Protecting Information Rights – Advancing Information Policy

Phone iconCONTACT US: 1300 363 992
 
We're now a part of the Office of the Information Commissioner. Go to www.oaic.gov.au to find out more.

Site Changes

Types

Topic(s): Disclosure
 

Inquiry into the Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006; Submission to the Senate Legal and Constitutional Affairs Committee (October 2006)

document icon pdf (70.27 KB)


September 2006

Office of the Privacy Commissioner

The Office of the Privacy Commissioner (the Office) is an independent statutory body responsible for promoting an Australian culture that respects privacy. The Privacy Act 1988 (the Privacy Act) covers federal and ACT Government agencies, businesses with an annual turnover of more than $3 million, the private health sector, small businesses that trade in personal information, credit providers and credit reporting agencies. The Privacy Commissioner has responsibilities under the Privacy Act and other federal legislation to regulate the way Australian government agencies and organisations collect, use, store and disclose individuals' personal information.

Background

The Office welcomes the opportunity to make a submission to the Senate Legal and Constitutional Affairs Committee's inquiry into the Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006 (the Bill).

The Office's review Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (the Review) looked at the issue of balancing the flow of information and privacy considerations during times of large scale emergencies.1 The review considered various options and made recommendations to the Government.

The comments below reflect the Office's support for the Bill and some suggested improvements. In general, the comments suggest that by applying more definition around the circumstances under which the provisions could operate, it will enhance public confidence that in the event of an emergency, personal information will be collected, used and disclosed appropriately.

The proposed amendments

The Office understands that the intention of the Bill is to insert a new Part into the Privacy Act to establish a clear and certain legal basis for the collection, use and disclosure of personal information about deceased, injured and missing Australian individuals caught up in an emergency or disaster occurring in Australia or overseas.

The Office welcomes the clarification of the legal basis for disclosure of personal information in the event of an emergency or disaster.

This clarification will assist individuals directly affected by an emergency or disaster and will also assist government agencies and private sector organisations, where appropriate, to collect, use or disclose personal information to assist those individuals directly affected. This will allow the Australian Government to provide an appropriate and timely response to the emergency or disaster.

However, consistent with our Review recommendation 68 that "there needs to be an appropriate balance between the desirability of having a flow of information and protecting (an) individual's right to privacy"2 it is important that the Bill be as clear as possible about its application.

Declaration of emergency- ss 80J 80K

It is understood that a declaration made under clause 80J or 80K would be made solely for the purpose of triggering the operation of Part VIA, and would not directly relate to any other legislative or non-legislative scheme about emergencies.

The Office notes that the words "emergency" and "disaster" are not defined in the Bill and that they will retain their ordinary meaning. While it might be difficult to define all the relevant emergency and disaster circumstances which will require the exchange of personal information, the Office believes that the preconditions could be more specific. Some additional criteria as to what constitutes a disaster or emergency would assist the decision-making process and reinforce public confidence in relation to the collection, disclosure and use of personal information under such circumstances.

The Committee might care to consider overseas approaches to the definition of "emergency" and "disaster", for example the meaning of "emergency" under the Civil Contingencies Act 2004 (UK) includes; "an event or situation which threatens serious damage to human welfare..." .3 The Office has attached the relevant parts of the provisions.

While this set of criteria may not be completely appropriate in the context of the current Bill it may assist in identifying relevant criteria that would be appropriate.

Permitted purposes - ss 80H, 80P(1)(b)

The Office notes that the draft Bill restricts the operation of the provisions to uses and disclosures for "permitted purposes" only, and views this as a positive step in limiting unnecessary uses and disclosures.

The Office would encourage further tightening of the definition of "permitted purpose". Proposed s80H (1) is very broadly worded in that it is "a purpose that relates to an emergency or disaster in respect of which an emergency declaration is in force". The Office would suggest that it be clarified as "a purpose directly related to" the emergency or disaster.

Again this would reinforce public confidence that in the event of an emergency, personal information will be collected, disclosed and used only when necessary.

When declarations cease to have effect - 80N

Given that a declaration may result in decreasing some existing privacy protections, the Office suggests that stronger mechanisms be built in to the Bill to ensure that normal processes protecting personal information disclosures and uses are resumed as soon as possible. The Office considers that a default period of 12 months for a declaration may sometimes be disproportionate. While the Bill allows the period of effect to be specified at the time of declaration or the declaration to be revoked earlier, consideration should be given to whether it should be mandatory for the declaration to be revoked when the need for it has come to an end or a shorter default period be specified with a provision to extend it where necessary.

Persons responsible - for an individual s80P (1)(c)(v)

The Office acknowledges the attention given to limiting the class of person to whom disclosures can be made to a "person responsible" for the individual involved in the emergency. This reflects the current provisions in the National Privacy Principles (NPPs), specifically NPP2.5.

However, the Office would suggest that to further assist in ensuring that disclosures to individuals allowed by these changes are only for relevant purposes, the types of circumstances outlined in NPP2.4 be used to limit the purposes for disclosure for example for compassionate reasons, or to enable the provision of appropriate care or treatment.

Designated secrecy provision - s80P(7)(a)-(e)

The Office understands that there will continue to be a need to retain adherence to some secrecy provisions in respect of uses and disclosures of particular types of personal information as acknowledged by the inclusion of s80P(7)(a)-(e). The Office also recognises that for good public policy reasons there may be some agencies apart from those listed in the proposed s80P(7)(a)-(c), such as the Australian Bureau of Statistics, that require being exempted from the ability to override their secrecy provisions provided by this amendment to the Privacy Act.

Attachment A

Civil Contingencies Act 2004

...  

PART 2

 

EMERGENCY POWERS

19     Meaning of "emergency"

  1. In this Part "emergency" means-
    1. an event or situation which threatens serious damage to human welfare in the United Kingdom or in a Part or region,
    2. ...
    3. ...
  2. For the purposes of subsection (1)(a) an event or situation threatens damage to human welfare only if it involves, causes or may cause-
    1. loss of human life,
    2. human illness or injury,
    3. homelessness,
    4. damage to property,
    5. disruption of a supply of money, food, water, energy or fuel,
    6. disruption of a system of communication,
    7. disruption of facilities for transport, or
    8. disruption of services relating to health.

Endnotes

1http://www.privacy.gov.au/law/reform/review/ - Section 7.13 Responding to large scale emergencies - page 234 of PDF version

2http://www.privacy.gov.au/materials/types/reports/view/6049#rec_large_scale_emergencies

3http://www.opsi.gov.uk/acts/acts2004/20040036.htm