17.08.2010
Background
66.3 A number of health information databases and registers have been established by legislation—for example, the Australian Government maintains the Medicare and Pharmaceutical Benefits Program databases. State and territory governments in Australia have established databases that include information collected under mandatory reporting requirements in public health legislation. For example, the Public Health Act 1991 (NSW) requires health service providers to notify the cervical cancer register of cervical cancer screening tests performed and the results of those tests. The Act states that the purpose of the register is to reduce the incidence of, and mortality from, preventable cervical cancer.[3]
66.4 A wide range of non-statutory databases collect information on a voluntary basis and may be established and maintained by hospitals, universities, research bodies and others. For example, the Australian and New Zealand Dialysis and Transplant Registry (ANZDATA) records the incidence, prevalence and outcome of dialysis and transplant treatment for patients with end stage renal failure.[4] The Menzies Centre for Population Research maintains a research database comprising extensive genealogical data, genetic samples, and health information supplied by donors, to search for genetic causes of disease. All material is provided with consent specifically for the Centre’s research projects.
66.5 Health service providers, such as hospitals, also maintain extensive databases established in the course of delivering health services and for management, funding and monitoring purposes.
66.6 In its submission to the Office of the Privacy Commissioner’s (OPC) review of the private sector provisions of the Privacy Act (the OPC Review), the National Health and Medical Research Council (NHMRC) noted that access to health information in such registers is crucial to the conduct of public health research but expressed concern that the Privacy Act does not provide an appropriate regime for the establishment, maintenance and use of such registers.[5]
66.7 The NHMRC stated that the use or disclosure of health information without consent for the purposes of establishing or maintaining a register is unlikely to comply with the National Privacy Principles (NPPs). Such use and disclosure is unlikely to be a directly related secondary purpose or to be within the reasonable expectations of health consumers. The NHMRC noted that getting consent from all relevant health consumers for their health information to be included in a register is likely to be impracticable and that incomplete data sets substantially impair the utility of such registers.[6]
66.8 The NHMRC noted that establishing such registers would appear to require approval by a Human Research Ethics Committee (HREC), according to the Guidelines Approved under Section 95A of the Privacy Act 1988[7] (Section 95A Guidelines), but that it would be difficult for an HREC to decide where the balance of interests lay in relation to an individual register, in the absence of specific information about the proposed future use of the register. The NHMRC noted that health information registers raise significant privacy concerns, but considered that the registers should be permitted within a rigorous ethical and privacy framework that appropriately protects the public interest.[8]
66.9 In Essentially Yours: The Protection of Human Genetic Information in Australia (ALRC 96), the ALRC and the Australian Health Ethics Committee (AHEC) of the NHMRC gave detailed consideration to the regulation of human genetic research databases, including the issue of consent to future unspecified use of information held in such databases.[9] ALRC 96 made a number of recommendations in this regard, including:
The National Health and Medical Research Council (NHMRC), as part of its review of the National Statement on Ethical Conduct in Research Involving Humans … should amend the National Statement to provide ethical guidance on the establishment, governance and operation of human genetic research databases. The amendments (whether by means of a new chapter or otherwise) should include specific guidance on obtaining consent to unspecified future research.[10]
66.10 The revised National Statement on Ethical Conduct in Human Research (the National Statement), issued in 2007, includes a new chapter on ‘databanks’.[11] The chapter discusses establishing databanks and using the information stored in databanks for research purposes. The National Statement discusses consent requirements for collection of information into databanks, including: ‘specific consent’ that is limited to a specific research project; ‘extended consent’ for the use of information in future research projects that are closely related to the original project or in the same general area of research; and ‘unspecified consent’ for the use of information for any future research. The National Statement includes specific guidance on obtaining such consent and notes the possibility that a researcher may seek permission from an ethical review body to proceed without consent.[12]
66.11 In response to the ALRC’s Issues Paper, Review of Privacy (IP 31),[13] a number of major research institutions, including the NHMRC and the Australian Institute of Health and Welfare, reiterated that the existing provisions of the Privacy Act do not provide an appropriate regime for the establishment, maintenance and use of health registers. In its submission to IP 31, the OPC acknowledged that seeking approval to establish a health register through the HREC mechanism may present difficulties.
In the absence of a clearly identified purpose, HRECs would be unable to assess where the public interest lay in relation to the register. It may be difficult for researchers to clearly identify all prospective uses of that data at the time of submitting a research proposal. As the NHMRC put it in their submission to the OPC review, ‘by the time the questions are obvious, the opportunity to identify the person to whom the information relates or to gain consent to use the health information may be lost’.[14]
Discussion Paper proposals
66.12 In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC noted that establishing a health information database or register for research purposes, where the information is to be collected, used or disclosed without consent, would be possible under the proposed research exceptions to the Unified Privacy Principles (UPPs), but would require the approval of an HREC and would have to be done in accordance with the Research Rules issued by the Privacy Commissioner.
66.13 The ALRC proposed in DP 72 that, to assist HRECs to review proposals to establish health information databases or registers, the following issues should be addressed in the Research Rules to be issued by the Privacy Commissioner:
the process by which an HREC should review a proposal to establish a health information database or register for research purposes;
the matters an HREC should take into account in considering whether the public interest in establishing the health information database or register outweighs the public interest in maintaining the level of privacy protection provided by the UPPs; and
the fact that, where a database or register is established on the basis of HREC approval, that approval does not extend to future unspecified uses. Any future proposed use of the database or register for research would require separate review.[15]
Submissions and consultations
66.14 The OPC expressed qualified support for this proposal noting, however, that the OPC remained of the view that the Privacy Commissioner should not be the party responsible for issuing the Research Rules and that the public interest test should not be amended from ‘substantially outweighs’ to ‘outweighs’. The OPC also reiterated its view that, where a database or register is to be established for broad purposes—for example, to inform the development of public health policy—it should be established by legislation. Enabling legislation would bring the database within the ‘required or authorised by law’ exceptions to the UPPs and ensure ‘the certainty, parliamentary oversight and scrutiny needed to maintain public confidence in the way health and other sensitive information is used’.[16]
66.15 The Department of Health and Ageing (DOHA) was also of the view that, where collection of personal information into a research database was to be mandatory and done without consent, the database should be established by specific legislative provisions.[17]
66.16 The Western Australian Department of Health noted that:
Guidelines are needed to assist HRECs with the application of the public interest test to research infrastructure projects such as long term data bases or biobanks. In these cases the benefits of the research cannot be effectively evaluated because particular research projects are prospective and have not yet been developed. The value of the research is therefore speculative. Factors relevant to evaluating the public interest in these applications should include the administrative procedures for managing and securing the data over the life of the data bank or biobank, the provision of information to participants, the criteria for access and the procedures for protecting privacy.[18]
66.17 A number of stakeholders expressed support for the ALRC’s proposal to provide guidance for HRECs in relation to the establishment of registers and databases in the Research Rules to be issued by the Privacy Commissioner.[19] The NHMRC noted that it would be pleased to assist the Privacy Commissioner in developing the rules around the establishment of databases and registers.[20]
ALRC’s view
66.18 In Chapter 63, the ALRC recommends that the new Privacy (Health Information) Regulations make express provision for the collection, use and disclosure of health information without consent where necessary for the funding, management, planning, monitoring, or evaluation of a health service where:
the purpose cannot be achieved by the collection, use or disclosure of information that does not identify the individual;
it is unreasonable or impracticable for the agency or organisation to seek the individual’s consent before the collection, use or disclosure; and
the collection, use or disclosure is conducted in accordance with rules issued by the Privacy Commissioner.[21]
66.19 A provision along these lines would allow the establishment of health information databases and registers in the health services context where it is necessary to collect identified information and it is unreasonable or impracticable to seek consent. Establishing a database under this provision would not require approval by an HREC, although it would have to be done in accordance with rules issued by the Privacy Commissioner. Personal information held in such databases might then be used for research, but any proposed use would have to be conducted in accordance with the research exceptions to the UPPs and would be subject to HREC approval.
66.20 The ALRC notes that it will continue to be possible to establish particular databases or registers in the health services context or the research context by legislation, as has been done in the case of the New South Wales Pap Test Register[22] and the National Human Papillomavirus Vaccination Program Register.[23] It will also continue to be possible to establish databases or registers on the basis of consent, including specific, extended or unspecified consent as set out in the National Statement.
66.21 Where such a database is to be established purely for research purposes and the information is to be collected, used or disclosed without consent, this will also be possible under the recommended research exceptions to the model UPPs, but will require the approval of an HREC and will have to be done in accordance with the Research Rules issued by the Privacy Commissioner. On the basis of the recommendations in Chapter 65, such databases will not be confined to databases established for health and medical research, but may include databases in other areas of human research such as sociology and criminology.[24]
66.22 The ALRC notes that it is sometimes difficult for HRECs to decide where the balance of interests lies in relation to an individual register, in the absence of specific information about the proposed future use of the register. Recommendations 65–8 and 65–9 provide that HRECs consider the public interest in a proposed collection, use or disclosure of personal information without consent where it is ‘necessary for research’, and be satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the UPPs. The language used in the recommendations is deliberately broad, referring to the review of activities ‘necessary for research’, rather than review of specific research proposals in order to allow the review of activities preliminary to research—such as the establishment of registers or sample acquisition, discussed below.
66.23 In addition, Recommendation 65–3 suggests that the definition of research be amended to include the ‘compilation and analysis of statistics’. The establishment of a database or register for research purposes might also be characterised as the ‘compilation of statistics’ and reviewed on that basis.
66.24 Such databases or registers should not be established in the research context, however, in the absence of legislation or ethical review. Both these mechanisms provide a degree of scrutiny and an opportunity to assess the competing public interests. This is appropriate where personal information, including sensitive information such as health information, is to be collected, used and disclosed without consent by researchers. Agencies or organisations proposing to establish databases or registers for research purposes should be able to describe the potential future uses and benefits of the database at some level and to provide an HREC with enough information to allow the HREC to consider whether the public interest in establishing the database outweighs the public interest in maintaining the level of privacy protection provided by the Privacy Act. If the public interest in establishing the database cannot be demonstrated, the UPPs should prevail. In these circumstances it may be more appropriate to proceed on the basis of consent.
66.25 The ALRC notes that it would also be possible to seek a public interest determination from the Privacy Commissioner allowing the establishment of databases or registers for research. This process would also provide scrutiny and the opportunity to weigh the competing public interests.
66.26 In DP 72, the ALRC proposed that the Research Rules to be issued by the Privacy Commissioner under the research exceptions to the UPPs should address the process by which an HREC might review a proposal to establish a database or register for research purposes, as well as the matters an HREC should take into account in considering the public interest balance. The ALRC has considered this matter further, and is of the view that the Research Rules should be addressed to agencies and organisations that wish to establish a database or register, rather than HRECs. The Research Rules are intended to regulate the collection, use and disclosure of personal information by agencies and organisations for research purposes, rather than the conduct of HRECs.
66.27 The ALRC recommends, therefore, that the rules to be issued by the Privacy Commissioner should address in what circumstances and under what conditions it is appropriate to collect, use or disclose personal information without consent for inclusion in a database or register for research purposes. This will assist HRECs in their deliberations by setting out an acceptable framework for the establishment of databases and registers in the research context. The Privacy Commissioner and the authors of the National Statement may wish to consider providing HRECs with further assistance in the form of guidelines discussing the matters an HREC should take into account in considering the public interest balance. Such guidelines should not, however, be included in the Research Rules themselves.
66.28 The rules should make clear that where a database or register is established without consent on the basis of HREC approval, that approval does not extend to future unspecified uses. Any future use of the database or register for research would require separate consideration.
Recommendation 66-1 The Privacy Commissioner should address the following matters in the Research Rules:
(a) in what circumstances and under what conditions it is appropriate to collect, use or disclose personal information without consent for inclusion in a database or register for research purposes; and
(b) the fact that, where a database or register is established on the basis of Human Research Ethics Committee approval, that approval does not extend to future unspecified uses. Any future proposed use of the database or register for research would require separate review by a Human Research Ethics Committee.
[3] Public Health Act 1991 (NSW) s 42G.
[4] ANZDATA is located at The Queen Elizabeth Hospital in South Australia.
[5] National Health and Medical Research Council, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 10 December 2004.
[6] Ibid.
[7] National Health and Medical Research Council, Guidelines Approved under Section 95A of the Privacy Act 1988 (2001).
[8] National Health and Medical Research Council, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 10 December 2004. The Australian Nursing Federation was also of the view that collection of data for health data registers is being impeded by individual organisations’ interpretation of the Privacy Act: Australian Nursing Federation, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 1 February 2005.
[9] Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), Ch 14.
[10] Ibid, Rec 18–1.
[11] National Health and Medical Research Council, Australian Research Council and Australian Vice Chancellors’ Committee, National Statement on Ethical Conduct in Human Research (2007), Ch 3.2.
[12] Ibid, [2.2.14].
[13] Australian Law Reform Commission, Review of Privacy, IP 31 (2006).
[14] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.
[15] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 58–11.
[16] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[17] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007.
[18] Department of Health Western Australia, Submission PR 139, 23 January 2006.
[19] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; National Prescribing Service, Submission PR 547, 24 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; University of Western Sydney Human Research Ethics Committee, Submission PR 418, 7 December 2007; University of Newcastle, Submission PR 413, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.
[20] National Health and Medical Research Council, Submission PR 397, 7 December 2007.
[21] Rec 63–7.
[22] Public Health Act 1991 (NSW) pt 3B.
[23] National Health Amendment (National HPV Vaccination Program Register) Act 2007 (Cth).
[24] Rec 65–2.