NHMRC Public Consultations

Skip Navigation and go to Content
Visit NHMRC website

Section 3 (Chapters 3.1 & 3.5), Glossary and Revisions to Section 5 National Statement on Ethical Conduct in Human Research, 2007 submission

Personal Details
First Name: 
Last Name: 
Specific Comments
2. Chapter 3.1

Submission to the National Health and Medical Research Council from Judy Allen and Felicity Flack.

Chapter 3.1

Element 3 Consent

Readers may find it confusing to have this section on consent in a separate place to the material in chapters 2.2 and 2.3. We recommend consolidation of all the information on consent into one place.


Element 4: Data Collection and Management

1.1.         General Comments

The current provisions of the National Statement have led to confusion on the appropriate processes of ethical review for information based research. Firstly, it is sometimes suggested that research using de-identified information is not human research and does not require review. It is clear from the definition of human research in the preamble that it includes access to individual level information in whatever form. Secondly, some take the view that research that consists solely of the collection and use of data fits the definition of low risk in chapter 2.1 and thus would fall under expedited processes established under 5.1.7. If this view is taken then the requirement, under 2.3.9, for full ethics review for a waiver appears contradictory. Further confusion is caused by the 2.3.10 conditions of waiver that require the HREC be satisfied that the research is low risk. In our view all research involving access to individual level information raises ethical concerns, whether or not it is conducted with consent. The ethical concerns need to be considered in the context of the particular project. This should be clarified by excluding this category of research from the expedited review processes and including it in the 5.1.6 categories requiring full review.

The sixth key question “How will the collection and management of the data and materials adhere to the ethical principles in Section 1 of this National Statement?” is probably the most important question that researchers and ethics committees should be asking in relation to the use of data in research. Unfortunately the new wording of Element 4 provides little or no guidance on how to apply the ethical principles to the collection and management of data and materials. This should be the focus of this section.

We have included below some thoughts on how the four core principles relate to data collection and management.

Research merit and integrity

The first core value of research merit and integrity is clearly defined in the National statement sections 1.1-1.3. It requires researchers to design every research project to ensure that it has both value and validity[1] and to conduct the research honestly and with due regard for recognized scientific principles.

In order to be satisfied that research has merit, ethics committees should consider whether the quality of the data and the scientific and analytic methods proposed can produce meaningful results. This may be particularly pertinent when the data used in research was originally collected for another purpose e.g. administrative records. There has been some criticism in the literature[2][3] of the validity of administrative records for research. However, there have also been great benefits from the use of administrative data[4] and the merit of using all types of data should be determined on a case by case basis. Researchers should be transparent about the limitations of the data and methods they propose. They should also be able to demonstrate that they have the necessary training and experience in analysing data, particularly large complex datasets.

In the context of the establishment of new research data collections or databanks ethics committees must be satisfied that:

  • Mechanisms are in place to ensure the quality of the data

  • An appropriate metadata schema and maintenance process is in place to ensure data sharing and/or re-use is possible if appropriate

  • Appropriate information governance processes are in place including transparent and fair processes for making decisions about access to the data.


    The National Statement requires HRECs to consider the core value of justice - whether the benefits and burdens of research are fairly distributed and whether participants are being treated fairly. The new Chapter 3.1 Element 4 does not mention justice even though research using existing population level data lends itself to addressing the concerns associated with justice in research by enabling the inclusion of data from the whole population. Direct recruitment often excludes the most disadvantaged members of the community from research. Language difficulties, transitory accommodation, mental illness and other health issues may all be obstacles to participation in research. Population level data are not only more inclusive, representative and unbiased, but are also more just in their distribution of burdens and benefits than conventional studies based on samples. When establishing new data collections researchers should be encouraged to think carefully about how they can be as inclusive and fair as possible.


    The National Statement currently provides no specific guidance on how beneficence (“the likely benefit of the research must justify the risks of harm or discomfort to the participants”) should be assessed in the case of non-interventional research projects. The benefits and risks associated with interventional studies are often clear. However, it can be challenging for researchers to clearly describe the benefits and risks of observational studies. This is because it is unlikely that the research participants will enjoy any direct benefits. The benefits will most likely be indirect, long term and flow to communities rather than individuals. The establishment of databanks/biobanks or the routine linkage of data collections are examples where all the benefits are long term community benefits.

    A key risk for observational studies is the identifiability of the data. As mentioned above identifiability is a spectrum and is influenced by the type of information; quantity of information; other information held by the person who receives it and the skills and technology available to the person who receives it. The identifiability of data may also change at different stages of a research project as it is manipulated and handled by different people. Researchers should include methods appropriate to the level of identifiability of the data to minimise and manage risks of breaches of privacy and confidentiality. There is no simple one size fits all approach and the “anonymise and forget” approach will mostly not be acceptable in the long term[5]. Researchers should consider a range of risk minimisation and management strategies including physical and technological security measures, separation of identifiers from content data, appropriate policies and procedures and contractual arrangements e.g. confidentiality agreements.


    The concept of respect includes respect for autonomy. The current guidelines includes guidance on consent and the information that should be provided. It is perhaps worth noting that this guidance seems to conflate information provided to participants and information provided to an ethics committee in a review application.

    Researchers collecting data should consider whether they may want to expand the usefulness of the collection by linking their data to other data collections in the future. Where this is likely participants should be asked if they consent to the researchers obtaining information about them from other sources. This is particularly relevant when extended or unspecified consent is sought.

    Respect should not be confined to respect for autonomy and informed consent. This is particularly important where a waiver of consent is sought and there is no contact between participants and researchers. Guidance is needed on other ways of demonstrating respect for the participants such as:

  • Engagement with the particular community affected by the research including community participation in the development and implementation of a project and the dissemination of results;

  • Reporting the results of the project to the community affected in media appropriate to the particular group;

  • Ensuring the translation of the study results into improvements in services and practices; and

  • Acknowledging the participation and contribution of those included in all publications about the study.

The Structure of the Element Four

The draft provisions largely ignore data based research that is conducted without consent. Research using existing data collection that are not explicitly or solely established for research is expanding with the growing recognition of the value of data held by governments and others and the capacity to link data collections. Guidance is needed to assist researchers and reviewers in considering the ethical issues in this kind of research such as the application of the waiver of consent criteria and the principle of respect. Guidance could be incorporated into the existing sections or a separate section may be appropriate.

The draft does not draw the distinction between the ethical handling of data by researchers during collection and analysis and the appropriate protocols for publication of data. For example, it may be ethical for researchers to use identifiable information for analysis but in most cases it would be unethical to publish identifiable information without consent. This should be articulated more clearly in clauses 3.1.41 and 3.1.42. See more detailed comments below.

The provisions under the various headings do not appear to be arranged with any systematic structure and clauses relating to the same issue are not always clustered together (For example 3.1.53, 3.1.57 and 3.1.59). We suggest that the clauses under each heading should be organised around the four core values.

Data Identifiability

The preliminary material in the draft has maintained the identifiability definitions from the current guidelines. These have proved to be the source of confusion and their utility is questionable. One difficulty, as noted in the Expanatory Material for the Public Consulatation, is that these definitions do not align with definitions in the various privacy statutes. For example the National Statement recommends avoiding the term `de-identifiable data´ but the Commonwealth Privacy Act (1988) now defines and uses that term. Ethics committees are required to apply the privacy statutes and it is essential that the National Statement uses the same definitions to avoid confusion. While the definitions in the statutes in various jurisdictions are not identical there is sufficient uniformity to make this practicable.

The prominence of these definitions in the introduction to this section suggests that identifiability is an intrinsic quality of the data and that one can simply determine the relevant category. Identifiability is better understood as a spectrum. We recommend that the definitions of these terms should be provided in the context of text explaining their purpose and limitations.

Privacy legislation requires that ethics committees apply statutory guidelines when they consider a waiver of consent for the use personal information. Ethics committees need to understand and apply the concept of `personal information´ so that they know when to apply the statutory guidelines. The statutory defintions of personal information/ identifiable information and its opposite, de-identified information, given in the Commonwealth Privacy Act 1988, should be provided in the Naitonal Statement with an explanation that researchers and reveiwers mustmake a judgement as to whether an individual is `reasonably identifiable ´ when the information is in the hands of the researchers. The National Statement should provide guidance on the approach to this judgement.

Researchers and reviewers also need to make a judgement of the degree of identifiability to assess the risks to participants and to determine the appropriate level of information security precautions. There has been recent criticism of reliance on the idea of de-identification to protect privacy and eliminate ethical concerns and ethics committees need guidance on making an assessment of these risks.[6][7][8][9]

The following should be taken into consideration when determining the degree of identifiability and evaluating the risks;

  • the type of information;

  • the quantity of information;

  • the other information held by the person who receives it AND

  • the skills and technology available to the person who receives it.

‘Re-identifiability’ and ‘non-identifiability’ should now be regarded as two subsets of de-identified data. These concepts raise additional ethical issues such as the ability to return results to participants. An explanation of these terms should be given in the context of their significance.

While steps to de-identify data are central to the minimization and management of risks it is important to make the point that, in this day and age of sophisticated data science,[10] it is ill advised to suggest that data pertaining to an individual will ever be rendered completely non-identifiable. It is important to emphasise that ‘non-identifiability’, like ‘identifiable’ and ‘de-identfied’, is also a relative term and not an absolute.


1.2.         Comments on specific clauses in Section 3.1

Clause 3.1.38

Reseachers and reviewers do need a common language in which to communicate but it is unrealistic to expect them to negogiate a glossary. We suggest that this clause be deleted. Defintions of the terms Identifiable/personal information and de-identified information should be included to assist researchers and reviewers to understand their obligations under the privacy statutes. These definitions should be be put into context in the introductory material indicating their purpose and limitations as described above.

Clause 3.1.39

The identifiability of data may change over the life cycle of research project as it is manipulated and changes hands. Researchers should explain the degree of identifiability of the information at different stages and in different hands. A flow diagram can assist researchers and reviewers to understand the changes over the life of the project and to evaluate the risks.

The second half of this clause beginning ‘Researchers should explain any such process to potential participants……’ relates to the different ethical issue of informed consent and should be a separate clause. It should be located adjacent to other clasues dealing with consent.

Clause 3.1.40

This is a poor explanation of what makes data identifiable. See the response above for factors to be taken into consideration when determining identifiability. These factors should be included in introductory material on identifiability as described above. We suggest this clause be repaced with a clause concerning the need to evaluate the probability and seriousness of risks by considering the degree of identifiability and the sensitivity of data.

Clause 3.1.41

This clause is likely to be confusing for readers as it fails to acknowledge that there are circumstances where the use of identifiable information without consent may be ethical. It appears to contradict Chapter 2.3. The blanket statement that ‘researchers should ensure that participants are not identifiable from the information they provide unless they have agreed to be identified’ assumes that individuals are providing the information themselves and that they have given their consent. It excludes significant research currently conducted using government held data.

We suggest the following:

  • The issue of focus on small groups and key individuals be included as an example of the contextual factors that may impact on identifiability.

  • A general clause be incuded with advice on ways to reduce identifiability and the consequent risks eg;

    • Separation and separate storage of identifiers and content data

    • Role separation to minimise the number of people who have access to identified data i.e. people who are responsible for management of identifiers should not also analyse content data and vice versa.

Miminising identifying variables eg year of birth may be sufficient rather than full birth date

Clause 3.1.42

This clause appears to contradict 3.1.41 and also fails to acknowledge the possibility of waiving consent. We assume the point to be made is that if participants agree to have their identifiable data used and/or published then it can be ethical? The point should be made that whereas it may be ethically acceptable to collect and analyse identified data without consent it is never ethically acceptable to publish identifiable information without consent.

Clause 3.1.43

This clause only applies in the specific circumstance of data collected prospectively with consent. For many projects involving the linkage of data collections participants will be completely unaware of their participation. Therefore notification will not be possible. Refer to section 2.3

Clause 3.1.44

We would go further with this point and suggest that, as mentioned above, advances in data science and in particular re-identification science, all data that pertains to an individual is potentially identifiable. This is why there needs to be a shift in the language and practice surrounding the use of data. The conversation should be about the risk of identification and whether appropriate risk minimisation and mitigation strategies are in place given the specific circumstance.

Internet Derived Data

Clause 3.1.45 (a)

As described above, there are not just three categories of identifiability and therefore three suitable approaches to information security. This sentence should not be about the “form” in which the data is stored but rather the risk of identification of the data.

Data Management

Appropriate data management is essential to demonstrate research merit and integrity, respect and to minimise and mange risks. The section on data management could be written in a way that provides more assistance to researchers and ethics committees in determining whether the data management plan is demonstrating these principles. These are the things that need to be taken into consideration:

  • Identify Data: Identify what data will be collected, used or disclosed in the course of the research project. A flow diagram can be helpful to explain how data will be collected, used or disclosed over the life of a project.

  • Identify Risks: What are the risks associated with collecting, using or disclosing this data, to whom do the risks apply, what is the liklihood of harm and what is the severity of the harm and its consequences?

  • Minimise Risks: How can the risks be minimised? The kinds of strategies that can be employed to mimise risks include limiting the amount of data collected, used and disclosed e.g. collect year of birth instead of full date of birth. Removing obvious identifiers and replace with a code e.g. name, address, date of birth.

  • Manage Residual Risks: An appropriate data management plan should be implemented to address the remaining risks. The data management plan should be designed to specifically address the risks of each individual research project/databank. The kinds of approaches that should be considered include

  • physical and technological security measures

  • appropriate policies and procedures

  • contractual arrangements e.g. confidentiality agreements.

  • Training and education of researchers

The data management plan should be proportionate to the risks and sensitivities of the project.

Researchers should comply with all legal and regulatory requirements that pertain to the data collected, used or disclosed as well as the conditions of the consent provided by participants.

Clause 3.1.49

The use of the word “ownership” in relation to data may perpetuate the misperception amongst researchers that they can “own” data. We recommend that this clause be more carefully worded to avoid that misperception. The Productivity Commissions recently published draft report on Data Availability and Use provides a useful summary of the way copyright law applies to data in chapter 1.3 entitled “How the law treats interests in data”.

Clause 3.1.52

The wording of this clause conflates the principle of respect with consent and appears to suggest that an ethical review body may authorise the sharing of data in a way that does not adhere to the principle of respect.

Clause 3.1.53

This purpose of this clause is unclear. We assume it is addressing the transport of data between collaborators. We are unsure what ‘appropriate’ means in this context but assume the point is that it should be proportionate to the risk. There is overlap between this clause and clasues 3.1.57 and 3.1.59. We suggest these clauses be combined and re-written to include advice on the security of data as described in our introductory comments on this part.  

Clause 3.1.54

Again, how does this fit with the waiver of consent provisions?

Clause 3.1.55

This clause should be broadened to include health information that may have clinical significance for individuals and qualified to refer only to the situation where the biological materials or information are not stored or duplicated elsewhere.

Banking and sharing of data

This section appears to assume that repositories will only be established with information obtained with consent. It does not provide any guidance in relation to the of information collected under a waiver of consent inclusion in research data banks.

The mention of open access repositories raises a variety of ethical issues that are not elaborated in any way. Data which pertains to an individual can probably never be considered non-identifiable. Therefore it is difficult to conceive of a situation where open access individual level data without consent might be ethical. See our comments to 3.1.42. We are assuming that the definition of “open access” is free and unrestricted access e.g. available on public website. As discussed by the Productivity Commission a system of trusted user access would be a more appropriate approach.

Clause 3.1.62 (a)

Comment the same as Clause 3.1.45 (a). See attached checklist of the other issues which researchers and reviewers need to consider.

Clause 3.1.64

This clause will be unnecessary if the our proposed approach is accepted i.e. there are not 3 categories of identifiability there is a spectrum and researchers and HRECs must make a judgement about the level of risk of identification and therefore whether the benefits of the proposed collection, use or disclosure outweigh the risks.

Clause 3.1.65

We would argue that any data that pertains to an individual, even if there is a low risk of identification, should not be exempt from ethical review. This is because a negligible risk of identification does not necessarily remove all ethical issues. Attention needs to be given to wider ethical issues such as the impact on particular groups in society.

[1]Pieper I and Thomson C.J.H Monash Biomed Rev. 2011. 29: 15.1-15.10

[2]Evers J.L.H, Hum Reprod. 2015. 30:1747–1748

[3]Grimes D.A. Hum Reprod. 2015. 30:1749–1752

[4]Hansen M. et al. Human Reprod. 2015. 30:2956-2957

[5]Ohm P. UCLA Law Review. 2010. 57:1701-1777.

[6]Mostert M. et al. Eur J Hum Genet. 2016. 24:956-960

[7] Taylor M.J. Medical Law Review. 2011. 19(2):267-303

[8] Kaplan B. Camb Q of Healthc Ethics. 2016.25(2): 312-329

[9]Metcalf J. and Crawford K. Big Data and Society. 2016. Jan-Jun:1-14

[10]Ohm P. UCLA Law Review. 2010. 57:1701-1777.


4. Section 5

Chapter 5

Chapter 5.1.6

An amendment to Chapter 5.1.6 is required to add research where ‘individual information is collected, used or disclosed without consent’ to the types of research that require review by an HREC.This amendment includes projects where HREC review is required by privacy legislation. In our experience many reserachers and HRECs find the fact that this is not listed as one of the types of research which require review by an HREC to be confusing. For example, projects requesting access to data without consent may be low risk but privacy legislation requires review by an HREC. There can be an assumption that all research that is determined to be low risk can be reviewed by an alternative pathway.

Supporting attachments
Supporting attachments: 

Page reviewed: 10 July, 2018