Publication date: 09 Nov 2023

The OAIC is reviewing the approvals for the guidelines issued and approved under sections 95, 95A and 95AA of the Privacy Act 1988. The approvals for the section 95A and 95AA guidelines are due to sunset on 1 April 2024 and the section 95 guidelines are due to sunset on 1 April 2025.

The OAIC is seeking submissions from interested individuals, government agencies and organisations on the Information Commissioner re-approving the guidelines as they stand for 5 years with a self-repeal provision.

This consultation is closed. The deadline for submissions was 8 December 2023.

Background

In certain circumstances, the Privacy Act permits the handling and disclosure of health information, including genetic information, for health and medical research purposes without the individuals’ consent. This recognises:

  • the need to protect health information from unexpected uses beyond individual healthcare
  • the important role of health and medical research in advancing public health
  • the need to disclose genetic information to genetic relatives to lessen or prevent a serious threat to life, health or safety.

To promote these ends, the Information Commissioner issues her approval of guidelines, developed by the National Health and Medical Research Council (NHMRC).

Researchers, Australian Government agencies and health service providers must follow these guidelines when handling health information for medical research and other purposes specified in the guidelines, without individuals’ consent.

Section 95 guidelines

The section 95 guidelines set out procedures that human research ethics committees and researchers must follow when personal information is disclosed from an Australian Government agency for medical research purposes. They ensure that the public interest in the research activities substantially outweighs the public interest in the protection of privacy.

The section 95 guidelines are developed by the NHMRC with the approval of the Information Commissioner.

Read the current section 95 guidelines on the NHMRC website.

Section 95A guidelines

The section 95A guidelines provide a framework for human research ethics committees to assess proposals from researchers to handle health information held by organisations for health research purposes (without individuals’ consent). They ensure that the public interest in the research activities substantially outweighs the public interest in the protection of privacy.

The section 95A guidelines are developed by the NHMRC and approved by the Information Commissioner.

Read the current section 95A guidelines on the NHMRC website.

Section 95AA guidelines

The section 95AA guidelines provide a framework that health service providers must follow if they are using or disclosing a patient’s genetic information and they have not been able to obtain the patient’s consent.

Health service providers must comply with the section 95AA guidelines and ensure all of the following criteria are met before using or disclosing a patient’s genetic information:

  • The health service provider obtained the genetic information in the course of providing a health service to the patient.
  • The health service provider reasonably believes that there is a serious threat to the life, health or safety of a genetic relative of the patient.
  • The use or disclosure to the genetic relative is necessary to lessen or prevent that threat.
  • In the case of disclosure, the recipient of the information is a genetic relative of the patient.

The section 95AA guidelines are developed by the NHMRC and approved by the Information Commissioner.

Read the current section 95AA guidelines on the NHMRC website.

Privacy Act review

The Australian Government is undertaking a review of the Privacy Act to strengthen existing privacy laws. In February 2023, after over two years of extensive consultation, the Attorney-General’s Department released the Privacy Act Review Report. Chapter 14 (Research) of the report included three research-related proposals:

  • Proposal 14.1 – Introduce a legislative provision that permits broad consent for the purposes of research.
  • Proposal 14.2 – Consult further on broadening the scope of research permitted without consent for both agencies and organisations.
  • Proposal 14.3 – Consult further on developing a single exception for research without consent and a single set of guidelines, including considering the most appropriate body to develop the guidelines.

The Government released its response to the Privacy Act Review Report on 28 September 2023. The Government’s response agreed with all three research-related recommendations, stating:

“The Government recognises that the changes to consent may present challenges for research organisations conducting research in the public interest. The Government agrees that researchers should also be able to rely on ‘broad consent’ due to difficulties in obtaining ‘specific’ consent from individuals in research contexts (proposal 14.1).

“The Government agrees further consultation should be undertaken on expanding the scope of the Act’s exceptions from requiring consent in research contexts to apply to human research generally that is in the public interest, and on agencies and organisations being covered by a single research exception and set of guidelines developed by the Privacy Commissioner in consultation with relevant stakeholders (proposals 14.2 and 14.3).”

Proposed approach

The OAIC proposes that the Information Commissioner re-approve the guidelines as they stand for 5 years with a self-repeal provision.

This approach will allow for certainty around how or if the proposals in the Privacy Act Review Report will be implemented before a substantive review of the guidelines is undertaken. Given the Attorney-General’s Department has proposed significant changes to the guidelines, it would be inefficient and duplicative to undertake a substantive review before the consultation process has been finalised and any changes implemented.

Consultation documents

Consultation questions

We ask that interested individuals, agencies and organisations consider the following:

Section 95 guidelines

  1. Are you supportive of the proposed approach to remake the section 95 guidelines as they stand for 5 years with a self-repeal provision?
  2. Are the section 95 guidelines fit for purpose?
  3. Does the public interest in the promotion of research of the kind to which the section 95 guidelines relate outweigh to a substantial degree the public interest in maintaining adherence to the Australian Privacy Principles (APPs)? [1]

Section 95A guidelines

  1. Are you supportive of the proposed approach to remake the section 95A guidelines as they stand for 5 years with a self-repeal provision?
  2. Are the section 95A guidelines fit for purpose?
  3. Does the public interest in the use and disclosure of health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety, in accordance with the section 95A guidelines substantially outweigh the public interest in maintaining the level of privacy protection afforded by the APPs? [2]
  4. Does the public interest in the collection of health information for the purposes of:
    1. research, or the compilation or analysis of statistics, relevant to public health or public safety,
    2. the management, funding or monitoring of a health service,

    in accordance with the section 95A guidelines substantially outweigh the public interest in maintaining the level of privacy protection afforded by the APPs? [3]

Section 95AA guidelines

  1. Are you supportive of the proposed approach to remake the section 95AA guidelines as they stand for 5 years with a self-repeal provision?
  2. Are the section 95AA guidelines fit for purpose?

How to provide comments

Submissions can be made to:

Email

research.guidelines@oaic.gov.au

Post

GPO Box 5288

Sydney NSW 2001

The closing date for submissions is 5 pm AEDT Friday 8 December 2023.

Although you may send your comments by email or post, email is preferred.

We intend to make all submissions publicly available. Please indicate when making your submission if it contains confidential information you do not want made public and why it should not be published.

Requests for access to confidential comments will be determined in accordance with the Freedom of Information Act 1982.

Privacy collection statement

The OAIC will only use the personal information it collects during this consultation for the purpose of considering the issues outlined above. This will include sharing submissions with the NHMRC for the purpose of the review.

Submissions received

The OAIC received the following submissions during the consultation period:


[1] section 95(2) of the Privacy Act.

[2] section 95A(3) of the Privacy Act.

[3] section 95A(5) of the Privacy Act.