Macquarie Law Journal
|
|
Home
| Databases
| WorldLII
| Search
| Feedback
Macquarie Law Journal |
|
‘PROTECTING GENETIC PRIVACY IN THE RESEARCH CONTEXT: WHERE TO FROM HERE?’[∗]
MARGARET OTLOWSKI[**]
INTRODUCTION
It is axiomatic that research is fundamental to the progress that is being made in the area of genetics and there can be no doubting its value in generating knowledge which has the potential to improve public health. Human genetic research involves the study of genetic factors which are responsible for or contribute to genetic disease, and the interaction between those factors and with the environment. It includes identification of the genes that make up the human genome, ascertaining the function of genes and their relationship to human health, and the characterisation of genetic disease in individuals, amongst biological relatives and wider groups. Thus, in one way or another, human genetic research is concerned with the use of genetic material and the information derived from it. One of the important characteristics of genetic research is that it typically goes beyond any individual participant. It often involves biological relatives for the purposes of establishing family history and for linkage and mutation analysis, and therefore depends on co-operation amongst the wider family.
The aim of this paper is to explore some of the key privacy issues that arise in relation to human genetic research in Australia. The opening part of the paper explores the concept of ‘privacy’ and the meaning of the term ‘human genetic information’ and examines the forms and circumstances in which human genetic information is typically accessible in the research context. It then proceeds to catalogue some of the characteristics of genetic information, with a view to evaluating whether genetic information is in some way unique and therefore warranting special protection. The second part of the paper seeks to outline the existing regulation of privacy in the research context and its implications for protecting the privacy of human genetic information. Finally, the paper seeks to assess the adequacy of current privacy protection of human genetic information in the research context and determine whether this is an area where increased regulation is required.
PART I
Understanding the concept of ‘privacy’
As this paper deals with privacy regulation, it may be useful to begin by defining the term ‘privacy’. Privacy is recognised to be a complex concept, ‘multifaceted, fluid and evolving’,[1] and open to a number of potential interpretations.[2] The concept of privacy is based on principles of human dignity and respect for individual freedom[3] and finds backing in various international instruments which recognise an individual’s right to privacy as a fundamental human right.[4] It integrates with other values (for example, liberty and autonomy) and increases their impact.[5] There are a number of ways in which privacy can be categorised: informational privacy, physical privacy, decisional privacy and proprietary privacy.[6] This paper focuses on ‘informational privacy’ interests, that is, the interest a person has in controlling access to and use of their personal information. This is the aspect of privacy which is most commonly referred to in the discussions about ‘genetic privacy’ and is particularly relevant in the context of human genetic research. Further to this approach, ‘privacy’ is defined in the National Health and Medical Research Council (NHMRC) Information Paper on Ethical Aspects of Human Genetic Testing as referring to a person’s interest in exerting effective control over the collection of, access to, use of or disclosure of any personal information that has been collected or could be collected by any other person.[7] In this sense, privacy is a broad concept, as this interest in retaining control over information and keeping it private arises in respect of anyone who might have access to that information, whether in an existing relationship with the person or otherwise.
The term ‘privacy’ is often linked with the term ‘confidentiality’ and the terms are even sometimes used interchangeably, as if their meanings were entirely synonymous. For definitional purposes, however, ‘confidentiality’ refers to an obligation arising in certain relationships whereby the recipient of personal information about another is under an obligation not to use that information for any purpose other than that for which the information was given.[8] In reality, both terms are open to a broad and narrow construction: on the one hand, the layman’s idea of what is ‘private’ and ‘confidential,’ and on the other, the actual legal interests that the law protects which have typically been much more limited.
The term ‘human genetic information’ is essentially a non-technical term used to describe information about an individual’s genetic make-up. Although in the light of the major biotechnological developments in the field of genetics, there is a tendency to assume that acquiring human genetic information necessarily entails genetic testing, the term is broad enough to also cover genetic information available through family history. Significantly, the term is not a term of art but simply a means of describing the vast and growing body of genetic information that is potentially available about every individual.
In the context of genetic testing, it is important to draw a clear distinction between genetic ‘samples’ or ‘material’ on the one hand (eg. a sample of blood, saliva or any other source of deoxyribonucleic acid (DNA) or ribonucleic acid (RNA)) and the information which can be derived from that sample through the process of genetic analysis. The derived genetic information can readily be stored (in a paper file, computer etc.), is easily preserved, and may endure long after the sample from which the DNA is obtained is destroyed. Of its nature, it is information that can easily be passed on to others, irrespective of whether the original sample still exists. Significant privacy issues arise in relation to the storage, access to and use of genetic samples, whether obtained for clinical or research purposes.[9] Notwithstanding the importance of these issues, they are beyond the immediate scope of the present inquiry and this paper accordingly focuses on the protection of genetic information, that is, the information derived from the genetic sample.
It is important to recognise, as does the NHMRC National Statement on Ethical Conduct in Research Involving Humans (1999) ('National Statement'),[10] that human genetic research can take various forms, and may require different sorts of genetic information – some implicating privacy interests more than others. Privacy issues come particularly to the fore in circumstances where researchers have access to ‘identified’ or ‘potentially identified’ information.[11] Although the use of this form of information entails more onerous obligations for researchers, in practice, identified or potentially identified information is commonly used in genetic research because the information is most useful in this form.
Another way of looking at human genetic information in the research context is in terms of the benefit or value it may have for the persons from whom it is obtained. In the case of predictive genetic testing performed on asymptomatic individuals, research can reveal information about an individual’s susceptibility to disease. This information may be of benefit to the individuals involved, particularly if prophylactic strategies are available. However, due to the familial nature of genetic information, information obtained from genetic research may be of significance beyond the immediate research participants and may be of interest and benefit to other family members. This may give rise to dilemmas for researchers as to when they may, or perhaps even must, disclose information obtained about a research participant to family members to whom this information may be relevant.
In evaluating the significance of particular forms of genetic information for an individual, a further distinction needs to be drawn between information which is merely predictive, based on susceptibility testing for genetic disorders, and information which serves to diagnose an existing disorder in a symptomatic individual or (in the case of dominantly inherited late onset genetic disorders) the future onset of genetic disease. Receiving information about existing or future onset genetic conditions is undoubtedly difficult for the individuals concerned and would be widely regarded as more problematic than the less certain information about susceptibility to genetic disease which may be quantified as a percentage of risk. It is therefore, perhaps ironic that it is the predictive nature of much of the genetic information available that underlies the concerns about the privacy of this information. This is not so much because of the direct impact it has on the individual, but because of the way in which this information may be interpreted and used by others (treated as decisive when in fact it is not) and the adverse implications this may have for the individual concerned.
There may be some unexpected outcomes in the area of genetic research: research may reveal previously unknown information that an individual or a family did not want or intend to become known such as the existence or absence of a genetic relationship. A further privacy consideration arises in respect of the use of ‘record linkage’ involving the combination of data from disparate sources to produce a new data set that contains more accurate details about each individual. What is clear is that there are a range of factors which impact on genetic information and an appreciation of the nature and circumstances in which genetic information is obtained will be important in assessing the privacy issues associated with that information.
The importance of privacy in health care as well as in research has long been recognised. The developments in genetics and genetic technology over the past decade or so have led to particular concerns about protecting the privacy of genetic information and this has given rise to a new concept of ‘genetic privacy’.[12] The importance of protecting privacy in the context of genetics has been acknowledged in a number of international instruments specifically dealing with human genetics and biomedicine. These include the Council of Europe’s Bioethics Convention on Human Rights and Biomedicine and the UNESCO Universal Declaration on the Human Genome and Human Rights.[13]
This new focus on ‘genetic privacy’ implies that human genetic information is somehow unique and therefore warrants special recognition and protection. However, whilst many have urged that separate attention needs to be given to the protection of genetic information in light of the special nature of such information, this view is by no means universally accepted. Opponents of this view assert that genetic information is just another form of personal health information and should therefore come within the existing protection of health information. On practical grounds and/or grounds of principle, they argue against ‘genetic exceptionalism’,[14] that is, the notion that the area of genetics presents unique problems which require special treatment.
In order to assess such claims and counterclaims, we need to consider the nature of human genetic information and determine its key features. From the outset, it should be stressed that the availability of human genetic information is not of itself new (as noted earlier, some genetic information has long been available through family history of genetic disease) - what has changed is the means by which genetic information is available and also the extent of information which can now potentially be obtained as a result of the advancements in relation to genetic testing.
Information about a person’s genetic makeup obviously comes within the meaning of ‘health’ or ‘medical’ information, but there are arguably some special characteristics of this information, the combined effect of which, call for particular care in relation to privacy protection. To begin with, genetic information is highly personal: it can serve as a unique identifier of an individual, and influences things that make up personal identity such as height, build, skin colour, intelligence and possible propensity for some behaviours such as alcoholism.[15] Further, genetic information can be obtained from a very small amount of genetic material (eg blood, saliva, etc) in circumstances where the person from whom it is obtained has not necessarily consented to the taking or analysis of that sample. Moreover, genetic information is sensitive in the sense that it may reveal significant insights into the person’s future health and life prospects for example, information about a late onset disorder, susceptibility to genetic disease or carrier status. This may well be information that the individual may not want others to know and may not even want to know him or herself, particularly in circumstances where there is no effective therapy or prevention available. Additionally, notwithstanding its personal status, genetic information also has a familial quality due to its inherited and shared nature. Thus, genetic material and information collected about one individual can disclose significant information about other family members which may have implications for their health. This can give rise to difficult ethical dilemmas regarding disclosure of information in circumstances where the assertion of a claim to ‘privacy’ by one family member may be at the expense of other members of the family who might benefit from that knowledge.[16] Moreover, non-blood relatives, such as partners and spouses, are also likely to have an interest in this information out of concern for their partner and/or their offspring.
Also significant is the fact that genetic information, at least on the basis of current medical technology, relates to something which is permanent and unalterable. Account also needs to be taken of the fact that the reliability and value of genetic information is quite variable depending on factors including, the nature of the disorder, its pattern of inheritance, degree of penetrance and the nature of the test . Whilst in some circumstances, test information can tell you what will or is likely to happen to your health in the future, in many cases, tests have limited predictive power and can only indicate increased risk or predisposition to developing a particular genetic condition.
Genetic information might also be argued to be special because of the impact that disclosure of this information may have for the individual about whom the information relates. It may have implications for the person socially and may stigmatise the entire group to which the individual belongs. Misunderstanding or misuse of the results of genetic testing has the potential to undermine an individual’s self-identity and sense of self-worth. Further, if disclosed to institutional third parties such as insurers and employers, it may result in discrimination against that person and as is discussed in more detail below, there is already some evidence of this occurring.
The difficult question is, do these foregoing features of genetic information qualify to make it unique? It must be conceded that some of these characteristics are shared with other forms of medical information, for example, information about a persons’ HIV/AIDS is highly personal, sensitive, information which cannot be changed and has implications for others as well as the individual affected. Moreover, there are other forms of presymptomatic medical testing which are predictive of future health such as testing for blood pressure or cholesterol. Although such analogies can be found, it is submitted that because of the cumulative effect of these various characteristics of human genetic information, special care needs to be taken to protect the privacy of this type of information.[17] This view certainly underpins the approach taken by the NHMRC to human genetic research in the National Statement[18] as well as equivalent documents from overseas jurisdictions,[19] and has received support from some academic commentators.[20]
What are the implications of this for researchers in the area of genetics and the human research ethics committees (HRECs) which are involved in the ethical review of their research proposals? In practical terms this translates into the need to prevent others from gaining access to this information except with the persons’ consent, as well as the individual’s right ‘not to know’ about his/her genetic makeup.[21] It also demands that care be taken in ensuring that individuals’ participation in genetic research is entirely voluntary and informed, supported where appropriate with professional counselling,[22] and that the researchers have fully considered and addressed the social significance and consequences of the proposed research including the potential harms that subjects might experience as a result of their participation.[23]
Whilst practical difficulties in distinguishing genetic information from other medical information must be acknowledged,[24] it is submitted that one cannot ignore the reality that genetic information does have some distinctive characteristics and that real harm may come to individuals if this information is not adequately protected. Underlying the anxieties about the ‘new genetics revolution’ is the fear of an emerging ‘genetic underclass’ comprised of individuals singled out because of their ‘abnormal’ genetic make-up. It would seem that some of these fears may now be materialising with growing evidence of genetic discrimination occurring in Australia within insurance, employment and other contexts, in some instances, on the basis of genetic testing undertaken in the context of participation in research. In a key Australian study of genetic discrimination, of a total of 48 cases of alleged genetic discrimination, there were 5 cases where genetic testing had been undertaken as part of a research project.[25] There was no suggestion in any of these cases of inappropriate disclosure by the researchers, indeed, it was typically the individual’s own disclosure which led to discrimination, for example, in the insurance context, where there is a legal obligation to make full disclosure. These cases, do however, highlight the risk of discrimination arising from participation in genetic testing, including in the research context.
Health care professionals working in the field have expressed their concern that fear of such discrimination occurring is deterring some individuals from undertaking necessary genetic testing.[26] Further, it is feared that individuals may be deterred from participating in genetic research because of potential negative consequences arising from their involvement.[27] These emerging problems are fuelled by a tendency, especially on the part of the media, to encourage a reductionist or deterministic way of thinking, namely, that individuals are reduced to their DNA sequences. There is also evidence to suggest that genetic information is often misunderstood and treated as if it were determinative[28] when in fact in many, if not most cases, it is not. Public opinion surveys indicate widespread community concern about the uses to which genetic information may be put (for example, by insurers for the purposes of setting premiums) and privacy issues in respect of that information feature significantly in this regard.[29]
On the basis of the foregoing arguments, it is submitted that genetic information has a number of characteristics, the combined effect of which give rise to concerns about its use, particularly in view of the potential for misunderstanding of this information. This gives rise to sufficient justification for special care to be taken of this information, including in the research context.
PART II
While the ‘right to privacy’ is widely regarded as important, and despite its recognition as a fundamental human right, there is no corresponding broad legal right to privacy. There is certainly no distinct common law[30] or constitutional right of privacy but this does not mean that there is no protection of privacy interests. Although there is no distinctive cause of action in privacy at common law,[31] there are a number of established causes of action which protect various privacy interests including trespass to land, trespass to the person, nuisance, defamation, injurious falsehood, and breach of confidence.[32] In more recent years, as a result of legislative intervention, there is also now quite a complex array of Commonwealth, and in some cases, state and territory statutory provisions for the protection of individual privacy. In addition, there are other non-legal sources of regulation including the ethical guidance given by the NHMRC National Statement. The following section of this paper seeks to outline these various sources of privacy protection in Australia and the role that they may play in the context of genetic research. It also seeks to examine possible interplay between these various sources of privacy protection.
Common law
Relevant to protecting informational privacy interests is the obligation of confidentiality which is imposed on recipients of information in certain special relationships. This obligation can be based in contract, tort or upon equitable principles, and may give rise to legally enforceable obligations as well as ethical duties to maintain the confidentiality of information in all but exceptional circumstances. One established example of a relationship giving rise to obligations of confidentiality is the doctor/patient relationship. The relationship between researchers and the subjects participating in the research also undoubtedly comes within this category of special relationship, giving rise to an obligation on the researcher not to disclose personal information about research subjects without their consent. Individuals can seek to protect their right to have confidentiality maintained by bringing proceedings to restrain unauthorised disclosure of information or, in circumstances where that disclosure has already occurred, by bringing a claim for compensation for a breach of confidentiality. In practice, however, the duty of confidentiality is subject to many exceptions and is often unenforceable, at least in the courts.[33] This is because in an action in negligence, a plaintiff can only successfully sue for a breach of duty if he or she can prove actual injury or loss arising from the breach.
Because of the familial nature of genetic information, conflict may arise between the privacy interests of an individual who through participation in research, has obtained information about his/her genetic status, and the interests of other family members. For example, information may come to light about susceptibility to genetic disease, disclosure of which may benefit related family members as it may enable preventative measures to be taken or permit earlier intervention to alleviate or minimise the harm suffered. This can give rise to dilemmas for researchers as to when they may disclose such information or may possibly be under a legal duty to do so.
In the context of genetic research, it is most unlikely that a researcher would ever be under a legal duty to disclose genetic information about one individual to another. There is no Australian case law directly dealing with the disclosure obligations of health care professionals or researchers and doubts have been raised whether Australian courts would follow the United States cases[34] in relation to a ‘duty to warn’.[35] Even if this line of authority were to be adopted by the courts in Australia, it is difficult to see how it could apply to disclosure of genetic information as a duty to warn would only arise where threat to life is imminent. This would rarely, if ever, be the case in relation to genetic conditions. It is, therefore, probably safe to conclude that in the context of genetic research, the primary, and probably the only duty, is to the research participant and maintaining the confidentiality of his/her information and no legal duty to warn relatives of genetic risk could be found to exist.[36]
(c) Relevance of public interest justification for breaching confidentiality
In some circumstances, a conflict might arise between the public interest in maintaining the confidentiality of medical information and the public interest in the disclosure of that information.[37] Confidentiality is not an absolute concept. However, the circumstances in which confidentiality may legitimately be breached at common law[38] are rather limited. Essentially, they focus on situations where disclosure is necessary to avert imminent harm to others and are therefore unlikely to be applicable in the context of human genetic research where possible harms arising from non-disclosure would usually take some time to emerge. Further, whilst the new privacy principles under the amended Privacy Act 1988 (Cth) discussed below make provision for disclosure to family[39] or in certain emergency situations[40] without the person’s consent, the family disclosure only applies where there is no expressed wish to the contrary and the emergency disclosure exception only applies to lessen or prevent serious and imminent threat to life, health or safety. Neither of these exceptions would appear to allow disclosure of genetic information, in circumstances where conflicts arise between the individual’s interests and that of family members.
However, although the law, strictly construed, would suggest that the individual about whom the information relates has full control over that information, there is an emerging but by no means unanimous view that because of the shared nature of genetic information, it should be considered at the family rather than individual level.[41] This would not necessarily involve identifying any particular member of the family as the source of the information. It could, for example, entail passing on information to family members to whom it is relevant in a way which avoids disclosure to other family members of any individual's test results. At the very least, pursuant to this more family-orientated approach, individuals who have obtained relevant test results would be encouraged to allow disclosure to other family members for whom this information may be of relevance for their future health.[42] Genetic counselling, which, depending on the nature of the genetic condition being tested for, may be offered pre and post testing, clearly may play an important role in this context.[43]
(a) Privacy Act 1988 (Cth): regulation in the public sector
Legislative protection of privacy in Australia, particularly in the private sector, has been slow to eventuate. Since the enactment of the Privacy Act 1988 (Cth) there has been regulation at the federal level, but up until recently, its scope has been limited to Commonwealth government departments or agencies and therefore has not been directly applicable to much of the human genetic research that is being undertaken around the country. Nevertheless, the introduction of this legislation was significant. It marked, for the first time, a real commitment to privacy protection at the federal level, and in practice, the influence of the ‘Information Privacy Principles’ which are central to the legislation’s operation, has extended beyond the narrow field strictly attributed to them.
The ‘Information Privacy Principles’ (IPPs) contained in s 14 of the Act,[44] deal with all aspects of the information ‘life-cycle’. With regard to collection of information, the IPPs stipulate that information about individuals is to be collected fairly, lawfully and with knowledge and consent of the individual from whom it is collected,[45] and collection of information unnecessarily or for an unlawful purpose is prohibited.[46] The principles also regulate the storage of information[47] and require that records are up-to-date.[48] Further, the principles limit the use and disclosure of personal information held by an agency.[49]
A number of the IPPs have particular relevance in the research context, for example, Principle 9 which provides that personal information is only to be used for relevant purposes and Principle 10 which limits the use of personal information to the purpose for which it was collected, unless one of the exceptions can be made out. The exceptions are where the individual has consented; or the record keeper believes on reasonable grounds that the use of the information is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person, or the use of the information for that other purpose is required or authorised by law or is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the revenue, or the purpose for which the information is used is directly related to the purpose for which the information was obtained. Also of relevance is Principle 11, which limits the disclosure of personal information to a person, body or agency (other than the individual concerned), subject to a range of similar exceptions. Breaches of the IPPs are not directly actionable by those affected but may form the basis of a complaint to the Privacy Commissioner.
Central to a consideration of the application of the IPPs in the health research context is s 95 of the Privacy Act 1988 (Cth) which provides a mechanism for authorising health research which would otherwise be in breach of one of more of the IPPs, for example, where researchers wish to use personal information held by a government agency without the consent of the persons to whom this information relates. Section 95 of the Privacy Act 1988 (Cth) seeks to balance the competing public interests in medical research and in the protection of privacy. This section provides that a Commonwealth agency may deal with personal information for medical research purposes in ways that may contravene the IPPs provided that that research conforms with guidelines issued by the NHMRC and approved by the federal Privacy Commissioner.[50] Pursuant to s 95, before giving such approval, the Privacy Commissioner must be satisfied that the public interest in the promotion of research of the kind to which the guidelines relate outweighs to a substantial degree the public interest in maintaining adherence to the IPPs. The federal Privacy Commissioner has issued guidelines pursuant to this provision, these guidelines having been most recently revised in March 2000.[51] The guidelines stipulate that approval must be sought from a properly constituted HREC and set out, in some detail, the procedure for applications seeking authorisation for anticipated breaches of the IPPs. In particular, the guidelines spell out what researchers have to include in their application,[52] and also the responsibilities of HRECs considering such applications[53] and the matters that they must take into account in weighing up competing public interest considerations. They cover a very broad range of matters encompassing: the impact, in terms of risk and benefit to the individuals involved; the public importance of the research and its ability to contribute to promoting health; potential difficulties if the research were to proceed without the information sought; standards of conduct to be observed in the research; and procedures to be followed at the completion of the research.[54]
The wide range of matters that the section 95 guidelines address highlights the complexities involved in trading off the privacy rights of individuals (or what can also be characterised as the public interest in the protection of privacy) against public interests in promoting health research.[55] Reservations have been expressed from time to time about the structure of the guidelines system, in particular, it being a process which produces legally binding outcomes from what are committees comprised of voluntary citizens.[56] However, according to the Privacy Commissioner, the annual reports of the NHMRC provided to the Commissioner suggest that the system has been working fairly well in practice.[57] The Australian Health Ethics Committee of the NHMRC reports annually to the Privacy Commissioner on the application of the guidelines. On the basis of statistics for the period 2000-2001 obtained through the HREC annual compliance reporting process initiated by AHEC, 22 HRECs considered such proposals and some of these had considered more than one.[58] This is a marked increase from figures available for 1994 during which 6 projects were considered under the guidelines.[59] Just as with HREC determinations in respect of other applications, in some cases conditions were attached to the project to minimise the privacy intrusion involved.
Of particular interest is the fact that in practice, some HRECs are using the guidelines for assessing the privacy implications of research projects that do not involve personal information held by Commonwealth agencies.[60] There are a number of reasons that can be suggested for why this is so. Firstly, it should be noted that since the revision of the National Statement in 1999, compliance with the IPPs has been incorporated as an ethical requirement and therefore the dispensation provisions in s 95 are also arguably applicable.[61] Secondly, the former document, Aspects of Privacy in Medical Research (1995), which had been quite extensive in its coverage of privacy issues and which had in practice been relevant in guiding decision-making, has since been replaced with the more streamlined section 95 guidelines issued in 2000.[62] In the absence of other guidance, there appears to be increased reliance placed on the section 95 guidelines. Thus, it seems that because of their perceived relevance to decision-making in this area, the guidelines under s 95 of the Privacy Act are having a wider reach than is strictly required by force of law, but in a manner consistent with the ethical requirements of the National Statement.[63]
(b) Expansion of Privacy Regulation to the Private Sector: Privacy Amendment (Private Sector) Act 2000 (Cth)
Because of the limited application of the Privacy Act 1988 (Cth) as originally framed, there has been growing concern about the adequacy of protection in respect of information held by non-Commonwealth organisations. In recent years, there have been repeated calls by various bodies of inquiry for the expansion of privacy protection to the private sector.[64] After some initial reticence on the part of the Howard Government to legislate in this area, the Privacy Amendment (Private Sector) Act 2000 (Cth) was passed establishing a national scheme for the protection of personal information in the private sector which came into force on 21st December 2001.[65]
This legislation, which draws on OECD and European regulatory instruments in respect of privacy,[66] gives statutory force to the National Principles for the Fair Handling of Personal Information. These principles were introduced in February 1998 by the federal Privacy Commissioner and governed, within a self-regulatory framework, the collection, use, disclosure and transfer of personal information in the private sector.[67] These National Principles for the Fair Handling of Personal Information have been revised to accommodate legislative language. Further, their application to ‘health information’ has been modified, this category of information being recognised to be particularly sensitive[68] and therefore requiring greater protection, particularly with regard to the collection and use of disclosure of information.[69] ‘Health information’ is broadly defined in the legislation and would clearly encompass genetic information: section s 6(1) of the Act defines ‘health information’ as information or an opinion about the health or a disability (at any time) of an individual or an individual's expressed wishes about the future provision of health services to him or her; or a health service provided, or to be provided to an individual, that is also personal information.[70] In guidelines recently issued, the Privacy Commissioner has indicated his view that health information includes genetic information when this is collected or used in connection with delivering a health service or genetic information when this is predictive of an individual’s health.[71]
The National Privacy Principles (NPPs) are similar to, but not identical with, the IPPs in the Privacy Act 1988 (Cth). Aside from the area of collection of information, where, not surprisingly, greater prominence is given to individual consent under the NPPs than the IPPs, (Commonwealth agencies being required in many circumstances to collect personal information about individuals) the IPPs set a higher standard for the public sector handling information than is required in the private sector. This is because the NPPs have sought to make some accommodation for business practices and contain a number of broad exemptions, including an exemption for small businesses[72] and an exemption in respect of employee records.[73]
The new private sector amendments are directed to organisations in the private sector who hold ‘personal information’.[74] The term ‘organisations’ is broadly defined under the legislation[75] and includes individuals. The term ‘individual’ is in turn defined in the legislation as a ‘natural person’.[76] Pursuant to the exemption provisions in s 7B of the Act, individuals acting in a non-business capacity will be exempt from the requirements of the NPPs.[77] This section has a cross referenced note to s 16E of the Act which provides that the NPPs do not apply for the purposes of, or in connection with, an individual’s personal, family or household affairs. The intended scope of the legislation is further clarified in Information Sheets issued by the Office of the Privacy Commissioner. According to Information Sheet 12 –2001, ‘the Privacy Act does not cover the collection, use and disclosure of personal information by an individual unless it is done in the course of running a business’. The terms ‘business’ or ‘in the course of a business’, are not defined in the legislation but appear to be used in contradistinction to the use of personal information for personal, family or household purposes.
In circumstances where the NPPs apply, ‘organisations’ (within the meaning of the Act) must comply with those principles unless they come within one of the specific exemptions.[78] This means that they will have to comply with the Act’s requirements in relation to data collection (NPP 1), use and disclosure (NPP 2), data quality (NPP 3), data security (NPP 4), openness (NPP 5), access and correction (NPP 6), identifiers (NPP 7), anonymity (NPP 8), transborder data flows (NPP 9), and sensitive information (NPP 10).
The legislative approach is one of ‘co-regulation’[79] or so called ‘light-touch’: organisations and industries will be encouraged to develop codes of practice, using the NPPs as a benchmark, which are then to be approved by the Privacy Commissioner. In the absence of an industry or organisational code, the NPPs will apply by way of default position. The Act deals with breaches of the NPPs or approved privacy codes[80] and sets out avenues of complaint and redress in respect of such breaches.[81] Significantly, the federal Act as amended, does not seek to cover the field: State and Territory privacy legislation continues to operate to the extent that such legislation is not directly inconsistent with the terms of the Privacy Act 1988 (Cth) as amended.[82]
As these new amendments have only recently come into force, there has only been limited opportunity to examine the impact in practice of these amendments for research in the private sphere, particularly with regard to those working in the field of genetic research. Nevertheless, some preliminary conclusions can be reached about the applicability and impact of these amendments for the research sector.
The first point to note is that in practice, most of the genetic research that is being undertaken in Australia is conducted through hospitals, universities, and other research institutions, although there is a developing trend for the private sector to be involved in this research, either by funding university and hospital researchers to conduct the research or by conducting its own research. Public hospitals and universities are public state and territory government agencies.[83] The status of these organisations means that they come within the ambit of state and territory privacy laws rather than the new privacy scheme for the private sector.[84] State and territory legislation in this area is, however, incomplete and lacking in uniformity and therefore provides a less than adequate foundation for privacy regulation. Some jurisdictions, including New South Wales and the ACT, have introduced specific privacy legislation.[85] Significantly, the Privacy and Personal Information Protection Act 1998 (NSW) defines personal information specifically to include genetic information.[86] Also noteworthy is the Victorian Health Records Act 2001 which contains rigorous privacy protection for health care information generally and expressly encompasses the protection of genetic data. In other jurisdictions, however, no specific privacy legislation exists although some are in the process of considering legislative reform in this area.[87] In addition to any legislative coverage, it should be noted that research involving humans undertaken within hospitals and universities is governed by the NHMRC ethical guidelines: applications must be reviewed by an HREC and must not be undertaken or funded unless and until approval has been granted.
Enabling legislation for universities and other public institutions typically define the institution as including its staff.[88] Thus, research conducted by individuals working within universities, public hospitals or other such public government agencies in their capacity as staff would not ordinarily have to be undertaken in compliance with the NPPs and would instead be required to comply with relevant state or territory legislation where such exists and, where relevant, the ethical guidelines contained in the NHMRC National Statement.
However, there are some circumstances where the situation is not so clear cut, and where the NPPs may apply to individual researchers, notwithstanding their affiliation with a university or public hospital. One area of uncertainty concerns the situation where the researcher(s) have received funding from an external body, particularly where the funding is from the private sector. In this situation, the matter would probably have to be considered on a case by case basis, taking into account things such as the impact (if any) of the funding upon the relationship between the individuals and the university/public hospital, and the terms of the contract (or similar document) between the individuals and the organisation providing the funding.[89]
Another area of uncertainty is where the research group is of mixed composition, comprising, for example, some university or hospital researchers, but also individuals working outside state or territory government agencies. The need for the research as a whole to comply with the NPPs would depend on the status of these other individuals and whether they come within the meaning of the term ‘individual’ contained in the federal Privacy Act as amended.[90] As noted above, the NPPs are stated not to apply to the collection, use and disclosure of personal information by an individual unless it is done in the course of running a business, the legislation seeking to explain that it is not intended to apply for the purposes of, or in connection with an individual’s personal, family or household affairs.[91] This gives rise to some interpretative difficulty: whilst the conduct of researchers would not typically fall within the meaning of ‘in the course of running a business’ (and therefore is arguably beyond the scope of the legislation) such research could not be said to be ‘for the purposes of, or in connection with an individual’s personal, family or household affairs’. Further clarification of the applicability of the NPPs to individual researchers in these circumstances is therefore required. Notably, the current national inquiry into the protection of human genetic information being jointly undertaken by the Australian Law Reform Commission and the Australian Health Ethics Committee of the NHMRC (discussed further below) has failed to shed any light on this issue. The ARLC/AHEC Issues Paper, Protection of Human Genetic Information[92] which devotes a whole chapter to medical and other human research,[93] gives no specific consideration in this context to the applicability of the Privacy Act amendments to individual researchers. This is particularly surprising as in other respects, the Issues Paper is quite a detailed and comprehensive document.
It should be noted that in practice, even if the researcher does not have to comply with the NPPs, they may find that the organisations that they propose to collect information from (for example, a private hospital) do have to comply. In this situation, the practical effect is most likely to be that the researcher will have to comply by default. Thus, any researchers that do not come under the jurisdiction of the NPPs will nevertheless have to ensure that the research proposal meets the requirements of the legislation[94] before an organisation that does come under jurisdiction can disclose the information to the researcher.[95]
There may also be some doubts about the circumstances in which private companies conducting their own research will be governed by the private sector provisions. If the company is a health service provider[96] or deals with ‘health information’ it will not be exempt from the private sector requirements even though it falls within the definition of a small business.[97] Whilst it is unlikely that research undertaken by a genomics company would fall within the definition of a health service,[98] it may well fall within the scope of the NPPs by virtue of the fact that it deals with health information, at least in the clear cut case of genetic information that is predictive of an individual’s health.[99]
While the situation is by no means clear, it appears that there may be circumstances where individual researchers working with personal identified or potentially identifiable information in the private sector will be required to comply with the NPPs.[100] This is a significant development, as it represents the first occasion that statutory privacy obligations at the federal level have extended to researchers in the private sector. In view of some of the prevailing uncertainties and the practical difficulties of deciding in a given case whether or not the NPPs apply to particular research being undertaken, some organisations may be inclined to insist on compliance with the NPPs. Importantly, however, even where the NPPs do apply, researchers may be able to dispense with the usual requirement of individual consent if their activities fall within the ‘research exception’ discussed below.
(d) Research exception – s 95A Privacy Act 1988 (Cth) as amended by the Privacy Amendment (Private Sector) Act 2000 (Cth)
Pursuant to the recent privacy amendments, the research exception existing in the public sector pursuant to s 95 of the Privacy Act 1988 (Cth) has been extended to the private sector by virtue of new s 95A. This section, applying to information held in the private sector, in circumstances where the NPPs apply, authorises the Privacy Commissioner to approve guidelines issued by the NHMRC (or a prescribed authority) allowing the collection, use or disclosure of identifying health information for purposes of research without the necessity of obtaining the consent of the individual to whom the information relates. As with the s 95 exception, the legislation stipulates that such approval can only be given if the Privacy Commissioner is satisfied that the public interest in the collection or use or disclosure of that health information substantially outweighs the public interest in maintaining the level of privacy protection afforded by the NPPs.[101]
A number of preconditions will have to be met in order to obtain the benefit of this exception which is not limited to research, but extends also to the compilation or analysis of statistics relevant to public health or safety.[102] With regard to collection of health information,[103] notwithstanding the normal requirement of individual consent for collection of sensitive information (NPP 10), an organisation may collect health information about an individual without their consent if: the collection is necessary for research ‘relevant to public health or safety’[104] and that purpose cannot be served by the collection of information that does not identify the individual; that it is ‘impracticable’ for the organisation to seek the individual’s consent to the collection; and that the information is collected in accordance with guidelines approved by the Privacy Commissioner under s 95A. The Privacy Commissioner has indicated his view that this exception should be seen as a last resort measure, only to be used when other alternatives are demonstrably not available and has given the clear message that consent or de-identification is the preferable approach.[105] With particular regard to the requirement of ‘impracticability,’ the Privacy Commissioner has made clear that this must mean more than the fact that it involves expense or effort on the part of an organisation in seeking consent.[106] If an organisation collects data under this exception, NPP 10.4 applies which states that ‘it must take reasonable steps to de-identify the data before disclosing it’. This means that the information must not be disclosed without permanently de-identifying it.
In circumstances where an organisation wishes to use or disclose personal information for a purpose other than the primary purpose of the collection, NPP 2 applies, restricting such use and disclosure. Here too, a research exception is provided for in circumstances where the information is health information and the use or disclosure is necessary for the proposed research. Further, it would need to be established that it is ‘impracticable’ to seek the individual’s consent before the use or disclosure; that the use or disclosure is conducted in accordance with guidelines approved by the Privacy Commissioner under s 95A; and, in the case of disclosure, the organisation reasonably believes that the recipient of the health information will not disclose the health information, or personal information derived from the health information.[107]
Clearly, there are intended to be direct parallels to the existing s 95 exemption process and new s 95A – the aim of the new provision being to facilitate research involving health information held in the private sector. As with the section 95 guidelines, pursuant to the section 95A guidelines which were released by the NHMRC in December 2001,[108] and which have been approved by the Privacy Commissioner, researchers can only gain the benefit of the exception if their research project is assessed and approved by a properly constituted HREC. The section 95A guidelines set out criteria by which research projects will be assessed, drawing on the existing criteria applicable in relation to s 95 discussed earlier. They set out the procedures to be followed with regard to both the collection and use and disclosure of health information for the purposes of research relevant to public health or safety[109] and guidance for the preparation of written proposals to an HREC.[110] In accordance with the section pursuant to which they are established,[111] the section 95A guidelines require the application of a public interest test. In particular, they stipulate that before granting approval under the guidelines, the HREC must be satisfied that the public interest in the collection of health information substantially outweighs the public interest in maintaining the level of privacy afforded by the NPPs.[112] The criteria for HRECs to weigh the public interest are also very similar to those contained in the section 95 guidelines, some of which were touched on earlier. Both sets of guidelines contain special reporting requirements applying to HRECs, and to the AHEC, which in addition to reporting to the NHMRC, is required to report to the Federal Privacy Commissioner, on an annual basis, details of the decisions made under the respective guidelines.[113]
Although uncertainties remain about the circumstances in which the NPPs apply to research, in situations where the NPPs are applicable, the new section 95A guidelines provide a possible pathway for dispensing with the need for individual consent. This is clearly of potential relevance to genetic research as it is to other areas of research endeavour involving the collection of personal information. The extension of the NPPs, at least in some circumstances, to the private research sector has been a significant development, highlighting the need for appropriate privacy protection in all spheres of research. As noted earlier, much of the research involving humans undertaken in Australia has already been subject to ethical requirements pursuant to the NHMRC National Statement, however, this is the first time that legal privacy obligations under federal legislation have extended to the private sector.
At the same time, the privacy amendments, in conjunction with the new section 95A guidelines, acknowledge the value of research involving personal information notwithstanding the absence of individual consent and can facilitate this proceeding provided that the public interest in the research justifies this. No doubt with the passage of time, there will be greater awareness and clarity in respect of these changes. One clear factor, however, is the involvement of HRECs in the operation of the section 95A guidelines. However, in order to be effective, these laws will rely on a strong system of ethical review, which, as the federal Privacy Commissioner has suggested, has a ‘well-resourced ethical approval and oversight process with an effective health consumer voice’.[114] Applications for waiver could conceivably be brought by individual researchers within universities or hospitals but are probably more likely to come from individuals outside these institutions.[115] This, in turn, has implications for access to institutional HRECs which do not appear to be presently covered under the National Statement. Significantly, at the time of writing, the NHMRC was in the process of arranging workshops, nationwide, on the operation of the new section 95A guidelines aimed at HRECs, researchers, research administrators, health administrators and community members.
Interest in the new privacy amendments and their application to the research sector should not deflect attention from the significant role that the NHMRC guidelines have played, and continue to play, in the regulation of research in Australia. In practice, this has been, by far, the most significant form of regulation effecting those engaged in genetic research, at least for those working in institutional settings such as universities and hospitals who are therefore bound by these ethical guidelines. This has particularly been the case since the revised National Statement which devotes a whole section to human genetic research and contains a number of paragraphs dealing specifically with issues of privacy and confidentiality.[116]
These ethical guidelines mirror, to some extent, and reinforce the legal obligations at common law to maintain the confidentiality. They require that identifying or potentially identifying genetic information acquired about an individual in the course of research must not be released to others without that person’s explicit request.[117] Similarly, information provided by participants about family members must also be kept confidential.[118] Further, the guidelines require that the researchers specify, in the research protocol, the form in which genetic information or genetic material and information derived from studying the genetic material will be stored, that is, whether in an identified, potentially identifiable or de-identified form.[119] Genetic material and related information may only be transferred to another research group in circumstances where the researcher and the other research groups are collaborating on research which has been approved by an HREC and the material and/or information is provided in a form which ensures that participants cannot be identified.[120]
It should be noted that although the need for voluntary consent is usually fundamental as a precondition for participation in research, the National Statement contemplates that there are exceptional circumstances where the need for consent may be waived.[121] As these provisions acknowledge, such waiver of consent clearly has implications for individual privacy. Nevertheless consent may be waived after relevant factors are taken into account and where the public interest in the research proceeding is seen as outweighing or justifying the intrusion into individual privacy.
The impact of the NHMRC guidelines in affording privacy protection in the research context has, for some years, been augmented by the express incorporation as an ethical requirement in all human research involving identified or potentially identified data, the IPPs applying in the public sector.[122] This is followed up by a requirement that where a proposal for medical research may involve a breach of the IPPs, the HREC is to follow the section 95 guidelines.[123] Presumably this was included within the 1999 National Statement to redress the limited scope of formal privacy protection in Australia existing at that time. However, in light of recent changes which have resulted in the extension of privacy protection to the private sector through the introduction of new NPPs, there may need to be some revision of this approach, especially as the principles to be applied as a result of those amendments are not exactly the same as the IPPs contained in the Privacy Act 1988 (Cth).
The guidelines themselves have no legal force although whether or not they have been adhered to could be a factor in legal proceedings, for example in an action in negligence or in disciplinary proceedings. The primary sanction for non-compliance is that the offending institution, as identified through reporting mechanisms to the NHMRC, may cease to be eligible to receive NHMRC funding for research. Thus, although not directly legally binding, compliance with the guidelines is more than merely ‘voluntary’. The area of compliance, and the lack of effective enforcement, has been seen by some as a weakness of the current system of ethical review by HRECs. The Privacy Commissioner, in his 1996 paper Privacy Implications of Genetic Testing, had raised questions about the adequacy of the existing ‘self-regulatory’ framework for privacy regulation in the research context.[124] In particular, the lack of formal enforcement mechanisms in relation to the handling of genetic information has been identified as a concern. Although concerns about lack of formal enforcement mechanisms have been raised, this is not to suggest that there have been widespread problems – indeed, according to the Privacy Commissioner’s 1996 Information Paper, ‘there is little evidence that genetic epidemiological research in Australia has involved the unwarranted disclosure or use of personal genetic information’.[125] The Privacy Commissioner went on to suggest that ‘if adjustment to the existing regime were made, it would be necessary to be sure that the attractive features of the current framework – including flexibility, the involvement of those with expert knowledge, and peer review – were retained’.[126]
In summary, the reforms introduced under the Privacy Amendment (Private Sector) Act 2000 (Cth), give legal force to a regime very similar to that which researchers have been ethically bound to follow pursuant to the National Statement (particularly in view of the National Statement's incorporation of the IPPs). Therefore, researchers are unlikely to find the new requirements totally unfamiliar or particularly onerous, although of course, under the Privacy Act, as amended, they apply by force of law, backed up by a mechanism for enforcement. The new law seeks to strike a balance between promoting privacy interests and permitting research which is in the public interest. From a practical point of view, it represents little change from the existing ethical requirements. Significantly, however, the new privacy reforms are of general application – and whilst ‘health information’ is now recognised as ‘sensitive information’, there is no specific attention given to protecting genetic information. Although genetic research is potentially covered by these amendments, the legislation is not specifically targeted to this area. Moreover, as discussed above, genetic research is subject to considerable regulation through the NHMRC guidelines, however the non-legal nature of these guidelines in turn, has compliance and enforceability implications.
The Privacy Act amendments have met with mixed response, attracting particular criticism for their inadequacy in the health sphere[127] – an area where many believe that dedicated legislation, dealing more comprehensively with privacy concerns, is required.[128] There has also been criticism that the ‘research exception’ is too vague and uncertain and has sold out consumer interests.[129] These concerns are likely to be especially acute with regard to highly sensitive information such as genetic information. Notably, however, the explanatory memorandum to the legislation makes clear that it is not intended to specifically address the complex privacy issues that arise in respect of the handling of such information, foreshadowing to some extent, the current national inquiry.[130] Significantly, the announcement of the inquiry was welcomed by the Federal Privacy Commissioner, Malcolm Crompton, who stated in a media release that safeguarding the privacy of personal health information will be essential if the community is to gain the benefit from adoption of the new gene technologies.[131] Fears have also been expressed in other forums that confusion about the privacy laws may impede the conduct of medical research in Australia, echoing similar concerns that have been recently voiced in the United Kingdom.[132]
There is, at present, a delicate interplay between the legal and ethical requirements in relation to privacy. The relationship between law and ethics is discussed in the National Statement[133] where it is stated that in the event that both a legal requirement and ethical guidelines apply, the legal requirement will prevail. Where the (ethical) guidelines prescribe a standard that exceeds that required by the law, then researchers should apply this higher standard. What can be extrapolated from this in relation to privacy, and in particular, in relation to genetic privacy? We have seen that in some cases, at least, legal provisions in the form of the private sector privacy amendments will apply to researchers engaged in genetic research. In these circumstances, the new legal requirements in relation to dispensing with consent impose more rigorous requirements than the ethical guidelines contained in the National Statement. Thus, the legal requirement would prevail because it could not be said that the ethical guidelines set a higher standard.
One practical consequence which appears to flow from the privacy reforms is that researchers involved in genetic research may find themselves bound by conflicting regulations: they may be legally bound by the Privacy Act, as amended, to comply with the NPPs (being an ‘organisation’ to which these principles apply) and ethically bound by the requirements of the National Statement to comply with the IPPs of the Privacy Act 1988 (Cth). This is a situation likely to create confusion. It would, therefore, be desirable for the National Statement to be amended to clarify what its expectations are of researchers in light of the privacy amendments. The need for such amendment was in fact foreshadowed in the current section 95 guidelines.[134]
In light of the particular characteristics of genetic information, identified earlier, there is a strong argument that care needs to be taken in this area to ensure that the rights and interests of research subjects are not undermined. After all, this is an area of rapid change, and in view of the potential financial gains from research development, there is a real need to be sensitive to privacy issues in genetic research.[135] Given the concerns that have been raised about the appropriateness of the privacy reform's coverage of health information generally, one must seriously question whether these laws are adequate to protect individual rights insofar as genetic privacy is concerned. However, whilst these concerns may point to the need for more specific regulation in some areas, there is arguably less need for this in the institutional research context, in the light of the prevailing ethical requirements and the awareness of the special nature of genetic information that the National Statement has generated. A system of ethical guidelines has been largely successful in regulating this area. The strong ethical culture which prevails in relation to the research sector is evident from the fact that the section 95 guidelines have in practice been used even though strictly speaking, they have not been legally required. Closer scrutiny may, however, be warranted in respect of private companies undertaking genetic research which are not directly subject to the National Statement, particularly as some questions remain about the application of the new privacy sector amendments to such organisations.[136]
Possible models for the protection of privacy in genetic research
Different regulatory models for the protection of genetic privacy have been mooted. One option is the sort of approach proposed in the Genetic Privacy and Non-discrimination Bill 1998 (Cth) – a private members bill introduced by Senator Stott Despoja. This bill provided for a stand alone scheme dealing with genetic privacy and discrimination. It sought to protect genetic information through regulation of the collection and use of genetic material and information. Its focus was on the protection of genetic privacy through strictly regulating who may create, control, and have access to a DNA sample in respect of an individual. In this respect, this proposed legislative model differed from the scheme under the Privacy Act amendments, under which privacy rights attach to the information itself. Given the ease with which genetic information can be derived from genetic materials and the rapid advances in technology for determining genetic information, this alternative approach has been argued by some commentators to have some merit.[137]
Inter alia, the bill included detailed provisions in relation to use of genetic material and information for research purposes.[138] However, concerns had been raised that if enacted, this legislation may impede research. The research communities’ reaction to the proposed reforms can to some extent be gauged by submissions which had been made to the Senate Legal and Constitutional Legislation Committee to which the bill had been referred for inquiry. Whilst many of the submissions suggested that much of what the bill was seeking to achieve in this area was already adopted in practice under existing guidelines, a strong theme which came through quite a number of submissions was that too strict regulation of this area could stifle research. Further to this, it was argued that if provisions are introduced to cover research which are very detailed and particularised, they may inhibit existing regulatory strategies such as those employed by HRECs.
In its 1999 Report,[139] the Senate Committee recommended that the bill not proceed and that there be further examination of the issues. On the specific issue of medical research, the committee recognised that this area generates complex issues in relation to the competing interests of researchers and pharmaceutical companies, and individuals.[140] While the bill sought to deal with some of the relevant issues, it was thought that in view of the submissions received, these issues required further consideration and consultation.[141] The Committee was of the view that in general, medical research in Australia is well regulated and adequate safeguards exist to ensure that research is conducted in an appropriate way, although it did make the point that the extent to which private sector funded research is covered by NHMRC rules and guidelines is not clear.[142]
There are already strong expectations that the inquiry will result in recommendations for legislative change, at least in some areas. Even if we are to assume that increased regulation is seen as necessary for the protection of genetic privacy, at least in some areas, this still leaves open a number of complex questions including the form of that regulation and whether it should be in general terms, covering all health information, or specific to genetics, and in either event, what impact it should have with regard to genetic research. The final date for the inquiry to report has been extended to March 2003 and it is therefore likely to be some time before we see any tangible reforms.
In looking to solutions, the concerns about the protection of the privacy of genetic information have to be considered in the wider context of existing dissatisfaction with the Commonwealth Privacy Act's coverage of health information generally. Indeed, there had been considerable debate before the commencement of the privacy amendments as to whether they should extend to the protection of health information or whether this area warranted separate treatment. Significantly, the House of Representative Standing Committee on Legal and Constitutional Affairs which had reviewed the legislation, had recognised in principle the desirability of dealing separately with health information. However, it recommended that coverage of this category of personal information be retained within the legislation for the time being, on the grounds that it was important that health information be covered and that introducing privacy protection specific to health information would take some time to implement.[144] It was accordingly recommended that the Government should establish processes to resolve a consensus view for the health sector in the review of the privacy amendments proposed to take place in two years.[145] This recommendation was given in principle approval by the Government.[146]
Viewed in this light, the optimal solution to addressing any deficiencies in the privacy protection of genetic information is not to expand the scope of the existing privacy legislation in an attempt to more effectively protect this form of information. Rather, the approach should be to remove the whole area of health information from the coverage of the legislation and enact legislation specifically dealing with privacy protection of all forms of health information. Enacting special legislation dedicated to health information would allow the tailoring of privacy standards to accommodate the particular characteristics and sensitive nature of this information. A useful model for health privacy legislation is the Victorian Health Records Act 2001 (Vic). Significantly, the Victorian legislature has deliberately enacted this health privacy legislation alongside general privacy legislation, thus reflecting the view that health information needs to be dealt with separately.
Within the framework of privacy legislation specific to health, provisions could be included giving special recognition to the protection of genetic information to address perceived deficiencies in this area, as indeed could be done for other areas of health where there may be a need for particular protection. After all, genetic information clearly comes within the ambit of health information and is best dealt with within this context, with the addition of specific provision as appropriate to address particular aspects of genetic information that require attention. This would ensure a coherent approach is taken to the issue, in a manner consistent with a general health privacy framework. This approach has the advantage of being able to afford appropriate protection to genetic information which, as argued earlier, has particular characteristics which make this category of health information especially sensitive and vulnerable. Such an approach would offer an avenue to deal in a more targeted and appropriate way with issues such as those arising from the familial nature of genetic information in both the clinical and research contexts. It could, for example, also address particular issues concerning the individual's right not to know about their genetic status which is presently overshadowed by the privacy legislation's focus on the right of individuals to know what information is held and the disclosure obligations of those collecting information. At the same time, the approach suggested avoids overreacting to the difficulties and helps to counter claims of unwarranted genetic exceptionalism.
The process of giving formal legal protection to protecting the privacy of personal information in the research context has begun but is by no means complete. As we have seen, one of the key problems lies in the piecemeal coverage of privacy protection in Australia, with divisions between the public and private sectors and between Commonwealth and State and Territory areas of responsibility. As noted, this has particular implications in the research context as many of the institutions within which genetic research is being undertaken would not be covered by the new Commonwealth privacy amendments. More attention to the coverage of State and Territory legislation in this area is therefore obviously required, ideally with a view to achieving some consistency in legislative response. Further, attention needs to be given to removing existing anomalies in the operation of the various legal and ethical requirements which have been identified earlier.
Conclusions
Research goals are important but not at any cost. Whilst genetic research has the potential to yield enormous gains, it also entails some significant risks. Particular care needs to be taken by researchers engaged in genetic research involving identified or potentially identifiable information. The concept of regulation of health research is by no means a new one in Australia. Researchers have long been familiar with a scheme of ethical regulation of research involving humans and since the 1999 National Statement, the particular attention that has been given to genetic research. As this paper has outlined, these requirements have now been reinforced by the new privacy laws which, together with the new research exception, give legal force to the sort of ethical considerations that have guided such research to date. However, the applicability in practice of these new legal requirements to the genetic research that is being undertaken in Australia may in fact prove to be quite limited. Whether the current arrangements, involving a mix of legal and ethical obligations, are ultimately perceived as adequate in this area remains to be seen. As was acknowledged earlier, there are some aspects of the use of genetic information which may warrant greater scrutiny than in the area of research where an established framework of protection, through ethical guidelines, already exists. If further reforms in the research sector are seen as necessary, effective implementation will inevitably prove challenging in view of the jurisdictional complexities in this area.
[∗] This a revised version of a paper that was originally presented at the AIHLE National Conference, ‘Science Technology and Culture’, 28 June – 1 July 2001.
[**] Associate Professor in Law at the University of Tasmania.
[1] Sonia Le Bris and Bartha Maria Knoppers, ‘International and Comparative Concepts of Privacy’ in Mark Rothstein (ed), Genetic Secrets: Protecting Privacy and Confidentiality in the Genetic Era (1997) 418, 438.
[2] For example, privacy can refer to the reasons on which individuals rely in reaching decisions about participation in research or the freedom of individuals from observation or surveillance: see the NHMRC National Statement on Ethical Conduct in Research Involving Humans (1999) 52.
[3] Le Bris and Knoppers, above n 1, 419.
[4] International Covenant on Civil and Political Rights Article 17 and the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
[5] Ibid.
[6] Anita Allen, ‘Genetic Privacy: Emerging Concepts and Values’ in Rothstein (ed), above n 1, 31. These concepts are examined in Allen's paper but in summary, informational privacy concerns access to personal information; physical privacy concerns access to persons and personal spaces; decisional privacy concerns governmental and other third party interference with personal choices; and proprietary privacy relates to the appropriation and ownership of interests in human personality.
[7] NHMRC, Ethical Aspects of Human Genetic Testing: An Information Paper (2000) 45.
[8] The legal concept of confidentiality is considered further below.
[9] See, for example, the extensive regulation of the use of human tissue samples and of human genetic research under the NHMRC National Statement on Ethical Conduct in Research Involving Humans (1999); note also the NHMRC Guidelines for Genetic Registers and Associated Genetic Material (1999).
[10] Ibid, chapter 16.
[11] That is, information which identifies a particular individual or which is capable of being so used. See the definitions contained in the NHMRC National Statement on Ethical Conduct in Research Involving Humans (1999) 9 and chapter 14.
[12] For analysis of this emerging concept, see Allen, ‘Genetic Privacy: Emerging Concepts and Values,’ above n 6.
[13] Council of Europe Convention for the Protection of Human Rights and Dignity of the Human Being with Regard to the Application of Biology and Medicine, (‘Bioethics Convention on Human Rights and Biomedicine’), Strasbourg, November 1996. DIR/JUR (96) 14, Article 10; and United Nations Educational, Scientific and Cultural Organisation (‘UNESCO’), Universal Declaration on the Human Genome and Human Rights (adopted by the General Conference of UNESCO in November 1997), Article 7. Note also the, World Health Organisation (‘WHO’), ‘Proposed International Guidelines on Ethical Issues in Medical Genetics and Genetic Services: Report of a WHO Meeting on Ethical Issues in Medical Genetics’ (1997).
[14] For discussion see Thomas Murray, ‘Genetic Exceptionalism and ‘Future Diaries’: Is Genetic Information Different from Other Medical Information?' in Mark Rothstein (ed), above n 1, 68; and Trudo Lemmens, ‘Selective Justice, Genetic Discrimination, and Insurance: Should We Single Out Genes in Our Laws?’ (2000) 45 McGill Law Journal 347, 369.
[15] Privacy Commissioner, Information Paper Number Five, The Privacy Implications of Genetic Testing (1996) 1.
[16] For analysis of these dilemmas, see Loane Skene, ‘Patients’ Rights or Family Responsibilities? Two Approaches to Genetic Testing’ (1998) 6 Medical Law Review 1.
[17] See, also the Human Genetics Commission, Whose Hands on Your Genes?: A Discussion Document on the Storage, Protection and use of Personal Genetic Information, November (2000) 6.
[18] NHMRC National Statement on Ethical Conduct in Research Involving Humans (1999) Chapter 16. The specific requirements imposed by these guidelines are considered further below.
[19] For example, the Canadian Tri-Council Policy Statement, Ethical Conduct for Research Involving Humans (1998) 8.2.
[20] See, for example, Larry Gostin, ‘Genetic Privacy’ (1995) 23 Journal of Law, Medicine and Ethics 320; George Annas, Leonard Glantz and Patricia Roche, ‘Drafting the Genetic Privacy Act: Science, Policy and Practical Considerations’ (1995) 23 Journal of Law, Medicine and Ethics 360.
[21] Privacy Commissioner of Canada, Genetic Testing and Privacy (1992) 30, where these two elements are argued to be integral to a ‘reasonable expectation of genetic privacy’. It should be noted that both the right to know and the right not to know information collected about one’s health are protected in international instruments: see Council of Europe Convention for the Protection of Human Rights and Dignity of the Human Being with Regard to the Application of Biology and Medicine, above n 13, Article 10 and UNESCO, Universal Declaration on the Human Genome and Human Rights, above n 13, Article 5.
[22] See the requirements in the NHMRC National Statement on Ethical Conduct in Research Involving Humans (1999) with regard to genetic counseling paras 16.15-16.16; and note also the Canadian Tri-Council Policy Statement, Ethical Conduct for Research Involving Humans (1998) Article 8.4.
[23] See generally NHMRC National Statement on Ethical Conduct in Research Involving Humans (1999) Chapter 16 and note also the Canadian Tri-Council Policy Statement, Ethical Conduct for Research Involving Humans (1998) Articles 8.2 and 8.3.
[24] See Mark Rothstein, ‘Genetic Secrets: A Policy Framework’ in Mark Rothstein (ed), above n 1, 451, 457-458.
[25] See Kristine Barlow-Stewart and David Keays, ‘Genetic Discrimination in Australia’ (2001) 8(3) Journal of Law and Medicine 250 which reports on 48 cases of alleged genetic discrimination (defined as less favourable or adverse treatment because of a positive genetic test result) arising with respect to a wide range of genetic tests including haemochromatosis, inherited breast cancer, inherited bowel cancer, familial melanoma, Alzheimer’s disease, Huntington’s disease and hyperlipidemia. The majority of respondents reported discrimination in the insurance industry, although there were also reports of genetic discrimination by employers and health service providers.
[26] Ibid 254-255.
[27] Ibid.
[28] Paul Billings et al, ‘Discrimination as a Consequence of Genetic Testing’ (1992) 50 American Journal of Human Genetics 476; E. Virginia Lapham et al, ‘Genetic Discrimination: Perspectives of Consumers’ (1996) 274 Science 621; Lisa Geller et al, ‘Individual, Family, and Societal Dimensions of Genetic Discrimination: A Case Study Analysis’ (1996) 2 Science and Engineering Ethics 71; Lawrence Low, Suzanne King and Tom Wilkie, ‘Genetic Discrimination in Life Insurance: Empirical Evidence from a Cross Sectional Survey of Genetic Support Groups in the United Kingdom’ (1998) 317 British Medical Journal 1632.
[29] See, for example, People’s Panel Quantitative Study, Public Attitudes to Human Genetic Information, conducted for the Human Genetics Commission, October-December 2000, 29-37 and note also the survey results in relation to use and access of genetic information held on databases. In Australia, the Community Attitudes Survey undertaken in July 2001, reported that 13% of those surveyed had identified genetic information as one form of information that they were reluctant to provide to organisations and 3% identified genetic information as the information that they would be most reluctant to hand over: <http://www.privacy.gov.au/publications/rcommunity.html> .
[30] Victoria Park Racing and Recreation Grounds Co. Ltd v Taylor [1937] HCA 45; (1937) 58 CLR 479.
[31] Note, however, the deliberations of the High Court in the case of Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) Aust Torts Reports 81-627. Note also the case of Douglas v Hello Ltd [2000] EWCA Civ 353, which accepts that the action for breach of confidence protects privacy rights in the common law.
[32] Le Bris and Knoppers, ‘International and Comparative Concepts of Privacy’, above n 1, 436-437.
[33] Loane Skene, Law and Medical Practice: Rights, Duties, Claims and Defences (1998) 193 and see generally the discussion in chapter 9. As Professor Skene explains, there may be other possible avenues for redress in respect of such a breach, for example, in the case of a medical practitioner who has breached confidentiality, possible disciplinary proceedings.
[34] Note, in particular, the case of Tarasoff v Regents of the University of California 551 P 2d 334 (Cal SC) 1976 in which a psychologist was held liable in negligence for a failure to warn of a patient’s confided intention to kill a fellow student who was subsequently shot dead.
[35] See also, Skene, Law and Medical Practice: Rights, Duties, Claims and Defences, above n 33, 211.
[36] With regard to the clinical context, note also the AMA Position Statement, Human Genetic Issues – 2002 which supports the principle of non-disclosure other than with the patient’s specific consent: 5.7. The Human Genetics Society of Australasia Policy on Privacy Implications of Genetic Testing (1999) recommends a more flexible approach in the case of blood relatives who may share the same gene mutation, suggesting that each situation will need to be assessed, having regard to the need to maintain patient confidentiality and autonomy not to disclose, versus the duty to inform other family members, who may suffer potential harm if their risk status is not disclosed.
[37] For discussion see Deane Bell and Belinda Bennett, ‘Genetic Secrets and the Family’ (2001) 9 Medical Law Review 130.
[38] Bernadette McSherry, ‘Breaching Confidentiality in the Public Interest: Guidance from Canada?’ (2000) 19 Monash Bioethics Review 28.
[39] NPP 2.4.
[40] NPP 2.1(e).
[41] Loane Skene, ‘Patients’ Rights or Family Responsibilities? Two Approaches to Genetic Testing’ (1998) 6 Medical Law Review 1; Ann Sommerville and Veronica English, ‘Genetic Privacy: Orthodoxy or Oxymoron?’ (1999) 25 Journal of Medical Ethics 144. For a critique of this view, see Bell and Bennett, ‘Genetic Secrets and the Family’, above n 37.
[42] It has been suggested that a doctor or genetic counselor would owe a duty of care to third parties to explain to the patient the implications of the test for the future health of third parties (at least in circumstances where the disclosure of the test results by the patient could ameliorate future genetically caused harm): Roger Magnusson, ‘Genetic Health Information On-line: Some Regulatory Issues’, paper for the Centre for Law and Genetics Symposium, ‘Regulating the New Frontiers: Legal Issues in Biotechnology’, 10th December 2001.
[43] See for example, NHMRC, Ethical Aspects of Human Genetic Testing: An Information Paper (2000) chapter 3.
[44] For the benefit of researchers, there principles are set out as Appendix to the NHMRC National Statement on Ethical Conduct in Research Involving Humans (1999): see Appendix 2.
[45] Information Privacy Principles 1, 2, 3.
[46] Information Privacy Principle 1.
[47] Information Privacy Principle 4.
[48] Information Privacy Principle 7.
[49] Information Privacy Principles 10, 11.
[50] The National Statement confirms that this is the case: while stipulating that compliance with the IPPs is normally required, it acknowledges in paragraph 18.3 that where a proposal for medical research may involve a breach of those principles, the HREC must follow the s 95 Guidelines. (The Statement refers in fact to the guidelines contained in Aspects of Privacy in Medical Research (1995) but indicates that these to be ‘under review.’ In the meantime, the NHMRC Guidelines Under Section 95 of the Privacy Act March 2000 have been issued.)
[51] NHMRC, Guidelines Under Section 95 of the Privacy Act, March 2000.
[52] Ibid para 2.4.
[53] Ibid para 3.1.
[54] Ibid paras 3.2-3.3.
[55] Privacy Commissioner, The Privacy Implications of Genetic Testing, above n 15, 47.
[56] Privacy Commissioner (Australia), NHMRC Guidelines for the Protection of Privacy in the Conduct of Medical Research (1996) 11.
[57] Ibid 51.
[58] AHEC does not ask the relevant HRECs to specify the number of proposals considered by each committee.
[59] Ibid 50.
[60] Ibid 50.
[61] Ibid paras 14.7, 18.2 and 18.3.
[62] NHMRC, above n 51.
[63] Note, through the National Statement’s incorporation of the IPPs, it could be argued to in fact be an ethical requirement to bring such an application for research potentially breaching the IPPs.
[64] Note the recommendations of the House of Representatives Standing Committee on Legal and Constitutional Affairs, In Confidence: A Report of the Inquiry Into the Protection of Confidential Personal and Commercial Information held by the Commonwealth June 1995; Australian Law Reform Commission and Administrative Review Council, Report of the Review of Freedom of Information Act 1982, tabled in the Commonwealth Parliament 24 January 1996; Commonwealth Attorney-General’s Department, Discussion Paper, Privacy Protection in the Private Sector, September 1996; and the Senate Legal and Constitutional References Committee, Privacy and the Private Sector: Inquiry into Privacy Issues Including the Privacy Amendment Bill 1998, March 1999.
[65] The collection provisions operate prospectively from the date of commencement, however, the provisions regulating use and disclosure of information will apply to information already collected: see s 16C of the Privacy Act 1988 (Cth) as amended by the Privacy Amendment (Private Sector) Act 2000 (Cth).
[66] Guidelines for the Protection of Privacy and Transborder Flows of Personal Data and the European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.
[67] Privacy Commissioner, National Privacy Principles for the Fair Handling of Personal Information (1998).
[68] Note the definition of ‘sensitive information’ in s 6(1) of the Privacy Act 1988 (Cth) as amended by the Privacy Amendment (Private Sector) Act 2000 (Cth) which includes reference to ‘health information’. These modifications were based on the Privacy Commissioner’s recommendations to the Government following consultation with health stakeholders: Privacy Commissioner’s Report on the Application of the National Principles for the Fair Handling of Personal Information to Personal Health Information, December 1999.
[69] See NPPs 10 and 2 respectively, which establish as a general rule the requirement of the individual’s consent, unless one of the specified exceptions can be made out.
[70] It also includes other personal information collected in relation to the provision of a health service or in connection with the donation by an individual of his/her body parts, organs, or body substances.
[71] Privacy Commissioner, Guidelines on Privacy in the Private Health Sector (2001) A3.2.
[72] Privacy Act 1988 (Cth) s 6C, 6D.
[73] Privacy Act 1988 (Cth) s 7B(3).
[74] ‘Personal information’ is defined in s 6(1) of the Privacy Act 1988 (Cth) as information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonable be ascertained, from the information or opinion.
[75] See s 6C of the Privacy Act 1988 (Cth) as amended by the Privacy Amendment (Private Sector) Act 2000 (Cth) where ‘organisation' is defined as meaning an individual, or a body corporate, or a partnership, or any other unincorporated association, or a trust that is not a small business operator, a registered political party, an agency, a State or territory authority or a prescribed instrumentality of a State or Territory.
[76] Privacy Act 1988 (Cth) s 6.
[77] Privacy Act 1988 (Cth) s 7B(1).
[78] The research exception contained in NPPs 2 and 10 is discussed further below.
[79] According to the Explanatory Memorandum accompanying the bill, the term ‘co-regulation’ refers to a legislative framework within which self-regulatory codes of practice can be given official recognition. Legislation establishes the general principles with which all organisations must comply. It establishes the minimum benchmarks or safeguards that must apply across the board: Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth) 12.
[80] Privacy Act 1988 (Cth) s 16A as amended by the Privacy Amendment (Private Sector) Act 2000 (Cth).
[81] See Part V Privacy Act 1988 (Cth) as amended by the Privacy Amendment (Private Sector) Act 2000 (Cth) dealing with investigations.
[82] Privacy Act 1988 (Cth) s 3 as amended by the Privacy Amendment (Private Sector) Act 2000 (Cth).
[83] With the exception of private universities such as Bond University in Queensland.
[84] These requirements are discussed further below.
[85] Privacy and Personal Information Protection Act 1998 (NSW); Health Records (Privacy and Access) Act 1997 (ACT).
[86] See s 4(2) which states that personal information includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics.
[87] Note for example, in Tasmania, the Tasmanian Information Privacy Legislation, Issues Paper, November 2001 released by the Department of Premier and Cabinet, proposing privacy legislation in the public sector.
[88] See, for example, University of Tasmania Act 1992 (Tas) s 5(1).
[89] Email communications with the Office of the Federal Privacy Commissioner, March 2002.
[90] It is not inconceivable that such research groups may come within other aspects of the definition of organisation in the amended Privacy Act 1988 (Cth) (see s 6C referred to in note 75 above) for example, as a partnership or unincorporated association.
[91] See sections 7B and 16E discussed earlier.
[92] Issues Paper 26, October 2001.
[93] See Chapter 6.
[94] See, in particular, NPP2.1 (d)(ii).
[95] Email communications with the Office of the Federal Privacy Commissioner, March 2002.
[96] Note the definition of ‘health service’ in s 6(1) of the Privacy Act 1988 (Cth) as amended.
[97] Defined in s 6D of the Privacy Act 1988 (Cth) as amended.
[98] It should be noted that private sector research organisation are not listed as health service providers in the Guidelines on Privacy in the Health Sector (2001) issued by the Privacy Commissioner (see A2.1).
[99] Note the opinion of the Privacy Commissioner regarding the interpretation of health information referred to above.
[100] Information that is de-identified before it is used or disclosed for research will generally not be considered personal information and will not be subject to the NPPs: Privacy Commissioner’s Report on the Application of the National Principles for the Fair Handling of Personal Information to Personal Health Information, December 1999, 38.
[101] Privacy Act 1988 (Cth) s 95A, as amended by the Privacy Amendment (Private Sector) Act 2000 (Cth).
[102] See Privacy Act 1988 (Cth) s 95A, as amended by the Privacy Amendment (Private Sector) Act 2000 (Cth) together with NPP 2 dealing with use and disclosure and NPP 10 dealing with the collection of sensitive information.
[103] See in particular NPP 10.3.
[104] Research and statistics ‘relevant to public health or safety' means that the research is about public health or public safety or the compilation or analysis of statistics in relation to public health or safety: Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles, September 2001, 10.
[105] Privacy Commissioner’s Report on the Application of the National Principles for the Fair Handling of Personal Information to Personal Health Information, December 1999, 39-40.
[106] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles, above n 104, 10. Separate guidelines on privacy in the private health sector have also been issued by the Privacy Commissioner (Guidelines on Privacy in the Private Health Sector, above n 71), however, their scope is limited to ‘health service providers’. Organisations which are exclusively involved in research must therefore refer to the general NPP guidelines as their primary source of advice.
[107] NPP 2.1(d).
[108] NHMRC, Guidelines Approved Under s 95A of the Privacy Act, December 2001 < www.nhmrc.gov.au >.
[109] See A.2 and A.3 respectively.
[110] See A.2.6 and A.3.6 respectively.
[111] See in particular, Privacy Act 1988 (Cth) s 95A(3), (5).
[112] NHMRC, Guidelines Approved Under s 95A of the Privacy Act D3-D4.
[113] See NHMRC, Guidelines Under Section 95 of the Privacy Act 3.4-3.6, 4 and 5 and NHMRC, Guidelines Approved Under s 95A of the Privacy Act D6-D8, E, F.
[114] Privacy Commissioner’s Report on the Application of the National Principles for the Fair Handling of Personal Information to Personal Health Information December 1999, 37.
[115] See the discussion above regarding the application of the NPPs.
[116] See paras 16.3-16.8.
[117] See, in particular, paras 16.3 and 16.7.
[118] See, in particular, para 16.4.
[119] See, in particular, para 16.5.
[120] See, in particular, para 16.8.
[121] See para 14.4 in Chapter 14 dealing with epidemiological research; para 15.8 within Chapter 15, dealing with use of human tissue samples; and para 16.3 dealing with human genetic research.
[122] See para 14.7 within the chapter dealing with ‘Epidemiological Research’ and para 18.2 in the chapter specifically dealing with privacy of information. Note also the incorporation in para 14.7 of the National Statement of Standards Australia Personal Privacy Protection in Health Care Information Systems (AS4400-1995).
[123] See para 18.3 which refers to ‘the guidelines contained in Aspects of Privacy in Medical Research (1995) [Under review]’: as was noted earlier, these guidelines have since been replaced with the NHMRC Guidelines Under Section 95 of the Privacy Act, March 2000.
[124] Information Paper, Privacy Implications of Genetic Testing (1996) 48-9. (This paper predates the revised NHMRC guidelines, but the foundations of the ethics committee system remain.)
[125] Ibid 50.
[126] Ibid.
[127] Meredith Carter, Executive Director, Health Issues Centre, Victoria, Radio National, ‘Life Matters’, 27 January 2000; and ‘Warning: New Privacy Laws May be Bad For your Health!’ [2000] AltLawJl 36; (2000) 25(2) Alternative Law Journal 90.
[128] Note, in this regard, also the view of the House of Representatives Standing Committee on Legal and Constitutional Affairs, Parliament of Australia, Advisory Report on the Privacy Amendment (Private Sector) Bill 2000, September 2000, which had given in principle support to separate provision being made for privacy of health information.
[129] See for example, Tim Smyth, ‘Protecting Human Genetic Information and its Use’ (2002) 10 Australian Health Law Bulletin 64, 66.
[130] Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000.
[131] Privacy Commissioner, ‘Gene Technology Inquiry is an Opportunity to Get Privacy Right’ (Press Release, 9 August 2000).
[132] Sarah Stock, ‘Fears for Medical Research’ The Australian (Sydney) 21 May 2001.
[133] National Statement, above n 2.
[134] Ibid, the Introduction, 9.
[135] See also the Canadian Tri-Council Policy Statement, Ethical Conduct for Research Involving Humans (1998) 8.1.
[136] See the discussion above.
[137] For a useful comparison of these models, see Charles Lawson, ‘Genetic Privacy - Who's in Your Genes?’ (1999) 8 Australian Health Law Bulletin 37.
[138] See Genetic Privacy and Non-discrimination Bill 1998 (Cth) pt 5, clauses 20-22 dealing with research.
[139] Senate Legal and Constitutional Legislation Committee, Parliament of Australia, Inquiry into the Genetic Privacy and Non-discrimination Bill 1998 (1999).
[140] Ibid para 4.39.
[141] Ibid para 4.41.
[142] Ibid para 4.40.
[143] Daryl Williams, Attorney-General and Michael Wooldridge, Minister for Health (Press Release, 9 August 2000).
[144] See Standing Committee on Legal and Constitutional Affairs, Cth House of Representatives, Advisory Report on the Privacy Amendment (Private Sector) Bill 2000 (2000).
[145] Government Response to Advisory Report on the Privacy Amendment (Private Sector) Bill 2000.
[146] Ibid, Recommendations 14 and 15.
AustLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.austlii.edu.au/au/journals/MqLawJl/2002/4.html