ANU Home | AFFIRM | CMHR | CMBE
The Australian National University
Centre for Mental Health Research
ANU College of Medicine, Biology & Environment
Centre for Mental Health Research
Home
Mission
News & Events
Contact Details
People
Publications
Graduate Study
Graduate Course
Privacy in Research
Links
Shop
Media Releases
Research Units
Depression & Anxiety Consumer Research Unit
Ageing Research Unit
e-hub: e-mental Health Research & Development
Psychiatric Epidemiology and Social Issues Team
Longitudinal Projects
PATH Through Life Project
Canberra Longitudinal Study
The Beyond Ageing Project
Community Resources
e-couch: Personal self-help program
MoodGYM Training Program
BluePages: Depression Information
BlueBoard: Online community for mutual support
BrolgaNet: Consumer Participation Network
Assessment Tools for Professionals
AFFIRM
AFFIRM: Australian Foundation for Mental Health Research
Printer Friendly Version of this Document

Privacy in Research

The Centre for Mental Health Research respects the privacy of its research participants, friends and benefactors, personnel, and all others associated with the Centre. We are guided by Australian laws, guidelines, policies and procedures in protecting privacy.

Introduction

Through its work on mental health, the Centre for Mental Health Research (CMHR) is committed to humanitarian goals. Among these is promoting human dignity. This includes protecting individuals’ dignity in all the research we conduct and in the way CMHR personnel relate to each other. Respecting people’s privacy is part of protecting their dignity.

From a legal perspective, the Australian National University is a Commonwealth agency for the purposes of the Commonwealth Privacy Act 1988, (the Privacy Act). This means that the University, including CMHR, is subject to, and must comply with, the provisions of the Privacy Act.

Joint National Health and Medical Research Council and Australian Vice-chancellor’s Committee guidelines on research practice in 1997 recommended that institutions develop clearly formulated policies on all aspects of information privacy. The University has a privacy policy - Statement on the Collection, Use and Control of Personal Information that applies to the activities undertaken by CMHR. These Guidelines have been developed to assist staff and students understand how to implement the University’s policy and to understand their obligations with respect to the Privacy Act.

In the course of carrying out research-related activities and managing personnel matters, information about research participants and personnel is disclosed to CMHR. This information is private, must be held confidential and may only be used to the extent prescribed by relevant legislation, policies and guidelines.

The Legal framework

In collecting and using personal information CMHR is subject to:

The Privacy Act and CMHR

In relation to privacy, the fundamental legislation is the Commonwealth Privacy Act. This Act embodies:
11 Information Privacy Principles that apply to collectors of personal information. The principles apply to information gathered in research projects, information gathered about CMHR staff and students as well as information gathered in the course of promoting CMHR. They regulate the way government agencies, including the ANU, go about the process of collection, storage, use and disclosure of information about individuals.

The term ‘personal information’ is defined in the Privacy Act. It is:
"Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion".

This means that the Privacy Act is concerned with information that can, or could, identify an individual. Importantly the definition of personal information makes no distinction as to the source of the information or the forms in which it is held. This means that information can be personal information whether it is provided by an individual in a research program, or generated in the course of a research program, or information about staff members held by CMHR. Further, the protection afforded by the Act applies to personal information whether it is in paper or electronic form.

The Privacy Act requires Commonwealth agencies to take certain measures when collecting, using and controlling personal information. Specifically:

  • CMHR must only collect or generate information that is directly related to the functions and activities of CMHR, and the information must be collected in a lawful and fair manner;
  • CMHR must explain to the people who we collect personal information from what is being collected, how it is to be used and by whom;
  • CMHR must take every reasonable step to ensure the security of personal information. CMHR is obliged to ensure that personal information we hold is ‘protected by such security safeguards as it is reasonable in the circumstances to take against loss, against unauthorized access, use, modification or disclosure, and against other misuse’ (IPP 4);
  • Subject to certain exemptions from disclosure that are set out in the Privacy Act, CMHR must allow individuals to have access to the personal information held about them. This means that, in most cases, employees and students are entitled to view information held at CMHR about themselves. Advice should be sought from the Legal Office before releasing information if you have any doubt about what can and cannot be released;
  • CMHR must only use personal information for the purposes for which it was collected. In relation to research this means that the personal information collected can only be used for the specific, stated purpose of the project. In relation to CMHR personnel this means that information provided by staff and students in the course of their professional association with CMHR can only be used in relation to their employment or study at the University and not for any other purpose; and
  • CMHR must not release outside the University the personal information held unless provided for by law or with the consent of the individual to whom the information relates.

The Privacy Act, including the Information Privacy Principles can be accessed at http://scaleplus.law.gov.au/html/pasteact/0/157/rtf/Privacy1988.rtf.

The Protection of Data at the Centre.

The Privacy Act and the University’s Privacy Policy apply to all the data we collect. The term data means all research and personnel information we collect.

· Research information includes medical information; personal details such as a name, address and Medicare number; information and opinions generated by or on behalf of CMHR about an individual and their health; information about physical or biological health; actual physical or biological samples; and information on individual’s genotypes.
· Personnel information means any information collected in the course of managing any stage of a person’s study or work-based association with CMHR.

The term ‘data’ refers to information held in any form including paper, electronic, visual (x-rays, CT scans, videos, photos and MRIs), audio records or personnel records of any kind (such as student or job records, salary payment details or health and medical details).

CMHR holds “identified”, “potentially identifiable” and “de-identified” data. Identified data are data which, alone, allows the identification of a specific individual, such as personnel resumes or research participant Medicare numbers, named photographs, diagrams or drawings, medical or other professional notes about a named person and named completed questionnaires. Sometimes data have had such identifiers removed and replaced by a code or an id number. In some instances it may be possible to use the code or number to re-identify the person to whom the data relate, for example, by using “Filemaker” records. This is called “potentially identifiable data”. Potentially identifiable data also include data from which it may be possible to identify a person from a combination of variables, such as age, sex, occupation, ethnicity or visible physical features.

The term “de-identified data” refers to data where the identifiers have been removed permanently or where the data have never been referable to a specific individual. Examples may include completed anonymous paper surveys, anonymous databases and compilations of data.

Access to research-related data

The following section is a set of rules governing the protection of data in the Centre.

  • Research-related and other data are available to all Centre personnel on a needs basis ie if personnel need this data to adequately fulfil their role responsibilities.
  • Research databases may be made available to suitably qualified non-Centre personnel. This can only occur where consent given by participants who provided the data does not preclude sharing with other organisations. Data sharing is subject to a formal negotiation resulting in a signed “Data Sharing Agreement”. Non-Centre personnel who use Centre databases or other information are required to state in writing that they agree to conduct themselves according to the Privacy Act, the University’s Privacy Policy and these Guidelines and its associated procedures. They must be given a copy of the University’s policy and these Guidelines as well as an opportunity to discuss the implications of the documents.
  • Both Centre and non-Centre personnel who have access to research data must restrict their research to the purposes/aims specified in the Consent Form signed by participants of the project.
  • The ANU Human Research Ethics Committee requires a list of all those people who have access to a project’s data as part of the ethics approval. This list needs to be updated on a regular basis.

How to protect paper data held in the Centre

In general, all paperwork, which contains confidential information or personal information, must be handled with sensitivity and in confidence. The following rules should govern all staff in relation to sensitive paperwork held in the Centre. They will apply to identified and potentially identifiable data. They will apply to all data: research, marketing and HR.

Securing data

Data shall be stored in a locked cabinet in a room that has been designated for storage of personal information. The room will be kept locked;
Or
Data should be stored in locked cabinet in a room that has been designated for the relevant project or administrative function;
Or
Data will be kept in a locked cabinet, and the persons directly involved in the project or administrative function shall hold the keys.

And
Everybody in control of data will ensure that they secure the data they have been working on before leaving the office each day. If they have sensitive data on their desk they should lock their office, particularly in cases where they leave the office during the day for periods over 10 mins or where there is concern that others may enter the office during the person’s absence.

Transfer of paper data within the Centre

If possible, research data, marketing data or HR information data is to be given directly to the recipient and not left lying on a person’s desk or other surface. If such data is to be placed in peoples’ pigeonholes it shall be placed in an envelope.

All envelopes, including Reply Paid Envelopes that are sent out as a part of a research project; marketing project or HR must be marked externally to ensure that the mail is deposited in the correct pigeonhole.

All staff and students must be in attendance when printing out identifiable material and retrieve identified and potentially identifiable information promptly from printers.

Faxes shall be collected by the reception staff and deposited in the staff member’s pigeonhole. Faxes will not be used to send personal information unless the person whose information appears in the facsimile has given express permission for such a fax to be sent.

Electronic risks

“E-security” risks include how we manage databases containing names and other electronic records from which individuals may be identified. Examples of e-security risks include the use and storage of Electoral Roll samples, computerised personnel records and procedures for when people withdraw from studies in which they have previously participated.

How to protect electronic data

  1. Identified data will be kept on an encrypted internal server.
  2. Re-identifiable and de-identified data that only one person requires access to should be kept on a drive only accessible by the individual.
  3. If re-identifiable or de-identified data needs to be shared this should be stored on the CMHR shared drive in folders that can only be accessed by those who are approved to use the data.
  4. CDs, disks, containing identified data. These should be kept in a locked cabinet as specified for paper. In the case of Electoral Roll lists these should be destroyed as soon as possible after selecting the sample for a study.
  5. Personal computers should be set to lock after 10 minutes. Anything currently open on the computer will then be inaccessible until the password is entered.
  6. It is sometimes necessary to transport data to other computers using a USB pen drive, floppy disk or CD. Data carried in this way will be encrypted and the files removed from the device or the disk destroyed when the transfer is complete.

Withdrawal of Participant from a study

Sometimes a participant in a study will decide that they no longer wish to take part. It will be important to determine whether the person wants to withdraw from any further participation or if they wish to have all previous data provided by them removed from the study. Where a person requests the removal of all their previous data from the study, they should be informed that the Archives Act 1983 prevents the University from destroying data that has been provided to it, however data can be removed from a study and a notation should be made on the file containing the data that it is no longer to be used for the study.

Talking about personal information

CMHR personnel, with approval, report on research-related or personnel matters in formal and informal settings. These reports may be made in different ways to different audiences but do not escape the need to comply with privacy and confidentiality requirements. Examples include giving seminars, publishing articles, giving media interviews, informing research participants of group test results and providing feedback to personnel on work-related matters. In all cases, care needs to be exercised in any disclosure and information may only be presented in aggregate and anonymously except where there is a clear need to identify an individual.

It is critical that CMHR personnel observe the University’s Privacy Policy and these Guidelines, and do not disclose personal information to third parties?.

The obligations of the Privacy Policy and these Guidelines also apply to informal communication by CMHR personnel. It is clear that both administrative and academic staff of the University require access to personal information consistent with their professional responsibilities. However, this requirement brings with it an obligation for staff to understand and acknowledge the nature and limits on their access to and use of personal information. CMHR staff and students must not inappropriately use information, to which they may have legitimate access.

When CMHR personnel use non-CMHR data.

CMHR personnel may be given access by another person or agency to non-CMHR data, for example, via collaboration with another Centre or Institution. In this case, the Privacy Act, the privacy policy of the agency that gave them access to the data, the University’s Privacy Policy and these Guidelines, bind CMHR personnel. Where the standards set out in these Guidelines exceed those of the other agency’s policy, these Guidelines shall apply. Where the other agency does not have or cannot make available its own privacy policy, these Guidelines shall apply. In this case, the use of these Guidelines shall form a written part of the conditions upon which CMHR personnel accept access to another agency’s data.

What to do if you think this policy is being breached

If the University’s Privacy Policy or the Privacy Act are breached, the University could potentially face legal proceedings. However this is an unlikely scenario, and in the vast majority of breaches the matter will be handled internally and a satisfactory solution determined.

If you suspect that a breach of privacy may have occurred, you should report the matter to your supervisor immediately. If, because of the situation, you feel that you cannot approach your supervisor directly, then you should take your concern to your supervisor’s supervisor.

Your supervisor (or supervisor’s supervisor) will address the matter in accordance with the circumstances giving rise to it. He/she may:

  • Refer the matter for action under the University’s Enterprise Bargaining Agreement 2003-2006, Code of Conduct and/or Procedures for Dealing with Allegations of Misconduct if Research if it is a staff misconduct or staff related matter;
  • Refer the matter for action under the University’s Discipline Rules and/or Procedures for Dealing with Allegations of Misconduct if Research if it is a student misconduct matter;
  • Attempt to conciliate concerns raised by you with the views of the person alleged to have breached privacy;
  • Refer the matter for action under the University’s Discrimination, Harassment and Grievance Resolution Procedures;
  • Seek advice from the Privacy Officer in the University’s Legal Office; or
  • Take such other action as he/she considers appropriate.

Some breaches of privacy may need to be notified to the Office of the Privacy Commissioner. Advice from the Legal Office must be sought before any such notification is given and notification will be given by the Legal Office on instructions from the University’s Executive.

Please contact Professor Helen Christensen if you have any questions about privacy in our research.

Page last updated: 04 June 2009
Please direct all enquiries to: Webmaster
Page authorised by: Director CMHR
The Australian National University — CRICOS Provider Number 00120C