10.0 Privacy, confidentiality and the law
- 10.1 Introduction
- 10.2 Privacy in research
- 10.3 Collecting personal information
- 10.4 Waiving consent
- 10.5 Protecting confidentiality
- 10.6 Duty of disclosure
- 10.7 Privacy and the reuse of data
- 10.8 Privacy and data storage
- 10.9 Transborder data flow
- 10.10 Privacy and deceased persons
Privacy is a significant public issue, and many people have concerns about access to and use of their information, as well as continual solicitation from cold callers wanting sales, donations or comments. People are aware of their right to privacy and may be disturbed or angry if they suspect that their details have been used without their consent. Information privacy is the subject of both Commonwealth and state legislation. Compliance with privacy guidelines is an important issue both for research integrity, and to preserve and promote trust in the research process.
The Australian information privacy regime is a combination of Commonwealth and state legislation and guidelines.
The Commonwealth guidelines are based on the Privacy Act 1988. Pursuant to the Privacy Act, there are guidelines under s 95 and section 95A which relate to collection, use and disclosure of personal information in research.
Although Deakin University as a Victorian state organisation is not subject to the Privacy Act, if Deakin researchers wish to obtain data from Commonwealth or private organisations which are, they will need to comply with the Act and its guidelines.
The states also have their own privacy requirements. In Victoria these include the Information Privacy Act 2000 (Vic)and the Health Records Act 2001 (Vic). There are also statutory guidelines issued by the Health Services Commissioner (Victoria) that allow waiver of consent for use of health information in research where the requirements are met. Deakin as a Victorian statutory organisation is subject to these requirements.
Where data are collected or used outside Victoria other guidelines may apply. There is a useful summary of Australian state legislation available on the Victorian privacy website.
If information is being collected in another country, you will also need to be aware of any requirements in that jurisdiction and comply with them.
Privacy can mean different things in different contexts. In terms of research and research ethics, it relates to the collection, use or disclosure of personal information for research purposes. Personal information is defined legislatively, for example in the Victorian Information Privacy Act as:
"... information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion."
It should be noted that the judgement of whether data are identifying in the hands of the researcher is based on the form in which the researcher has access to them. If the data (eg medical records) are accessed in identifying form, but recorded by the researcher without identifiers, this is still considered to be identifying data.
Privacy is considered in various ways through the National Statement, legislation and guidelines. Based on respect for persons, and the risk of harm in releasing personal information, there is a presumption that identifiable information should remain confidential unless the person has given explicit consent for its publication.
There is an exception to this requirement in relation to research, which allows an HREC to dispense with the consent requirement for the use of information.
Based on these requirements, information that identifies individual people may be collected, used or disclosed in research only:
- if the person involved has given informed consent to the collection, use or disclosure, or
- if the information is non-identifying, or
- if permission to dispense with consent in accordance with the applicable legislation has been given by a fully constituted HREC.
When seeking to find and recruit research participants, the least problematic sources of information are public. This includes phone books and other directories, information on websites, and any other information which is available without special permission or access.
Alternatively, if there is a list or database of people whom you wish to contact and they have given permission for their details to be supplied to researchers, their details may also be passed on to you. An example of this is a clinical register where patients have been asked to nominate whether they may be contacted for research purposes and have responded in the affirmative.
If your recruitment strategy requires access to a mailing list or other restricted information, the best approach will usually be to ask someone who normally has access to the list to pass your contact information on to the potential participants. In most cases it will not be possible for contact details to be supplied to you. For more information about this see the section on recruitment.
When collecting personal information from someone, you are required by law to inform them of:
- the identity of the organisation collecting the information,
- the fact that they are able to gain access to the information,
- the purposes for which the information was collected,
- to whom the organisation usually discloses information of this kind,
- any law that required the information to be collected, and
- the consequences (if any) if the information is not provided.
Information Privacy Principles, 1.3, Information Privacy Act (Vic) 2000, schedule 1
These are the requirements under the Information Privacy Act 2000 (Vic), but similar information is required under the commonwealth legislation and guidelines. For this reason, these elements are included in the various Plain Language Statement and Consent guidelines.
Where identifying information about a person is being obtained from third parties (either other people or existing records) you must obtain permission from the person to use the information. The exception to this is where a waiver of consent has been given by an HREC.
Waiver of consent for use of personal information in research requires approval from a fully constituted HREC. It cannot be given by a HEAG or executive process. The requirements vary slightly in relation to the types of information involved and to the organisation holding the information, but the basic requirements are common to all. The HREC must make the following findings:
- that the research is covered by the particular guidelines,
- that the public interest in conducting the research substantially outweighs the public interest in maintaining the privacy of the information,
- that the research cannot be conducted using non-identifiable information,
- that it is not practicable to obtain consent,
- that there is no reason to think that the people whose information is involved would not consent, and
- that the information will be kept at least as securely by the researchers as it was by the original custodians.
As noted above there are a three potential sets of guidelines. They are all based on the same fundamental requirements, but differ slightly in detail. The following chart will help you determine which guidelines apply to your research.
|Section 95 Guidelines||Section 95A Guidelines||Health Services Commissioner's Guidelines|
|Nature of proposed activity||medical research||research and statistical compilation and analysis relevant to public health and public safety||research and statistical compilation and analysis, in the public interest|
|Type of organisation proposing to collect, use or disclose||any organisation wanting to use personal information held by a Commonwealth agency; Commonwealth agency wanting to release personal information||any private sector health service provider; private sector organisations with annual turnover of more than $3 million||any Victorian public sector organisation; any private sector organisation collecting, using or disclosing health information in Victoria|
|Tasks for proposers||Substantially the same: ensure proposal fits within relevant criteria, then submit proposal to HREC for approval; content of proposal, including matters to be addressed, substantially the same.|
|Tasks for HREC||Substantially the same: must determine whether the public interest in conducting the research substantially outweighs the public interest in maintaining the level of privacy; minor differences reflect differences in State and Commonwealth privacy laws.|
|Content of guidelines||Substantially the same||Has separate sections for 'research' and 'compilation or analysis of statistics'||Same section deals with research and compilation or analysis of statistics|
|Reporting annually by HREC||Report to AHEC||Report to AHEC||Report to Health Services Commissioner|
Because the NEAF deals only with Commonwealth requirements, it does not necessarily cover the information required for waiver of consent under the Health Records Act statutory guidelines. For this reason all Deakin University ethics applications which involve a request for DUHREC to waive the requirement for consent must include the Victorian Privacy Supplement (DOCX, 68.4 KB) . This captures the information required to confirm that the project complies with Victorian privacy guidelines.
It is common in hospital studies to conduct audits both for quality assurance (QA) and research purposes. These studies often involve use of patient records which are necessarily identified. Many hospitals have, in the past, considered these studies to be QA and not to require full ethics approval, whether or not the data are identified.
Deakin considers these studies to be research where the data collected during audits of this kind are subsequently used outside the organisation (ie for a staff or student research project). Accordingly, if the data are to be accessed in identified form without prior informed consent, then the project will require HREC approval for a waiver of consent, either from the hospital's own HREC or from Deakin HREC.
In all stages of human research it is vital to keep faith with the participants. During recruitment people are provided with information and assurances about what will happen to them, and about how their information will used and stored both during and after the research process. It is very important that these representations be honest and accurate.
In describing levels of confidentiality, you must consider the form in which the information will be collected, and how it will be stored.
Information is non-identifiable if it was collected without identifiers or if all identifiers have been permanently removed. No one, including the researchers can be aware of the sources of the particular information. If information is accessed or collected in identifiable form, but the identifiers are later removed and it is stored anonymously, this needs to be explained.
An important point to remember is that if information is anonymous, the contributions of particular participants cannot be separated from the aggregated information. In this situation participants must be informed that once their information is submitted they will not be able to access or withdraw it.
Information is re-identifiable if it is not directly identified (ie the names and direct identifiers have been removed) but still contains coding or other information which would allow the source of the information to be known.
Re-identified data are considered in the same way as identified for most legal purposes (in particular for waiver of consent).
Information is identified if it contains the name or other identifying details of the person to whom it relates. This includes situations where the combination of data points (eg a student's course, gender, age and nationality) could potentially identify the person.
There are also circumstances (eg when a study involves someone who is a public figure) where it may be necessary and appropriate to identify the source of information. In this situation, the participant must be informed of what is planned, and their consent for the use of identified data obtained in writing.
In most projects researchers will assure participants of the confidentiality of their data. This means that although the research team may be able to identify particular contributions, the information will not be released in a form that can identify the participant. This will often mean that data will only be published in aggregated form. If individual data are to be published, even with identifiers removed, it is important to be aware of the potential for identification by inference.
In some types of projects (usually in qualitative research) the data are such that it is possible for people to be identified by their contribution. For example, in a qualitative study of people who use a particular service, a person's story might identify them to acquaintances, or others aware of their experiences. In some cases this can be dealt with by combining profiles or altering individual details. However, if extended quotes or unaltered individual information are to be used, then the person should be asked to explicitly review this and give permission. As with fully identified data the best option in this situation is to clearly explain the potential for identification and obtain written consent from the participant for the use of the information.
All participants are able to withdraw from a research project at any time without giving a reason. Where data are stored in a form which is identified or identifiable, participants may also withdraw their information should they choose to do so. This is a legal entitlement, and may not be reduced or removed by agreement.
In practical terms, once the data are analysed or published, it is no longer possible to withdraw them, but if there are other points where withdrawal becomes impossible (eg the identifiers will be removed after data collection is complete) then this should be explained in the Plain Language Statement.
A duty of disclosure is a situation where a researcher is obliged to divulge information to third parties.
In most cases this relates to particular professions. The best known duty of disclosure is mandatory reporting of suspected child abuse. In Victoria this applies to registered medical practitioners, registered nurses, teachers and police officers. A summary of mandatory reporting requirements is available at the Australian Institute of Family Studies.
Researchers who are members of professions where these duties apply are expected to be aware of, and comply with, their legal obligations.
The more common situation is where research could make the researcher privy to information relating to matters which could come before the courts, such as illegal activities or family disputes. In such cases, there is the potential for courts to subpoena research information as part of their proceedings. It is important to be aware that research documents are not in themselves 'privileged' and are subject to court order in most cases.
In situation where data might be subject to legal action you should consider:
- whether the data can be collected in non-identifiable form, so as to avoid incriminating individual participants
- whether the questionnaire/interview schedule should be designed so as not to elicit this information unless it is necessary to the research.
If this information is necessary to the research:
- participants should be clearly warned of the potential for legal vulnerability and asked to take care with their statements.
If a duty to disclose (either professional or by court order) can be anticipated, this should be discussed in the application for ethical clearance for the proposed protocol, as well as the researcher's intended approach to the duty. This should be discussed under the anticipated risks in the NEAF 5.3.
If a researcher is presented with an unexpected duty of disclosure, and time permits they should contact the University Solicitor's Office for advice on the action to be taken.
However, there may be situations where the researcher does not have time to consult, or they believe that their moral responsibility is clear. In such situations, it is appropriate for a researcher to act according to their conscience, but they must as soon as practicable advise their Head of School or research group and the Manager, Research Integrity.
There are a number of situations where research use of existing data sets is both useful and ethical. The ethical and practical aspects of this relate to the original source of the data, the reasons for which it was collected, and whether it is still identifiable.
Existing data sets that are non-identifiable may be used for research, whatever the reason for which the data were collected (research, quality assurance or any other purpose).
As long as the use of the data satisfies the negligible risk requirements, use of non-identified data is exempt from ethical review and requires only a registration process (Exemption).
Identified or identifiable data collected for research will usually be able to be re-used, however there are a number of variables which affect the approval process which will be required for the re-use. These include:
- the level of consent which was originally given by the participants (specific, extended or unspecified),
- whether the data were collected by the research group who wish to re-use it or other researchers
- whether the data were collected for a similar research program or a different purpose altogether, and potentially
- the time frame of the original consent (is the original research still ongoing, or is this a data set from a completed project?),
The essential question is whether the original consent can be considered to cover the proposed new use of the data or whether a new consent or waiver of consent is required. If you wish to re-use identifiable data you should contact an Ethics Advisor to discuss the project and what approval will be required.
In all cases the re-use of identified data will require ethics approval.
Where the identified or identifiable data were collected for a purpose other than research (such as medical records or student information) the same question must still be asked: is there an existing consent which would cover the proposed use of the information?
In the likely event that there is no existing consent for research use of the data, you will need either to obtain consent from the persons whose data are involved for the proposed research use, or obtain a waiver of consent if the data come within the guidelines for a waiver. An Ethics Advisor will be able to discuss these options with you.
The re-use of human tissue collected for another purpose (research or other) attracts the same concerns as re-use of identified data. Under the National Statement human tissue will always be considered to be in principle re-identifiable, so it is never exempt from review.
Again, if you wish to conduct testing of stored human tissue as part of your research project, you should contact an Ethics Advisor to discuss your project and the best way forward.
Data storage, as an ethical issue can also raise issues about measures to protect privacy and confidentiality. There are strict minimum time requirements for data storage based on the requirements of the Australian code for the responsible conduct of research, section 2. The University also has statutory obligations under the Public Records Act 1973 (Vic). The Deakin requirement is that data be securely stored for a minimum of 5 years (longer for clinical data) after publication of the research. The current Deakin requirements are available in the Research Conduct Policy in The Guide.
The general requirements are that data are securely protected, either in physical storage (eg a locked filing cabinet or storage locker) or electronically (eg a secure area of a dedicated server). It is essential that electronically stored data are both secure and backed up regularly. The particular arrangements will vary depending on the nature of the research and the data. When you submit your ethics application you will be asked to specify whether the data will be in identified, re-identifiable or non-identifiable form, and who will have access to them.
Research data should never be stored on a USB, as these devices are not secure, are easy to lose, and are not reliable over the long term.
Where data are coded, the code key should be stored separately from the coded data, as an added security measure.
Where all members of a research team leave the University, the responsibility for maintaining secure data storage becomes the responsibility of the Head of School.
Secure disposal is also required at the end of the data retention period. Research data should never be just 'binned' but must be destroyed as appropriate for the format.
The usual practice in the case of students conducting research in other countries, is that the data be stored securely at the overseas site and transferred at appropriate intervals or at the end of data collection to Deakin for longer term storage within the school. This can be varied by agreement with the supervisor and school, or if the research is being undertaken at an appropriate institution in the overseas location (eg a university) where secure storage can be provided.
The time requirements for data storage are minimum requirements, and do not require researchers to dispose of raw data unless they have entered into an undertaking with the research participants to do so.
If the research is likely to produce data of ongoing value (eg life interviews) then it is appropriate that this be stored permanently in an archive or library. If this is likely, then you should raise the option with your participants and gain explicit consent for the long term storage and use of the information.
The Victorian and Commonwealth requirements in relation to transborder data flow are essentially identical. The requirements relate to the movement of identified personal data outside of Victoria (in the case of Victorian legislation) or Australia (in the case of the Commonwealth). The essential point is that a person's personal data is not to be sent out of the state/country unless:
- the person has consented to the transfer, or
- there is no reason to think that they would not agree, and appropriate safeguards (at least the same level of security as the original storage) are in place.
In the case of data being collected overseas by a Deakin employee and brought to Australia, reciprocal considerations should apply. Accordingly the same level of protection should be extended to overseas participants.
The Information Privacy Act applies only to the personal information of a living natural person. This is in contrast to the Health Records Act, which has provisions for legal representatives of deceased persons to obtain access to information. Accordingly there is no protection at law for the privacy of a deceased person in relation to non-health information.
When collecting information about a deceased person (eg for a biography) it is not necessary to obtain permission from their heirs or family to do so. However, in such a case you need to be aware of potential sensitivities, particularly with those who were close to the deceased person. As a practical matter, you may also find that organisations will not release information about the person without consent from their family.
You should also be aware of the tendency for the information that you do collect to identify others than the deceased, and take appropriate measures. Where the information is identified or identifiable, it is always preferable to have informed consent for its use.