To the Editor: In Australia, personal and health information that identifies an individual cannot be used or disclosed for research without specific requirements being met.1 Even if these requirements are met, data custodians may still refuse access if their views are discordant with those of the relevant human research ethics committee (HREC). It is now evident that there are adverse consequences of this well-meaning legislation.

Our research group conducts community-based vaccine trials. Recently, we attempted to use school enrolment lists to mail information to parents about a study. Despite approval from the Royal Children’s Hospital HREC, one major governing body of Victorian public schools rejected our proposal on privacy grounds, as did several independent schools. Only a small number of schools raised no privacy concerns at all. The main concern expressed was that the use of these registers for health research was not related to the primary purpose of collection, and families had not consented to this use. The net result was substantially reduced access to the population eligible for recruitment.

We now have a situation in which the legislation may actually do more harm than good. This is an emerging issue here in Australia and overseas.2,3 Even more worrying are the findings of an Australian survey in which 61% of adults believed that even their de-identified health information should not be used for research purposes without their consent.4 Health research is dependent on access to population datasets to recruit participants, monitor health indicators, identify risk factors and inform interventions. Non-representative access threatens a study’s validity, resulting in poorly informed interventions, policy and funding decisions. The situation may now have progressed beyond reasonable trade-offs between the public good and individual privacy to the point where important research cannot be done at all, and the opportunity for advances in health are lost.

Despite statutory guidelines,1,5 there are widespread differences in interpretation of the legislation, particularly regarding the terms “practicable” and “public good”. Amendment of the legislation in this respect is therefore urgently required, together with clauses which facilitate a researcher’s ability to inform the public of a particular project and enable individuals, not organisations, to decide whether they wish to participate. There needs to be greater effort in gaining public understanding of the legislation and its intent with respect to research. In addition, upfront declarations and “opt-out” clauses about the use of personal information for health research must also be included in the privacy statements that organisations are now legally required to provide to individuals at the point of data collection.

In reply: We are familiar with concerns such as those expressed by O’Grady and Nolan, and we are grateful for this opportunity to respond, so that readers can consider the views side by side.

Privacy is not new. Ethical obligations of confidentiality in medical settings date back to Hipprocrates. New privacy legislation — Health Records Act 2001 (Vic); Information Privacy Act 2000 (Vic); Privacy Act 1988 (Cwlth) — clarifies these obligations and also sets a higher standard of accountability. (Other states and territories also have legislation or are contemplating it.) The new laws cover all sorts of personal information, but health information is especially delicate. Wrongly handled, it can lead to discrimination — not just embarrassment or loss of dignity. In Victoria, this was recognised by Parliament when it passed the Health Records Act as a separate piece of legislation to deal specifically with health information.

The policy behind the privacy laws is aimed at promoting trust between health service providers and the public by reassuring them that their personal information will be respected, particularly in an electronic age in which information can be speedily transmitted far and wide. If surveys show the public to be wary about the use of their health information for research, it would seem to be in the best interests of the research community to embrace new standards rather than to seek to unravel or avoid them.

Privacy legislation was drafted after extensive consultation, taking into account competing factors and the need to balance respect for privacy with other public interests, including research. Research is very important, and privacy is a cherished and longstanding value. Reputable research can coexist with the recent statutory expressions of privacy, just as reputable research has always coexisted with respect for privacy.

Many data custodians perhaps do not yet realise that privacy laws rarely require an existing legitimate practice to cease completely, but rather may require the practice to be adapted to meet new standards. For example, for researchers seeking to recruit subjects for a study, the data custodian may disseminate the researchers’ initial letter rather than hand over lists of names and addresses to researchers. Once recipients opt in, direct consensual dealings with the researchers proceed as usual. Researchers can always use properly de-identified information, or they may use information with the consent of the subject.

As with all new laws, the privacy laws will become better understood with time and experience. Some data custodians are understandably overcautious, while others have blamed privacy laws for preventing them from providing information in situations in which disclosure is permitted. Many adapt with ingenuity and effectiveness. Privacy Commissioners and the Health Services Commissioner are available to explain the laws.

We, along with everyone with an interest in collecting and using the sensitive information of others, must recognise and consider the subtleties inherent in balanced privacy protection.