 Good afternoon and welcome to the ANS webinar for today. This is the third in our series of health and medical webinars. I'm Kate LeMay and I work at the Australian National Data Service. We're a federally funded body that works to make Australia's research data assets more valuable for researchers, research institutions and the nation. I have a history of being a pharmacist and then working in medical research in primary care programs to help patients manage their chronic conditions more effectively and now I'm a research data specialist at ANS. I've got with me three panellists today and they are Connor, Phoebe and Amundi. Phoebe is the head of Legal at the Murdoch Children's Research Institute in Melbourne which has about 1,500 researchers and Phoebe manages all legal agreement for the institute with a particular focus around research projects and collaborations, clinical trials, engagement with industry partners, management and licensing of intellectual property and risk management. Phoebe also provides advice on diverse legal issues such as privacy in the context of medical research and data storage, biobanking and informed consent requirements and works closely with the ethics committee to deal with these often complex issues. Amundi is a civil law qualified lawyer from Belgium. Prior to coming to Australia she worked at a Belgian law firm for three years where she was in the IT and intellectual property department with a strong focus on privacy and data protection issues. She's been at the MCRI for just over a year and she works closely with Phoebe as a member of the legal office. Connor is an Australian medical graduate with a research doctorate in respiratory muscle physiology and a master's in bioethics. She has hospital based clinical care, clinical and pharmaceutical research experience as well as research and clinical governance roles. Connor has served on Human Research Ethics Committees for 20 years in the UK and Australia and she's currently the chair of Marta Miserie Connor Day. I can't say that Connor. Human Research Ethics Committee and QUT University Human Research Ethics Committee. So I'm going to hand over now to Phoebe and Amundi and we're going to speak to us about legal issues around data sharing. So we've got 10 minutes to cover a pretty big topic here legal considerations for data sharing. So I'm going to jump right into it. Quick outline of what we want to cover off in this 10 or so minutes. Give you a feel for what personal information is and a bit of basic information around the privacy acts here in Australia that we deal with. Then we're going to dive in just looking at personal information in the context of medical research, which is what we're doing on this webinar. We'll touch on how to de-identify personal information or the proper forms in which you can share information and strip out identifiers. And then we've got a few additional legal recommendations and wrap up. And we'll do questions at the end at the end of the webinar like Kate said. So Amundi and I are going to flip from slide to slide so she's kicking it off. Thank you, Phoebe. So I think the first thing to understand is the notion of personal information. I won't be too long here as I'm sure most of you have a pretty good understanding of what is or what is not personal information. So personal information is any information or opinion about an individual identified or who is reasonably identifiable. So it includes opinion, not any factual information and it doesn't matter whether the information is true or not or whether the information is stored in manual or electronic form. Health information and genetic information are a subcategory of personal information which is considered as sensitive and therefore the rules around that information are more strict. Any information which is unmanumous or which has been de-identified is not personal information because it is no longer about an identifiable individual or individual who is reasonably identifiable. So really one of the key elements is to assess whether someone is reasonably identifiable or not. The answer to this question depends on the circumstances. So there are a few things to take into consideration which include the nature and amount of information, who will have access to that information how the information was received and whether or not it is possible for someone holding the information to identify the person using available resources. The notion of personal information is crucial to understand because Australia has a specific legal framework around the handling of personal information. So as you can see on this slide there are three layers of protection. So without entering into too much details we can see that there is a privacy act and the APPs at the Commonwealth level. So this act applies to Commonwealth government entities and most private sector organizations. There are a few exemptions such as the small business exemptions so any businesses with an annual turnover of less than 3 million are not subject to the act. However if that business provides a health service and holds health information then the act will apply. Then at the state and territory level we also have some privacy legislation for the public sector in those state and territories including public hospitals and universities. In three states in Victoria, New South Wales and ACT we also have specific health privacy legislation which applies to public and private sector in their relevant jurisdictions. In this presentation we will only focus on the federal act and the APPs. This is first because the MCRI when we work is subject to the privacy act and also because the other regimes are not too different from the federal legislations. And then the last source of protection but not the least includes all the statesmen's warranties representation related to privacy that are made by your organization or your agency to your patients or your clients or any individual. So it includes the privacy policy you may have, the privacy statement, the consent form. So really everything that you say in those documents is legally binding and the individuals whose data is being dealt with can expect that you comply with what you say in these documents. So for instance if you put in your privacy policy that you will never share your patients' data with anyone else but then you do, then you could be liable for misrepresentation. So diving into looking at personal information more in the context of some of the research you might be doing, really I think all the privacy legislation like Amandine said we're focusing on the Commonwealth Privacy Act here but all of them really have at their core the central idea of ensuring that you manage an individual's personal information you're collecting in a really open and transparent way with that person. So a few key things to consider when you're collecting personal information as part of a study is really having a good think about only collecting health information that you really need for the study and not collecting unnecessary information. Obviously you're all across the fact that you need to have the individual's consent to collect their information and that consent needs to be voluntary, it needs to be informed and there's a thorough process that must be followed there. It needs to be current and a research participant needs to know that they can withdraw their consent at any time so that needs to be made clear. It needs to be really specific so I think who, what, why when all those things are really good questions to ask and present to an individual who's participating in a research study. So why are you doing this study? For what purpose? Being specific around details like we're working with X number of research collaborators and will be required to share your data with our collaborators in Queensland for instance is really important because it's that scope of the consent that really governs how you can use it going forward in the future. Obviously an overarching thing to remember is that you have to respect the individual's rights to know, to access, to correct and to withdraw their consent at any time. And one thing to set up at the beginning of any study is to ensure that you've got good team accountability around the management and security of research data that includes personal information. So that might be setting one key person up in your team to manage access permissions to the data having a process in place around off-site transfer of information is a really key principles that you need to consider before kicking off any research study. So once you've got your research data and that may contain personal information just touch on how you can go about disclosing that. So there's these three sort of subsets of types of data. We've got non-identifiable data which is information that really doesn't enable identification of an individual and this really means that those personal identifiers need to have been permanently removed. If that's the kind of data you're dealing with and you've collected in that way, stripped out all identifiers and intend to share it, you can share it generally freely. It's not only considered personal information so the Privacy Act doesn't overlay there. Reidentifiable data is probably the most common form of data you're dealing with and this is where a code has been linked to a research participant so the personal identifiers have been stripped out but there's one hopefully just one person who has the master list that would enable re-identification to happen. As long as that master list with the codes stored separately and not shared along with the re-identifiable data, that subset of data that's had the identifiers temporarily stripped out can in most circumstances be shared. Again you need to think about who's at the receiving end of it. If they could in any way re-identify it, then it's not really something that's had the important stuff stripped out but generally that's okay to share as well. Then you've got identifiable data and that's really where the personal information is still in there. I think we caution you around the need to really share identifiable data and we always encourage researchers to strip out identifiers wherever they can but if that's the case and you need to share personal information it's really important that your consent form covered off on that and you have consent around that because that's the main situation where you'll be able to do it. So how to re-identify personal information? I'm pretty conscious of the time here so I'll try to go quickly on that one. So as Phoebe has mentioned if you don't really need to share personal information you should only share re-identified data to assess whether your data is re-identified enough. We depend on their circumstances. Some people consider that it is always impossible to really have re-identified information. I guess if re-identification is hard in terms of resources, if it involves a lot of time and money, if it's highly unlikely to happen because of the nature of the information that you're going to be sharing on the type of recipient, then the information would not generally be regarded as personal information. The ANDS has published some very helpful guidelines on how to re-identify data. We put the link on the slide here and we really encourage you to download the guide because this is really helpful. And prior to conclude some additional tips or recommendations from a legal point of view so firstly it's really important to understand what are your systems? What kind of information you have at your organization? Does it include personal information? Why do you have that information? For which purposes did you collect that data? Where is it located? Is it internally on your own server? Or is it externally? Is it in Australia or overseas? Do you have a good understanding of how it works at your organization? Then it's important to have and implement some procedures outlining how that data must be handled and what steps needs to be undertaken prior to sharing that data to external people. Finally, prior to sharing any data you should really ensure that you have a good contract or agreement that your legal team has approved and so that contract should cover such issues such as liability is always good to have kept liability for, for instance, loss of data, some warranties ensure that your contractor is obliged to comply with Australian privacy laws. It's good to have some security obligations in line with the sensitivity of the data that will be shared and a process in the event of a data breach. As you might know, there is a mandatory notification regime which will enter into force in February next year. So it's important that the recipient of your data notifies you in case they are victim of a breach so that you can then comply with your obligations towards the privacy commissioner and the affected individuals. So I think this is the end of our presentation. Fabulous. Thank you so much, Phoebe and Omondine. That's a really great overview of the privacy legislation and things that people need to consider. So I'm just handing over to Conor now. Okay, thank you. I'm going to talk about planning for data sharing but from the research ethics perspective and what ethics committees are particularly concerned about. So the primary principle which guides research review is that it is in the common good so that the premise is a utilitarian one and all ethics committees are aware of that and we understand that the purpose is good and that research should be maximised with public benefit for the common good. And this also applies to data sourced and used in research. And the primary principle around that value of research is balanced with others that the committee looks at which are focused particularly on the individual so about justice, beneficence and respect. And so we're interested in understanding that benefit is maximised for those participants and the risks and burdens are minimised. That participants are appropriately engaged and recruited and given sufficient information and provided with that information sufficient to give a voluntary consent. That the privacy and confidentiality issues are well attended to so that there are no elements of data which either during the research or subsequent to the research could lead to identification. And of course as Phoebe and Aberdeen have already said that can be quite difficult but also we're aware that there is necessity to ensure the efficient use of research effort and funding so how will it be used in the future to the best effect. There's a range of relevant guidance that ethics committees refer to and the national statement on ethical conduct and human research is the most well known and the one that we apply to the greatest extent and refer to the greatest extent. The Australian code for the responsible conduct of research is something of particular relevance to researchers and to organisations which undertake research. And then in more recent years the issue of data sharing and further use of data has come to the fore and the NHMRC has responded to that with a statement on data sharing and also a fairly detailed consumer guide to the principles for accessing and using publicly funded data for health research and that I would suggest that everybody tries to access if they can. The NHMRC has more recently provided a set of principles about accessing and using publicly funded data for health research and that isn't just research data but it also refers to other forms of publicly funded data. And this is in agreement and in concert with other international guidance such as from the Global Alliance for Genomics and Health, International Cancer Genome Consortium and the Wellcome Trust. And there are no doubt other ones as well but these are perhaps the most well known. So the NHMRC supports data sharing and public access to data and to the outputs of NHMRC supported research and it says to the public that the use of these data for research provides our greatest opportunity to unlock the value in these records for the benefits of all Australians and that's a very powerful promise but they offset this promise or they in addition promise to participants that data are collected subject to rigorous privacy and confidentiality conditions and the use of the data will maintain these requirements and in addition to that, that any research which accesses such publicly funded data are subject to very strict ethical approval processes so in order to establish that the research project is worthwhile and will add to that knowledge. So those are very important statements and promises that are made to participants in research. So the NHMRC therefore views research and data sharing from the premise that it's important to promote it but it is equally important, more important to maintain trust in research endeavours and to ensure that it can be seen that the guidance is followed. So we focus on the participant interests and the perspective of the participant. We try and consider what the research will mean to a participant. We're interested in knowing that research is facilitated and achieves its end so it's feasible and there is going to be the outcome that's promised. But in relation to data sharing, it's important that conclusions can be confirmed through data sharing and reanalysis and that the data that has been collected can be reused and therefore the benefit from all of that effort can be maximised. And we're also interested in understanding that all the stakeholders along the line of custody of those data do understand the responsibilities and will follow best practice guidelines. So in particular we look at research merit and for that we're interested in the basis for the research whether there's a good literature surrounding the reasons for the research which can justify the aims and also as I've said there will be a particular benefit that will flow from the research which will have a public and community benefit to it. We're interested in knowing that responsibilities are passed on with the data and the references that I've given here all relate to the national statement which relate to which is at the bottom. Where there is a new project which is going to rely on previously collected research data, we want to know that either the aims are closely related to the original research questions or there is some provision for seeking further consent. And that there is adequate respect demonstrated for autonomy of the participants, their expectation of quality as said in the national statement on data sharing and that any prior agreements are followed through. So this means that we may wish to refer back to consent, the nature and the quality in the original study and that this is sufficient for the further aims and if that's not the case then we will want to understand how participants are to be re-engaged and to have their consent agreed to. Now if that's considered not possible then there may be an opportunity to consider waiving the expectation of consent but that would be a very rigorous argument that would have to occur regarding the quality of the research proposed and the protections that are in place for the data. The other concerns and interests that we have are relating to justice beneficence and respect. So we want to know for example that the population from which the cohort is drawn is likely to benefit from the generalisable knowledge which will result from the research or in some way the application of the findings from the research. That if there are any implications from the research for participants and others, so community, the broader community, family members, that this will be acted on and this may relate to returning study findings or addressing potential harms and benefits. And we're also interested in understanding the rigour of the controls and the governance around data and any agreements regarding access use and release of information. So again that goes back to how the data managed and the confidentiality and privacy undertakings. So this is just a summary to really wrap up what I've already said that there's a lot of guidance around the use of data in the future and the benefits that may accrue from it. The research studies should satisfy these certain quality standards and demonstrate that there will be a benefit, that that benefit will be maximised including in terms of the future use of the data. That we're interested that the protocols and the agreements and the information provided in the reviewed application define these future possibilities of sharing. And we wish to know that participants are well informed about the current and the future research and they're given options of consent to each so that they may be asked to consent for the current project but also are alerted to the fact that there would be future research. And depending on the nature of that there would be an additional agreement for them to include their data in that future research. And that the research data when it's used in future research must comply with the prior consent agreements unless these can be renegotiated. Thank you. Thank you very much Connor. We've got a couple of questions that we received. So someone asked do ethics committees treat data differently if data for sharing is captured from secondary sources and what they have explained that to be is electronic medical record documentation rather than directly from a patient? Not really. Data which is captured in health records is collected for a particular purpose and that is clinical care. The problem with that is that patients are not generally informed that their health data collected for that clinical purpose for that individual is going to subsequently be used to address a research question. So in fact it complicates the issue if there's no consent. So in the case of a patient who is engaged and asked whether or not they'd be willing to have their health record data used collated and used to answer a research question then adequate information can be provided and they can consent to that knowing exactly what's going to happen. In the case of health records and secondary use of data the patient doesn't know that. And so the issues of a waiver of consent have to be considered and those are things like the merit of the application whether or not there's any reason to consider that a particular participant might not have agreed to more generally. The risk level of the research has to be low. So it's and it's got to be a fairly simple question and we would expect normally that it may be related to the reasons why are the health data collected in the first place. So perhaps related to the condition that the patient had and also that all the legal requirements are fulfilled. So quick answer is it's more complicated if you're going to access secondary data where there has been no prior consent. Phoebe and I and Dan, does this have anything to do with the S95 and S95A sections of the Act as well? It does. So it's that section of the Privacy Act that essentially leaves it to the discretion of an ethics committee to make the call on whether the research is in the public interest and a lot of those steps that Conor just took us through and in certain circumstances will allow an ethics committee to waive the need to consent for a particular research study. But it's not overly common. I think one other factor that Conor did mention that is also a consideration is sort of how many people you'd have to potentially go back and talk to to get their consent and the efforts of getting that consent. You sort of balance that essentially with the risk of running the research project. So if it's low risk with high impact it's related to the clinical information about them. It's already been collected and an ethics committee makes the call that it's unlikely to make participants really uncomfortable that their data is being used for that kind of research. Then there are the sort of circumstances where an ethics committee would feel comfortable maybe granting a waiver. Yes. First you're absolutely right. I should have added the point about practicability of returning to potential participants to gain their consent. And we would normally expect to see very large numbers or that a very large number of the population which you wish to go back to are just inaccessible for some particular reason. So thank you for that Phoebe. Excellent. And I just want to ask one last question and any other questions that we have in the question pod we can address later where you can answer them in a written format and have them up on the ANN's website. So a few people have asked about image data. For example CT scans whether they can be de-identified. Are they identifiable only if they've got the patient's name on or how are those able to be approached? Yeah. So that's an interesting one. So I guess as CT scan on its own strip of identifiers in terms of your name, date of birth or the vast majority of cases would be considered not personal information as my take. But I guess you always have to look at who the recipient of that information is. So if you just hand the CT scan to the doctor who's had that person in their care for the last five years, you know, there might be something there that they instantly recognise that's linked to that individual. So it's a big thing to think about. What's the knowledge base of the person you're handing the information to and is there anything in there that's going to be identifiable to them immediately? And to some extent how common whatever thing that you're looking at or something that might be in that scan is, for example, if it's something that makes their bones look a certain way and only five people in Australia have that, that makes it more identifiable than x-ray of a broken arm that is a very common sort of type of break. That's right. And then what other information is coupled with so that the hospital where it was at and the age, it's a bit of a judgment called in some instances. And you don't have to be putting the person at the other end receiving it is sort of, you can sort of assume it's the reasonable person with some knowledge but you don't have to think about exactly who it is you're giving it to and what their knowledge base is as well. So I think Conor, perhaps in the case of image data in general, probably the best first place to think about is not, I mean, in terms of de-identification, definitely taking off names and immediately identifiable information but not then trying to de-identify an image but rather looking at informed consent from the patients. That's absolutely right. I mean often images accompany a description of that image and one of the problems with that is that that may increase the likelihood of re-identification of an individual, particularly as Phoebe says it's something, as you said Kate, something that's a little more unusual about the case that's described. So it's particularly the case reports. And under those circumstances we would definitely recommend people go back to the patient to seek their consent so that they understand that those images are going to be used but also one needs to be very, very careful how if you can't obtain a consent but you still have a fixed approval to use that image and a description that the utmost is done to really remove any identifying features which will be included in the narrative as well. So it's not just names, places and things like that. It's also unusual features. Absolutely. Thank you very much. There's a couple of other questions that we'll address in our Q&A document after. So I just want to thank Phoebe and Amandine and Conor for coming in on our webinar today and speaking to us. It's been really valuable information. So thank you everyone for coming.