1. Ethical Conduct of Human Research
Risks to research participants
Benefits to research participants and society
Legislation protecting participants
Mitigation of Risks to participants, researchers and infrastructure providers
Jeff Christiansen
2. Experience
QCIF
• Health and Life Sciences Program Manager
• UQ, Griffith, other QLD Universities
Intersect
• med.data.edu.au National Manager
• NSW Cancer Institute’s Biobanking Stakeholder Network
• USyd, UoN, UNSW, WSU, Ingham Institute, Kid’s Research Institute, Kolling Institute, Children’s Medical Research Institute, Westmead Institute for Medical Research, Garvan Institute, NHMRC Clinical Trials Centre, Cancer Council NSW, Centenary Institute, Melanoma Institute, Children’s Cancer Institute
3. Human Research
National Statement on Ethical Conduct in Human Research (2007) (Updated May 2015)
• Human research is conducted with or about people, or their data or tissue, for example:
• taking part in surveys, interviews or focus groups;
• undergoing psychological, physiological or medical testing or treatment;
• being observed by researchers;
• researchers having access to their personal documents or other materials;
• the collection and use of their body organs, tissues or fluids or their exhaled breath;
• access to their information as part of an existing published or unpublished source or database.
4. Risks and Benefits
• National Statement on Ethical Conduct in Human Research (2007) (Updated May 2015)
• Risk: a potential for harm, discomfort or inconvenience. It involves:
• the likelihood that a harm (or discomfort or inconvenience) will occur; and
• the severity of the harm, including its consequences.
• Harms:
• physical harms: including injury, illness, pain;
• psychological harms: including feelings of worthlessness, distress, guilt, anger or fear related, for example, to disclosure of sensitive or embarrassing information, or learning about a genetic possibility of developing an untreatable disease;
• devaluation of personal worth: including being humiliated, manipulated or in other ways treated disrespectfully or unjustly;
• social harms: including damage to social networks or relationships with others; discrimination in access to benefits, services, employment or insurance; social stigmatisation; and findings of previously unknown paternity status;
• economic harms: including the imposition of direct or indirect costs on participants;
• legal harms: including discovery and prosecution of criminal conduct.
5. Risks and Benefits
• National Statement on Ethical Conduct in Human Research (2007) (Updated May 2015)
• Benefits: research is ethically acceptable only when its potential benefits justify any risks involved in the research.
• Who decides?
• researchers, who need to identify, gauge, minimise and manage any risks involved in their project;
• institutions, in deciding the appropriate level of ethical review for research projects;
• Human Research Ethics Committees (HRECs) and other ethical review bodies, in reviewing research proposals and making judgements on whether risks are justified by potential benefits;
• participants, through their perceptions of the risks and benefits. These perceptions are a factor to be considered by review bodies in deciding whether the risks are justified by the benefits.
6. Sensitive Information
Information that could cause harm to an individual if used inappropriately
• Cth Privacy Act (1988) regulates how personal information is handled in Australia
7. Sensitive Information
Cth Privacy Act (1988) definitions
• Personal information
…information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.
• Sensitive information
…information or an opinion about an individual’s racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual orientation or practices; criminal record that is also personal information;
or
…health information, genetic information or biometric information about an individual.
8. Cth Privacy Act (1988)
Schedule 1: Australian Privacy Principles
• APP 1 — Open and transparent management of personal information
• APP 2 — Anonymity and pseudonymity
• APP 3 — Collection of solicited personal information
• APP 4 — Dealing with unsolicited personal information
• APP 5 — Notification of the collection of personal information
• APP 6 — Use or disclosure of personal information
• APP 7 — Direct marketing
• APP 8 — Cross-border disclosure of personal information
• APP 9 — Adoption, use or disclosure of government related identifiers
• APP 10 — Quality of personal information
• APP 11 — Security of personal information
• APP 12 — Access to personal information
• APP 13 — Correction of personal information
9. Cth Privacy Act (1988)
Use of personal/sensitive information in research
• If an individual consents to the use of their personal/sensitive information for research purposes, the Privacy Act does not apply
10. Consent
National Statement on Ethical Conduct in Human Research (2007) (Updated May 2015)
• In the research context, consent should be a voluntary choice, and should be “informed”, i.e. based on sufficient information and adequate understanding of both the proposed research and the implications of participation in it:
• any alternatives to participation;
• how the research will be monitored;
• provision of services to participants adversely affected by the research;
• contact details of a person to receive complaints;
• contact details of the researchers;
• how privacy and confidentiality will be protected;
• the participant’s right to withdraw from further participation at any stage, along with any implications of withdrawal, and whether it will be possible to withdraw data;
• the amounts and sources of funding for the research;
• the likelihood and form of dissemination of the research results, including publication;
• any expected benefits to the wider community.
11. Cth Privacy Act (1988)
If an individual does not consent, the use of personal and sensitive information may still be possible for the purposes of research.
The Privacy Act s95 and s95A guidelines provide a framework for HRECs and researchers to weigh the public interest in the use of the health information for research against the individuals’ interest in privacy. The approving HREC holds responsibility for determining if information should be disclosed for research purposes.
Privacy Act s95 Guidelines (2014)
• apply to the collection, use or disclosure of health information by Commonwealth agencies for research where it is impracticable to seek consent from the individual(s) involved.
Privacy Act s95A Guidelines (2014)
• apply to the collection, use or disclosure of health information by the private sector for research where it is impracticable to seek consent from the individual(s) involved.
NOTE: the s95 and s95A guidelines do not apply to State managed public health organisations, including public hospitals, arguably the richest source of health information.
12. State and Territory Privacy Legislation

| Jurisdiction | Public Sector (including Public Health Organisations (PHOs) and State Health Agencies) | Private Sector (Health) | Private Sector (General) |
|---|---|---|---|
| ACT | Information Privacy Act 2014 (ACT) (ACT Public Sector Agencies); Health Records (Privacy and Access) Act 1997 | Privacy Act 1988 (Clth); Health Records (Privacy and Access) Act 1997 | Privacy Act 1988 (Clth) |
| NSW | Privacy and Personal Information Protection Act 1998; Health Records and Information Privacy Act 2002 (health records held by NSW Government agencies, including public hospitals) | Privacy Act 1988 (Clth) | Privacy Act 1988 (Clth) |
| NT (note: no health-specific privacy legislation) | Information Act (2002) (NT): applies to NT Government Organisations including PHOs | Privacy Act 1988 (Clth) | Privacy Act 1988 (Clth) |
| QLD (note: no health-specific privacy legislation) | Information Privacy Act 2009 (Qld); Information Standards 42 (general) & 42A (health); Public Health Act 2005 Chapter 6, Part 4, Division 2, s281 – s284 (access to confidential information held by QLD Health) | Privacy Act 1988 (Clth) | Privacy Act 1988 (Clth) |
| SA | There is no legislation that specifically addresses privacy in South Australia. The South Australian Department of the Premier and Cabinet, however, has issued an administrative instruction requiring its government agencies to comply with a set of Information Privacy Principles (IPPs) based on the IPPs in the Commonwealth Privacy Act | Privacy Act 1988 (Clth) | Privacy Act 1988 (Clth) |
| TAS (note: no health-specific privacy legislation) | Personal Information and Protection Act 2004 (Tas): applies to the Tasmanian Public Sector, including the University of Tasmania | Privacy Act 1988 (Clth) | Privacy Act 1988 (Clth) |
| VIC | Privacy and Data Protection Act 2014; Health Records Act 2001 (Vic) | Privacy Act 1988 (Clth) | Privacy Act 1988 (Clth) |
| WA | There is no legislation that specifically addresses privacy in Western Australia | Privacy Act 1988 (Clth); Confidentiality of Health Information Committee | Privacy Act 1988 (Clth) |
13. How can risks be reduced for research participants?
1. Removing the identifiability of individual research participants
2. Using an appropriately robust Information Security Framework
• Information Governance
o Information Security Policy
o Clearly defined Roles and Responsibilities
• Observing an appropriate technical security set-up
o Encryption
o User Identity Management
o Authentication
o Access Control
o Secure Audit
o General IT Security
o etc.
14. Identifiability
National Statement on Ethical Conduct in Human Research (2007) (Updated May 2015)
• three levels of data identifiability:
1. INDIVIDUALLY IDENTIFIABLE - data from which the identity of a specific individual can reasonably be ascertained (e.g. a name, image, date of birth, global identifier or address).
2. RE-IDENTIFIABLE - data where identifiers have been removed and replaced by a code, but it remains possible to re-identify a specific individual by, for example, using the code or linking different data sets.
3. NON-IDENTIFIABLE - data that have never been labelled with individual identifiers or from which identifiers have been permanently removed, and by means of which no specific individual can be identified. A subset of non-identifiable data are those that can be linked with other data so it can be known that they are about the same data subject, although the person’s identity remains unknown.
15. Confidentialisation
Guidelines for the Disclosure of Secondary Use Health Information for Statistical Reporting, Research and Analysis 2015
National Statistical Service Statistical Information Management Committee
• For item level information: removal of identifiers and identifying information
• Aggregation of data into groupings (e.g. the number of people with disease X in geographical area Y or age group Z).
Note that if this latter approach is used, Data Custodians must bear in mind that in small populations (e.g. patients with a rare condition) they are responsible for minimising the risk of identification and attribute disclosure within these datasets using principles of data minimisation, and address concerns of small denominator populations by: removing and/or modifying personal identifiers, encryption, aggregation of dates, and aggregation of variables (age groups, diagnosis related groups, geographic area indicators).
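The three identifiability levels of slide 14 and the confidentialisation steps of slide 15, worked through in code. This is an added example, not part of the presentation or the NSS guidelines; the sample records are constructed, and the HMAC-based code, the 10-year age bands, the two-digit area indicator and the minimum cell size of 5 are assumptions chosen for illustration.

```python
import hashlib
import hmac
from collections import Counter
from datetime import date

# Constructed sample records (not real people): "name" is a direct
# identifier, "dob" and "postcode" are quasi-identifiers.
RECORDS = [
    {"name": f"Person {i}", "dob": date(1965, 1, 1 + i), "postcode": "4000", "diagnosis": "X"}
    for i in range(6)
] + [
    {"name": "Person 6", "dob": date(1940, 6, 1), "postcode": "4350", "diagnosis": "Rare"},
    {"name": "Person 7", "dob": date(1941, 7, 1), "postcode": "4350", "diagnosis": "Rare"},
]
REF_DATE = date(2015, 5, 1)  # assumed date at which ages are calculated
MIN_CELL = 5                 # assumed smallest count that may be published


def pseudonymise(records, custodian_key):
    """RE-IDENTIFIABLE: swap the name for a keyed code. Only the holder of
    custodian_key can recompute the code and re-link to the individual."""
    out = []
    for r in records:
        msg = f"{r['name']}|{r['dob'].isoformat()}".encode()
        code = hmac.new(custodian_key, msg, hashlib.sha256).hexdigest()[:12]
        out.append({"code": code, "dob": r["dob"],
                    "postcode": r["postcode"], "diagnosis": r["diagnosis"]})
    return out


def age_group(dob, ref=REF_DATE, width=10):
    """Aggregate an exact date of birth into a 10-year band such as '50-59'."""
    age = ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))
    lo = age // width * width
    return f"{lo}-{lo + width - 1}"


def aggregate(records, min_cell=MIN_CELL):
    """NON-IDENTIFIABLE: counts per (age band, area, diagnosis) grouping.
    Area is the first two postcode digits. Cells below min_cell are
    suppressed (None) so a small denominator population such as a rare
    condition cannot be singled out from the published table."""
    counts = Counter((age_group(r["dob"]), r["postcode"][:2], r["diagnosis"])
                     for r in records)
    return {cell: (n if n >= min_cell else None) for cell, n in counts.items()}


def confidentialise(records=RECORDS, custodian_key=b"custodian-secret"):
    """Identifiable -> re-identifiable -> aggregated, suppressed table."""
    return aggregate(pseudonymise(records, custodian_key))
```

Suppressing a cell is not enough on its own if marginal totals are also published, since the suppressed value can be recovered by subtraction; the custodian has to apply the same threshold to any totals released alongside the table.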
16. Information Security Frameworks
• All help identify the risks to important information and put in place the appropriate controls to help reduce the risk, e.g.
• ISO/IEC 27001:2013 and the wider 27000 series
• Cth Gov: ASD ISM
• QLD Gov: IS18
17. Information Security Frameworks
• Requires commitment and involvement from the leadership team.
• Top management are responsible for the system’s effectiveness and for making sure the whole organisation understands how they contribute to the Information Security Management System (ISMS).
• Creation of a culture whereby the importance of information security is promoted and embraced avoids confusion and provides clarity for all.
• Clear roles and responsibilities (within a CSP organisation and tenants, others)
• Identification and management of risks
• Evaluation of the effectiveness of the controls put in place to manage the risks, and making sure they are proportionate to the potential impact on a business.
• Australian standard for technical controls: ASD ISM
18. Information Security Frameworks
• Certification to a standard by an Accredited Assessor is possible, e.g.
• ASD/IRAP certification for Cloud Service Providers
• ISO27000 series certification
• Major research infrastructure for human research does not require certification (e.g. PHRN), but does require a robust Information Security Management System.
• Without certification, demonstrating security maturity and garnering trust with research partners is more difficult for infrastructure providers.
20. Summary
• Human Research carries a level of risk for research participants
• Conducting Human Research legally and ethically requires the minimisation of risk
• Minimising risk in Human Research is a joint responsibility
• Research Participants
• Researchers
• Institutions
• Human Research Ethics Committees
• Data Custodians
• Research Collaborators
• Infrastructure providers
• Risk Management Frameworks can be used to manage the risks and make sure they are proportionate to the potential impacts