Research involving collection, use or disclosure of personal information – definitions and background information

Definitions

Purposes

Collection – an organisation or individual collects information if it gathers, acquires or obtains information from any source and by any means, whether that information has been requested or not. Questionnaires, surveys, interviews, focus groups and requests for information held in databases, data sets or institutional records are all examples of how information may be collected.

Use – an organisation or individual uses information if it handles the information in any way. Use of information includes any form of quantitative or qualitative analysis and any inclusion of the information in any form of publication. Note that contacting a person based on contact details is considered to be use of that information.

Disclosure – an organisation or individual discloses information when it releases information to other organisations or individuals (that is, outside of those who collected the information in the first instance). Giving individuals information about themselves does not constitute disclosure.

Types of information

Individually identifiable, re-identifiable and non-identifiable information

The ‘National Statement’ identifies three mutually exclusive forms of data identifiability, as follows [NS 3.2]:

Individually identifiable data where the identity of a specific individual can reasonably be ascertained. Examples of identifiers include the individual’s name, image, date of birth or address.

Identifying information can include other information, if that information is unique in some way or highly specific. For example, “employee of the Victorian Department of Human Services” is not sufficient information to identify a person. However, “employee of organisation X” which only employs three people may be sufficient information to identify someone, particularly in conjunction with other information;

Re-identifiable data, from which identifiers have been removed and replaced by a code, but it remains possible to re-identify a specific individual by, for example, using the code or linking different data sets.

Non-identifiable data, which have never been labelled with individual identifiers or from which identifiers have been permanently removed, and by means of which no specific individual can be identified. A subset of non-identifiable data are those that can be linked with other data so it can be known that they are about the same data subject, although the person’s identity remains unknown.

Example: Health information is disclosed to a researcher without information that could identify the individual, but coded so that it may be re-identified if necessary.

  • If it would be impossible for the researcher to access the link, then the information collected and subsequently used by the researcher is non-identifiable.
  • If the researcher is given the code, as well as the information, then the information is re-identifiable, as long as the code remains associated with the information. Potentially identifiable information is treated in the legislation in the same way as identifiable information.

Personal information generally means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Health information under the Victorian ‘Health Records Act 2001’ means:

(a) information or an opinion about:

i. the physical, mental or psychological health or a disability (at any time) of an individual; or

ii. an individual’s expressed wishes about the future provision of health, disability or aged care services to him or her; or

iii. a health, disability or aged care service provided, or to be provided, to an individual;

that is also personal information; or

(b) other personal information collected to provide, or in providing, a health, disability or aged care service; or

(c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or

(d) personal information that is genetic information about an individual in a form which is or could be predictive of the health (at any time) of the individual or any of his or her descendants.

Sensitive information means information or an opinion about an individual’s:

  • racial or ethnic origin; or
  • political opinions; or
  • membership of a political association; or
  • religious beliefs or affiliations; or
  • philosophical beliefs; or
  • membership of a professional or trade association; or
  • membership of a trade union; or
  • sexual preferences or practices; or
  • criminal record;

that is also personal information; or (in the Commonwealth Privacy Act only): health information about an individual.

1 The Victorian Health Records Act also expressly provides that “personal information” includes information about a person who has been dead for 30 years or less.

Sources of information

Health service provider

For the purposes of the ‘Health Records Act 2001’, a health service provider means a person or an organisation that provides a health service in Victoria. A health service means an activity that is intended or claimed to assess, maintain or improve a person’s health, or to diagnose or treat illness, injury or disability, and includes a disability, palliative care or aged care service.

Commonwealth agency

For the purposes of the Privacy Act 1988, a Commonwealth agency is a minister, department, statutory corporation or other body established for a public purpose by Commonwealth legislation. This covers virtually all Commonwealth departments. The main exceptions are companies, incorporated societies, intelligence organisations and trade unions.

Some of the organisations and government departments defined as Commonwealth record keepers are listed below. This list is a guide to the agencies most commonly approached by researchers (from the AHEC Report on Use of Section 95 Guidelines):

    • Aboriginal and Torres Strait Islander Commission (ATSIC)
    • Australian Archives
    • Australian Bureau of Statistics
    • Australian Institute of Health and Welfare
    • Law Reform Commission
    • Australian Electoral Commission (not State Electoral Offices)
    • Australian National University
    • Australian Sports Commission
    • Health Insurance Commission

An organisation for the purposes of section 95A of the amended Privacy Act 1988 and the National Privacy Principles is generally a private sector organisation that:

  • has a turnover of more than $3 million, or
  • is a health service provider, or
  • undertakes the collection or sale of personal information for a profit, or
  • provides a service to the Commonwealth, or
  • is specifically prescribed by the Commonwealth Attorney-General under the Privacy Act -

except political parties and State and Territory authorities, including universities set up under State legislation.

Legislation

The following is an overview of the State and Commonwealth privacy legislation that may impact upon a project in relation to collection, use or disclosure of information. There are other Privacy Principles that deal with data quality, data security, access to data, identifiers, trans-border data flows and other issues.

Researchers should review ALL Privacy Principles in the relevant legislation identified in question SP1(b), to ensure that their project is fully compliant with all aspects of the law. Links are provided below to legislation and any relevant guidelines.

Victorian Law

(a) Personal information - where the collection, use or disclosure is by the Victorian public sector or a contracted service provider to the public sector

The ‘Information Privacy Act 2000’ (Victoria) sets out ten Information Privacy Principles (IPPs) that regulate the responsible collection and handling of personal information – which includes “sensitive information” but excludes health information (see definition below) – by organisations in the Victorian public sector, including universities set up by state legislation.

The IPPs also apply to agencies that provide services under contract to the Victorian Government.

Although the IPPs are very similar to the National Privacy Principles of the Commonwealth legislation (see below), the numbering of the principles is different.

IPPs 1, 2 and 10 deal with the collection, use and disclosure of this information for the purposes of research.

This Act is administered by the Victorian Privacy Commissioner: www.privacy.vic.gov.au. There are no separate Guidelines issued in relation to this Act.

(b) Health information – where the collection, use or disclosure is by an organisation in Victoria

The ‘Health Records Act’ 2001 (Victoria) applies to all health information handled by the Victorian public sector and private sector.

There are eleven Health Privacy Principles (HPPs). HPP 1 and 2 govern the collection, use and disclosure of health information, including for the purposes of research. This Act is administered by the Victorian Health Services Commissioner, who may issue or approve Guidelines in relation to the HPPs. The relevant Guidelines are:

‘Statutory Guidelines on Research’ issued for the purposes of Health Privacy Principles 1.1(e)(iii) and 2.2(g)(iii). Download from the Health Services Commissioner’s website.

This Victorian Act applies generally to private sector organisations when they handle health information in Victoria. Unlike the Commonwealth Privacy Act (see below), it does not contain any exemptions for “small business”.

(c) Other laws

Other more specific laws may apply to particular categories of research. For instance, section 60 of the Cancer Act 1958 regulates the disclosure of information from registries established under that Act.

Commonwealth Law

(a) Personal information held by the Commonwealth public sector

The ‘Privacy Act’ 1988 (Commonwealth) applies to the Commonwealth public sector and has implications for research using information held by a Commonwealth agency. The Privacy Act sets out eleven Information Privacy Principles (IPPs) and these treat all categories of personal information (including sensitive information and health information) in the same way. The NHMRC has issued guidelines (under Section 95 of the Act) for the conduct of medical research to ensure that personal information is protected against unauthorised collection or disclosure.

Any researcher wishing to obtain information from a Commonwealth agency should read the NHMRC Guidelines under Section 95 of the Privacy Act 1988.

(b) Personal information – where the collection, use or disclosure is by a “private sector organisation”

In 2000, the ‘Privacy Act’ 1988 was amended to incorporate the Privacy Amendment (Private Sector) Act 2000 (Commonwealth), which extends the scope of that Act to include information held by organisations in the private sector. The National Privacy Principles (NPPs) set out in this amendment only apply to businesses and bodies that fall within the definition of “organisation” as set out in the ‘Privacy Act’ 1988 (see summary definition below).

The NPPs distinguish sensitive information and health information from other types of personal information. Section 95A permits the NHMRC to issue guidelines that form part of the compliance requirements under the NPPs. Any researcher who considers that the health information being collected, used or disclosed might come within the ambit of the NPPs should read the Guidelines approved under Section 95A of the Privacy Act 1988.

General considerations

All of the Guidelines listed above provide very clear instructions as to the information that researchers must include in their application.

Researchers are responsible for identifying the relevant Act and guidelines under which an application for approval of a project is made.

If more than one Act (or set of guidelines) applies, all relevant legislative requirements will need to be met.

Researchers should note that this discussion about privacy laws is general information intended to provide a starting point to assist them in understanding how the legislative regimes may apply to their research activities. If in doubt as to their legal obligations, researchers should seek their own advice.
