Research exceptions to the model Unified Privacy Principles

65.152 Part D of this Report recommends a set of model UPPs. In this section the ALRC recommends exceptions to the ‘Collection’ principle and the ‘Use and Disclosure’ principle to allow research using identified or reasonably identifiable personal information without consent to proceed, where the public interest in allowing the research to go forward outweighs the public interest in maintaining the level of privacy protection provided by the UPPs.

65.153 Currently, NPP 10.3 provides, in part, that health information may be collected without consent where necessary for research, or the compilation or analysis of statistics, where:

  • it is relevant to public health or public safety;

  • the purpose cannot be served by the collection of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained;

  • it is impracticable for the organisation to seek the individual’s consent to the collection; and

  • the information is collected as required by law; or in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation; or in accordance with guidelines approved under s 95A.

65.154 In addition, NPP 10.4 provides that if an organisation collects health information about an individual in accordance with NPP 10.3, the organisation must take reasonable steps to permanently de-identify the information before the organisation discloses it.

65.155 NPP 2.1(d) provides that an organisation may use or disclose health information without consent where necessary for research, or the compilation or analysis of statistics, where:

  • it is relevant to public health or public safety;

  • it is impracticable for the organisation to seek the individual’s consent before the use or disclosure;

  • the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under s 95A; and

  • in the case of disclosure—the organisation reasonably believes that the recipient of the health information will not disclose that information, or personal information derived from that information.

Discussion Paper proposals

65.156 In DP 72 the ALRC proposed that a similar regime should be established under the model UPPs, applying to agencies and organisations, with the following modifications.

65.157 The ‘Collection’ principle expressly allows the collection of sensitive information without consent where the collection is required or authorised by or under law. It was not necessary, therefore, to include this specifically in the provision dealing with collection of sensitive information for research. In addition, and as discussed in Chapter 63, the OPC is not aware of any existing rules established by competent health or medical bodies that would fulfil the requirements of NPP 10.3. Consequently, the ALRC omitted the references to these two mechanisms from the proposed research exceptions. Instead, the research exceptions provided that personal information could be collected, used and disclosed without consent where necessary for research if all of the following conditions were met:

  • the purpose could not be served by the collection of information that did not identify the individual;

  • it was impracticable for the agency or organisation to seek the individual’s consent;

  • an HREC was satisfied that the public interest in the activity outweighed the public interest in maintaining the level of privacy protection provided by the UPPs; and

  • the information was collected, used and disclosed in accordance with rules to be issued by the Privacy Commissioner.

65.158 The Section 95 and 95A Guidelines are issued by the NHMRC and approved by the Privacy Commissioner. Once approved and gazetted the guidelines become binding. Because of the recommendation to expand the scope of the research exception beyond health and medical research to apply to human research generally,[185] the ALRC indicated that it was no longer appropriate to rely on the NHMRC alone to develop guidelines for the conduct of research. The ALRC proposed that the research exceptions to the model UPPs simply provide that the rules to guide the conduct of research should be issued by the Privacy Commissioner, who would consult with stakeholders, including the authors of the National Statement, in developing the rules.

65.159 In contrast to NPP 1, the ‘Collection’ principle deals with the collection of both sensitive and non-sensitive information. The ‘Collection’ principle does not require consent for the collection of non-sensitive information and so the research exception was limited to the collection of sensitive information.

65.160 The ALRC also proposed that NPP 10.4 should be re-worded so that the provision no longer required that reasonable steps be taken to ‘permanently de-identify’ information before it is disclosed. It is sufficient to require agencies and organisations that collect sensitive information under the research exception to take reasonable steps to ensure that the information is not disclosed in a form that would identify individuals or from which individuals would be reasonably identifiable. This approach is more consistent with the definition of ‘personal information’ discussed in Chapter 6.[186] Where information is not about an identified or reasonably identifiable individual, it will not fall within the recommended definition of ‘personal information’ and will no longer be covered by the Privacy Act.

Submissions and consultations

65.161 The AIC strongly supported the ALRC’s proposed research exceptions to the ‘Collection’ principle and the ‘Use and Disclosure’ principle.[187] Other stakeholders also expressed support.[188] PIAC expressed qualified support for the exceptions, but was concerned about the use of the word ‘reasonable’ in the context of taking ‘reasonable’ steps to ensure that information is not disclosed in a form that would identify individuals or from which individuals would be reasonably identifiable. PIAC also questioned the use of the phrase ‘reasonably believes’, in the context of an agency or organisation ‘reasonably believing’ that the recipient of personal information will not disclose the information in a form that would identify individuals, or from which individuals would be reasonably identifiable.[189]

65.162 The OPC agreed with some elements of the proposed research exceptions but, as discussed above, did not support: expanding the exceptions to include human research generally; requiring the Privacy Commissioner to issue the Research Rules; or amending the public interest test from ‘substantially outweighs’ to ‘outweighs’.[190]

ALRC’s view

65.163 It is appropriate to require agencies and organisations that have collected personal information for research purposes to take ‘reasonable steps’ to ensure that it is not possible to identify individuals from their published results. Reasonable steps might include, for example, applying techniquesemployed by the ABS and other agencies, and discussed in Chapter 6—such as data suppression, data rounding and category collapsing. While these techniques minimise the risk that individuals will be identifiable, it is not always possible to ensure absolutely that no-one will be able to identify individual involved. In these circumstances, it would be inappropriate to impose absolute liability on agencies and organisations to ensure that information is not disclosed in an identifiable form.

65.164 It is also appropriate to impose a requirement that agencies and organisations ‘reasonably believe’ that the recipient of the personal information will not disclose the information in an identifiable form. Where agencies and organisations are not, themselves, in control of personal information because it has been disclosed to a researcher for use in a research project, for example, it is not possible for those agencies and organisations to ensure absolutely that the researcher will handle the information appropriately. On the other hand, the agency or organisation should be required to have a reasonable belief that this will occur. A ‘reasonable belief’ cannot be without foundation, and the agency or organisation would have to be able to indicate those factors that provided the basis for the belief—for example: the good reputation and past best practices of the researcher; and the arrangements put in place between the agency or organisation and the researcher to ensure that the information was handled appropriately.

65.165 The following recommendations set out the elements the ALRC considers should be included in the research exceptions to the UPPs.

Recommendation 65-8 The research exception to the ‘Collection’ principle should provide that an agency or organisation may collect personal information, including sensitive information, about an individual where all of the following conditions are met:

(a) the collection is necessary for research;

(b) the purpose cannot be served by the collection of information that does not identify the individual;

(c) it is unreasonable or impracticable for the agency or organisation to seek the individual’s consent to the collection;

(d) a Human Research Ethics Committee—constituted in accordance with, and acting in compliance with, the National Statement on Ethical Conduct in Human Research as in force from time to time—has reviewed the proposed activity and is satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the Privacy Act; and

(e) the information is collected in accordance with the Research Rules, to be issued by the Privacy Commissioner.

Where an agency or organisation collects personal information about an individual under this exception, it must take reasonable steps to ensure that the information is not disclosed in a form that would identify the individual or from which the individual would be reasonably identifiable.

Recommendation 65-9 The research exception to the ‘Use and Disclosure’ principle should provide that an agency or organisation may use or disclose personal information where all of the following conditions are met:

(a) the use or disclosure is necessary for research;

(b) it is unreasonable or impracticable for the agency or organisation to seek the individual’s consent to the use or disclosure;

(c) a Human Research Ethics Committee—constituted in accordance with, and acting in compliance with, the National Statement on Ethical Conduct in Human Research as in force from time to time—has reviewed the proposed activity and is satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the Privacy Act;

(d) the information is used or disclosed in accordance with the Research Rules, to be issued by the Privacy Commissioner; and

(e) in the case of disclosure—the agency or organisation reasonably believes that the recipient of the personal information will not disclose the information in a form that would identify the individual or from which the individual would be reasonably identifiable.

[185] Rec 65–2.

[186] Rec 6–1.

[187] Australian Institute of Criminology, Submission PR 461, 12 December 2007.

[188] Medicare Australia, Submission PR 534, 21 December 2007; Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007; University of Western Sydney Human Research Ethics Committee, Submission PR 418, 7 December 2007.

[189] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[190] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.