Introduction/ background to Privacy Act
1. On 27 July I was approached on behalf of the Inquiry to assist the Inquiry in relation to research and privacy issues.
2. The Privacy Act was passed in 1993. Its purpose, as set out in the long title is "to promote and protect individual privacy in general accordance with the Recommendation of the Council of the Organisation for Economic Cooperation and Development Concerning guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data..."
3. The way in which the Act seeks to achieve this general aim is by 12 information privacy principles (set out in section 6), which regulate the ways in which "agencies" collect, use, store disclose, and provide for individuals access to and correction of, "personal information". These 12 information privacy principles are based on the guidelines issued by the OECD in 1980
4. It is important to understand the breadth of coverage of the Act. It applies to all agencies. This term is defined very broadly. With certain specific exceptions, the term applies to "any person or body of persons, whether corporate or unincorporate and whether in the public sector or the private sector."
5. It is agencies that are required to comply with the information privacy principles in their dealings with personal information. The term encompasses organisations and individuals that one would expect would hold quite sensitive information (such as hospitals and doctors), and those that would not be expected to hold personal information of any special consequence, like dairies and shoemakers.
6. The term "personal information" is equally broad. It means "information about an identifiable individual". There is no qualitative threshold limiting the application of the term to "private" or "intimate" information. The Act applies to all information about an identifiable individual, whether sensitive or mundane.
7. This breadth of coverage has several features. First, the information privacy principles are written in a way which must apply in all circumstances. They require agencies to apply tests of "reasonableness". For example, information privacy principle 8 sets out agencies' obligations to ensure that information is accurate and up to date before it is used. That principle says;
"An agency which holds personal information shall not use that information without taking such steps (if any) as are in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate up to date, complete relevant and not misleading."
8. The second feature is the way in which liability for breach of the principles is incurred. Section 66 sets out the liability for an "interference with privacy". In summary, that section requires that in order for an alleged breach of privacy to be actionable under the Act, there must have been a breach of an information privacy principle, and some harm, loss, damage, detriment, or adverse effect on a right or benefit, or some significant humiliation, loss of dignity or injury to feelings of that individual. The exception to this harm requirement is where the complaint relates to a request by an individual for access to or correction of personal information.
9. In other words an agency will not be liable to pay damages for a breach of a collection or disclosure principle which produces no adverse outcome for the individual concerned.
10. The third feature is the way in which the Act is enforced. The principles are not enforceable in a court of law (with the exception of the right of access to information held by a public sector agency). Complaints must be made to the Privacy Commissioner, whose function is to investigate them impartially with an obligation to conciliate, and try and settle complaints. Ultimately, civil proceedings based on a complaint may be determined by the Complaints Review Tribunal which can give a ruling on a case. There is a right of appeal to the High Court.
11. Fourthly, by virtue of section 7 of the Act, neither the Act nor the Code overrides other enactments which authorise, require or prohibit particular information collections or disclosures. For example, the information privacy principles in the Act and the rules in the Code do not derogate from such provisions in section 74A of the Health Act, the Cancer Registry Act, or section 4C of the Commissions of Inquiry Act to the extent they constitute legal authority for certain actions.
12. A fifth consequence is the ability of the Privacy Commissioner to issue codes of practice, which can tailor the application of the information privacy principles to particular industries or sectors. The first such Code of Practice I issued was the Health Information Privacy Code (temporary) 1993. ("the Code"). Compliance with the rules of the Code is deemed compliance with the information privacy principles.
13. In addition to codes of practice, the Privacy Commissioner is able to authorise certain actions that would otherwise be in breach of the principles under section 54 of the Act. Collection, use or disclosure in accordance with an authority granted under section 54 is a stated exception to Rules 2, 10 and 11.
Health Information Privacy Code
14. The code substitutes the Health Information Privacy Rules for the information privacy principles. I issued the forerunner to the code in 1993 (Health Information Privacy Code (Temporary) 1993) as a temporary code to coincide with the health reforms of that year. I issued the present code one year later, and have reviewed the code and reissued it this year. In the meantime there have been amendments. The process of development and issuance of the Code was inclusive. I publicly notified the intention to issue a code and sought submissions, circulated discussion papers and held publicly advertised workshops around the country. Ethics committees and researchers were included in the consultative process. The document that resulted amended the information privacy principles in several important ways that are of relevance to this inquiry.
15. Three of the information privacy principles and Health Information Privacy Rules may be of particular interest to this Inquiry.
- Rule 2 says that health information should generally be collected directly from the person concerned. - Rule 3 requires openness in the collection of health information.
- Rule 11 places some restrictions on the disclosure of health information.
16. It is an exception to Rule 2 requiring collection of health information directly from the person concerned if the health agency believes, on reasonable grounds...
(2)(g) that the information:
(i) will not be used in a form in which the individual concerned is identified;
(ii) will be used for statistical purposes and will not be published in a form that could reasonably be expected to identify the individual concerned; or
(iii) will be used for research purposes (for which approval by an ethics committee, if required, has been given) and will not be published in a form that could reasonably by expected to identify the individual concerned...
17. Rule 3 requires a health agency to take such steps as are, in the circumstances, reasonable to ensure that the individual concerned or the representative is aware of the collection and the purposes for which it is being collected, the intended recipients and the consequences (if any) of failing to do so. Compliance with these and other requirements of the Rule has the incidental benefit of permitting such uses and disclosures as are anticipated. There are some exceptions to this Rule.
18. There are exceptions to Rule 11 restricting disclosure of health information where the health agency believes, on reasonable grounds that obtaining the authorisation of the individual concerned is not reasonable or practicable and that...
(2)(a) the disclosure of the information is directly related to one of the purposes in connection with which the information was obtained; or
(c) that the information:
(i) is to be used in a form in which the individual concerned is not identified;
(ii) is to be used for statistical purposes and will not be published in a form that could reasonably to expected to identify the individual concerned; or
(iii) is to be used for research purposes (for which approval by an ethics committee, if required, has been given) and will not be published in a form which could reasonably be expected to identify the individual concerned...
(h) that the disclosure of the information:
(i) is required for the purpose of a professionally recognised accreditation of a health or disability service;
(ii) is required for a professionally recognized external quality assurance programme;
(iii) is required for risk management assessment and the disclosure is solely to a person engaged by an agency for the purpose of assessing the agency's risk;
and the information will not be published in a form which could reasonably by expected to identify any individual nor disclosed by the accreditation or quality assurance or risk management organisation to third parties except as required by law...
19. Some of these exceptions were included in the code to take into account particular information needs of the health sector and of health research. In incorporating them into the Code, I have reflected nothing more onerous than the ethical and professional standards for these activities. By this I mean that it is not for me to impose my view about when a research project will require ethics committee approval, or which quality assurance programmes should be able to avail themselves of the relevant exception. Those are matters for the professions and research bodies themselves to determine. I was concerned to build in sufficient flexibility to enable the Code to take into account commonly accepted good practice within the sector and professions. In effect, these exceptions permit a degree of self regulation.
20. I am not able to offer any further detailed guidance to the Inquiry as to how I have interpreted these provisions, because I would only do so in the context of investigating a complaint. In the short time I have had to prepare these submissions I have not been able to locate any cases where I have made a finding that a research or quality assurance activity has resulted in an interference with the privacy of an individual. I can only speculate as to the reasons that these sections have not come up as issues during any complaint investigation, but these may include that no individual has felt that their privacy has been interfered with by any research or quality assurance programme, and that the exceptions have therefore been applied correctly. Conceivably this might occur because there has been a degree of caution, based on risk averse advice tendered by the advisers to institutions, researchers, or ethics committees, on compliance with the Code. It does however seem likely that the emphasis on patient autonomy and informed consent following the Cartwright Inquiry has led to the strong emphasis on consent in the approach of Ethics Committees. The Health Research Guidelines are an example.
21 Research published recently by Charlotte Paul, Associate Professor, Department of Preventive and Social Medicine, University of Otago would tend to suggest the former view is the more accurate. Her article (New Zealand Medical Journal 9 June 2000 p 210) records the findings of a study into health researchers' views of ethics committee functioning in New Zealand. She found that researchers "appeared largely satisfied with the code and its interpretation by ethics committees - except for two people." The article concluded that "the positive aspects of ethics committee functioning should be recognised, especially ... the handling of the Health Information Privacy Code".
22. There is likely to be an area of overlap between the Code and matters that are properly the concern of ethics committees. That is to say, there will be occasions when the implications of a particular research proposal have a privacy dimension that the ethics committee will want to consider very closely. However that is not the same as saying that the Privacy Act or Code should be interpreted as directing ethics committees' deliberations.
23. Obtaining ethics committee approval for research is not required by the Code if one of the other provisions allows the intended collection, use or disclosure. If, for instance, a particular disclosure was one of the purposes for which the information was obtained, Rule 11(1)(c) would apply. If it was either not desirable or practicable to obtain authorisation and the disclosure was directly related to one of the purposes for which it was obtained of if it was required for a professionally recognized external quality assurance programme (Rule 11(2)(h)) then no ethics approval is required by the Code. The researcher may, however, feel obliged to seek such approval.
24. I would expect that in approving or declining any given proposal, an ethics committee might have regard to the Health Research Council Guidelines on Ethics in Health Research. The guidelines were prepared by Charlotte Paul, Associate Professor of Epidemiology, Department of Preventive and Social Medicine, University of Otago; Grant Liddell, Senior Lecturer, Faculty of Law, University of Otago; and Peter Skegg, Professor of Law, University of Otago. (refer www.hrc.govt.nz/ethguid9 and Human Rights Law and Practice vol 1 no 4 p 196). Those guidelines explain the provisions of the Code, and set out "Recommended good practice". One such recommendation is that:
"in general health information should not be disclosed without the authorisation of the individual concerned. It may not always be desirable or practicable to obtain individual consent in which case the safeguards set out below are particularly important. The overriding consideration should always be that no harm or distress will ensue for the individual or for the family, and that professional relations (for example doctor-patient) will not be impaired in any way. The 'safeguards' referred to include consideration by an accredited ethics committee, consultation with Kaitiaki Committees and strict procedures regarding the maintenance of confidentiality."
These guidelines go further than the Health Information Privacy Code requires. I understand prior evidence to this Inquiry indicates that committees may have been stricter than the guidelines suggest.
25. It seems to me that there is considerable latitude in the Code for the use of health information for research, audit, or quality assurance activities. I note that Professor David Skegg did not express any dissatisfaction with the terms of the Health Information Privacy Code.
26. My office frequently gives advice as to how the code operates, although I cannot give rulings in advance. To do so might prejudice my ability to investigate a complaint in an impartial way, without predetermination. If a researcher approached my office for advice, I would point to the provisions of the Code and invite the person to consider whether their proposal required an ethical approval, and if so, to make an application. I do not have a detailed understanding of how the ethics committees go about their considerations, but I would imagine that they would assess the application against the guidelines, and that any approval would contain an implicit or explicit condition that the researcher complied with all legal obligations (including the Code) in carrying out their research.
27. Where the proposal involves the trial of a drug or participants undergoing some medical procedure, the ethics committee would no doubt require participants "informed consent" as a condition of its approval.
28. In my experience there has been a tendency among some health professionals to confuse, and to regard as equivalent, the concepts of "informed consent", and privacy because of the provisions in the Privacy Act about individual authorisation to carry out some action. From what I have seen or know of the matters raised with the Inquiry concern has been expressed about the requirement for informed consent from the individual subjects. This would seem to derive from the concept of informed consent rather than the need to protect individual information privacy, although the effect might be to protect privacy somewhat more than is provided in the Code.
29. The concept of confidentiality of medical information is a venerable one. Underpinning the concept is the need to protect the special relationship between doctor and patient. However the concept of confidentiality is not and has never been regarded as absolute. Certain other information flows are required in order to best serve the patient, and in some cases, society as a whole.
30. Professor Skegg in his evidence noted that the concepts of privacy and confidentiality are not identical. Privacy interests as expressed in the Privacy Act are concerned not just with maintaining confidentiality, but with openness as to the purposes of collection of information, and the expectations to which individuals are entitled in respect of information transactions affecting them.
31. There is a risk in establishing health information databases, or inviting public participation in public health programmes without forethought as to the subsequent information needs of the project. Instead, public participation may be enlisted on the basis of absolute promises of confidentiality. These undertakings might have been seen as critical in terms of ensuring public trust in the project, but may ultimately be counterproductive if they prove to limit the use to which the information obtained can be used to such an extent as to limit the integrity of the project. There will be a temptation later to want to cast aside the promises for undoubtedly good purposes. Enthusiasm for the clear benefits of good research may lead to overriding the wishes of some patients to the detriment of confidence in health databases and thus jeopardise future research and treatment. On the other hand reasonable advance statements about intended quality assurance programmes, audits or research to benefit the project and thus its participants may well also build confidence.
32. The emphasis in the Privacy Act is on openness and transparency when information is collected. If, when a database is established, all the purposes for collecting the health information are certain and made clear to participants, there are likely to be no surprises due to a subsequent failure to meet legitimate expectations of participants. Hence the importance of compliance with Rule 3. It may be that this openness has ultimately an effect which underscores the confidentiality interest in the Hippocratic Oath, in that it enhances the relationship between practitioner and patient, and improves the trust and confidence that exists between them.
33. Information privacy is never a value which in our society may be maintained without regard to competing social interests. The balance is not always easy but perhaps the most difficult is to respect what others consider as important to their privacy when we do not share their concern or when we feel the overwhelming public good should cause them to concede some of that privacy. In respect of health information research I do not consider there is a natural dissonance between the objectives of research and the interests of patients, including privacy.
B H Slane, CBE LL.B
1 August 2000