Management, funding and monitoring of health services

63.176 In its submission to the OPC Review, the NHMRC stated that health information was important in three areas: the provision of health services; management activities related to the provision of health services; and the conduct of research. The NHMRC noted that management activities include, for example: quality assurance; quality improvement; policy development; planning; evaluation; and cost-benefit analysis:

The availability of health information without consent for quality assurance, research, and related activities is crucial to the safety and quality of clinical care, now and in the future. These activities, while similar in nature and intent, are currently subject to complex and different requirements under the Privacy Act, depending on the setting in which they are conducted and whether they are characterised as quality assurance or research.[172]

63.177 The OPC has issued guidance on the use and disclosure of health information for management, funding and monitoring activities, noting that:

Such activities are likely to include those reasonably necessary for the ordinary running of the health service, including activities that support the community’s expectation that appropriately high standards of quality and safety will be maintained. These expectations may be underpinned by professional standards or legal obligations.[173]

Management, funding or monitoring of a health service under the NPPs

63.178 The NPPs go some way towards acknowledging the public interest in allowing the use of health information in the management activities of health service providers. NPP 10.3 allows the collection of health information without consent in limited circumstances for:

  • research relevant to public health or public safety;

  • the compilation or analysis of statistics relevant to public health or public safety; or

  • the management, funding or monitoring of a health service.

63.179 Although there is some overlap across these three areas, this chapter focuses on the third—that is, the management, funding and monitoring of health services. (Research is discussed in detail in Chapters 64, 65 and 66). The compilation and analysis of statistics relevant to public health or public safety can be conducted for research purposes or for management, funding or monitoring purposes. The ALRC does not propose to deal with this issue separately on the basis that, where the compilation or analysis of statistics is done for the purposes of the management, funding or monitoring of a health service, the activity can be subsumed in the provisions dealing with management, funding and monitoring activity.

63.180 Under the NPPs, health information may be collected without consent for management, funding and monitoring activities in the following circumstances. An organisation must consider whether it could use de-identified information to achieve its purpose. If this is not possible, it must be impracticable for the organisation to seek the consent of all the individuals involved. Finally, the information must be collected:

  • as required by law;

  • in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation; or

  • in accordance with guidelines approved by the Privacy Commissioner under s 95A of the Privacy Act.[174]

As required by law

63.181 NPP 10.3(d)(i) allows for collection of health information without consent where the collection is required by law. The OPC notes, for example, that:

A radiologist is required under section 23DS of the Health Insurance Act to produce records of diagnostic imaging services, if requested by the Chief Executive Office of Medicare Australia. Under regulation 20 of the Health Insurance Regulations 1975, the radiologist is required to provide the name of the individual to whom the imaging service was provided and the date of the service.[175]

63.182 The ‘Collection’ principle allows the collection of sensitive information, including health information, without consent where the collection is required or authorised by or under law.[176] The ‘Use and Disclosure’ principle permits the use and disclosure of personal information, including health information, without consent where the use or disclosure is required or authorised by or under law.[177] It is not necessary, therefore, to include these elements specifically in the provision dealing with collection, use and disclosure of health information without consent for the management, funding, or monitoring of a health service. Where collection, use or disclosure is required or authorised by or under law, for any purpose, it is permissible under the relevant principles.

In accordance with rules on professional confidentiality

63.183 NPP 10.2 also allows the collection of health information for management, funding and monitoring of a health service when it is done in accordance with ‘rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation’. The OPC indicated that it was not aware of any existing binding rules in the health sector that would meet these criteria.[178]

In accordance with s 95A Guidelines

63.184 Section 95A of the Privacy Act authorises the Privacy Commissioner to approve guidelines issued by the NHMRC in relation to the collection of health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety or the management, funding or monitoring of a health service. Section 95A also allows the Privacy Commissioner to approve guidelines on the use and disclosure of health information under NPP 2.1(d)(ii) for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety. NPP 2 does not refer specifically to management, funding and monitoring of a health service. Before approving any such guidelines, the Privacy Commissioner must be satisfied that the public interest in the collection, use or disclosure of health information without consent for these purposes substantially outweighs the public interest in maintaining the level of privacy protection afforded by the NPPs.[179]

63.185 Currently, the Section 95A Guidelines require Human Research Ethics Committee (HREC) approval for management, funding or monitoring activities based on NPP 10.3(d)(iii). The NHMRC has noted that it is often difficult to distinguish management activities, such as quality assurance, from research in the health services context. It is of the view that, where such activities amount to research, they should always be conducted in accordance with the Section 95A Guidelines and be subject to review by an HREC.[180] For example, a hospital may collect information about surgical mortality rates for quality assurance purposes, but that information may also form the basis of a research project by hospital staff or others. The NHMRC has published some guidance on how to make the distinction between quality assurance activities and research, but suggests that even in relation to quality assurance activities that ‘could infringe ethical principles that guide human research, independent ethical scrutiny of such proposals should be sought.’[181]

63.186 As noted above, while NPP 10 expressly provides for the collection of health information for management, funding or monitoring of a health service, NPP 2 does not expressly provide for the use or disclosure of health information for the same purpose. NPP 2 does allow, however, for the use and disclosureof health information without consent for a purpose directly related to the primary purpose for which the information was collected where the person would reasonably expect the organisation to use or disclose the information for that purpose.

63.187 The OPC Review stated that disclosure of health information for management activities generally would be within the reasonable expectations of individuals.[182] In response to concerns that the position is not clear, however, the OPC Review recommended that the OPC issue guidance to clarify when organisations can disclose health information for the management, funding and monitoring of a health service.[183] The OPC subsequently issued an Information Sheet, which stated that:

While health information will generally be collected by health service providers to afford treatment to patients, some health service management activities will be directly related purposes … Health service management activities that may be directly related purposes include service-monitoring, funding, complaint-handling, planning, evaluation and accreditation activities.

They may also include disclosures to a medical expert for medico-legal opinion, an insurer, a medical defence organisation, or lawyer, solely for the purpose of addressing liability indemnity arrangements, for example, in reporting an adverse incident.

Marketing, fund-raising, or research are unlikely to be directly related purposes, and generally consent should be obtained. In addition, training that does not relate to the direct provision of health care is also unlikely to be directly related and consent should be sought.[184]

63.188 In relation to ‘reasonable expectations’, the OPC noted that:

A patient’s expectations can be effectively managed through good provider-patient communication. This usually means the patient has been told the use or disclosure would happen, or they would expect it to happen in the context of why they provided the information in the first place. If the patient would not reasonably expect the use or disclosure that the provider has in mind, such as for managing a health service, then the provider will usually need to get the patient’s consent before proceeding.[185]

Management, funding or monitoring of a health service under the IPPs

63.189 Management activities are undertaken in both the public and the private health sectors. The IPPs, however, do not make specific reference to management, funding and monitoring activities and so it is necessary to interpret the basic principles to decide whether it is possible to use health information in the public sector for such activities.

63.190 The use of health information for management activities may involve collection, use or disclosure of the information. IPP 1 allows collection of health information so long as it is for a lawful purpose, directly related to the activities of the agency. IPP 1 does not require consent to collect personal information, including health information. This would seem to allow collection of health information by public sector health service providers for management, funding and monitoring activities directly related to the agency’s activities.

63.191 IPP 10 allows use of health information without consent for the primary purpose for which it was collected and any directly related secondary purpose. As noted above, the OPC is of the view that a range of management, funding and monitoring activities are directly related to the collection of health information in the context of providing a health service to an individual.

63.192 IPP 11 allows disclosureof health information without consent where the individual concerned is reasonably likely to have been aware that health information was usually disclosed to the particular person, body or agency. As noted above, the OPC considers that this issue can be addressed by reasonable provider-consumer communication.

State and territory legislation

63.193 Both the New South Wales Health Records and Information Privacy Act and the Victorian Health Records Act expressly provide for the use or disclosure of health information without consent in the public and private sectors for various management activities related to funding, planning, monitoring, improvement or evaluation of health services, and for training provided to employees or others working with the health services organisation.[186] Any such use or disclosure is subject to certain criteria; for example, it must be impracticable to seek individuals’ consent and reasonable steps must be taken to de-identify the information. Use or disclosure of health information for management activities under these Acts does not depend on establishing that it is a directly related secondary purpose or that it would be within individuals’ reasonable expectations.

Issues Paper 31

63.194 In IP 31, the ALRC asked whether guidance by the OPC to clarify that organisations can disclose health information for the management, funding and monitoring of a health service was an appropriate and effective response to the lack of clarity in this area.[187]

63.195 The NHMRC submitted that:

The complexity of these provisions has not been resolved for NHMRC stakeholders by the guidance provided to date by the Office of the Privacy Commissioner, partly because of the restrictions imposed by the ‘reasonable expectation’ requirement on the circumstances in which health information can be used or disclosed for quality assurance and related activities, and partly because of the underlying inconsistencies in relation to disclosure on the one hand and collection on the other. Much greater clarity of the status of these important activities is required.[188]

63.196 Other major stakeholders also expressed the view that further guidance from the OPC would not be an adequate response to concerns. These stakeholders supported amending the Privacy Act to deal expressly with the collection, use and disclosure of health information for management activities.[189]

63.197 The NHMRC and the Australian Commission on Safety and Quality in Health Care (ACSQHC) suggested that collection, use and disclosure of health information without consent for management activities be allowed where it is conducted in accordance with guidelines issued by the Privacy Commissioner or, alternatively, a PID issued by the Privacy Commissioner. Both stakeholders also expressed the view that some of this activity could proceed legitimately without being subject to review by an HREC.[190] The ACSQHS also noted that, for most quality and safety indicators, a probabilistic matching process can be used, and individuals need not be uniquely identified.[191]

63.198 A final issue that was raised by the Australian Health Insurance Association (AHIA) concerned the use of health information to report on the charging practices and performance of health service providers.

At present the National Privacy Principles (NPPs) are interpreted to mean that health funds must have the consent of practitioners to disclose their billing practices or information on the number and types of procedures and other services they perform. This can be regarded as business rather than personal information and it must be questioned whether this was the intended effect of the privacy laws and NPPs.[192]

63.199 The OPC has stated that if an individual’s identity can be determined from business information, then the information is personal information for the purposes of the Privacy Act. Where this information is sensitive information, including health information, it generally must be collected with consent.[193]

63.200 The AHIA noted the following recommendations of the Taskforce on Reducing the Regulatory Burden on Business:

The Australian Government should facilitate the publication of industry-wide data on the charging practices of individual medical specialists.[194]

The Australian Government should amend laws to enable data on hospital treatment outcomes to be published.[195]

63.201 In August 2006, the Australian Government agreed in principle with these recommendations and undertook to improve the information available to health consumers. It made clear, however, that:

Information about doctors’ fees needs to be considered sensitively as it relates directly to the charging practices of medical specialists, and impacts directly on the interface between the medical provider and the consumer … [and] proposals to publish data on hospital treatment outcomes need to be considered sensitively as they relate to the clinical outcomes of decisions made by health care providers.[196]

63.202 Although the Privacy Act has an impact on the publication of this kind of information, the issue is not, primarily, a privacy issue. As noted in the Australian Government response to Rethinking Regulation, the publication of detailed information on the charging practices and performance of health service providers is likely to have industry-wide implications, and any proposed reform will need to take these into account. A detailed consideration of these issues falls outside the terms of reference for this Inquiry. While the Privacy Act would not stand in the way of this kind of regulatory reform, in the absence of such reform the Privacy Act will apply to such information.

Discussion Paper proposals

63.203 In DP 72, the ALRC proposed that the Privacy (Health Information) Regulations should make express provision for the collection, use and disclosure of health information without consent where necessary for the funding, management, planning, monitoring, improvement or evaluation of a health service. This would be allowed where:

  • the purpose could not be achieved by the collection, use or disclosure of information that did not identify the individual;

  • it was impracticable for the agency or organisation to seek the individual’s consent before the collection, use or disclosure; and

  • the collection, use or disclosure was conducted in accordance with rules issued by the Privacy Commissioner.[197]

63.204 The ALRC also proposed that the Privacy Act be amended to empower the Privacy Commissioner to issue rules in relation to the handling of personal information for the funding, management, planning, monitoring, improvement or evaluation of a health service.[198]

63.205 The ALRC’s proposals were premised on the existence of a clear public interest in allowing the collection, use and disclosure of health information for the funding, management, planning, monitoring, improvement or evaluation of health services in defined circumstances. In the ALRC’s view, the public interest in allowing such activities to proceed outweighs the public interest in maintaining the level of privacy protection provided by the NPPs. The ALRC was not persuaded that individuals would be aware or expect that their health information was collected, used and disclosed without consent for such activities. It is important to allow such activities to proceed, whether or not they fall within individuals’ reasonable expectations.

63.206 The ALRC adopted the more detailed description of management, funding and monitoring activities from provisions in the draft National Health Privacy Code, the New South Wales Health Records and Information Privacy Act and the Victorian Health Records Act—that is, funding, management, planning, monitoring, improvement or evaluation of health services—to make clear that health information can also be used to evaluate and improve the provision of health services.[199]

63.207 The proposed rules to be issued by the Privacy Commissioner were intended to replace the ‘rules established by competent health or medical bodies that deal with obligations of professional confidentiality’ required by NPP 10.3(d)(ii) and the guidelines—issued by the NHMRC and approved by the Privacy Commissioner under s 95A of the Privacy Act—required by NPP 10.3(d)(iii).

63.208 The ALRC noted that some funding, management, planning, monitoring, improvement and evaluation activities also may be characterised as research. Where particular activities can be characterised as both management activities and research, the ALRC expressed the view that the activity should be conducted in accordance with the proposed rules issued by the Privacy Commissioner in relation to management activities and should also be subject to the provisions relating to research, discussed in Chapters 64–66.

63.209 The New South Wales and Victorian health privacy legislation and the draft National Health Privacy Code allow the use of health information without consent for training purposes in some circumstances.[200] The ALRC expressed the view that the public interest balance in relation to training activities is not the same as the public interest balance in ensuring the quality and safety of health care. Health information used in the training context should be used in accordance with the proposed UPPs; and special provision should not be made for this activity.

Submissions and consultations

63.210 The AMA submitted that allowing the collection, use and disclosure of health information without consent for the funding, management, planning, monitoring, improvement or evaluation of a health service was a very broad exception, and had the potential to affect the relationship of trust and confidentiality between health service providers and consumers. The AMA also expressed concern about the use of the term ‘impracticable’ in relation to ‘impracticable to seek consent’, and asked whether this would include mere inconvenience or cost.[201]

63.211 The NHMRC also expressed concern about the use of the term ‘impracticable’:

We note, however, that in some circumstances a consent requirement which may result in less than full access to relevant records is likely to damage the validity of a quality assurance project or program. We are concerned that potential damage to the validity of a project or program by seeking consent may not be interpreted consistently as an issue of ‘impracticality’; in such circumstances seeking consent may be viewed as ‘practicable’ in the sense that subjects are easily contactable, thereby precluding the relevant collection despite the project or program being in the overall public interest.[202]

63.212 The Australian Privacy Foundation, on the other hand, expressed support for the proposal, noting that it set a high threshold for use of health information without consent for management purposes:

As noted earlier, it is all too easy for agencies and organisations to assert a need for collection, use and disclosure of personal information on grounds of administrative convenience or efficiency. Particularly in the case of health information, it needs to be established that the use of personally identifiable information is necessary and that seeking consent is impracticable—not merely inconvenient or expensive.[203]

63.213 Other key stakeholders also expressed support for the proposal[204] and for the related proposal that the Privacy Commissioner be empowered to issue binding rules in relation to the use of health information in the funding, management, planning, monitoring, improvement or evaluation of a health service.[205] Privacy NSW was also supportive, noting that:

In our view individuals would be unlikely to expect that their personal information will be collected, used or disclosed for funding, management, planning, monitoring, improvement or evaluation of health services. We therefore welcome the proposal that there be limitations placed on the collection, use or disclosure of health information for those purposes, and that the OPC be given the power to issue guidelines in relation to these matters.[206]

63.214 The OPC also supported the proposals in general terms, but indicated that the proposed rules should be issued by the NHMRC and approved by the Privacy Commissioner. In addition, the OPC was of the view the term ‘improvement’ was an unnecessary addition to the list of allowable activities.[207]

63.215 The Health Informatics Society of Australia suggested a number of other options in relation to such management activities. These included:

  • a one-off review by an HREC of current and future management activities where the HREC would have to be satisfied that the policies and practices established provided sufficient privacy protection;

  • an approval process that did not involve HRECs but was based on a clear definition of the activity as one intended to improve local service delivery;

  • the development of guidelines by the NHMRC to provide adequate regulation.[208]

63.216 The OPC and other stakeholders agreed with the ALRC that the public interest balance in relation to training activities was not the same as the public interest balance in ensuring the quality and safety of health care, and that special provision should not be made for this activity.[209] A number of other stakeholders, however, did not agree, arguing that appropriately trained health service providers are fundamental to the delivery of high quality and safe health services.[210]

ALRC’s view

63.217 Funding, management, planning, monitoring and evaluation of health services should be able to proceed in defined circumstances using individuals’ health information without consent. The recommendation below makes clear that, generally, these activities can and should be conducted either on the basis of consent, or using health information that does not identify individuals. Identifiable health information may only be used where the purpose cannot be achieved using information that does not identify individuals. In addition, it must be unreasonable or impracticable to seek individuals’ consent and any collection, use or disclosure must be conducted in accordance with binding rules issued by the Privacy Commissioner.

63.218 The ALRC has dropped the reference to ‘improvement’ of a health service, on the basis that this is subsumed in evaluation and planning activities.

63.219 The ALRC has modified the wording dealing with consent suggested in DP 72. The recommendation below requires that it be ‘unreasonable or impracticable’ rather than just ‘impracticable’ to seek consent. This acknowledges that, while it might be practicable to seek consent in terms of it being logistically possible, seeking consent may lead to an incomplete or biased sample due to self selection. It is important to ensure that the integrity and validity of management activities aimed at safety and quality in the health care sector are not compromised in this way.[211]

63.220 Since binding rules form part of the legal framework for handling health information without consent, these should be issued by the Privacy Commissioner. The rules could address issues such as: who may collect, use and disclose identified health information without consent for management activities; limits on further use and disclosure of the information; requirements to destroy information, and requirements to render health information non-identifiable before publication of any management papers or reports.

63.221 The NHMRC has noted that management activity that does not amount to research should not require review by an HREC.[212] The ALRC agrees with this view and has recommended that such activity should proceed simply in accordance with the management rules issued by the Privacy Commissioner.

63.222 The ALRC recognises, however, that some funding, management, planning, monitoring and evaluation activities may also be characterised as research. Where particular activities can be characterised as both management activities and research, the activity should be conducted in accordance with the management rules issued by the Privacy Commissioner and should also be subject to the provisions relating to research, discussed in Chapters 65 and 66. The research exceptions recommended in those chapters, like the Section 95 and 95A Guidelines, provide for review of research proposals by an HREC.

63.223 Finally, it is possible that, while not amounting to research, some management activity may still require ethical review. The NHMRC has provided guidance on when this might be necessary, for example, where a proposed quality assurance activity poses risks for, or imposes burdens on, health consumers beyond those of their routine care.[213] The ALRC notes this advice, although the broader issue of ethical review of management activities is outside the Inquiry’s terms of reference.

63.224 The public interest balance in relation to training activities is not the same as the public interest balance in ensuring the quality and safety of health care. Health information used in the training context should be used in accordance with the UPPs and special provision should not be made for this activity.

63.225 Finally, health consumers should be made aware, as far as possible, that their health information may be used without consent for the funding, management, planning, monitoring, or evaluation of a health service.

Recommendation 63-9 The new Privacy (Health Information) Regulations should provide that, in addition to the other provisions of the ‘Collection’ principle and the ‘Use and Disclosure’ principle, an agency or organisation may collect, use or disclose health information where necessary for the funding, management, planning, monitoring, or evaluation of a health service where:

(a) the purpose cannot be achieved by the collection, use or disclosure of information that does not identify the individual or from which the individual would not be reasonably identifiable;

(b) it is unreasonable or impracticable for the agency or organisation to seek the individual’s consent before the collection, use or disclosure; and

(c) the collection, use or disclosure is conducted in accordance with rules issued by the Privacy Commissioner.

Recommendation 63-10 The Privacy Act should be amended to empower the Privacy Commissioner to issue rules in relation to the handling of personal information for the funding, management, planning, monitoring, or evaluation of a health service.

[172] National Health and Medical Research Council, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 10 December 2004.

[173] Office of the Privacy Commissioner, Use and Disclosure of Health Information for Management, Funding and Monitoring of a Health Service, Private Sector Information Sheet 23 (2008).

[174]Privacy Act 1988 (Cth) sch 3, NPP 10.3.

[175] Office of the Privacy Commissioner, Use and Disclosure of Health Information for Management, Funding and Monitoring of a Health Service, Private Sector Information Sheet 23 (2008).

[176] See Ch 21.

[177] See Ch 25.

[178] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[179] The current guidelines were issued in 2001: National Health and Medical Research Council, Guidelines Approved under Section 95A of the Privacy Act 1988 (2001) (the Section 95A Guidelines).

[180] National Health and Medical Research Council, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 10 December 2004.

[181] National Health and Medical Research Council, When Does Quality Assurance in Health Care Require Independent Ethical Review? (2003), 3. For the purposes of this Report, it is necessary to distinguish between the need for compliance with privacy legislation and the need for ethical review. Ethical review may include an analysis of privacy and confidentiality issues but is also concerned with the welfare and other rights of participants.

[182] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 210.

[183] Ibid, rec 61.

[184] Office of the Privacy Commissioner, Use and Disclosure of Health Information for Management, Funding and Monitoring of a Health Service, Private Sector Information Sheet 23 (2008).

[185] Ibid.

[186]Health Records and Information Privacy Act 2002 (NSW) sch 1, HPP 10; Health Records Act 2001 (Vic) sch 1, HPP 2.2.

[187] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 8–9.

[188] National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[189] Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; Department of Health Western Australia, Submission PR 139, 23 January 2006; National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[190] Australian Commission on Safety and Quality in Health Care, Submission PR 252, 14 March 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[191] Australian Commission on Safety and Quality in Health Care, Submission PR 252, 14 March 2007.

[192] Australian Health Insurance Association, Submission PR 161, 31 January 2007.

[193] Office of the Privacy Commissioner, Frequently Asked Questions: When is Business Information Covered by the Privacy Act? <www.privacy.gov.au/faqs/bf/q8.html> at 30 April 2008.

[194] Regulation Taskforce 2006, Rethinking Regulation: Report of the Taskforce on Reducing Regulatory Burdens on Business, Report to the Prime Minister and the Treasurer (2006), rec 4.11.

[195] Ibid, rec 4.12.

[196] Australian Government, Rethinking Regulation: Report of the Taskforce on Reducing Regulatory Burdens on Business—Australian Government’s Response (2006), 5–6.

[197] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 57–9.

[198] Ibid, Proposal 57–10.

[199] National Health Privacy Working Group of the Australian Health Ministers’ Advisory Council, Draft National Health Privacy Code (2003), NHPP 2.2(f)(i).

[200]Health Records and Information Privacy Act 2002 (NSW) sch 1, HPP 10(1)(e); Health Records Act 2001 (Vic) sch 1, HPP2.2(f)(ii); National Health Privacy Working Group of the Australian Health Ministers’ Advisory Council, Draft National Health Privacy Code (2003), NHPP 2.2(f)(ii).

[201] Australian Medical Association, Submission PR 524, 21 December 2007.

[202] National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[203] Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[204] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; National Prescribing Service, Submission PR 547, 24 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[205] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[206] Privacy NSW, Submission PR 468, 14 December 2007.

[207] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[208] Health Informatics Society of Australia, Submission PR 554, 2 January 2008.

[209] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[210] Confidential, Submission PR 570, 13 February 2008; Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007.

[211] This issue is discussed in detail in relation to research results in Ch 65.

[212] National Health and Medical Research Council, When Does Quality Assurance in Health Care Require Independent Ethical Review? (2003), 5.

[213] Ibid, 6.