Allens Arthur Robinson

New privacy laws to govern research activities

From 21 December this year, new Commonwealth private sector privacy laws will come into effect (for more, see the dedicated AAR privacy site). These laws will govern various categories of personal information that have not previously been subject to regulation in Australia. Under the new laws, many private sector organisations will have to comply with the 10 National Privacy Principles (NPPs), unless they subscribe to another Code approved by the Federal Privacy Commissioner.


The new laws will affect the collection, use, disclosure and maintenance of Health Information in research activities (although the use of health information obtained from Commonwealth government agencies is already regulated).

What is Health Information?

Under the new laws, Health Information includes information or an opinion about matters such as the health or disability of a person, an individual's wishes with respect to the provision of future health services, health services provided to an individual and other personal information collected in order to provide a health service or in connection with organ, body part or substance donation. 

How will the new laws affect the use of Health Information in research activities?

Health Information is a category of sensitive information, which cannot, as a general rule, be collected under the new laws without the person's consent. However, the NPPs also provide an exception which allows the collection, use and disclosure of Health Information which is necessary for research that is 'relevant to public health' under certain conditions where it is 'impracticable' for the research organisation to seek an individual's consent first. Current Draft Health Privacy Guidelines issued by the Federal Privacy Commissioner (14 May 2001) note that an example of this might be where there is no current address for a person whose health information is being used in research and also insufficient details about identity to find an up-to-date address.

For this exception to apply, however, it must also be shown that the research purpose cannot be served by 'de-identified' information (from which the identity of each individual cannot reasonably be ascertained) and the research must take place in accordance with guidelines approved by the Privacy Commissioner under section 95A of the Privacy Act.

Under section 95A of the Act, the Privacy Commissioner may approve Guidelines issued by the NHMRC for these purposes. The NHMRC has now issued draft Guidelines for public comment. The draft Guidelines provide that a Human Research Ethics Committee must consider a wide range of matters (including whether it has sufficient information, expertise and understanding of privacy issues itself) before deciding whether or not the public interest in the proposed research activity substantially outweighs the public interest in the protection of privacy. If it does, then the research activity may be carried out.

It is important to remember that these Guidelines will not necessarily displace the application of other NPPs. For example, the NPPs also provide that organisations must take reasonable steps:

  • where health information has been collected without consent, to de-identify it before it is disclosed;
  • to protect personal information from misuse, loss, and unauthorised access, modification or disclosure;
  • to destroy or permanently de-identify personal information when it is no longer required; and
  • to let any person who asks know what sort of personal information the organisation holds, for what purposes and how it collects, holds, uses and discloses that information. 

Subject to a number of exceptions, organisations must also give individuals access to any personal information they hold about them, on request.

Victorian Health Records Act 2001

From July next year, private sector organisations involved in research in Victoria will also have to comply with the recently passed Health Records Act. The Victorian Act contains 11 Health Privacy Principles (HPPs). These govern the collection, use, disclosure and maintenance of health information, which is defined similarly to the way it is defined under the federal legislation (although it more explicitly includes the genetic information and psychological health of an individual).

The HPPs contain an exemption similar to the exemption under the federal legislation. The Victorian exemption is for the collection, use and disclosure of health information that is necessary for 'research...in the public interest' if it is impracticable to seek consent from the relevant individual and the research purpose cannot be served by de-identified data. Under the Victorian Act, the collection, use and disclosure then must be in accordance with guidelines issued or approved by the Victorian Health Services Commissioner. It remains to be seen whether these will be similar to the NHMRC Guidelines.

Please contact Karin Clark if you would like more information about the impact of these new privacy laws.