8. Data management



8.1 What data privacy and/or technology regulations need to be complied with in order to run a trial in the countries of interest?

Data from clinical trials are governed mostly by the Privacy Act 1988. See the relevant section below.

Privacy Act 1988

See Part IX – Miscellaneous, section 95:

95 Medical Research Guidelines

  1. The CEO of the National Health and Medical Research Council may, with the approval of the Commissioner, issue guidelines for the protection of privacy by agencies in the conduct of medical research.
  2. The Commissioner shall not approve the issue of guidelines unless he or she is satisfied that the public interest in the promotion of research of the kind to which the guidelines relate outweighs to a substantial degree the public interest in maintaining adherence to the Australian Privacy Principles.
  3. Guidelines shall be issued by being published in the Gazette.
  4. Where:
    1. but for this subsection, an act done by an agency would breach an Australian Privacy Principle; and
    2. the act is done in the course of medical research and in accordance with guidelines under subsection (1);

    the act shall be regarded as not breaching the Australian Privacy Principle.

95A Guidelines for Australian Privacy Principles about Health Information

1. Overview

This section allows the Commissioner to approve for the purposes of the Australian Privacy Principles guidelines that are issued by the CEO of the National Health and Medical Research Council or a prescribed authority.

2. Approving guidelines for use and disclosure

For the purposes of paragraph 16B(3)(c), the Commissioner may, by notice in the Gazette, approve guidelines that relate to the use and disclosure of health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety.

3. Public interest test

The Commissioner may give an approval under subsection (2) only if satisfied that the public interest in the use and disclosure of health information for the purposes mentioned in that subsection in accordance with the guidelines substantially outweighs the public interest in maintaining the level of privacy protection afforded by the Australian Privacy Principles (disregarding subsection 16B(3)).

4. Approving guidelines for collection

For the purposes of subparagraph 16B(2)(d)(iii), the Commissioner may, by notice in the Gazette, approve guidelines that relate to the collection of health information for the purposes of:

1. research, or the compilation or analysis of statistics, relevant to public health or public safety; or
2. the management, funding, or monitoring of a health service.

5. Public interest test

The Commissioner may give an approval under subsection (4) only if satisfied that the public interest in the collection of health information for the purposes mentioned in that subsection in accordance with the guidelines substantially outweighs the public interest in maintaining the level of privacy protection afforded by the Australian Privacy Principles (disregarding subsection 16B(2)).

6. Revocation of approval

The Commissioner may, by notice in the Gazette, revoke approval of guidelines under this section if he or she is no longer satisfied as to the matter of which he or she had to be satisfied in order to approve the guidelines.

95AA Guidelines for Australian Privacy Principles about genetic information

1. Overview

This section allows the Commissioner to approve for the purposes of the Australian Privacy Principles guidelines that are issued by the National Health and Medical Research Council.

2. Approving guidelines for use and disclosure

For the purposes of paragraph 16B(4)(c), the Commissioner may, by legislative instrument, approve guidelines that relate to the use and disclosure of genetic information for the purposes of lessening or preventing a serious threat to the life, health or safety of an individual who is a genetic relative of the individual to whom the genetic information relates.

95B Requirements for Commonwealth Contracts

1. This section requires an agency entering into a Commonwealth contract to take contractual measures to ensure that a contracted service provider for the contract does not do an act, or engage in a practice, that would breach an Australian Privacy Principle if done or engaged in by the agency.

2. The agency must ensure that the Commonwealth contract does not authorize a contracted service provider for the contract to do or engage in such an act or practice.

3. The agency must also ensure that the Commonwealth contract contains provisions to ensure that such an act or practice is not authorized by a subcontract.

4. For the purposes of subsection (3), a subcontract is a contract under which a contracted service provider for the Commonwealth contract is engaged to provide services to:

1. another contracted service provider for the Commonwealth contract; or
2. any agency;

for the purposes (whether direct or indirect) of the Commonwealth contract.

5. This section applies whether the agency is entering into the Commonwealth contract on behalf of the Commonwealth or in the agency’s own right.

95C Disclosure of certain provisions of Commonwealth contracts

If a person asks a party to a Commonwealth contract to be informed of the content of provisions (if any) of the contract that are inconsistent with a registered APP code binding a party to the contract or with an Australian Privacy Principle, the party requested must inform the person in writing of that content (if any).

More links for governing bodies of Privacy within Australia:

8.2 What are the data locality rules within each jurisdiction?

There are no data localization requirements for personal data generally. However, in some States / Territories (e.g., NSW and Vic), health records laws restrict disclosure of health records outside the relevant State/Territory (i.e., they impose in-State/in-Territory data sovereignty requirements) unless certain criteria are met (e.g., the individual consents to the transfer; a substantially similar protective regime will apply to the disclosed records; the transfer is necessary for the performance of a contract between the individual and the organization; or the organization has taken reasonable steps to protect the information consistent with State / Territory privacy principles). Original health records and copies of them are subject to the same disclosure restrictions.

"My Health Records" and associated information (e.g., back-ups of My Health Records) must not be held, taken, processed, or handled outside Australia at all (except that the My Health Records system operator can hold, take, process, or handle non-personal and non-identifying information outside Australia). This means that original My Health Records and copies of them may not be removed from Australia.

• Does the data have to remain within the country’s geographic boundaries, or can it be transmitted for display on a web browser outside of the region?

Yes, see above.

• Who is responsible for complying with international regulations if a participant travels between geographies (e.g., for vacation)? Does the CRO have to honor the destination country’s rules?

There is no specific guidance on this matter.

• Are there any specific requirements for using the Cloud (including whether any routing must be excluded/avoided)? Is there a need to implement secure transfers?

Yes, see above in relation to the sharing of personal health information outside of a specific State/Territory.

• Does data need to be collected in the country? Do the servers need to be in the country?

Yes, see above in relation to the sharing of personal health information outside of a specific State/Territory.

• Are there data storage and transmission requirements (for data transfer out of the country)?

Yes. Note that there is no concept of a "third country" in the Privacy Act, and that the Privacy Act regulates overseas disclosures rather than transfers.

Transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer and one of the following applies:

• Approved adequate/whitelisted jurisdictions
• Holders of specific certifications, or adherents to specific code of conduct programs, each approved by the relevant data protection and security authority
• Approved standard contractual clauses, binding corporate rules, or derogations such as consent, contract performance, or the necessity to establish, exercise, or defend legal claims
• Other solutions

Unless an exception applies, entities that disclose personal information to overseas recipients must take reasonable steps to ensure that the overseas recipient does not breach the requirements of the entity.

• Are there any exceptions made for research to the local privacy regulations?

No.

• Who is allowed to view data (including the PI) and have access to Personally Identifiable Information (PII)?

See the Management of Data Guidelines.

8.3 Detail the appropriate level of verification and validation of the CRO system (i.e., a software platform that runs clinical trials but is not considered a clinical device)

TGA does not have its own specific guidance on this topic. This should be managed in accordance with Good Clinical Practice; TGA has adopted the ICH guidelines, including the Integrated Addendum to ICH E6(R2): Guideline for Good Clinical Practice.

TGA also closely follows the European Medicines Agency guidelines, including the Guideline on Computerised Systems and Electronic Data in Clinical Trials (March 2023). That guideline provides detailed information on the specific verification and validation requirements for a computerized system.
