15.14 Under National Privacy Principle (NPP) 10.3 of the Privacy Act, health information may be collected without consent for research purposes if obtaining consent is impracticable, de-identified information would not be suitable, and the collection is in accordance with guidelines issued by the NHMRC and approved by the Privacy Commissioner under s 95A of the Act (the s 95A Guidelines).
15.15 Under NPP 2.1(d), health information may be used or disclosed without consent for research purposes if obtaining consent is impracticable, the use or disclosure is conducted in accordance with the s 95A Guidelines and, in the case of disclosure, it is reasonably believed that the recipient will not disclose the information.
15.16 When a proposal for medical research would involve a breach of the Information Privacy Principles (IPPs), consent requirements may be waived in accordance with the s 95 Guidelines. The s 95 Guidelines apply to medical research that involves use or disclosure of personal information, typically without the consent of the person to whom it relates, where the information is held by a Commonwealth agency.
15.17 The Privacy Commissioner may approve s 95 Guidelines (in relation to the IPPs) and s 95A Guidelines (in relation to the NPPs) only where he or she is satisfied that the ‘public interest’ in research or in the use and disclosure of health information in accordance with the guidelines ‘substantially outweighs the public interest’ in maintaining adherence to the IPPs or the NPPs.
15.18 The s 95 and s 95A Guidelines provide that an HREC should not approve research that would otherwise breach the Privacy Act unless it considers that the public interest in the research outweighs to a substantial degree the public interest in privacy. Each set of guidelines provides a similar framework for weighing these interests. HRECs are directed to consider certain specified matters, including the value and public importance of the research, the likely benefits to the participants, whether the research design can be modified, the financial costs of not proceeding with the research, the type of personal information being sought, the risk of harm to individuals and the extent of possible breach of privacy.
15.19 Non-compliance with the s 95 Guidelines may lead to researchers being named in the NHMRC’s annual report or in a report to a Commonwealth agency or the federal Privacy Commissioner. Where the conduct of an organisation or agency is in breach of the Privacy Act, affected individuals may complain to, and have their complaints investigated by an adjudicator under an approved privacy code or by the federal Privacy Commissioner.
15.20 The s 95 and s 95A Guidelines do not apply to the collection, use and disclosure of health or other personal information in research by individuals or organisations that are not covered by the Privacy Act. For example, the Privacy Act does not apply to state public sector entities, including public teaching hospitals and associated research bodies, where such bodies are established for a public purpose under a law of a State.However, these organisations may be covered by state legislation.
15.21 As discussed in more detail in Chapter 21, a disclosure that is permitted by the Privacy Act may nonetheless breach the common law. While the Privacy Act permits the disclosure of patient health information to medical researchers without consent, disclosure may nevertheless breach a common law duty of confidentiality. The determination of an HREC that personal information can ethically be disclosed does not necessarily provide protection against an action for breach of confidence.
Privacy Act 1988 (Cth) NPP 10.3(a)–(d)(iii). Information may also be collected as required by law or in accordance with ‘rules established by competent health or medical bodies that deal with obligations of professional confidentiality’: NPP 10.3(d)(i)–(ii).
 Ibid NPP 2.1(d).
 Ibid ss 95(2), 95A(3).
 National Health and Medical Research Council, Guidelines Under Section 95 of the Privacy Act 1988 (2000), NHMRC, Canberra [3.3]; National Health and Medical Research Council, Guidelines Approved Under Section 95A of the Privacy Act 1988 (2001) National Health and Medical Research Council, D.5.
 See National Health and Medical Research Council, Guidelines Under Section 95 of the Privacy Act 1988 (2000), NHMRC, Canberra [3.3(a)]–[3.3(h)]; National Health and Medical Research Council, Guidelines Approved Under Section 95A of the Privacy Act 1988 (2001) National Health and Medical Research Council [D.5(a)]–[D.5(k)].
 National Health and Medical Research Council, Guidelines Under Section 95 of the Privacy Act 1988 (2000), NHMRC, Canberra [4.3].
 See Privacy Act 1988 (Cth) Pt V.
 Ibid ss 6C(1), 6C(3)(c).
 For example, Health Records Act 2001 (Vic) Health Privacy Principle 1.1(e)(iii); 2.2(g)(iii). These provisions allow for the collection, use and disclosure of health information for research without the consent of the individuals concerned in accordance with guidelines issued or approved by the Health Services Commissioner under s 22.
Privacy Act 1988 (Cth) NPP 2.1(d).
 It has been suggested that the law should be clarified to ensure that the use of personal information in medical research in circumstances where it would constitute a breach of confidence shall be lawful, provided the research has received ethics approval: Law Reform Commission of Western Australia, Report on Confidentiality of Medical Records and Medical Research, 65 (1990), Law Reform Commission of Western Australia, Perth, Pt II [6.1]; Rec 1. See also C Thomson, ‘Records, Research and Access: What Interests Should Outweigh Privacy and Confidentiality? Some Australian Answers’ (1993) 1 Journal of Law and Medicine 95; R Magnusson, ‘Confidentiality and Consent in Medical Research’ (1995) 17(4) Sydney Law Review 549, 549.