64.28 The IPPs themselves do not refer to the use of personal information for health and medical research. Section 95 of the Privacy Act, however,provides as follows:
(1) The CEO of the National Health and Medical Research Council may, with the approval of the Commissioner, issue guidelines for the protection of privacy in the conduct of medical research.
(2) The Commissioner shall not approve the issue of guidelines unless he or she is satisfied that the public interest in the promotion of research of the kind to which the guidelines relate outweighs to a substantial degree the public interest in maintaining adherence to the Information Privacy Principles.
(3) Guidelines shall be issued by being published in the Gazette.
(a) but for this subsection, an act done by an agency would breach an Information Privacy Principle; and
(b) the act is done in the course of medical research and in accordance with guidelines under subsection (1);
the act shall be regarded as not breaching that Information Privacy Principle.
(5) Where the Commissioner refuses to approve the issue of guidelines under subsection (1), an application may be made to the Administrative Appeals Tribunal for review of the Commissioner’s decision.
64.29 The current Guidelines under Section 95 of the Privacy Act 1988 (Section 95 Guidelines) were issued in 2000. Once these guidelines were approved by the Privacy Commissioner and published in the Australian Government Gazette, they gained the force of law. If an agency does an act in the course of medical research that would have breached the IPPs but is consistent with the Section 95 Guidelines, the act is regarded as not breaching the IPPs.
 National Health and Medical Research Council, Guidelines under Section 95 of the Privacy Act 1988 (2000).