University of New South Wales Law Journal

ANDREW E GRULICH^[*] AND JOHN M KALDOR^[**]

[1] The status of ethical considerations in the provision of health care has undergone a substantial evolution over the past 50 years. This development was partially a response to particular abuses of human rights that had occurred in the name of health research,[1 ]but it was also a manifestation of the wider consumer rights movement that arose in a number of countries over the same time period. Through legal and political processes, a range of patient rights and health care worker responsibilities were identified and enshrined in a series of documents, among the first of which was the Helsinki Declaration of 1964.[2]

[2] While concern about experimentation on human beings was the main motivation behind these developments, standards and procedures have also been developed and applied to studies and public health investigations that do not involve experimentation on subjects (‘observational research’). In some studies and investigations, information is collected exclusively from medical records and from tests that would normally be undertaken in the course of patient care. However, other studies may involve specially developed questionnaires or tests that are administered purely for the purposes of the research.

[3] Although observational research does not involve the same potential for direct harm as experimental research, it has become clear over the past few decades that it nevertheless raises significant ethical issues, among which the protection of privacy has proved central.

[4] Put in its simplest terms, the principle of privacy protection (as it applies in the area of health) entails that people must be able to seek and obtain health care without being publicly exposed or obliged to provide information that is not directly relevant to their care. Furthermore, medical information relating to an individual must be accessible only to those people who need it to provide care, and must be used by them for this purpose only.[3]

[5] There are, however, a number of aspects or types of medical information that can be used by health researchers or public health authorities to provide a health benefit to people other than those to whom it directly pertains. This benefit may be direct, for example, through the tracing of contacts of a person with an infectious disease, thereby allowing others who have been exposed to be diagnosed and treated. But more often the benefit is indirect, and arises through research that provides new knowledge about the prevention or treatment of disease.

[6] Recognising the potential benefits that may flow from the use of an individual’s information other than for the purposes of providing them with health care, laws and regulations have been devised to facilitate legitimate uses of medical information relating to individuals, while still protecting their privacy as far as possible. This article describes the ways in which public health and research practice relies on information obtained about individuals through the provision of their health care, and briefly assesses the principal mechanisms developed to balance the apparently competing needs of information and privacy.

[7] The concept of privacy can be seen as deriving from the principle that individuals have a part of their lives from which they should be able to exclude any intrusion.[4] In practice, privacy is largely a cultural construct, with a meaning that differs markedly across countries and communities. In the Australian context, privacy legislation has been primarily concerned with the protection of information relating to individuals (that is, data protection). A series of information privacy principles have been identified and used as the basis for legislation such as the Privacy Act 1988 (Cth) (‘Privacy Act’).[5] These laws, and related codes of practice, cover a broad range of institutional settings, including the health care system.

[8] As they apply to health care, the Information Privacy Principles in the Privacy Act are quite explicit in their exclusion of the use of individuals’ information for any purpose other than the provision of health care to those individuals.[6] There are a number of ways in which the Principles may be breached by the implementation of research and investigation procedures aimed at providing a health benefit to people other than the individual in question. The following (non-exhaustive) list of examples demonstrates the scope for violation of individual privacy in observational research.

[9] The conduct of most health research requires the involvement of people other than those directly responsible for the care of the study subjects. As soon as such people become aware of information that identifies study subjects (and which was obtained through their medical care), there has been a violation of the subjects’ privacy.

[10] In some investigations, a subject may be contacted by a third party to provide further information. This situation can arise when a public health authority is trying to find the source of an outbreak of an infectious disease, or in studies involving subjects who have been reported through a routine mechanism such as cancer registration.

[11] For example, in investigating disease causation, people with a particular condition may be asked about a range of factors in their lives that preceded the diagnosis of the condition, and that have no bearing on its treatment. Similarly, a number of studies involve tests that have no benefit for the individual study subject. Knowledge of the results of these tests by others may be construed as an invasion of privacy.

[12] Investigators may obtain information beyond that involved in patient care by linking to other, pre-existing registers and databases and thus collect data on exposure and disease outcome for an individual.

[13] Once the information collection is complete, the results are analysed and a report is generally prepared for external presentation. Even if no individual patient information is included in the report, there is the possibility that this step can be perceived as a violation of the privacy of the subjects of the investigation.

[14] Three broad approaches have been employed to allow researchers and health authorities to undertake investigations that involve intrusions into individual privacy.

[15] The most straightforward and conceptually satisfactory solution is to obtain subjects’ consent for any proposed violations of their privacy. Informed consent is recognised as an ethical and legal requirement for the provision of health services more generally. If potential study subjects are given a clear explanation of the nature of the investigation being undertaken, they can make an informed decision as to whether or not they wish to permit any consequent loss of privacy.

[16] In practice, a number of difficulties arise with the use of informed consent. First of all, it will not always be possible to contact all people who are of interest in a health study. Some may have died, moved away, or be otherwise uncontactable. Among those who can be contacted, there is likely to be a great deal of variation in the degree to which they can truly understand a research project that is explained to them, regardless of whether or not English is their second language.

[17] Further, in some studies, the precise objective of the investigation is deliberately concealed from subjects in order to minimise various forms of bias. Consent in these situations could not be said to be truly informed. Another issue is the potential influence of the person seeking the individual’s consent, who may well be a doctor or other health care worker with a relationship of influence over the potential participant. Finally, under some study designs (for example, when potential study participants are selected from a disease registry), the very process of approaching a potential subject involves an invasion of privacy, even before the process of obtaining consent has begun.

[18] Many studies that have provided crucial information on disease causation would have been seriously constrained by a requirement that individual consent be sought from participants. For example, studies that have demonstrated the long-term risks of various forms of occupation have relied on industry or union records of large numbers of people who are either no longer alive, or who would be very difficult to contact. Hospital and clinic records have also been the basis for important research, undertaken without individual consent for the same reasons. Had consent been required in these studies, either the studies would simply not have gone ahead, as costs would have been prohibitive, or they would have been restricted to those subjects from whom consent had been obtained, possibly introducing serious bias into their results and certainly limiting their reliability.

[19] All health jurisdictions in Australia have powers under public health legislation to require the provision of health information about individuals for purposes other than their health care.[7] One of the main applications of this power is in the area of disease surveillance, which is generally based on laws that require doctors or laboratories to provide public health officials with information related to new diagnoses of specified diseases. The purpose of disease surveillance is to facilitate public health responses, both acute and strategic. The timely identification of outbreaks allows action to be taken quickly so that the general public’s health can be protected. Although outbreaks attract public attention, disease surveillance continually informs the public health response to a variety of infectious and non-infectious diseases, allowing the development of government policy in the provision and improvement of health services.

[20] Disease surveillance usually involves the collection of fully identified patient data in order to avoid duplicate notifications, and to provide a means of contacting affected individuals to facilitate further investigation of disease causation.

[21] Although the collection of identified data for public health practice is in general covered by legislation, there has been considerable debate about whether individual consent for collection of data should be required, given the increasing concerns about individual privacy. Generally, the public health authorities have justified their powers in the name of the public good. If an immediate response is required to protect the health of others, individuals should be obliged to provide information of relevance to disease control, even at the expense of their privacy. Privacy concerns are nevertheless recognised, as the legislation empowering health authorities to collect information without consent also provides for strong safeguards to ensure that individually identified data is used with great care. For example, identified data is typically available only to the agency authorised to collect it; it must be kept securely on protected databases; and there are substantial penalties for unauthorised release of information to third parties.[8]

[22] For some diseases, such as sexually transmitted infections, it has been argued that there is no immediate public health response required, and that legislation should therefore not require reporting by name, provided that duplicates can be adequately identified by a suitable coding scheme. Furthermore, if the disease is associated with potential discrimination, people may actually avoid seeking diagnosis or medical attention if they are concerned about a mandatory provision that requires their names to be reported to public health authorities.[9] Considerations such as these have led over the past decade to all jurisdictions in Australia modifying their public health legislation to make HIV infection and AIDS reportable under code only.

[23] Ethical scrutiny of medical research in most countries has been assigned to a network of institutional committees, generally based at hospitals, universities, government health departments, or other agencies with an involvement in health.[10] Although the original motivation for the establishment of institutional research ethics committees was the need to control human experimentation, their role has since broadened to include overseeing observational health research. If individuals are asked to complete questionnaires or submit to additional tests in the course of a study, it is an ethical requirement that the study be designed well enough to be able to achieve its stated objectives.[11] Ethics committees are essentially asked to make a determination as to whether the benefit to be obtained from the research is sufficient to justify the burden placed on study subjects through their involvement.

[24] Apart from the loss of their time, and perhaps various forms of discomfort arising from specific testing procedures, the violation of privacy is probably the major burden placed on study subjects by observational research. If all study procedures are undertaken with informed consent, the usual role of ethics committees in privacy protection is to ensure that information collected through the study is adequately protected against unauthorised use.

[25] The role of ethics committees in reviewing studies becomes more complicated if a study proposes procedures for obtaining information without consent. In 1991, the National Health and Medical Research Council and the Federal Privacy Commissioner released Guidelines for the Protection of Privacy in the Conduct of Medical Research (‘Medical Research Guidelines’),[12] which govern the use of personal information obtained without consent in observational health research. The Medical Research Guidelines require that an institutional ethics committee assess the benefit to the wider population that might arise from the research, and weigh it against the harm that might result from the violation of the study subjects’ privacy (arising through the absence of consent). As expressed in the most recent version of the Medical Research Guidelines, an ethics committee can choose to approve the collection of identifying or potentially identifying information without individual consent provided that:
(a) Either (i) the procedures required to obtain consent are likely either to cause unnecessary anxiety for those whose consent would be sought, or to prejudice the scientific value of the research, and there will be no disadvantage to the participants or their relatives or to any collectivity involved; or (ii) it is impossible in practice, due to the quantity, age or accessibility of the records to be studied to obtain consent; and
(b) The public interest in the research outweighs to a substantial degree the public interest in privacy.[13]

[26] This approach is appealing as it provides a mechanism for approval that considers each application on its merits. Closer scrutiny does, however, reveal some practical difficulties. First, there is little guidance given to ethics committees as to how they are supposed to measure and weigh up the competing costs and benefits of the research. Each committee must be able to judge the study design, to determine whether or not there may be viable alternatives that involve consent, as well as the public interest value of the research finding, before the research has even begun. There is also no way to standardise these assessments across the many committees that are asked to approve research of this kind in Australia.

[27] Furthermore, there is no consensus among the State and Territory jurisdictions in Australia about the relationship between the Medical Research Guidelines and the various forms of privacy legislation that have been separately implemented. One seemingly simple but central issue that has not been clearly resolved is the definition of ‘identifying information’. Clearly a person’s name or address would qualify as identifying, and a hospital serial number would not, but in between these extremes there is a range of alternatives that have been used. For example, national reporting of new diagnoses of HIV infection and AIDS has employed a ‘name code’ consisting of the first two letters of the given and family names of the subject, as well as their date of birth.[14] Use of this data is seen as providing sufficient precision to minimise duplicate reporting, while still ensuring that individuals cannot be identified. Yet although there has never been a real or perceived breach of privacy under this system, concerns have been raised from time to time that, in some cases, and in the wrong hands, the birth date and name code of an individual can in fact become identifying information.

[28] Well justified societal concerns about privacy have led to increasing regulation of individual information in a wide range of contexts. While privacy protection is generally seen as a public good, we believe it is important that its application to the health care system does not lead to a curtailment of beneficial research and investigation. On the other hand, there has sometimes been a tendency for health researchers to regard privacy legislation as an externally imposed burden, not because they disagree with its objectives, but because they feel that they are capable of respecting its principles without being compelled to do so. While the vast majority of practitioners may be excellent judges of community privacy standards, the regulatory framework now provides formal protection against those who are not. Yet the promulgation of privacy legislation and guidelines at both federal and State level has resulted in inconsistencies in the specific provisions of privacy law as they relate to health research, and particularly in the application of such law. The health research sector needs to ensure that its own position is clearly and logically communicated wherever the potential for violation of privacy is present. In fact, only increased communication between users of health information, representatives of people who might be adversely affected by its misuse, and people whose profession entails drafting legislation, can ensure that the balance is maintained between the sometimes competing (but equally important) needs of privacy and the provision of health information for research.