Submission to NHMRC re proposed amendments to chapter 2.3 of the National Statement

1 August 2013

Our reference: 12/000050

Project Officer — Revision of the National Statement Chapter 2.3
Health and Research Ethics Section
National Health and Medical Research Council
GPO Box 1421
Canberra ACT 2601

Submitted online

Dear Sir/Madam

Revision of the National Statement Chapter 2.3

Thank you for the opportunity to comment on the proposed amendments to Chapter 2.3 of the National Statement on Ethical Conduct in Human Research 2007 (the National Statement), developed jointly by the National Health and Medical Research Council (NHMRC), the Australian Research Council and Universities Australia. Chapter 2.3 of the National Statement provides guidance on alternative approaches to explicit consent to participant recruitment in research. The proposed revisions include guidance on an opt-out approach.

The Office of the Australian Information Commissioner (the OAIC) welcomes the NHMRC providing guidance to human research ethics committees (HRECs) on the opt-out approach to participant recruitment in research in the National Statement, particularly as the NHMRC states that this approach is currently used widely. Using an opt-out approach, in conjunction with ensuring compliance with the Privacy Act 1988 (Cth) (Privacy Act) and guidelines issued under sections 95 and 95A of the Privacy Act (Guidelines), is a good practice approach that can provide individuals with greater understanding and control over how their personal information is handled.

However, as currently drafted, there is a risk that the National Statement may give the impression that an opt-out approach replaces the need to comply with the Privacy Act and the Guidelines. I have considered the questions posed in the Consultation Paper regarding the proposed amendments and make the following comments.

Office of the Australian Information Commissioner

The OAIC was established by the Australian Information Commissioner Act 2010 as an independent statutory agency headed by the Australian Information Commissioner. The Information Commissioner is supported by two other statutory officers: the Freedom of Information Commissioner and the Privacy Commissioner.

The OAIC brings together the functions of information policy and independent oversight of privacy protection and freedom of information, to advance the development of consistent workable information policy across all Australian government agencies.

Handling health information under the Privacy Act

The Privacy Act currently contains eleven Information Privacy Principles (IPPs), which regulate the handling of personal information by Australian government agencies and ten National Privacy Principles (NPPs), which regulate organisations. Under the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (Reform Act), from 12 March 2014 the IPPs and NPPs will be superseded by a set of Australian Privacy Principles (APPs), which will regulate both Australian government agencies and organisations.

Under the APPs, health information will be regarded as sensitive information and is treated differently to other personal information. The APPs provide a number of permitted health situations in relation to the collection, use or disclosure of health information which reflect the exemptions currently in place in relation to the NPPs. As you are aware, those exemptions permit collection, use or disclosure of health information without consent in certain circumstances.

The IPPs also allow use and disclosure without consent in certain circumstances. Of direct relevance to all these principles is the extent to which an organisation, agency or entity complies with guidelines issued under sections 95 and 95A of the Privacy Act (the Guidelines).[1]

The Guidelines currently refer to the IPPs or NPPs and will need to be amended to take account of the APPs. The Guidelines will need to be re-issued and then approved by the Commissioner in time for the commencement of the Reform Act in March 2014. The OAIC will contact the NHMRC shortly to discuss a proposed approach to the revision and re-issue of these Guidelines.

Unlike the Privacy Act and the Guidelines, the National Statement is not legally binding but seeks to guide the approach of ethical researchers.

Comments on the proposed amendments

There is a risk that the proposed changes to the National Statement could cause confusion for HRECs and researchers about their privacy obligations. In particular, the National Statement needs to make clear that the opt-out approach is unlikely to constitute consent for the purpose of the Privacy Act.

Consent

Under the Privacy Act the OAIC interprets consent to mean voluntary agreement to some act, practice or purpose, which is express or implied. Consent has four key elements: it must be provided voluntarily, the individual must be adequately informed, the consent must be current and specific, and the individual must have the capacity to understand and communicate their consent.

An organisation or agency has more difficulty establishing consent to a collection, use or disclosure where it wishes to rely on a failure to object to collection, use or disclosure to imply consent.[2] In the health context, it is difficult to establish that providing the opportunity to opt-out amounts to implied consent, particularly where an organisation is not aware of whether an individual has received and read information.

I understand that the NHMRC is not suggesting that the opt-out approach amounts to consent. For example, the Consultation Paper states that, although the approach described is sometimes referred to colloquially as ‘opt-out consent’, the paper has adopted the term ‘opt-out approach’ because it is not agreed that this approach constitutes consent.

However, the National Statement does not clearly reflect the sentiment of the Consultation Paper on this issue. There is a risk that HRECs may interpret the proposed changes to chapter 2.3 to mean that the opt-out approach may amount to consent when this is unlikely to be the case.

So that the National Statement is clearer, I recommend that chapter 2.3:

  • say that the opt-out approach should not be relied upon as amounting to consent under the Privacy Act
  • avoid referring to consent in the discussion of the ‘opt-out approach’. The introduction could refer to the ‘opt-out approach’ instead of ‘opt-out approach to consent’, and the final paragraph could refer to ‘different approaches’ rather than ‘different approaches to informed consent.’

Conformity with the Privacy Act

The discussion of the opt-out approach in the National Statement should also make clear how it fits with researchers’ privacy obligations. I recommend the discussion clearly outline and accord with organisation and agency obligations under the Privacy Act, particularly the Guidelines, by:

  • explicitly stating that researchers should comply with section 95 and 95A guidelines where it is impracticable for the organisation to seek the individual’s consent
  • replacing the words ‘the proposed activity is of importance and is likely to serve the public benefit’ with ‘the public interest in the proposed research activity substantially outweighs the public interest in the protection of privacy’ so it is consistent with the wording of the Guidelines
  • outlining that researchers should consider whether it is possible to achieve their research, statistical or management aims by collecting information that does not identify the person.

Thank you for the opportunity to comment on the draft amendments to the National Statement and I hope our comments are of assistance. If you have any questions, please contact Jacob Suidgeest, Director, Regulation and Strategy Branch, on [contact details redacted].

Yours sincerely

Timothy Pilgrim
Australian Privacy Commissioner
August 2013

Footnotes

[1] NHMRC, Guidelines under section 95 of the Privacy Act 1988: privacy and medical research, March 2000, <www.oaic.gov.au/privacy/applying-privacy-law/legally-binding-privacy-guidelines-and-rules/guidelines-under-section-95-of-the-privacy-act-1988-privacy-and-medical-research-march-2000> and NHMRC Guidelines under section 95A of the Privacy Act 1988, March 2001, <www.oaic.gov.au/privacy/applying-privacy-law/legally-binding-privacy-guidelines-and-rules/guidelines-under-section-95a-of-the-privacy-act-1988-december-2001>

[2] Office of the Privacy Commissioner Guidelines to the National Privacy Principles, 2001, p37
