So, we've got 10 minutes to cover a pretty big topic here, legal considerations for data sharing. So I'm going to jump right into it with a quick outline of what we want to cover off in this 10 or so minutes. I'll give you a feel for what personal information is and a bit of basic information around the privacy acts here in Australia that we deal with. Then we're going to dive in just looking at personal information in the context of medical research, which is what we're doing on this webinar. We'll touch on how to de-identify personal information or the proper forms in which you can share information and strip out identifiers. And then we've got a few additional legal recommendations and wrap up. And we'll do questions at the end, at the very end of the webinar, like Kate said. So Amanda and I are going to flip from slide to slide, so she's kicking it off.
Thank you, Phoebe. So I think the first thing to understand is the notion of personal information. I won't be too long here, as I'm sure most of you have a pretty good understanding of what is or what is not personal information. So personal information is any information or opinion about an individual identified or who is reasonably identifiable. So it includes opinion, not any factual information. It doesn't matter whether the information is true or not, or whether the information is stored in manual or electronic form. Health information and genetic information are a subcategory of personal information, which is considered as sensitive. And therefore, the rules around that information are more strict. Any information which is anonymous or which has been de-identified is not personal information because it is no longer about an identifiable individual or an individual who is reasonably identifiable. So really, one of the key elements is to assess whether someone is reasonably identifiable or not. The answer to this question depends on the circumstances.
So there are a few things to take into consideration, which include the nature and amount of information, who will have access to that information, how the information was received, and whether or not it is possible for someone holding the information to identify the person using available resources.
The notion of personal information is crucial to understand because Australia has a specific legal framework around the handling of personal information. So as you can see on this slide, there are three layers of protection. So without entering into too much detail, we can see that there is a Privacy Act and the APPs at the Commonwealth level. So this act applies to Commonwealth government entities and most private sector organizations. There are a few exemptions such as the small business exemptions. So any businesses with an annual turnover of less than 3 million are not subject to the act. However, if that business provides a health service and holds health information, then the act will apply.
Then at the state and territory level, we also have some privacy legislation for the public sector in those states and territories, including public hospitals and universities. In three states, in Victoria, New South Wales and ACT, we also have specific health privacy legislation, which applies to public and private sector in their relevant jurisdictions. In this presentation, we will only focus on the federal act and the APPs. This is first because the MCRI where we work is subject to the Privacy Act and also because the other regimes are not too different from the federal legislation.
And then the last source of protection, but not the least, includes all the statements, warranties, representations related to privacy that are made by your organization or your agency to your patients or your clients or any individual. So it includes the privacy policy you may have, the privacy statement, the consent form.
So really everything that you say in those documents is legally binding and the individuals whose data is being dealt with can expect that you comply with what you say in these documents. So for instance, if you put in your privacy policy that you will never share your patients' data with anyone else, but then you do, then you could be liable for misrepresentation.
So diving into looking at personal information more in the context of some of the research you might be doing, really I think all the privacy legislation, like Amadeen said, we're focusing on the Commonwealth Privacy Act here, but all of them really have at their core this central idea of ensuring that you manage an individual's personal information you're collecting in a really open and transparent way with that person. So a few key things to consider when you're collecting personal information as part of a study is really having a good think about only collecting health information that you really need for the study and not collecting unnecessary information. Obviously you're all across the fact that you need to have the individual's consent to collect their information and that consent needs to be voluntary, it needs to be informed and there's a thorough process that must be followed there. It needs to be current and a research participant needs to know that they can withdraw their consent at any time, so that needs to be made clear. It needs to be really specific, so I think who, what, why, when, all those things are really good questions to ask and present to an individual who's participating in a research study. So why are you doing this study, for what purpose? Being specific around details like we're working with X number of research collaborators and will be required to share your data with our collaborators in Queensland, for instance, is really important because it's that scope of the consent that really governs how you can use it going forward in the future.
Obviously an overarching thing to remember is that you have to respect the individual's rights to know, to access, to correct and to withdraw their consent at any time. And one thing to set up at the beginning of any study is to ensure that you've got good team accountability around the management and security of research data that includes personal information. So that might be setting one key person up in your team to manage access permissions to the data, having a process in place around off-site transfer of information. It's all really key principles that you need to consider before kicking off any study.
So once you've got your research data and that may contain personal information, just touch on how you can go about disclosing that. So there's these three sort of subsets of types of data. We've got non-identifiable data, which is information that really doesn't enable identification of an individual, and this really means those personal identifiers need to have been permanently removed. If that's the kind of data you're dealing with and you've collected in that way, stripped out all identifiers and intend to share it, you can share it generally freely. It's not only considered personal information, so the Privacy Act doesn't overlay that.
Re-identifiable data is probably the most common form of data you're dealing with, and this is where a code has been linked to a research participant so the personal identifiers have been stripped out, but there's one, hopefully just one person who knows has the master list that would enable re-identification to happen. As long as that master list with the codes is stored separately and not shared along with the re-identifiable data, that subset of data that's had the identifiers temporarily stripped out can in most circumstances be shared. Again, you need to think about who's at the receiving end of it.
If they could in any way easily re-identify it, then it's not truly something that's had the important stuff stripped out, but generally that's okay to share as well, and then you've got identifiable data, and that's really where the personal information is still in there. I think we caution you around the need to really share identifiable data, and we always encourage researchers to strip out identifiers wherever they can, but if that's the case and you need to share personal information, it's really important that your consent form covered off on that and you have consent around that, because that's the main situation where you'll be able to do it.
So how to de-identify personal information? I'm pretty conscious of the time here, so I'll try to go quickly on that one. So as Phoebe has mentioned, if you don't really need to share personal information, you should only share de-identified data. To assess whether your data is de-identified enough, will depend on the circumstances. Some people consider that it is always impossible to really have de-identified information. I guess if re-identification is hard in terms of resources, if it involves a lot of time and money, if it's highly unlikely to happen because of the nature of the information that you're gonna be sharing and on the type of recipient, then the information would not generally be regarded as personal information. The end has published some very helpful guidelines on how to de-identify data. We put the link on the slide here and we really encourage you to download the guide because this is really helpful.
And prior to concluding, some additional tips or recommendation from a legal point of view. So firstly, it's really important to understand what are your systems, what kind of information you have at your organization? Does it include personal information? Why do you have that information? For which purposes did you collect that data? Where is it located?
Is it internally on your own server or is it externally? Is it in Australia or overseas? So we have a good understanding of how it works at your organization. Then it's important to have and implement some procedures outlining how data must be handled and what steps need to be undertaken prior to sharing that data to external people. Finally, prior to sharing any data, you should really ensure that you have a good contract or agreement that your legal team has approved and so that contract should cover such issue, sorry, such as liability. It's always good to have capped liability for, for instance, loss of data and some warranties. Ensure that your contractor is obliged to comply with Australian privacy laws. It's good to have some security obligations in line with the sensitivity of the data that will be shared and a process in the event of a data breach. As you might know, there is a mandatory notification regime which will enter into force in February next year. So it's important that the recipient of your data notifies you in case they are the victim of a breach so that you can then comply with your obligations towards the Privacy Commissioner and the affected individuals. So I think this is the end of our presentation.
Fabulous. Thank you so much, Phoebe and Omondine. That's a really great overview of the privacy legislation and things that people need to consider.