Local laws

Has the local regulator published any guidelines/regulations addressing privacy matters on clinical trials and/or pharmacovigilance? ('Regulator' may mean either the local data protection authority, or the local medicines authority.)

Yes.

The Privacy Act 1988 (Cth) (Privacy Act) makes provision for circumstances where the handling of personal information and health information may take place where it is impracticable for researchers to obtain the individual’s consent.

This recognizes:

  • The need to protect health information from unexpected uses beyond individual healthcare.
  • The important role of health and medical research in advancing public health.

To promote these ends, the Privacy Commissioner (the regulator) has approved two sets of legally binding guidelines, issued by the National Health and Medical Research Council (NHMRC):

  • Guidelines under Section 95 of the Privacy Act 1988, which set out procedures that Human Research Ethics Committees (HRECs) and researchers must follow when personal information is disclosed from a Commonwealth agency for medical research purposes.
  • Guidelines under Section 95A of the Privacy Act 1988, which provide a framework for HRECs to assess proposals to handle health information held by organisations for health research (without individuals' consent). They ensure that the public interest in the research activities substantially outweighs the public interest in the protection of privacy.

Last modified 18 Oct 2022


Do the privacy laws and regulations applicable to clinical trials in your jurisdiction provide for extraterritorial applicability?

Depending on factual analysis.

The Australian Privacy Principles (the APPs) (as set out in Schedule 1 to the Privacy Act) extend to an act done, or practice engaged in, outside Australia by an organization that has an Australian link (s 5B(1A)).

An organization has an Australian link where it is:

  • An Australian citizen or a person whose continued presence in Australia is not subject to a legal time limitation
  • A partnership formed, or a trust created, in Australia
  • A body corporate incorporated in Australia, or
  • An unincorporated association that has its central management and control in Australia (s 5B(2))

An organisation that does not fall within one of those categories will also have an Australian link where:

  • It carries on business in Australia, and
  • It collected or held personal information in Australia, either before or at the time of the act or practice (s 5B(3))

Note: The phrase ‘carries on business in Australia’ in s 5B(3)(c) is not defined in the Privacy Act. However, it arises in other areas of law, including corporations and consumer law. Guidance may be drawn from judicial consideration of the phrase in those contexts.


What is the preferred legal ground for the processing of the personal data of the participants in a clinical trial in your jurisdiction?

Subject to the exceptions set out in our answer to Question 1, the collection of sensitive information (including health information) requires the individual’s consent.

The applicable provision is found in APP 3.3.

An agency or organization (an APP entity) must not collect sensitive information about an individual unless:

  • The individual consents to the collection of the information and:
    • If the entity is an agency – the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities; or
    • If the entity is an organisation – the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities;
  • Or subclause 3.4 applies in relation to the information (Note: Subclause 3.4 provides various carve-outs for law enforcement and court orders; most relevant to this enquiry is 3.4(c), where a permitted health situation exists).

Permitted health situations are defined in section 16B of the Privacy Act and set out the circumstances where the collection, use or disclosure of health information is permitted without obtaining the individual’s consent.

Use or disclosure of personal information

APP 6 sets out the conditions by which an APP entity may use or disclose personal information.

  • 6.1  In general, if an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless:
    • The individual has consented to the use or disclosure of the information; or
    • Subclause 6.2 or 6.3 (note 6.3 only applies to government agencies) applies in relation to the use or disclosure of the information.
Note: APP 8 sets out requirements for the disclosure of personal information to a person who is not in Australia.
  • 6.2  This subclause applies in relation to the use or disclosure of personal information about an individual if:
    • The individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is:
      • If the information is sensitive information (e.g. health information) – directly related to the primary purpose; or
      • If the information is not sensitive information – related to the primary purpose; or
    • The use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
    • Not applicable
    • The APP entity is an organisation and a permitted health situation exists in relation to the use or disclosure of the information by the entity; or
    • Not applicable.

Consent – the regulator has published non-binding guidelines on consent to the handling of personal information, and the following recommendations are also consistent with findings from the regulator’s investigatory powers. In general, consent must be informed, voluntary, current and specific; the individual must also have capacity to provide consent.


What is the legal ground for the processing of the personal data in respect of pharmacovigilance in your jurisdiction?

The legal grounds for processing personal data in respect of pharmacovigilance are as set out in Local laws.


Indicate the role from a data protection perspective of various parties involved (i.e. in respect of the processing of the personal data of the clinical trial).

Role / Notes

Sponsor

The Privacy Act does not contain the concept of controller and processor. To the extent the Sponsor is an APP entity with an Australian link (as described more fully in our answer to Question 3) collecting or handling personal information, the Sponsor will be bound by the Privacy Act and the APPs.

Principal Investigator

The Privacy Act does not contain the concept of controller and processor. To the extent the Principal Investigator is an APP entity with an Australian link (as described more fully in our answer to Question 3) collecting or handling personal information, the Sponsor will be bound by the Privacy Act and the APPs.

Clinical Trial Site

The Privacy Act does not contain the concept of controller and processor. To the extent the CTS is an APP entity with an Australian link (as described more fully in our answer to Question 3) collecting or handling personal information, the Sponsor will be bound by the Privacy Act and the APPs.

Monitor

The Privacy Act does not contain the concept of controller and processor. To the extent the Monitor is an APP entity with an Australian link (as described more fully in our answer to Question 3) collecting or handling personal information, the Sponsor will be bound by the Privacy Act and the APPs.

CRO

The Privacy Act does not contain the concept of controller and processor. To the extent the CRO is an APP entity with an Australian link (as described more fully in our answer to Question 3) collecting or handling personal information, the Sponsor will be bound by the Privacy Act and the APPs.


Is key-coded clinical trial data considered personal data under your jurisdiction’s data protection laws? (Key-coded clinical trial data is where the identity of the individual clinical trial participant is replaced with a unique subject identification code, and the ‘key’ which can be used to re-identify the participant is held by the Principal Investigator.)

To the extent key-coded clinical trial data cannot reasonably identify an individual, it is likely to be de-identified personal information for the purpose of the Privacy Act.

De-identified personal information is no longer personal information for the purpose of the Privacy Act.

In general, personal information will be de-identified if:

  • Direct identifiers are removed; and
  • One or both of the following steps have been taken:
    • The removal or alteration of other information that could potentially be used to re-identify an individual; and/or
    • The use of controls and safeguards in the data access environment to prevent re-identification

The regulator has issued the following guidance on de-identification:


Is it possible to re-use the personal data obtained for the purposes of conducting the clinical trial? If so, what requirements need to be satisfied?

Yes, but only in limited circumstances.

This is because, under APP 6.1, if an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless:

  • The individual has consented to the use or disclosure of the information; or
  • Subclause 6.2 or 6.3 (note 6.3 only applies to government agencies) applies in relation to the use or disclosure of the information.
Note: APP 8 sets out requirements for the disclosure of personal information to a person who is not in Australia.

6.2  This subclause applies in relation to the use or disclosure of personal information about an individual if:

  • The individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is:
    • If the information is sensitive information (e.g. health information) – directly related to the primary purpose; or
    • If the information is not sensitive information – related to the primary purpose; or
  • The use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
  • Not applicable
  • The APP entity is an organisation and a permitted health situation exists in relation to the use or disclosure of the information by the entity; or
  • Not applicable.


What requirements, if any, need to be satisfied if clinical trial data is transferred internationally?

Before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information (APP 8.1). There are exceptions to the requirement in APP 8.1 to take reasonable steps and to the accountability provision in s 16C.

Note: an APP entity that discloses personal information to an overseas recipient is accountable for any acts or practices of the overseas recipient in relation to the information that would breach the APPs (s 16C).
