CHAPTER 2 - Provisions of the Bill

Introduction

2.1        The Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006 (the Bill) seeks to amend the Privacy Act 1988 to establish a clear and certain legal basis for the management of the collection, use and disclosure of personal information about deceased, injured and missing individuals in an emergency or disaster, whether in Australia or overseas.

2.2        In particular, the Bill aims to address practical difficulties faced by agencies, the private sector and non-government organisations, which were highlighted during events such as the Asian tsunami in December 2004.

2.3        This chapter sets out the background to the Bill, outlines its provisions and deals with several issues that emerged during the inquiry.

Background to the Bill

2.4        The Privacy Act already has exemptions concerning the use and disclosure of personal information which allow agencies some flexibility in emergency or disaster situations. However, these have proven difficult to apply with confidence in crises involving mass casualties and missing persons because of uncertainty as to the extent of their application.  In its Review of the Private Sector Provisions of the Privacy Act 1988, the Office of the Privacy Commissioner considered the issue of balancing the flow of information and privacy considerations during times of large scale emergencies and noted that:

The scale and gravity of large scale emergencies have tested the application of the Privacy Act and raised questions as to how privacy protection should operate in such situations.  The Privacy Act received criticism in the media after the tsunami disaster for lacking commonsense and for being unable to anticipate and cope with the extent of the tsunami disaster.[1]

2.5        Similar concerns were raised during the Senate Legal and Constitutional References Committee's Inquiry into the Privacy Act 1988.[2] The committee received evidence from the Australian Red Cross and the Department of Foreign Affairs and Trade in relation to the impact on information-sharing between government and non-government agencies involved in response and recovery in emergency situations overseas. Both organisations identified privacy-related impediments which had affected each organisation's ability to provide assistance at a time when it was most needed.

2.6        The explanatory memorandum to the Bill states that the proposed amendments are intended to: place beyond doubt the capacity of the Australian Government and others to lawfully exchange personal information in an emergency or disaster situation; ensure that agencies make clear and timely decisions on information exchange; and enable agencies to apply the Privacy Act less restrictively and with greater confidence in regard to the personal information that may be disclosed.[3]

2.7        The explanatory memorandum and the second reading speech emphasise that Part VIA permits, but does not require, any agency or organisation to disclose personal information.  The decision to disclose personal information will remain at the discretion of the individual agency or organisation.[4] Similarly, the amendments do not displace individual agencies' and organisations' internal management processes for the collection, use and disclosure of information. The explanatory memorandum states that it is assumed that all disclosures will take place in conformity with the usual authorisations and other internal controls.[5]

Provisions of the Bill

2.8        Item 1 of Schedule 1 inserts a new Part VIA in the Act. Division 1 of Part VIA sets out the object of the part and defines key terms. Clause 80G defines a 'secrecy provision' as a provision of the law of the Commonwealth that prohibits or regulates the use or disclosure of personal information generally, or in specified circumstances.

2.9        Clause 80H defines 'permitted purpose' as 'a purpose that relates to the Commonwealth's response to an emergency or disaster in respect of which an emergency declaration is in force'. The clause includes a list of purposes as a guide, but the explanatory memorandum states that this list should not be interpreted to limit the generality of the definition of 'permitted purpose'.[6] Informing a person responsible for an individual involved in the emergency or disaster of matters relevant to the individual's involvement in the emergency or disaster is a 'permitted purpose'. A person 'responsible' includes a parent, child and spouse of the individual.

2.10      Division 2 of Part VIA provides for either the Prime Minister or the Attorney-General to make an emergency declaration, in relation to events in Australia (clause 80J) or overseas (clause 80K), subject to certain preconditions. A declaration must be in writing (clause 80L) and has effect from the time at which it is signed (clause 80M). Clause 80N provides for an emergency declaration to cease to have effect either at a date specified in the declaration or, if no date is specified, at the earlier of the date on which the declaration is revoked and 12 months after the declaration is made.

2.11      Division 3 of Part VIA sets out provisions dealing with the use and disclosure of personal information. Clause 80P provides for, and prescribes the circumstances in which, personal information relating to an individual may be collected, used or disclosed in the event of an emergency declaration. The collection, use or disclosure of personal information is permitted where there is a reasonable belief that the individual may be involved in the emergency or disaster. In addition, the collection, use or disclosure must be for a 'permitted purpose'. Paragraphs 80P(1)(c) and 80P(1)(d) place limits on the types of bodies to whom agencies and others may disclose personal information and paragraph 80P(1)(e) prohibits disclosure to the media under Part VIA.

2.12      Division 4 creates an offence for unauthorised secondary disclosures.  The offence does not apply to a person ‘responsible’[7] for the individual involved in the emergency or disaster. Secondary disclosures are authorised in certain circumstances prescribed in subclause 80Q(2).

2.13      Schedule 2 to the Bill makes a consequential amendment to subsection 18(3) of the Australian Security Intelligence Organisation Act 1979 to ensure that ASIO is not prevented from disclosing personal information when an emergency is declared under Part VIA.

Issues

2.14      The principal purpose of the Bill is to clarify the legal basis for the management of the collection, use and disclosure of personal information in an emergency or disaster. The key question considered by the committee is whether the Bill will achieve this.

2.15      In his second reading speech, the Attorney-General states that:

These amendments follow from extensive consultation with stakeholders, both within government and in the private and charitable sectors. All have agreed that the amendments are necessary to enable an effective response to emergencies or disasters.

2.16      The committee notes that most submissions to the inquiry expressed broad support for the proposed amendments. The Office of the Privacy Commissioner (OPC) stated:

This clarification will assist individuals directly affected by an emergency or disaster and will also assist government agencies and private sector organisations, where appropriate, to collect, use or disclose personal information to assist those individuals directly affected. This will allow the Australian government to provide an appropriate and timely response to the emergency or disaster. [8]

2.17       The committee considers that the Bill will achieve its broad objective.  The Bill appears to take account of concerns raised by agencies, the private sector and non-government agencies. However, the committee notes that some submissions raised concerns about the effect of specific clauses of the Bill and proposed technical modifications to clarify their application. These issues are discussed below.

Meaning of 'emergency' and 'disaster'

2.18      The words 'emergency' and 'disaster' are not defined in the Bill and therefore have their ordinary meaning.  The explanatory memorandum states that the reason for this is to ensure 'flexibility in the operation of the Bill, as the types and circumstances of emergency or disaster are too numerous to allow for sensible definition.'

2.19       In its submission, the OPC suggested that, notwithstanding the difficulty of defining all relevant emergency and disaster circumstances that might require the exchange of personal information, '[s]ome additional criteria as to what constitutes a disaster or emergency would assist the decision-making process and reinforce public confidence in relation to the collection, disclosure and use of personal information under such circumstances.'[9]  The OPC drew the committee's attention to the definition of these words in the Civil Contingencies Act 2004 (UK) and noted that while the set of criteria applied in that act may not be completely appropriate in the context of the Bill, it may assist in identifying relevant criteria that would be appropriate.

Scope of 'permitted purpose'

2.20      The Bill limits the operation of the provisions in Part VIA to collection, use and disclosure of personal information for a 'permitted purpose'. As noted earlier, a 'permitted purpose' is defined in clause 80H as 'a purpose that relates to the Commonwealth's response to an emergency or disaster in respect of which an emergency declaration is in force.'  The explanatory memorandum expands upon this definition by stating that a 'permitted purpose' is a purpose 'that has some temporal, physical or other connection to action taken by the Commonwealth in response to an emergency or disaster in which an emergency declaration under Part VIA is in force'.[10]  Subclause 80H(1) provides a list of purposes that may be construed as 'permitted purposes', but the explanatory memorandum states that this list is intended as a guide and should not be interpreted to limit the generality of the definition.

2.21       The committee received a number of submissions in relation to the intended scope of 'permitted purpose'. The Victorian Privacy Commissioner (VPC) stated that it is not clear in relation to clause 80H of the Bill whether law enforcement agencies' investigation of criminal offences thought to give rise to the emergency or disaster, or offences thought to be committed during it, is included within the meaning of 'permitted purpose'.[11]

2.22       The committee was advised by the Attorney-General's Department[12] (the Department) that the Bill deliberately confines collection, use and disclosure by an entity for a permitted purpose to prevent disclosure occurring for reasons that are too broad. However, paragraph 80H(2)(c) specifically permits the collection, use or disclosure of personal information if it assists with law enforcement in relation to the emergency or disaster.

2.23      The Department also advised that the Bill does not displace the usual operation of the Privacy Act. Under the Privacy Act, the Australian Federal Police may already disclose personal information where that disclosure is reasonably necessary for the enforcement of the criminal law.  Similarly, the Privacy Act already permits other agencies to disclose personal information to a law enforcement agency where that disclosure is reasonably necessary for the enforcement of the criminal law.

2.24      The NSW Council for Civil Liberties (NSWCCL)[13] and the OPC expressed concern at the apparent breadth of the definition of 'permitted purpose'. The NSWCCL proposed that it should be restricted to those purposes enumerated in subclause 80H(2) or, if necessary, purposes 'closely connected' to those enumerated in subclause 80H(2). Similarly, the OPC proposed that a permitted purpose should be defined as 'a purpose directly related to' the emergency or disaster.[14] The Department advised that the Government was reluctant to limit the scope of permitted purpose to the purposes listed in subclause 80H(2) as it would eliminate the flexibility to encompass necessary additional purposes not listed in subclause 80H(2).

Cessation of declaration of emergency

2.25      Clause 80N provides for an emergency declaration to cease to have effect at a time specified in the declaration, at the time at which the declaration is revoked, or at the end of 12 months from when the declaration is made. A number of submitters expressed concern about the length of time that a declaration might be in effect. The CrimTrac Agency (CrimTrac)[15] expressed the view that it is unlikely that an appropriate time frame for the conclusion of the declaration could be determined immediately following an emergency event or disaster occurring. CrimTrac noted that some disaster victim identification processes have continued beyond the 12 month period provided for in clause 80N and recommended that consideration be given to allow for the extension of the time frame of a declaration in situations where the identification process continues to rely upon the provision of identifying information.

2.26      The NSWCCL noted that the Bill does not impose a limit on the length of time that a declaration can be in effect and noted that under subclause 80N(a) a declaration could be made for a period of greater than 12 months. The NSWCCL expressed concern that privacy rights would be suspended for the duration of the declaration of emergency. The OPC also expressed concern that a declaration of emergency may have the effect of decreasing some existing privacy protections and that a default period of 12 months for a declaration may be disproportionate in some circumstances. The OPC recommended that 'consideration should be given to whether it should be mandatory for the declaration to be revoked when the need for it has come to an end or a shorter default period be specified with a provision to extend it where necessary.'[16]   In this context the committee notes the Department's assurance that '[t]he Bill does not displace the usual operation of the Privacy Act.'[17]

Scope of person 'responsible'

2.27      The OPC and the Australian Privacy Foundation (APF)[18] noted that under Part VIA the class of person to whom disclosures can be made is limited to a person 'responsible' as defined in NPP 2.5.  Both the OPC and the APF suggested that, to ensure that disclosures to individuals permitted by this Bill are only for relevant purposes, the types of circumstances outlined in NPP 2.4 should be used to limit the purposes for disclosure.

Data security

Designated secrecy provisions

2.28      The committee received submissions expressing concern that Part VIA would override secrecy provisions of some agencies[19] and about the wider effect of this. Some submitters expressed concern that the prospect of increased information sharing may reduce public confidence and result in a decreased willingness to provide information. In particular, the Australian Bureau of Statistics (ABS) proposed that sections 19 and 19A of the Census and Statistics Act 1905 be included in the list of designated secrecy provisions in subclause 80P(7) of the Bill. The ABS noted that these provisions could be listed as exempt in the regulations accompanying the Privacy Act, but was concerned at the potential for this to be viewed as a serious compromise of safeguards in relation to ABS data.

2.29      The Department advised the committee that:

The Bill lists as a 'designated secrecy provision' those secrecy provisions binding the Inspector-General of Intelligence and Security and the intelligence agencies.  This is because the IGIS and most intelligence agencies are completely exempt from the Privacy Act, and other intelligence agencies are partially exempt in relation to their intelligence collection and analysis activities.  Subclause 80R (2) of the Bill makes it clear that the Bill only enables disclosure but does not compel it.  Therefore the ABS would not be required in any way to disclose personal information under the Bill.  In this respect, the ABS is in the same position as other agencies which do not have a secrecy provision specified as a designated secrecy provision.

Disclosure of information

2.30      Clause 80Q creates an offence for unauthorised secondary disclosures. The explanatory memorandum states that '[a] secondary disclosure occurs when a person to whom personal information has been disclosed under Part VIA subsequently discloses that information.' The offence does not apply to a person 'responsible' (as defined in NPP 2.5) or where information is disclosed in circumstances authorised under subclause 80Q(2). These permitted disclosures include those made by an agency or organisation under an Information Privacy Principle, an approved privacy code or NPP, disclosures permitted under clause 80P, and disclosures made to, or with the consent of, the individual to whom the information relates.

2.31      The NSWCCL expressed concern that the Bill does not sufficiently prohibit derivative or ancillary use of information obtained under the provisions of clause 80P.  The NSWCCL recommends that information obtained for a permitted purpose should only be used for that 'permitted purpose' and should be destroyed within one month after a declaration ceases to have effect. [20]

2.32      The VPC also expressed concern about provisions for the disposal of data handled pursuant to Part VIA upon cessation of a declaration. The committee notes that NPP 4.2 requires an organisation to take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose provided for under NPP 2. The VPC expressed concern that the current disclosure principle in NPP 2 is tailored for business activities and is consequentially broad.  The VPC suggests that consideration should be given to having purpose-built retention and disposal provisions for data collected under the scheme. [21]

2.33      The NSWCCL expressed similar concerns that the offence provision in clause 80Q does not appear to prevent the use of information by the same entity but for an unrelated purpose. The NSWCCL recommended that:

A provision should be inserted providing that information obtained for a 'permitted purpose' can only be used for that 'permitted purpose'. Information obtained for a 'permitted purpose' should also be destroyed within one month after a declaration ceases to have effect, unless the individual concerned consents to its retention. A failure to include such restrictions raises the risk that an organisation may capitalise on an emergency situation to accumulate information not otherwise available to it.

Committee view

2.34      The committee concurs with the purposes of the bill and considers that the provisions of the bill will successfully provide a clear legal basis for the collection, use and disclosure of personal information in emergency or disaster situations.

2.35      The committee notes the concerns in relation to the use of the ordinary meaning of 'emergency' or 'disaster'. However, the committee accepts that defining these terms would risk excluding unforeseen events which should properly be the subject of a declaration under the Bill.

2.36       Similarly the committee considers that seeking to limit the meaning of 'permitted purpose' to the purposes listed in subclause 80H(2) would risk excluding collection, use or disclosure for legitimate purposes related to an emergency or disaster.  Nevertheless, the committee considers that the current definition of 'permitted purpose' is unnecessarily broad.  The committee recommends that the definition of 'permitted purpose' in subclause 80H (1) should require that the purpose 'directly' relate to the Commonwealth's response to any emergency or disaster.

2.37      The committee notes the suggestion of OPC and APF that the types of circumstances outlined in NPP 2.4 should be used to limit the purposes for which disclosure to individuals is permitted by the Bill.  However, the committee considers that the tightening of the definition of 'permitted purpose' would appropriately limit the circumstances in which information is disclosed.

2.38      The committee notes the conflicting evidence provided in relation to the cessation of declarations. While the committee notes the difficulty of determining the appropriate duration of a declaration at the time of the declaration, and the often protracted nature of disaster identification and investigation processes, the committee agrees that the period of time for which normal operation of the Privacy Act is suspended should be limited and that a maximum duration for declarations of emergency should be specified in the Bill.

2.39      The committee notes the concerns of the ABS in relation to secrecy provisions under the Census and Statistics Act 1905.  However, the committee accepts the advice of the Attorney-General's Department that the provisions are intended to permit and not compel persons, agencies and organisations to disclose information.  The committee considers that this provides sufficient flexibility for agencies such as the ABS to balance considerations regarding disclosure of information in the event of an emergency against the need to preserve the confidentiality of data.

Recommendation 1

2.40      The committee recommends that subclause 80H(1) be amended to limit 'permitted purpose' to a purpose that 'directly' relates to the Commonwealth's response to any emergency or disaster.

Recommendation 2

2.41      The committee recommends that a maximum period of 12 months should apply to a declaration of emergency under clause 80J and clause 80K.

Recommendation 3

2.42      Subject to the preceding recommendations, the committee recommends that the Senate pass the Bill.

 

Senator Marise Payne

Committee Chair

 
