Version 1.0, September 2019

Key points

Provided certain requirements are met:

  • you can collect health information where it is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety
  • you can use or disclose health information where it is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety.

While you normally need a patient’s consent to collect health information, you can collect health information where it is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety, and:

  • the particular research purpose cannot be served by collecting de-identified information
  • it is impracticable to obtain the individual’s consent, and
  • the collection is either:
    • required by or under an Australian law (other than the Privacy Act 1988 (Privacy Act))
    • in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation, or
    • in accordance with guidelines issued by the National Health and Medical Research Council and approved by the Information Commissioner under s 95A of the Privacy Act.

‘Necessary’

You can only collect health information that is ‘necessary’ for the research or statistical exercise. The term ‘necessary’ is applied objectively and in a practical sense. Collection is usually considered necessary if you cannot effectively carry out the activity without collecting the information. Collection is not necessary if it is merely helpful, desirable or convenient.

‘Relevant to public health or public safety’

To be relevant to public health or public safety, the outcome of the research or statistical exercise should impact on, or provide information about, public health or public safety.

Examples could include research and statistics on communicable diseases, cancer, heart disease, mental health, injury control, diabetes and the prevention of childhood diseases.

De-identified information is not sufficient

You must consider whether you can achieve the research or statistical aims by collecting de-identified information.

Example

A research project involves linking information about individuals from two or more electronic databases. You need identified information to correctly link the two data sets. In this case, de-identified health information will not achieve the project’s purpose.

Helpful hint

When you hold health information, as a security measure you should de-identify information once you no longer need identified information. In the example above, you should de-identify the information once you have linked the two data sets and no longer require identified data.

Whether it is impracticable to obtain consent will depend on the circumstances. You will need to justify why it is impracticable to obtain a patient’s consent. Incurring some expense or doing extra work does not in itself make it impracticable to obtain consent.

Examples of where it may be impracticable to seek consent could include where:

  • there are no current contact details and there is insufficient information to get up-to-date contact details (this may occur in longitudinal studies involving old records)
  • the integrity or validity of health research could be impaired, for example, because you are conducting a participant observation study and obtaining the consent of participants may alter their behaviour and the research results.

Helpful hint

Organisations arguing that consent is impracticable because it would invalidate the research methodology must have justifiable grounds for this view, including an independent opinion that does not come from researchers involved in the project. You could consider consulting a human research ethics committee about whether obtaining consent would have this effect.

Collection required by law, or in accordance with rules or guidelines

The collection must meet one of the following three criteria:

  • be required by or under an Australian law
  • be in accordance with binding confidentiality rules established by competent health or medical bodies, or
  • be in accordance with guidelines approved under s 95A.

Binding rules of confidentiality issued by competent health or medical bodies

The rules dealing with obligations of professional confidentiality must be binding on the organisation and a competent health or medical body must have established them. Generally, a binding rule is one that will attract a sanction or adverse consequence if breached.

Section 95A Guidelines

The National Health and Medical Research Council’s Guidelines approved under Section 95A of the Privacy Act 1988 (s 95A guidelines) have been approved by the Information Commissioner and are legally binding. The s 95A guidelines provide a framework for human research ethics committees to assess research proposals involving the handling of health information (without the consent of the subject). The framework requires ethics committees to weigh the public interest in research activities against the public interest in the protection of privacy.

Reasonable steps to de-identify the information before disclosure

If you collect health information under this exception, you must take reasonable steps to de-identify that information before disclosing it.

What are reasonable steps to de-identify information will depend on circumstances such as:

  • the possible adverse consequences for an individual if the information is not de-identified before disclosure (more rigorous steps will be required as the risk of adversity increases)
  • the practicability, including time and cost involved. However, you are not excused from taking particular steps to de-identify health information simply because it would be inconvenient, time-consuming or impose some cost. Whether these factors make it unreasonable to take a particular step depends on whether the burden is excessive in all the circumstances.

You may use or disclose health information for research or statistical purposes relevant to public health or public safety when the Privacy Act permits the use or disclosure. For example:

  • the individual has consented to the use or disclosure
  • it is for the same (primary) purpose for which the information was collected
  • it is for a purpose which is directly related to the primary purpose of collection, and the individual would reasonably expect you to use or disclose the information for that purpose.

However, you are also allowed to use or disclose health information where this is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety, and:

  • it is impracticable to obtain the individual’s consent
  • the use or disclosure is conducted in accordance with the s 95A guidelines, and
  • in the case of disclosure — you reasonably believe that the recipient will not disclose the information, or personal information derived from it.

Some of these concepts are outlined above. Two further concepts are discussed below.

Helpful hint

If you are conducting research in NSW, Victoria or the ACT, you may also be subject to additional requirements. While these requirements largely reflect the s 95A guidelines, some differences may exist. For instance, Victorian guidelines and ACT legislation refer to research, statistical compilation and analysis in the ‘public interest’ rather than research relating to ‘public health or public safety’. Contact the Information and Privacy Commission NSW, Victorian Health Complaints Commissioner, or ACT Health Services Commissioner to find out more about any additional requirements.

‘Necessary’

One aspect of considering whether a use or disclosure is ‘necessary’ is whether the particular purpose could be achieved by using or disclosing de-identified information. If so, the use or disclosure would not be considered necessary. De-identification is discussed above.

Reasonably believes the recipient will not disclose

Before disclosing health information using this exception, you must reasonably believe that the recipient will not disclose the information or personal information derived from it. You must have a reasonable basis for the belief, and must be able to justify it. The test is what a reasonable person, who is properly informed, could be expected to believe in the circumstances.

Helpful hint

You may have a reasonable belief that the recipient will not disclose the information if you have reviewed their research project plan and it does not involve the disclosure of the information. You could also seek written confirmation from the researcher that the information will not be disclosed.
