Privacy Act Under the Microscope
In brief: Lawyer Andrew Cameron and Partner Peter James discuss the NHMRC's submissions to the current review of Australia's privacy regime.
In 2001, Biotech News reported on the introduction of the Privacy Amendment (Private Sector) Act 2001 (Cth). This Act made significant amendments to the Privacy Act 1988 (Cth) (the Act), and included a requirement that the efficacy of the Amendments be reviewed within 2 years of introduction. The Review, being conducted by the Privacy Commissioner, was commissioned by the Attorney-General on 13 August 2004. Submissions to the Review closed on 22 December 2004, and the Final Report is expected shortly.
As part of the Review, the National Health and Medical Research Council (NHMRC) filed a number of submissions (the Submissions) detailing what it perceives to be the significant shortcomings with the current dual regime for both private and public sector agencies and organisations.
Section 95 of the Act allows the NHMRC, with the approval of the Privacy Commissioner, to issue guidelines for the protection of privacy in the conduct of medical research by agencies (the Section 95 Guidelines). The Section 95 Guidelines are to be read in conjunction with the National Statement on Ethical Conduct in Research Involving Humans.
Where an activity undertaken in an agency would breach an Information Privacy Principle (IPP), and the activity is done in the course of medical research performed in accordance with the Guidelines, it is not regarded as breaching an IPP.
Section 95A was introduced to the Act as part of the Private Sector Amendments in 2001. Section 95A allows the Commissioner to approve Guidelines issued by the NHMRC for the National Privacy Principles (NPPs). Guidelines were issued under this section in December 2001 (the Section 95A Guidelines). The Section 95A Guidelines relate to the collection, use and disclosure of health information by private sector organisations.
The Section 95A Guidelines provide a framework for the Human Research Ethics Committees of private sector organisations to:
- assess proposals to access health information (without the consent of the subject) for research, compilation or analysis of statistics, or health service management; and
- weigh up the public interest in those activities against the public interest in the protection of privacy.
Unlike the Section 95 Guidelines, compliance with the Section 95A Guidelines does not excuse a breach of the relevant National Privacy Principles. Rather, the Section 95A Guidelines are designed to ensure compliance with the National Privacy Principles.
The NHMRC has conducted a number of stakeholder surveys to evaluate the impact of the Act on health care, as well as health and medical research.
The Submissions made by the NHMRC raise the following issues:
- the Australian privacy regime is overly complex, particularly for private sector organisations that provide health care or conduct health and medical research; and
- it is not possible to review the private sector provisions of the Act in the areas of health care and health and medical research without considering the interaction with other elements of the Australian privacy regulatory regime.
The Submissions also noted that there is considerable confusion created by the dual sets of privacy principles and differing requirements for public sector agencies and private organisations. The Submissions noted that while the IPPs and NPPs are similar, they differ in some important respects and therefore have different effects on information-based activities in health care as well as in health and medical research.
Based on the results of stakeholder surveys, the NHMRC considers that there is no obvious rationale that requires health information to be managed differently as between agencies (the public sector) and organisations (the private sector), and the existence of these differences is creating confusion and resulting in incorrect interpretation of the Act in all sectors.
The NHMRC recommended the following course of action:
- The IPPs and NPPs be combined into a single set of National Privacy Principles that apply to all relevant public sector agencies and private sector organisations;
- The present distinction between the specified types of health and medical research be removed;
- Provision be made for a single set of Research Guidelines that apply to the collection, use and disclosure of health information without consent, for the specific purpose of all approved health and medical research by public sector agencies and private sector organisations to which the Act applies;
- These new Research Guidelines should be applied in a consistent manner, either to exempt agencies and organisations from breach of, or as a means to enable agencies and organisations to meet, the new National Privacy Principles; and
- The relevant section providing for the Research Guidelines be preceded by a statement highlighting the standards which apply to research involving health information and which are applied and monitored by Human Research Ethics Committees.
It is clear from the NHMRC Submissions that there is substantial concern within the biotechnology and health industries in relation to privacy obligations.
The Final Report of the Privacy Commissioner was due on 31 March 2005 and is yet to be submitted to the Attorney-General. Biotech News will continue to keep you updated with any further developments.