Information is critical to the conduct of health and medical research. Much of the time the information relates to individuals. Higher education institutions regularly collect, use, disclose and hold information, including health information, for research purposes. The richness and availability of information sources for research purposes, including digital data from the public domain, together with the ease with which data can cross jurisdictions, and the ability to mine and analyse it, all require researchers and human research ethics committees (HRECs) to engage directly with a complex range of multi-jurisdictional privacy obligations.

The challenges are even more onerous when health information is involved as it is considered to be more sensitive than other personal information (and is legally defined as such ). It is therefore afforded a higher degree of protection, which means there are more stringent obligations on individuals and entities who collect health information for research purposes. However privacy legislation also makes special provisions to permit the use of personal information in health and medical research where the public interest in the research activities substantially outweighs the public interest in the protection of privacy.

This article provides a recap of the privacy framework that applies to health information that is collected for research purposes and offers some practical insights into preparing for and managing privacy issues.

Who is regulated and by what laws?

The regulation of health information is made up of a patchwork of principles based State, Territory and Commonwealth privacy and health records laws. These operate simultaneously. Which statute(s) apply to the collection and handling of health information for research purposes will depend on the location of the institution (whether it is private or public) and sites and should be carefully considered. Each statute defines the nature of the information and the types of entities (public and/or private sector, contracted service providers) that are regulated. The regulated entities must not do an act or engage in a practice which interferes with an individual's privacy by breaching one or more of the principles in the statute.

The Privacy Act 1988 (Cth) (Privacy Act) regulates Commonwealth agencies and 'organisations' with an annual turnover of more than $3million in the relevant financial year and which are defined to include individuals, body corporate, trusts and unincorporated associations (APP entities) who collect and hold personal and sensitive information. APP entities must comply with the Australian Privacy Principles (APPs) in the Privacy Act.

In Victoria and New South Wales, health information is regulated by the Health Records Act 2002 (Vic) and the Health Records and Information Privacy Act 2002 (NSW) respectively and the Health Privacy Principles (HPPs) in each of the Acts. These Acts apply to both public sector and to private sector organisations that are health service providers or who collect, hold or use health information. They otherwise have the same definition of organisation.

In the Northern Territory, health information is also regulated by the Information Act 2002 (NT), in Tasmania by the Personal Information Protection Act 2004 (Tas), in the ACT, by the Records (Privacy and Access) Act 1997 (ACT) and in Queensland by the Information Privacy Act 2009 (QLD) . There is no State privacy legislation in Western Australia or South Australia.

Freedom of Information laws will also apply to the granting of access to information of public sector organisations and the ability of individuals or third parties to access health information should be considered.

An institution may also be collaborating with other organisations who may be subject to different health privacy legislation. Where there the Privacy Act applies as well as State or Territory based statutes, if there is a conflict between State and Commonwealth statutes, the Privacy Act should be followed.

What information is regulated?

Broadly, the information that will be subject to regulation is, personal information or an opinion about the health or a disability (at any time) of a person and is not sufficiently de-identified. Personal information not only includes information about an identified individual but individuals who are identifiable from the information. Because institutions may need to collect large amounts of information, even if a person does not provide their name or contact details, there could still be a possibility that they are identifiable. Institutions will need to consider whether it is necessary to collect and use personal information or whether it can be de-identified.

Privacy principles – planning for privacy

The applicable principles will regulate the handling of the health information at each stage of its life cycle: from the point of collection, to its use and disclosure, to storage and to destruction or de-identification. The design of research projects should plan for privacy compliance through all stages of the information life cycle.

APP1 in the Privacy Act specifically requires APP entities to implement privacy by design, having regard to their functions and activities, through the implementation of relevant practices, procedures and systems to ensure that they effectively deal with inquiries or complaints and comply with the APPs.

Considering at the outset of a project its impact on privacy and planning for privacy at each stage of the lifecycle of the information will help minimise privacy risks and avoid obstacles to the required flow of the information. Questions that should be asked include: what information is required, what are its sources and who will the participants be, can the information be de-identified or the participants remain anonymous, is consent required and if so how will it be obtained, how will the information be collected and notice given, where will the information be stored, how will it be kept secure and what will happen to it when the research is complete? Also it is important to ensure the research proposal is consistent with the institution's privacy policy, which should be up to date and available.

Collection: necessary + consent or an exception

The general approach to collection of health information is that only information that is necessary for the functions and activities of the organisation - in this case, to carry out and achieve the objectives of the research. In addition, the individual's consent must be obtained, unless an exception for research applies.

Whether consent will be required depends on the nature of the research, what legislation applies and whether the research falls within the health research exception of the applicable legislation.

Applicable research guidelines and the privacy principles make it clear that wherever possible, research should be conduct with the consent of participants. Failing that, research should be conducted using de-identified information. HRECs considering research proposals will have regard to these considerations and the research guidelines discussed below, which aim to protect health information from unexpected uses and disclosures beyond individual healthcare while recognising the importance of health and medical research in improving public health.

Consent from participants to be part of the research must meet these elements to be valid – be informed, current and specific, voluntary and the participant must have the capacity to consent. This requires participants to be given clear and sufficient information to enable them to make their decision, including about what information their consent relates to. If information is being collected from the public domain then this consent is much less likely to exist. The consent may be a one-off consent or it may need to be ongoing.

The research exception in the Privacy Act is the 'permitted health situation' defined in section 16B(2). If this situation exists, then consent will not be required to collect health information (APP3.4(b)). The situation requires the collection to be:

  • necessary for research relevant to public health or public safety - that is it must have an impact on or provide information or advance public health or public safety (which are not defined terms);
  • unable to be served by the collection of de-identified information – for example where data linking is required; and
  • it is impracticable for to obtain the individual's consent to the collection – this will depend on the circumstances in each case and the onus is on the institution to demonstrate this through an independents opinion. The HREC will have a view; and
  • the information is collected in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation; or
  • the information is collected in accordance with guidelines issued by the National Health and Medical Research Council (NHMRC) and approved under section 95A by the Australian Privacy Commissioner . This means the ethics approval process is incorporated into the privacy regime.

Institutions must also provide collection notices to participants to ensure they are made aware of certain matters such as the identity and contact details of the institution, the purposes for which the information is being collected, to whom it will usually be disclosed and how to request access to or correction of personal information.

Use and disclosure

The same permitted general situation as described above applies to the use and disclosure of the health information that is collected for research where consent cannot be obtained. Similar exceptions exists in State and Territory legislation. However there may be the added qualification that the research is in the public interest. Also there may be varying State and Territory guidelines to consider, such as the Statutory Guidelines on Research issued by the Office of the Health Services Commissioner (Victoria).

There are also other circumstances in which the health information may be used and disclosed, this includes where the purpose is for a secondary purpose that is directly related to the primary purpose and which the participant would reasonably expect. This is an objective test and the onus is on the institution making the use or disclosure to demonstrate that a reasonable expectation exists.

If consent has been obtained, the use and disclosure of the information including any re-purposing must be consistent with the consent that has been given.

Inter-jurisdictional disclosure

Before health information collected for research purposes can be transferred outside of a State or Territory jurisdiction or sent overseas it will need to meet the conditions required by any applicable inter-jurisdictional disclosure requirements. One relevant condition is that the organisation making the disclosure 'reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the Health Privacy Principles'. More than 80 countries have comprehensive laws that explicitly recognise information privacy rights. Another option may be informed consent. The Privacy Act also permits overseas disclosure if an exception does not if the institution, before disclosing the information to an overseas recipient, takes reasonable steps to ensure that the recipient will not breach the APPs. The accountability provisions of section 16C of the Privacy Act means the disclosing institution will remain responsible for any breaches of the APPs by the overseas recipients.

Security and destruction or de-identification

Given the sensitivity of health information and the potential harm that could be caused to individuals as a result of a data breach or misuse or unauthorised access or interference, institutions as the custodians of the information must take appropriate technological and operational steps to keep the information secure and confidential, restrict access, de-identify it once that is possible and, once the research is complete, take steps to securely destroy or permanently de-identify all of the health information.