CHAPTER 2 - Provisions of the Bill
Introduction
2.1
The Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006
(the Bill) seeks to amend the Privacy Act 1988 to establish a clear and certain
legal basis for the management of the collection, use and disclosure of
personal information about deceased, injured and missing individuals in an
emergency or disaster, whether in Australia or overseas.
2.2
In particular, the Bill aims to address practical difficulties faced by
agencies, the private sector and non-government organisations, which were
highlighted during events such as the Asian tsunami in December 2004.
2.3
This chapter sets out the background to the Bill, outlines its
provisions and deals with several issues that emerged during the inquiry.
Background to the Bill
2.4
The Privacy Act already has exemptions concerning the use and disclosure
of personal information which allow agencies some flexibility in emergency or
disaster situations. However, these have proven difficult to apply with
confidence in crises involving mass casualties and missing persons because of
uncertainty as to the extent of their application. In its Review of the
Private Sector Provisions of the Privacy Act 1988, the Office of the Privacy
Commissioner considered the issue of balancing the flow of information and
privacy considerations during times of large scale emergencies and noted that:
The scale and gravity of large scale emergencies have tested the
application of the Privacy Act and raised questions as to how privacy
protection should operate in such situations. The Privacy Act received
criticism in the media after the tsunami disaster for lacking commonsense and
for being unable to anticipate and cope with the extent of the tsunami
disaster.[1]
2.5
Similar concerns were raised during the Senate Legal and Constitutional References
Committee's Inquiry into the Privacy Act 1988.[2]
The committee received evidence from the Australian Red Cross and the
Department of Foreign Affairs and Trade in relation to the impact on
information-sharing between government and non-government agencies involved in
response and recovery in emergency situations overseas. Both organisations
identified privacy-related impediments which had affected each organisation's ability
to provide assistance at a time when it was most needed.
2.6
The explanatory memorandum to the Bill states that the proposed
amendments are intended to: place beyond doubt the capacity of the Australian
Government and others to lawfully exchange personal information in an emergency
or disaster situation; ensure that agencies make clear and timely decisions on
information exchange; and enable agencies to apply the Privacy Act less
restrictively and with greater confidence in regard to the personal information
that may be disclosed.[3]
2.7
The explanatory memorandum and the second reading speech emphasise that
Part VIA permits, but does not require, any agency or organisation to disclose
personal information. The decision to disclose personal information will
remain at the discretion of the individual agency or organisation.[4]
Similarly, the amendments do not displace individual agencies' and
organisations' internal management processes for the collection, use and
disclosure of information. The explanatory memorandum states that it is assumed
that all disclosures will take place in conformity with the usual
authorisations and other internal controls.[5]
Provisions of the Bill
2.8
Item 1 of Schedule 1 inserts a new Part VIA in the Act. Division 1 of
Part VIA sets out the object of the part and defines key terms. Clause 80G
defines a 'secrecy provision' as a provision of the law of the Commonwealth
that prohibits or regulates the use or disclosure of personal information
generally, or in specified circumstances.
2.9
Clause 80H defines 'permitted purpose' as 'a purpose that relates
to the Commonwealth's response to an emergency or disaster in respect of which
an emergency declaration is in force'. The clause includes a list of purposes
as a guide, but the explanatory memorandum states that this list should not be
interpreted to limit the generality of the definition of 'permitted purpose'.[6]
Informing a person responsible for an individual involved in the emergency or
disaster of matters relevant to the individual's involvement in the emergency
or disaster is a 'permitted purpose'. A person 'responsible' includes a parent,
child and spouse of the individual.
2.10
Division 2 of Part VIA provides for either the Prime Minister or the
Attorney-General to make an emergency declaration, in relation to events in Australia
(clause 80J) or overseas (clause 80K), subject to certain preconditions. A
declaration must be in writing (clause 80L) and has effect from the time at
which it is signed (clause 80M). Clause 80N provides for an emergency
declaration to cease to have effect either at a date specified in the
declaration or, if no date is specified, at the earlier of the date on which
the declaration is revoked or 12 months after the declaration is made.
2.11
Division 3 of Part VIA sets out provisions dealing with the use and
disclosure of personal information. Clause 80P provides for, and prescribes the
circumstances in which, personal information relating to an individual may be
collected, used or disclosed in the event of an emergency declaration. The collection,
use or disclosure of personal information is permitted where there is a
reasonable belief that the individual may be involved in the emergency or
disaster. In addition, the collection, use or disclosure must be for a 'permitted
purpose'. Paragraphs 80P(1)(c) and 80P(1)(d) place limits on the types of
bodies to whom agencies and others may disclose personal information and
paragraph 80P(1)(e) prohibits disclosure to the media under Part VIA.
2.12
Division 4 creates an offence for unauthorised secondary disclosures.
The offence does not apply to a person ‘responsible’[7]
for the individual involved in the emergency or disaster. Secondary disclosures
are authorised in certain circumstances prescribed in subclause 80Q(2).
2.13
Schedule 2 to the Bill makes a consequential amendment to subsection
18(3) of the Australian Security Intelligence Organisation Act 1979 to
ensure that ASIO is not prevented from disclosing personal information when an
emergency is declared under Part VIA.
Issues
2.14
The principal purpose of the Bill is to clarify the legal basis for the management
of the collection, use and disclosure of personal information in an emergency
or disaster. The key question considered by the committee is whether the Bill
will achieve this.
2.15
In his second reading speech, the Attorney-General states that:
These amendments follow from extensive consultation with
stakeholders, both within government and in the private and charitable
sectors. All have agreed that the amendments are necessary to enable an
effective response to emergencies or disasters.
2.16
The committee notes that most submissions to the inquiry expressed broad
support for the proposed amendments. The Office of the Privacy Commissioner
(OPC) stated:
This clarification will assist individuals directly affected by
an emergency or disaster and will also assist government agencies and private
sector organisations, where appropriate, to collect, use or disclose personal
information to assist those individuals directly affected. This will allow the
Australian government to provide an appropriate and timely response to the
emergency or disaster.[8]
2.17
The committee considers that the Bill will achieve its broad objective.
The Bill appears to take account of concerns raised by agencies, the private
sector and non-government agencies. However, the committee notes that some submissions
raised concerns about the effect of specific clauses of the Bill and proposed
technical modifications to clarify their application. These issues are
discussed below.
Meaning of 'emergency' and 'disaster'
2.18
The words 'emergency' and 'disaster' are not defined in the Bill and
therefore have their ordinary meaning. The explanatory memorandum states that
the reason for this is to ensure 'flexibility in the operation of the Bill, as
the types and circumstances of emergency or disaster are too numerous to allow
for sensible definition.'
2.19
In its submission, the OPC suggested that, notwithstanding the difficulty
of defining all relevant emergency and disaster circumstances that might
require the exchange of personal information, '[s]ome additional criteria as to
what constitutes a disaster or emergency would assist the decision-making
process and reinforce public confidence in relation to the collection,
disclosure and use of personal information under such circumstances.'[9]
The OPC drew the committee's attention to the definition of these words in the Civil
Contingencies Act 2004 (UK) and noted that while the set of criteria
applied in that act may not be completely appropriate in the context of the
Bill, it may assist in identifying relevant criteria that would be appropriate.
Scope of 'permitted purpose'
2.20
The Bill limits the operation of the provisions in Part VIA to collection,
use and disclosure of personal information for a 'permitted purpose'. As noted
earlier, a 'permitted purpose' is defined in clause 80H as 'a purpose that
relates to the Commonwealth's response to an emergency or disaster in respect
of which an emergency declaration is in force.' The explanatory memorandum
expands upon this definition by stating that a 'permitted purpose' is a purpose
'that has some temporal, physical or other connection to action taken by the
Commonwealth in response to an emergency or disaster in which an emergency
declaration under Part VIA is in force'.[10]
Subclause 80H(1) provides a list of purposes that may be construed as
'permitted purposes', but the explanatory memorandum states that this list is
intended as a guide and should not be interpreted to limit the generality of
the definition.
2.21
The committee received a number of submissions in relation to the
intended scope of 'permitted purpose'. The Victorian Privacy Commissioner (VPC)
stated that it is not clear in relation to clause 80H of the Bill whether law
enforcement agencies' investigation of criminal offences thought to give rise
to the emergency or disaster, or offences thought to be committed during it, is
included within the meaning of 'permitted purpose'.[11]
2.22
The committee was advised by the Attorney-General's Department[12]
(the Department) that the Bill deliberately confines collection, use and disclosure
by an entity for a permitted purpose to prevent disclosure occurring for
reasons that are too broad. However, paragraph 80H(2)(c) specifically permits
the collection, use or disclosure of personal information if it assists with
law enforcement in relation to the emergency or disaster.
2.23
The Department also advised that the Bill does not displace the usual
operation of the Privacy Act. Under the Privacy Act, the Australian Federal
Police may already disclose personal information where that disclosure is
reasonably necessary for the enforcement of the criminal law. Similarly, the Privacy
Act already permits other agencies to disclose personal information to a law
enforcement agency where that disclosure is reasonably necessary for the
enforcement of the criminal law.
2.24
The NSW Council for Civil Liberties (NSWCCL)[13]
and the OPC expressed concern at the apparent breadth of the definition of 'permitted
purpose'. The NSWCCL proposed that it should be restricted to those purposes
enumerated in subclause 80H(2) or, if necessary, purposes 'closely connected'
to those enumerated in subclause 80H(2). Similarly, the OPC proposed that a
permitted purpose should be defined as 'a purpose directly related to' the
emergency or disaster.[14]
The Department advised that the Government was reluctant to limit the scope of
permitted purpose to the purposes listed in subclause 80H(2) as it would
eliminate the flexibility to encompass necessary additional purposes not listed
in subclause 80H(2).
Cessation of declaration of emergency
2.25
Clause 80N provides for an emergency declaration to cease to have effect
at a time specified in the declaration, at the time at which the declaration is
revoked, or at the end of 12 months from when the declaration is made. A number
of submitters expressed concern about the length of time that a declaration
might be in effect. The CrimTrac Agency (CrimTrac)[15]
expressed the view that it is unlikely that an appropriate time frame for the
conclusion of the declaration could be determined immediately following an emergency
event or disaster occurring. CrimTrac noted that some disaster victim
identification processes have continued beyond the 12 month period provided for
in clause 80N and recommended that consideration be given to allow for the
extension of the time frame of a declaration in situations where the
identification process continues to rely upon the provision of identifying
information.
2.26
The NSWCCL noted that the Bill does not impose a limit on the length of
time that a declaration can be in effect and noted that under subclause 80N(a)
a declaration could be made for a period of greater than 12 months. The NSWCCL
expressed concern that privacy rights would be suspended for the duration of
the declaration of emergency. The OPC also expressed concern that a declaration
of emergency may have the effect of decreasing some existing privacy
protections and that a default period of 12 months for a declaration may be
disproportionate in some circumstances. The OPC recommended that 'consideration
should be given to whether it should be mandatory for the declaration to be
revoked when the need for it has come to an end or a shorter default period be
specified with a provision to extend it where necessary.'[16]
In this context the committee notes the Department's assurance that '[t]he Bill
does not displace the usual operation of the Privacy Act.'[17]
Scope of person 'responsible'
2.27
The OPC and the Australian Privacy Foundation (APF)[18]
noted that under Part VIA the class of person to whom disclosures can be made
is limited to a person 'responsible' as defined in NPP 2.5. Both the OPC and
the APF suggested that, to ensure that disclosures to individuals permitted by
this Bill are only for relevant purposes, the types of circumstances outlined
in NPP 2.4 should be used to limit the purposes for disclosure.
Data security
Designated secrecy provisions
2.28
The committee received submissions expressing concern that Part VIA
would override secrecy provisions of some agencies[19]
and the wider effect of this. Some submitters expressed concern that the
prospect of increased information sharing may reduce public confidence and
result in a decreased willingness to provide information. In particular, the
Australian Bureau of Statistics (ABS) proposed that sections 19 and 19A of the Census
and Statistics Act 1905 be included in the list of designated secrecy
provisions in subclause 80P(7) of the Bill. The ABS noted that these provisions
could be listed as exempt in the regulations accompanying the Privacy Act, but
was concerned at the potential for this to be viewed as a serious compromise of
safeguards in relation to ABS data.
2.29
The Department advised the committee that:
The Bill lists as a 'designated secrecy provision' those secrecy
provisions binding the Inspector-General of Intelligence and Security and the
intelligence agencies. This is because the IGIS and most intelligence agencies
are completely exempt from the Privacy Act, and other intelligence agencies are
partially exempt in relation to their intelligence collection and analysis
activities. Subclause 80R(2) of the Bill makes it clear that the Bill only
enables disclosure but does not compel it. Therefore the ABS would not be
required in any way to disclose personal information under the Bill. In this
respect, the ABS is in the same position as other agencies which do not have a
secrecy provision specified as a designated secrecy provision.
Disclosure of information
2.30
Clause 80Q creates an offence for unauthorised secondary disclosures.
The explanatory memorandum states that '[a] secondary disclosure occurs when a
person to whom personal information has been disclosed under Part
VIA subsequently discloses that information.' The offence does not apply to a
person 'responsible' (as defined in NPP 2.5) or where information is disclosed
in circumstances authorised under subclause 80Q(2). These permitted
disclosures include those made by an agency or organisation under an
Information Privacy Principle, an approved privacy code or NPP, disclosures
permitted under clause 80P, and disclosures made to, or with the consent of,
the individual to whom the information relates.
2.31
The NSWCCL expressed concern that the Bill does not sufficiently
prohibit derivative or ancillary use of information obtained under the
provisions of clause 80P. The NSWCCL recommends that information obtained for
a permitted purpose should only be used for that 'permitted purpose' and should
be destroyed within one month after a declaration ceases to have effect.[20]
2.32
The VPC also expressed concern about provisions for the disposal of data
handled pursuant to Part VIA upon cessation of a declaration. The committee
notes that NPP 4.2 requires an organisation to take reasonable steps to destroy
or permanently de-identify personal information if it is no longer needed for
any purpose provided for under NPP 2. The VPC expressed concern that the
current disclosure principle in NPP 2 is tailored for business activities and
is consequentially broad. The VPC suggests that consideration should be given
to having purpose-built retention and disposal provisions for data collected
under the scheme.[21]
2.33
The NSWCCL expressed similar concerns that the offence provision in
clause 80Q does not appear to prevent the use of information by the same entity
but for an unrelated purpose. The NSWCCL recommended that:
A provision should be inserted providing that information
obtained for a 'permitted purpose' can only be used for that 'permitted
purpose'. Information obtained for a 'permitted purpose' should also be
destroyed within one month after a declaration ceases to have effect, unless
the individual concerned consents to its retention. A failure to include such
restrictions raises the risk that an organisation may capitalise on an
emergency situation to accumulate information not otherwise available to it.
Committee view
2.34
The committee concurs with the purposes of the bill and considers that
the provisions of the bill will successfully provide a clear legal basis for
the collection, use and disclosure of personal information in emergency or
disaster situations.
2.35
The committee notes the concerns in relation to the use of the ordinary
meaning of 'emergency' or 'disaster'. However, the committee accepts that
defining these terms would risk excluding unforeseen events which should
properly be the subject of a declaration under the Bill.
2.36
Similarly, the committee considers that seeking to limit the meaning of
'permitted purpose' to the purposes listed in subclause 80H(2) would risk
excluding collection, use or disclosure for legitimate purposes related to an
emergency or disaster. Nevertheless, the committee considers that the current
definition of 'permitted purpose' is unnecessarily broad. The committee
recommends that the definition of 'permitted purpose' in subclause 80H(1) should
require that the purpose 'directly' relate to the Commonwealth's response to
any emergency or disaster.
2.37
The committee notes the suggestion of the OPC and the APF that the types of
circumstances outlined in NPP 2.4 should be used to limit the purposes for
which disclosure to individuals is permitted by the Bill. However, the
committee considers that the tightening of the definition of 'permitted
purpose' would appropriately limit the circumstances in which information is
disclosed.
2.38
The committee notes the conflicting evidence provided in relation to the
cessation of declarations. While the committee notes the difficulty of
determining the appropriate duration of a declaration at the time of the
declaration, and the often protracted nature of disaster identification and
investigation processes, the committee agrees that the period of time for which
normal operation of the Privacy Act is suspended should be limited and that a
maximum duration for declarations of emergency should be specified in the Bill.
2.39
The committee notes the concerns of the ABS in relation to secrecy
provisions under the Census and Statistics Act 1905. However, the
committee accepts the advice of the Attorney-General's Department that the
provisions are intended to permit and not compel persons, agencies and
organisations to disclose information. The committee considers that this
provides sufficient flexibility for agencies such as the ABS to balance
considerations regarding disclosure of information in the event of an emergency
against the need to preserve the confidentiality of data.
Recommendation 1
2.40
The committee recommends that subclause 80H(1) be amended to limit
'permitted purpose' to a purpose that 'directly' relates to the Commonwealth's
response to any emergency or disaster.
Recommendation 2
2.41
The committee recommends that a maximum period of 12 months should apply
to a declaration of emergency under clause 80J and clause 80K.
Recommendation 3
2.42
Subject to the preceding recommendations, the committee recommends that
the Senate pass the Bill.
Senator Marise Payne
Committee Chair