, ‘substantially outweighs' the public interest in maintaining the level of privacy protection afforded by the other privacy principles.

Rules issues for these purposes are discussed further below in response to proposal 57-10.

Proposed addition of ‘planning', ‘improvement' and ‘evaluation'

73. As noted above, NPP 10.3 currently permits the collection of health information without the individual's consent where necessary for the management, funding or monitoring of a health service, subject to certain criteria.

74. Proposal 57-9 recommends the addition of other terms beyond management, funding and monitoring of a health service. Specifically, ‘planning', ‘improvement' and ‘evaluation' are proposed to be added.

75. The Office's Guidelines on Privacy in the Private Health Care Sector (NPP Health Guidelines) refer to both ‘planning' and ‘evaluation' as aspects of management, funding and monitoring in the context of permitted uses and disclosures.[554] If the ALRC believes these two terms should expressly be included in the Privacy Act, the Office is not opposed to their inclusion.

76. However, in relation to adding the term ‘improvement', the Office submits that this may have overly broad connotations compared with the other proposed terms. It is almost always possible to ‘improve' existing practices, but this may not necessarily warrant collection, use or disclosure of health information without consent. In addition, it is unclear to the Office what the term ‘improvement' would usefully add that is not already encompassed by funding, management, planning, monitoring or evaluation. Accordingly, the Office does not support the addition of the term ‘improvement' in these provisions.

77. The Office notes that DP 72 considered whether to permit collection, use and disclosure of health information for training purposes without consent. The ALRC believed that the balance of public interest did not support the inclusion of training in these provisions.[555] The Office supports this view, and believes that individuals should be given the choice to consent to their information being used for training purposes.

Proposal 57-10 The Privacy Act should be amended to empower the Privacy Commissioner to issue rules in relation to the handling of personal information for the funding, management, planning, monitoring, improvement or evaluation of a health service.

78. The Office does not support proposal 57-10.

79. The Office's submission to IP 31 discusses issues relating to management, funding and monitoring of a health service (management purposes).[556] These issues are discussed further in the current submission, at proposal 57-9 above.

80. As noted in response to proposal 57-9, NPP 10.3 requires that health information collected for management purposes is collected as required by law, or in accordance with binding guidelines approved by the Privacy Commissioner under s 95A of the Privacy Act.[557] The Office submits that these criteria are appropriate and effective, and should continue to operate in the future provisions for collection, use and disclosure under the Privacy Act.

81. In the Office's view, proposals 57-9 and 57-10 should reflect the existing requirements of s 95A of the Privacy Act, including by:

• clarifying that the Privacy Commissioner may approve rules that are issued by the CEO of the NHMRC or a prescribed authority; and
• requiring that the rules be approved only if the Commissioner is satisfied that the public interest in permitting the collection, use or disclosure of health information, for the purposes mentioned, ‘substantially outweighs' the public interest in maintaining the level of privacy protection afforded by the other privacy principles.

82. At present, proposals 57-9 and 10 do not prescribe a role for the NHMRC or other authority in developing rules for management purposes. However, DP 72 does not suggest that the current arrangement - whereby the Privacy Commissioner may approve rules issued by the NHMRC or other prescribed authority - is not functioning well. Accordingly, the rationale for changing the current arrangements remains unclear.

CHAPTER 58

RESEARCH

Proposal 58-1 The Privacy Commissioner should issue one set of rules under the proposed exceptions to the ‘Collection' principle and the ‘Use and Disclosure' principle in the Unified Privacy Principles (UPPs) to replace the Guidelines Under Section 95 of the Privacy Act 1988 and the Guidelines Approved Under Section 95A of the Privacy Act 1988.

1. The Office agrees that a single set of rules should replace the binding guidelines currently made under sections 95 and 95A of the Privacy Act 1988 (Cth) (‘Privacy Act'). The Office does not agree that the Privacy Commissioner should ‘issue' the guidelines, but should retain an approval function.

2. The proposal for one set of rules to regulate both public and private sectors aligns with the Office's position 8-32 in its submission to the ALRC's Issues Paper 31 (IP 31).[558] At present, separate sets of guidelines under sections 95 and 95A of the Privacy Act apply to the non-consensual handling of personal information for health-related research. The Office agrees that a single set of guidelines would resolve uncertainty that may exist in the research community now, including by establishing uniform rules for agencies and organisations.

3. The Office does not agree that such rules should be issued by the Privacy Commissioner. Currently, the section 95 and 95A guidelines are issued by the National Health and Medical Research Council (NHMRC), and approved by the Privacy Commissioner. In the Office's view, this arrangement has worked appropriately and the Office suggests that it be reflected in any new mechanism.

4. In addition, it is noted that the basis for the proposal that the Privacy Commissioner issue the guidelines is not made clear in DP 72. In the absence of a compelling rationale to depart from present practice, the Office believes that the existing issuing and approval processes should be maintained under the Privacy Act.

Retaining the role of the NHMRC or other appropriate bodies in issuing the research rules

5. In the Office's view, the development of the existing binding guidelines has been aided by the NHMRC's expertise in both the practice of research, including ethical issues, and the operation of the research community. Accordingly, in the Office's view, the NHMRC (particularly the Australian Health Ethics Committee (AHEC)), would seem well placed to develop rules concerning research in the future.

6. Further, as the rules will be followed by Human Research Ethics Committees (HRECs), it will be important that these bodies are closely consulted during the development of the rules.

7. While the research rules will not bind HRECs (rather, they will bind the organisations and agencies seeking to rely on the relevant research exception), they will provide a basis under which HRECs will conduct their deliberations. If the NHMRC were to assume responsibility for issuing these research rules, it could draw upon existing relationships with HRECs in developing appropriate procedures and standards of protection.

8. In addition, many of those HRECs, particularly those in most public universities and public health systems, will not fall under the purview of the Privacy Act. Accordingly, as the NHMRC has a more clearly defined oversight role over HRECs' activities, it again seems appropriate that the NHMRC have primary carriage for making the research rules (possibly in collaboration with other appropriate entities as discussed below), and the Privacy Commissioner retain an approval function.

Rules for human research other than health and medical research

9. As explored below, the Office does not agree with the ALRC's proposal 58-2 to significantly expand the non-consensual handling of personal information for research purposes from health and medical research to all forms of human research more broadly.

10. However, the Office understands that if proposal 58-2 were adopted, it may be beyond the NHRMC's existing statutory functions to issue guidelines for matters beyond health and medical research. In this regard, the Office notes that the NHMRC developed the current version of the National Statement on Ethical Conduct in Human Research (National Statement) in collaboration with the Australian Research Council and Australian Vice-Chancellors' Committee. Such a collaboration may provide a useful model for the development and issuing of research rules for wider research involving personal information, with the Privacy Commissioner retaining an approval and oversight function.

Proposal 58-2 The Privacy Act should be amended to extend the existing arrangements relating to the collection, use or disclosure of personal information without consent in the area of the health and medical research to cover the collection, use or disclosure of personal information without consent in human research more generally.

Permit the non-consensual use of personal information, not just health information, for health and medical research

11. The Office agrees that personal information generally, not just health information, should be available for health-related research under the new rules. This element of proposal 58-2 is consistent with the Office's submission to IP 31, expressed at position 8-32(iii).[559]

12. In that submission, the Office noted an unnecessary inconsistency in the existing mechanisms between agencies being able to use any personal information for health and medical research, while organisations are limited to the narrower category of ‘health information'. The Office also acknowledged that there is often value in being able to link health and non-health information for health-related research.[560]

13. The Office suggested this amendment as part of a series of proposals that would significantly reduce complexity in the non-consensual use of personal information for health-related research, while maintaining an appropriate balance with the public interest in protecting privacy.[561]

Do not extend the non-consensual research mechanism to all human research

14. The Office does not believe that personal information should be handled, without consent, for all forms of human research.

15. Rather, the Office believes that non-consensual handling should be limited to health and medical research, as expressed in chapters 4 and 8 of the Office's submission to IP 31.[562] Importantly, ‘health and medical research' should be expressed to include all of the existing elements in both the section 95 and 95A mechanisms, including research relevant to ‘public health or public safety' (also referred to in National Privacy Principle (NPP) 10.3(a)(i)).

16. This view is based on a fundamental principle of privacy law and good privacy practice, that personal information should generally only be used or disclosed for the purpose for which it was collected. If an agency or organisation has a secondary purpose in mind, this should generally be done with consent, or be for a related purpose within the individual's reasonable expectations. Any departure from this approach requires clear justification.

17. In this regard, the existing arrangements for non-consensual health-related research recognise ‘the special nature of medical research, especially epidemiological research', including research and statistics relevant to public health or public safety.[563] Accordingly, the guidelines allow for the non-consensual collection, use and disclosure of personal information for research in those areas, subject to certain criteria being met.

18. The Office is concerned that if the exceptions were expanded to apply to any human research, then this may lead to the non-consensual handling of personal information for research in areas that may be unforeseen, unexpected and potentially undesirable. This concern is heightened by proposal 58-4 that the public interest test for the approval of the guidelines by the Privacy Commissioner be removed altogether, and that the equivalent test imposed on HRECs be lowered from ‘substantially outweigh' to ‘outweigh'. Taken together, these changes would appear to represent a substantial diminution of existing protections.

Other types of research discussed in DP 72

19. In regard to other types of research that may involve the handling of personal information, DP 72 notes that there is a strong public interest in certain forms of research, such as sociology and criminology. The Office does not dispute that research of this type may offer considerable public benefits. Submissions cited in DP 72 provide examples of potentially valuable research, including ‘significant social issues such as child abuse, family violence or homelessness'[564].

20. In the Office's view, much of this research could be facilitated by including research relevant to ‘public health or public safety' in the permitted types of research under a new research mechanism, rather than expanding the scope to all human research. This expression reflects the current wording of the use and disclosure exception in NPP 2, and the collection principle in NPP 10.3(a)(i).

21. Including ‘public health and public safety' as permitted types of research under the rules would also represent an expansion of the current regime for agencies, which are currently unable to conduct non-consensual research for such purposes. The Office believes that this expansion, particularly to the extent that it harmonises the regulation of agencies and organisations, is reasonable and appropriate.

22. ALRC DP 72 also asserts that there ‘is no in-principle reason to limit arrangements for research in the Privacy Act to health and medical research'. The Office does not agree with this position, which appears to understate the provisions in the Privacy Act that function to permit other forms of research.

23. As the Office noted in its previous submission to IP 31, there are a number of existing mechanisms in the Privacy Act that would allow personal information to be used or disclosed for non-health related research. For example, NPP 2 would allow use or disclosure for the purpose of social research where:

• the personal information was collected for the primary purpose of social research (NPP 2);
• the social research is related to the primary purpose of collection (or directly related, for sensitive information) and is within the individual's reasonable expectations (NPP 2.1(a));
• the individual has given their consent (NPP 2.1(b));
• the use or disclosure is required or authorised by or under a law of any Australian jurisdiction (NPP 2.1(g)).

24. In addition, an organisation or agency may apply for a Public Interest Determination (PID) where there is a particularly compelling public interest in a research project, as has happened on two occasions.[565] (It is unclear whether PIDs would have been necessary for these research projects if the ‘public health or public safety' test had been available to agencies).

25. It should also be noted that the information will not be regulated if it is ‘de-identified'. Accordingly, there is ample scope for non-health related research to be conducted under the Privacy Act.

26. In regard to whether non-consensual handling of personal information should be permitted for non-health related research, the Office reiterates its opposition to this recommendation with the following comments:

• In general, the overall public interest in health-related research is likely to be greater than the public interest in other forms of social research. While the latter will undoubtedly offer benefits to the community, these benefits, taken collectively, are likely to pose a less compelling public benefit than health-related research.
• Non-consensual use of personal information for social research may not sit comfortably with community attitudes. Community attitude research indicates that individuals' desire to retain control over the use of their personal information extends to non-health fields.
• For example, a US survey found that 77% of respondents wanted opt-in 'all the time' before information about browsing habits or shopping patterns could be collected. In addition, 86% of those polled wanted opt-in consent arrangements for all collection of personally identifiable information such as name, address, and phone number.[566] A New Zealand survey found that 22% of individuals surveyed did not want their general information (name, address, occupation etc) shared with researchers.
• In addition, the Office noted in its previous submission that attitudinal research suggests that while individuals may support research being conducted, and may even be willing to participate, they still expect to be asked for their consent.
• For example, research conducted in the US, using patients of the Department of Veterans' Affairs, found that 73% of respondents believed it was critically or very important to get consent for each research study.[567] At the same time, 83% of this same sample believed such research was critically or very important. Put another way, even though these individuals recognise the importance of such research, they still believed that consent should be sought.

27. Further, in the Office's view, ensuring that research that is ‘relevant to public health and public safety' remains within the non-consensual research mechanism, as suggested above, would allow many of those research projects currently identified as being potentially prohibited. In particular, permitting agencies to conduct such forms of research may address the concerns raised in a number of cited submissions.

28. If proposal 58-2 is adopted and the circumstances under which personal information may be used without consent for research were expanded to research for social research generally, the Office would expect that appropriate reporting mechanisms would need to be established to promote public confidence in the operation of the research exceptions by promoting transparency.

29. The issue of reporting requirements that should accompany research exceptions are discussed further at proposal 58-7.

Proposal 58-3 The Privacy Act should be amended to provide that ‘research' is any activity, including the compilation or analysis of statistics, subject to review by a Human Research Ethics Committee under the National Statement on Ethical Conduct in Human Research (2007).

30. The Office does not support the ALRC's proposal to define ‘research', even in the form proposed, according to the National Statement.

31. This issue was discussed in the Office's submission to IP 31.[568] The Office does not support defining ‘research' given the breadth of what, in practice, is considered to constitute research. A rigid definition that seeks to capture research would seem to be problematic. In contrast, allowing the definition to be determined contextually is responsive to the rapid changes in the field of research.

32. In the Office's view, the proposal to define research as any activity subject to review by a HREC under the National Statement raises a number of issues, discussed below.

33. The National Statement is neither legally binding nor, more significantly, subject to Parliamentary scrutiny (it is not, for example, a legislative instrument). Accordingly, importing the meaning by reference would establish a statutory meaning that is not, unlike the Privacy Act, subject to Parliamentary oversight. This may open up the possibility that, should the National Statement be altered in the future, the meaning of ‘research' in the Privacy Act would alter too. This would not promote regulatory stability.

34. The Office believes that regulatory stability is important in privacy law, and would be concerned about entrenching a provision which is inherently open to amendment. The Office has noted, for example, that changes in the recently revised National Statement have brought in to question the functioning of some provisions of the existing section 95 and 95A guidelines where those guidelines incorporate provisions of the National Statement by reference.

35. Further, under proposal 58-3 the definition of research would be dependent upon any activity subject to review by a HREC under the National Statement. Relevantly, the National Statement says, at paragraph 5.1.6, that the types of research requiring HREC review are:

• all research that involves more than low risk;
• research falling under the following chapters (except where research on collections of non-identifiable data under these chapters satisfies the conditions for exemption from review - see paragraphs 5.1.22 and 5.1.23):
• Chapter 3.3: Interventions and therapies, including clinical and non-clinical trials, and innovations
• Chapter 3.5: Human genetics,
• Chapter 3.6: Human stem cells,
• Chapter 4.1: Women who are pregnant and the human foetus,
• Chapter 4.4: People highly dependent on medical care who may be unable to give consent,
• Chapter 4.5: People with a cognitive impairment, an intellectual disability, or a mental illness,
• Chapter 4.7: Aboriginal and Torres Strait Islander Peoples,
• and some categories of research falling under Chapter 4.6: People who may be involved in illegal activities (see bolded paragraph on page 79 for details).

36. This categorisation raises a number of issues. It is noted that the expression does not actually ground the concept of ‘research' by explaining the term, and so offers little clarity in that regard.

37. The first element of paragraph 5.16 establishes that all research must receive HREC approval if it ‘involves more than low risk'. Left at this point, any non-consensual research mechanism would exclude low risk research. Only research that involved more than low risk could use the research exception, while low risk research would need to rely on another exception. It seems paradoxical that low risk research would be the only form of research for which the non-consensual mechanism would not apply.

38. However, perhaps more significantly, there appears to be some internal inconsistency within DP 72 on how this paragraph would be applied, as later in DP 72, it is stated that:

• The ALRC is of the view that any research that requires:
• the collection of identified or reasonably identifiable sensitive information without consent;
• the use or disclosure of such information without consent for a purpose that is not directly related to the purpose of collection and within the reasonable expectations of the individual; or
• the use or disclosure of identified or reasonably identifiable non-sensitive information without consent for a purpose that is not related to the purpose of collection and within the reasonable expectations of the individual,
• is likely to involve more than a low level of risk for individuals and should always be reviewed by an HREC.[569]

39. It would appear that DP 72 has determined that, in effect, any research that handles personal information would be deemed ‘more than low risk' and subject to HREC approval. This seems to bring into question the purpose of importing the meaning from the National Statement, as the ‘low risk research' exception is effectively omitted (albeit appropriately, in the Office's view). What is left is, effectively, a requirement that any research that requires the handling of personal information must be subject to HREC approval. This seems a simple requirement that could be given direct effect in either the Privacy Act or proposed research rules. Accordingly, it is unclear whether proposal 58-3 would contribute anything that might not be done more simply.

Proposal 58-4 The research exception to the proposed ‘Collection' principle and the proposed ‘Use and Disclosure' principle should provide that before approving an activity that involves the collection, use or disclosure of sensitive information or the use or disclosure of other personal information without consent, Human Research Ethics Committees must be satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the proposed UPPs.

40. The Office notes that this proposal would move the requirement to seek HREC approval from being located within the rules, as is currently the case, to being a requirement of the Privacy Act itself. The Office supports the certainty of giving statutory effect to this requirement.

41. However, the Office has concerns at the lessening of the ‘substantially outweigh' test, particularly when considered in conjunction with proposal 58-2 to significantly broaden the types of research which may be conducted without consent.

42. It should also be noted that there are currently two ‘substantially outweigh tests', one that must be applied by HRECs when approving specific research proposals and one that applies to the Privacy Commissioner when approving the guidelines. DP 72 proposes that the public interest test be removed altogether in regard to the Privacy Commissioner's approval of the proposed rules. As discussed in the Office's submission on ALRC IP 31, the Office supports the retention of the ‘substantial outweigh' test in each case.[570]

43. In the second-reading speech for the 2000 amendments introducing the NPPs into the Privacy Act, the then-Attorney General, the Hon Daryl Williams QC stated that:

The government recognises that Australians consider their personal health information to be particularly sensitive and that they expect that it will be handled fairly and appropriately by all those who come into contact with it

44. In its previous submission, the Office also noted from the same speech that the existing test was drafted after careful consideration of these community sensitivities, with the National Privacy Principles designed:

...to ensure an appropriate balance between privacy interests and other important public interests, such as the promotion of research and the effective planning and delivery of health services.

45. The Office does not agree that the current proposal sits comfortably with this intent, nor does there appear to be compelling justification to depart from it.

46. In particular, the Office believes that removing ‘substantially' allows for situations in which HRECs may decide in favour of research where there is not a clear argument in its favour, but merely, a slight, marginal outweighing of public interest in the research over the public interest in maintaining privacy. This test leaves only a small margin of error before research might be permitted that may not outweigh the public interest in protecting privacy.

47. The Office notes that the Australian Government Department of Health and Ageing (DoHA) would appear to support the retention of the ‘substantially outweigh' test for this same reason. DP 72 cites DoHA's submission on IP 31:

Health information collected in the delivery of healthcare services is subject to a legal duty of confidence. In order to comply with this duty, express consent would normally be required before health information was disclosed for research purposes. It would not appear sufficient to discharge this duty by ‘finely' balancing the public interests. The balance should be ‘clearly' in favour of the research. 

48. The Office agrees that designing a system that provides for the ‘fine' balancing of public interests is inappropriate for the non-consensual handling of personal information, particularly health information. Such a mechanism leaves open the possibility that decisions could, on occasions, be made to approve research that might not be in the public interest.

49. This could lead to an outcome where the community loses confidence that their personal information is being adequately protected when being handled without their consent. The Office has previously noted the clear interest that the health research community has in maintaining community trust in the conduct of research.[571]

Application of the current test by HRECs

50. The ALRC has indicated that it is ‘...concerned that the current test may be leading to overly conservative decision making by HRECs that is not in the overall public interest.'[572]

51. The Office suggests that, if this is accurate, it does not justify changes that could lead to lower privacy protections. Instead, greater education or training of HRECs in the applications of the existing guidelines may assist in ensuring that HREC decision making is consistent and predictable.

52. In addition, the Office noted in its submission on IP 31 and reiterates here that harmonising the existing provisions would also likely assist in simplifying HRECs decision making.[573] Reducing any uncertainty about legal requirements may give HRECs greater confidence in applying the legal test. Conversely, a lack of certainty may promote a risk averse and conservative approach to decision making.

53. At the same time, it is possible that the perceived conservative approach of HREC decision making reflects the views of researchers. As the Office noted in its previous submission, it is inevitable that, on some occasions, HRECs will not approve a given research proposal because the public interest in the research does not, on balance, merit the lessening of privacy protections (or, for that matter, some other ethical standard).[574] The non-consensual research mechanism is not intended to permit all research and lessening its protections to establish a more permissive regime would seem an inappropriate outcome for privacy law reform.

54. The Office believes that HRECs should continue to be satisfied that a research proposal offers public interests that ‘substantially outweigh' the public interest in protecting privacy.

Substantially outweigh' test when approving the guidelines

55. The Office notes the comments of DP 72 regarding the role of the ‘substantially outweighs' test in the Privacy Commissioner's deliberations when approving any guidelines. Currently, the Commissioner must be satisfied that the public interest in the types of research permitted by the guidelines must ‘substantially outweigh' the public interest in protecting privacy. DP 72 proposes that this test be removed altogether.

56. DP 72, at paragraph 58.85, says on this matter that whether or not there is a public interest in personal information being handled without consent for research is ‘...a matter for the Australian Parliament to consider in deciding whether to establish an exception to the UPPs for research'. DP 72 then goes on to conclude that:

It is unnecessary for the Privacy Commissioner to consider this issue [that is, whether the public interest in the types of research ‘substantially outweigh' the public interest in protecting privacy] before approving guidelines or, in the ALRC's proposed regime, issuing rules.

57. The Office does not agree with this conclusion.

58. The Office submits that it is a matter for Parliament as to whether it imposes particular obligations on the Privacy Commissioner regarding the exercise of the Commissioner's functions under the Privacy Act. If the Parliament chooses to require that the Commissioner be satisfied of certain matters, such as one interest substantially outweighing another, then it may legislate to that effect.

59. For example, the PID provisions of the Privacy Act impose a requirement that the Commissioner be satisfied that the public interest of the relevant practice ‘substantially outweigh' the public interest in maintaining privacy. Similarly, Parliament has chosen in section 29 to prescribe certain matters about which the Commissioner must give due regard when exercising functions.

60. In contrast, as suggested above, the ‘substantially outweigh' test creates a sense of certainty and removes any ambiguity regarding the Privacy Commissioner's deliberations. Even in the event that the Commissioner erred on the side of facilitating research, this would still be in the overall public interest. A more finely balanced test might result in an overall public interest test not being appropriately balanced.

61. Accordingly, the Office submits that the comment provided at paragraph 58.85 does not support the removal of the ‘substantially outweigh' test.

Proposal 58-5 The Privacy Commissioner should consult with relevant stakeholders in developing the rules to be issued under the research exceptions to the proposed ‘Collection' principle and the proposed ‘Use and Disclosure' principle, to ensure that approaches adopted in the rules and the National Statement on Ethical Conduct in Human Research (2007) are compatible.

62. As discussed in response to proposal 58-1, the Office does not support the proposal for the Office of the Privacy Commissioner to issue the rules to be issued under the research exceptions.

63. In regard to proposal 58-5, as the Privacy Act and related rules establish legal obligations, it is unclear the extent to which the rules should be adapted to accommodate the National Statement, which is neither legally binding nor subject to Parliamentary scrutiny. While it is useful for such instruments to align wherever possible, protections that are given legal standing in the rules should not be reduced so as to ensure compatibility with the National Statement. Indeed, it would seem more appropriate for the National Statement to accord with the binding guidelines as scrutinised by Parliament.

Proposal 58-6 The National Statement on Ethical Conduct in Human Research (2007) should be amended to require that, where a research proposal seeks to rely on the research exceptions in the Privacy Act, it must be reviewed and approved by a Human Research Ethics Committee.

64. The Office agrees with proposal 58-6, in that it provides an accurate reflection of the existing legal requirement that where a research proposal seeks to rely on the research exceptions in the Privacy Act, it must be reviewed and approved by a HREC.

65. The Office notes that as the National Statement does not have the force of law, it may be preferable for this proposal to replace the word ‘require' with ‘state'.

66. The proposal is in line with the Office's position in its submission to the NHMRC in its review of the National Statement[575] that clearer express reference be included to highlight the importance of ensuring that research proposals meet any obligations under the Privacy Act.

Proposal 58-7 In developing the rules to be issued in relation to research under the proposed ‘Collection' principle and the proposed ‘Use and Disclosure' principle the Privacy Commissioner, in consultation with relevant stakeholders, should review the reporting requirements currently imposed on the Australian Health Ethics Committee and Human Research Ethics Committee. Any new reporting mechanism should aim to promote the objects of the Privacy Act, should have clear goals and should impose the minimum possible administrative burden to achieve those goals.

67. As discussed in response to proposal 58-1, the Office does not agree that the Privacy Commissioner should issue such rules for the purpose of the research exceptions.

68. However, the Office agrees that a review of the reporting requirements currently established under the section 95 and 95A guidelines would be appropriate. The Office expressed this in its submission on IP 31, as well as making a recommendation to this effect in its 2005 report Getting into the Act: The Review of the Private Sector Provisions of the Privacy Act (‘the PSR report').[576] The Office looks forward to working with the NHRMC as it conducts such a review as part of its broader review of the existing guidelines.

69. The Office is concerned at the suggestion in paragraph 58.131 that the review of the reporting requirements should be held over until the proposed rules are developed. If the Australian Government were to adopt the proposal that rules be made, there would likely still remain some period of time before such an amendment would become law. These processes would reasonably be expected to take some time. Guideline H1 of the section 95A guidelines states that they will be reviewed within two years from the date of issue on 21 December 2001.

Purpose and contents of reports

70. The Office recognises the importance of ensuring that reporting requirements are not burdensome, do not hinder the operation of HRECs or impose unreasonable compliance costs. In the Office's view, in the absence of individuals being able to control the handling of their personal information, these reporting requirements should include only as much information as is necessary to ensure that there is transparency in how the research exceptions are being used. Such transparency, in turn, will help promote community trust and confidence in non-consensual handling of personal information for research.

71. The Office believes that it would also be appropriate and consistent with the purpose of reporting for the reports to be available to the general community so that individuals can be made aware of how personal information is being handled without consent for research. In this regard, the Office suggests that reports on the operation of the research rules should be made public, either by being tabled in Parliament or being published by the Office and AHEC.

72. The Office notes that if the statutory protections accompanying the non-consensual research mechanisms are reduced as outlined in proposals 58-2 (to expand the types of permitted research) and 58-4 (to reduce the public interest balance test to ‘outweigh'), then the reporting requirements should be sufficient to offer the community assurance that the exception was being used appropriately.

73. Matters that might usefully be included in such reporting could include the quantity of records being handled with out consent, their general type and origin, as well as the types of research being conducted.

Additional matter

74. The Office has some concern at the suggestion that it is burdensome for HRECs, in compiling their reports, to determine ‘... those IPPs and NPPs that may be breached by the research proposal.'[577] It is a requirement of the current guidelines that a HREC:

...must assess whether it has sufficient information, expertise and understanding of privacy issues, either amongst the members of the HREC or otherwise available to it, to make a decision that takes proper account of privacy.

75. As most research proposals will generally only involve the principles regulating collection, use or disclosure, it does not seem excessively burdensome for a properly constituted HREC to identify the relevant principle. This may again suggest a need for greater guidance from either the Office or NHMRC on the application of the guidelines.

Proposal 58-8 The research exception to the proposed ‘Collection' principle should state that, despite subclause 2.6, an agency or organisation may collect sensitive information about an individual where:

(a) the collection is necessary for research;

(b) the purpose cannot be served by the collection of information that does not identify the individual;

(c) it is impracticable for the agency or organisation to seek the individual's consent to the collection;

(d) a Human Research Ethics Committee has reviewed the proposed activity and is satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the UPPs; and

(e) the information is collected in accordance with rules issued by the Privacy Commissioner.

Where an agency or organisation collects sensitive information about an individual in accordance with this provision, it must take reasonable steps to ensure that the information is not disclosed in a form that would identify the individual or from which the individual would be reasonably identifiable.

76. The Office agrees with the paragraphs (b) and (c) of proposal 58-8, as these elements of the proposed research exception to the Collection principle are consistent with the principles currently within existing mechanisms. The Office believes that the existing mechanisms generally afford an appropriate balance between the needs of research and the protection of privacy.

77. As stated in the Office's response to proposal 58-2, the Office does not agree with the proposal at 58-8(a). The Office has proposed that the non-consensual research mechanism provide for both agencies and organisations to conduct health and medical research, including research relevant to public health and public safety. The Office does not believe that the mechanism should apply to wider forms of human research.

78. As stated in the Office's response to 58-4, the Office does not agree with the proposal at 58-8(d). To remove any uncertainty about the application of a public interest test, the test should remain ‘substantially outweigh'.

Proposal 58-9 The research exception to the proposed ‘Use and Disclosure' principle should state that despite the other provisions of the Use and Disclosure principle, an agency or organisation may use or disclose personal information where:

(a) the use or disclosure is necessary for research;

(b) it is impracticable for the agency or organisation to seek the individual's consent to the use or disclosure;

(c) a Human Research Ethics Committee has reviewed the proposed activity and is satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the UPPs;

(d) the information is used or disclosed in accordance with rules issued by the Privacy Commissioner; and

(e) in the case of disclosure-the agency or organisation reasonably believes that the recipient of the personal information will not disclose the personal information in a form that would identify the individual.

79. The Office agrees with paragraphs (b) and (e) of proposal 58-9 as these elements of the proposed research exception to the Collection principle are consistent with the principles currently in the section 95 and 95A mechanisms. The Office believes that the existing mechanisms generally afford an appropriate balance between the needs of research and the protection of privacy.

80. The Office does not agree with the proposal at 58-9(a). As stated in the Office's response to 58-2, the Office does not believe that the research exception should enable the non-consensual use of personal information for human research generally, but rather, this should be restricted to research for health and medical purposes (expressed in such a way as to include research relevant to public health and public safety).

81. The Office does not agree with the proposal at 58-9(c). As stated in the Office's response to 58-4, the Office does not believe the public interest test should be changed from ‘substantially outweighs' to ‘outweighs'.

82. In relation to 58-9(d), the Office agrees that personal information should be used and disclosed in accordance with the research rules, but believes these rules should be issued by the NHMRC (possibly in conjunction with other relevant bodies) rather than the Privacy Commissioner.

Proposal 58-10 The Privacy Commissioner should provide guidance on the meaning of ‘not reasonably identifiable'.

83. The Office agrees that it should provide guidance on the meaning of ‘not reasonably identifiable'. The proposal for the Privacy Commissioner to provide guidance on the meaning of ‘not reasonably identifiable', is in line with recommendation 62 of the Office's Private Sector Review.[578]

Proposal 58-11 The Privacy Commissioner should address the following matters in the rules to be issued under the research exceptions to the proposed ‘Collection' principle and the proposed ‘Use and Disclosure' principle:

(a) the process by which a Human Research Ethics Committee should review a proposal to establish a health information database or register for research purposes;

(b) the mat