Skip to Content

Disclosure Obligations in Evaluation and Research

Knowing where your legal obligations begin and end when working with stakeholders
15 December 2025 by
Disclosure Obligations in Evaluation and Research
Gerard Atkinson

Many thanks to Professor Chris Maylea, Iris Ethics Chair for developing this resource, drawing upon his legal expertise and direct experience in delivering evaluation and social research projects where disclosure of illegal activity has been a central consideration. Disclaimer: Please note that the following does not constitute formal legal advice; while Iris Ethics can advise on the acceptability of projects under the NHMRC National Statement on Ethical Conduct in Human Research, we are not able to provide legal advice on disclosure obligations as part of reviews. For specific cases of disclosure we recommend engaging legal counsel, in line with the advice of the National Statement at paragraph 4.9.3.

Evaluation, social research, and market research are fundamentally engaging with human experiences. While most experiences are benign in nature, there is the risk that a person may disclose information that relates to illegal activities that have taken place or may take place. This scenario creates an ethical and regulatory dilemma: as a researcher/evaluator, am I required to notify authorities of this activity, or is this a violation of the confidentiality of the information gathering process?

To complicate things further, the answer to this question varies depending on where the information is gathered. In Australia, each state and territory has in place different regulations around the protection of personal information, and around what activities require mandatory reporting to authorities. This creates a complicated system which researchers and evaluators have to navigate in planning and delivering projects.

For this reason, we have developed this resource to provide clarity around the different scenarios and requirements that may lead to disclosure, as well as cases where an evaluator or researcher is not permitted to disclose information.

Scope

While the National Statement provides requirements in relation to ethical review of activities that may discover illegal activity at Chapter 4.9*, this chapter explicitly does not contain guidance about the specific legal obligations of researchers arising from their conduct of research that discovers illegal activity. 

This resource sets out in generalised terms the legal obligations that researchers and evaluators may face when conducting activities in Australia, particularly where participants disclose sensitive information. These obligations arise independently of the research context but may be engaged by disclosures made in interviews, surveys, focus groups or other research interactions. Understanding these duties is essential for designing ethically sound research, preparing accurate participant information and consent materials, and ensuring compliance with institutional responsibilities. 

There are three broad categories of scenario that provide a clear conceptual framework for researchers and evaluators to apply:

  • Must not disclose:
    • situations in which no legal authority or obligation permits disclosure, and the researcher has not obtained participant consent.
  • May disclose:
    • situations in which legislation permits disclosure, such as serious threat exceptions in privacy or health records laws, but no mandatory reporting duty applies.
    • situations where advance free and informed consent to disclose has been obtained from the participant or someone with a legal power to consent on behalf of the participant.
  • Must disclose:
    • situations in which legislation imposes a duty to report, including mandatory reporting to child protection, offences for failure to report child sexual abuse, universal reporting obligations in the Northern Territory for child harm and serious domestic violence, and organisational duties under reportable conduct schemes.

In essence, two things must be considered:

  • Is disclosure permitted or mandated by law?
  • Do I have consent to do so?

The following sections set out the relevant legal obligations at Commonwealth and state or territory levels. 

Part 1: Cross cutting legal concepts

No general law compels researchers to divulge disclosures absent a statutory duty (that is, if a specific law doesn't require you to). Australian courts have not adopted a US-style duty to warn (breaching confidentiality to prevent harm), and Australian privacy regulators require a high threshold of seriousness and immediacy for any discretionary disclosures. In this sense, privacy is normally the overriding consideration.

Privacy and confidentiality

Across Australia, privacy and health records legislation regulates how researchers collect, use and disclose personal information. Researchers and evaluators must, in designing and delivering projects, establish which schemes they are subject to.

At a Commonwealth level, the Privacy Act 1988 (Cth) applies to Commonwealth agencies and many private sector entities. The Australian Privacy Principles (APPs) in Schedule 1 restrict secondary use or disclosure of personal information unless an exception applies. APP 6 permits disclosure where required or authorised by law or where a “permitted general situation” applies. Section 16A identifies permitted general situations, including disclosure necessary to lessen or prevent a serious threat to life, health or safety where obtaining consent is impracticable.

Most states and territories have parallel frameworks:

  • Victoria: Privacy and Data Protection Act 2014 (Vic) Schedule 1 IPP 2; Health Records Act 2001 (Vic) Schedule 1 HPP 2 (serious threat and required-or-authorised exceptions).
  • New South Wales: Privacy and Personal Information Protection Act 1998 (NSW) s 18; Health Records and Information Privacy Act 2002 (NSW) Schedule 1 HPP 2.
  • Queensland: Information Privacy Act 2009 (Qld) and the Queensland Privacy Principles (especially QPP 6 on use and disclosure, which contains similar “serious threat” and required-or-authorised exceptions).
  • Tasmania: Personal Information Protection Act 2004 (Tas).
  • ACT: Information Privacy Act 2014 (ACT) (Territory Privacy Principles mirror the APPs).
  • Northern Territory: Information Act 2002 (NT) (Information Privacy Principles 2 and 10).
  • Western Australia: Privacy and Responsible Information Sharing Act 2024 (WA) (taking effect 1 July 2026) will introduce comprehensive privacy principles for WA public sector data.
  • South Australia: no comprehensive privacy statutes are in place, but administrative privacy regimes exist.

What is common across all these frameworks is that researchers and evaluators must not disclose identifiable information unless an exception applies. These exceptions include threats to life or safety and legal obligations to report, but it is important to understand the extent of these exceptions for the states and territories where you are conducting activities.

Concealing or compounding offences

While in general there is a principle of non-disclosure which absolves researchers and evaluators from criminal liability, there are some cases where non-disclosure by a researcher or evaluator may result in criminal prosecution.

In NSW, it is an offence not to report a serious indictable offence, which means an offence that is punishable by term of 5 years or more (Crimes Act 1900 (NSW) s 316). This obligation does not apply if it concerns a sexual or domestic violence offence against an adult, and the person has good reason to believe that the adult does not want the matter reported to police or any other authority.

In addition, every jurisdiction criminalises accepting benefits in return for concealing crimes or agreeing not to cooperate with police. With the exception of NSW, these provisions do not impose a general duty to report crime; they prohibit corrupt arrangements to conceal crime.  

Part 2: Child related obligations

Mandatory reporting to child protection authorities

Mandatory reporting duties apply to specified professionals in most jurisdictions. In most cases, the duty applies when a mandated reporter forms a belief or suspicion, on reasonable grounds, that a child is being abused, has been abused or is at risk. This includes child sexual abuse but also includes other forms of child abuse such as physical, psychological and emotional abuse and neglect.

Statutory duties include:

  • Victoria: Children, Youth and Families Act 2005 (Vic) ss 182–184.
  • NSW: Children and Young Persons (Care and Protection) Act 1998 (NSW) s 27.
  • Queensland: Child Protection Act 1999 (Qld) ss 13A–13E.
  • Western Australia: Children and Community Services Act 2004 (WA) ss 124A–124C.
  • South Australia: Children and Young People (Safety) Act 2017 (SA) ss 30–31.
  • Tasmania: Children, Young Persons and Their Families Act 1997 (Tas) s 14.
  • ACT: Children and Young People Act 2008 (ACT) ss 354–358.
  • Northern Territory: Care and Protection of Children Act 2007 (NT) s 26 (which, unlike other jurisdictions, creates a universal duty applying to all adults).

Whether a researcher or evaluator is a mandatory reporter depends on their professional registration or the statutory definition of their role. Whether someone is a mandated reporter depends on their role and the law’s definitions. Note that some laws preserve specific confidences. For example, they typically do not override legal professional privilege. 

Failure to report child sexual abuse offences

These criminal offences apply to adults who fail to report child sexual abuse to police.

Examples include:

  • Victoria: Crimes Act 1958 (Vic) s 327.
  • NSW: Crimes Act 1900 (NSW) s 316A.
  • Queensland: Criminal Code Act 1899 (Qld) ss 229BB (failure to protect) and 229BC (failure to report).
  • ACT: Crimes Act 1900 (ACT) s 66AA.
  • Northern Territory: Care and Protection of Children Act 2007 (NT) s 26 (universal).

These laws apply regardless of whether the disclosure is made in a research context.

Child abuse material offences and research defences

Research involving case files, court transcripts, archival records or criminology datasets may involve material legally defined as child abuse material. 

The Criminal Code Act 1995 (Cth) ss 474.22–474.25 criminalises possession, production, distribution and access to child abuse material using a “carriage service”, which includes the internet and telecommunications. Section 474.24 provides a “public benefit” defence, which includes genuine medical, legal, scientific or educational research. The defence requires written ministerial approval.

State and territory legislation also applies, such as the Victorian Crimes Act 1958 (Vic) s 51L which provides a public benefit defence where material is used for genuine medical, legal, scientific or educational purposes.

These defences do not arise automatically from ethics approval. Approval under the Commonwealth defence must be obtained separately and the obtainment of one does not guarantee the other.

Reportable conduct schemes

These schemes impose organisational duties to report allegations of child abuse or child-related misconduct by staff, contractors or volunteers:

  • Victoria: Child Wellbeing and Safety Act 2005 (Vic) Part 5A.
  • NSW: Children’s Guardian Act 2019 (NSW).
  • ACT: Ombudsman Act 1989 (ACT) Part 4A.
  • Queensland: Child Safe Organisations Act 2024 (Qld), Part 4 (commencing 1 July 2026).

Researchers and evaluators working within organisations included in these schemes must follow internal notification protocols. As researchers and evaluators may also be engaged as contractors to such organisations, they should be aware of any obligations that may arise under these schemes based on their affiliation with the organisation, which may vary based on the nature of the contract and the relationship with the organisation.

Part 3: Family and domestic violence obligations

Mandatory reporting

The Northern Territory is the only jurisdiction with a universal duty to report serious domestic and family violence. The Domestic and Family Violence Act 2007 (NT) s 124A requires adults to report to police where they believe on reasonable grounds that serious physical harm has occurred, is occurring or is likely.

Information sharing schemes

Several jurisdictions authorise, but do not generally require, disclosure of information to manage family violence risk.

These include:

  • Victoria: Family Violence Protection Act 2008 (Vic) Part 5A.
  • NSW: Crimes (Domestic and Personal Violence) Act 2007 (NSW) Part 13A.
  • Northern Territory: Domestic and Family Violence Act 2007 (NT) information sharing framework.
  • Queensland: Domestic and Family Violence Protection Act 2012 (Qld) Part 5A.

These schemes override some confidentiality restrictions but impose careful conditions to ensure safety and proportionality. Again, researchers and evaluators must make themselves aware of which conditions may apply in their circumstances.

Part 4: Practical guidance for researchers and evaluators

Where applicable and relevant to the specific project, applicants to the Iris Ethics HREC should show evidence that they have: 

  • Identified all statutory limits on confidentiality relevant to the jurisdictions in which research will occur.
  • Determined whether any researchers are mandatory reporters under child protection laws.
  • Understood duties to report child sexual abuse and the circumstances in which they apply.
  • Considered whether the organisation hosting the research/evaluation is subject to reportable conduct schemes.
  • Established whether the activities may involve material regulated as child abuse material, and if so, whether a public benefit defence is available and what approvals are required.
  • Crafted clear participant information materials explaining that confidentiality is limited by legal reporting obligations.
  • Developed internal procedures for responding to disclosures. 

Summary

Researchers and evaluators, in designing and delivering projects should return to the three-part framework that appears at the beginning of this guidance:

  • Must not disclose
    • situations in which no legal authority or obligation permits disclosure, and the researcher has not obtained participant consent to disclose.
  • May disclose
    • situations in which legislation permits disclosure.
  • Must disclose
    • situations in which legislation imposes a duty to report.

Using this structure ensures that confidentiality is respected, statutory duties are met and ethical standards are maintained.


*Notably, paragraph 4.9.6 states: "Research that is intended to study or expose illegal activity or that is likely to discover it must be reviewed and approved by an HREC, except where that researchuses collections of non-identifiable data and may be eligible for lower risk research review processes."