close
Share with your friends

While the COVID-19 pandemic impacted clinical trials,1 there remains a high degree of community confidence in Australian clinical research. This confidence has been vital in Australia’s response to the pandemic, a response that has been further supported by funding initiatives by Commonwealth and State and Territory Governments. To maintain this confidence, and to support quality outcomes, the safety of participants and the secure collection and use of health data to support research efforts must be prioritised. As research project teams prepare, or continue, to undertake clinical trials, they must navigate a complex legal framework with strict governance and legal and ethics requirements to successfully recruit participants and collect and use data in circumstances where the patients may lack the requisite capacity to consent.

There are several COVID-19 focussed clinical trials currently being conducted with participation from members of the community. Research institutions and hospitals have joined forces to understand how to treat COVID-19 where the virus has infected both healthy patients and patients with pre-existing conditions, including where the virus has led to the development of further health complications. Clinical trials are focusing on how treatments will contribute to a patient’s recovery and the consequential effects on existing health conditions. The insights from these trials help to support and develop clinical practice, quality and patient outcomes. Other ongoing trials have also had to adapt their processes to manage COVID-19 related risks.

Success factors

Key to the ongoing viability and success of these trials, is ensuring that research project teams can legitimately recruit participants and handle their data in accordance with Australia’s privacy laws, while managing other research risks. It’s important that the team is compliant and does not compromise the wellbeing or privacy of participants. The design of the clinical trial will need to be reviewed in relation to recruitment and data handling practices to ensure the trial:

  • aligns with the applicable legal and regulatory frameworks
  • considers appropriate consent mechanisms and processes
  • integrates controls to mitigate data privacy risks
  • manages clinical, research and third-party stakeholders in accordance with established governance principles.

Legal and governance frameworks

Project teams must always consider the commonwealth, state and/or territory laws and regulations that might apply in relation to their recruitment and data handling, while also considering the National Health and Medical Research Council (NHMRC) guidelines, clinical procedures, hospital and site protocols and conditions issued by the relevant Human Research Ethics Committee. There may also be relevant institutional and industry-based literature that should be consulted.

As part of addressing risks in connection with the research project, the project team will need to assess the laws and rules that apply to recruiting patients from the treating hospital into the trial which is a different process from enrolling a patient into hospital. The project team must also consider any laws and rules that apply to continuing the patient’s participation in the trial. For example, if a project team wants to conduct follow up research following the initial assessment, every subsequent interaction will need to be reviewed and qualified.

As a trial produces data necessary for research purposes, the laws and regulations that apply to the collection, use and disclosure of health information need to be assessed. This can be challenging as, for example, each state and territory approaches medical emergency treatment differently, and the application of these legal principles may require a clinical assessment to support the approach taken. If a clinical trial is being conducted on a national scale, an approach that is tailored for each state and territory is recommended.

Recruiting patients: consent options

When a project team recruits patients for a clinical trial, they will need to consider whether the candidates have the requisite capacity to make an informed decision to consent to participate and whether the elements of lawful consent can be met. This will depend on the health of the patients, who may have been admitted to hospital in life-threatening or other emergency circumstances or are otherwise unable to consent given an existing cognitive disability, and this ability to give consent may change over the course of the trial. If patients have the capacity to consent, their decision must be respected.

State and territory regimes

Most states and territories in Australia have comprehensive guardianship, medical treatment decision making, or equivalent legislation, which prescribe the applicable laws. These laws are designed to protect individuals when they are most vulnerable from being automatically enrolled in clinical trials against their wishes (i.e. in an advance health directive). However, the laws also recognise the importance of making clinical trials accessible to all (even those who cannot validly consent) so that clinical care and the latest treatments are not withheld from those who need it most.

If consent cannot be provided in accordance with the applicable laws, avenues to seek consent from a legally authorised representative will need to be considered. This may require an application to a state or territory tribunal or court. Most jurisdictions permit consent to be waived if certain conditions are met, for example when the patient is undergoing life-threatening treatment or has been brought into hospital in circumstances where the treatment is required due to an emergency.

Handling of personal information

In addition to the success of patient treatment and recovery, the data collected is critical to supporting research efforts and contributing to the development of clinical knowledge and practice. Data collected from a clinical trial will be classified as sensitive health information which is regulated under the commonwealth’s Privacy Act 1988 or state and territory based health information or records legislation, depending on the design of the trial, funding covenants and third party-imposed obligations.

The collection of data from patients who are admitted to hospital, and satisfy the criteria to make them a suitable candidate, usually do not have the capacity to consent to the collection of their data from the treating site. Since the primary purpose for which a patient attends a hospital is to receive care, the conduct of a clinical trial would be for a secondary purpose and hence the collection of data from the trial would need to be authorised by law. Privacy and health records laws include health research exemptions which permit research project teams to collect data from sites conducting the trial without the patient’s consent provided certain conditions are satisfied.

These conditions will usually include:

  • satisfying the research purpose
  • demonstrating that the purpose cannot be served through the collection of de-identified information
  • demonstrating that it is impractical to seek consent from the patient
  • following applicable guidelines such as those issued by the NHMRC
  • obtaining HREC approval.


It is important that the relevant conditions are assessed on a case-by-case basis to ensure they can all be met, that the data processes are designed to support this and that other legal requirements are satisfied. This includes meeting the NHMRC guideline requirements where, given the circumstances, the project team rely on collecting and using data with limited disclosure, following an opt-out process, or a waiver of the consent requirement. Once addressed, the project team can consider issues in relation to data linkage, data analysis and data access.

Data governance

The research project protocol is a fundamental document which governs the conduct of a clinical trial. This document should cover the scope of the trial, approach to recruiting patients, safeguards in relation to the collection, use and disclosure of patient information, and other data governance practices. Adopting a privacy-by-design approach in the early stages of planning will help to ensure that the information of vulnerable members of the community is internally regulated and conforms to best practices. Topics such as data linkage, third party access to data and sharing data with the participant’s nominated advisors should also be considered.

Given the volume of data collected, and its sensitivity, it should be stored, accessed and disclosed (where permitted) in a safe and secure manner. Data collected from the treating site is often stored in a central source on a cloud-based network, merged into a bigger registry, accessible by individuals who are not members of the treating team while also being shared with organisations globally or linked with data from other databases. Whatever the circumstances, the data needs to be accessible, accurate and complete while being secure at all points in the process. A data mapping exercise can help to identify the relevant touchpoints so that controls are designed, implemented and monitored to avoid any non-compliance with data privacy obligations during the lifetime of the data.

How can we help?

KPMG Law continues to support clinical and research project and registry teams that lead or contribute to clinical trial efforts in Australia to navigate the complex legal framework involved. We can assist project teams with relevant rules and requirements to help ensure successful planning, management and compliance of clinical or medical research projects through their lifecycle including requirements relating to recruitment of patients, satisfying informed consent or alternative requirements, meeting research conditions for the collection and management of data, and integration of or access to the data.

In addition, we can support research project teams by reviewing protocols and supporting documents (including data sharing agreements, data linkage agreements and data access forms and terms), advising on privacy impacts and controls, developing data processing and governance frameworks and engaging in data mapping exercises.

Further reading