Additional comments and points of Dissent by the Australian Democrats
1.1
While we understand that
government agencies and non-government organisations need to use personal
information in times of disaster relief, we believe that this need can be
accommodated by minor legislative amendment to the current framework for these
limited circumstances, without the necessity to invoke such far reaching
changes to our current privacy regime as are envisaged by this bill.
1.2
Among the aims of the bill stated
in the Explanatory Memorandum is that it will ensure that agencies make clear
and timely decisions on information exchange in order to deliver necessary
services to victims.[1] Recent and particularly large scale disasters such as
the Bali bombing and Boxing Day tsunami have highlighted the anguish and
distress of victims of these disasters and their loved ones back home, in
trying to locate individuals who may be affected, and to access assistance from
organisations involved in disaster relief. Indeed, there are already
provisions (contained in Information Privacy Principle 10.1 and 11.1 and
National Privacy Principle 2.1) that permit the use of personal information to
assist in situations like these.
1.3
However the breadth and size of
those international disasters has caused criticism to be directed towards the
Privacy Act 1988 as inhibiting the location and assistance of individuals. The
Democrats believe the current legislation can be modified to facilitate this
assistance, while still leaving the current privacy architecture in place.
This bill however, would permit the Minister or Prime Minister to completely
dismantle the system and processes of protections we currently enjoy at the
stroke of a pen. It would allow information to be disclosed to, and by, a far greater
range of organisations and individuals, for a far greater range of situations,
and for far longer than most Australians would consider reasonable. The
Democrats share the concerns expressed by the Australian Privacy Foundation in
its submission, and draw attention to the following specific concerns.
The circumstances in which an emergency can be declared are unnecessarily
broad and may include so-called ‘emergencies’ far different from the Bali bombing
or Boxing Day tsunami type of emergency most Australians would imagine.
1.4
In declaring a situation of
emergency, the bill envisages that:
- an emergency has occurred – subclause 80J(a), and
- is considered to be of “national
significance” – subclause 80J(c), and
- has affected at least one
person – subclause 80J(d).
1.5
The definition of “national
significance” in paragraph 80J(c)) is extremely broad, and may relate to the
“nature” or “extent” of the situation. Assuming the “extent” refers in some
way to size, no indication is given as to what threshold test (eg. affecting
how many people, or costing how much money) constitutes sufficient “extent” to
be considered significant. The “nature” (paragraph 80J(c)) of the situation is
left completely open to interpretation, and may permit a wide range of vaguely
problematic situations to be deemed by the Minister or Prime Minister, as of a
type “appropriate” (paragraph 80J(b)) for declaration. Paragraph 80J(c)
explicitly allows for “indirect” effects of an emergency to be considered by
the Minister to be of “national significance”. The Democrats are concerned
that in these circumstances, it will be possible for an emergency to be
declared and privacy protections dispensed with, in situations not contemplated
or able to be questioned by Parliament.
1.6
While this may give flexibility to
the Minister or Prime Minister to declare an emergency in unforeseen events,
the Democrats believe when Australians contemplate the Bali bombing and Boxing
Day tsunami situation, they have a particular and limited set of circumstances
in mind, in which privacy protection might reasonably be reduced. We therefore
do not believe that such a emergency cannot be accommodated by legislative
amendment within the current legislative framework. We agree with the Office
of the Federal Privacy Commission and the Australian Privacy Foundation, that
deeming of “National Emergency” should be determined by the Minister to be an
‘incident’ under section 23YUF of the Crimes Act 1914.
The capacity for “entities” to determine the circumstances in which
information can be disclosed is inappropriate.
1.7
The current National Privacy
Principles permit the disclosure and use of personal information in particular
health, life and safety situations, but places limits on the circumstances and
people to whom this information can be disclosed. The proposed bill contain
none of these safeguards.
1.8
According to this bill, when the
proposed “emergency declaration” is in force, an entity (being a person, agency
or organisation) may collect, use or disclose personal information relating to
an individual, where:
- the entity “reasonably believes” the individual MAY be involved in the emergency; and
- it is for a “permitted purpose.”
1.9
Government agencies are authorised
by subclause 80P to disclose personal information, (with no definitional limit
to the type of information) to a wide range of people and entities, and may
include any person that “is likely to be” involved in “assisting” (paragraph 80P(1)(c))
in the emergency. There is no guide as to what type or level of “assisting” a
person or organisation needs to be undertaking, nor any indication as to how a
government agency officer might determine if the person or agency “is likely to
be” involved in assisting, before disclosure to the person is lawful.
1.10
The bill purports to limit the
collection, use and disclosure of information, to situations of “permitted
purpose” (clause 80H), the principal purpose being any action that forms part
of the “Commonwealth’s response” (subclause 80H(1)) to the emergency. What follows
in subclause 80H(2) is an inclusive list of examples of purposes, including
assisting with law enforcement (paragraph 80H(2)(c)) that can be considered
part of the response.
1.11
The Democrats agree with the
Committee’s view that the current definition of “permitted purpose” is
unnecessarily broad. We are, in addition particularly concerned that a
“declaration” may be made in relation to domestic matters not related to a
natural disaster or international terrorist situation, and that having overridden
the normal privacy protections, individuals may unfairly be subject to
infringement of their right to privacy under the rubric of “assisting with law
enforcement”, where this purpose is only indirectly related to the
“emergency”. Moreover, the bill contains none of the protections on
dissemination of disclosed information contained in the current legislation,
but permits an agency or organisation to determine whether it is appropriate to
divulge personal information in the circumstances.
1.12
The findings by the Australian Law
Reform Commission in its Issue Paper 31: Review of Privacy indicate
Australians continue to be concerned about the handling of their personal
details by government and private companies. The Democrats consider that the
current bill gives too broad a discretion for “entities” to determine when an
individual’s personal information may be disclosed and for the net to be cast
too wide in allowing entities with an “indirect” connection to the emergency,
to access or disclose information.
1.13
In evidence to the Senate Legal
and Constitutional References Committee, Mr Greg Heesom of the
Australian Red Cross suggested that a solution could include a Public Interest
Determination exemption by the Privacy Commissioner, or an amendment to the
Information Privacy Principle 11 to provide a specific limited exemption for
emergency disaster situations.[2]
We also note that the submission by the Officer of the Federal Privacy
Commissioner refers to the definitions of “emergency” and “disaster” contained
in the Civil Contingencies Act 2004 (UK) as assisting to identify relevant criteria upon
which an emergency of disaster may be declared. The Democrats support the
limiting of circumstances in which an “emergency” may be declared, where the
outcome of such declaration is removing of privacy protections for individuals,
and the limiting of entities permitted to use information to those having only
a “direct” connection to the emergency.
1.14
The bill proposes that the
“emergency declaration” continue to be in force for one year (clause 80N)
unless it is declared to end earlier. The Democrats agree with the Committee’s
view that the period of time for which normal operation of the Privacy Act is
suspended should be limited to a specified time, but consider that 12 months is
too long.
Even if it was felt necessary to allow a greater sharing of information
between agencies to address the concerns outlined by the Australian Red Cross
in its submission, there are other ways in which the sharing of information can
be facilitated, without resorting to such major changes as the bill proposes.
1.15
The Explanatory Memorandum asserts
this bill will assist in clarifying the provisions relating to disclosure of
personal information during emergencies.[3]
Far from clarifying the situations in which personal information can be
disclosed and the types of people, organisations and other bodies that can
receive or disclose information, this bill adds a level of legislative
ambiguity and uncertainty to the foundation of privacy protections, that may
erode Australians' confidence that their personal information will be protected
in all but the most dire of circumstances, and thereby undermine the integrity
of out current system of privacy protection.
1.16
We note the Committee reference to
the Privacy Commissioner’s findings in its report Getting in on the Act: The
Review of the Private Sector Provisions of the Privacy Act 1988 that
following the tsunami disaster, the Privacy Act received criticism in the media
for being “unable to anticipate and cope” with the extent of the tsunami
disaster.[4]
Certainly, the extent of the tsunami was on a scale previously unimagined, and
not contemplated during the original drafting of the Privacy Act. However, the
rarity and unusual severity of that event and its consequences cannot be
justification for completely re-writing the privacy regime which has until such
recent disasters, served the Australian public reasonably well. Even in times
of disaster, there must be a balancing of the rights of an individual to
privacy in their activities and movements, as against the need to obtain
otherwise confidential information in relation to an individual. This is
acknowledged by the Senate Legal and Constitutional References Committee in The
Real Big Brother: Inquiry the Privacy Act 1988 [5]
and the Privacy Commissioner in her recommendations in relation to large scale
emergencies.[6]
1.17
Both the Office of the Federal
Privacy Commissioner and the Australian Privacy Foundation have highlighted the
fact that the current legislation allows for the disclosure of information
where there is a serious and imminent threat to the life or health of
individuals, and both have proposed changes in the current legislation that
would go a long way towards alleviating the problems experienced by the ARC in
assisting individuals in the recent disasters, while limiting the purpose for
which disclosure is permitted.[7]
The Democrats support the proposals of the Office of the Federal Privacy
Commission and Australian Privacy Foundation as providing a better balance
between the privacy rights of individuals and the expectations of Australians
during times of disaster.
Senator Andrew Bartlett Senator
Natasha Stott Despoja
Australian Democrats
Navigation: Previous Page | Contents | Next Page