Extending the Privacy Act to fill the gaps

Benefits of extending the Act

8.55 There are some clear benefits in applying information privacy principles to the handling of genetic samples. In addition to those highlighted above, organisations would have to comply with legally enforceable standards for the physical security of holdings of genetic samples and would not be permitted to retain samples without a clearly defined purpose.[58] Genetic samples would not be able to be sent outside Australia unless reasonable steps were taken to ensure that the privacy of the samples is adequately protected by the recipient in the overseas jurisdiction.[59]

8.56 The need to comply with privacy principles would have the salutary effect of requiring organisations to articulate their policies with regard to the use, transfer and storage of genetic samples.[60] There are benefits in promoting more openness about, and public understanding of, the ways in which samples are dealt with. Openness and accountability may reduce the need for other sector-specific regulation—including, for example, the licensing or registration of human genetic research databases.[61]

8.57 It may be argued that the benefits of such reform may be limited because, as soon as information is derived from samples, the protection of the Privacy Act will immediately apply in any case.[62] However, regulating the genetic samples brings regulation closer to the point of collection and may make it more effective in practice. The Centre for Law and Genetics stated that extending privacy protection to samples

will ensure that all of the people who come into possession of genetic samples are bound by privacy obligations, irrespective of whether or not they, themselves, extract genetic information. This will improve the capacity to keep track of the use and transfer of genetic samples from the source to the end user of genetic information.[63]

8.58 If a genetic sample is passed through a chain of hands, the organisation that ultimately uses it may breach the Privacy Act, but the individual from whom the sample comes is less likely to be aware of the offending use or to be able to enforce his or her rights under the Act. Further, the ultimate user may be an organisation or individual not covered by the Act.[64]

8.59 As noted above, samples and associated information often travel in tandem, but there may be situations in which they come into different hands. For example, when a sample is sent for analysis to a pathology laboratory it may be accompanied by information about the gender and Medicare number of the patient, the conditions to be tested for, the name of the treating physician and so on. At the laboratory, the sample may be separated from this information and have only an identifier (a name or code) attached. The sample will not be covered by the Act, yet the potential exists for the sample to become re-associated with the medical records or other personal information of the patient at some future time.[65]

8.60 Extending the Privacy Act to cover samples also has the advantage of using an existing and well-developed regulatory framework, under the oversight of the Office of the Federal Privacy Commissioner (OFPC). This regulatory framework includes mechanisms for complaint investigation, conciliation and determination, the approval of industry privacy codes, the publication of privacy guidelines and the making of public interest determinations.

8.61 Privacy protection for samples may also best be achieved by building on concepts that are already becoming familiar to health professionals and others involved in handling identifiable bodily samples. The culture of privacy compliance is well-established in the professional groups most involved with the handling of bodily samples. For example, respect for the privacy of persons and information is well understood as an underpinning of ethical conduct in medical research, notably as expressed in the National Statement, which governs how researchers deal with both genetic samples and genetic information in research.

8.62 While it would be possible to draft an appropriate set of minimum privacy standards for the fair handling of bodily samples from scratch, the framework provided by existing information privacy principles is a logical place to start.

Other jurisdictions

8.63 With the exception of New South Wales,[66] no other Australian jurisdiction applies information privacy principles explicitly to bodily samples. DP 66 noted that, while the New South Wales legislation has been in operation since 1 July 2000, the coverage of bodily samples has not led to noticeable controversy.

8.64 The idea of applying information privacy protection to genetic samples is beginning to attract attention in other jurisdictions, including in the United States and the United Kingdom. In the United States, an April 2002 report prepared by the Health Privacy Project, Georgetown University, noted that the Health Insurance Portability and Accountability Act 1996 (US) ‘does not protect tissue, blood, or any other bodily source of a person’s genetic information’—despite the fact that samples are relatively easy to obtain. The report concluded that ‘genetic source materials’ need privacy protection.[67]

8.65 In the United Kingdom, a November 2002 report by William Lowrance for the Nuffield Trust considered whether genetic materials should be considered as ‘personal data’. The report noted that an analogy often suggested is with fingerprints, which are treated as personal data under most data protection (information privacy) regimes.[68] However, the report concluded that:

Medical specimens containing DNA and linked to personal identifiers probably should not be considered personal data just because they contain DNA, but they should be held in medical confidentiality as is customary.[69]

[58] See Privacy Act 1988 (Cth) NPP 4.

[59] See Ibid, NPP 9.

[60] See Ibid, NPP 5.

[61] See Australian Law Reform Commission and Australian Health Ethics Committee, Protection of Human Genetic Information, DP 66 (2002), ALRC, Sydney, Proposal 15–1.

[62] Assuming the organisation concerned is covered by the Privacy Act.

[63] Centre for Law and Genetics, Submission G255, 21 December 2002.

[64] For example, because the user is an individual testing the sample ‘other than in the course of a business’: Privacy Act 1988 (Cth) s 7B(1). However, testing a sample without consent might nevertheless constitute a breach of the new criminal offence proposed by the Inquiry: see Australian Law Reform Commission and Australian Health Ethics Committee, Protection of Human Genetic Information, DP 66 (2002), ALRC, Sydney, Proposal 5–4, 5–5.

[65] As discussed earlier in this Report, if a name or other identifier, by itself, can constitute information about an individual in terms of the Privacy Act, the effective gaps in the privacy protection of genetic samples may be more limited than indicated above.

[66] Privacy and Personal Information Protection Act 1998 (NSW); Health Records and Information Privacy Act 2002 (NSW).

[67] J Hustead, A Cunningham and J Goldman, Genetics and Privacy: A Patchwork of Protections (2002), California HealthCare Foundation, Oakland, 27.

[68] W Lowrance, Learning from Experience: Privacy and the Secondary Use of Data in Health Research (2002), The Nuffield Trust, London, 34.

[69] Ibid, 35.