Federal Register of Legislation - Australian Government

Approvals as made
This instrument approves guidelines issued by the Chief Executive Officer of the National Health and Medical Research Council for the purposes of paragraph 16B(3)(c) and subparagraph 16B(2)(d)(iii) of the Privacy Act 1988.
Administered by: Attorney-General's
Registered 11 Mar 2014
Tabling History
Tabled Senate: 17-Mar-2014
Tabled HR: 17-Mar-2014

 


Explanatory Statement

Approval of guidelines issued under section 95A of the Privacy Act 1988

 

March 2014


This explanatory statement has been prepared by the Australian Privacy Commissioner. It fulfils the Commissioner’s obligations under subsection 26(1A) of the Legislative Instruments Act 2003 (Cth) (Legislative Instruments Act).

This explanatory statement explains the scope and intended operation of the Approval of guidelines issued under section 95A of the Privacy Act 1988 (the approval) about the handling of health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety, and for the purposes of the management, funding or monitoring of a health service.

Purpose

The Australian Information Commissioner is empowered by section 95A of the Privacy Act 1988 (Cth) (Privacy Act) to approve guidelines issued by the Chief Executive Officer (CEO) of the National Health and Medical Research Council relating to the use and disclosure of health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety; and the collection of health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety, and the management, funding and monitoring of a health service (the guidelines).

This approval replaces the Approval of the Guidelines approved under Section 95A of the Privacy Act 1988 (December 2001, FRLI F2008B00222).

Authority

The authority for the Privacy Commissioner to approve these guidelines rests in:

· section 95A of the Privacy Act, and

· section 12 of the Australian Information Commissioner Act 2010 (Cth) (the Australian Information Commissioner Act).

Subsections 95A (1), (2) and (4) of the Privacy Act state:

Overview

(1) This section allows the Commissioner to approve for the purposes of the Australian Privacy Principles guidelines that are issued by the CEO of the National Health and Medical Research Council or a prescribed authority.

Approving guidelines for use and disclosure

(2) For the purposes of paragraph 16B(3)(c), the Commissioner may, by notice in the Gazette, approve guidelines that relate to the use and disclosure of health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety.

[…]

Approving guidelines for collection

(4) For the purposes of subparagraph 16B(2)(d)(iii) the Commissioner may, by notice in the Gazette, approve guidelines that relate to the collection of health information for the purposes of:

a. research, or the compilation or analysis of statistics, relevant to public health or public safety; or

b. the management, funding or monitoring of a health service.

Section 6 of the Privacy Act defines ‘Commissioner’ to mean ‘the Information Commissioner within the meaning of the Australian Information Commissioner Act’.

The guidelines are approved by the Privacy Commissioner, who under section 12 of the Australian Information Commissioner Act has the privacy functions defined in section 9 of that Act. The privacy functions include functions conferred on the Information Commissioner by the Privacy Act.

Relevant provisions of the Privacy Act

The Australian Privacy Principles (APPs) are a set of legally binding privacy principles that establish standards, rights and obligations in relation to the handling, holding, accessing and correcting of personal information. They apply to most Australian Government agencies and certain private sector organisations, collectively referred to as APP entities.

Under the APPs, an APP entity must not collect sensitive information, and must not use or disclose personal information for a purpose other than the primary purpose of collection, unless an exception applies.

Australian Privacy Principle (APP) 6 prohibits uses or disclosures of personal information for secondary purposes unless the individual to whom the personal information relates has consented or a listed exception in relation to the use or disclosure of that information applies.

APP 6.2(d) provides that an APP entity may use or disclose personal information about an individual if the APP entity is an organisation and a permitted health situation exists in relation to the use or disclosure of the information by the entity.

Permitted health situations are set out in section 16B of the Privacy Act. Subsection 16B(2) states that:

A permitted health situation exists in relation to the collection by an organisation of health information about an individual if:

(a) the collection is necessary for any of the following purposes:

(i) research relevant to public health or public safety;

(ii) the compilation or analysis of statistics relevant to public health or public safety;

(iii) the management, funding or monitoring of a health service; and

(b) that purpose cannot be served by the collection of information about the individual that is de-identified information; and

(c) it is impracticable for the organisation to obtain the individual’s consent to the collection; and

(d) any of the following apply:

[…]

(iii) the information is collected in accordance with guidelines approved under section 95A for the purposes of this subparagraph.

Subsection 16B(3) states that:

A permitted health situation exists in relation to the use or disclosure by an organisation of health information about an individual if:

(a) the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety; and

(b) it is impracticable for the organisation to obtain the individual’s consent to the use or disclosure; and

(c) the use or disclosure is conducted in accordance with guidelines approved under section 95A for the purposes of this paragraph; and

(d) in the case of disclosure—the organisation reasonably believes that the recipient of the information will not disclose the information, or personal information derived from that information.

‘Health information’ is defined as follows in subsection 6(1) of the Privacy Act:

health information means:

(a) information or an opinion about:

(i) the health or a disability (at any time) of an individual; or

(ii) an individual’s expressed wishes about the future provision of health services to him or her; or

(iii) a health service provided, or to be provided, to an individual;

that is also personal information; or

(b) other personal information collected to provide, or in providing, a health service; or

(c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or

(d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.

Background to the guidelines

Section 95A of the Privacy Act allows the Commissioner to approve guidelines issued by the CEO of the National Health and Medical Research Council or a prescribed authority about the collection, use and disclosure of health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety; and about the collection of health information for the purposes of the management, funding or monitoring of a health service. Guidelines for this purpose were issued by the National Health and Medical Research Council in 2001, namely, Guidelines approved under Section 95A of the Privacy Act 1988.

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Privacy Amendment Act) introduced a number of significant changes to the Privacy Act, taking effect on 12 March 2014. These changes mean that references to the Privacy Act in the guidelines issued in 2001 will be out of date. The National Health and Medical Research Council has issued a revised version of the guidelines with amendments reflecting the changes to the Privacy Act.

Consultation

Prior to issuing the 2001 Guidelines approved under Section 95A of the Privacy Act 1988, the National Health and Medical Research Council undertook consultation in accordance with the consultation requirements under the Legislative Instruments Act.

In issuing revised guidelines to incorporate legislative amendments to the Privacy Act, the National Health and Medical Research Council together with the Office of the Australian Information Commissioner considered whether further consultation was necessary.

Section 17 of the Legislative Instruments Act generally requires the rule-maker to undertake appropriate consultation before making a legislative instrument. However, section 18 of that Act sets out circumstances where consultation may be unnecessary or inappropriate. Paragraph 18(1)(a) provides that an instrument that is of a minor or machinery nature and that does not substantially alter existing arrangements is an example of an instrument having a nature such that the rule-maker may be satisfied that consultation is unnecessary or inappropriate.

In approving these guidelines, the Privacy Commissioner is satisfied that consultation was unnecessary because the changes made to the guidelines:

- were limited to updating references to the amended Privacy Act; and

- do not substantially alter existing arrangements.

 

Matters considered in approving the guidelines

Subsection 95A(3) of the Privacy Act requires that the Privacy Commissioner may give an approval under subsection 95A(2) of guidelines that relate to the use and disclosure of health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety, only if satisfied that the public interest in the use and disclosure of health information for the purposes mentioned in that subsection in accordance with the guidelines substantially outweighs the public interest in maintaining the level of privacy protection afforded by the Australian Privacy Principles (disregarding subsection 16B(3)).

Similarly, subsection 95A(5) of the Privacy Act requires that the Privacy Commissioner may give an approval under subsection 95A(4) of guidelines relating to the collection of health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety; or the management, funding or monitoring of a health service, only if satisfied that the public interest in the collection of health information for the purposes mentioned in that subsection in accordance with the guidelines substantially outweighs the public interest in maintaining the level of privacy protection afforded by the Australian Privacy Principles (disregarding subsection 16B(2)).

The Privacy Commissioner has considered the public interest matters raised in subsections 95A(3) and (5) and is satisfied that the public interest in the handling of health information for the purposes mentioned in subsections 95A(2) and (4) substantially outweighs the public interest in maintaining the level of privacy protection afforded by the Australian Privacy Principles (disregarding subsections 16B(2) and 16B(3)). 

Legal status of the guidelines

The guidelines are legally binding on all private sector organisations that seek to collect, use or disclose health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety; or to collect health information for the management, funding or monitoring of a health service.

A breach of the guidelines constitutes an interference with privacy under section 13 of the Privacy Act because the act or practice would breach an Australian Privacy Principle in relation to personal information about the individual. An individual may complain to the Office of the Australian Information Commissioner about an act or practice they believe has not been done in accordance with APP 6.2(d).

The guidelines will take effect on 12 March 2014.  


 

Statement of Compatibility with Human Rights

This Statement of Compatibility with Human Rights has been prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

The Approval by the Privacy Commissioner of guidelines issued under section 95A of the Privacy Act 1988 (Privacy Act) is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the legislative instrument

The legislative instrument approves the guidelines issued by the CEO of the National Health and Medical Research Council under section 95A of the Privacy Act relating to the use and disclosure of health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety; and the collection of health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety, and the management, funding and monitoring of a health service (the guidelines).  

Human rights implications

Under section 29 of the Privacy Act, in performing Commissioner functions or exercising Commissioner powers, the Privacy Commissioner must, amongst other things:

(a) have due regard for the protection of important human rights and social interests that compete with privacy…

The Preamble to the Privacy Act makes clear that the legislation was intended to implement, at least in part, Australia’s obligations relating to privacy under the International Covenant on Civil and Political Rights (ICCPR). Specifically, article 17 of the ICCPR prohibits unlawful or arbitrary interferences with a person's privacy, family, home and correspondence. However, the right to privacy is not absolute and there may be circumstances in which the guarantees in article 17 can be outweighed by other considerations, such as the protection of the right to health.

With respect to the right to health, article 12 of the International Covenant on Economic, Social and Cultural Rights (ICESCR) provides that:

1. The State Parties to the present Covenant recognise the right of everyone to the enjoyment of the highest attainable standard of physical and mental health.

Article 12(2) of the ICESCR outlines the steps to be taken to achieve the full realisation of this right, including those necessary for:

(c) The prevention, treatment and control of epidemic, endemic, occupational and other diseases.

Research, and the compilation or analysis of statistics, are important for providing information to help the community make decisions that impact on the health of individuals and the community. The properly informed management of health services is necessary to ensure individuals and the community receive the best possible health and medical care.

These activities should be carried out in a way that minimises intrusion on people’s privacy. However, it may be necessary for personal information to be collected, used or disclosed without consent from an individual in order for the research, the compilation or analysis of statistics, or the management of a health service to proceed. The guidelines approved by this instrument provide a framework for researchers and human research ethics committees to balance the public interest in the proposed research, statistical or health service management activity against the public interest in the protection of privacy.

In approving the guidelines, the Privacy Commissioner has considered the competing rights to privacy and health. It is considered that the acts or practices authorised by this legislative instrument advance the protection of human rights and the right to health. To the extent that it may also limit human rights, those limitations are reasonable and proportionate.

Conclusion

The approval by the Privacy Commissioner of guidelines issued under section 95A of the Privacy Act 1988 is compatible with human rights because it advances the protection of human rights and to the extent that it may also limit human rights, those limitations are reasonable and proportionate.

Timothy Pilgrim, Australian Privacy Commissioner