Local laws

Do the privacy laws and regulations applicable to clinical trials in your jurisdiction provide for extraterritorial applicability?

Depending on factual analysis.

The Australian Privacy Principles (the APPs) (as set out in Schedule 1 to the Privacy Act) extend to an act done, or practice engaged in, outside Australia by an organization that has an Australian link (s 5B(1A)).

An organization has an Australian link where it is:

• An Australian citizen or a person whose continued presence in Australia is not subject to a legal time limitation
• A partnership formed, or a trust created, in Australia
• A body corporate incorporated in Australia, or
• An unincorporated association that has its central management and control in Australia (s 5B(2))

An organisation that does not fall within one of those categories will also have an Australian link where:

• It carries on business in Australia, and
• It collected or held personal information in Australia, either before or at the time of the act or practice (s 5B(3))

Note: The phrase ‘carries on business in Australia’ in s 5B(3)(c) is not defined in the Privacy Act. However, it arises in other areas of law, including corporations and consumer law. Guidance may be drawn from judicial consideration of the phrase in those contexts.

What is the preferred legal ground for the processing of the personal data of the participants in a clinical trial in your jurisdiction?

Subject to the exceptions set out in our answer to Question 1, the collection of sensitive information (including health information) requires the individual’s consent.

The applicable provision is found in APP 3.3.

An agency or organization (an APP entity) must not collect sensitive information about an individual unless:

• The individual consents to the collection of the information and:
  • If the entity is an agency – the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities; or
  • If the entity is an organisation – the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities;
• Or subclause 3.4 applies in relation to the information (Note: Subclause 3.4 provides various carve outs for law enforcement, court orders, and most relevant to this enquiry is 3.4(c) a permitted health situation exists.

Permitted health situations are defined section 16B of the Privacy Act and set the circumstances where the collection, use or disclosure of health information is permitted without obtaining the individual’s consent.

Use or disclosure of personal information

APP 6 sets out the conditions by which an APP entity may use or disclose personal information.

• 6.1  In general, If an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless:
  • The individual has consented to the use or disclosure of the information; or
  • Subclause 6.2 or 6.3 (note 6.3 only applies to government agencies) applies in relation to the use or disclosure of the information.

Note: APP 8 sets out requirements for the disclosure of personal information to a person who is not in Australia.

• 6.2  This subclause applies in relation to the use or disclosure of personal information about an individual if:
  • The individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is:
    • If the information is sensitive information (e.g. health information) directly related to the primary purpose; or
    • If the information is not sensitive information--related to the primary purpose; or
  • The use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
  • Not applicable
  • The APP entity is an organisation and a permitted health situation exists in relation to the use or disclosure of the information by the entity; or
  • Not applicable.

Consent – the regulator has published non-binding guidelines on consent to the handling of personal information, and the following recommendations are also consistent with findings from the regulator’s investigatory powers. In general consent must be informed, voluntary, current and specific, the individual must also have capacity to provide consent.

What is the legal ground for the processing of the personal data in respect of pharmacovigilance in your jurisdiction?

The legal grounds for processing personal data in respect of pharmacovigilance are as set out in Local laws.

Indicate the role from a data protection perspective of various parties involved (i.e in respect of the processing of the personal data of the clinical trial).

Role	Notes
Sponsor	The Privacy Act does not contain the concept of controller and processor, to the extent the Sponsor is an APP entity with an Australian link (as described more fully in our answer to Question 3) collecting or handling personal information, the Sponsor will be bound by the Privacy Act and the APPs.
Principal Investigator	The Privacy Act does not contain the concept of controller and processor, to the extent the Principal Investigator is an APP entity with an Australian link (as described more fully in our answer to Question 3) collecting or handling personal information, the Sponsor will be bound by the Privacy Act and the APPs.
Clinical Trial Site	The Privacy Act does not contain the concept of controller and processor, to the extent the CTS is an APP entity with an Australian link (as described more fully in our answer to Question 3) collecting or handling personal information, the Sponsor will be bound by the Privacy Act and the APPs.
Monitor	The Privacy Act does not contain the concept of controller and processor, to the extent the Moniotor is an APP entity with an Australian link (as described more fully in our answer to Question 3) collecting or handling personal information, the Sponsor will be bound by the Privacy Act and the APPs.
CRO	The Privacy Act does not contain the concept of controller and processor, to the extent the CRO is an APP entity with an Australian link (as described more fully in our answer to Question 3) collecting or handling personal information, the Sponsor will be bound by the Privacy Act and the APPs.

Is key-coded clinical trial data considered personal data under your jurisdiction’s data protection laws? (Key-coded clinical trial data is where the identity of the individual clinical trial participant is replaced with a unique subject identification code, and the ‘key’ which can be used to re-identify the participant is held by the Principal Investigator.)

To the extent key-coded clinical trial data cannot reasonably identify an individual it is likely to be De-identified personal information for the purpose of the Privacy Act.

De-identified personal information is no longer personal information for the purpose of the Privacy Act.

In general, personal information will be de-identified if:

• Direct identifiers are removed; and
• One or both of the following steps have been taken:
  • The removal or alteration of other information that could potentially be used to re-identify an individual, and/or;
  • The use of controls and safeguards in the data access environment to prevent re-identification

The regulator has issued the following guidance on de-identification:

• De-identification and the Privacy Act;
• The De-identification decision making framework (as adapted from the UK version);
• Guide to data analytics and the Australian Privacy Principles.

Is it possible to re-use the personal data obtained for the purposes of conducting the clinical trial? If so, what requirements need to be satisfied?

Yes, but only in limited circumstances.

This is because under APP 6.1 if an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless:

• The individual has consented to the use or disclosure of the information; or
• Subclause 6.2 or 6.3 (note 6.3 only applies to government agencies) applies in relation to the use or disclosure of the information.

Note: APP 8 sets out requirements for the disclosure of personal information to a person who is not in Australia.

6.2  This subclause applies in relation to the use or disclosure of personal information about an individual if:

• The individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is:
  • If the information is sensitive information (e.g. health information) directly related to the primary purpose; or
  • If the information is not sensitive information--related to the primary purpose; or
• The use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
• Not applicable
• The APP entity is an organisation and a permitted health situation exists in relation to the use or disclosure of the information by the entity; or
• Not applicable.

What requirements, if any, need to be satisfied if clinical trial data is transferred internationally?

Before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information (APP 8.1). There are exceptions to the requirement in APP 8.1 to take reasonable steps and to the accountability provision in s 16C.

Note: an APP entity that discloses personal information to an overseas recipient is accountable for any acts or practices of the overseas recipient in relation to the information that would breach the APPs (s 16C).