Using and linking information in databases

Background

66.29 Databases of health information provide the opportunity to link data more effectively. Dr Roger Magnusson notes that:

Future improvements in public health will increasingly depend on the more effective use of health data resources in order: to monitor trends in health status, to investigate the causal roles of ‘lifestyle’, environmental and other risk factors … to measure and improve the quality and performance of health care services and to develop ‘best practice’ for prevention and care. Epidemiologists and population health researchers, in particular, are keen to unlock the public health value of clinical data …

Identifying and investigating the relationships between risk factors and disease frequently requires researchers to accurately match longitudinal data relating to the same individual.[25]

66.30 The National Health Information Management Group Guidelines note that:

Most [health registers] will be intended to facilitate further research, for example, through record linkage to other data sets or establishing a sample frame for a more detailed study of a health problem or for clinical trials.[26]

66.31 The National Collaborative Research Infrastructure Strategy (NCRIS) is an Australian Government program announced in 2004 with funding of $542 million to ‘provide researchers with major research facilities, supporting infrastructure and networks necessary for world-class research’.[27] One major focus of the Strategy is population health and clinical data linkage:

Australia is an international leader in the scope and extent of health-related data collected at the population level. With new technologies, the potential exists to integrate and link data sets, providing a valuable new resource for monitoring the health of the population and the effectiveness of health services, and for research.

The NCRIS Population health and clinical data linkage capability aims: to enhance the linkage and integration of health-related data collected in Australia; to provide improved accessibility to these data for the research sector; and to support the development of improved data collection systems.[28]

66.32 The Privacy Act, like the National Statement, recognises that in some circumstances it is very difficult or impossible to conduct this kind of research in a way that complies with the Information Privacy Principles (IPPs) and NPPs. As discussed in Chapter 64, the Privacy Act provides a mechanism to allow such research to go forward on the basis of approval by an HREC. The National Statement also requires that, where information in a databank is stored in identified or identifiable form, any research proposing to make use of the information be ethically reviewed.

66.33 One stakeholder noted that the process of linking health information for research could be distinguished from the linking of health information for clinical purposes. Those delivering clinical care need to know the identity of the individual and to have access to that individual’s health information. Researchers generally do not need to know the identity of the individual, simply that certain health information relates to the same individual. This can be achieved through processes whereby independent intermediaries perform the linking of information, but do not have access to actual health information and researchers have access to the linked health information but not the identity of the individual.[29]

66.34 In ALRC 96, the ALRC and AHEC considered the use of independent intermediaries to hold codes linking genetic samples or information with identifiers. The ALRC and AHEC concluded that use of an independent intermediary (such as a ‘gene trustee’) is an effective method of protecting the privacy of samples and information held in human genetic research databases. The system maintains the privacy of samples and information, while allowing donors to be contacted if necessary. It ensures that anyone who obtains access to samples and information is unable to re-identify them without the authorisation of the gene trustee.[30] The ALRC and AHEC recommended that:

The NHMRC, in revising the National Statement in accordance with Recommendation 18–1, should provide guidance on the circumstances in which the use of an independent intermediary is to be a condition of: (a) registration of a human genetic research database; or (b) approval by a Human Research Ethics Committee of research involving a human genetic research database.[31]

66.35 The NHMRC has expressed support for these conclusions and noted that they also apply more broadly to non-genetic research databases.[32]

66.36 In its submission, the CSIRO discussed the development of the Data Linkage Unit (DLU) in Western Australia and the New South Wales/ACT Centre for Health Record Linkage, and noted that such units are likely to increase through the NCRIS Population Health and Clinical Data Linkage program.[33]

66.37 The DLU is a co-operative scheme between the Information Collection and Management Branch at the Western Australian Department of Health, the Centre for Health Services Research at the University of Western Australia, the Division of Health Sciences at Curtin University of Technology, and the Telethon Institute for Child Health Research. The DLU was established in 1995 to develop and maintain a system of linkages connecting health information about individuals in Western Australia. The DLU’s website states that:

These linkages are created and maintained using rigorous internationally accepted privacy-sensitive protocols, probabilistic matching and extensive clerical review. The core Data Linkage System consists of links within and between the State’s seven core population health datasets, spanning 35 years. This is augmented through links to an extensive collection of external research and clinical datasets. Data can be requested for ethically approved research, planning and evaluation projects, which aim to improve the health of Western Australians.[34]

66.38 In its submission, the Western Australian Department of Health noted that the

DLU uses a two stage data linkage protocol that allows linkage infrastructure (or linkage keys) to be created using identifying information. Linkable datasets containing encrypted identifiers can then be provided to researchers by data custodians with minimal risk of re-identification or unauthorized linkage to another data source. The linkage infrastructure is updated and managed separately from any clinical or service information. The DLU acts as an intermediary similar to a ‘gene trustee’. Ethics clearance is required for the creation of new linkages and use of the linkage infrastructure.[35]

66.39 The DLU has now entered into an arrangement with the Australian Government to allow access to Australian Government held aged care information as well as information in the Medicare Benefits Scheme and the Pharmaceutical Benefits Scheme databases. The Western Australian Department of Health and DOHA have entered into a Memorandum of Understanding (MOU) formalising the arrangements and a ‘best practice protocol’ has been developed to address privacy concerns and other issues.[36]

66.40 In its submission,[37] however, the OPC expressed the view that the method employed by the DLU would not be consistent with NPP 10.4, which provides:

If an organisation collects health information about an individual in accordance with subclause 10.3, the organisation must take reasonable steps to permanently de-identify the information before the organisation discloses it.

66.41 The OPC’s view is based on the requirement that the information is ‘permanently de-identified’. The maintenance of the linkage infrastructure means that information is not permanently de-identified even though an organisation takes reasonable steps to ensure that the information is not disclosed in a form that would identify individuals or from which individuals could be reasonably identifiable. The linkage infrastructure can technically be used to re-identify the information, although this could be done only with the cooperation of the DLU. In ALRC 96, the ALRC and AHEC concluded that maintaining the linkage infrastructure can be important in order to allow individuals to be contacted if research produces information that is of importance to their future health.[38]

66.42 Recommendation 65–9, which sets out the wording for the research exception to the ‘Use and Disclosure’ principle includes a suggested amendment to the wording of NPP 10.4, so that the provision no longer requires that reasonable steps be taken ‘to permanently de-identify’ information before it is disclosed. In the ALRC’s view, it is sufficient to require agencies and organisations that collect sensitive information under the research exception to take reasonable steps to ensure that the information is not disclosed in a form that would identify the individual or from which the individual would be reasonably identifiable.

66.43 An amendment of this kind would allow researchers to access information through independent intermediaries without requiring the destruction of the linkage infrastructure. If appropriate arrangements are put in place—for example, intermediaries are sufficiently independent and data recipients only receive information that does not identify individuals—in the ALRC’s view, the information held by the data recipient will be adequately protected for the purposes of the Privacy Act.

66.44 The Centre for Health Record Linkage is a co-operative scheme established by NSW Health, the Cancer Institute NSW, the Clinical Excellence Commission, the University of Sydney, the University of New South Wales, the University of Newcastle, ACT Health and The Sax Institute. The Centre, like the DLU, creates master linkage keys allowing researchers to link information about particular individuals in different databases in New South Wales and the ACT without being able to identify the individuals.

66.45 In its submission, the CSIRO discussed another data-linkage model that offered researchers access to information within a privacy protective environment:

In recognition of the widespread challenge of generating information from databases which include personal information and at the same time not compromising standards of privacy and confidentiality, CSIRO has been developing new privacy-enhancing technologies, including:

  • Health Data Integration™ (HDI™)—software which enables linking of patient records from different data repositories without requiring identifying information to be revealed to any other party. Any external release of the data through HDI™ is controlled by the data custodian, and can be stopped at any time.

  • Privacy-Preserving Analytics™ (PPA™)—software developed for analysing confidential data without compromising confidentiality. The PPA techniques allow analysis of confidential raw data, but filter the outputs delivered to the researcher in order to protect the privacy of individuals and organisations and to respect data custodians’ responsibilities not to release confidential information.[39]

66.46 There are other models being used around Australia such as the Bio21: Molecular Medicine Informatics Model (MMIM) currently being piloted in Victoria, which aims to allow authorised researchers to conduct research ‘confident that ethics, privacy, security and IP issues are addressed’. The Bio21: MMIM website states that the model will provide

clinical research collaborators from universities, research institutes and teaching hospitals with ethical approval [with] access [to] secure, privacy protected research information, that spans multiple disease groups and multiple organisations.[40]

66.47 The Department of Human Services suggested that:

There is little guidance in the Privacy Act for these issues, which leads to differing interpretations being made by organisations dealing with health registers. A set of minimum standards should be developed to facilitate effective/safe linkage processes to allow important research to be conducted, without identifying particular individuals where no consent has been obtained. Medicare Australia believes the example presented by the Cross-Jurisdictional Linkage of Administrative Health Data project, underpinned by an MoU between DoHA and WA Department of Health, could be a good model on which to base the set of minimum standards.[41]

66.48 In its submission to the OPC Review, the NHMRC noted that some HRECs appear to reject research proposals automatically where they involve data linkage of health information without consent, apparently in the ‘mistaken belief that such linkage is not ethically or legally acceptable’.[42] The revised National Statement makes clear that approval may be given to use such data even in the absence of consent, for example, where the research involves linkage of data sets and the use of identifiable data is necessary to ensure that the linkage is accurate.[43]

66.49 A number of other issues were raised in response to IP 31. The NHMRC highlighted a particular problem for researchers in gaining access to data registers in order to identify health consumers with specific characteristics relevant to a research proposal. This activity, described as ‘sample acquisition’, may pre-date the development of a formal research proposal and, in the NHMRC’s view, is unlikely to be consistent with the IPPs or NPPs. The NHMRC considered, however, that sample acquisition was important and should be facilitated by the Privacy Act.[44]

66.50 In relation to sample acquisition the OPC noted that the research exceptions in NPPs 2 and 10 cover activities necessary for research, and expressed the view that sample acquisition was such an activity and would be covered by the exceptions. The OPC noted, however, that sample acquisition might not be covered by the ‘conduct of medical research’ exception to the IPPs.[45]

Discussion Paper proposals

66.51 In DP 72, the ALRC expressed the view that ‘sample acquisition’ is an activity necessary for research and should be supported by the provisions of the Privacy Act. The ALRC noted the OPC’s advice that this activity is allowed under the existing provisions of NPPs 2 and 10. The ALRC proposed that the Research Rules should address the process by which an HREC might review a sample acquisition proposal, as well as the matters an HREC should take into account in considering the public interest balance involved in allowing access to databases and registers for research purposes.[46]

66.52 The ALRC also proposed that agencies or organisations developing systems or infrastructure to allow the linkage of personal information for research purposes, should consult the OPC to ensure that such systems or infrastructure met the requirements of the Privacy Act.[47]

Submissions and consultations

66.53 A number of stakeholders expressed support for the proposal to address sample acquisition and the public interest balance around the use of databases and registers for research in the Research Rules.[48] The OPC also expressed support for these issues to be dealt with in the rules, while maintaining its position that the rules should not be issued by the Privacy Commissioner and the public interest test should not be changed.[49]

66.54 A number of stakeholders expressed support for the proposal to consult with the OPC to ensure that research systems and infrastructure met the requirements of the Privacy Act.[50] The OPC noted that, while providing advice and guidance on the Act was one of the functions of the Privacy Commissioner, the Office was unlikely to be able to respond in detail to all such requests for advice. The OPC encouraged agencies and organisations to conduct privacy impact assessments (PIAs) in relation to projects—such as the establishment of research systems and infrastructure—that may have a significant impact on privacy.[51]

66.55 In its submission, the Alfred Hospital Ethics Committee stated that, in considering the public interest in the use of health information databases, HRECs should be required to consider:

  • the importance of the research question;

  • the imposition on privacy;

  • the security of data;

  • the seniority/quality of the researchers;

  • the consequences of requiring that consent be obtained; and

  • the consequences of inappropriate use or disclosure.[52]

ALRC’s view

66.56 There are a number of different models being adopted around Australia to allow researchers to have access to and to link personal information in ways that do not identify individuals. The ALRC has not formed a view that one model should be preferred over another. It is possible that each of the various models provides sufficient protection to comply with the Privacy Act. That will depend, however, on the details of the various models, their technical specifications and their governance arrangements.

66.57 Some high-level guidance on these issues may be included in the Research Rules, to be issued by the Privacy Commissioner, but in the final analysis, whether a particular model meets the requirements of the Privacy Act will have to be decided on a case-by-case basis. It is the responsibility of agencies and organisations to ensure that such schemes comply with the Act.

66.58 The ALRC agrees with the OPC that agencies and organisations should be encouraged to conduct PIAs for new projects and developments that may have a significant impact on the handling of personal information, including the establishment of systems or infrastructure to allow the linkage of personal information for research purposes.[53]

66.59 In DP 72, the ALRC proposed that the Research Rules should address the process by which an HREC might review a proposal to examine a database or register to identify potential participants in research, and the matters an HREC should take into account in considering the public interest balance around this activity. The ALRC has considered this matter further, and is of the view that the Research Rules should be addressed to agencies and organisations that wish to collect, use or disclose information in a database or register, rather than HRECs. The rules to be issued under the research exceptions are intended to regulate the collection, use and disclosure of personal information by agencies and organisations for research purposes, rather than the conduct of HRECs.

66.60 The ALRC recommends, therefore, that the Research Rules, to be issued by the Privacy Commissioner, should address in what circumstances and under what conditions it is appropriate to collect, use or disclose personal information without consent in order to identify potential participants in research. The content of these rules will assist HRECs in their deliberations by setting out an acceptable framework for the use of databases and registers for ‘sample acquisition’ in the research context. The Privacy Commissioner and the authors of the National Statement may wish to consider providing HRECs with further assistance in the form of guidelines discussing the matters an HREC should take into account in considering the public interest balance but these guidelines should not be included in the Research Rules themselves.

Recommendation 66-2 Agencies or organisations developing systems or infrastructure to allow the linkage of personal information for research purposes should conduct a Privacy Impact Assessment to ensure that the privacy risks involved are assessed and adequately managed in the design and implementation of the project.

Recommendation 66-3 The Research Rules, to be issued by the Privacy Commissioner, should address the circumstances in which, and the conditions under which, it is appropriate to collect, use or disclose personal information without consent in order to identify potential participants in research.

[25] R Magnusson, ‘Data Linkage, Health Research and Privacy: Regulating Data Flows in Australia’s Health Information System’ (2002) 24 Sydney Law Review 5, 8–11.

[26] Australian Institute of Health and Welfare, Minimum Guidelines for Health Registers for Statistical and Research Purposes (2001), 2.

[27] Australian Government Department of Education‚ Science and Training, National Collaborative Research Infrastructure Strategy <www.ncris.dest.gov.au/> at 1 August 2007.

[28] Ibid.

[29] A Smith, Submission PR 79, 2 January 2007.

[30] Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), [18.102]–[18.117].

[31] Ibid, Rec 18–3.

[32] National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[33] CSIRO, Submission PR 176, 6 February 2007.

[34] University of Western Australia—School of Population Health, WA Data Linkage Unit <www.
populationhealth.uwa.edu.au/welcome/research/dlu/linkage> at 1 August 2007.

[35] Department of Health Western Australia, Submission PR 139, 23 January 2006.

[36] University of Western Australia—School of Population Health, WA Data Linkage Unit <www.
populationhealth.uwa.edu.au/welcome/research/dlu/linkage> at 1 August 2007.

[37] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[38] Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), Ch 16.

[39] CSIRO, Submission PR 176, 6 February 2007.

[40] Melbourne Health, Molecular Medicine Informatics Model (2007) <mmim.ssg.org.au/> at 1 August 2007.

[41] Australian Government Department of Human Services, Submission PR 136, 19 January 2007.

[42] National Health and Medical Research Council, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 10 December 2004.

[43] National Health and Medical Research Council, Australian Research Council and Australian Vice Chancellors’ Committee, National Statement on Ethical Conduct in Human Research (2007), [3.2.4].

[44] National Health and Medical Research Council, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 10 December 2004.

[45] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[46] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 58–12.

[47] Ibid, Proposal 58–13.

[48] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; National Prescribing Service, Submission PR 547, 24 December 2007; Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; University of Western Sydney Human Research Ethics Committee, Submission PR 418, 7 December 2007; University of Newcastle, Submission PR 413, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[49] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[50] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; National Prescribing Service, Submission PR 547, 24 December 2007; Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; University of Newcastle, Submission PR 413, 7 December 2007.

[51] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[52] General Ethical Issues Sub-Committee—Alfred Hospital Ethics Committee, Submission PR 531, 21 December 2007.

[53] PIAs are discussed in detail in Ch 47.