Privacy Commissioner

Privacy Act 1988

Notice under Section 95A

I, Malcolm Woodhouse Crompton, Privacy Commissioner, by this notice approve pursuant to subsections 95A(2) and (4) of the Privacy Act 1988 the guidelines issued by the National Health and Medical Research Council for the purposes of subparagraphs 2.1(d)(ii) and 10.3(d)(iii) of the National Privacy Principles of the Act, namely, Guidelines approved under Section 95A of the Privacy Act 1988.

SIGNED

DATED

12 December 2001

 

Guidelines approved under Section 95A of the Privacy Act 1988

December 2001

 

© Commonwealth of Australia 2001

ISBN Print: 1864961074 Online: 1864961139

This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from AusInfo. Requests and enquiries concerning reproduction and rights should be addressed to the Manager, Legislative Services, AusInfo, GPO Box 1920, Canberra ACT 2601.

Email address: Cwealthcopyright@dofa.gov.au

The strategic intent of the NHMRC is to provide leadership and work with other relevant organisations to improve the health of all Australians by:

• fostering and supporting a high quality and internationally recognised research base;

• providing evidence based advice;

• applying research evidence to health issues thus translating research into better health practice and outcomes; and

• promoting informed debate on health and medical research, health ethics and related issues.

It is planned to review this Guideline in 2003. For further information regarding the status of this document, please refer to the NHMRC web address: http://www.nhmrc.gov.au

This document is sold through AusInfo Government Info Bookshops at a price which covers the cost of printing and distribution only. For publication purchases please contact AusInfo on their toll-free number 132 447, or through their internet address:

http://www.dofa.gov.au/infoaccess/general/purchase_info_products.htm

CONTENTS

Abbreviations

Structure of the Guidelines

Introduction

– Privacy in research, the compilation or analysis of statistics and the management of health services

– The Guidelines approved under Section 95A of the Privacy Act 1988

– Relationship between the Guidelines approved under Section 95A of the Privacy Act 1988 and the NHMRC Guidelines under Section 95 of the Privacy Act 1988

– Relationship between the Guidelines approved under Section 95A of the Privacy Act 1988 and the NHMRC National Statement on Ethical Conduct in Research Involving Humans

– Guidelines issued by the Office of the Federal Privacy Commissioner

– Other legislation and regulations

– When should the Guidelines approved under Section 95A of the Privacy Act 1988 be applied?

Key Concepts

Guidelines approved under Section 95A of the Privacy Act 1988

– Section A: Guidelines for the conduct of research relevant to public health or public safety

– Section B: Guidelines for the conduct of the compilation or analysis of statistics relevant to public health or public safety

– Section C: Guidelines for the conduct of the management, funding or monitoring of a health service

– Section D: Consideration by human research ethics committees (HRECs)

– Section E: Responsibilities of the National Health and Medical Research Council (NHMRC)

– Section F: Reports to or for the Federal Privacy Commissioner

– Section G: Complaints mechanisms

– Section H: Date of review

Appendix 1: National Privacy Principles

Appendix 2: Privacy Act 1988 (Commonwealth), Section 95A

Appendix 3: Joint NHMRC/AVCC Statement and Guidelines on Research Practice, Section 2

Appendix 4: OFPC Guidelines on Privacy in the Private Health Sector, Section A.3.5

Appendix 5: OFPC Information Sheet 9—2001 Handling Health Information for Research and Management, Attachments 1 and 2

Appendix 6: Information about the National Statement on Ethical Conduct in Research Involving Humans

ABBREVIATIONS

AHEC: Australian Health Ethics Committee

AVCC: Australian Vice-Chancellors’ Committee

HREC: Human Research Ethics Committee

IPP: Information Privacy Principle

NHMRC: National Health and Medical Research Council

NPP: National Privacy Principle

OECD: Organisation for Economic Cooperation and Development

OFPC: Office of the Federal Privacy Commissioner

STRUCTURE OF THE GUIDELINES

The Guidelines approved under Section 95A of the Privacy Act 1988 provide a framework for human research ethics committees (HRECs) and those involved in conducting research, the compilation or analysis of statistics or health service management, to weigh the public interest in—research, or the compilation or analysis of statistics, or health service management activities—against the public interest in the protection of privacy. The guidelines contain procedures to follow in preparing proposals to be submitted to an HREC for approval to collect, use or disclose health information held by organisations without consent from the individual(s) involved and guidelines for HRECs to follow when considering proposals. The following guidelines are divided into 8 sections.

Section A provides guidance for the conduct of research relevant to public health or public safety. Section A.1 outlines when a proposal must be submitted to an HREC for approval under these guidelines. Section A.2 contains procedures to be followed in preparing a proposal to be submitted to an HREC for the collection of health information. Section A.3 contains procedures to be followed in preparing a proposal to be submitted to an HREC for the use or disclosure of health information.

Section B provides guidance for the conduct of the compilation or analysis of statistics, relevant to public health or public safety. Section B.1 outlines when a proposal must be submitted to an HREC for approval under these guidelines. Section B.2 contains procedures to be followed in preparing a proposal to be submitted to an HREC for the collection of health information. Section B.3 contains procedures to be followed in preparing a proposal to be submitted to an HREC for the use or disclosure of health information.

Section C provides guidance for the conduct of the management, funding or monitoring of a health service. Section C.1 outlines when a proposal must be submitted to an HREC for approval under these guidelines. Section C.2 contains procedures to be followed in preparing a proposal to be submitted to an HREC for the collection of health information.

Section D provides guidance to HRECs on the issues to consider in reviewing research, the compilation or analysis of statistics and management, funding or monitoring of a health service proposals under these guidelines. Paragraphs D.1–D.4 outline decisions that the HREC must consider before weighing the public interest in the proposed activity against the public interest in the protection of privacy. Paragraph D.5 lists the matters that an HREC must consider in weighing the public interest. Paragraphs D.6–D.8 contain guidance for HRECs on requirements for the recording, notification and monitoring of decisions made under these guidelines.

Section E outlines the responsibilities to be undertaken by the NHMRC in reporting to the Federal Privacy Commissioner.

Section F outlines what kind of information will be reported to the Federal Privacy Commissioner.

Section G outlines the complaint mechanisms available in regard to decisions made under these guidelines.

Section H outlines the NHMRC’s commitment to review these guidelines two years from the date of issue.

INTRODUCTION

Privacy in research, the compilation or analysis of statistics and the management of health services

An individual’s right to privacy is a fundamental human right. This is recognised in a number of international instruments, in particular, the International Covenant on Civil and Political Rights (Article 17) and the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Australia adopted the OECD Guidelines in 1984 and the principles in those guidelines were incorporated in the Federal Privacy Act 1988. The Privacy Act 1988 deals with the protection of personal information, a component of the broader concept of privacy. The Privacy Act 1988, and the Information Privacy Principles (IPPs) it established, were generally limited in operation to Commonwealth agencies within the public sector.

On 6 December 2000, the Privacy Amendment (Private Sector) Act 2000 was passed by Federal Parliament to provide protection of personal information held by organisations in the private sector (See: ‘Key Concepts’, for discussion of what is meant by the term ‘organisation’). From 21 December 2001, the amended Privacy Act 1988 will regulate the handling of personal information held by both Commonwealth agencies and organisations in the private sector.

However, the individual’s right to privacy is not an absolute right. In some circumstances, it must be weighed against the interests of others and against matters that benefit society as a whole. The conduct of research, and the compilation or analysis of statistics, relevant to public health or public safety and health service management [1] fall within these circumstances. Research, and the compilation or analysis of statistics, are important for providing information to help the community make decisions that impact on the health of individuals and the community. The properly informed management of health services is necessary to ensure individuals and the community receive the best possible health and medical care. However, all the above activities should be carried out in a way that minimises the intrusion on people’s privacy. Optimally, this is achieved by obtaining the consent of participants prior to collecting, using or disclosing their personal information. Where this is impracticable, de-identified information should be used. Where neither of these options is available, it may be that personal information must be collected, used or disclosed without consent from the individual in order for the research, the compilation or analysis of statistics, or the management of a health service to proceed.

In these latter cases, there is a need to balance the public interest in the proposed research, statistical or health service management activity against the public interest in the protection of privacy. The Guidelines approved under Section 95A of the Privacy Act 1988 provide a framework in which such decisions can be made.


[1] For the purpose of these guidelines, health service management means the management, funding or monitoring of a health service.

The Guidelines approved under Section 95A of the Privacy Act 1988

The Guidelines approved under Section 95A of the Privacy Act 1988 are issued for the purposes of National Privacy Principle 10.3(d)(iii) and National Privacy Principle 2.1(d)(ii). Compliance with these guidelines is necessary to ensure compliance with NPP 10.3(d)(iii) and NPP 2.1(d)(ii). These guidelines do not replace the NPPs and they must be used in conjunction with the NPPs (See: Appendix 1).

These guidelines apply to organisations in circumstances where, for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety, an organisation must collect, use or disclose health information [2]. It must be impracticable to seek consent from the individual(s) involved and it also must be that de-identified information will not achieve the purpose of the research or compilation or analysis of statistics activity.

These guidelines also apply to organisations in circumstances where, for the purpose of health service management, an organisation must collect health information. It must be impracticable to seek consent from the individual(s) involved and it also must be that de-identified information will not achieve the purpose of health service management activity.

It should be noted that the Guidelines approved under Section 95A of the Privacy Act 1988 are not the only lawful mechanism under the Privacy Act 1988 for allowing the collection of health information, where it is impracticable to seek consent from the individual(s) involved for the purposes of:

• Research relevant to public health or public safety; or

• The compilation or analysis of statistics, relevant to public health or public safety; or

• The management, funding or monitoring of a health service.

Collection of health information where it is impracticable to seek consent from the individual(s) involved, is also authorised under:

• NPP 10.3(d)(i) as required by law (other than this Act); or

• NPP 10.3(d)(ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation. (See: Appendixes 1 and 5).

Relationship between the NHMRC Guidelines approved under Section 95A of the Privacy Act 1988 and the NHMRC Guidelines under Section 95 of the Privacy Act 1988

In March 2000, the NHMRC issued Guidelines under Section 95 of the Privacy Act 1988 (s95 Guidelines). These guidelines provide for the protection of privacy in the conduct of medical research and provide a framework for weighing the public interest in medical research against the public interest in adhering to the Information Privacy Principles (IPPs). The s95 Guidelines apply to medical research that involves access to personal information held by Commonwealth agencies where identified information needs to be used without consent from the individual(s) involved.

[2] By definition (Section 6 of the Privacy Act 1988) the term ‘health information’ is also ‘personal information’. Therefore, all health information is information or opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion (See: Key Concepts, pages 8 & 9).

The Guidelines approved under Section 95A of the Privacy Act 1988 (s95A Guidelines) provide a similar framework for weighing the public interest. However, the purposes to which the s95A Guidelines apply are significantly broader than those of the s95 Guidelines. The s95A Guidelines apply to the collection, use or disclosure of health information held by organisations in the private sector for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety, and to the collection of health information held by organisations for the purpose of health service management.

The s95 Guidelines provide a process whereby medical research activities to be conducted in a manner that would normally breach the IPPs are allowable if conducted in accordance with these guidelines. Failure to follow the s95 Guidelines when proposing to conduct medical research in a manner that breaches the IPPs would represent a breach of the Privacy Act 1988. The s95A Guidelines form part of compliance requirements under the NPPs, specifically NPP 2.1(d)(ii) and NPP 10.3(d)(iii). Failure to comply with the s95A Guidelines when applying NPP 2.1(d)(ii) or NPP 10.3(d)(iii) would represent a breach of the Privacy Act 1988.

Relationship between the Guidelines approved under Section 95A of the Privacy Act 1988 and the NHMRC National Statement on Ethical Conduct in Research Involving Humans

The Australian Health Ethics Committee (AHEC) is a principal committee of the NHMRC and advises the NHMRC on ethical issues relating to health and monitors and advises on the functioning of HRECs that review research proposals involving human participation.

In June 1999, AHEC issued the National Statement on Ethical Conduct in Research Involving Humans (National Statement), which provides ethical guidance for the conduct of research involving humans.

Within the Guidelines approved under Section 95A of the Privacy Act 1988, references are made to the National Statement as a source of guidance on issues that are related to the protection of privacy in the conduct of research, or the compilation or analysis of statistics, or health service management, but which are not covered by the guidelines themselves. For example, particular kinds of research, such as research using genetic information or research using children’s personal information, involve specific ethical considerations that are essential to providing effective protection of privacy, as well as to ensuring that the welfare and rights of participants in research are protected. The Guidelines approved under Section 95A of the Privacy Act 1988 refer to the National Statement where appropriate for guidance on how to fulfil these broader ethical obligations in the conduct of research, statistical and health service management activities.

It should be recognised that the National Statement is a set of ethical guidelines that have the objective of defining standards of behaviour to which researchers should adhere. The Guidelines approved under Section 95A of the Privacy Act 1988 form part of legal requirements for compliance with federal legislation, namely the Privacy Act 1988. In the event that both a legal requirement and an ethical guideline apply, the legal requirement will prevail (although they will normally be consistent).

It should also be noted that the National Statement was issued before the introduction of the Privacy Amendment (Private Sector) Act 2000, and therefore does not contain any specific reference to the NPPs.

Guidelines issued by the Office of the Federal Privacy Commissioner

The Office of the Federal Privacy Commissioner (OFPC) has issued guidelines to help organisations comply with their obligations established by the Privacy Amendment (Private Sector) Act 2000. These guidelines contain explanatory material on the application of the NPPs and the Privacy Commissioner’s expectations of the use of the NPPs in practice. The guidelines are entitled:

• Guidelines to the National Privacy Principles; and

• Guidelines on Privacy in the Private Health Sector.

The OFPC has also prepared a series of information sheets on particular aspects of applying the NPPs. Copies of the guidelines and information sheets are available from the OFPC web site at www.privacy.gov.au

Other legislation and regulation

States and Territories may also have their own privacy regulation in the form of legislation or administrative codes of practice. State and Territory legislation or codes of practice may apply to the collection, use or disclosure of personal information held in the public and/or private sectors. HRECs and those involved in the conduct of research, the compilation or analysis of statistics or health service management must be satisfied that proposals submitted in accordance with the Guidelines approved under Section 95A of the Privacy Act 1988 also conform to relevant State and Territory legislation or codes of practice. To the extent that there are direct inconsistencies between Commonwealth and State or Territory laws, generally the Commonwealth law prevails.

Where State or Territory legislation or other Commonwealth legislation (apart from the Privacy Act 1988) requires an organisation to collect health information, it is not necessary to seek HREC approval for research or statistical compilation or analysis or health service management activities that involve the collection of health information without consent from the individual involved.

Where State or Territory legislation or other Commonwealth legislation (apart from the Privacy Act 1988) requires or authorises an organisation to use or disclose health information, it is not necessary to seek HREC approval for activities that involve the use or disclosure of health information without consent from the individual involved.

Examples include the collection of health information required under State or Territory legislation for inclusion on cancer registries.

When should the Guidelines approved under Section 95A be applied?

The following diagram relates to organisations in the private sector for:

1. The collection of health information under NPP 10.3(d)(iii) for the purposes of:

– research relevant to public health or public safety; and

– the compilation or analysis of statistics, relevant to public health or public safety; and

– the management, funding or monitoring of a health service.

2. The use and disclosure of health information under NPP 2.1(d)(ii) for the purposes of:

– research relevant to public health or public safety; and

– the compilation or analysis of statistics, relevant to public health or public safety.

[For information on when NPP 10.3(d)(iii) and NPP 2.1(d)(ii) apply, see diagram at Appendix 5.]

KEY CONCEPTS

Collection

An organisation collects personal information if it gathers, acquires or obtains personal information from any source and by any means. Collection includes when an organisation keeps personal information it has come across by accident or has not requested.

(OFPC—Guidelines to the National Privacy Principles, September 2001)

Compilation or analysis of statistics [3]

The compilation or analysis of statistics is the act or process of collecting numerical data, or undertaking a detailed examination of the elements or structure of numerical data, especially in or about large quantities, and inferring conclusions for the whole from conclusions reached from the whole or a representative sample.

Directly related secondary purposes

Directly related secondary purposes may include many activities or processes necessary to the functioning of the health sector.

Where the use or disclosure of de-identified data will not suffice, and provided it is within the reasonable expectations of the individual, no extra steps need be taken when using or disclosing relevant personal information in circumstances, such as:

• Providing an individual with further information about treatment options;

• Billing or debt-recovery;

• An organisation’s management, funding, service-monitoring, complaint handling, planning, evaluation and accreditation activities; for example, activities to assess the cost-effectiveness of a particular treatment or service;

• Disclosure to an insurer, medical defence organisations, medical expert or lawyer for the purpose of liability, indemnity arrangements; for example, to report an adverse incident;

• Disclosure to a lawyer for the defence of anticipated or existing legal proceedings;

• An organisation’s quality assurance or clinical audit activities, where they evaluate and seek to improve the delivery of a particular treatment or service; and

• Disclosure to a clinical supervisor by a psychiatrist, psychologist or social worker.

(OFPC—Guidelines on Privacy in the Private Health Sector, October 2001)

 

[3] This term is based on entries contained in The Australian Concise Oxford Dictionary, Third Edition, 1997.

Disclosure

In general terms, an organisation discloses personal information when it releases information to others outside the organisation. It does not include giving individuals information about themselves. (cf: Key Concept—‘Use’, page 10.)

(OFPC—Guidelines to the National Privacy Principles, September 2001)

Health information

Health information is a particular subset of personal information. Health information is personal information:

• About an individual’s health or disability at any time (that is past, present or future);

• About an individual’s expressed wishes regarding future health services;

• About health services provided or to be provided to the individual;

• Collected whilst providing a health service; or

• Collected in connection with the donation or intended donation of body parts and substances.

Health information includes any information collected by a health service provider during the course of providing treatment and care to an individual, including:

• Medical information;

• Personal details, such as name, address, admission and discharge dates, billing information and Medicare number;

• Information generated by a health service provider, such as notes or opinions about an individual and their health;

• Information about physical or biological samples, where it can be linked to an individual; for example, where they have a name or identifier attached;

• Genetic information, when this is collected or used in connection with delivering a health service, or genetic information when this is predictive of an individual’s health.

Under the Privacy Act 1988, higher privacy standards apply to the handling of sensitive information. Health information is one kind of sensitive information, and is subject to additional provisions.

(OFPC—Guidelines on Privacy in the Private Health Sector, October 2001. Defined in Section 6, Privacy Act 1988)

(Cf: Key Concepts—‘Sensitive information’, page 10)

Health services

Providers of health services range from hospitals, pharmacists and general practitioners to gyms and weight loss clinics. A more comprehensive but not exhaustive list of health service providers is provided at section A.2.1 of the OFPC—Guidelines on Privacy in the Private Health Sector, 2001. See Appendix 2 of the OFPC Guidelines for the definition of the term Health services, as defined in the Privacy Act 1988.

(OFPC—Guidelines on Privacy in the Private Health Sector, October 2001. Defined in Section 6, Privacy Act 1988).

Management, funding or monitoring of a health service

Whether an activity falls within the ‘management, funding or monitoring of a health service’ depends on the circumstances. Factors that might ordinarily be relevant to this question include whether the organisation provides a health service (health services are defined in section 6 of the Privacy Act 1988 and Appendix 2 of the OFPC Guidelines on Privacy in the Private Health Sector, 2001) or whether the organisation has a role in funding or monitoring the quality or other aspects of a health service. Management, funding or monitoring of a health service may include some quality assurance and audit activities.

(OFPC Information Sheet 9—2001 Handling Health Information for Research and Management)

Organisation

The NPPs apply to businesses and bodies that fall within the definition of ‘organisation’ in section 6C of the Privacy Act 1988. Section 6C says that ‘organisation’ means: an individual; or body corporate; or partnership; or any other unincorporated association; or trust; that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory.

(OFPC—Guidelines to the National Privacy Principles, September 2001. Defined in Section 6, Privacy Act 1988)

[For further information see the OFPC Information Sheet 12—2001 Coverage of and exemptions from the Private Sector Provisions]

Personal information

Personal information is information or an opinion (including information or an opinion forming part of a database) whether true or not, and whether recorded in material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion (Section 6 of the Privacy Act 1988). It includes all personal information regardless of its source.

(OFPC—Guidelines to the National Privacy Principles, September 2001. Defined in Section 6, Privacy Act 1988)

Public health and public safety [4]

Public health includes activities such as education, economics, technology, legislation and management, which protect and enhance the health of all people and prevent illness, injury and disability.

Public safety can be thought of as the condition for all people of being safe and free from danger or risks.

To be relevant to public health or public safety, the outcome of the research, or compilation or analysis of statistics activity should have an impact on or provide information about public health or public safety. Examples of public health or public safety issues could include water quality, food safety, mental health, environmental hazards, diabetes, cancer and heart disease.

Research

There are many definitions of research. These include systematic investigation to establish facts, principles or knowledge and a study of some matter with the objective of obtaining or confirming knowledge. A defining feature of research is the validity of results. The knowledge that is generated by research is valid in the sense that what is discovered about the particular facts investigated can be justifiably claimed to be true for all like facts.

(For further discussion of this term, please see: National Statement on Ethical Conduct in Research Involving Humans, 1999).

Sensitive information

Sensitive information is a subset of personal information. It means information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record or health information about an individual (Section 6 of the Privacy Act 1988).

(OFPC—Guidelines to the National Privacy Principles, September 2001. Defined in Section 6, Privacy Act 1988).

Use

In general terms, use of personal information refers to the handling of personal information within an organisation including the ‘inclusion of information in a publication’.

(OFPC—Guidelines to the National Privacy Principles, September 2001).

 

[4] This term is based on information from the following sources: Public Health Australia—An Introduction, Lawson, James S., 1991, The Australian Concise Oxford Dictionary, Third Edition, 1997, and the OFPC Information Sheet 9—2001 Handling Health Information for Research and Management.

GUIDELINES APPROVED UNDER SECTION 95A OF THE PRIVACY ACT 1988

A.1 Guidelines for the conduct of research relevant to public health or public safety

A.1.1 These guidelines apply to NPP 10.3(d)(iii) for the collection of health information and NPP 2.1(d)(ii) for the use and disclosure of health information, for the purpose of research relevant to public health or public safety. These guidelines provide a mechanism for weighing the public interest in research relevant to public health or public safety against the public interest in the protection of privacy. The public interest in the research activity must substantially outweigh the public interest in maintaining the level of privacy protection afforded by the NPPs (other than NPP 10.3(d) and NPP 2.1(d)).

Prerequisites to applying the Guidelines approved under Section 95A of the Privacy Act 1988

A.1.2 It must be necessary to collect, use or disclose health information for the purpose of research relevant to public health or public safety. It must be determined that:

(a) the outcome of the research activity would have an impact on or provide information about public health or public safety; and

(b) the relevant purpose of the research activity cannot be achieved by the collection, use or disclosure of de-identified data [5].

A.1.3 It must be impracticable [6] to seek consent from the individual(s) involved to collect, use or disclose their health information for the purpose of research relevant to public health or public safety.

A.1.4 Where an organisation seeks to rely on these guidelines to collect, use or disclose health information for the purpose of research relevant to public health or public safety under NPP 10.3(d)(iii) [7] or NPP 2.1(d)(ii), the organisation must be satisfied that the research activity in which health information is to be collected, used or disclosed has been approved by an HREC for the particular purpose.

 

5 The NPPs and these guidelines do not apply to de-identified information or statistical data sets, which would not allow individuals to be identified. (OFPC—Guidelines on Privacy in the Private Health Sector).

6 In assessing whether it is ‘impracticable’ to seek consent, this would ordinarily mean more than simply the incurring of some expense or effort in seeking consent. For example, it may be impracticable to seek consent where the organisation is unable to locate the individual, despite making reasonable efforts. (OFPC—Guidelines to the National Privacy Principles).

7 NPP 10.3(d)(iii) and these guidelines are not the only mechanism under which health information may be lawfully collected without consent for the purpose of research relevant to public health or public safety. Collection of health information where it is impracticable to seek consent for the purpose of research is also authorised under NPP 10.3(d)(i) and NPP 10.3(d)(ii). (See: Introduction to these guidelines, page 2 and Appendix 5)

Conditions relating to approval of research relevant to public health or public safety given by a human research ethics committee

A.1.5 A human research ethics committee (HREC) must give approval for the collection, use or disclosure of health information for the purpose of research relevant to public health or public safety, in accordance with these guidelines. The HREC must be constituted and functioning in accordance with the National Statement on Ethical Conduct in Research Involving Humans.

[See: ‘2. Human Research Ethics Committees’, National Statement (1999)].

A.1.6 An organisation from which health information is sought may always decline to agree to the use or disclosure of health information it holds for the purpose of research relevant to public health or public safety, even where the use or disclosure of that health information has been approved by an HREC in accordance with these guidelines.

A.2 Procedures to be followed in the collection of health information 8 for the purpose of research relevant to public health or public safety

A.2.1 This section (A.2) of the guidelines applies to the collection of health information under NPP 10.3, for the purpose of research relevant to public health or public safety. A research proposal must be submitted to an HREC for approval. The research proposal must follow the procedures set out in this section (A.2) and will be considered by an HREC only if the proposal also satisfies requirements in section A.1 of these guidelines.

A.2.2 An overriding obligation for those who seek to collect health information is at all times to respect the dignity and privacy of the individual.

A.2.3 Collection of health information for the purpose of research relevant to public health or public safety must be in accordance with NPP 1.1 and NPP 1.2. (See: Appendix 1)

[See: OFPC—Guidelines to the National Privacy Principles for guidance on the privacy obligations required under NPP 1].

A.2.4 The collector(s) of health information for the purpose of research relevant to public health or public safety must give a written proposal for that research activity to an HREC. The proposal must include any information necessary for members of that HREC to meet their responsibilities under these guidelines. Guidance on the information to be included in the written proposal for the collection of health information is set out in paragraph A.2.6 of these guidelines.

A.2.5 The proposal to be submitted to an HREC for a research activity involving the collection of health information must contain a reference to NPP 10. The proposal must state the reasons for believing that the public interest in the proposed research activity substantially outweighs the public interest in adhering to the other NPPs (other than NPP 10.3(d)(iii)). In the proposal, the collector(s) must provide the HREC with the necessary information to enable the HREC to weigh the public interest consideration in accordance with paragraph D.5 of these guidelines.

8 By definition (Section 6 of the Privacy Act 1988) the term ‘health information’ is also ‘personal information’. Therefore, all health information is information or opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, (See: Key Concepts, pages 8 & 9).

Guidance for preparing a written proposal to be submitted to an HREC

A.2.6 In the proposal to collect health information for the purpose of research relevant to public health or public safety, the collector(s) should state:

(a) the aims or purpose of the collection;

(b) the credentials and technical competence of the collector(s) of the data;

(c) the data needed;

(d) the study period;

(e) the target population;

(f) the reasons why de-identified information can not achieve the relevant purpose of the research activity;

(g) the reasons why it is impracticable to seek consent from the individual for the collection of health information9;

(h) the estimated time of retention of the health information;

(i) the identity of the custodian(s) of the health information collected;

(j) the security standards to be applied to the health information. Standards must be in accordance with NPP 4. (See: Appendix 1).

[Note: In particular, health information should be retained in accordance with the Joint NHMRC/AVCC Statement and Guidelines on Research Practice (See: Appendix 3), and in a form that is at least as secure as it was in the sources from which the health information was obtained unless more stringent legislative or contractual provisions apply];

(k) a list of personnel within the collecting organisation or organisations with access to the health information collected;

(l) the level of protection that will be applied by the collector(s) to protect health information disclosed to the collector(s) by the disclosing organisation. These should include:

(i) terms of any release agreement between the disclosing organisation and the collector(s) to govern limits on the use and disclosure of collected health information.

[See: paragraph A.2.9 of these guidelines]; and

(ii) proposed methods of disposal of the health information on the completion of the research activity, as required by NPP 4.2. (See: Appendix 1).

9 The impracticability of obtaining consent for research involving identified genetic information may extend beyond the individual to include relatives of the individual. See: ‘16 Human Genetic Research’ of the National Statement for further information.

A.2.7 The collector(s) of health information for the purpose of research relevant to public health or public safety should provide to the organisation(s) from which health information is sought, written notification of the decision of the HREC made in accordance with these guidelines. This written notification removes the obligation for the disclosing organisation(s) to submit a written proposal to an HREC to disclose health information for the same research activity.

[See: paragraph A.3.5 of these guidelines].

A disclosing organisation may still decide to submit a written proposal to an HREC in accordance with section A.3 of these guidelines even if that disclosing organisation receives written notification of HREC approval from the collector(s).

A.2.8 The collector(s) of health information for the purpose of research relevant to public health or public safety must immediately report to the HREC anything that might warrant review of ethical approval of the research proposal.

[See: paragraph 2.37, ‘Human Research Ethics Committees’, National Statement (1999)].

A.2.9 Disclosure of health information collected under these guidelines, and therefore collected in accordance with NPP 10.3, must be in accordance with NPP 10.4. (See: Appendix 1).

[See: OFPC Information Sheet 9—2001 Handling health information for research and management for further information on privacy obligations required under NPP 10.4].

A.2.10 Once a proposal submitted to an HREC to collect health information for the purpose of research relevant to public health or public safety satisfies the procedural requirements outlined in this section (A.2), the HREC must then weigh the public interest considerations set out in section D.5 of these guidelines.

A.3 Procedures to be followed in the use and disclosure of health information 10 for the purpose of research relevant to public health or public safety

A.3.1 This section (A.3) of the guidelines applies to the use or disclosure of health information under NPP 2.1(d), for the purpose of research relevant to public health or public safety. A research proposal must be submitted to an HREC for approval. The research proposal must follow the procedures set out in this section (A.3) and will be considered by an HREC only if the proposal also satisfies requirements in section A.1 of these guidelines.

10 By definition (Section 6 of the Privacy Act 1988) the term ‘health information’ is also ‘personal information’. Therefore, all health information is information or opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, (See: Key Concepts, pages 8 & 9).

A.3.2 An overriding obligation for those who seek to use or disclose health information is at all times to respect the dignity and privacy of the individual.

A.3.3 Those who seek to use or disclose health information for the purpose of research relevant to public health or public safety must give a written proposal for that activity to an HREC. The proposal must include any information necessary for members of the HREC to meet their responsibilities under these guidelines. Guidance on the information to be included in the written proposal for the use or disclosure of health information is set out in paragraph A.3.6 of these guidelines.

A.3.4 The proposal to be submitted to an HREC for a research activity, involving the use or disclosure of health information must contain a reference to NPP 2. The proposal must state reasons for believing that the public interest in the proposed research activity substantially outweighs the public interest in adhering to the other NPPs (other than 2.1(d)). In the proposal, the user or discloser must provide the HREC with the necessary information to enable the HREC to weigh the public interest consideration in accordance with paragraph D.5 of these guidelines.

A.3.5 An organisation may disclose health information to a collecting organisation for the purpose of research relevant to public health or public safety without submitting a written proposal to an HREC, if the disclosing organisation receives written notification of HREC approval for health information to be collected from it.

[See: paragraph A.2.7 of these guidelines].

Guidance for preparing the written proposal to be submitted to an HREC

A.3.6 In the proposal to use or disclose health information for the purpose of research relevant to public health or public safety, the user or discloser should state:

(a) the aims or purpose of the use or disclosure;

(b) the credentials and technical competence of those seeking to use or disclose the data;

(c) the data needed;

(d) the study period;

(e) the target population;

(f) the reasons why de-identified information can not achieve the relevant purpose of the research activity;

(g) the reasons why it is impracticable to seek consent from the individual for the use or disclosure of health information11;

(h) the specific uses or disclosures that will be applied to the health information during the study;

(i) the proposed method of publication of results of the research, including a statement that health information will not be published unless in de-identified form;

(j) the estimated time of retention of the health information;

(k) the identity of the custodian(s) of the health information used or disclosed;

(l) the security standards to be applied to the health information. Standards must be in accordance with NPP 4. (See: Appendix 1).

[Note: In particular, health information should be retained in accordance with the Joint NHMRC/AVCC Statement and Guidelines on Research Practice (See: Appendix 3), and in a form that is at the least as secure as it was in the sources from which the health information was obtained unless more stringent legislative or contractual provisions apply];

(m) a list of personnel within an organisation or organisations with access to the health information to be used or disclosed;

(n) the level of protection that will be applied by those seeking to use or disclose health information to protect that health information. These should include:

(i) the terms of any disclosure agreement between the organisation that holds the health information and the user or discloser, to govern limits on the use and disclosure of the health information.

[See: paragraph A.3.10 of these guidelines]; and

(ii) the proposed methods of disposal of the health information on the completion of the research activity as required by NPP 4.2 (See: Appendix 1); and

(iii) the level of protection that will be applied to protect the privacy of health information where it is made available to others if that is proposed.

A.3.7 An organisation seeking or approached to disclose health information for the purpose of research relevant to public health or public safety, where notification from the collector is not given under paragraph A.2.7 of these guidelines, should submit a written proposal to an HREC to disclose the health information. The discloser should retain written notification of the decision of an HREC made in accordance with these guidelines. A copy of this notification should be provided to the collector(s) of the health information.

11 The impracticability of obtaining consent for research involving identified genetic information may extend beyond the individual to include relatives of the individual. See: ‘16 Human Genetic Research’ of the National Statement for further information.

A.3.8 If those seeking to use or disclose health information propose to use or disclose that information to contact a person, the user or discloser of that information must inform the person:

(a) that his or her health information is being used or disclosed in accordance with the Privacy Act 1988 and these guidelines; and

(b) how his or her health information will be used or disclosed; and

(c) that he or she is free at any time to withdraw consent for further involvement in the research activity;

[See: paragraph 1.12, ‘Principles of Ethical Conduct’, National Statement (1999)]; and

(d) of the standards that will apply to protect the privacy of that individual; and

[See: paragraph A.3.6(l) of these guidelines]

(e) of the complaint mechanisms in section G of these guidelines.

A.3.9 Those who seek to use or disclose health information for the purpose of research relevant to public health or public safety must immediately report to the HREC anything that might warrant review of ethical approval of the research proposal.

[See: paragraph 2.37, ‘Human Research Ethics Committees’, National Statement (1999)].

A.3.10 Health information disclosed under these guidelines, and therefore disclosed in accordance with NPP 2.1(d), must be in accordance with NPP 2.1(d)(iii). (See: Appendix 1).

A.3.11 Once a proposal submitted to an HREC to use or disclose health information for the purpose of research relevant to public health or public safety satisfies the procedural requirements outlined in this section (A.3), the HREC must then weigh the public interest considerations set out in section D.5 of these guidelines.

B.1 Guidelines for the conduct of the compilation or analysis of statistics, relevant to public health or public safety

B.1.1 These guidelines apply to NPP 10.3(d)(iii) for the collection of health information and NPP 2.1(d)(ii) for the use and disclosure of health information, for the purpose of the compilation or analysis of statistics, relevant to public health or public safety. These guidelines provide a mechanism for weighing the public interest in the compilation or analysis of statistics, relevant to public health or public safety against the public interest in protection of privacy. The public interest in the compilation or analysis of statistics activity must substantially outweigh the public interest in maintaining the level of privacy protection afforded by the NPPs (other than NPP 2.1(d)).

Prerequisites to applying the Guidelines approved under Section 95A of the Privacy Act 1988

B.1.2 It must be necessary to collect, use or disclose health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety. It must be determined that:

(a) the outcome of the compilation or analysis of statistics activity would have an impact on or provide information about public health or public safety; and

(b) the relevant purpose of the compilation or analysis of statistics activity can not be achieved by the collection, use or disclosure of de-identified data12.

B.1.3 It must be impracticable 13 to seek consent from the individual(s) to collect, use or disclose their health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety.

B.1.4 Where an organisation seeks to rely on these guidelines to collect, use or disclose health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety under NPP 10.3(d)(iii) 14 or NPP 2.1(d)(ii), the organisation must be satisfied that the compilation or analysis of statistics activity in which health information is to be collected, used or disclosed has been approved by an HREC for the particular purpose.

12 The NPPs and these guidelines do not apply to de-identified information or statistical data sets, which would not allow individuals to be identified. (OFPC—Guidelines on Privacy in the Private Health Sector).

13 In assessing whether it is ‘impracticable’ to seek consent, this would ordinarily mean more than simply the incurring of some expense or effort in seeking consent. For example, it may be impracticable to seek consent where the organisation is unable to locate the individual, despite making reasonable efforts. (OFPC—Guidelines to the National Privacy Principles).

14 NPP 10.3(d)(iii) and these guidelines are not the only mechanism under which health information may be collected without consent for the purpose of the compilation or analysis of statistics, relevant to public health or public safety. Collection of health information where it is impracticable to seek consent for the purpose of the compilation or analysis of statistics is also authorised under NPP 10.3(d)(i) and NPP 10.3(d)(ii). (See: Introduction to these guidelines, page 2 and Appendix 5)

Conditions relating to approval of the compilation or analysis of statistics relevant to public health or public safety given by a human research ethics committee

B.1.5 An HREC must give approval for the collection, use or disclosure of health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety, in accordance with these guidelines. The HREC must be constituted and functioning in accordance with the National Statement on Ethical Conduct in Research Involving Humans.

[See: ‘2. Human Research Ethics Committees’, National Statement (1999)]

B.1.6 An organisation may always decline to agree to the use or disclosure of health information it holds for the purpose of the compilation or analysis of statistics, relevant to public health or public safety, even where the collection, use or disclosure of that health information has been approved by an HREC in accordance with these guidelines.

B.2 Procedures to be followed in the collection of health information 15 for the purpose of the compilation or analysis of statistics, relevant to public health or public safety

B.2.1 This section (B.2) of the guidelines applies to the collection of health information under NPP 10.3, for the purpose of the compilation or analysis of statistics, relevant to public health or public safety. A compilation or analysis of statistics proposal must be submitted to an HREC for approval. The compilation or analysis of statistics proposal must follow the procedures set out in this section (B.2) and will be considered by an HREC only if the proposal also satisfies requirements in section B.1 of these guidelines.

B.2.2 An overriding obligation for those who seek to collect health information is at all times to respect the dignity and privacy of the individual.

B.2.3 Collection of health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety must be in accordance with NPP 1.1 and NPP 1.2. (See: Appendix 1).

[See: OFPC—Guidelines to the National Privacy Principles for guidance on the privacy obligations required under NPP 1].

B.2.4 The collector(s) of health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety, must give a written proposal for that activity to an HREC. The proposal must include any information necessary for members of that HREC to meet their responsibilities under these guidelines. Guidance on the information to be included in the written proposal for collection of health information is set out in paragraph B.2.6 of these guidelines.

15 By definition (Section 6 of the Privacy Act 1988) the term ‘health information’ is also ‘personal information’. Therefore, all health information is information or opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, (See: Key Concepts, pages 8 & 9).

B.2.5 The proposal to be submitted to an HREC for a compilation or analysis of statistics activity, involving the collection of health information, must contain a reference to NPP 10. The proposal must state the reasons for believing that the public interest in the proposed compilation or analysis of statistics activity substantially outweighs the public interest in adhering to the other NPPs (other than NPP 10.3(d)). In the proposal, the collector(s) must provide the HREC with the necessary information to enable the HREC to weigh the public interest consideration in accordance with paragraph D.5 of these guidelines.

Guidance for preparing a written proposal to be submitted to an HREC

B.2.6 In the proposal to collect health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety, the collector(s) should state:

(a) the aims or purpose of the collection;

(b) the credentials and technical competence of the collector(s) of the data;

(c) the data needed;

(d) the study period;

(e) the target population;

(f) the reasons why de-identified information can not achieve the relevant purpose of the compilation or analysis of statistics activity;

(g) the reasons why it is impracticable to seek consent from the individual for the collection of health information16;

(h) the estimated time of retention of the health information;

(i) the identity of the custodian(s) of the health information collected;

(j) the security standards to be applied to the health information. Standards must be in accordance with NPP 4. (See: Appendix 1).

[Note: In particular, health information should be retained in accordance with the Joint NHMRC/AVCC Statement and Guidelines on Research Practice (See: Appendix 3), and in a form that is at least as secure as it was in the sources from which the health information was obtained unless more stringent legislative or contractual provisions apply];

(k) a list of personnel within the collecting organisation or organisations with access to the health information collected;

(l) the level of protection that will be applied by the collector(s) to protect health information disclosed to the collector(s) by the disclosing organisation. These should include:

(a) the terms of any release agreement between the disclosing organisation and the collector(s) to govern limits on the use and disclosure of collected health information.

[See: paragraph B.2.9 of these guidelines]; and

(b) the proposed methods of disposal of the health information on the completion of the statistical activity, as required by NPP 4.2. (See: Appendix 1).

16 The impracticability of obtaining consent for the compilation or analysis of statistics involving identified genetic information may extend beyond the individual to include relatives of the individual. See: ‘16 Human Genetic Research’ of the National Statement for further information.

B.2.7 The collector(s) of health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety, should provide to the organisation from which the health information is sought, written notification of the decision of the HREC made in accordance with these guidelines. This written notification removes the obligation for the disclosing organisation to submit a written proposal to an HREC to disclose health information for the same compilation or analysis of statistics activity.

[See: paragraph B.3.5 of these guidelines].

A disclosing organisation may still decide to submit a written proposal to an HREC in accordance with section B.3 of these guidelines even if that disclosing organisation receives written notification of HREC approval from the collector(s).

B.2.8 The collector(s) of health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety must immediately report to the HREC anything that might warrant review of ethical approval of the proposal.

[See: paragraph 2.37, ‘Human Research Ethics Committees’, National Statement (1999)].

B.2.9 Disclosure of health information collected under these guidelines, and therefore collected in accordance with NPP 10.3, must be in accordance with NPP 10.4. (See: Appendix 1).

[See: OFPC Information Sheet 9—2001 Handling health information for research and management for further information on privacy obligations required under NPP 10.4].

B.2.10 Once a proposal submitted to an HREC to collect health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety satisfies the procedural requirements outlined in this section (B.2), the HREC must then weigh the public interest considerations set out in section D.5 of these guidelines.

B.3 Procedures to be followed in the use and disclosure of health information 17 for the purpose of the compilation or analysis of statistics, relevant to public health or public safety

B.3.1 This section (B.3) of the guidelines applies to the use or disclosure of health information under NPP 2.1(d), for the purpose of the compilation or analysis of statistics, relevant to public health or public safety. A compilation or analysis of statistics proposal must be submitted to an HREC for approval. The compilation or analysis of statistics proposal must follow the procedures set out in this section (B.3) and will be considered by an HREC only if the proposal also satisfies requirements in section B.1 of these guidelines.

B.3.2 An overriding obligation for those who seek to use or disclose health information is at all times to respect the dignity and privacy of the individual.

B.3.3 Those who seek to use or disclose health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety, must give a written proposal for that activity to an HREC. The proposal must include any information necessary for members of the HREC to meet their responsibilities under these guidelines. Guidance on the information to be included in the written proposal for the use or disclosure of health information is set out in paragraph B.3.6 of these guidelines.

B.3.4 The proposal to be submitted to an HREC for a compilation or analysis of statistics activity, involving the use or disclosure of health information, must contain a reference to NPP 2. The proposal must state reasons for believing that the public interest in the proposed compilation or analysis of statistics activity substantially outweighs the public interest in adhering to the other NPPs (other than 2.1(d)). In the proposal, the user or discloser must provide the HREC with the necessary information to enable the HREC to weigh the public interest consideration in accordance with paragraph D.5 of these guidelines.

B.3.5 An organisation may disclose health information to a collecting organisation for the purpose of the compilation or analysis of statistics, relevant to public health or public safety, without submitting a written proposal to an HREC, if the disclosing organisation receives written notification of HREC approval for health information to be collected from it.

[See: paragraph B.2.7 of these guidelines].

17 By definition (Section 6 of the Privacy Act 1988) the term ‘health information’ is also ‘personal information’. Therefore, all health information is information or opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, (See: Key Concepts, pages 8 & 9).

Guidance for preparing a written proposal to be submitted to an HREC

B.3.6 In the proposal to use or disclose health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety, the user or discloser should state:

(a) the aims or purpose of the use or disclosure;

(b) the credentials and technical competence of those seeking to use or disclose the data;

(c) the data needed;

(d) the study period;

(e) the target population;

(f) the reasons why de-identified information can not achieve the relevant purpose of the compilation or analysis of statistics activity;

(g) the reasons why it is impracticable to seek consent from the individual(s) for the use or disclosure of health information18;

(h) the specific uses or disclosures that will be applied to the health information during the study;

(i) the proposed method of publication of results of the research, including a statement that health information will not be published unless in de-identified form;

(j) the estimated time of retention of the health information;

(k) the identity of the custodian(s) of the health information used or disclosed;

(l) the security standards to be applied to the health information. Standards must be in accordance with NPP 4. (See: Appendix 1).

[Note: In particular, health information should be retained in accordance with the Joint NHMRC/AVCC Statement and Guidelines on Research Practice (See: Appendix 3), and in a form that is at the least as secure as it was in the sources from which the health information was obtained unless more stringent legislative or contractual provisions apply];

(m) a list of personnel within an organisation or organisations with access to the health information to be used or disclosed;

(n) the level of protection that will be applied by those seeking to use or disclose health information to protect that health information. These should include:

(i) the terms of any disclosure agreement between the organisation that holds the health information and the user or discloser, to govern limits on the use and disclosure of the health information.

[See: paragraph B.3.10 of these guidelines]; and

(ii) the proposed methods of disposal of the health information on the completion of the statistical compilation or analysis activity, as required by NPP 4.2. (See: Appendix 1); and

(iii) the level of protection that will be applied to protect the privacy of health information where it is made available to others if that is proposed.

18 The impracticability of obtaining consent for the compilation or analysis of statistics involving identified genetic information may extend beyond the individual to include relatives of the individual. See: ‘16 Human Genetic Research’ of the National Statement for further information.

B.3.7 An organisation seeking or approached to disclose health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety, where notification from the collector is not given under paragraph B.2.7 of these guidelines, should submit a written proposal to an HREC to disclose the health information. The discloser should retain written notification of the decision of an HREC made in accordance with these guidelines. A copy of this notification should be provided to the collector(s) of health information.

B.3.8 If those seeking to use or disclose health information propose to use or disclose that information to contact a person, the user or discloser of that information must inform the person:

(a) that his or her health information is being used or disclosed in accordance with the Privacy Act and these guidelines; and

(b) how his or her health information will be used or disclosed; and

(c) that he or she is free at any time to withdraw consent for further involvement in the statistical activity.

[See: paragraph 1.12, ‘Principles of Ethical Conduct’, National Statement (1999)]; and

(d) of the standards that will apply to protect the privacy of that individual;

[See: paragraph B.3.6(l) of these guidelines]; and

(e) of the complaint mechanisms in section G of these guidelines.

B.3.9 Those who seek to use or disclose health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety, must immediately report to the HREC anything that might warrant review of ethical approval of the proposal.

[See: paragraph 2.37, ‘Human Research Ethics Committees’, National Statement (1999)].

B.3.10 Health information disclosed under these guidelines, and therefore disclosed in accordance with NPP 2.1(d), must be in accordance with NPP 2.1 (d)(iii). (See: Appendix 1).

B.3.11 Once a proposal submitted to an HREC to use or disclose health information for the purpose of the compilation or analysis of statistics, relevant to public health or public safety, satisfies the procedural requirements outlined in this section (B.3), the HREC must then weigh the public interest considerations set out in section D.5 of these guidelines.

C.1 Guidelines for the conduct of the management, funding or monitoring of a health service

The Guidelines approved under Section 95A of the Privacy Act 1988 are only authorised to provide guidance for the collection of health information for the purpose of the management, funding or monitoring of a health service19.

For information on the requirements for the use and disclosure of health information for the purpose of the management, funding or monitoring of a health service refer to the OFPC Guidelines on Privacy in the Private Health Sector (Section 2).

C.1.1 These Guidelines approved under Section 95A of the Privacy Act 1988 apply to NPP 10.3(d)(iii) for the collection of health information for the purpose of health service management and provide a mechanism for weighing the public interest in health service management activities against the public interest in protection of privacy. The public interest in the health service management activity must substantially outweigh the public interest in maintaining the level of privacy protection afforded by the NPPs (other than NPP 10.3(d)).

Prerequisites to applying the Guidelines approved under Section 95A of the Privacy Act 1988

C.1.2 It must be necessary to collect health information for the purpose of health service management. It must be determined that:

(a) the relevant purpose of the health service management activity can not be achieved by the collection of de-identified data20.

C.1.3 It must be impracticable 21 to seek consent from the individual(s) to collect their health information for the purpose of health service management.

C.1.4 Where an organisation seeks to rely on these guidelines to lawfully collect health information for the purpose of health service management under NPP 10.3(d)(iii) 22, the organisation must be satisfied that the health service management activity in which health information is to be collected, has been approved by an HREC for the particular purpose.

 

19 For the purpose of these guidelines, health service management means the management, funding or monitoring of a health service.

20 The NPPs and these guidelines do not apply to de-identified information or statistical data sets, which would not allow individuals to be identified. (OFPC—Guidelines on Privacy in the Private Health Sector).

21 In assessing whether it is ‘impracticable’ to seek consent, this would ordinarily mean more than simply the incurring of some expense or effort in seeking consent. For example, it may be impracticable to seek consent where the organisation is unable to locate the individual, despite making reasonable efforts. (OFPC—Guidelines to the National Privacy Principles).

22 NPP 10.3(d)(iii) and these guidelines are not the only mechanism under which health information may be collected without consent for the purpose of health service management. Collection of health information where it is impracticable to seek consent for the purpose of health service management is also authorised under NPP 10.3 (d)(i) and NPP 10.3 (d)(ii). (See: Introduction to these guidelines, page 2 and Appendix 5).

Conditions relating to approval of health service management activities given by a human research ethics committee

C.1.5 An HREC must give approval for the collection of health information for the purpose of health service management, in accordance with these guidelines. The HREC must be constituted and functioning in accordance with the National Statement on Ethical Conduct in Research Involving Humans.

[See: ‘2. Human Research Ethics Committees’, National Statement (1999)].

C.1.6 An organisation may always decline to agree to the disclosure of health information it holds, for the purpose of health service management, even where the collection of that health information has been approved by an HREC in accordance with these guidelines.

C.2 Procedures to be followed in the collection of health information 23 for the purpose of the management, funding or monitoring of a health service

C.2.1 This section (C.2) of the guidelines applies to the collection of health information under NPP 10.3, for the purpose of health service management. A health service management proposal must be submitted to an HREC for approval. The health service management proposal must follow the procedures set out in this section (C.2) and will be considered by an HREC only if the proposal also satisfies requirements in section C.1 of these guidelines.

C.2.2 An overriding obligation for those who seek to collect health information is at all times to respect the dignity and privacy of the individual.

C.2.3 Collection of health information for the purpose of health service management must be in accordance with NPP 1.1 and NPP 1.2. (See: Appendix 1).

[See: OFPC—Guidelines to the National Privacy Principles for guidance on privacy obligations established under NPP 1].

C.2.4 The collector(s) of health information for the purpose of health service management must give a written proposal for that activity to an HREC. The proposal must include any information necessary for members of that HREC to meet their responsibilities under these guidelines. Guidance on the information to be included in the written proposal for collection of health information is set out in paragraph C.2.6 of these guidelines.

C.2.5 The proposal to be submitted to an HREC for a health service management activity involving the collection of health information must contain a reference to NPP 10. The proposal must state the reasons for believing that the public interest in the proposed health service management activity substantially outweighs the public interest in adhering to the other NPPs (other than NPP 10.3(d)(iii)). In the proposal, the collector(s) must provide the HREC with the necessary information to enable the HREC to weigh the public interest consideration in accordance with paragraph D.5 of these guidelines.

23 By definition (Section 6 of the Privacy Act 1988) the term ‘health information’ is also ‘personal information’. Therefore, all health information is information or opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. (See: Key Concepts, pages 8 & 9).

Guidance for preparing a written proposal to be submitted to an HREC

C.2.6 In the proposal to collect health information for the purpose of health service management, the collector(s) should state:

(a) the aims or purpose of the collection;

(b) the credentials and technical competence of the collector(s) of the data;

(c) the data needed;

(d) the study period;

(e) the target population;

(f) the reasons why de-identified information can not achieve the relevant purpose of the health service management activity;

(g) the reasons why it is impracticable to seek consent from the individual(s) for the collection of health information24;

(h) the estimated time of retention of the health information;

(i) the identity of the custodian(s) of the health information collected;

(j) the security standards to be applied to the health information. Standards must be in accordance with NPP 4. (See: Appendix 1).

[Note: In particular, health information should be retained in accordance with the Joint NHMRC/AVCC Statement and Guidelines on Research Practice (See: Appendix 3), and in a form that is at least as secure as it was in the sources from which the health information was obtained unless more stringent legislative or contractual provisions apply];

(k) a list of personnel within the collecting organisation or organisations with access to the health information collected;

(l) the level of protection that will be applied by the collector(s) to protect health information disclosed to the collector(s) by the disclosing organisation. These should include:

(i) the terms of any release agreement between the disclosing organisation and the collector(s) to govern limits on the use and disclosure of collected health information.

[See: paragraph C.2.9 of these guidelines]; and

(ii) the proposed methods of disposal of the health information on the completion of the health service management activity, as required under NPP 4.2. (See: Appendix 1).

24 The impracticability of obtaining consent for health service management activities involving identified genetic information may extend beyond the individual to include relatives of the individual. See: ‘16 Human Genetic Research’ of the National Statement for further information.

C.2.7 The collector(s) of health information for the purpose of health service management should provide to the organisation from which health information is sought, written notification of the decision of the HREC made in accordance with these guidelines.

C.2.8 The collector(s) of health information for the purpose of health service management must immediately report to the HREC anything that might warrant review of ethical approval of the proposal.

[See: paragraph 2.37, ‘Human Research Ethics Committees’, National Statement (1999)].

C.2.9 Disclosure of health information collected under these guidelines, and therefore collected in accordance with NPP 10.3, must be in accordance with NPP 10.4. (See: Appendix 1).

[See: OFPC Information Sheet 9—2001 Handling health information for research and management for further information on privacy obligations required under NPP 10.4].

C.2.10 Once a proposal submitted to an HREC to collect health information for the purpose of health service management satisfies the procedural requirements outlined in this section (C.2), the HREC must then weigh the public interest considerations set out in section D.1.5 of these guidelines.

D. Consideration by human research ethics committees (HRECs)

D.1 Before making a decision under these guidelines, an HREC must assess whether it has sufficient information, expertise and understanding of privacy issues, either amongst the members of the HREC or otherwise available to it, to make a decision that takes proper account of privacy matters. For the review of proposals for the collection of health information for the purpose of health service management, this may necessitate the appointment of additional members with specific expertise in the management, funding or monitoring of a health service.

[See: ‘2. Human Research Ethics Committees’ and ‘18. Privacy of Information’, National Statement (1999)].

D.2 In making decisions under these guidelines, an HREC must consider whether the proposal complies with the relevant NPPs in the course of:

(a) the collection of health information for the purposes of:

(i) research relevant to public health or public safety; or

(ii) the compilation or analysis of statistics, relevant to public health or public safety; or

(iii) the management, funding or monitoring of a health service;

or

(b) the use and disclosure of health information for the purposes of:

(i) research relevant to public health or public safety; or

(ii) the compilation or analysis of statistics, relevant to public health or public safety.

This would include considering whether the purpose of the proposed activity can be achieved using de-identified data and whether it is impracticable to collect, use or disclose health information for the proposed activity with the consent of the individual(s) involved.

D.3 In making decisions under these guidelines the HREC must ensure that the committee has the competence to determine if the public interest in the proposed activity substantially outweighs, or does not substantially outweigh, the public interest in the protection of privacy.

D.4 If the public interest in the proposed research, or compilation or analysis of statistics, or health service management activity does not substantially outweigh the public interest in the protection of privacy, then the activity should not be approved to proceed by the HREC.

Weighing the public interest

D.5 In determining whether the public interest in the proposed activity substantially outweighs, or does not substantially outweigh, the public interest in the protection of privacy, an HREC should consider the following matters:

(a) the degree to which the proposed collection, use or disclosure of health information is necessary to the functions or activities of the organisation;

(b) the degree to which the research, or compilation or analysis of statistics activity is relevant to public health or public safety;

(c) the degree to which the research, or compilation or analysis of statistics or the health service management activity is likely to contribute to:

(i) the identification, prevention or treatment of illness, injury or disease; or

(ii) scientific understanding relating to public health or safety; or

(iii) the protection of the health of individuals and/or communities; or

(iv) the improved delivery of health services; or

(v) enhanced scientific understanding or knowledge; or

(vi) enhanced knowledge of issues within the fields of social science and the humanities relating to public health or public safety;

(d) any likely benefits to individuals, to the category of persons to which they belong, or the wider community that will arise from the research, or compilation or analysis of statistics, or management of a health service being undertaken in the manner proposed;

(e) in considering benefits to the category of persons to which the individual(s) belong, specific consideration should be given to any likely benefits to individuals that belong to certain categories where the information may be of a particularly personal or sensitive nature; for example:

(i) children and young people; or

(ii) persons with intellectual or psychiatric disability; or

(iii) persons highly dependent on medical care; or

(iv) persons in dependent or unequal relationships; or

(v) persons who are members of collectivities; or

(vi) Aboriginal and Torres Strait Islander peoples; or

(vii) persons whose information relates to their mental or sexual health;

[See: National Statement for further information on considerations relevant to the above categories of persons.];

(f) whether the research, or compilation or analysis of statistics, or management of a health service study design can be satisfied without needing to apply NPP 2.1(d)(ii) and/or NPP 10.3(d)(iii) and the scientific defects in the activity that might arise if the activity was not undertaken in the manner proposed;

(g) the cost of not undertaking the research, or compilation or analysis of statistics, or management of a health service activity (to government, the public, the health care system etc);

(h) the public importance of the proposed research, or compilation or analysis of statistics, or management of a health service activity;

(i) the extent to which the data being sought are usually available to the public from the organisation that holds that data; and

(i) whether the research, or compilation or analysis of statistics activity, involves use of the data in a way that is inconsistent with the purpose for which the data was made public; and

(ii) whether the research, or compilation or analysis of statistics activity requires alteration of the format of the data of a kind that would, if used or disclosed by an organisation, involve a breach of an NPP;

(j) whether the risk of harm to an individual whose health information is to be collected, used or disclosed in the proposed research, or compilation or analysis of statistics, or management of health service activity is minimal, based on the information provided in proposals submitted under paragraphs A.2.6; or A.3.6; or B.2.6; or B.3.6; or C.2.6 of these guidelines;

(k) the standards of conduct that are to be observed in the research, or compilation or analysis of statistics, or management of a health service activity, including:

(i) the study design and the scientific credentials of those involved in conducting that study;

(ii) if the study involves contact with participants, the procedures or controls that will apply to ensure that participants are treated with integrity and sensitivity, including whether questions to be asked or procedures to be employed are intrusive;

(iii) whether access to health information is adequately restricted to appropriate personnel involved in conducting the proposed study;

(iv) the procedures that are to be followed to ensure that the health information is permanently de-identified before the publication of results;

(v) the procedures that are to be followed at the completion of the proposed study to ensure that all data containing health information are at least as secure as they were in the sources from which the data was obtained, including the date when the data will be destroyed or returned. These procedures must be in accordance with NPP 4 (See: Appendix 1).

Recording, notification and monitoring of decisions made by an HREC

D.6 Details of the decision made by the HREC regarding proposals to conduct research, or the compilation or analysis of statistics, relevant to public health or public safety, or health service management must be recorded in accordance with paragraph 2.30 of the National Statement on Ethical Conduct in Research Involving Humans (1999).

Whenever the collection, use or disclosure of health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety, or the collection of health information for the purpose of health service management activities are being considered under these guidelines, the HREC must also record details of the following:

(a) the organisation(s) from which health information is sought;

(b) the data items sought from the organisation(s) and approved by the HREC;

(c) the number of records involved;

(d) the NPP to which the proposal applies (NPP 2 or NPP 10);

(e) how and on what grounds the HREC came to the conclusion that it had sufficient information, expertise and understanding of privacy issues either amongst the members of the HREC or otherwise available to it to make a decision that takes proper account of privacy; and

(f) considerations involved in weighing the public interest in the proposed research, compilation or analysis of statistics, or management of a health service activity against the public interest in the protection of privacy, including why de-identified health information would not achieve the purpose of the approved proposal and why it is impracticable to obtain consent from the individual(s) involved.

D.7 It is an obligation of the HREC to monitor proposals approved in accordance with these guidelines for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety, or for the purpose of the management of a health service in accordance with paragraphs 2.33-2.38, ‘Human Research Ethics Committees’, National Statement (1999).

D.8 When the HREC approves a proposal for research, or the compilation or analysis of statistics, relevant to public health or public safety, or for the management of a health service, it must decide whether the proposed activity should commence within a defined period from the date of approval and whether the project should be completed within a set period, and notify those conducting the study of that decision.

E. Responsibilities of the National Health and Medical Research Council (NHMRC)

E.1 The AHEC will report annually to NHMRC in relation to HRECs generally, based on the annual compliance report completed by HRECs. The annual compliance report will include all decisions, and details of these decisions as required by paragraph D.6 of these guidelines.

E.2 The AHEC of the NHMRC may request at any time, information in relation to paragraphs D.6, D.7 and D.8 of these guidelines.

E.3 When there has been a failure to comply with these guidelines the AHEC of the NHMRC will:

(a) Report details of the failure to the Federal Privacy Commissioner and may name those involved in the particular study or the HREC responsible; and

(b) Where that failure involves health information disclosed by an organisation, inform that organisation of details of the failure.

F. Reports to or for the Federal Privacy Commissioner

F.1 AHEC will annually report to the Federal Privacy Commissioner all details recorded under paragraph D.6 of these guidelines, of the research, compilation or analysis of statistics, or health service management activities conducted under these guidelines and shall provide an evaluation of the operation of these guidelines for the year of reporting. AHEC will also include in its report details relating to the number of complaints made under paragraph G.1 (b) of these guidelines.

F.2 AHEC will also provide to the Federal Privacy Commissioner, at his or her request, additional information about the operation of the guidelines, research, compilation or analysis of statistics, or the management of a health service activities conducted under these guidelines and/or failure to comply with these guidelines.

G. Complaints mechanisms

G.1 Complaints may be made to:

(a) The individual(s), institution(s) or organisation(s) conducting the research, or compilation or analysis of statistics, relevant to public health or public safety, or health service management activity; and/or

(b) HRECs concerning the individual(s) or institution(s) involved in the research, or compilation or analysis of statistics, relevant to public health or public safety, or the management of a health service, regarding the conduct of an approved activity that may interfere with the privacy of the individual involved,

[See: paragraphs 2.39-2.43 ‘Human Research Ethics Committees’, National Statement (1999)]; and/or

(c) the Federal Privacy Commissioner concerning the collection, use or disclosure of health information by organisations.

Under section 36(1) of the Privacy Act 1988, an individual may complain to the Privacy Commissioner about an act or practice that may be an interference with the privacy of the individual. Where an organisation seeks to rely on these guidelines to:

(i) collect health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety, or the management of a health service; or

(ii) use and disclose health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety

under Section 95A, an individual may complain if the procedures set out in these guidelines are not followed.

G.2 The AHEC of the NHMRC may request at any time, information in relation to G.1 (b) of these guidelines.

H. Date of Review

H.1 The NHMRC will initiate a review of the adequacy and operation of these guidelines two years from the date of issue on 21 December 2001. This review will complement and coincide with any evaluation of the new privacy legislation.

APPENDIX 1

National Privacy Principles

[from the Privacy Act 1988 (Commonwealth), incorporating the Privacy Amendment (Private Sector) Act 2000 (Commonwealth)]

1 Collection

1.1 An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities.

1.2 An organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.

1.3 At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of:

(a) the identity of the organisation and how to contact it; and

(b) the fact that he or she is able to gain access to the information; and

(c) the purposes for which the information is collected; and

(d) the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and

(e) any law that requires the particular information to be collected; and

(f) the main consequences (if any) for the individual if all or part of the information is not provided.

1.4 If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.

1.5 If an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subclause 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.

2 Use and disclosure

2.1 An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:

(a) both of the following apply:

(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;

(ii) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or

(b) the individual has consented to the use or disclosure; or

(c) if the information is not sensitive information and the use of the information is for the secondary purpose of direct marketing:

(i) it is impracticable for the organisation to seek the individual’s consent before that particular use; and

(ii) the organisation will not charge the individual for giving effect to a request by the individual to the organisation not to receive direct marketing communications; and

(iii) the individual has not made a request to the organisation not to receive direct marketing communications; and

(iv) in each direct marketing communication with the individual, the organisation draws to the individual’s attention, or prominently displays a notice, that he or she may express a wish not to receive any further direct marketing communications; and

(v) each written direct marketing communication by the organisation with the individual (up to and including the communication that involves the use) sets out the organisation’s business address and telephone number and, if the communication with the individual is made by fax, telex or other electronic means, a number or address at which the organisation can be directly contacted electronically; or

(d) if the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety:

(i) it is impracticable for the organisation to seek the individual’s consent before the use or disclosure; and

(ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph; and

(iii) in the case of disclosure—the organisation reasonably believes that the recipient of the health information will not disclose the health information, or personal information derived from the health information; or

(e) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent:

(i) a serious and imminent threat to an individual’s life, health or safety; or

(ii) a serious threat to public health or public safety; or

(f) the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or

(g) the use or disclosure is required or authorised by or under law; or

(h) the organisation reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an enforcement body:

(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;

(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;

(iii) the protection of the public revenue;

(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;

(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

Note 1: It is not intended to deter organisations from lawfully co-operating with agencies performing law enforcement functions in the performance of their functions.

Note 2: Subclause 2.1 does not override any existing legal obligations not to disclose personal information. Nothing in subclause 2.1 requires an organisation to disclose personal information; an organisation is always entitled not to disclose personal information in the absence of a legal obligation to disclose it.

Note 3: An organisation is also subject to the requirements of National Privacy Principle 9 if it transfers personal information to a person in a foreign country.

2.2 If an organisation uses or discloses personal information under paragraph 2.1(h), it must make a written note of the use or disclosure.

2.3 Subclause 2.1 operates in relation to personal information that an organisation that is a body corporate has collected from a related body corporate as if the organisation’s primary purpose of collection of the information were the primary purpose for which the related body corporate collected the information.

2.4 Despite subclause 2.1, an organisation that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual if:

(a) the individual:

(i) is physically or legally incapable of giving consent to the disclosure; or

(ii) physically cannot communicate consent to the disclosure; and

(b) a natural person (the carer) providing the health service for the organisation is satisfied that either:

(i) the disclosure is necessary to provide appropriate care or treatment of the individual; or

(ii) the disclosure is made for compassionate reasons; and

(c) the disclosure is not contrary to any wish:

(i) expressed by the individual before the individual became unable to give or communicate consent; and

(ii) of which the carer is aware, or of which the carer could reasonably be expected to be aware; and

(d) the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (b).

2.5 For the purposes of subclause 2.4, a person is responsible for an individual if the person is:

(a) a parent of the individual; or

(b) a child or sibling of the individual and at least 18 years old; or

(c) a spouse or de facto spouse of the individual; or

(d) a relative of the individual, at least 18 years old and a member of the individual’s household; or

(e) a guardian of the individual; or

(f) exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual’s health; or

(g) a person who has an intimate personal relationship with the individual; or

(h) a person nominated by the individual to be contacted in case of emergency.

2.6 In subclause 2.5:

child of an individual includes an adopted child, a step-child and a foster-child, of the individual.

parent of an individual includes a step-parent, adoptive parent and a foster-parent, of the individual.

relative of an individual means a grandparent, grandchild, uncle, aunt, nephew or niece, of the individual.

sibling of an individual includes a half-brother, half-sister, adoptive brother, adoptive sister, step-brother, step-sister, foster-brother and foster-sister, of the individual.

3 Data quality

An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

4 Data security

4.1 An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

4.2 An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under National Privacy Principle 2.

5 Openness

5.1 An organisation must set out in a document clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it.

5.2 On request by a person, an organisation must take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

6 Access and correction

6.1 If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent that:

(a) in the case of personal information other than health information—providing access would pose a serious and imminent threat to the life or health of any individual; or

(b) in the case of health information—providing access would pose a serious threat to the life or health of any individual; or

(c) providing access would have an unreasonable impact upon the privacy of other individuals; or

(d) the request for access is frivolous or vexatious; or

(e) the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings; or

(f) providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or

(g) providing access would be unlawful; or

(h) denying access is required or authorised by or under law; or

(i) providing access would be likely to prejudice an investigation of possible unlawful activity; or

(j) providing access would be likely to prejudice:

(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or

(ii) the enforcement of laws relating to the confiscation of the proceeds of crime; or

(iii) the protection of the public revenue; or

(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or

(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders;

by or on behalf of an enforcement body; or

(k) an enforcement body performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.

6.2 However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, the organisation may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.

Note: An organisation breaches subclause 6.1 if it relies on subclause 6.2 to give an individual an explanation for a commercially sensitive decision in circumstances where subclause 6.2 does not apply.

6.3 If the organisation is not required to provide the individual with access to the information because of one or more of paragraphs 6.1(a) to (k) (inclusive), the organisation must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.

6.4 If an organisation charges for providing access to personal information, those charges:

(a) must not be excessive; and

(b) must not apply to lodging a request for access.

6.5 If an organisation holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up-to-date.

6.6 If the individual and the organisation disagree about whether the information is accurate, complete and up-to-date, and the individual asks the organisation to associate with the information a statement claiming that the information is not accurate, complete or up-to-date, the organisation must take reasonable steps to do so.

6.7 An organisation must provide reasons for denial of access or a refusal to correct personal information.

7 Identifiers

7.1 An organisation must not adopt as its own identifier of an individual an identifier of the individual that has been assigned by:

(a) an agency; or

(b) an agent of an agency acting in its capacity as agent; or

(c) a contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract.

7.1A However, subclause 7.1 does not apply to the adoption by a prescribed organisation of a prescribed identifier in prescribed circumstances.

Note: There are prerequisites that must be satisfied before those matters are prescribed: see subsection 100(2).

7.2 An organisation must not use or disclose an identifier assigned to an individual by an agency, or by an agent or contracted service provider mentioned in subclause 7.1, unless:

(a) the use or disclosure is necessary for the organisation to fulfil its obligations to the agency; or

(b) one or more of paragraphs 2.1(e) to 2.1(h) (inclusive) apply to the use or disclosure; or

(c) the use or disclosure is by a prescribed organisation of a prescribed identifier in prescribed circumstances.

Note: There are prerequisites that must be satisfied before the matters mentioned in paragraph (c) are prescribed: see subsection 100(2).

7.3 In this clause:

identifier includes a number assigned by an organisation to an individual to identify uniquely the individual for the purposes of the organisation’s operations. However, an individual’s name or ABN (as defined in the A New Tax System (Australian Business Number) Act 1999) is not an identifier.

8 Anonymity

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

9 Transborder data flows

9.1 An organisation in Australia or an external Territory may transfer personal information about an individual to someone (other than the organisation or the individual) who is in a foreign country only if:

(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles; or

(b) the individual consents to the transfer; or

(c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual’s request; or

(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or

(e) all of the following apply:

(i) the transfer is for the benefit of the individual;

(ii) it is impracticable to obtain the consent of the individual to that transfer;

(iii) if it were practicable to obtain such consent, the individual would be likely to give it; or

(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.

10 Sensitive information

10.1 An organisation must not collect sensitive information about an individual unless:

(a) the individual has consented; or

(b) the collection is required by law; or

(c) the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:

(i) is physically or legally incapable of giving consent to the collection; or

(ii) physically cannot communicate consent to the collection; or

(d) if the information is collected in the course of the activities of a non-profit organisation—the following conditions are satisfied:

(i) the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities;

(ii) at or before the time of collecting the information, the organisation undertakes to the individual whom the information concerns that the organisation will not disclose the information without the individual’s consent; or

(e) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.

10.2 Despite subclause 10.1, an organisation may collect health information about an individual if:

(a) the information is necessary to provide a health service to the individual; and

(b) the information is collected:

(i) as required by law (other than this Act); or

(ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation.

10.3 Despite subclause 10.1, an organisation may collect health information about an individual if:

(a) the collection is necessary for any of the following purposes:

(i) research relevant to public health or public safety;

(ii) the compilation or analysis of statistics relevant to public health or public safety;

(iii) the management, funding or monitoring of a health service; and

(b) that purpose cannot be served by the collection of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained; and

(c) it is impracticable for the organisation to seek the individual’s consent to the collection; and

(d) the information is collected:

(i) as required by law (other than this Act); or

(ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation; or

(iii) in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph.

10.4 If an organisation collects health information about an individual in accordance with subclause 10.3, the organisation must take reasonable steps to permanently de-identify the information before the organisation discloses it.

10.5 In this clause:

non-profit organisation means a non-profit organisation that has only racial, ethnic, political, religious, philosophical, professional, trade, or trade union aims.

APPENDIX 2

Privacy Act 1988 (Commonwealth), Section 95A

Overview

(1) This section allows the Commissioner to approve for the purposes of the National Privacy Principles (the NPPs) guidelines that are issued by the National Health and Medical Research Council or a prescribed authority.

Approving guidelines for use and disclosure

(2) For the purposes of subparagraph 2.1(d)(ii) of the NPPs, the Commissioner may, by notice in the Gazette, approve guidelines that relate to the use and disclosure of health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety.

Public interest test

(3) The Commissioner may give an approval under subsection (2) only if satisfied that the public interest in the use and disclosure of health information for the purposes mentioned in that subsection in accordance with the guidelines substantially outweighs the public interest in maintaining the level of privacy protection afforded by the NPPs (other than paragraph 2.1(d)).

Approving guidelines for collection

(4) For the purposes of subparagraph 10.3(d)(iii) of the NPPs, the Commissioner may, by notice in the Gazette, approve guidelines that relate to the collection of health information for the purposes of:

(a) research, or the compilation or analysis of statistics, relevant to public health or public safety; or

(b) the management, funding or monitoring of a health service.

Public interest test

(5) The Commissioner may give an approval under subsection (4) only if satisfied that the public interest in the collection of health information for the purposes mentioned in that subsection in accordance with the guidelines substantially outweighs the public interest in maintaining the level of privacy protection afforded by the NPPs (other than paragraph 10.3(d)).

Revocation of approval

(6) The Commissioner may, by notice in the Gazette, revoke an approval of guidelines under this section if he or she is no longer satisfied of the matter that he or she had to be satisfied of to approve the guidelines.

Review by AAT

(7) Application may be made to the Administrative Appeals Tribunal for review of a decision of the Commissioner to refuse to approve guidelines or to revoke an approval of guidelines.

APPENDIX 3

Joint NHMRC/AVCC Statement and Guidelines on Research Practices, Section 2

Data storage and retention

2.1 Data (including electronic data) must be recorded in a durable and appropriately referenced form. Data management should comply with relevant privacy protocols, such as the Australian Standard on personal privacy protection [25].

2.2 The department or research unit must establish procedures for the retention of data and for the keeping of records of data held.

2.3 Data must be held for sufficient time to allow reference. For data that is published this may be for as long as interest and discussion persists following publication. It is recommended that the minimum period for retention is at least 5 years from the date of publication but for specific types of research, such as clinical research, 15 years may be more appropriate [26].

2.4 Wherever possible, original data must be retained in the department or research unit in which they were generated. Individual researchers should be able to hold copies of the data for their own use. Retention solely by the individual researcher provides little protection to the researcher or the institution in the event of an allegation of falsification of data.

2.5 Data related to publications must be available for discussion with other researchers. Where confidentiality provisions apply (for example, where the researchers or institution have given undertakings to third parties, such as the subjects of the research), it is desirable for data to be kept in a way that reference to them by third parties can occur without breaching such confidentiality.

2.6 Confidentiality agreements to protect intellectual property rights may be agreed between the institution, the researcher and a sponsor of the research. Where such agreements limit free publication and discussion, limitations and restrictions must be explicitly agreed.

2.7 It is the obligation of the researcher to enquire whether confidentiality agreements apply and of the Head of the Department or research unit to inform researchers of their obligations with respect to these provisions.

2.8 All confidentiality agreements should be made known at an early stage to the head of the research institution, or nominated representative.

 

[25] Personal Privacy Protection in Health Care Information Systems, Australian Standard AS 4400-1995.

[26] The December 1991 Guidelines for Good Clinical Research Practice in Australia, published by the Therapeutic Goods Administration of the Commonwealth Department of Health and Family Services, recommends retention of data for at least 15 years.

2.9 The procedures formulated by institutions must include guidelines on the establishment and ownership of and access to databases containing confidential information, and any limits on this.

2.10 When the data are obtained from limited access databases, or via a contractual arrangement, written indication of the location of the original data, or key information regarding the database from which it was collected, must be retained by the researcher or research unit.

2.11 Researchers must be responsible for ensuring appropriate security for any confidential material, including that held in computing systems. Where computing systems are accessible through networks, particular attention to security of confidential data is required. Security and confidentiality must be assured in a way that copes with multiple researchers and the departure of individual researchers.

APPENDIX 4

Office of the Federal Privacy Commissioner—Guidelines on Privacy in the Private Health Sector, Section A.3.5: Health information held before the commencement of the Privacy Act

The new provisions in the Privacy Act are effective from 21 December 2001.

Only some of the National Privacy Principles (NPPs) apply to information collected before 21 December 2001. These include NPP 4 on data security, NPP 5 on openness, NPP 7 on identifiers and NPP 9 on transborder data flows. NPP 6 on access also applies to information already collected, but only where that information is still in use and if compliance would not pose an unreasonable administrative burden or expense.

For further information on when each of the NPPs apply, see the Guidelines on Privacy in the Private Health Sector or the OFPC Information Sheet 10—2001 Application of the Privacy Act to information already held.

APPENDIX 5

Office of the Federal Privacy Commissioner—Information Sheet 9 2001—Handling Health Information for Research and Management, Attachments 1 and 2.

The following diagrams are designed to outline the circumstances in which it is lawful under the National Privacy Principles to collect, use or disclose health information.

Requirements when collecting health information without consent:

• for research or the compilation and analysis of statistics relevant to public health or public safety, or

• for the management, funding or monitoring of a health service.

Requirements for using or disclosing health information for research or the compilation or analysis of statistics relevant to public health or public safety or for health service management activities

APPENDIX 6

Information about the National Statement on Ethical Conduct in Research Involving Humans

The National Statement on Ethical Conduct in Research Involving Humans (National Statement) is a significant advance for research in Australia. It is issued by the National Health and Medical Research Council (NHMRC) under the National Health and Medical Research Council Act 1992. It has been endorsed or supported by the Australian Vice-Chancellors’ Committee, the Australian Research Council, and the Academies of Humanities, Science, Social Sciences, and Technological Science and Engineering.

The National Statement applies to all disciplines of research involving or impacting upon humans. All individuals, institutions and organisations conducting research that involves human participants should use it.

The National Statement provides general ethical principles that should be applied to all research involving humans, as well as guidelines on specific research types, participant groups and other issues.

The National Statement can be downloaded free of charge from the NHMRC web site at http://www.nhmrc.gov.au/publications/synopses/e35syn.htm

It can also be purchased from AusInfo Government Bookshops for $14.00 (inc. GST) by phoning their toll free number 132 447 (catalogue no. 9818566).

The National Health and Medical Research Council

The National Health and Medical Research Council (NHMRC) is a statutory body within the portfolio of the Commonwealth Minister for Health and Aged Care, established by the National Health and Medical Research Council Act 1992. The NHMRC advises the Australian community and Commonwealth, State and Territory Governments on standards of individual and public health, and supports research to improve those standards.

The NHMRC advises the Commonwealth Government on the funding of medical and public health research and training in Australia and supports many of the medical advances made by Australians.

The NHMRC also develops guidelines and standards for the ethical conduct of health and medical research.

The Council comprises nominees of Commonwealth, State and Territory health authorities, professional and scientific colleges and associations, unions, universities, business, consumer groups, welfare organisations, conservation groups and the Aboriginal and Torres Strait Islander Commission.

The Council meets up to four times a year to consider and make decisions on reports prepared by committees and working parties following wide consultation on the issue under consideration.

A regular publishing program ensures that Council’s recommendations are widely available to governments, the community, scientific, industrial and educational groups.

The Council publishes extensively in the following areas:

• Aged care

• Child health

• Clinical practice guidelines

• Communicable diseases

• Dentistry

• Diabetes

• Drugs and poisons

• Drug and substance abuse

• Environmental health

• Ethics – Animal

• Ethics – Human

• Health procedures

• Health promotion

• Infection control

• Men’s health

• Mental health

• NHMRC – National Health and Medical Research Council

• Nutrition

• Public health

• Research

• Sport/Injury

• Women’s health

• Workforce

A list of current publications is available from:

The Publications Officer

ONHMRC

MDP 100

GPO Box 9848

Canberra ACT 2601

Phone: (02) 6289 9520 (24-hour answering machine)

Toll free: 1800 020 103

Fax: (02) 6289 9197

E-mail: nhmrc.publications@health.gov.au

Internet: http://www.nhmrc.health.gov.au