Confidentiality Guidelines

Updated: 3 October 2003, reviewed Janurary 2020

These guidelines specifically address the requirements outlined in Chapter 5 of the “Guidelines for Genetic Registers and Associated Genetic Material”. National Health and Medical Research Council, 2000.

Disclosure of information to:

(i) Staff of the register

The register staff, the Senior Data Manager and Data Manager, are responsible for the registers’ day-to-day operation. Other staff responsible for maintaining the register are:

  1. Research Nurses
  2. Laboratory staff
The Senior Data Manager is directly responsible to the kConFab Coordinator and Executive Director.

Register staff will be appropriately qualified, skilled and experienced to carry out the functions of the register. They must have a demonstrated knowledge of administering databases, and appreciation of privacy issues, and data quality issues. Register staff will adhere to the Privacy Policy of the Peter MacCallum Cancer Centre, and are required to sign Centre’s Confidentiality Statement upon employment.

Access to computers containing the register is restricted to authorised kConFab personnel, and user authentication is established before access is gained. Unauthorised disclosure of register information by register staff includes the release of identifiable information to any party other than those the participants have consented to, and de-identified information to non-approved projects. Any unauthorised or unlawful disclosure or discussion of records or information concerning registrants will be regarded as a serious breach of confidentiality and could lead to dismissal.

Register staff will also adhere to the Information Privacy Principles [from the Victorian Information Privacy Act 2000]. These principles are paraphrased as follows:

  1. Information will be collected lawfully, non-intrusively and only if it is relevant for the organisation’s activities. Participants must be informed of what is being collected and why.
    • Information is only collected if a participant has given informed consent, or another close family member or someone with Power of Attorney has given consent.
    • The data fields that store the participant’s information have been approved by the kConFab Executive Committee. No other information is collected other than that which has been approved.
    • Any participant requesting “no further contact” will have their status noted as such and will no longer be contacted by kConFab staff.

  2. Personal information will only be used and disclosed for the primary purpose it was collected for.
    • Only approved Research Project are given information, and only in a form that will prevent and individual’s identity from being determined.
    • Other organisations that hold information on participants may be approached with the purpose of ensuring that data we store is as accurate as possible. In such cases, they will be provided with participant’s personal information for the purposes of matching information. Such organisations must demonstrate their adherence to the Information Privacy Principles.

  3. Information will be kept as up-to-date and complete as possible.
    • kConFab Clinical Follow-up study follow up every 3 years to obtain new contact info and cancer details. Research Nurses (RNs) do a yearly follow up of the families they have recruited.
    • We only give data to researchers when family details are deemed to be as complete as possible at the time by the RNs.
    • Carry out regular matching of data to other agencies (where possible, feasible and applicable) which can provide more accurate and up-to-date information on participants (eg. AusPost match, Cancer Registry match.

  4. Information will be protected against loss, unauthorised access, use, modification or disclosure, and misuse.
    • User authentication for applications/database
    • Different roles showing only info directly relevant to party accessing the database
    • PeterMac firewall
    • Database being physically kept under lock and key.
    • Encryption for data sent/received over the internet

  5. Policies outlining the management of personal information collected will be available on request.
    • ‘Privacy and Security of Information’ document
    • Consent Form and the Information Sheet given to participants at recruitment outlines what we collect, why, how, how we store it, and who we disclose it to.
    • This policy

  6. Information relative to a registrant will be disclosed to the him/her upon his/her request.
    • PeterMac FOI Policy
    • As a government body we are bound by Freedom of Information (FOI) laws allowing access to a registrant’s documents. Our policy dictates that the documents must be viewed in the presence of an appointed member of kConFab staff.

  7. Unique identifiers will only be assigned to individuals if necessary to carry out the organisation’s activities efficiently. Unique identifiers will not be adopted that have been assigned by another organisation.
    • The “Database” automatically generates a unique identifier when the participant’s details are first entered for the participant and the family. These identifiers are essential in ensuring Research Projects do not receive any information that can be used to determine the identity of an individual.

  8. Individuals have the option of not identifying themselves.
    • It is not compulsory for name to be entered into the database.

Personal information may be transferred to agencies outside of Victoria only if the recipient protects privacy under standards similar to Victoria’s Information Privacy Principles (IPPs).

Only those research projects that have been signed a Materials Transfer Agreement are eligible to receive this de-identified information. See points listed for IPP 2.

Sensitive information like an individual’s racial or ethnic origin, political views, religious beliefs, sexual preferences, and membership of groups or criminal record may not be collected without the individual’s consent.

We ask the participant/other family member directly and only when they have consented.

(ii) The registrant

If asked, the register will provide access to register information relating the registrant. Reasons for requesting information should first be assessed so that the information sought can be provided in the most helpful way. If information is sought:

  1. to check accuracy, a register staff member should be present to assist with any queries.

  2. to gain better understanding of his/her medical condition, then register staff can suggest that this information be sought from their health care provider.

(iii) Blood relatives and spouse of the registrant

Information about a registrant may only be provided to blood relatives and spouses (‘relatives’) with his/her consent.

Care should be taken not to disclose registrants’ confidential information to other family members, even if they are also registrants. In particular, care should be taken when leaving telephone messages and mailing to registrants not to disclose the purpose of the communication.

With regard to deceased registrants, such information may be provided without consent to a spouse or relative who is the registrant’s senior available next-of-kin.

The register will not communicate to relatives information about the inheritance of a mutated gene in a registrant. Via a routine mail-out, or if approached directly by a registrant, the register will reveal that there is family test result of interest without revealing the identity of the individual who was tested to identify the information of interest.

(iv) Health professionals and other registers

Information may only be provided to health professional and other registers with the consent of the registrant. At the time of registration, the registrant will identify those health professionals and organisations to which information may be given. Encryption will be used if identified information is to be transferred in electronic form to another register.

(v) Those with access to laboratory databases

The person with administrative responsibility for the laboratory will ensure that access to the genetic information held in the register is restricted to authorised persons, who will be those persons who have the registrant’s consent to access the information.

(vi) Researchers, including register staff

Researchers accessing kConFab research data will only receive data in a de-identified format. All kConFab research projects are fully funded, peer reviewed, and ethically approved, before any data is provided. Data will only be provided if a kConFab project number is supplied, and verified by the kConFab coordinator.

(vii) Other, including insurance companies, employers and financial organisations (See also (viii) below)

Information about a registrant may only be released to such entities with the written informed consent of the registrant, or other person (eg Legal representative or senior available next-of-kin) or organisation (eg guardianship board) able to give legally valid consent.

Generally such requests for information will comprise a letter which details the information sought and a general release signed by the registrant. Register staff will suggest to the registrant that this information could be more appropriately provided by the managing health professional.

If the knowledge or written consent of the registrant has not been obtained by the body seeking the information, register staff will not respond to the inquiry, or will respond neither confirming or denying that the registrant is a participant in the study.

Insurance and Genetic Testing
Details of your family history are relevant in assessing your risk profile for certain forms of insurance. The ability to obtain health insurance is not changed by your family history or genetic test results. The Investment and Financial Services Association (IFSA) has confirmed that any existing life, trauma or disability insurance that you may have will not be affected by your participation in the study. There is a possibility that after your participation we may write to you with information that a cancer susceptibility gene mutation has been found within your family. This fact will need to be disclosed on future, new insurance applications and as such may affect assessment of your application.

(viii) Such persons or organisations to which disclosure is required by law

Access to information the kConFab register holds can potentially be sought under subpoena, and register staff could be compelled to provide it. A subpoena only requires production of document to the court, which must then decide, whether all or some of the documents will be released and to which of the parties of the case.

Some organisations, such as the Police and the Department of Social Security, have a statutory right to information if it is relevant to their functions and some of these could conceivably have an interest in genetic information.

The registrant will be informed immediately if access to his/her information or genetic material is sought under subpoena or other legislative requirement so that, if she/he desires, he/she has the opportunity to challenge the request.

Glossary

Database
The electronic file containing an organised set of related information.

De-identified (not identifiable, anonymous) genetic information
Sets of data (person records) from which identifiers (such as names, addresses) have been removed.

Register
The central database storing information collected for the kConFab Research Study.

Registrant
Participant in the kConFab research study.

Confidentiality and Privacy Policy (pdf)