Submission to the NHMRC on the Draft Principles for Accessing and Using Publicly Funded Data for Health Research

16 February 2015

1. Would you describe you or your organisation as a:

  1. researcher who uses publicly funded health and health related datasets (please go to question 2); or
  2. another user of publicly funded health and health related datasets (please go to question 2); or
  3. custodian who has responsibilities regarding release of publicly funded health and health related datasets (please go to question 3); or
  4. other, please specify (please go to question 2)

The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency that provides oversight of the Privacy Act 1988 (Cth), and privacy protection provisions within other federal legislation.

The Privacy Act 1988 (Cth) regulates the handling of personal information by Australian Government agencies (and the Norfolk Island administration), private sector organisations with an annual turnover of more than $3 million, and some small business operators including private sector healthcare providers.

2. How could the principles in the draft Guide add value when making a request to access existing health and health related datasets for the purposes of health research and for your use of the data?

[No comment]

3. How could the principles in the draft Guide add value (to you or your organisation) when considering an application to access existing health and health related datasets for the purposes of health research?

[No comment]

4. What barriers exist in adhering to or achieving the principles in the draft Guide? How could these be overcome?

[No comment]

5. Is there other relevant legislation, regulations and/or policies that could be added to Appendix A in the draft Guide? Please specify, including their relevance.

The OAIC suggests adding a reference and link to the ‘Australian Privacy Principles Guidelines’ (APP Guidelines) into Appendix A of the draft Guide.

Data custodians and researchers who are ‘APP entities’ are required to comply with the Australian Privacy Principles (APPs) under the Privacy Act. The OAIC’s APP Guidelines outline the mandatory requirements of the APPs, the OAIC’s interpretation of the APPs, and matters that the OAIC may take into account when exercising functions and powers under the Privacy Act.

The APP Guidelines can be found at:

In addition, the OAIC suggests:

  • linking to the entire Privacy Act 1988, rather than s 95 specifically, given that more than just s 95 will be relevant to entities covered by the Privacy Act. A link to the latest version of the Privacy Act can be found at:

  • including a link to the Guidelines under section 95 of the Privacy Act 1988 on the NHMRC’s website, rather than a link to the s 95 of the Privacy Act

  • including a link to the Guidelines approved under section 95A of the Privacy Act 1988 (2014) on the NHMRC’s website. The s 95A Guidelines may apply to a private sector organisation’s collection, use or disclosure of health information for research purposes and are therefore a relevant resource to include.

6. If the Guide was co-badged by other Australian Government Departments would you or your organisation be more likely to implement it? Why? Why not?

[No comment]

7. What could be done to publicise and disseminate the Guide, and to encourage its adoption and implementation by researchers and data custodians?

[No comment]

8. Do you have any other comments or concerns on particular sections of the document? If so, please identify the section you wish to comment on.

The OAIC welcomes the opportunity to comment on the NHMRC’s draft Principles for Accessing and Using Publicly-Funded Data for Health Research (the ‘draft Guide’).

The OAIC acknowledges that the draft Guide applies to both research involving personal information, and research not involving personal information. The OAIC also acknowledges that not all data custodians and researchers using the Guide will be covered by the Privacy Act 1988. However, the OAIC has made a number of suggestions below that are relevant to the use of personal information in research, and which can be adopted by data custodians and researchers either to comply with their privacy obligations, or to reflect best privacy practice.

As a general observation, we consider the draft guide should place greater emphasis on the requirements under privacy law.

Principle 1(b)

Many data custodians and researchers must comply with the Privacy Act. We consider it is misleading to generalise that consideration of privacy is merely a question of weighing the public benefit against the risk to privacy.

We recommend that this principle places greater emphasis on the need for data custodians and researchers to consider relevant laws and guidelines.

For example, the principle could read: ‘Use of existing datasets for research should be promoted, encouraged and maximised when there is public benefit and any risks to privacy or confidentiality have been considered and managed in accordance with relevant guidelines and legislative requirements.’

Principle 2(a)

Privacy legislation, including the Privacy Act 1988, generally requires an entity collecting personal information to take reasonable steps to notify an individual of certain matters about how their personal information will be handled.

What are reasonable steps depends on the circumstances and in some cases it may be reasonable for a collecting researcher to take no steps to notify affected individuals. Nevertheless, if a data custodian knows at the time of initially collecting personal information that that information may be disclosed for use in future research projects, it would be best privacy practice for the data custodian to notify individuals at that time of this possible future research purpose, in addition to notification of the primary purpose of collection. For some data custodians, this may be required under privacy legislation.

To reflect this, the OAIC suggests that Principle 2(a), which addresses data custodians’ processes for both current and future use of data, could expressly refer to processes for ensuring reasonable steps are taken to notify individuals of both the purpose for initial collection, and the possible disclosure for use in future research projects.

Principle 2(c)

The OAIC suggests that the word ‘guidelines’ be added to the phrase ‘Commonwealth and state/territory legislation and policies’, given that the s 95 or s 95A guidelines may apply to many releases and collections of publicly funded data.

Principle 2(d)

The OAIC suggests that Principle 2(d) could also reflect the data custodian’s responsibility to ensure that, before disclosing data to a researcher, they take reasonable steps to ensure the data is, having regard to the purpose of the disclosure, accurate, up to date, complete and relevant.

Principle 3(c)

The OAIC commends the NHMRC for recognising the responsibility for researchers to ensure that the use of publicly funded data meets obligations under legislation and in signed agreements. The OAIC suggests that Principle 3 could be strengthened by noting that researchers should also ensure that their collection ofdata is in accordance with privacy legislation. This could be implemented within 3(c) or as a separate sub-point.

Principle 3(f)

To reflect best privacy practice (and the requirements in APP 1 for those entities covered by the APPs), the OAIC suggests the inclusion of the sub-point: ‘Be transparent about… practices, procedures and systems for ensuring compliance with relevant legislation, including the Privacy Act 1988’.

The OAIC suggests that Principle 3(f) should encourage transparency in the event of a data breach involving personal information. This could be a separate sub-point, or could be mentioned in the final point on legislative compliance.

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at