The Boxing Day tsunami in 2004 gave rise to a raft of privacy-related practical problems concerning the disclosure of personal information about individuals caught up in the tragedy. Existing Privacy Act provisions restricted the ability of government agencies and companies to provide the large-scale, timely response necessary for dealing with mass casualties and missing persons.
The Privacy Legislation Amendment (Emergencies and Disasters) Bill (the Bill) aims to deal with disaster and emergency situations like the tsunami and the Bali bombing. The Bill inserts a new part into the Privacy Act in an attempt to establish a clear and certain legal basis for the collection, use and disclosure of personal information about deceased, injured or missing individuals caught up in a disaster in Australia or overseas.
The Bill enables the collection, use and disclosure of information by entities only where it will:
- provide people closely connected to an individual caught up in emergency with information about their welfare
- help identify individuals
- otherwise contribute to the response, or
- assist individuals and law enforcement.
The Bill only applies to information about Australian citizens or Australian residents.
What will the Bill do?
In the case of a disaster or emergency, a business might receive a request from a government agency for personal information relating to clients, customers or staff. An airline company, for example, could be asked for the names of passengers who have recently flown into a disaster affected area, or a dentist might be asked to provide dental records for particular patients.
Powers under the Bill will be triggered by a declaration made under the Privacy Act by either the Prime Minister or Attorney General that an emergency or disaster has occurred in Australia or overseas. The declaration can last for up to 12 months.
Information can only be disclosed to government agencies; entities involved in providing disaster and emergency related services; or a person or entity specified in the Regulations or by the Minister. Personal information cannot be disclosed to the media. If it is necessary to involve the media for a speedy and effective response it must be done in accordance with the normal operation of Privacy Act.
Even if all the requirements outlined above have been satisfied, there is still a discretion about whether to comply with a request for personal information concerning individuals.
Who in a business can disclose the information?
Whereas officers or employees of agencies must be authorised by the agency to collect, use or disclose information (under s80P(2)(6)), there is no equivalent provision for organisations. Businesses may therefore wish to consider who the most appropriate officer in the company would be to assume the duties of collecting and disclosing information should it be necessary in a time of emergency or disaster. A short document setting out the duties and obligations of the officer may be useful to inform staff generally, and could speed up the company's response time in case of an emergency.
Are businesses still bound by NPPs if a declaration under this Bill has been made?
Section 80P(2)(5) of the Bill provides that organisations do not breach an approved privacy code (if they have one) or a National Privacy Principle (NPP) in respect of valid collection, use or disclosure of personal information under the Bill. This guarantee is necessary to ensure the effective functioning of the Bill, but it is not without some potential pitfalls, for example, in regard to transborder disclosure of information. NPP 9 limits the circumstances in which organisations can transfer personal information to someone in a foreign country, so as to ensure personal information about Australian citizens or residents is dealt with to the same standards overseas as it is in Australia. However, in a situation like the Boxing Day tsunami, the new legislation would enable personal information to be disclosed to foreign entities, with very little control over how this information is used in the future.
Businesses should consider establishing protocols for dealing with requests for personal information concerning clients or staff should an emergency or disaster occur that affects them.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
We operate a free-to-view policy, asking only that you register in order to read all of our content. Please login or register to view the rest of this article.