Health agencies - use or disclosure of health information for research


Health agencies are required to comply with the National Privacy Principles (NPPs) set out in the Information Privacy Act 2009 (Qld) (IP Act). 

NPP 2 provides that personal information may only be used for the purpose for which it was obtained and not for any other purpose, unless one of the exceptions applies. NPP 2 also provides that personal information must not be disclosed outside the health agency unless one of the exceptions applies. 

Health specific legislation

The use and disclosure of health information is addressed specifically under the Hospital and Health Boards Act 2011 (Qld) and the Public Health Act 2005. Where those Acts do not apply, NPP 2 will generally be the relevant standard. Use and disclosure of personal information that is not health information will, in most cases, be governed solely by the applicable provisions of NPP 2. 

Definitions for NPP 2

NPP 2 (6) In this section—

child, of an individual, includes an adopted child, a stepchild and a foster-child, of the individual.

enforcement body means an enforcement body within the meaning of the Privacy Act 1988 (Cth).

parent, of an individual, includes a step-parent, adoptive parent and a foster-parent, of the individual.

relative, of an individual, means a grandchild, uncle, aunt, nephew or niece, of the individual.

sibling, of an individual, includes a half-brother, half-sister, adoptive brother, adoptive sister, stepbrother, stepsister, foster-brother and foster-sister, of the individual.

Use or disclosure of health information

NPP 2(1)(c) allows the secondary use and disclosure of health information if the use or disclosure is necessary for research or statistical compilation or analysis relevant to public health or safety. Health information may only be used or disclosed without consent for these purposes if seeking consent is impracticable. 

If a health agency wishes to rely on NPP 2(1)(c) it must first consider:

  • Is the use or disclosure necessary for the research? Can the same goal be achieved with unidentified or de-identified information?
  • How effective will de-identification of the data in the final product of the research be? More than just a name can identify an individual. 
    Carefully consider the sample size and its origin: a small geographic or professional area may lead to the identification of some or all of the subjects. 
  • For a disclosure, what steps will a health agency take to ensure the recipient does not disclose the personal information? The recipient must be bound not to further disclose the information, to safeguard it appropriately, not to use it for any other purpose and to return it or destroy it at the conclusion of the research.
  • For a disclosure, is the information being communicated outside Australia? If so, the requirements of section 33 must be met. 
  • Is it impracticable to seek the consent of the potential subjects?
  • Is the work in the public interest? 

Key concepts


When considering whether the use or disclosure is necessary, consider to what degree the health information is needed for the research. It will be a question of degree, to be determined having regard to the purpose of the research, its intended outcomes, and the extent to which it is dependent on the information. If de-identified information would serve the same purpose, then the use or disclosure of personal information is not necessary.


Research generally involves investigation using a set methodology intended to achieve a specific result. It must begin with a clearly defined goal around which the study is designed. The data gathered as part of the research must be aimed at assisting the researcher towards achieving that goal. 

It must be more than simply a reorganisation or restatement of the facts contained in the data; it must use a clear procedure to analyse a body of information or data and extract new meaning from it, or develop unique solutions to problems or cases.


Compilation or analysis of statistics is the act or process of collecting numerical data, or undertaking a detailed examination of the elements or structure of numerical data, especially in or about large quantities, and inferring conclusions for the whole from conclusions reached from the whole or a representative sample.

Public health or public safety

For research to be in the public interest, the results it is aimed at achieving, the questions it is attempting to answer, or the knowledge it is seeking to gain must be of potential benefit to more than just the health agency that holds the information or the individual conducting the research. It must contribute to the public health or public safety.

Research of this kind would commonly involve something of interest to society as a whole, or a specific segment of it, with an emphasis on areas the government has responsibility for. 

All proposed research projects where personal information is considered necessary, including ones into the above topics, must be individually assessed to determine if they are actually for the benefit of public health or public safety. 

When making this assessment, a health agency should consider:

  • How is public health or public safety being defined?
  • How is the public expected to benefit from this research? Will it bring greater knowledge, insight, or understanding, improve public safety or public health, or improve understanding of issues relating to them, or enhance the delivery or improve the effectiveness of a government service relating to the public health or public safety?
  • Is there a risk or a potential cost to the community if the research is not conducted?
  • Are the potential subjects of the research at any risk of harm as a result of their personal information being used in this way? 

Impracticable to seek consent

Consent is always the simplest and best way of using or disclosing personal information for a purpose not contemplated at the time of collection. Only if it is not practicable to seek consent can personal information be used for research. ‘Not practicable’ does not mean difficult or undesirable. To be impracticable, it must be impossible, or extremely difficult, to seek that consent. The fact that seeking consent is inconvenient or would involve expenditure of some effort or resources is not sufficient. 

The impracticability of seeking consent must not be confused with the undesirability of seeking consent. For example, it is not sufficient that, if consent were sought, refusal by some individuals would make the research project more difficult.

Whether it is impracticable to seek consent will depend on the individual circumstances. When making this determination, the following are relevant considerations:

  • the age of the information
  • whether the individuals are likely to have moved or died
  • the lack of current or ongoing contact with the individuals, and a lack of sufficient information to determine their current contact details (bearing in mind the obligation to ensure information is accurate and up to date before use)
  • whether the resources required to seek consent would be a significant drain on a health agency or researcher to the extent that the research could not be done. The size of the subject pool would be a relevant consideration.

Current as at: July 23, 2014