Privacy Law and Policy Reporter
The AHEC's Privacy Working Group (Professor Donald Chalmers, AHEC Chair; Ms Jo Cooper, Senior Lecturer in health law, Psychiatry Professor Ross Kalucy, and Privacy Commissioner Kevin O'Connor) have released the revised draft of the NHMRC guidelines with an information paper explaining their purpose.
The papers are supposed to be for consultation purposes but were mailed from the Commissioner on 28 October, with a deadline for comments by 28 November, and the new guidelines are required to come into force on 1 January 1995 (see 1 PLPR 112).
The information paper contains a very useful diagrammatic explanation of how limited is the scope of the NHMRC guidelines. They are only applicable if there might be a breach of the IPPs in the Privacy Act 1988 (Cth), and that can only occur where personal information obtained from a Commonwealth government agency, which is not generally available to the public, is used for research in an identified form and without the consent of the subjects of the information. Their purpose is simply to provide a statutory defence to what would otherwise be a breach of the IPPs, provided the guidelines are complied with.
The guidelines have another specific role in that the Electoral Commission is authorised to provide information about the 'occupations, sex or dates of birth of electors' for the conduct of medical research authorised by the guidelines, or for public health screening programs (reg 10, Electoral Act Regulations).
The five draft guidelines concern (a) their scope; (b) procedures to be followed by researchers in drawing up protocols for approval; (c) factors to be considered by IECs in giving approval, recording decisions, and monitoring research; (d) NHMRC's audit and reporting responsibilities; and (e) review of the guidelines.
The existing 1991 guidelines were expressed to lapse after a period of time (with the consequence that medical researchers would come directly under the IPPs if they were not renewed). The draft guidelines never lapse, they merely have to be 'reviewed' by NHMRC prior to 1998, 'taking into account' any concerns the Commissioner has. Since the guidelines will never lapse, this means that the Commissioner effectively surrenders his existing ongoing control over them. He will only have the ability to refuse to approve new guidelines proposed by NHMRC, but the existing ones will never lapse.
The draft guidelines are substantially different (at least in structure) from the existing 1 July 1991 guidelines (see Federal Privacy Handbook 603-613), but neither the information paper nor the draft guidelines give any indication of where the differences arise, leaving it to the reader to work it out.
The AHEC comments that, because of their limited scope, 'ethics committees are required to apply the s 95 guidelines only occasionally if at all', and have therefore 'found it difficult to become familiar' with them. The information paper gives no empirical information as to whether or where the Guidelines have been used or should have been used in the past, even though NHMRC is required to report annually on their use (guideline 3.16 of 1991). However, anecdotal evidence suggests that it is the practice of at least some Institutional Ethics Committees (IECs) to use the guidelines in relation to all research proposals, whether they are required or not. The AHEC encourages researchers to apply the guidelines to all medical research.
The crucial initial questions about privacy and medical research are: (a) can the research be carried out without the use of identified personal information?; (b) if not, can the consent of the persons that the information is about be obtained?; and (c) if not, should the privacy requirement of consent be waived because of the public interest in the proposed research? In other words, what justification is there for a specific research project proceeding without subject consent?
These questions are only addressed tangentially at two points in the draft guidelines: guideline 3.3(c) says that an IEC must consider, inter alia whether the research design can not be satisfied in any other way and the scientific problems that might arise if the research were not conducted in the manner proposed; and guideline 2.3 says that a protocol must state 'the reasons why personal information is needed'.
The careful reader who also had the information paper might conclude that these were skilful allusions to the AHEC's following comment (which is not part of any guidelines):Could the research be undertaken without breaching the IPPs?
IECs should consider whether the purpose of the research could be achieved using de-identified information. If IECs think that the use of de-identified information would be feasible and practical, this should be negotiated with the researcher. Similarly, IECs should consider whether it is reasonable for the research to proceed without the consent of the individuals concerned.
The 1991 guidelines were a little more blunt:
Where consent has not been given or is not proposed to be given for the collection or disclosure of personal information by a Commonwealth agency, the IEC must be satisfied that there are sufficient grounds for not seeking that consent. (guideline 3.6).
While this does not provide any guidance as to when 'sufficient grounds' do and do not exist at least it is explicit acknowledgment of the issue in guidelines themselves.
The new draft seems to be bending over backwards to avoid telling medical researchers that they are obliged to take consent seriously. Is it likely that any IEC would now refuse to approve a research proposal on the grounds of lack of consent - would they read between the lines? A problem for the AHEC is that, if it did say anything meaningful about when consent did and did not need to be obtained, there would probably be few reasons to limit the application of these comments to research using Commonwealth agency information, so it would be likely to be controversial with all medical researchers.
Perhaps these comments are too harsh - perhaps no medical research using identified information goes ahead in Australia without the consent of the individuals concerned unless there are overwhelming practical problems in obtaining it, and only then for research where the public interest clearly outweighs the privacy concern at being a compulsory research subject. In the absence of evidence, it is difficult to just assume this is so.
It should also be stressed that the rest of Guideline 3 (concerning the factors to be considered by IECs in determining whether an IPP-breaching research proposal is justified) is exemplary in its consideration for the interests of the persons that the information is about.
For the reasons set out above, most of the other guidelines are, from a privacy perspective, in the nature of a 'mopping up' operation (though an important one) after the crucial decisions as to whether a privacy invasion will occur have been taken.Repeal s 95?
The s 95 process is an aberration in the Privacy Act. All other exemptions from the operation of particular IPPs are dealt with through the Public Interest Determination process (Pt VI) which involves three major differences from s 95: (a) Determinations (exemptions) are drafted by the Commissioner, not the agency concerned or the users of the information; (b) any Determinations are disallowable instruments, so Parliament has the final say as to whether they are in the public interest; and (3) there is a compulsory process of public submissions and hearings.
The Pt VI procedures are far from perfect. They need amendment to allow parties other than agencies to seek exemptions from the IPPs, so agencies cannot use them as a form of 'Official Secrets Act'. They also need a procedure for emergency determinations to be made, with ex-post-facto confirmation after proper consultation.
The NHMRC Guidelines are an object lesson in why the s 95 model should not be followed when other sectors are brought within the scope of the Privacy Act. It might be better if s 95 were repealed, Pt VI amended, and the whole medical research guideline process put more squarely within the Privacy Commissioner's responsibilities. NHMRC and AHEC would still of course play the major role but they should not run the process.