Bills Digest no. 45, 2006-07-Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006


Index

Bills Digest no. 45 2006–07

Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006

WARNING:
This Digest was prepared for debate. It reflects the legislation as introduced and does not canvass subsequent amendments. This Digest does not have any official legal status. Other sources should be consulted to determine the subsequent official status of the Bill.

CONTENTS

Passage History
Purpose
Background
Financial implications
Main Provisions
Concluding Comments
Endnotes
Contact Officer & Copyright Details


Passage History

Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006

Date introduced: 13 September 2006

House: House of Representatives

Portfolio: Senate

Commencement: The day after Royal Assent

Purpose

The Bill amends the Privacy Act 1988 in order to clarify the legal basis for the collection, use and disclosure of personal information in an emergency or disaster, whether in Australia or overseas.

Background

Basis of policy commitment

The Bill represents the Government s response to the criticisms regarding impediments under the Privacy Act after the tsunami disaster. The second reading speech states:

The tragic Boxing Day Tsunami in 2004 provided many lessons in how to provide effective and timely assistance to Australians caught up in an emergency. To provide effective assistance, we have to identify those who need help and what help is appropriate. The tsunami, along with other subsequent emergencies and disasters, revealed practical problems for Commonwealth agencies, State and Territory governments, private sector organisations and non-government organisations regarding the extent to which personal information can be shared.(1)

Privacy Act 1988

The Privacy Act 1988 addresses the collection, use, disclosure and storage of personal information held by Commonwealth government departments and agencies, ACT government departments and agencies and also the private sector across Australia.

Central to the Act are the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs). The IPPs, in section 14, apply to personal information handled by Commonwealth and ACT Government agencies whereas the NPPs, in Schedule 3 of the Act, regulate the way private sector organisations handle personal information.

In the context of the Bill, NPP2 is particularly relevant. Specifically, NPP 2.1 provides limited circumstances where an organisation may disclose personal information, such as: where the individual has consented (NPP2.1 (b)), where the disclosure is a related secondary purpose and within the individual s reasonable expectations (NPP 2.1(a)) and where the disclosure is authorised or required by or under law (NPP 2.1(g)). NPP 2.4 allows personal information to be disclosed for compassionate reasons, to a person responsible for an individual, however, this relates only to health information held by a health service provider.(2)

Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988

The Office of the Privacy Commissioner (OPC) in its 2005 Review of the Private Sector Provisions of the Privacy Act 1988 acknowledged there were problems for agencies dealing with personal information at the time of large-scale emergencies. As the Review commented:

The scale and gravity of large scale emergencies have tested the application of the Privacy Act and raised questions as to how privacy protection should operate in such situations. The Privacy Act received criticism in the media after the tsunami disaster for lacking commonsense and for being unable to anticipate and cope with the extent of the tsunami disaster.(3)

The OPC Review considered various options for reform and made the following recommendations to the Government:

  • the consequences of disclosure of information should be compared to the consequences of non-disclosure. Consideration also needs to be given to the potential identity fraud that may occur during such a time, especially if disclosure is allowed to the media
  • NPP 2 should be amended to enable disclosure of personal information in times of national emergency to a person responsible
  • the Privacy Act should be amended to enable the Privacy Commissioner to make a Temporary Public Interest Determination without requiring an application from an organisation(4)
  • National Emergency should be defined as incidents determined by the Minister under section 23YUF of the Crimes Act 1914.(5)

Senate Committee inquiry into the Bill

On 14 September 2006, the Senate referred the Bill to the Senate Standing Committee on Legal and Constitutional Affairs for inquiry and report by 12 October 2006. The Committee report recommends that the Bill be passed by the Senate subject to two amendments. The Australian Democrats provided additional comments with a number of points of dissent. Further information from the report and submissions is provided throughout the Digest.

Position of significant interest groups

Office of the Privacy Commissioner

The OPC, in its submission to the Senate Committee inquiry, indicated support for the Bill, while also proposing some improvements. In general the OPC comments suggest that more definition of the circumstances under which the provisions could operate, would enhance public confidence that in the event of an emergency, personal information will be collected, used and disclosed appropriately. The Main Provisions section of the Digest provides more detail of the OPC recommendations.

Australian Privacy Foundation

The Australian Privacy Foundation, in its submission to the Senate Committee inquiry, stated that it remains unconvinced that legislative amendments to the Privacy Act are necessary. Instead, the Foundation suggests that a better alternative would be guidelines from the Privacy Commissioner or the Attorney-General s Department making it clear that the existing provisions of the Privacy Act already allow collection, use and disclosure of personal information for the benefit of individuals in emergency situations. The submission goes on:

In the rare circumstances where a collection, use or disclosure may technically not be permitted by the Act, it is unlikely that the individuals concerned would complain, and in any case, both the Privacy Commissioner and the Courts would have the discretion to treat any such complaint as trivial.

The lack of a clearer justification for these amendments suggests to us that they have more to do with protecting government from embarrassment, and/or facilitating other public interests at the expense of individuals privacy rights, than they do with promoting the interests of individuals affected by emergencies or disasters.

For views of other interested groups, the reader is referred to the submissions to the Senate Committee inquiry.

Australian Democrats policy position

The Australian Democrats, in the Senate Committee report, expressed several points of dissent regarding the Bill. The main thrust of their argument was:

While we understand that government agencies and non-government organisations need to use personal information in times of disaster relief, we believe that this need can be accommodated by minor legislative amendment to the current framework for these limited circumstances, without the necessity to invoke such far reaching changes to our current privacy regime as are envisaged by this bill.(6)

[ ]

This bill [ ] would permit the Minister or Prime Minister to completely dismantle the system and processes of protections we currently enjoy [under the Privacy Act] at the stroke of a pen. It would allow information to be disclosed to, and by, a far greater range of organisations and individuals, for a far greater range of situations, and for far longer than most Australians would consider reasonable.(7)

Financial implications

The Explanatory Memorandum states that there will not be any new significant financial impact.

Main provisions

Schedule 1 Privacy Act 1988

Item 1 inserts new Part VIA into the Privacy Act. The object of new Part VIA is to enhance the exchange of personal information in an emergency or disaster (8) (new section 80F).

Declaration of an emergency

New Part VIA only operates in the event of the declaration of an emergency. The Prime Minister or the Attorney-General may make an emergency declaration in relation to events in Australia (new section 80J) or overseas (new section 80K) subject to certain preconditions. The preconditions that must exist in relation to an event in Australia are:

  • an emergency or disaster of national significance has occurred
  • the emergency or disaster is of a kind which would make it appropriate that personal information be exchanged, and
  • the emergency or disaster has affected one or more Australian citizens or permanent residents.

The preconditions for a declaration in relation to events outside Australia are:

  • an emergency or disaster has occurred outside Australia
  • the emergency or disaster is of a kind which would make it appropriate that personal information be exchanged, and
  • the emergency or disaster has affected one or more Australian citizens or permanent residents.

The notes to new sections 80J and 80K state that such declarations of emergencies are merely a trigger for the operation of Part VIA of the Privacy Act and are not the trigger for any other schemes about emergencies.

The meaning of emergency and disaster

The words emergency and disaster are not defined in the Bill. The Explanatory Memorandum states that the reason for this is to ensure flexibility in the operation of the Bill, as the types and circumstances of emergency or disaster are too numerous to allow for sensible definition. (9)

In its submission to the Senate Committee inquiry, OPC suggested that, notwithstanding the difficulty of defining all relevant emergency and disaster circumstances that might require the exchange of personal information, [s]ome additional criteria as to what constitutes a disaster or emergency would assist the decision-making process and reinforce public confidence in relation to the collection, disclosure and use of personal information under such circumstances. The OPC drew the Committee s attention to the definition of these words in the Civil Contingencies Act 2004 (UK) and noted that while the set of criteria applied in that Act may not be completely appropriate in the context of the Bill, it may assist in identifying relevant criteria that would be appropriate.(10)

The Committee, while noting these concerns, accepted the view expressed in the Explanatory Memorandum that defining these terms would risk excluding unforseen events which should properly be the subject of a declaration under the Bill.(11)

Procedures for emergency declarations

Emergency declarations must be signed and in writing and be published as soon as is practicable on the Attorney-General s Department website and in the Gazette. Declarations are not legislative instruments (new section 80L). They take effect from the time of signing (new section 80M) and will cease to have effect at the earliest of: a time specified in the declaration, a time at which the declaration is revoked, or the end of 12 months from when the declaration is made (new section 80N).

A number of submissions to the Senate Committee inquiry expressed concern about how long a declaration might be in effect. The NSW Council of Civil Liberties (NSWCCL) noted that the Bill did not impose a limit on the length of time that a declaration could be in effect and that a declaration could be made for a period of more than 12 months. The NSWCCL expressed concern that privacy rights would be suspended for the duration of the declaration of emergency.(12) The OPC also expressed concern that a declaration of emergency might have the effect of decreasing some existing privacy protections and that a default period of 12 months for a declaration might be disproportionate in some circumstances. The OPC recommended that consideration should be given to whether it should be mandatory for the declaration to be revoked when the need for it has come to an end or a shorter default period be specified with a provision to extend it where necessary.(13)

The Senate Committee, in its report, noted the difficulties of determining the appropriate duration of a declaration at the time of the declaration, but agreed that the period of time for which normal operation of the Privacy Act is suspended should be limited. The Committee recommended that a maximum period of 12 months should be specified in the Bill.(14)

Section 80N was amended in the Senate on 17 October 2006 in line with the Senate Committee s recommendation.

Collection, use and disclosure of personal information in the event of declaration of an emergency

New section 80P is the key provision in the new Part VIA. It authorises the collection, use and disclosure of personal information if an emergency is declared. It permits an entity (i.e. a person, an agency or a private sector organisation) to collect, use or disclose personal information relating to an individual if:

  • that entity reasonably believes that the individual may be involved in the emergency or disaster; and
  • the collection, use or disclosure is for a permitted purpose .

Scope of permitted purpose

Permitted purpose is defined in new section 80H as a purpose that relates to the Commonwealth s response to a declared emergency or disaster. The following examples are provided as a guide to what may be a permitted purpose:

  • identification of individuals involved in the emergency or disaster
  • assisting those individuals to obtain necessary services
  • assisting with law enforcement in relation to the emergency or disaster
  • coordination or management of the response to the emergency or disaster, and
  • ensuring people who are responsible for individuals (as defined in NPP 2.5 and including a parent, child or spouse) are appropriately informed of matters concerning an individual s involvement in the emergency or disaster (new section 80H(2)).

Some of the submissions to the Senate Committee inquiry saw problems with this definition. In particular the NSWCCL and the OPC expressed concern at the apparent breadth of the definition of permitted purpose .(15) The NSWCCL proposed that it should be restricted to those purposes listed in subsection 80H(2) or, if necessary, purposes closely connected to those listed in subsection 80H(2). Similarly, the OPC proposed that a permitted purpose should be defined as a purpose directly related to the emergency or disaster. The Attorney-General s Department advised that the Government was reluctant to limit the scope of permitted purpose to the purposes listed in subclause 80H(2) as it would eliminate the flexibility to encompass necessary additional purposes not listed in subclause 80H(2).(16)

The Committee, in response, agreed with the Department but argued that the definition of permitted purpose was unnecessarily broad. The report states:

[ ] the committee considers that seeking to limit the meaning of permitted purpose to the purposes listed in subclause 80H(2) would risk excluding collection, use or disclosure for legitimate purposes related to an emergency or disaster. Nevertheless, the committee considers that the current definition of permitted purpose is unnecessarily broad. The committee recommends that the definition of permitted purpose in subclause 80H(1) should require that the purpose directly relate to the Commonwealth s response to any emergency or disaster. (17)

Subclause 80H(1) was amended in the Senate on 17 October 2006 in line with the Senate Committee s recommendation.

Disclosure of personal information

New paragraphs 80P(1)(c) and 80P(1)(d) specify the types of bodies and persons to whom agencies and private-sector organisations can disclose personal information under Part VIA. In particular, Government departments and agencies may disclose personal information to:

  • other agencies
  • state or territory authorities
  • private sector organisations
  • any other entities likely to be involved in managing or assisting with the emergency or disaster, or
  • persons responsible for an individual (as defined in NPP 2.5 and including a parent, child or spouse).
  • Private-sector organisations and other persons may disclose personal information to:
  • government agencies
  • entities directly involved in providing repatriation services, including medical and humanitarian assistance services, to those involved in the emergency, or
  • persons or entities prescribed by the regulations or specified by the Minister by legislative instrument.

Disclosure to the media under Part VIA is prohibited (new paragraph 80H(2)(e)).(18)

New subsections 80P(2), (3), (4) and (5) are safeguard provisions clarifying that use or disclosure of personal information under new subsection 80P(1) will not result in a breach of other privacy and secrecy provisions (although designated secrecy provisions specified in new subsection 80P(7) are exempt).

Persons responsible for an individual

The OPC, in its submission to the Senate Committee inquiry, supported the concept of limiting the class of person to whom disclosures can be made to a person responsible for the individual involved in the emergency, noting that this reflects the current provisions in the National Privacy Principles (NPPs), specifically NPP 2.5.

However, the OPC suggested that, to further assist in ensuring that disclosures to individuals allowed by these changes are only for relevant purposes, the types of circumstances outlined in NPP 2.4 be used to limit the purposes for disclosure, for example for compassionate reasons, or to enable the provision of appropriate care or treatment.(19) The Senate Committee considered this recommendation unnecessary, arguing that the tightening of the definition of permitted purpose would appropriately limit the circumstances in which information is disclosed.(20)

Offence of unauthorised secondary disclosure

New section 80Q creates an offence for unauthorised secondary disclosures. A secondary disclosure occurs when a person to whom personal information has been disclosed under Part VIA subsequently discloses that information. The penalty applying to this offence is 60 penalty units or one year imprisonment, or both. The offence does not apply to a person responsible for the individual involved in the emergency or where information is disclosed in circumstances authorised under subclause 80Q(2). Permitted secondary disclosures are those:

  • made in accordance with the IPPs, the NPPs or an approved privacy code under the Privacy Act
  • permitted under new section 80P
  • made with the consent of the individual to whom the information relates
  • made to the person to whom the information relates
  • made to a court, or
  • prescribed by the regulations.

Schedule 2 Australian Security Intelligence Organisation Act 1979

Schedule 2 to the Bill makes a consequential amendment to subsection 18(3) of the Australian Security Intelligence Organisation Act 1979 to ensure that ASIO is not prevented from disclosing personal information when an emergency is declared under Part VIA.

Concluding comments

There appears to be bipartisan support for the idea that the Privacy Act must be flexible enough to deal with the free flow of information in times of large-scale emergencies. However, there is still debate about the most appropriate way of achieving balance between the desirability of having a flow of information and protecting the individual s right to privacy. The amendments to the Bill recommended by the Senate Committee and by the Office of the Privacy Commissioner, while only modest, are worth noting by the Parliament.(21) They may go some way to reassuring privacy advocates that an appropriate balance has indeed been achieved.

Endnotes

  1. Senator the Hon. N. Minchin, Second reading speech: Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006 , Senate, Debates, 13 September 2006, p. 1.
  2. Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, 2005, p. 236.
  3. ibid., p. 235.
  4. Sections 80A and 80B of the Privacy Act give the Privacy Commissioner the power to issue temporary public interest determinations in which she may determine that an act or practice shall be disregarded for the purposes of the Act where the act or practice might otherwise constitute a breach of the Act. The Privacy Commissioner may make a determination only if she is satisfied that the public interest in the agency or organisation doing the act outweighs to a substantial degree the public interest in adhering to the Act.
  5. Office of the Privacy Commissioner, op. cit., pp. 237 8.
  6. Senate Standing Committee on Legal and Constitutional Affairs, Privacy legislation Amendment (Emergencies and Disasters Bill 2006, October 2006, Additional comments and points of dissent by the Australian Democrats, paragraph 1.1.
  7. ibid., paragraph 1.3.
  8. Explanatory Memorandum, p. 2.
  9. ibid., paragraph 24.
  10. Office of the Privacy Commissioner, submission to the Senate Committee inquiry, p. 3, at:
    http://www.aph.gov.au/Senate/committee/legcon_ctte/privacy_emerg_disasters/submissions/sub10.pdfCivilContingencies Act 2004 (UK) Section 19: Meaning of emergency : (1) In this Part emergency means: an event or situation which threatens serious damage to human welfare in the United Kingdom or in a Part or region, [ ] (2) [ ] an event or situation threatens damage to human welfare only if it involves, causes or may cause: (a) loss of human life, (b) human illness or injury, (c) homelessness, (d) damage to property, (e) disruption of a supply of money, food, water, energy or fuel, (f) disruption of a system of communication, (g) disruption of facilities for transport, or (h) disruption of services relating to health.
  11. Senate Standing Committee on Legal and Constitutional Affairs, op. cit., paragraph 2.35.
  12. ibid., paragraph 2.26.
  13. ibid.
  14. ibid., paragraph 2.38 and Recommendation 2.
  15. ibid., paragraph 2.24.
  16. ibid.
  17. ibid., paragraphs 2.36 and 2.37.
  18. However, as the Explanatory Memorandum explains in paragraph 39, if any disclosures need to be made to the media, they should be made in accordance with the normal operation of the Privacy Act.
  19. Office of the Privacy Commissioner, Submission to the Senate Committee inquiry, p. 4.
    The NPPs are available at: http://www.privacy.gov.au/publications/npps01.html
  20. Senate Standing Committee on Legal and Constitutional Affairs, op cit., paragraph 2.37.
  21. As noted earlier, the Senate made amendments to the Bill on 17 October 2006 in line with the Senate Committee recommendations.

Contact Officer and Copyright Details

Mary Anne Neilsen
31 October 2006
Bills Digest Service
Parliamentary Library

This paper has been prepared to support the work of the Australian Parliament using information available at the time of production. The views expressed do not reflect an official position of the Parliamentary Library, nor do they constitute professional legal opinion.

Staff are available to discuss the paper's contents with Senators and Members and their staff but not with members of the public.

ISSN 1328-8091
© Commonwealth of Australia 2006

Except to the extent of the uses permitted under the Copyright Act 1968, no part of this publication may be reproduced or transmitted in any form or by any means, including information storage and retrieval systems, without the prior written consent of the Parliamentary Library, other than by members of the Australian Parliament in the course of their official duties.

Published by the Parliamentary Library, 2006.

Back to top


Facebook LinkedIn Twitter Add | Email Print
Back to top