Federal Register of Legislation - Australian Government

Primary content

Approvals as made
This instrument approves guidelines issued by the Chief Executive Officer of the National Health and Medical Research Council for the purposes of paragraph 16B(3)(c) and subparagraph 16B(2)(d)(iii) of the Privacy Act 1988.
Administered by: Attorney-General's
Registered 11 Mar 2014
Tabling HistoryDate
Tabled Senate17-Mar-2014
Tabled HR17-Mar-2014

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Guidelines approved under Section 95A of the Privacy Act 1988

2014


 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Publication Details

 

Publication title:                               Guidelines approved Under Section 95A of the Privacy Act 1988

Published:                                    March 2014

Publisher:                                     National Health and Medical Research Council

NHMRC Publication reference:        PR2

Online version:                               www.nhmrc.gov.au/guidelines/publications/pr2

ISBN Online:                                 978-1-925129-07-6

Suggested citation:

 

Copyright

 

© Commonwealth of Australia 2014

 


 

 

All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia licence (www.creativecommons.org.au), with the exception of the Commonwealth Coat of Arms, NHMRC logo and content identified as being owned by third parties. The details of

the relevant licence conditions are available on the Creative Commons website (www.creativecommons.org.au), as is the full legal code for the CC BY 3.0 AU licence.


Attribution

 

Creative Commons Attribution 3.0 Australia Licence is a standard form license agreement that allows you to copy, distribute, transmit and adapt this publication provided that you attribute the work. The NHMRCs preference is that you

attribute this publication (and any material sourced from it) using the following wording: Source: National Health and Medical Research Council.

 

Use of images

 

Unless otherwise stated, all images (including background images, icons and illustrations) are copyrighted by their original owners.


 

Contact us

 

To obtain information regarding NHMRC publications or submit a copyright request, contact: E: nhmrc.publications@nhmrc.gov.au

P: 13 000 NHMRC (13 000 64672)

or call (02) 6217 9000


 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

GUIDELINES APPROVED UNDER SECTION 95A OF THE PRIVACY ACT 1988

 

 

 

 

 

 

 

 

 

2014


 

 

CONTENTS

 

 

 

 

 

 

ABBREVIATIONS                                                                                                                     v

 

STRUCTURE OF THE GUIDELINES                                                                                        1

 

INTRODUCTION                                                                                                                       2

 

Collection, use or disclosure or health information for the purposes of research, compilation or

analysis of statistics and the management of health services                                                               2

 

The Guidelines approved under Section 95A of the Privacy Act 1988                                                    2

 

Relationship between the NHMRC Guidelines approved under Section 95A of the Privacy Act

1988 and the NHMRC Guidelines under Section 95 of the Privacy Act 1988                                           3

 

Relationship between the Guidelines approved under Section 95A of the Privacy Act 1988 and

the NHMRC National Statement on Ethical Conduct in Human Research                                                  4

 

Guidelines issued by the Office of the Australian Information Privacy Commissioner                               4

 

Other legislation and regulation                                                                                                     4

 

When should the Guidelines approved under Section 95A of the Privacy Act 1988 be applied?               5

 

 

KEY CONCEPTS                                                                                                                      6

 

Guidelines approved under Section 95A of the Privacy Act 1988                                       10

 

Section A: Guidelines for the conduct of research relevant to public health or public safety              10

 

Section B: Guidelines for the conduct of the compilation or analysis of statistics, relevant to

public health or public safety                                                                                    14

 

Section C:  Guidelines for the conduct of the management, funding or monitoring of a health service        20

 

Section D: Consideration by human research ethics committees (HRECs)                                       22

 

Section E: Responsibilities of the National Health and Medical Research Council (NHMRC)                   25

 

Section F:  Reports to or for the Commissioner                                                                         25

 

Section G: Complaints mechanisms                                                                                           26

 

Appendix 1

Requirements when collecting information without consent                                                               27


 

 

ABBREVIATIONS

 

 

 

 

 

 

AHEC

Australian Health Ethics Committee

APPs

Australian Privacy Principles

HREC

Human Research Ethics Committee

NHMRC

National Health and Medical Research Council

OECD

Organisation for Economic Cooperation and Development

OAIC

Office of the Australian Information Commissioner


 

 

STRUCTURE OF THE GUIDELINES

 

 

 

 

 

The Guidelines approved under Section 95A of the Privacy Act 1988 provide a framework for human research ethics committees (HRECs) and those involved in conducting research, the compilation or analysis of statistics or health service management, to weigh the public interest in—research, or the compilation or analysis of statistics, or health service management activities—against the public interest in the protection

of privacy. The guidelines contain procedures to follow in preparing proposals to be submitted to an HREC

for approval to collect, use or disclose health information held by organisations without consent from the individual(s) involved and guidelines for HRECs to follow when considering proposals. The following guidelines are divided into 8 sections.

 

Section A provides guidance for the conduct of research relevant to public health or public safety. Section A.1 outlines when a proposal must be submitted to an HREC for approval under these guidelines. Section A.2 contains procedures to be followed in preparing a proposal to be submitted to an HREC for the collection  of health information. Section A.3 contains procedures to be followed in preparing a proposal to be submitted to an HREC for the use or disclosure of health information.

 

Section B provides guidance for the conduct of the compilation or analysis of statistics, relevant to public health or public safety. Section B.1 outlines when a proposal must be submitted to an HREC for approval under these guidelines. Section B.2 contains procedures to be followed in preparing a proposal to be submitted to an HREC for the collection of health information. Section B.3 contains procedures to be followed in preparing a proposal to be submitted to an HREC for the use or disclosure of health information.

 

Section C provides guidance for the conduct of the management, funding or monitoring  of a health service. Section C.1 outlines when a proposal must be submitted to an HREC for approval under these guidelines. Section C.2 contains procedures to be followed in preparing a proposal to be submitted to an HREC for the collection  of health information.

 

Section D provides guidance to HRECs on the issues to consider in reviewing research, the compilation or analysis of statistics  and management, funding or monitoring  of a health service proposals under these guidelines. Paragraphs D.1–D.4 outline decisions that the HREC must consider before weighing the public interest in the proposed activity against the public interest in the protection of privacy. Paragraph D.5 lists the matters that an HREC must consider in weighing the public interest. Paragraphs D.6–D.8 contain guidance for HRECs on requirements for the recording, notification and monitoring of decisions made

under these guidelines.

 

Section E outlines the responsibilities to be undertaken by the NHMRC in reporting to the Office of the

Australian Information Commissioner.

 

Section F outlines what kind of information will be reported to the Commissioner.

 

Section G outlines the complaint mechanisms available in regard to decisions made under these guidelines.


 

 

INTRODUCTION

 

 

 

 

 

 

Collection, use or disclosure of health information for the purpose of research, compilation or analysis of statistics and the management of health services

 

 

An individuals right to privacy is a fundamental human right. This is recognised in a number of international instruments, in particular, the International Covenant on Civil and Political Rights (Article 17) and the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Australia adopted the OECD Guidelines in 1984 and the principles in those guidelines were incorporated in the Federal Privacy Act 1988 (Privacy Act). The Privacy Act deals with the protection of personal information, a component of the broader concept of privacy. Many private sector organisations must comply with privacy principles set out in the Privacy Act. Particularly, any individual, body corporate, partnership, unincorporated association or trust that provides a health service to another individual and holds any health information (except in an employee record) must comply with the Privacy Act and its privacy principles.

 

The individuals right to privacy is not an absolute right. In some circumstances, it must be weighed against the interests of others and against matters that benefit society as a whole. The conduct of research,

and the compilation or analysis of statistics, relevant to public health or public safety and health service management1 fall within these circumstances. Research, and the compilation or analysis of statistics, are important for providing information to help the community make decisions that impact on the health

of individuals and the community. The properly informed management of health services is necessary to ensure individuals and the community receive the best possible health and medical care. However, all the above activities should be carried out in a way that minimises the intrusion on peoples privacy. Optimally, this is achieved by obtaining the consent of participants prior to collecting, using or disclosing their personal information. Where this is impracticable, de-identified information should be used. Where neither of these options is available, it may be that personal information must be collected, used or disclosed without consent from the individual in order for the research, the compilation or analysis of statistics, or the management of a health service to proceed.

 

In these latter cases, there is a need to balance the public interest in the proposed research, statistical or health service management activity against the public interest in the protection of privacy. These guidelines provide a framework in which such decisions can be made.

 

 

The Guidelines approved under Section 95A of the Privacy Act 1988

 

 

The Guidelines approved under Section 95A of the Privacy Act 1988 are issued for the purposes of Australian Privacy Principles (APPs) and sections 16B(2) and 16B(3) of the Privacy Act. Compliance with these guidelines is necessary to ensure compliance with the APPs and section 16B(2)(d)(iii) and 16B(3). These guidelines do not replace the APPs or the Privacy Act.2 They must be used in conjunction with the APPs and the Privacy Act.

 

Minor amendments to this document were issued to reflect amendments to the Privacy Act which apply from

12 March 2014. They supersede and replace the previous version of the guidelines dated December 2001.

 

 

 

 

 For the purpose of these guidelines, health service management means the management, funding or monitoring of a health service.

 The APPs are available at www.oaic.gov.au and the Privacy Act is available at www.comlaw.gov.au/Current/C2013C00482


 

These guidelines apply to organisations that collect, use or disclose health information3 for the purposes of research, or the compilation or analysis of statistics relevant to public health or public safety. Particularly, these guidelines require that it be impracticable to seek consent from the individual(s) involved for the organisation to collect, use or disclose health information, and also that de-identified information will not achieve the purpose of the research or compilation or analysis of statistics activity.

 

These guidelines also apply to organisations in circumstances where, for the purpose of health service management, an organisation collects health information. Generally, a health service may only collect health information in order to manage a health service, without the consent of the individual(s) involved, if it is impracticable to seek consent from the individual(s) involved and collection of de-identified information will not achieve the purpose of health service management activity.

 

It should be noted that the Guidelines approved under Section 95A of the Privacy Act 1988 are not the only lawful mechanism under the Privacy Act for allowing the collection of health information where it is impracticable to seek consent from the individual(s) and the purpose cannot be served by collection of de-identified information, for the purposes of:

•   Research relevant to public health or public safety; or

 

•   The compilation or analysis of statistics, relevant to public health or public safety; or

 

•   The management, funding or monitoring of a health service.

 

Collection of health information in these in circumstances may also be allowable under:

 

•   s 16B(2)(d)(i), as required by a law other than the Privacy Act; or

 

•   s 16B(2)(d)(ii), in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation. [See: Appendix 1].

 

 

Relationship between the NHMRC Guidelines approved under Section 95A of the Privacy Act 1988 and the NHMRC Guidelines under Section 95 of the Privacy Act 1988

 

 

In March 2000, the NHMRC issued Guidelines under Section 95 of the Privacy Act 1988 (s95 Guidelines), which were updated and reissued in 2014. These guidelines provide for the protection of privacy in the conduct of medical research and provide a framework for agencies in weighing the public interest in medical research against the public interest in adhering to the APPs set out in the Privacy Act. The s95 Guidelines apply to medical research that involves access to personal information held by agencies where identified information needs to be used without consent from the individual(s) involved.

 

The Guidelines approved under Section 95A of the Privacy Act 1988 (s95A Guidelines) provide a similar framework for weighing the public interest. However, the purposes to which the s95A Guidelines apply are significantly broader than the s95 Guidelines. The s95A Guidelines apply to the collection, use or disclosure of health information held by organisations in the private sector for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety, and to the collection of health information held by organisations for the purpose of health service management.

 

The s95 Guidelines provide a process whereby medical research activities that would normally breach the APPs and Privacy Act may be allowable, provided the activities are conducted in accordance with the guidelines.

 

These s95A Guidelines therefore form part of compliance requirements under the Privacy Act when dealing with health information, specifically in relation to the application of s 16B(2)(d)(iii) and s 16B(3).

 

 

 Under s 6 of the Privacy Act 1988, ‘health information’ is a type of ‘personal information’ that is related to health. [See Key Concepts, pages 8 and 9 for further detail].


 

Relationship between the Guidelines approved under Section 95A of the Privacy Act 1988 and the National Statement on Ethical Conduct in Human Research, 2007

 

 

The Australian Health Ethics Committee (AHEC) is a principal committee of the NHMRC and advises the

NHMRC on ethical issues relating to health and medical research.

 

In 2007, the National Statement on Ethical Conduct in Human Research (National Statement), which provides ethical guidance for the conduct of research involving humans, was released.

 

Within the s95A Guidelines, references are made to the National Statement as a source of guidance on issues that are related to the protection of privacy in the conduct of research, or the compilation or analysis of statistics, or health service management, but which are not covered by the guidelines themselves.

For example, particular kinds of research, such as research using genetic information or research using childrens personal information, involve specific ethical considerations that are essential to providing effective protection of privacy, as well as to ensuring that the welfare and rights of participants in research are protected. Reference should also be made to the National Statement where appropriate for guidance on how to fulfil these broader ethical obligations in the conduct of research, statistical and health service management activities.

 

It should be recognised that the National Statement is a set of ethical guidelines that have the objective of defining standards of behaviour to which researchers should adhere. The s95A Guidelines form part of legal requirements for compliance with federal legislation, namely the Privacy Act. In the event that both a legal requirement and an ethical guideline apply, the legal requirement will prevail (although they will normally be consistent).

 

 

Guidelines issued by the Office of the Australian Information Commissioner

 

 

The Office of the Australian Information Commissioner  (OAIC) has issued Guidelines to the Australian Privacy Principles (APP Guidelines) to help organisations comply with their obligations under the Privacy Act. These guidelines contain explanatory material on the application of the APPs and the Commissioners expectations in relation to application of the APPs in practice.

 

The OAIC has also prepared a series of information sheets on particular aspects of applying the Privacy Act and the APPs. Copies of the guidelines and information sheets are available from the OAIC web site

at www.oaic.gov.au.

 

 

Other legislation and regulation

 

 

States and territories may also have their own privacy regulation in the form of legislation or administrative codes of practice. State and territory legislation or codes of practice may apply to the collection, use

or disclosure of personal information and health information held in the public and/or private sectors. HRECs and those involved in the conduct of research, the compilation or analysis of statistics or health service management must be satisfied that proposals submitted in accordance with the s95A guidelines also conform to relevant state and territory legislation or codes of practice. To the extent that there are direct

inconsistencies between Commonwealth and state or territory laws, generally the Commonwealth law prevails.

 

Where state or territory legislation or other Commonwealth legislation (apart from the Privacy Act) requires an organisation to collect health information, it is not necessary to seek HREC approval for research or statistical compilation or analysis or health service management activities that involve the collection of health information without consent from the individual involved.


 

Where state or territory legislation or other Commonwealth legislation (apart from the Privacy Act) requires or authorises an organisation to use or disclose health information, it is not necessary to seek HREC approval for activities that involve the use or disclosure of health information without consent from the individual involved.

 

Examples include the collection of health information required under state or territory legislation for inclusion on cancer registries.

 

 

When should the Guidelines approved under Section 95A of the Privacy Act 1988

be applied?

 

 

The following diagram relates to organisations undertaking:

 

1.    The collection of health information under section 16B(2)(d)(iii) for the purposes of:

 

 research relevant to public health or public safety

 the compilation or analysis of statistics, relevant to public health or public safety

 the management, funding or monitoring of a health service.

 

2.    The use and disclosure of health information under section 16B(3) for the purposes of:

 

 research relevant to public health or public safety

 the compilation or analysis of statistics, relevant to public health or public safety.


 

 

KEY CONCEPTS4

 

 

 

 

Agency

 

Under the Privacy Act, ‘agency’ means a Minister, Department, a body or tribunal established under a Commonwealth act for a public purpose, a body established by the Governor-General, a person holding office under a Commonwealth act, a federal court, the Federal Police, a Norfolk Island agency, the nominated AGHS company (under Part 2 of the Hearing Services and AGHS Reform Act 1997), an eligible hearing service provider, or the service operator under the Healthcare Identifiers Act 2010.

 

 

APP entity

 

APP entity means an ‘agency’ or ‘organisation’, as defined under the Privacy Act. APP entities must comply with the Privacy Act and the APPs.

 

 

Collection

 

Under the Privacy Act, an organisation collects personal information if it gathers, acquires or obtains personal information from any source and by any means. Collection includes when an organisation keeps personal information it has not requested or come across by accident (ie. ‘unsolicited’ personal information see particularly APP 4).

 

 

Compilation or analysis of statistics5

 

The compilation or analysis of statistics is the act or process of collecting numerical data, or undertaking a detailed examination of the elements or structure of numerical data, especially in or about large quantities, and inferring conclusions for the whole from conclusions reached from the whole or a representative sample.

 

 

De-identified information

 

Under the Privacy Act, personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.

 

 

Directly related secondary purposes for health services

 

Under APP 6, an APP entity may generally only use or disclose sensitive information (which includes all health information) for a secondary purpose where the individual would reasonably expect the APP entity

to use or disclose the information for that secondary purpose and the secondary purpose is directly related to the primary purpose for collection (unless the individual has consented to the use or disclosure for that secondary purpose).

 

If an APP entity relies on this provision to use or disclose information it does not need to rely on these guidelines. [See ‘When should the Guidelines approved under Section 95A be applied?’ above.]

 

 

 

 

 

 Definitions from the Privacy Act were current at 12 March 2014

 This term is based on entries contained in The Australian Concise Oxford Dictionary, Third Edition, 1997.


 

Directly related secondary purposes for use or disclosure of sensitive information for health service organisations may include activities such as:

•   providing an individual with further information about treatment options

 

•   billing or debt-recovery

 

•   an organisations management, funding, service-monitoring, complaint handling, planning, evaluation and accreditation activities; for example, activities to assess the cost-effectiveness of a particular treatment or service

•   disclosure to an insurer, medical defence organisations, medical expert or lawyer for the purpose of liability, indemnity arrangements; for example, to report an adverse incident

•   disclosure to a lawyer for the defence of anticipated or existing legal proceedings

 

•   an organisations quality assurance or clinical audit activities, where they evaluate and seek to improve the delivery of a particular treatment or service

•   disclosure to a clinical supervisor by a psychiatrist, psychologist or social worker.

 

 

Disclosure

 

In general terms an organisation discloses personal information when it actively releases information to others outside the organisation and is no longer able to exercise control over the information. It does not include giving individuals information about themselves.

 

[See the OAICs APP Guidelines, available at www.oaic.gov.au, for further information about disclosures of personal information under the Privacy Act].

 

 

Health information

 

Health information is a particular subset of personal information. Health information is personal information or an opinion:

•   about an individuals health or disability at any time (that is past, present or future)

 

•   about an individuals expressed wishes regarding future health services

 

•   about health services provided or to be provided to the individual

 

•   collected to provide or in providing a health service

 

•   collected in connection with the donation or intended donation of body parts and substances; or

 

•   genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.

 

As indicated above, health information includes any information collected by a health service provider during the course of providing treatment and care to an individual, including:

•   medical information

 

•   personal details, such as name, address, admission and discharge dates, billing information and

Medicare number

 

•   information generated by a health service provider, such as notes or opinions about an individual and their health

•   information about physical or biological samples, where it can be linked to an individual; for example, where they have a name or identifier attached.

 

Under the Privacy Act, higher privacy standards apply to the handling of sensitive information. Health information is one kind of sensitive information, and is therefore subject to those higher standards.


 

Health services

 

Under the Privacy Act, a health service means an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:

a) to assess, record, maintain or improve the individuals health; or b) to diagnose the individuals illness or disability; or (c)

c)  to treat the individuals illness or disability or suspected illness or disability; or the dispensing on prescription of a drug or medicinal preparation by a pharmacist.

 

Providers of health services range from hospitals, pharmacists and general practitioners to gyms and weight loss clinics. The OAIC provides further guidance for and about health service providers and privacy on its website, www.oaic.gov.au.

 

(Defined in Section 6, Privacy Act).

 

 

Management, funding or monitoring of a health service

 

Whether an activity falls within the ‘management, funding or monitoring of a health service’ depends on the circumstances. Factors that might ordinarily be relevant to this question include whether the organisation provides a ‘health service’ [see above] or whether the organisation has a role in funding or monitoring the quality or other aspects of a health service. Management, funding or monitoring of a health service may include some quality assurance and audit activities.

 

 

Organisation

 

The APPs apply to all APP entities, which include agencies, as well as all individuals, businesses and bodies that fall within the definition of ‘organisation’ in section 6C of the Privacy Act. Section 6C says that ‘organisation’ means: an individual; or body corporate; or partnership; or any other unincorporated association; or trust; that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory. Significantly, any individual,

body corporate, partnership, unincorporated association or trust that provides a health service to another individual and holds any health information (except in an employee record) is an ‘organisation’ for the purposes of the Privacy Act (and is not considered a small business operator), and therefore must comply with the Act and the APPs.

 

(Defined in Section 6, Privacy Act)

 

 

Personal information

 

Personal information means information or an opinion about an identified individual or an individual who

is reasonably identifiable, whether the information is true or not and whether the information or opinion is recorded in a material form or not. (Section 6 of the Privacy Act 1988). It includes all personal information regardless of its source but does not include information contained in a publication that is generally available to the public (eg a newspaper or magazine) unless the information is included in a record of the organisation

 

(OAIC APP Guidelines www.oaic.gov.au. Defined in Section 6, Privacy Act)


 

Public health and public safety6

 

Public health includes activities such as education, economics, technology, legislation and management, which protect and enhance the health of all people and to prevent illness, injury and disability.

Public safety can be thought of as the condition for all people of being safe and free from danger or risks. To be relevant to public health or public safety the outcome of the research, or compilation or analysis

of statistics activity should have an impact on or provide information about public health or public safety.

Examples of public health or public safety issues could include, water quality, food safety, mental health, environmental hazards, diabetes, cancer and heart disease.

 

 

Research

 

There are many definitions of research. These include systematic investigation to establish facts, principles or knowledge and a study of some matter with the objective of obtaining or confirming knowledge.

A defining feature of research is the validity of results. The knowledge that is generated by research is valid in the sense that what is discovered about the particular facts investigated can be justifiably claimed to be true for all like facts.

 

(For further discussion of this term please see the National Statement).

 

 

Sensitive information

 

Sensitive information is a subset of personal information. It means information or an opinion about an individuals racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record, or health, genetic or biometric information about an individual (Section 6 of the Privacy Act).

 

(OAIC— APP Guidelines www.oaic.gov.au. Defined in Section 6, Privacy Act ).

 

 

Use

 

In general terms, use of personal information refers to the handling and management of personal information by an organisation, where the organisation retains control, or a right to control, the information.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 This term is based on information from the following sources: Public Health Australia—An Introduction, Lawson, James S., 1991, The Australian Concise Oxford Dictionary, Third Edition, 1997, and the OAICs guidance on handling health information for research and management see www.oaic.gov.au.


 

Guidelines approved under Section 95A of the Privacy Act 1988

 

 

 

SECTION A

 

A.1     Guidelines for the conduct of research relevant to public health or public safety

 

A.1.1     These guidelines apply to s 16B(2) for the collection of health information and s 16B(3) for the use and disclosure of health information, for the purpose of research or the compilation or analysis

of statistics, relevant to public health or public safety. These guidelines provide a mechanism for weighing the public interest in research relevant to public health or public safety against the public interest in the protection of privacy. The public interest in the research activity must substantially outweigh the public interest in maintaining the level of privacy protection afforded by the APPs.

 

 

Prerequisites to applying the Guidelines approved under Section 95A of the Privacy Act 1988

 

A.1.2     It must be necessary to collect, use or disclose health information for the purpose of research or the compilation or analysis of statistics relevant to public health or public safety. It must be determined that:

a)    the outcome of the research activity would have an impact on or provide information about public health or public safety

b)    the relevant purpose of the research activity cannot be achieved by the collection, use or disclosure of de-identified data.7

A.1.3     It must be impracticable8 to seek consent from the individual(s) involved to collect, use or disclose their health information for the purpose of research relevant to public health or public safety.

 

A.1.4     Where an organisation seeks to rely on these guidelines to collect, use or disclose health information for the purpose of research relevant to public health or public safety under s 16B(2)(d) or s 16B(3), the organisation must be satisfied that the research activity in which health information is to be collected, used or disclosed has been approved by a HREC for the particular purpose.

 

 

Conditions relating to approval of research relevant to public health or public safety given by a human research ethics committee

 

A.1.5     A human research ethics committee (HREC) must give approval for the collection, use or disclosure of health information for the purpose of research relevant to public health or public safety, in accordance with these guidelines. The HREC must be constituted and functioning in accordance with the National Statement.

 

[See: Section 5, National Statement]

 

A.1.6     An organisation from which health information is sought, may always decline to agree to the use or disclosure of health information it holds for the purpose of research relevant to public health or public safety, even where the use or disclosure of that health information has been approved by an HREC in accordance with these guidelines.

 

 

 The APPs and these guidelines do not apply to de-identified information or statistical data sets. This is because de-identified information is not ‘personal information’ protected under the Privacy Act. (Also see the OAICs guidance on privacy in the private health sector www.oaic.gov.au).

 In assessing whether it is ‘impracticable’ to seek consent, this would ordinarily mean more than simply the incurring of some expense or effort in seeking consent. For example, it may be impracticable to seek consent where the organisation is unable to locate the individual, despite making reasonable efforts. (OAIC—Guidelines to the Australian Privacy Principles).


 

A.2     Procedures to be followed in the collection of health information for the purpose of research relevant to public health or public safety

 

A.2.1     This section (A.2) of the guidelines applies to the collection of health information under s 16B(2)

of the Privacy Act for the purpose of research relevant to public health or public safety. A research proposal must be submitted to an HREC for approval. The research proposal must follow the procedures set out in this section (A.2) and will be considered by an HREC only if the proposal also satisfies requirements in section A.1 of these guidelines.

 

A.2.2     An overriding obligation for those who seek to collect health information is at all times to respect the dignity and privacy of the individual.

 

A.2.3     Collection of health information for the purpose of research relevant to public health or public safety must be in accordance with APP 3.5 (collection of solicited personal information).

[See the OAICs APP Guidelines for more detail on the privacy obligations required under the APPs] A.2.4            The collector(s) of health information for the purpose of research relevant to public health or

public safety must give a written proposal for that research activity to an HREC. The proposal

must include any information necessary for members of that HREC to meet their responsibilities under these guidelines. Guidance on the information to be included in the written proposal for the collection of health information is set out in paragraph A.2.6 of these guidelines.

 

A.2.5     The proposal to be submitted to an HREC for a research activity involving the collection of health information must contain a reference to s16B(2)(d)(iii) and any relevant APPs. The proposal must state the reasons for believing that the public interest in the proposed research activity substantially outweighs the public interest in adhering to the APPs. In the proposal, the collector(s) must

provide the HREC with the necessary information to enable the HREC to weigh the public interest consideration in accordance with paragraph D.5 of these guidelines.

 

 

Guidance for preparing a written proposal to be submitted to an HREC

 

A.2.6     In the proposal to collect health information for the purpose of research relevant to public health or public safety, the collector(s) should state:

a)    the aims or purpose of the collection

 

b)    the credentials and technical competence of the collector(s) of the data c)       the data needed

d)    the study period

 

e)    the target population

 

f)     the reasons why de-identified information cannot achieve the relevant purpose of the research activity

g)    the reasons why it is impracticable to seek consent from the individual for the collection of health information

h)    the estimated time of retention of the health information

 

i)      the identity of the custodian(s) of the health information collected

 

j)      the security standards to be applied to the health information. Standards must be in accordance with APP 11 (security of personal information)

 

[Note: In particular, health information should be retained in accordance with the Australian Code for the Responsible Conduct of Research, 2007 and in a form that is at least as secure as it was in the sources from which the health information was obtained unless more stringent legislative or contractual provisions apply]


 

k)    a list of personnel within the collecting organisation or organisations with access to the health information collected

l)      the level of protection that will be applied by the collector(s) to protect health information disclosed to the collector(s) by the disclosing organisation. These should include:

i.    terms of any release agreement between the disclosing organisation and the collector(s)

to govern limits on the use and disclosure of collected health information

 

[See: paragraph A.2.9 of these guidelines]

 

ii.   proposed methods of disposal of the health information on the completion of the research activity, as required by APP 11.2 (security of personal information).

m)   any proposal to send data overseas for the purpose of the research project including the names of the countries to which it is proposed the data be sent and how the research project will comply with APP 8 (crossborder disclosure of personal information) of the Privacy Act.

 

A.2.7     The collector(s) of health information for the purpose of research relevant to public health or

public safety should provide to the organisation(s) from which health information is sought, written notification of the decision of the HREC made in accordance with these guidelines. This written notification removes the obligation for the disclosing organisation(s) to submit a written proposal

to an HREC to disclose health information for the same research activity. [See: paragraph A.3.5 of these guidelines]

A disclosing organisation may still decide to submit a written proposal to an HREC in accordance with section A.3 of these guidelines even if that disclosing organisation receives written notification of HREC approval from the collector(s).

 

A.2.8     The collector(s) of health information for the purpose of research relevant to public health or public safety must immediately report to the HREC anything that might warrant review of ethical approval of the research proposal.

 

A.2.9     Once a proposal submitted to an HREC to collect health information for the purpose of research relevant to public health or public safety satisfies the procedural requirements outlined in this section (A.2), the HREC must then weigh the public interest considerations set out in section D.5 of these guidelines.

 

A.3     Procedures to be followed in the use and disclosure of health information for the purpose of research relevant to public health or public safety

 

A.3.1     This section (A.3) of the guidelines applies to the use or disclosure of health information under

s 16B(3) of the Privacy Act, for the purpose of research relevant to public health or public safety. A research proposal must be submitted to an HREC for approval. The research proposal must follow the procedures set out in this section (A.3) and will be considered by an HREC only if the proposal also satisfies requirements in section A.1 of these guidelines.

 

A.3.2     An overriding obligation for those who seek to use or disclose health information is at all times to respect the dignity and privacy of the individual.

 

A.3.3     Those who seek to use or disclose health information for the purpose of research relevant to public health or public safety must give a written proposal for that activity to an HREC. The proposal must include any information necessary for members of the HREC to meet their responsibilities under these guidelines. Guidance on the information to be included in the written proposal for the use or disclosure of health information is set out in paragraph A.3.6 of these guidelines.


 

A.3.4     The proposal to be submitted to an HREC for a research activity, involving the use or disclosure of health information must contain a reference to APP 6.2(d) and s 16B(3). The proposal must state reasons for believing that the public interest in the proposed research activity substantially outweighs the public interest in adhering to the APPs. In the proposal, the user or discloser must provide the HREC with the necessary information to enable the HREC to weigh the public interest consideration in accordance with paragraph D.5 of these guidelines.

 

A.3.5     An organisation may disclose health information to a collecting organisation for the purpose of research relevant to public health or public safety without submitting a written proposal to an HREC, if the disclosing organisation receives written notification of HREC approval for health information to be collected from it.

 

[See: paragraph A.2.7 of these guidelines]

 

 

Guidance for preparing the written proposal to be submitted to an HREC

 

A.3.6     In the proposal to use or disclose health information for the purpose of research relevant to public health or public safety, the user or discloser should state:

a)    the aims or purpose of the use or disclosure

 

b)    the credentials and technical competence of those seeking to use or disclose the data c)          the data needed

d)    the study period

 

e)    the target population

 

f)     the reasons why de-identified information cannot achieve the relevant purpose of the research activity

g)    the reasons why it is impracticable to seek consent from the individual for the use or disclosure of health information9

h)    the specific uses or disclosures that will be applied to the health information during the study i) the proposed method of publication of results of the research, including a statement that

health information will not be published unless in de-identified form

 

j)      the estimated time of retention of the health information

 

k)    the identity of the custodian(s) of the health information used or disclosed

 

l)      the security standards to be applied to the health information. Standards must be in accordance with APP 11 (security of personal information).

 

[Note: In particular, health information should be retained in accordance with the Australian Code for the Responsible Conduct of Research, 2007, Section 2 and in a form that is at the least as secure as it was in the sources from which the health information was obtained unless more stringent legislative or contractual provisions apply]

 

m)   a list of personnel within an organisation or organisations with access to the health information to be used or disclosed

n)    the level of protection that will be applied by those seeking to use or disclose health information to protect that health information. These should include:

i.    the terms of any disclosure agreement between the organisation that holds the health information and the user or discloser, to govern limits on the use and disclosure of the health information. [See: paragraph A.3.10 of these guidelines]

 

 

 

 The impracticability of obtaining consent for research involving identified genetic information may extend beyond the individual to include relatives of the individual. [See: Ch 3.5 Human genetics of the National Statement for further information]


 

ii.   the proposed methods of disposal of the health information on the completion of the research activity as required by APP 11.2

iii.  the level of protection that will be applied to protect the privacy of health information where it is made available to others if that is proposed.

 

o)    any proposal to send data overseas for the purpose of the research project including the names of the countries to which it is proposed the data be sent and how the research project will comply with APP 8 (crossborder disclosure of personal information).

 

A.3.7     An organisation seeking or approached to disclose health information for the purpose of research relevant to public health or public safety, where notification from the collector is not given under paragraph A.2.7 of these guidelines should submit a written proposal to an HREC to disclose

the health information. The discloser should retain written notification of the decision of an HREC made in accordance with these guidelines. A copy of this notification should be provided to the collector(s) of the health information.

 

A.3.8     If those seeking to use or disclose health information propose to use or disclose that information to contact a person, the user or discloser of that information must inform the person:

a)    that his or her health information is being used or disclosed in accordance with the Privacy

Act 1988 and these guidelines

 

b)    how his or her health information will be used or disclosed

 

c)    that he or she is free at any time to withdraw consent for further involvement in the research activity; [See: National Statement, paragraph Chapter 2.2 General requirements for consent]

d)    of the standards that will apply to protect the privacy of that individual; and of existing complaint mechanisms to HRECs, the Commissioner [See: paragraph A.3.6(l) of these guidelines]

e)    of the complaint mechanisms in section G of these guidelines.

 

A.3.9     Those who seek to use or disclose health information for the purpose of research relevant to public health or public safety must immediately report to the HREC anything that might warrant review of ethical approval of the research proposal.

A.3.10    Health information disclosed under these guidelines must be in accordance with s 16B(3). A.3.11      Once a proposal submitted to an HREC to use or disclose health information for the purpose of

research relevant to public health or public safety satisfies the procedural requirements outlined in this

section (A.3), the HREC must then weigh the public interest considerations set out in section D.5 of these guidelines.

 

 

SECTION B

 

B.1      Guidelines for the conduct of the compilation or analysis of statistics, relevant to public health or public safety

 

B.1.1     These guidelines apply to s 16B(2) for the collection of health information and s 16B(3) for the use and disclosure of health information, for the purpose of the compilation or analysis of statistics, relevant to public health or public safety. These guidelines provide a mechanism for weighing the public interest in the compilation or analysis of statistics, relevant to public health or public safety against the public interest in protection of privacy. The public interest in the compilation or analysis of statistics activity must substantially outweigh the public interest in maintaining the level of privacy protection afforded by the APPs.


 

Prerequisites to applying the Guidelines approved under Section 95A of the Privacy Act 1988

 

B.1.2     It must be necessary to collect, use or disclose health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety. It must be determined that:

a)    the outcome of the compilation or analysis of statistics activity would have an impact on or provide information about public health or public safety

b)    the relevant purpose of the compilation or analysis of statistics activity cannot be achieved by the collection, use or disclosure of de-identified data.10

 

B.1.3     It must be impracticable11 to seek consent from the individual(s) to collect, use or disclose their health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety.

 

B.1.4     Where an organisation seeks to rely on these guidelines to collect, use or disclose health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety under s 16B(2)12 or s 16B(3), the organisation must be satisfied that the compilation or analysis or statistics activity in which health information is to be collected, used or disclosed has been approved by an HREC for the particular purpose.

 

 

Conditions relating to approval of the compilation or analysis of statistics relevant to public health or public safety given by a human research ethics committee

 

B.1.5     An HREC must give approval for the collection, use or disclosure of health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety, in accordance with these guidelines. The HREC must be constituted and functioning in accordance with the National Statement.

 

B.1.6     An organisation may always decline to agree to the use or disclosure of health information it holds for the purpose of the compilation or analysis of statistics, relevant to public health or public safety, even where the collection, use or disclosure of that health information has been approved by an HREC in accordance with these guidelines.

 

B.2      Procedures to be followed in the collection of health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety

 

B.2.1     This section (B.2) of the guidelines applies to the collection of health information under s 16B(2), for the purpose of the compilation or analysis of statistics, relevant to public health or public

safety. A compilation or analysis of statistics proposal must be submitted to an HREC for approval. The compilation or analysis of statistics proposal must follow the procedures set out in this

section (B.2) and will be considered by an HREC only if the proposal also satisfies requirements in section B.1 of these guidelines.

 

 

 

 

10 The APPs and these guidelines do not apply to de-identified information or statistical data sets, which would not allow individuals to be identified (in which case, the information ceases to be ‘personal information’ which would be covered by the Privacy Act). [Also see the OAICs guidance on privacy in the private health sector www.oaic.gov.au]

11 In assessing whether it is ‘impracticable’ to seek consent, this would ordinarily mean more than simply the incurring of some expense or effort in seeking consent. For example, it may be impracticable to seek consent where the organisation is unable to locate the individual, despite making reasonable efforts. (OAIC— APP Guidelines).

12 These guidelines apply specifically under subsection 16B(2)(d)(iii) to the collection of health information without consent. However, health information may also be collected without consent for the purpose of the compilation or analysis of statistics, relevant to public health or public safety, under subsections 16B(2)(d)(i) and 16B(2)(d)(ii). [See: Introduction to these guidelines, page 2]


 

B.2.2     An overriding obligation for those who seek to collect health information is at all times to respect the dignity and privacy of the individual.

 

B.2.3     Collection of health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety must be in accordance with APP 3.5 (collection of solicited personal information).

[See: OAIC—APP Guidelines for guidance on the privacy obligations required under APP 3] B.2.4            The collector(s) of health information for the purpose of the compilation or analysis of statistics,

relevant to public health or public safety, must give a written proposal for that activity to an HREC.

The proposal must include any information necessary for members of that HREC to meet their responsibilities under these guidelines. Guidance on the information to be included in the written proposal for collection of health information is set out in paragraph B.2.6 of these guidelines.

 

B.2.5     The proposal to be submitted to an HREC for a compilation or analysis of statistics activity, involving the collection of health information, must contain a reference to s 16B(2)(d)(iii) and any relevant APPs. The proposal must state the reasons for believing that the public interest in the proposed compilation or analysis of statistics activity substantially outweighs the public interest in adhering to the APPs. In the proposal, the collector(s) must provide the HREC with the necessary information to enable the HREC to weigh the public interest consideration in accordance with paragraph D.5 of these guidelines.

 

 

Guidance for preparing a written proposal to be submitted to an HREC

 

B.2.6     In the proposal to collect health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety, the collector(s) should state:

 

a)    the aims or purpose of the collection

 

b)    the credentials and technical competence of the collector(s) of the data c)       the data needed

d)    the study period

 

e)    the target population

 

f)     the reasons why de-identified information cannot achieve the relevant purpose of the compilation or analysis of statistics activity

g)    the reasons why it is impracticable to seek consent from the individual for the collection of health information13

h)    the estimated time of retention of the health information

 

i)      the identity of the custodian(s) of the health information collected

 

j)      the security standards to be applied to the health information. Standards must be in accordance with APP 11

 

[Note: In particular, health information should be retained in accordance with the Australian code for the responsible conduct of research, 2007 Section 2), and in a form that is at least as secure as it was in the sources from which the health information was obtained unless more stringent legislative or contractual provisions apply]

 

 

 

 

 

13 The impracticability of obtaining consent for the compilation or analysis of statistics involving identified genetic information may extend beyond the individual to include relatives of the individual. [See: Chapter 3.5 Human genetics of the National Statement for further information]


 

k)    any proposal to send data overseas for the purpose of the research project including the names of the countries to which it is proposed the data be sent and how the research project will comply with APP 8 (crossborder disclosure of personal information)

l)      a list of personnel within the collecting organisation or organisations with access to the health information collected

m)   the level of protection that will be applied by the collector(s) to protect health information disclosed to the collector(s) by the disclosing organisation. These should include:

i.    the terms of any release agreement between the disclosing organisation and the collector(s) to govern limits on the use and disclosure of collected health information

[See: paragraph B.2.9 of these guidelines]

 

ii.   the proposed methods of disposal of the health information on the completion of the statistical activity, as required by APP 11.2.

 

B.2.7     The collector(s) of health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety, should provide to the organisation from which the health information is sought, written notification of the decision of the HREC made in accordance with these guidelines. This written notification removes the obligation for the disclosing organisation to submit a written proposal to an HREC to disclose health information for the same compilation or analysis of statistics activity. [See: paragraph B.3.5 of these guidelines]

 

A disclosing organisation may still decide to submit a written proposal to an HREC in accordance with section B.3 of these guidelines even if that disclosing organisation receives written notification of HREC approval from the collector(s).

 

B.2.8     The collector(s) of health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety must immediately report to the HREC anything that might warrant review of ethical approval of the proposal.

 

B.2.9     Once a proposal submitted to an HREC to collect health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety satisfies the procedural requirements outlined in this section (B.2), the HREC must then weigh the public interest considerations set out in section D.5 of these guidelines.

 

B.3      Procedures to be followed in the use and disclosure of health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety

 

B.3.1     This section (B.3) of the guidelines applies to the use or disclosure of health information under

s 16B(3), for the purpose of the compilation or analysis of statistics, relevant to public health or public safety. A compilation or analysis of statistics proposal must be submitted to an HREC

for approval. The compilation or analysis or statistics proposal must follow the procedures set out in this section (B.3) and will be considered by an HREC only if the proposal also satisfies requirements in section B.1 of these guidelines.

 

B.3.2     An overriding obligation for those who seek to use or disclose health information is at all times to respect the dignity and privacy of the individual.

 

B.3.3     Those who seek to use or disclose health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety, must give a written proposal for that activity

to an HREC. The proposal must include any information necessary for members of the HREC to meet their responsibilities under these guidelines. Guidance on the information to be included in the written proposal for the use or disclosure of health information is set out in paragraph B.3.6 of these guidelines.


 

B.3.4     The proposal to be submitted to an HREC for a compilation or analysis of statistics activity, involving the use or disclosure of health information, must contain a reference to APP 6.2(d) and s 16B(3). The proposal must state reasons for believing that the public interest in the proposed compilation or analysis of statistics activity substantially outweighs the public interest in adhering to the APPs. In the proposal, the user or discloser must provide the HREC with the necessary information to enable the HREC to weigh the public interest consideration in accordance with paragraph D.5 of these guidelines.

 

B.3.5     An organisation may disclose health information to a collecting organisation for the purpose of the compilation or analysis of statistics, relevant to public health or public safety, without submitting a written proposal to an HREC, if the disclosing organisation receives written notification of HREC approval for health information to be collected from it.

 

[See: paragraph B.2.7 of these guidelines]

 

 

Guidance for preparing a written proposal to be submitted to an HREC

 

B.3.6     In the proposal to use or disclose health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety, the user or discloser should state:

a)    the aims or purpose of the use or disclosure

 

b)    the credentials and technical competence of those seeking to use or disclose the data c)          the data needed

d)    the study period

 

e)    the target population

 

f)     the reasons why de-identified information cannot achieve the relevant purpose of the compilation or analysis of statistics activity

g)    the reasons why it is impracticable to seek consent from the individual(s) for the use or disclosure of health information

h)    the specific uses or disclosures that will be applied to the health information during the study i) the proposed method of publication of results of the research, including a statement that

health information will not be published unless in de-identified form

 

j)      the estimated time of retention of the health information

 

k)    the identity of the custodian(s) of the health information used or disclosed

 

l)      the security standards to be applied to the health information. Standards must be in accordance with APP 11 (security of personal information)

 

[Note: In particular, health information should be retained in accordance with the Australian code for the responsible conduct of research, 2007 Section 2, and in a form that is at the least as secure as it was in the sources from which the health information was obtained unless more stringent legislative or contractual provisions apply]

 

m)   a list of personnel within an organisation or organisations with access to the health information to be use or disclosed

n)    any proposal to send data overseas for the purpose of the research project including the names of the countries to which it is proposed the data be sent and how the research project will comply with APP 8 (crossborder disclosure of personal information)


 

o)    the level of protection that will be applied by those seeking to use or disclose health information to protect that health information. These should include:

i.    the terms of any disclosure agreement between the organisation that holds the health information and the user or discloser, to govern limits on the use and disclosure of the health information [See: paragraph B.3.10 of these guidelines]

ii.   the proposed methods of disposal of the health information on the completion of the statistical compilation or analysis activity, as required by APP 11.2 (security of personal information)

iii.  the level of protection that will be applied to protect the privacy of health information where it is made available to others if that is proposed.

 

B.3.7     An organisation seeking or approached to disclose health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety, where notification from the collector is not given under paragraph B.2.7 of these guidelines, should submit a written proposal to an HREC to disclose the health information. The discloser should retain written notification of the decision of an HREC made in accordance with these guidelines. A copy of

this notification should be provided to the collector(s) of health information.

 

B.3.8     If those seeking to use or disclose health information propose to use or disclose that information to contact a person, the user or discloser of that information must inform the person:

a)    that his or her health information is being used or disclosed in accordance with the Privacy

Act and these guidelines

 

b)    how his or her health information will be used or disclosed

 

c)    that he or she is free at any time to withdraw consent for further involvement in the statistical activity. [See: Chapter 2.2, National Statement]

d)    of the standards that will apply to protect the privacy of that individual; [See: paragraph

B.3.6(l) of these guidelines]

 

e)    of the complaint mechanisms in section G of these guidelines.

 

B.3.9     Those who seek to use or disclose health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety, must immediately report to the HREC

anything that might warrant review of ethical approval of the proposal.

B.3.10    Health information disclosed under these guidelines must be in accordance with s 16B(3). B.3.11      Once a proposal submitted to an HREC to use or disclose health information for the purpose

of the compilation or analysis of statistics, relevant to public health or public safety, satisfies the procedural requirements outlined in this section (B.3), the HREC must then weigh the public interest considerations set out in section D.5 of these guidelines.


 

SECTION C

 

C.1     Guidelines for the conduct of the management, funding or monitoring of a health service

 

The s95 Guidelines are only authorised to provide guidance for the collection of health information for the purpose of the management, funding or monitoring of a health service.14

 

For information on the requirements for the use and disclosure of health information for the purpose of the management, funding or monitoring of a health service refer to Guidelines to the Australian Privacy Principles and the OAICs website.

 

C.1.1     These s95A Guidelines apply to s 16B(2)(d)(iii) for the collection of health information for the purpose of health service management and provide a mechanism for weighing the public

interest in health service management activities against the public interest in protection of privacy. The public interest in the health service management activity must substantially outweigh the public interest in maintaining the level of privacy protection afforded by the APPs.

 

 

Prerequisites to applying the Guidelines approved under Section 95A of the Privacy Act 1988

 

C.1.2     It must be necessary to collect health information for the purpose of health service management.

It must be determined that:

 

a)    the relevant purpose of the health service management activity cannot be achieved by the collection of de-identified data.15

 

C.1.3     It must be impracticable16 to seek consent from the individual(s) to collect their health information for the purpose of health service management.

 

C.1.4     Where an organisation seeks to rely on these guidelines to lawfully collect health information for

the purpose of health service management under s 16B(2), the organisation must be satisfied that the health service management activity in which health information is to be collected, has been approved by an HREC for the particular purpose.

 

 

Conditions relating to approval of health service management activities given by a human research ethics committee

 

C.1.5     An HREC must give approval for the collection of health information for the purpose of health service management, in accordance with these guidelines. The HREC must be constituted and functioning in accordance with the National Statement.

 

C.1.6     An organisation may always decline to agree to the disclosure of health information it holds, for the purpose of health service management, even where the collection of that health information has been approved by an HREC in accordance with these guidelines.

 

 

 

 

 

 

 

 

14 For the purpose of these guidelines, health service management means the management, funding or monitoring of a health service.

15 The APPs and these guidelines do not apply to de-identified information or statistical data sets, which would not allow individuals to be identified.

16 In assessing whether it is ‘impracticable’ to seek consent, this would ordinarily mean more than simply the incurring of some expense or effort in seeking consent. For example, it may be impracticable to seek consent where the organisationis unable to locate the individual, despite making reasonable efforts. (OAIC—Guidelines to the Australian Privacy Principles).


 

C.2     Procedures to be followed in the collection of health information for the purpose of the management, funding or monitoring of a health service

 

C.2.1     This section (C.2) of the guidelines applies to the collection of health information under s 16B(2), for the purpose of health service management. A health service management proposal must be submitted to an HREC for approval. The health service management proposal must follow the procedures set out in this section (C.2) and will be considered by an HREC only if the proposal also satisfies requirements in section C.1 of these guidelines.

 

C.2.2     An overriding obligation for those who seek to collect health information is at all times to respect the dignity and privacy of the individual.

 

C.2.3     Collection of health information for the purpose of health service management must be in accordance with APP 3.5 (collection of solicited personal information).

 

[See: The OAICs APP Guidelines (www.oaic.gov.au) for guidance on privacy obligations established under APP 3]

 

C.2.4     The collector(s) of health information for the purpose of health service management must give a written proposal for that activity to an HREC. The proposal must include any information necessary for members of that HREC to meet their responsibilities under these guidelines. Guidance on the information to be included in the written proposal for collection of health information is set out in paragraph C.2.6 of these guidelines.

 

C.2.5     The proposal to be submitted to an HREC for a health service management activity involving the collection of health information must contain a reference to 16B(2)(d)(iii). The proposal must state the reasons for believing that the public interest in the proposed health service management activity substantially outweighs the public interest in adhering to the APPs. In the proposal, the collector(s) must provide the HREC with the necessary information to enable the HREC to weigh the public interest consideration in accordance with paragraph D.5 of these guidelines.

 

 

Guidance for preparing a written proposal to be submitted to an HREC

 

C.2.6     In the proposal to collect health information for the purpose of health service management, the collector(s) should state:

a)    the aims or purpose of the collection

 

b)    the credentials and technical competence of the collector(s) of the data c)       the data needed

d)    the study period

 

e)    the target population

 

f)     the reasons why de-identified information cannot achieve the relevant purpose of the health service management activity

g)    the reasons why it is impracticable to seek consent from the individual(s) for the collection of health information17

h)    the estimated time of retention of the health information

 

i)      the identity of the custodian(s) of the health information collected

 

j)      the security standards to be applied to the health information. Standards must be in accordance with APP 11 (security of personal information)

 

 

 

17 The impracticability of obtaining consent for health service management activities involving identified genetic information may extend beyond the individual to include relatives of the individual. See: Chapter 3.5 Human genetics of the National Statement for further information.


 

[Note: In particular, health information should be retained in accordance with the Australian Code for the Responsible Conduct of Research, 2007 Section 2, and in a form that is at least as secure as it was in the sources from which the health information was obtained unless more stringent legislative or contractual provisions apply]

 

k)    a list of personnel within the collecting organisation or organisations with access to the health information collected

l)      the level of protection that will be applied by the collector(s) to protect health information disclosed to the collector(s) by the disclosing organisation. These should include:

i.    the terms of any release agreement between the disclosing organisation and the collector(s) to govern limits on the use and disclosure of collected health information

 

[See: paragraph C.2.9 of these guidelines]

 

ii.   the proposed methods of disposal of the health information on the completion of the health service management activity, as required under APP 11.2 (security of information)

m)   any proposal to send data overseas for the purpose of the research project including the names of the countries to which it is proposed the data be sent and how the research project will comply with APP 8 (crossborder disclosure of personal information).

 

C.2.7     The collector(s) of health information for the purpose of health service management should provide to the organisation from which health information is sought, written notification of the decision of the HREC made in accordance with these guidelines.

 

C.2.8     The collector(s) of health information for the purpose of health service management must immediately report to the HREC anything that might warrant review of ethical approval of the proposal.

 

C.2.9     Once a proposal submitted to an HREC to collect health information for the purpose of health service management satisfies the procedural requirements outlined in this section (C.2), the HREC must then weigh the public interest considerations set out in section D.1.5 of these guidelines.

 

 

SECTION D

 

Consideration by human research ethics committees (HRECs)

 

D.1        Before making a decision under these guidelines, an HREC must assess whether it has sufficient information, expertise and understanding of privacy issues, either amongst the members of the HREC or otherwise available to it, to make a decision that takes proper account of privacy matters. For the review of proposals for the collection of health information for the purpose of health service management, this may necessitate the appointment of additional members with specific expertise in the management, funding or monitoring of a health service.

 

D.2        In making decisions under these guidelines, an HREC must consider whether the proposal complies with the relevant APPs in the course of:

a)    the collection of health information for the purposes of:

 

i.    research relevant to public health or public safety; or

ii.   the compilation or analysis of statistics, relevant to public health or public safety; or iii.  the management, funding or monitoring of a health service;

 

or

 

b)    the use and disclosure of health information for the purposes of;

 

i.    research relevant to public health or public safety; or

 

ii.   the compilation or analysis of statistics, relevant to public health or public safety.


 

This would include considering whether the purpose of the proposed activity can be achieved using de-identified data and whether it is impracticable to collect, use or disclose health information for the proposed activity with the consent of the individual(s) involved.

 

D.3        In making decisions under these guidelines the HREC must ensure that the committee has the competence to determine if the public interest in the proposed activity substantially outweighs, or does not substantially outweigh, the public interest in the protection of privacy.

 

D.4        If the public interest in the proposed research, or compilation or analysis of statistics, or health service management activity does not substantially outweigh the public interest in the protection of privacy, then the activity should not be approved to proceed by the HREC.

 

 

Weighing the public interest

 

D.5        In determining whether the public interest in the proposed activity substantially outweighs, or does not substantially outweigh, the public interest in the protection of privacy, an HREC should consider the following matters:

a)    the degree to which the proposed collection, use or disclosure of health information is necessary to the functions or activities of the organisation

b)    the degree to which the research, or compilation or analysis of statistics activity is relevant to public health or public safety

c)    the degree to which the research, or compilation or analysis of statistics or the health service management activity is likely to contribute to:

i.    the identification, prevention or treatment of illness, injury or disease; or ii.   scientific understanding relating to public health or safety; or

iii.  the protection of the health of individuals and/or communities; or iv.  the improved delivery of health services; or

v.   enhanced scientific understanding or knowledge; or

 

vi.  enhanced knowledge of issues within the fields of social science and the humanities relating to public health or public safety

 

d)    any likely benefits to individuals, to the category of persons to which they belong, or the wider community that will arise from the research, or compilation or analysis of statistics, or management of a health service being undertaken in the manner proposed

e)    in considering benefits to the category of persons to which the individual(s) belong, specific consideration should be given to any likely benefits to individuals that belong to certain categories where the information may be of a particularly personal or sensitive nature;

for example:

 

i.    children and young people; or

 

ii.   persons with intellectual or psychiatric disability; or iii.  persons highly dependent on medical care; or

iv.  persons in dependent or unequal relationships; or v.       persons who are members of collectivities; or

vi.  Aboriginal and Torres Strait Islander peoples; or

 

vii. persons whose information relates to their mental or sexual health.

 

[See: National Statement, Section 4, for further guidance relating to ethical considerations specific to participants]


 

f)     whether the research, or compilation or analysis of statistics, or management of a health service study design can be satisfied without needing to apply s 16B(2) and/or s 16B(3) and the scientific defects in the activity that might arise if the activity was not undertaken in the manner proposed

g)    the cost of not undertaking the research, or compilation or analysis of statistics, or management of a health service activity (to government, the public, the health care system etc)

h)    the public importance of the proposed research, or compilation or analysis of statistics, or management of a health service activity

i)      the extent to which the data being sought are usually available to the public from the organisation that holds that data

i.    whether the research, or compilation or analysis of statistics activity, involves use of the data in a way that is inconsistent with the purpose for which the data was made public

ii.   whether the research, or compilation or analysis of statistics activity requires alteration of the format of the data of a kind that would, if used or disclosed by an organisation, involve a breach of an APP

 

j)      whether the risk of harm to an individual whose health information is to be collected, used or disclosed in the proposed research, or compilation or analysis of statistics, or management

of health service activity is minimal, based on the information provided in proposals submitted under paragraphs A.2.6; or A.3.6; or B.2.6; or B.3.6; or C.2.6 of these guidelines

k)    the standards of conduct that are to be observed in the research, or compilation or analysis of statistics, or management of a health service activity, including:

i.    the study design and the scientific credentials of those involved in conducting that study ii. if the study involves contact with participants, the procedures or controls that will apply

to ensure that participants are treated with integrity and sensitivity, including whether

questions to be asked or procedures to be employed are intrusive

 

iii.  whether access to health information is adequately restricted to appropriate personnel involved in conducting the proposed study

iv.  the procedures that are to be followed to ensure that the health information is permanently de-identified before the publication of results

v.   the procedures that are to be followed at the completion of the proposed study to ensure that all data containing health information are at least as secure as they were

in the sources from which the data was obtained, including the date when the data will be destroyed or returned. These procedures must be in accordance with APP 11.

 

 

Recording, notification and monitoring of decisions made by an HREC

 

D.6        Details of the decision made by the HREC regarding proposals to conduct research, or the compilation or analysis of statistics, relevant to public health or public safety, or health service management must be recorded in accordance with paragraph 5.2.24 of the National Statement.

 

Whenever the collection, use or disclosure of health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety, or the collection

of health information for the purpose of health service management activities are being considered under these guidelines, the HREC must also record details of the following:

a)    the organisation(s) from which health information is sought

 

b)    the data items sought from the organisation(s) and approved by the HREC

 

c)    the number of records involved

 

d)    the section of the Privacy Act to which the proposal applies (s 16B(3) and or 16B(2))


 

e)    how and on what grounds the HREC came to the conclusion that it had sufficient information, expertise and understanding of privacy issues either amongst the members of the HREC or otherwise available to it to make a decision that takes proper account of privacy

f)     considerations  involved in weighing the public interest in the proposed research, compilation or analysis of statistics, or management of a health service activity against the public interest in the protection of privacy, including why de-identified health information would not achieve the purpose of the approved proposal and why it is impracticable to obtain consent from the individual(s) involved.

 

D.7        It is an obligation of the HREC to monitor proposals approved in accordance with these guidelines for the purposes of research, or the compilation or analysis of statistics, relevant to public health

or public safety, or for the purpose of the management of a health service in accordance with

Chapter 5.5, National Statement.

 

D.8        When the HREC approves a proposal for research, or the compilation or analysis of statistics, relevant to public health or public safety, or for the management of a health service, it must decide whether the proposed activity should commence within a defined period from the date of approval and whether the project should be completed within a set period, and notify those conducting the study of that decision.

 

 

SECTION E

 

Responsibilities of the National Health and Medical Research Council (NHMRC)

 

E.1        NHMRC18 may request at any time, information in relation to paragraphs D.6, D.7 and D.8 of these guidelines.

 

E.2        When there has been a failure to comply with these guidelines NHMRC will:

 

a)    Report details of the failure to the Commissioner and may name those involved in the particular study or the HREC responsible; and

b)    Where that failure involves health information disclosed by an organisation, inform that organisation of details of the failure.

 

 

SECTION F

 

Reports to or for the Commissioner

 

F.1         The NHMRC will annually report to the Commissioner all details recorded under paragraph D.6 of these guidelines, of the research, compilation or analysis of statistics, or health service management activities conducted under these guidelines and shall provide an evaluation of the operation of these guidelines for the year of reporting. The NHMRC will also include in its report details relating to the number of complaints made under paragraph G.1 (b) of these guidelines.

 

F.2         The NHMRC will also provide to the Commissioner, at his or her request, additional information about the operation of the guidelines, research, compilation or analysis of statistics, or the management of a health service activities conducted under these guidelines and/or failure to comply with these guidelines.

 

 

 

 

 

 

18 The National Health and Medical Research Council Act 1992 defines the NHMRC as the CEO, NHMRCs Council and committees, and the staff of the NHMRC: s 5B(2).


 

SECTION G

 

Complaints mechanisms

 

G.1        Complaints may be made to:

 

a)    The individual(s), institution(s) or organisation(s) conducting the research, or compilation or analysis of statistics, relevant to public health or public safety, or health service management activity

and/or

 

b)    HRECs concerning the individual(s) or institution(s) involved in the research, or compilation or analysis of statistics, relevant to public health or public safety, or the management of a health service, regarding the conduct of an approved activity that may interfere with the privacy of the individual involved, [See: Chapter 5.6, National Statement ]

and/or

 

c)    the Commissioner concerning the collection, use or disclosure of health information by organisations. Under section 36(1) of the Privacy Act, an individual may complain to the Commissioner about an act or practice that may be an interference with the privacy of the individual. Where an organisation seeks to rely on these guidelines to:

i.    collect health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety, or the management of a health service; or

ii.   use and disclose health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety under Section 95A,

an individual may complain if the procedures set out in these guidelines are not followed. G.2 The NHMRC may request at any time, information in relation to G.1 (b) of these guidelines.


 

 

APPENDIX 1

 

 

 

 

 

The following diagrams are designed to outline the circumstances in which it is lawful under the Australian

Privacy Principles to collect, use or disclose health information.

 

Requirements when collecting health information without consent:

 

   for research or the compilation and analysis of statistics relevant to public health or public safety, or

 

•   for the management, funding or monitoring of a health service.

 

 

Requirements when collecting