The National Statement — submission to the National Health and Medical Research Council

Date: 1 January 2017

Our reference: D2017/000487

Professor Anne Kelso AO
Chief Executive Officer
National Health and Medical Research Council

Via email ethics@nhmrc.gov.au

Dear Professor Kelso

Public Consultation on Section 3 (Chapters 3.1 & 3.5), Glossary and Revisions to Section 5 National Statement on Ethical Conduct in Human Research, 2007

Thank you for providing the Office of the Australian Information Commissioner (OAIC) with the opportunity to comment on the proposed revisions to Section 3 of the National Statement on Ethical Conduct in Human Research 2007 (the National Statement), developed jointly by the National Health and Medical Research Council (NHMRC), the Australian Research Council and Universities Australia.

I understand that the National Statement is a high-level document and does not provide guidance on privacy issues directly. However, I would like to acknowledge the National Statement’s recognition of the complex privacy and consent questions relating to the use of data in health and medical research. Recognising, and appropriately addressing, these questions and concerns is an essential step in good privacy practice and governance and in establishing a social licence for the use of data for research purposes. A social licence – which is also built on transparency and a sense of trust – can help researchers and data custodians use and share personal information in ways that fulfil their own objectives, as well as those of affected individuals.

My comments below specifically address the question raised in the consultation discussion paper about whether the language used in the National Statement regarding ‘data identifiability’ should be amended to better align with privacy legislation.

Consistency of terms

The Privacy Act 1988 (Cth) (Privacy Act) uses the terms ‘personal information’ and ‘de-identified’ information.[1] The term ‘de-identified’ is used to refer to information which does not identify or reasonably identify any individuals, and is therefore not subject to the Privacy Act. In addition to your terminology, I note that a range of terms are sometimes used internationally and at the domestic level to describe such information – including ‘confidentialised’, and ‘anonymised’. While definitions vary, in our view de-identification is an omnibus term which is likely to cover all of these types of information.

I strongly recommend that the National Statement use the terms ‘personal information’ and ‘de-identified’ information wherever possible, to help ensure consistency with the Privacy Act. Consistent use of terminology will help avoid fragmentation by ensuring that the same terms are used across different sectors and by privacy professionals, data analysts and researchers, and between specific agencies. It can also help provide clarity on whether the information handled is personal information and promote consistency in decision-making.

As acknowledged in the National Statement, researchers and data custodians should be aware that whether information ‘reasonably identifies’ an individual is, above all, a contextual question, and the answer will depend heavily on who has access to the information and under what circumstances.[2]

Considering this issue, we have recently conducted a series of conversations through the OAIC’s Privacy Professionals Network and other networks, to work with business, government, consumer and technical groups to further explore de-identification and its potential as a privacy-enhancing tool.

As a result of these conversations, the OAIC is currently updating its de-identification resources[3] to provide further policy guidance:

  • about using a risk management approach
  • to reflect developments in de-identification techniques
  • to expand the discussion of re-identification, including how to deal with data that is re-identified, and
  • to clarify the terminology used.

I trust that these comments are useful to the NHMRC and we would be pleased to provide further information on de-identification. If you have any questions, please contact Sarah Ghali, Acting Director, Regulation and Strategy Branch, on [contact details removed].

Yours sincerely

Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner

25 January 2017

Footnotes

[1] See section 6 of the Privacy Act for the definitions of ‘personal information’ and ‘de-identified’ information.

[2] One example is where data may be considered de-identified when handled in a secure research lab where there are controls in place to prevent re-identification, for example physical and contractual controls to prevent the matching or linking of that data with other data which could reveal an individual’s identity. However, if released to the world at large, the same data may be reasonably identifiable and as a result be personal information.

[3] The OAIC’s current guidance for organisations on de-identification is available at https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-4-de-identification-of-data-and-information
