Section 95 and 95A Guidelines

65.3 As discussed in Chapter 64, the Guidelines under Section 95 of the Privacy Act 1988[2] (the Section 95 Guidelines) relate to research conducted by public sector agencies bound by the IPPs. The Guidelines approved under Section 95A of the Privacy Act 1988[3] (the Section 95A Guidelines) relate to research conducted by private sector organisations bound by the NPPs. For a range of reasons, including differences in the enabling provisions, the two sets of guidelines are not identical. The Office of the Privacy Commissioner’s (OPC) review of the private sector provisions of the Privacy Act (the OPC Review) noted stakeholder concerns that having two sets of guidelines gives rise to inconsistency and confusion, leading to conservative and incorrect decision making.[4] The National Health and Medical Research Council (NHMRC) expressed the view that this was hindering the conduct of effective health and medical research.[5]

65.4 A number of stakeholders, including the NHMRC, expressed strong support for a single set of principles and a single set of guidelines regulating health information in the conduct of health and medical research.[6] In response, the OPC Review stated that ‘the Privacy Act is not intended to restrict important medical research’[7] and made the following recommendation:

As part of a broader inquiry into the Privacy Act … the Australian Government should consider … how to achieve greater consistency in regulating research activities under the Privacy Act.[8]

Discussion Paper proposals

65.5 In the Discussion Paper, Review of Australian Privacy Law (DP 72),[9] the ALRC proposed that the arrangements under the Privacy Act for conducting research should be streamlined, and noted that a nationally consistent privacy regime applying to both agencies and organisations, including a single set of Unified Privacy Principles (UPPs), would eliminate the problems inherent in maintaining two sets of research guidelines. The ALRC proposed that the Privacy Commissioner issue a set of rules to replace the Section 95 and 95A Guidelines.[10]

65.6 The change from ‘guidelines’ to ‘rules’ was based on proposals made in Chapter 44 of DP 72. In that chapter, the ALRC examined the powers of the Privacy Commissioner to issue binding rules and advisory guidelines and expressed the view that the Privacy Act should distinguish between these types of instrument. The ALRC proposed that where ‘guidelines’ are legally binding they should be called ‘rules’.[11] As stakeholders had not raised concerns about the fact that the Section 95 and 95A Guidelines were binding, the proposed research rules also were expressed to be binding.

65.7 The ALRC also put forward proposed research exceptions to the ‘Collection’ principle and the ‘Use and Disclosure’ principle,[12] discussed further below. Although each principle requires an exception to allow the collection, use and disclosure of personal information for research purposes, one set of rules would apply to such collection, use and disclosure.

65.8 In DP 72, the ALRC also proposed that the research exceptions—currently limited to health and medical research—should be extended to cover all human research.[13] In these circumstances, it would no longer be appropriate for the NHMRC to develop and issue the research rules, as is currently the case, because of its focus on health and medical research. A wider range of agencies and organisations would need to be involved, and it was the ALRC’s intention that the Privacy Commissioner would coordinate this consultation and development process.

65.9 The ALRC anticipated, however, that these rules would be developed by drawing upon the expertise of relevant stakeholders—most notably the NHMRC, the Australian Research Council and Universities Australia. The ALRC also proposed, therefore, that the Privacy Commissioner consult with relevant stakeholders in developing the rules to be issued under the research exceptions to the proposed ‘Collection’ principle and the proposed ‘Use and Disclosure’ principle. The ALRC noted that this consultation process would be an opportunity to ensure that the research rules and the National Statement were compatible.[14]

Submissions and consultations

65.10 Submissions and consultations to this Inquiry consistently made clear that having two different regimes regulating health and medical research under the IPPs and the NPPs and, in particular, two sets of guidelines (the Section 95 and 95A Guidelines), creates confusion and adds significantly to the cost and complexity of seeking approval to conduct research. There was strong support in submissions and consultations for the development of a unified regime to regulate research, including a single set of guidelines.[15]

65.11 The CSIRO stated that:

The current policy environment regarding privacy of personal information is complex and difficult to navigate. It is quite time-consuming to ensure that a given project will be compliant with all of the relevant legislation and codes of practice. This can add significantly to the set up costs of research projects, particularly where they involve health data. In addition, and most importantly, it also means that there is a delay of up to two years in initiating research projects, and a corresponding delay in the Australian people and society’s acquisition of the benefits of the research outcomes.[16]

65.12 The Department of Health and Ageing (DOHA) submitted that:

Recent reports on the operation of the Privacy Act and on research have both concluded that the present fragmentation and inconsistency in privacy regulation is proving to be a major impediment to health and medical research.

The Department supports the development of a single set of guidelines regulating health information in the conduct of research, to support these activities at the institutional, multi-institutional and national levels. In keeping with the objective of achieving national consistency, there should also be alignment between the privacy principles covering research and the NHMRC’s National Statement on Ethical Conduct in Human Research (National Statement).[17]

65.13 The OPC expressed support for a single set of rules to regulate research, but did not agree that these rules should be issued by the Privacy Commissioner. The OPC stated that the current arrangement, whereby the NHMRC issues guidelines, with approval from the Privacy Commissioner, worked well and did not require amendment.[18]

65.14 A number of stakeholders expressed support for the proposal to develop rules in consultation with relevant stakeholders and to ensure that the rules and the National Statement were compatible.[19] The Public Interest Advocacy Centre (PIAC) suggested that consumer representatives should be involved in the development process.[20] The NHMRC noted that it would be pleased to assist the Privacy Commissioner in the development of the research rules.[21]

ALRC’s view

65.15 The issues of complexity, fragmentation and inconsistency in the privacy regime generally are discussed in detail in Part C of this Report. Chapter 4 includes a number of recommendations aimed at achieving greater national consistency. Part D recommends a single set of UPPs applying to agencies and organisations. A nationally consistent privacy regime applying both to agencies and organisations, and including a single set of UPPs, would eliminate the need for two sets of research guidelines.

65.16 The ALRC recommends, below,[22] that the ‘Collection’ principle and the ‘Use and Disclosure’ principle in the model UPPs include exceptions for the conduct of research using identified or identifiable personal information without consent. It is further recommended that any such research: be subject to HREC review; and be conducted in accordance with binding rules issued by the Privacy Commissioner. There should be one set of rules issued under the model UPPs covering the collection, use and disclosure of identified or reasonably identifiable personal information in the conduct of research, and these ‘Research Rules’ should replace the Section 95 and 95A Guidelines.

65.17 While the Section 95 and 95A Guidelines are issued by the NHMRC and approved by the Privacy Commissioner, the new Research Rules should be issued by the Privacy Commissioner. This approach is recommended for three reasons. First, the research exceptions allow the use of personal information in ways that, under normal circumstances, would be a breach of the UPPs. In this respect the research exceptions, and the rules issued under those exceptions, are similar in effect to Public Interest Determinations (PIDs). As discussed in detail in Chapter 47, PIDs are developed and ‘made’ by the Privacy Commissioner. This level of involvement and control by the regulator is appropriate in circumstances where the level of protection provided by the UPPs is to be modified.

65.18 By way of contrast, privacy codes, developed by industry and ‘approved’ by the Privacy Commissioner, cannot derogate from the protection provided by the UPPs. This distinction is important. Where collection, use and disclosure of personal information are to be allowed in circumstances that derogate from the UPPs, the Privacy Commissioner should retain primary responsibility for the development and issuance of the rules that regulate that activity.

65.19 Secondly, the ALRC recommends, below, that the research exceptions currently applying to health and medical research should be extended to cover all human research.[23] In these circumstances, it would no longer be appropriate for the NHMRC alone to develop and issue the Research Rules. A wider range of agencies and organisations will need to be involved in developing the rules and the Privacy Commissioner is well placed to play a coordinating role. As mentioned above, the ALRC anticipates that the rules will be developed in consultation with, and drawing on the expertise of, key stakeholders.

65.20 Thirdly, the ALRC recommends in Chapter 3 that the Australian Government and state and territory governments establish a Commonwealth-state cooperative scheme in relation to the handling of personal information. Under the recommended scheme, the states and territories would enact legislation to regulate the handling of personal information in that state or territory’s public sector, with all jurisdictions adopting the relevant UPPs and other elements of the Privacy Act into their legislation. This will include the research exceptions to the ‘Collection’ principle and the ‘Use and Disclosure’ principle, including the requirement for research to be conducted in accordance with Research Rules issued by the Privacy Commissioner. The Office of the Victorian Privacy Commissioner (OVPC) submitted that, if such rules are to apply to personal information held by state and territory public sector agencies, they will need to be developed in consultation with state and territory privacy commissioners and other relevant state and territory stakeholders.[24] The ALRC agrees.

65.21 In DP 72, the ALRC proposed that the Privacy Commissioner consult with relevant stakeholders to ensure that the approaches adopted in the Research Rules and the National Statement are compatible. It is important to ensure that the Research Rules and the elements of the National Statement dealing with privacy are aligned to minimise confusion for research institutions, researchers and HRECs.

Recommendation 65-1 (a) The Privacy Commissioner should issue one set of rules under the research exceptions to the ‘Collection’ principle and the ‘Use and Disclosure’ principle to replace the Guidelines under Section 95 of the Privacy Act 1988 and the Guidelines Approved under Section 95A of the Privacy Act 1988.

(b) The Privacy Commissioner should consult with relevant stakeholders in developing the rules to be issued under the research exceptions to the ‘Collection’ and ‘Use and Disclosure’ principles—that is, the ‘Research Rules’.

(c) Those elements of the National Statement on Ethical Conduct in Human Research dealing with privacy should be aligned with the Privacy Act and the Research Rules to minimise confusion for institutions, researchers and Human Research Ethics Committees.

[2] National Health and Medical Research Council, Guidelines under Section 95 of the Privacy Act 1988 (2000).

[3] National Health and Medical Research Council, Guidelines Approved under Section 95A of the Privacy Act 1988 (2001).

[4] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 201.

[5] National Health and Medical Research Council, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 10 December 2004.

[6] NHMRC Privacy Working Committee, Consultation PC 13, Canberra, 30 March 2006; Australian Government Department of Health and Ageing, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, December 2004; Australian Academy of Science, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 18 January 2005.

[7] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 199.

[8] Ibid, rec 62 (in part).

[9] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007).

[10] Ibid, Proposal 58–1.

[11] Ibid, Proposal 47–2.

[12] Ibid, Proposals 58–8, 58–9.

[13] Ibid, Proposal 58–2.

[14] Ibid, Proposal 58–5.

[15] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; National Prescribing Service, Submission PR 547, 24 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Australian Institute of Criminology, Submission PR 461, 12 December 2007; University of Western Sydney Human Research Ethics Committee, Submission PR 418, 7 December 2007; University of Newcastle, Submission PR 413, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Australian Commission on Safety and Quality in Health Care, Submission PR 252, 14 March 2007.

[16] CSIRO, Submission PR 176, 6 February 2007.

[17] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007.

[18] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[19] Confidential, Submission PR 570, 13 February 2008; National Prescribing Service, Submission PR 547, 24 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; University of Western Sydney Human Research Ethics Committee, Submission PR 418, 7 December 2007; University of Newcastle, Submission PR 413, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[20] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[21] National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[22] Recs 65–8, 65–9.

[23] Rec 65–2.

[24] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.