17.08.2010
Use and disclosure for primary and secondary purposes
63.63 IPPs 10 and 11 and NPP 2 regulate the use and disclosure of personal information. IPP 10 provides that information, including health information, may be used for the purpose it was collected or a directly related purpose. If it is to be used for any other purpose the person who wishes to use the information must have the consent of the individual concerned. IPP 11 provides that information may not be disclosed to a person, body or agency unless the individual concerned is reasonably likely to have been aware that information of that kind is usually passed to that person, body or agency. Otherwise, the person who wishes to disclose the information must have the consent of the individual concerned. There are several exceptions to these rules, including where use or disclosure of the information is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
63.64 NPP 2 provides that sensitive information, including health information, may be used or disclosed for the ‘primary purpose of collection’ or a secondary purpose where the secondary purpose is directly related to the primary purpose of collection and the individual concerned would reasonably expect the organisation to use or disclose the information for that secondary purpose. If it is to be used for any other purpose the person who wishes to use the information must have the consent of the individual concerned. There are several exceptions to this rule, including where the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious and imminent threat to an individual’s life, health or safety or a serious threat to public health or public safety.
63.65 Concern was expressed in the course of the Senate Legal and Constitutional References Committee inquiry into the Privacy Act (Senate Committee privacy inquiry)[63] and the OPC Review[64] that the concept of ‘primary purpose of collection’ in NPP 2 may be interpreted in a narrow way and impede the provision of holistic health care and the appropriate management of an individual’s health.
63.66 In its submission to the OPC Review, the AMA expressed the view that the primary purpose of collection should be ‘to provide for the person’s health care and general well being … unless another meaning is specifically agreed to between the doctor and the patient’. The AMA also noted that the primary purpose should not be limited to a particular episode of care:
The care of a patient’s health and well being is not achieved by episodic care. The process is not static, nor can it be temporally defined. One’s past health and well being impacts on one’s current health and well being which in turn influences one’s future health and well being.[65]
63.67 The OPC Review noted that:
There is an intentionally close relationship between the primary purpose and the directly related purpose provisions at NPP 2.1(a), which in this context means that with open communication between a health service provider and an individual (something to be expected in the delivery of quality health care), a holistic approach to care can be agreed either explicitly or implicitly. In other words, where the individual expects their health information to be used in the delivery of health care to them in a holistic manner, it is permissible under NPP 2.[66]
63.68 The OPC Review stated that the OPC would work with the health sector to develop further guidance about the operation of NPP 2 as it specifically relates to the issue of primary and secondary purpose in the health services context.[67]
63.69 The regime established for using and disclosing health information in NHPP 2 of the draft National Health Privacy Code is similar to NPP 2, in that it allows the use and disclosure of health information for the primary purpose of collection and directly related secondary purposes within the reasonable expectations of the health consumer. However, NHPP 2 also allows the use of health information without consent where all of the following apply:
(i) the organisation is a health service provider providing a health service to the individual; and
(ii) the use is for the purpose of the provision of further health services to the individual by the organisation; and
(iii) the organisation reasonably believes that the use is necessary to ensure that the further health services are provided safely and effectively; and
(iv) the information is used in accordance with guidelines, if any, issued for the purposes of this paragraph.
63.70 In IP 31, the ALRC asked whether guidance by the OPC was an appropriate and effective response to concerns about the provisions of NPP 2 and the use and disclosure of health information.[68]
Submissions and consultations
63.71 The NHMRC’s submission described a number of situations in which health service providers might be unclear about their obligations under the Privacy Act:
For example, a patient is admitted to a hospital for acute care, and the hospital contacts the patient’s general practitioner and asks him or her to disclose health information about the patient for the purpose of ongoing clinical care. There is not a serious and imminent threat to the patient’s life, health or safety. The general practitioner does not have direct access to the patient to obtain consent to the disclosure of their health information. Nevertheless, good clinical practice requires its timely disclosure.[69]
63.72 The NHMRC stated that, while use or disclosure in these circumstances might well be a directly related secondary purpose, it will not always be clear to general practitioners whether individuals would reasonably expect their health information to be disclosed in these circumstances. The NHMRC was of the view, therefore, that use and disclosure to other health care providers of health information for the purposes of the current care of an individual health consumer should be permitted explicitly without any additional requirement that the health consumer would reasonably expect the information to be used or disclosed in this way.[70]
63.73 The Australian Nursing Federation (ANF) submitted, however, that if health information is collected with consent and appropriate information is provided to individuals, ‘then there should be little impediment to the appropriate management of the individual’s health’.[71]
63.74 The OPC remained of the view that NPP 2 sits comfortably with the ‘relationships of trust and good communication that are the hallmark of good practice in the health sector’ and that NPP 2 does not require amendment. The OPC suggested that it is not always, or even usually, necessary for health service providers to seek the consent of an individual before using or disclosing their health information to other members of a treatment team.[72]
63.75 The OPC also argued that a holistic approach to the provision of health services can be accommodated by the ‘directly related secondary purpose within the reasonable expectations of the individual’ test in NPP 2. The OPC noted that this test is consistent with the ethical principles set out in the AMA’s Code of Ethics,[73] including respect for the individual; health care as a collaboration between doctor and patient; and patient confidentiality. The OPC did not agree that the primary purpose of collection should be broadly defined as providing ‘for the person’s health care and general well being’, as this would allow use and disclosure of health information without taking the health consumer’s reasonable expectations into account or, alternatively, seeking consent.
63.76 The OPC was not of the view that NHPP 2 provided a better framework for the use and disclosure of health information. The OPC stated that NHPP 2 was unnecessarily lengthy and complex, and that the discretions conferred by the provision did not give adequate weight to individuals’ wishes and expectations about the way that their health information is used and disclosed.
63.77 A number of other stakeholders, however, were more supportive of NHPP 2.[74] One stakeholder expressed support on that the basis that NHPP 2 provides clearer guidance on when it is appropriate to use and disclose health information in the health services context, particularly in relation to ongoing health care.[75]
63.78 The OPC reiterated the recommendations from its review that further guidance on the operation of NPP 2 in the health services context would be provided:
This may include updating information sheets, providing greater access to these and other Office resources, and publishing articles in prominent health sector publications. A clearer understanding of how these terms operate would allow health service providers to be more confident in using and disclosing patients’ information for appropriate and mutually anticipated purposes, and ensure individuals receive enough information to retain control over the direction of their healthcare.[76]
63.79 A number of other stakeholders agreed that further guidance was necessary and appropriate.[77]
Discussion Paper 72
63.80 The ALRC did not make a proposal in relation to this issue in DP 72, but expressed support for the OPC Review recommendation that further guidance be developed for health care providers on the use and disclosure of health information in the provision of health services. The ALRC perceived a lack of clarity on the meaning of the principles among health service providers, which is particularly undesirable if it is preventing the flow of health information from one health service provider to another in appropriate circumstances.
ALRC’s view
63.81 The ALRC notes that the OPC recently issued detailed guidance on the use and disclosure of health information in the health services context. Information Sheet 25, Sharing Health Information to Provide a Health Service, includes guidance on the meaning of ‘directly related purpose’ and notes that, in the health services context, directly related purposes ‘are likely to include anything to do with the patient’s care or wellbeing’.[78] The Information Sheet also discusses how to establish an individual’s reasonable expectations and includes a series of case studies to illustrate how the principle might operate in practice.
63.82 The test set out in NPP 2 and incorporated in the ‘Use and Disclosure’ principle—that the use or disclosure of health information must be for the primary purpose of collection or a directly related secondary purpose within the reasonable expectations of the individual—is appropriate and workable in the health services context. An individual’s health information should not be used or disclosed in ways that are outside his or her reasonable expectations, except in very specific circumstances. These circumstances are set out in the exceptions to the ‘Use and Disclosure’ principle, for example, where the use or disclosure is required or authorised by or under law.
63.83 The regulation recommended above—to allow health service providers to collect health information if the information is necessary to provide a health service to the individual and the individual would reasonably expect the agency or organisation to collect the information for that purpose—in combination with detailed guidance from the OPC on the sharing of information in the health services context, will address the issues identified by stakeholders in the course of this Inquiry.
Disclosure to a person responsible for an individual
63.84 NPP 2.4 makes special provision for the disclosure of health information to ‘a person who is responsible for the individual’, where the individual is physically or legally incapable of giving consent to the disclosure or physically cannot communicate this consent. Such disclosures may only be made by health service providers in the health services context. The health service provider must be satisfied that the disclosure is necessary to provide appropriate care or treatment to the individual or the disclosure must be made for compassionate reasons. The disclosure must not be contrary to any wish expressed by the individual—before the individual became unable to give or communicate consent—of which the health service provider is aware or could reasonably be expected to be aware. The disclosure must be limited to that information that it is reasonable to disclose in the circumstances.
63.85 NPPs 2.5 and 2.6 define ‘a person who is responsible for the individual’ as:
a parent of the individual;
a child or sibling of the individual and at least 18 years old;
a spouse or de facto spouse of the individual;
a relative of the individual, at least 18 years old and a member of the individual’s household;
a guardian of the individual;
exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual’s health;
a person who has an intimate personal relationship with the individual; or
a person nominated by the individual to be contacted in case of emergency.[79]
Discussion Paper proposals
63.86 In DP 72, the ALRC proposed a number of changes to the NPPs dealing with ‘a person responsible for the individual’. The first proposal was that the provisions should be moved to the new Privacy (Health Information) Regulations and should be expressed to apply to agencies and organisations. The relevant NPPs only deal with health information in the health services context and, as discussed in Chapter 60, the ALRC’s view is that such provisions should not be included in the body of the UPPs but should be set out in regulations expressed to amend the UPPs.
63.87 In DP 72, the ALRC also proposed that the Privacy Act be amended to include an ‘authorised representative’ mechanism. Where an individual was incapable of giving consent, making a request or exercising a right under the Act, the ALRC proposed that an ‘authorised representative’ of that individual be allowed to make these decisions on behalf of the individual. An ‘authorised representative’ was to be defined as a guardian appointed under law; a guardian appointed under an enduring power of attorney; a person with parental responsibility for the individual; or otherwise empowered under law to act as agent in the best interests of the individual.[80] As a consequence, the ALRC also proposed that the definition of ‘a person responsible for the individual’ be amended to include a reference to an ‘authorised representative’.[81]
63.88 In order to provide consistency across federal legislation, the ALRC also proposed that the reference to ‘de facto spouse’ in NPP 2.5 should be changed to ‘de facto partner’, in line with recommendations made in the report, Uniform Evidence Law (ALRC 102).[82]
Submissions and consultations
63.89 A number of stakeholders expressed support for these proposals.[83] Carers Australia noted that the provisions allow information to flow to family members and carers in appropriate circumstances:
Historically, the privacy legislation has had unintended consequences especially in restricting carers’ access to information which is necessary to perform their caring role. There is a mounting body of evidence that suggests carer participation in assessment, treatment and care planning is critical in both the treatment and recovery of the person and the wellbeing of the carer. This has particularly been demonstrated in the area of mental health. In the same way that the potential for negative outcomes for an individual occur as a result of a restriction of the sharing of information between treating teams, the same risks exist if information is not adequately shared with carers as they are the major providers of support to people with disability, illness or injury.[84]
63.90 Carers Australia noted that NPP 2.4(b) currently refers to a person providing a health service as a ‘carer’ and suggested that a more appropriate term would be ‘health service worker’ or something similar. The OPC agreed with this view, stating that:
The Office is aware that some terminology used in NPP 2.4 may be a source of confusion to providers and others. In particular, NPP 2.4 uses the term ‘carer’ to signify the health professional who is providing care, rather than the everyday usage of that term, which generally aligns more with the person ‘responsible’ for the individual.[85]
63.91 Carers Australia also expressed concern about NPP 2.4(c), which provides that disclosures can be made if they are not contrary to the expressed wishes of the individual. Carers Australia noted that this provision may give rise to difficulties, especially in the mental health area, where individuals may experience paranoia about the motives of family, friends and carers, or may be in denial about their condition:
Despite having had a positive relationship with their family in the past, they may request that information is not provided to them. While this is the person’s expressed wish, it is doubtful if they currently have the capacity to make that decision. Whilst the legislation would still allow for the provision of information to families and friends, the interpretation of health service workers routinely denies families information in such situations.[86]
63.92 The NHMRC stated that it was important to ensure that information can be disclosed to an individual’s primary carer, even where that carer is not a relative and does not hold a legal power of attorney or guardianship order. The NHMRC pointed to the Guardianship and Administration Act 1986 (Vic), which defines ‘primary carer’ as ‘any person who is primarily responsible for providing support or care to a person’.[87]
63.93 The ACT Government Department of Disability, Housing and Community Services drew attention to the provisions of the Health Records (Privacy and Access) Act 1997 (ACT). This Act allows disclosures to ‘a person responsible for the consumer’s care’ where ‘in the record keeper’s opinion, the disclosure is necessary to enable the carer to safely and effectively provide appropriate services to, or care for, the consumer’. The Department added that:
In regard to multiple carers and the Review of Australian Privacy Laws, the Department recommends ensuring multiple carers are recognised, in particular young carers, in the flow of information between health service providers. Increasingly young people are taking on the primary caring responsibilities for their parents and siblings.[88]
63.94 The OPC also drew attention to carers under the age of 18, stating that:
In particular, the Office notes that while NPP 2.5 refers to children ‘at least 18 years of age’, a significant number of carers are under 18 years of age, including some primary carers. Carers Australia provides anecdotal evidence that young carers may in some cases be ‘overlooked or not consulted by health practitioners in discussions about the care or treatment of the person they care for, because they are children’. Unless carers under 18 years are recognised as ‘authorised representatives’, they would not be able to receive information from providers for treatment or compassionate reasons under NPP 2.4 or its equivalent.[89]
ALRC’s view
63.95 It is important to include provisions in the new Privacy (Health Information) Regulations allowing disclosures of health information in the health services context to people who are responsible for an individual where the individual is incapable of providing consent to the disclosure. The regulations should be modelled on the existing NPPs 2.4 to 2.6 with the following amendments.
63.96 The regulations should be expressed to apply to agencies and organisations as both provide health services and regularly interact with health consumers, their families, legal representatives and carers. The regulations should allow disclosures to any person who is ‘primarily responsible for providing support or care to the individual’. The current provisions do not cover a sufficiently wide range of carers; for example, they may not cover family friends performing caring responsibilities or paid professional carers. For the reasons put forward by Carers Australia and the OPC, above, the provisions should not use the term ‘carer’ to refer to the health service provider.
63.97 The ALRC notes the difficulties raised by Carers Australia in relation to the requirement that the disclosure must not be contrary to the expressed wishes of the individual. This is, however, an appropriate limit on the provisions. If an individual has requested that personal health information not be disclosed to a particular person, that request should be respected. It is a matter for health service providers’ judgement as to whether an individual had capacity to make that decision at the time it was expressed.
63.98 For the reasons discussed in Chapter 70, the ALRC no longer supports the introduction of the ‘authorised representative’ mechanism into the Privacy Act. Instead, the new regulations should refer to ‘a substitute decision maker authorised by a federal, state or territory law to make decisions about the individual’s health’.
63.99 The ALRC also recommends that there should be no express age limit included in the definition of ‘a person responsible for an individual’. Children and other family and household members under 18 often play the role of primary carer. Health service providers should have the discretion to disclose an individual’s health information to these people in the circumstances set out in NPP 2.4. In considering whether to disclose an individual’s health information to a person who is under the age of 18, a health service provider should consider, on a case-by-case basis, that person’s maturity and capacity to understand the information.
63.100 Finally, the Privacy Act should be amended to refer to ‘de facto partner’ rather than ‘de facto spouse’. The Act should define ‘de facto partner’ as ‘a person in a relationship as a couple with another person to whom he or she is not married’. This is consistent with the ALRC’s recommendations in ALRC 102.[90]
Recommendation 63-3 National Privacy Principles (NPPs) 2.4 to 2.6—dealing with the disclosure of health information by a health service provider to a person who is responsible for an individual—should be moved to the new Privacy (Health Information) Regulations. The new regulations should provide that, in addition to the other provisions of the ‘Use and Disclosure’ principle, an agency or organisation that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual, if the individual is incapable of giving consent to the disclosure and all the other circumstances currently set out in NPP 2.4 are met. In addition, the new regulations should:
(a) be expressed to apply to both agencies and organisations;
(b) not refer to a health service provider who may make a disclosure under these provisions as a ‘carer’; and
(c) define ‘a person who is responsible for an individual’ as:
(i) a parent, child or sibling of the individual;
(ii) a spouse or de facto partner of the individual;
(iii) a relative of the individual who is a member of the individual’s household;
(iv) a substitute decision maker authorised by a federal, state or territory law to make decisions about the individual’s health;
(v) a person who has an intimate personal relationship with the individual;
(vi) a person nominated by the individual to be contacted in case of emergency; or
(vii) a person who is primarily responsible for providing support or care to the individual.
In considering whether to disclose an individual’s health information to a person who is responsible for an individual and who is under the age of 18, a health service provider should consider, on a case-by-case basis, that person’s maturity and capacity to understand the information.
Recommendation 63-4 The Privacy Act should be amended to provide a definition of ‘de facto partner’ in the following terms: ‘de facto partner’ means a person in a relationship as a couple with another person to whom he or she is not married.
Use and disclosure of genetic information
63.101 The Privacy Legislation Amendment Act 2006 (Cth), passed in September 2006, amended NPP 2.1 to allow the use or disclosure of an individual’s genetic information, without consent, where necessary to lessen or prevent a serious threat to the life, health or safety of a genetic relative of the individual. Any such use or disclosure must be done in accordance with guidelines issued by the NHMRC and approved by the Privacy Commissioner.[91] In February 2008, the NHMRC issued draft guidelines for public consideration and comment.[92]
Discussion Paper proposal
63.102 In DP 72, the ALRC proposed that this provision be moved to the new Privacy (Health Information) Regulations and that the regulation should be expressed to apply to both agencies and organisations. In DP 72, the ALRC also proposed that, where guidelines are intended to be binding, they should be called ‘rules’,[93] and that the rules to be issued in relation to the use and disclosure of genetic information should be issued by the Privacy Commissioner.[94]
63.103 A number of stakeholders expressed support for these proposals.[95] The NHMRC noted that the relevant rules should be developed in close consultation with the NHMRC.[96] The OPC was of the view that the rules should be issued by the NHMRC and approved by the Privacy Commissioner.[97]
ALRC’s view
63.104 ‘Health information’ is defined to include genetic information in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual. Currently, provisions relating to the use and disclosure of genetic information where necessary to lessen or prevent a serious threat to the life, health or safety of a genetic relative are included in the NPPs. As the provisions relate to the use and disclosure of a form of health information obtained in the health services context, the ALRC recommends that they should be included in the new Privacy (Health Information) Regulations.
63.105 The use and disclosure of genetic information in these circumstances would normally be in breach of the UPPs. In this respect, the new regulation will be similar in effect to PIDs. As discussed in detail in Chapter 47, PIDs are developed and ‘made’ by the Privacy Commissioner. This level of involvement and control by the regulator is appropriate in circumstances where the level of protection provided by the UPPs is to be modified. By way of contrast, privacy codes, developed by industry and ‘approved’ by the Privacy Commissioner, cannot derogate from the protection provided by the UPPs. This distinction is appropriate. Where collection, use and disclosure of personal information are to be allowed in circumstances that derogate from the UPPs, the Privacy Commissioner should retain primary responsibility for the development and issue of the rules that regulate that activity.
63.106 The guidelines, currently issued under s 95AA of the Privacy Act, are intended to be binding and to form part of the legal framework within which genetic information may be used and disclosed. The ALRC considers that the ‘rules’ which would replace the ‘guidelines’ should be formally issued by the Privacy Commissioner. The Privacy Commissioner would be free to develop the rules in consultation with the NHMRC and other relevant stakeholders.
Recommendation 63-5 The new Privacy (Health Information) Regulations should include provisions similar to those set out in National Privacy Principle 2.1(ea) on the use and disclosure of genetic information where necessary to lessen or prevent a serious threat to the life, health or safety of a genetic relative. These regulations should apply to both agencies and organisations. Any use or disclosure under the new regulations should be in accordance with rules issued by the Privacy Commissioner.
[63] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [5.63].
[64] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 264–265.
[65] Australian Medical Association, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 21 December 2004.
[66] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 263.
[67] Ibid, recs 77–78.
[68] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 8–17.
[69] National Health and Medical Research Council, Submission PR 114, 15 January 2007.
[70] Ibid.
[71] Australian Nursing Federation, Submission PR 205, 22 February 2007.
[72] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.
[73] Australian Medical Association, Code of Ethics (2004).
[74] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007; Department of Health Western Australia, Submission PR 139, 23 January 2006; Centre for Law and Genetics, Submission PR 127, 16 January 2007.
[75] Confidential, Submission PR 570, 13 February 2008.
[76] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.
[77] Australian Nursing Federation, Submission PR 205, 22 February 2007; Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007; Department of Health Western Australia, Submission PR 139, 23 January 2006; A Smith, Submission PR 79, 2 January 2007.
[78] Office of the Privacy Commissioner, Sharing Health Information to Provide a Health Service, Information Sheet 25 (2008).
[79] The terms ‘child’, ‘parent’, ‘relative’ and ‘sibling’ are defined in NPP 2.6.
[80] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 61–2.
[81] Ibid, Proposal 57–4(c).
[82] Australian Law Reform Commission, New South Wales Law Reform Commission and Victorian Law Reform Commission, Uniform Evidence Law, ALRC 102 (2005), Rec 4–4.
[83] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.
[84] Carers Australia, Submission PR 423, 7 December 2007.
[85] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[86] Carers Australia, Submission PR 423, 7 December 2007.
[87]Guardianship and Administration Act 1986 (Vic) s 3.
[88] ACT Government Department of Disability, Housing and Community Services, Submission PR 495, 19 December 2007.
[89] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[90] Australian Law Reform Commission, New South Wales Law Reform Commission and Victorian Law Reform Commission, Uniform Evidence Law, ALRC 102 (2005), Recs 4–4, 4–5.
[91]Privacy Act 1988 (Cth) s 95AA. This amendment was intended to implement, in part, Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), Rec 21–1.
[92] National Health and Medical Research Council, Disclosure of Genetic Information to a Patient’s Genetic Relatives Under Section 95AA of the Privacy Act 1988 (Cth): Guidelines for Health Practitioners in the Private Sector, Consultation Draft (2008).
[93] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 44–2.
[94] Ibid, Proposal 57–5.
[95] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.
[96] National Health and Medical Research Council, Submission PR 397, 7 December 2007.
[97] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.