The primary focus of NHMRC with respect to privacy is in relation to research, balancing the need for the protection of personal privacy in data, and the need to facilitate access to data for research purposes.
Health research privacy framework
The purpose of the Privacy Act 1988 is to protect the privacy of personal information, which is a part of the broader concept of privacy. The Privacy Act gave effect to Australia's agreement to implement Guidelines adopted in 1980 by the Organisation for Economic Cooperation and Development (OECD), and fulfils Australia's relevant obligations under the 'International Covenant on Civil and Political Rights'. The Privacy Act was generally established to protect personal information held by federal government departments and agencies.
In December 2000, the Privacy Amendment (Private Sector) Act 2001 was passed by Federal Parliament. The Amendment Act extended the Privacy Act to protect personal information held by private sector organisations. Information about the Privacy Act and the Amendment Act is available from the Office of the Australian Information Commissioner.
Under the Privacy Act there are two sets of privacy principles to regulate and guide the handling of personal information: the Information Privacy Principles (IPPs), which apply to the Commonwealth public sector; and the National Privacy Principles (NPPs), which apply to the private sector. Handling personal or health information may involve, for example, the collection, use, storage and disclosure of data. Information about the privacy principles may be accessed from the Office of the Australian Information Commissioner.
The IPPs and the NPPs primarily relate to the handling of personal information. Health information is a particular subset of personal information, so that the health privacy framework is set within the general privacy framework.
Most states and territories have also enacted privacy legislation that applies to state public sectors. Some states and territories have also enacted legislation to protect privacy in the private sector.
NHMRC's role in the health privacy framework
Under the Privacy Act 1988 NHMRC is authorised to issue guidelines to protect the privacy of personal information and health information that may be accessed in the conduct of research. NHMRC has developed two sets of guidelines for the consideration of research proposals. The S95 Guidelines apply to Commonwealth public sector agencies, and were released in 2000. The S95A Guidelines apply to private sector organisations, and were released in 2001. The S95 Guidelines and the S95A Guidelines were issued with the approval of the Federal Privacy Commissioner.
It should be noted that these guidelines apply to particular kinds of research activities, i.e. they do not apply to all research through which personal or health information may be handled.
NHMRC monitors compliance with these guidelines and reports its findings to the Office of the Australian Information Commissioner.
The role of Human Research Ethics Committees (HRECs) in health privacy
In undertaking ethical assessment of research proposals, HRECs consider the protection of privacy of those participating in research, or data used in research. HRECs must first consider which legislation might apply to research proposals, i.e. Commonwealth or state/territory legislation, bearing in mind that in some cases more than one Act will apply. HRECs then consider whether a research proposal conforms to the relevant privacy principles, and where necessary, apply the S95 or S95A Guidelines or other relevant guidelines. HRECs need to consider applying the S95 or S95A Guidelines mainly in cases where consent from participants to handle their personal or health information cannot be obtained.
As part of their annual report to NHMRC, all HRECs registered with NHMRC are asked about their use of these guidelines when reviewing research proposals.
- Report of Human Research Ethics Committee (HREC) application of the Guidelines Under Section 95 of the Privacy Act 1988 and the Guidelines approved under Section 95A of the Privacy Act 1988 for the period 1 January 2012 – 31 December 2012 (PDF, 194KB)
- Report of Human Research Ethics Committee (HREC) compliance with the Guidelines Under Section 95 of the Privacy Act 1988 and the Guidelines approved under Section 95A of the Privacy Act 1988 for the period 1 January 2011 – 31 December 2011 (PDF, 393KB)
- Report of Human Research Ethics Committee (HREC) compliance with the Guidelines Under Section 95 of the Privacy Act 1988 and the Guidelines approved under Section 95A of the Privacy Act 1988 for the period 1 January 2010 – 31 December 2010 (PDF, 393KB)
- Report of Human Research Ethics Committee (HREC) compliance with the Guidelines Under Section 95 of the Privacy Act 1988 and the Guidelines approved under Section 95A of the Privacy Act 1988 for the period 1 January 2009 – 31 December 2009 (PDF, 226KB)
Revision of S95 Guidelines and S95A Guidelines
The Guidelines Under Section 95 of the Privacy Act 1988 (s95) set the current standard for the protection of privacy in the conduct of medical research involving human participants in Australia. The s95 guidelines provide a framework for the conduct of medical research using information held by Commonwealth agencies where identified information needs to be used without consent. In these situations, a Commonwealth agency may collect or disclose, in identifiable form, records for medical research purposes without infringing the Privacy Act 1988 if the proposed medical research has been approved by a properly constituted HREC in accordance with the s95 guidelines.
The Guidelines approved under Section 95A of the Privacy Act 1988 (s95A) apply to the collection, use or disclosure of health information by organisations in the private sector for the purposes of research or the compilation or analysis of statistics, relevant to public health or public safety, and in the conduct of health service management activities where it is impracticable to seek consent from the individual(s) involved.
The s95A guidelines provide a framework for HRECs and those involved in conducting research, the compilation or analysis of statistics or health service management, to weigh the public interest in the use of the health information for specific purposes.
The s95 guidelines were released in March 2000 and the s95A guidelines were released in December 2001. It is NHMRC policy to revise its guidelines every five years; however, NHMRC has decided that a review of the s95 and s95A guidelines will not take place at the present time. It is anticipated that changes to the s95 and s95A guidelines would be considered when any changes to the Privacy Act 1988, as a result of the Australian Law Reform Commission review, have been proposed.
Until such time, it should be noted that the National Statement on Ethical Conduct in Human Research 2007 and the Australian Code for the Responsible Conduct of Research 2007 should override the current references in the s95 and s95A guidelines that refer to the National Statement on Ethical Conduct in Research Involving Humans 1999 and the Joint NHMRC/AVCC Statement and Guidelines on Research Practice respectively.
Contact for further information
Health and Research Ethics Section