
Business resource: Collecting, using and disclosing health information for research

This is a draft business resource. The OAIC conducted a public consultation on a suite of new draft health privacy guidance resources for health service providers and consumers in late 2015. Those resources are currently being finalised.


This business resource explains the requirements under the Privacy Act 1988 (Cth) (Privacy Act) for private sector health service providers or other private sector organisations who are seeking to collect, use or disclose health information without consent for research or statistical purposes relevant to public health or public safety. This resource is part of a series that outlines what private sector health service providers need to know about handling their patients’ health information. Some of the key health privacy terms used are explained in Business resource — Key health privacy concepts, while other terms are explained in the Australian Privacy Principles Guidelines.

Collecting health information for research without consent

Under Australian Privacy Principle (APP) 3, an organisation generally can only collect health information[1] where it is reasonably necessary for its functions or activities, and the individual concerned consents to the collection. However, an organisation may collect health information without consent if an exception applies.

One of the exceptions allows collection where it is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety, and:

  • the particular purpose cannot be served by collecting de-identified information
  • it is impracticable to obtain the individual’s consent, and
  • the collection is either:
    • required by or under an Australian law (other than the Privacy Act)
    • in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation, or
    • in accordance with guidelines issued by the CEO of the National Health and Medical Research Council and approved by the Commissioner under s 95A of the Privacy Act (s 16B(2)).[2]

You will also have to comply with the other APPs that deal with collection (APPs 2, 3, 5, 9 and 10). Further information on the APPs is available in the APP guidelines.

Research and statistics must be ‘relevant to public health or public safety’

To be relevant to public health or public safety, the outcome of the research or the compilation or analysis of statistics should have an impact on, or provide information about, public health or public safety.

‘Public health or public safety’ is not defined in the Privacy Act. Examples that could fall into this category are research and statistics on communicable diseases, cancer, heart disease, mental health, injury control, diabetes and the prevention of childhood diseases.

De-identified information cannot serve the research purpose

You must consider whether the research or statistical aims can be achieved by collecting de-identified information. Personal information is de-identified once the information is no longer about an identifiable individual or an individual who is reasonably identifiable. Generally, de-identification includes two steps:

  • removing personal identifiers, such as name, address, date of birth or other identifying information, and
  • removing or altering other information that may allow an individual to be identified, for example, because of a rare characteristic of the individual, or a combination of unique or remarkable characteristics.

An example of a circumstance in which de-identified health information might not achieve the relevant purpose is where a project involves linking information about individuals from two or more sources and identified information is needed to correctly link records from each data source.

Compliance tip

As a security measure, when you hold health information, you should take steps to de-identify the information once identified information is no longer needed. In the example above, you should de-identify the information once the information from two different sources has been linked.
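The following is an added worked example, not code from the OAIC resource, showing the two de-identification steps described above and the linkage scenario in the compliance tip: records from two sources are linked on identified fields, the direct identifiers are then dropped, and remaining attributes are generalised and checked for rare combinations. The field names, the sample records, the reference date and the threshold k are constructed assumptions for illustration only.

```python
"""Two-step de-identification of linked health records.

Added example (not from the OAIC resource). Step 1 strips direct identifiers
(name, date of birth); step 2 generalises the remaining quasi-identifiers and
suppresses any combination shared by fewer than k records, i.e. a rare
characteristic that could still single a person out. All data below is
constructed sample input.
"""
from collections import Counter
from datetime import date

# Constructed sample data: a clinic extract and a registry extract that can only
# be linked while the identified fields are still present.
CLINIC = [
    {"name": "A. Smith", "dob": "1961-03-04", "postcode": "2000", "diagnosis": "diabetes"},
    {"name": "B. Jones", "dob": "1962-07-19", "postcode": "2000", "diagnosis": "diabetes"},
    {"name": "C. Nguyen", "dob": "1990-11-30", "postcode": "0872", "diagnosis": "asthma"},
    {"name": "D. Lee", "dob": "1964-01-02", "postcode": "2000", "diagnosis": "diabetes"},
]
REGISTRY = [
    {"name": "A. Smith", "dob": "1961-03-04", "outcome": "controlled"},
    {"name": "B. Jones", "dob": "1962-07-19", "outcome": "controlled"},
    {"name": "C. Nguyen", "dob": "1990-11-30", "outcome": "hospitalised"},
    {"name": "D. Lee", "dob": "1964-01-02", "outcome": "uncontrolled"},
]

DIRECT_IDENTIFIERS = ("name", "dob")           # step 1: removed outright
QUASI_IDENTIFIERS = ("age_band", "postcode")   # step 2: generalised, then checked for rarity


def link_records(clinic, registry):
    """Join the two sources on the identified fields (name, dob).

    This is the step that needs identified data: de-identified records from
    each source could not be matched to each other reliably.
    """
    by_key = {(r["name"], r["dob"]): r for r in registry}
    linked = []
    for row in clinic:
        match = by_key.get((row["name"], row["dob"]))
        if match is not None:
            linked.append({**row, "outcome": match["outcome"]})
    return linked


def age_band(dob_iso, as_of=date(2015, 12, 31), width=10):
    """Replace an exact date of birth with a ten-year age band (assumed reference date)."""
    born = date.fromisoformat(dob_iso)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def deidentify(linked, k=2):
    """Drop direct identifiers, generalise quasi-identifiers, then suppress any
    quasi-identifier combination shared by fewer than k records."""
    rows = []
    for r in linked:
        row = {key: val for key, val in r.items() if key not in DIRECT_IDENTIFIERS}
        row["age_band"] = age_band(r["dob"])
        rows.append(row)
    counts = Counter(tuple(row[q] for q in QUASI_IDENTIFIERS) for row in rows)
    for row in rows:
        if counts[tuple(row[q] for q in QUASI_IDENTIFIERS)] < k:
            for q in QUASI_IDENTIFIERS:
                row[q] = "*"   # suppress rather than release a unique combination
    return rows


if __name__ == "__main__":
    for row in deidentify(link_records(CLINIC, REGISTRY)):
        print(row)
```

Running the script links all four records, then releases three rows in the 50-59 / 2000 group intact and suppresses the age band and postcode of the single 20-29 / 0872 record, whose combination would otherwise be unique. The threshold k=2 and the ten-year bands are illustrative; whether a given release is "no longer about a reasonably identifiable individual" is an assessment of the actual dataset and its recipients, not a property of any fixed parameter.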

It is impracticable to seek consent

Whether it is impracticable to seek consent will depend on the particular circumstances of the case. It is the responsibility of an organisation relying on this exception to justify why it is impracticable to obtain an individual’s consent. Incurring some expense or doing extra work to obtain consent would not itself make it impracticable to obtain consent.

Examples of where it may be impracticable to seek consent could include situations where:

  • there are no current contact details and where there is insufficient information to get up-to-date contact details (this may occur in longitudinal studies involving old records)
  • the integrity or validity of health research could be impaired, for example, because you are conducting a participant observation study and obtaining the consent of participants may alter their behaviour and the research results.

Compliance tip

Organisations arguing that consent is impracticable because it would invalidate the research methodology should have justifiable grounds for this view, including an independent opinion that does not come from researchers involved in the project. Consideration could be given to consulting a human research ethics committee as to whether obtaining consent would have this effect, and evidence that such a committee had come to that conclusion may be relevant here.

Collection required by law, or in accordance with rules or guidelines

The collection must meet one of the following three criteria:

  • be required by or under an Australian law
  • be in accordance with binding confidentiality rules established by competent health or medical bodies
  • be in accordance with guidelines approved under s 95A.

Collection required by or under an Australian law

Collection is ‘required by law’ if a law compels you to collect the information. You must have a legal obligation to handle information in a particular way and cannot choose to act differently. The obligation will usually be indicated by words such as ‘must’ or ‘shall’, and may be accompanied by a sanction for non-compliance. Being ‘required by law’ is distinct from the situation where a law authorises or permits collection but the organisation can choose whether or not to collect the information.

‘Australian law’ means an Act of the Commonwealth, or a State or Territory, regulations or any other instrument made under such an Act, a Norfolk Island enactment, or a rule of common law or equity (s 6(1)).

Collection in accordance with binding rules of confidentiality issued by competent health or medical bodies

The rules dealing with obligations of professional confidentiality must be binding on the organisation and they must have been established by a competent health or medical body. The Privacy Act does not specify which bodies qualify as ‘competent health or medical bodies’. Common examples include medical boards and other rule-making bodies recognised in an applicable Australian law. Generally, a binding rule is one that will attract a sanction or adverse consequence if breached.

Collection in accordance with Section 95A Guidelines

The National Health and Medical Research Council’s Guidelines approved under Section 95A of the Privacy Act 1988 (s 95A guidelines) have been approved by the Commissioner under s 95A and are legally binding. The s 95A Guidelines provide a framework for human research ethics committees to assess research proposals involving the handling of health information (without the consent of the subject). The framework requires ethics committees to weigh the public interest in research activities against the public interest in the protection of privacy.

Reasonable steps to de-identify the information before disclosure

If you collect health information under s 16B(2), you must take reasonable steps to de-identify that information before it is subsequently disclosed under APP 6 (see APP 6.4).

What are reasonable steps to de-identify information will depend on circumstances such as:

  • the possible adverse consequences for an individual if the information is not de-identified before disclosure (more rigorous steps may be required as the risk of harm increases)
  • the practicability, including time and cost involved. However, you would not be excused from taking particular steps to de-identify health information by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take a particular step will depend on whether the burden is excessive in all the circumstances.

Use or disclosure for research without consent

You may use or disclose health information for research or statistical purposes relevant to public health or public safety in accordance with APP 6. For example, APP 6 permits use or disclosure where:

  • the individual has consented to the use or disclosure
  • it is for the same (primary) purpose for which the information was collected
  • it is for a purpose which is directly related to the primary purpose of collection, and the individual would reasonably expect you to use or disclose the information for that purpose.

In addition, APP 6 provides an exception allowing you to use or disclose health information where the use or disclosure of health information is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety, and:

  • it is impracticable to obtain the individual’s consent to the use or disclosure
  • the use or disclosure is conducted in accordance with the s 95A guidelines, and
  • in the case of disclosure — you reasonably believe that the recipient of the information will not disclose the information, or personal information derived from that information.[3]

Compliance tip

If you are conducting research in NSW, Victoria or the ACT, you may also be subject to additional guidelines for the use or disclosure of health information for research purposes. These guidelines largely reflect the s 95A guidelines, however some differences may exist. For instance, the Victorian guidelines deal with research, statistical compilation and analysis in ‘the public interest’ rather than research relating to ‘public health or public safety’. ACT legislation similarly deals with research and statistical compilation and analysis in the public interest. For more information regarding state or territory obligations, please contact your local privacy regulator.

Guidance on a number of these concepts is provided above. Two further concepts are discussed below.

Use or disclosure must be necessary

One aspect of considering whether a use or disclosure is ‘necessary’ is whether the particular purpose of the proposed use or disclosure could be achieved by using or disclosing de-identified information. If so, the use or disclosure would not be considered necessary. De-identification is discussed above.

Reasonably believes the recipient will not disclose

Before disclosing health information using this exception, an organisation must reasonably believe that the recipient of the information will not disclose the information or personal information derived from that information. You must have a reasonable basis for the belief, and not merely a genuine or subjective belief. It is the responsibility of the organisation to be able to justify its reasonable belief.

Compliance tip

You may have a reasonable belief that the recipient will not disclose the information if you have reviewed the recipient’s research project plan and that plan does not involve the disclosure of the information. You could also seek written confirmation from the researcher that the information will not be disclosed.

The information provided in this resource is of a general nature. It is not a substitute for legal advice.

Footnotes

[1] The meaning of ‘health information’ is discussed in more detail in the overview resource of this series. Generally, all personal information collected in the course of providing a health service is ‘health information’ under the Privacy Act.

[2] This exception is known as a ‘permitted health situation’ and is contained in APP 3.4(c) and s 16B(2) of the Privacy Act. Permitted health situations are discussed generally in the overview resource of this series.

[3] This exception is known as a ‘permitted health situation’ and is contained in APP 6.2(d) and s 16B(3) of the Privacy Act. Permitted health situations are discussed generally in the overview resource of this series.