Our reference: D2017/000487
Professor Anne Kelso AO
Chief Executive Officer
National Health and Medical Research Council
Via email email@example.com
Dear Professor Kelso
Public Consultation on Section 3 (Chapters 3.1 & 3.5), Glossary and Revisions to Section 5 National Statement on Ethical Conduct in Human Research, 2007
Thank you for providing the Office of the Australian Information Commissioner (OAIC) with the opportunity to comment on the proposed revisions to Section 3 of the National Statement on Ethical Conduct in Human Research 2007 (the National Statement), developed jointly by the National Health and Medical Research Council (NHMRC), the Australian Research Council and Universities Australia.
I understand that the National Statement is a high-level document and does not provide guidance on privacy issues directly. However, I would like to acknowledge the National Statement’s recognition of the complex privacy and consent questions relating to the use of data in health and medical research. Recognising, and appropriately addressing, these questions and concerns is an essential step in good privacy practice and governance and in establishing a social licence for the use of data for research purposes. A social licence – which is also built on transparency and a sense of trust – can help researchers and data custodians use and share personal information in ways that fulfil their own objectives, as well as those of affected individuals.
My comments below specifically address the question raised in the consultation discussion paper about whether the language used in the National Statement regarding ‘data identifiability’ should be amended to better align with privacy legislation.
Consistency of terms
The Privacy Act 1988 (Cth) (Privacy Act) uses the terms ‘personal information’ and ‘de-identified’ information. The term ‘de-identified’ is used to refer to information which does not identify or reasonably identify any individuals, and is therefore not subject to the Privacy Act. In addition to your terminology, I note that a range of terms are sometimes used internationally and at the domestic level to describe such information – including ‘confidentialised’, and ‘anonymised’. While definitions vary, in our view de-identification is an omnibus term which is likely to cover all of these types of information.
I strongly recommend that the National Statement use the terms ‘personal information’ and ‘de-identified’ information wherever possible, to help ensure consistency with the Privacy Act. Consistent use of terminology will help avoid fragmentation by ensuring that the same terms are used across different sectors and by privacy professionals, data analysts and researchers, and between specific agencies. It can also help provide clarity on whether the information handled is personal information and promote consistency in decision-making.
As acknowledged in the National Statement, researchers and data custodians should be aware that whether information ‘reasonably identifies’ an individual is, above all, a contextual question, and the answer will depend heavily on who has access to the information and under what circumstances.
Considering this issue, we have recently conducted a series of conversations through the OAIC’s Privacy Professionals Network and other networks, to work with business, government, consumer and technical groups to further explore de-identification and its potential as a privacy-enhancing tool.
As a result of these conversations, the OAIC is currently updating its de-identification resources to provide further policy guidance:
- about using a risk management approach
- to reflect developments in de-identification techniques
- to expand the discussion of re-identification, including how to deal with data that is re-identified, and
- to clarify the terminology used.
I trust that these comments are useful to the NHMRC and we would be pleased to provide further information on de-identification. If you have any questions, please contact Sarah Ghali, Acting Director, Regulation and Strategy Branch, on [contact details removed].
Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner
25 January 2017
 See section 6 of the Privacy Act for the definitions of ‘personal information’ and ‘de-identified’ information.
 One example is where data may be considered de-identified when handled in a secure research lab where there are controls in place to prevent re-identification, for example physical and contractual controls to prevent the matching or linking of that data with other data which could reveal an individual’s identity. However, if released to the world at large, the same data may be reasonably identifiable and as a result be personal information.
 The OAIC’s current guidance for organisations on de-identification is available at https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-4-de-identification-of-data-and-information