Privacy Education The Sydney Children’s Hospitals Network (SCHN) Research Ethics Prepared by: Asra Gholami Research Ethics Executive Officer, SCHN Date: April 2020


Content

• What is Privacy?

• Key Definitions: Personal Information

• Key Definitions: Sensitive Information

• Key Definitions: Health Information

• Reasonably Identifiable

• De-identification

• Use and disclosure of health information

• Consent

• Collecting health information for research without consent

• Use or disclosure for research without consent

• Using and disclosing genetic information without consent

• Relevant Statutory Guidelines

• Relevant Acts

• Storage, retention and disposal of research data


What is Privacy?

It’s about protecting information that says who we are, what we do, what we think and what we believe.

Reference: The Office of the Australian Information Commissioner (OAIC)

A short video (length: 1:22 mins) gives more information about privacy: https://www.youtube.com/watch?v=wmCE_CkV58I&t=4s


Key Definitions: Personal Information

Personal Information is any information or an opinion about an identified individual, or an individual who is reasonably identifiable.

Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details, employment details and commentary or opinion about a person.

What constitutes personal information will vary, depending on whether an individual can be identified or is reasonably identifiable in the particular circumstances.

Important: Personal information that has been de-identified will no longer be personal information.

Reference: https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/


Key Definitions: Sensitive Information

Sensitive information is a subset of personal information and is defined as information or an opinion about an individual’s:

• racial or ethnic origin

• political opinions or associations

• religious or philosophical beliefs

• trade union membership or associations

• sexual orientation or practices

• criminal record

• health or genetic information

• some aspects of biometric information

Sensitive information has a higher level of privacy protection than other personal information.

Reference: https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/


Key Definitions: Health Information

Health information is information or an opinion, that is also personal information, about:

• the health or a disability (at any time) of an individual, or

• an individual's expressed wishes about the future provision of health services to him or her, or

• a health service provided, or to be provided, to an individual, or

• other personal information collected to provide, or in providing, a health service, or

• other personal information about an individual collected in connection with the donation, or intended donation, by the individual of their body parts, organs or body substances, or

• genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.

Reference: https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/


Reasonably Identifiable

Whether an individual is ‘reasonably identifiable’ from particular information will depend on considerations that include:

• the nature and amount of information

• the circumstances of its receipt

• who will have access to the information

• other information either held by or available to the organization that holds the information

• whether it is possible for the individual or entity that holds the information to identify the individual, using available resources (including other information available to that individual or entity). Where it may be possible to identify an individual using available resources, the practicability, including the time and cost involved, will be relevant to deciding whether an individual is ‘reasonably identifiable’.

• if the information is publicly released, whether a reasonable member of the public who accesses that information would be able to identify the individual

Reference: https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/


Reasonably Identifiable - Examples

Example 1

• Most entities and individuals would encounter difficulty in using a license plate number to identify the registrant of a car, as they would not have access to the car registration database. By contrast, an agency or individual with access to that database may be able to identify the registrant. Accordingly, the license plate number may be ‘personal information’ held by that agency or individual, but may not be personal information if held by another entity.

Example 2

• Information that an unnamed person with a certain medical condition lives in a specific postcode area may not enable the individual to be identified and would not therefore be personal information. By contrast, it may be personal information if held by an entity or individual with specific knowledge that could link an individual to the medical condition and the postcode.

Reference: https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/


Important notes!

• Even though it may be technically possible to identify an individual from information, if doing so is so impractical that there is almost no likelihood of it occurring, the information would not generally be regarded as ‘personal information’.

• Where it is unclear whether an individual is ‘reasonably identifiable’, an organisation should err on the side of caution and treat the information as personal information.

Reference: https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/


De-identification

• De-identification involves removing or altering information that identifies an individual or is reasonably likely to do so.

• De-identification involves two steps. The first is the removal of direct identifiers. The second is taking one or both of the following additional steps:

• the removal or alteration of other information that could potentially be used to re-identify an individual, and/or

• the use of controls and safeguards in the data access environment to prevent re-identification.

Reference: https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/

NOTE: Information that has undergone an appropriate and robust de-identification process is not personal information, and is therefore not subject to the Privacy Act.


Use and disclosure of health information

• When using and / or disclosing health information, researchers should first consider whether their research objectives could be achieved, as applicable, by direct collection of the information from individuals, by use of de-identified or anonymous information and by obtaining consent.

• Only if none of these options are available, or practicable, should a research project rely on the exemption in the Privacy Act for waiver of consent.

Reference: https://www.ipc.nsw.gov.au/sites/default/files/2020-01/Statutory_Guidelines_on_Research_section_27B_September_2019.pdf


Consent

• As per both the Privacy Act and the National Statement on Ethical Conduct in Human Research, consent should be voluntary, based on sufficient information and adequate understanding of both the proposed research and the implications of participating in it.

Children & Young people

• The Privacy Act does not specify an age after which individuals can make their own privacy decisions. Organisations are required to determine on a case-by-case basis whether an individual under the age of 18 has the capacity to consent.

• Where it is impractical to assess capacity on a case-by-case basis, the Office of the Australian Information Commissioner requires that those under the age of 15 are presumed not to have capacity to consent.

• In assessing whether an individual under the age of 18 can consent to their own participation, the HRECs must consider the following:

• Whether the research project meets the requirements of the National Statement, paragraph 4.2.9; AND

• The processes proposed by the research team to assess the individual’s capacity and maturity to understand the nature and demands of the research.

References: https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/ & https://www.nhmrc.gov.au/about-us/publications/national-statement-ethical-conduct-human-research-2007-updated-2018#toc__1227


Collecting health information for research without consent

Reference: https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-health-privacy/chapter-9-research/

• Researchers can collect health information without consent where it is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety, and:

• the particular research purpose cannot be served by collecting de-identified information

• it is impracticable to obtain the individual’s consent, and

• the collection is in accordance with the relevant statutory guidelines.

IMPORTANT NOTE: If researchers collect health information under this exception, they must take reasonable steps to de-identify that information before disclosing it.


Example

• A research project involves linking information about individuals from two or more electronic databases. Researchers need identified information to correctly link the two data sets. In this case, de-identified health information will not achieve the project’s purpose.

• In this example, researchers should de-identify the information once they have linked the two data sets and no longer require identified data.

Reference: https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-health-privacy/chapter-9-research/


Use or disclosure for research without consent

Reference: https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-health-privacy/chapter-9-research/

• Researchers are also allowed to use or disclose health information without consent where this is necessary* for research, or the compilation or analysis of statistics, relevant to public health or public safety, and:

• it is impracticable to obtain the individual’s consent

• the use or disclosure is conducted in accordance with the relevant statutory guidelines

• in the case of disclosure — researchers reasonably believe that the recipient will not disclose the information, or personal information derived from it.

• where the information could reasonably be expected to identify individuals – it is not published in a publicly available publication.

*Whether a use or disclosure is ‘necessary’ depends on whether the particular purpose could be achieved by using or disclosing de-identified information. If so, the use or disclosure of health information would not be considered necessary, and only de-identified information must be used or disclosed.


Using and disclosing genetic information without consent

Reference: https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-health-privacy/chapter-9-research/

Where a health service provider has not been able to obtain consent from the patient, the Privacy Act allows the use and disclosure of genetic information where:

• the health service provider obtained the genetic information in the course of providing a health service to the patient

• the health service provider reasonably believes that there is a serious threat to the life, health or safety of a genetic relative of the patient

• the use or disclosure to the genetic relative is necessary to lessen or prevent that threat

• the health service provider has complied with the Guidelines issued under section 95AA of the Privacy Act

• in the case of disclosure, the recipient of the information is a genetic relative of the patient.


Relevant Statutory Guidelines

Researchers must follow these legally binding statutory guidelines when handling health information for research purposes without individuals' consent. The guidelines also assist HRECs in deciding whether to approve research applications.

• NSW Statutory Guidelines on Research (updated 2019) – For information from NSW State departments / agencies

• Guidelines under Section 95 of the Privacy Act 1988 – For information from Commonwealth State departments / agencies

• Guidelines under Section 95A of the Privacy Act 1988 – For information from private agencies

Reference: https://www.oaic.gov.au/privacy/the-privacy-act/health-and-medical-research/


Relevant Statutory Guidelines - continued

• For research conducted in Victoria or ACT, researchers may also be subject to additional requirements. While these requirements largely reflect the s 95A guidelines, some differences may exist. For instance, Victorian guidelines and ACT legislation refer to research, statistical compilation and analysis in the ‘public interest’ rather than research relating to ‘public health or public safety’.

• For research conducted in other states, the researchers and HRECs should refer to the s 95A guidelines.

Reference: https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-health-privacy/chapter-9-research/


Relevant Acts

• Privacy Act 1988 (Privacy Act)

• Privacy and Personal Information Protection Act 1998 (NSW)


Storage, retention and disposal of research data

• Storage, retention and disposal of research data must be in accordance with relevant privacy and ethical principles and confidentiality agreements.

• As per the National Statement (paragraph 3.1.45), researchers should develop a data management plan that addresses their intentions related to generation, collection, access, use, analysis, disclosure, storage, retention, disposal, sharing and re-use of data and information, the risks associated with these activities and any strategies for minimising those risks.

• This plan must include information about the security of the proposed physical, online or other technological systems utilised to handle participant data.

• Data, information and biospecimens used in research should be disposed of in a manner that is safe and secure, consistent with the consent obtained and any legal requirements and appropriate to the design of the research (National Statement, 3.1.49).


Research Ethics Contact Details

• Tel: (02) 9845 1253

• Email: [email protected]

Talk to us if you need more help or if you’re unsure!

Disclaimer: these slides were prepared based on the guidelines and regulations as of April 2020. They do not include any revisions/new provisions introduced after this date.