House debates

Tuesday, 28 November 2006

Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006

Second Reading

4:52 pm

Photo of Nicola RoxonNicola Roxon (Gellibrand, Australian Labor Party, Shadow Attorney-General) Share this | Hansard source

I rise today to speak on the Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006. Privacy protection is one of the most important issues of our time. Labor considers that society’s need to respond efficiently and effectively to emergencies and disasters must at all times be balanced against the protection of individuals’ personal information. The bill inserts a new part VIA into the Privacy Act to enhance information exchange in an emergency or disaster situation. The new part permits but does not compel the collection, use and disclosure of personal information about deceased, injured and missing individuals involved in an emergency or disaster, whether in Australia or overseas, between Australian government agencies, state and territory authorities, private sector organisations, non-government organisations and others.

Part VIA is triggered by a declaration of an emergency by either the Prime Minister or the Attorney-General, in consultation with the Minister for Foreign Affairs for overseas situations, and provides for the use and disclosure of personal information related to the Commonwealth’s response to an emergency or disaster situation. Schedule 2 of the bill makes consequential amendments to the Australian Security Intelligence Organisation Act 1979. The need for these measures to address the practical issues faced by government agencies, the private sector and non-government organisations in times of emergency or in disaster situations was highlighted, sadly, during recent experiences including September 11, the Bali bombings, the 2004 Asian tsunami and the evacuation of Australians recently out of Lebanon.

Schedule 3 of the Privacy Act contains provisions in National Privacy Principle 2 which allow for the disclosure of personal information in times of emergency and disaster. The structure of the act is such that it is expected that these provisions will be applied on a case-by-case basis after careful analysis of the circumstances. These recent experiences that we have had, the recent emergencies and disasters, have highlighted the difficulty of applying these provisions with confidence during large-scale emergencies.

In its review of the private sector provisions of the Privacy Act, the Office of the Privacy Commissioner considered the issue of balancing the flow of information and privacy considerations during times of large-scale emergencies and noted:

The scale and gravity of large scale emergencies have tested the application of the Privacy Act and raised questions as to how privacy protection should operate in such situations. The Privacy Act received criticism in the media after the tsunami disaster for lacking commonsense and for being unable to anticipate and cope with the extent of the tsunami disaster.

Evidence to that OPC inquiry and to the Senate Legal and Constitutional References Committee’s subsequent inquiry into the Privacy Act 1988 revealed that some government agencies and private sector organisations adopted an overly cautious approach to interpreting the Privacy Act, impeding effective and timely assistance to Australians caught up in these terrible situations.

The OPC review considered a number of options for reform, recommending that privacy laws need to take a common-sense approach balancing between the desirability of having a flow of information and protecting an individual’s right to privacy. The Senate committee noted the OPC review and urged the Australian government to implement the OPC’s recommendation as a matter of priority. The committee also suggested that the government ensure that it also addresses any impediments under the Privacy Act, to information sharing between government agencies in such situations.

We note that, while the bill addresses the issues raised by both of these reviews, it does not in fact act on the specific recommendations of the OPC as endorsed by the Senate committee. Rather than amend existing provisions and deal with emergencies and disasters through temporary public interest determinations made by the Privacy Commissioner, the bill inserts a new part and framework into the Privacy Act. The bill covers both government agencies and private sector organisations, although the latter are not specified by industry or any other identifier. As recommended by the Senate committee, the bill does address information sharing between agencies in emergency situations.

Recent events and the difficulties experienced not only by agencies, organisations and travel related industries but also by Australian families caught up in these tragedies, demonstrate that the amendments to the Privacy Act should not be delayed. Labor understands that the Attorney-General’s Department has consulted extensively with stakeholders in the drafting of this bill and notes that most of the submissions to the Senate Standing Committee on Legal and Constitutional Affairs examination of this bill expressed broad support for the proposed amendments.

Labor is satisfied that the laws offer greater assurance to both government agencies and private organisations that personal information may be lawfully disclosed and exchanged during times of emergency or disaster either at home or abroad. They will further ensure that assistance and relief to victims and their families is not unduly delayed or complicated by privacy concerns.

I will now deal with the specific changes to the bill. Schedule 1 of the bill inserts a new part VIA, as I have indicated, into the Privacy Act of 1988. The new provisions will operate only upon the making of a declaration for the purposes of the Privacy Act that an emergency or disaster has occurred in Australia or overseas.

Clause 80J provides for the declaration of an emergency or disaster in Australia by the Prime Minister or the Attorney-General, and there are preconditions for that declaration to be made. They are: that an emergency or disaster has occurred; that the emergency or disaster is of a kind which would make it appropriate that personal information be exchanged; the emergency or disaster is of national significance; and the emergency or disaster has affected at least one or more Australian citizens or permanent residents.

Clause 80K provides for the declaration of an emergency or disaster outside Australia by the Prime Minister or the Attorney-General in consultation with the Minister for Foreign Affairs. The preconditions for a declaration under clause 80K are: that an emergency or disaster has occurred outside Australia; the emergency or disaster is of a kind which would make it appropriate that personal information be exchanged; and the emergency or disaster has affected at least one or more Australian citizens or permanent residents.

These provisions specify that the emergency or disaster must have occurred. A declaration cannot be made in respect of an imminent event or a warning. The requirement that the foreign affairs minister be consulted in relation to events outside Australia reflects a sensitivity to diplomatic relations with other countries—an approach with which Labor concurs.

According to clause 80L, an emergency declaration must be in writing and signed by the person making the declaration and has effect from the time at which it is signed. Clause 80M provides that an emergency declaration cannot be retrospective. It has effect from the time at which it is signed. Clause 80L requires that an emergency declaration must be published as soon as practicable after it has taken effect on the Attorney-General’s departmental website and by notice published in the Gazette.

According to clause 80N, as amended in the Senate, a declaration of emergency under clause 80J and clause 80K will cease to have effect no later than the end of 12 months, with the time starting from when the declaration is made, but it may end earlier. This amendment reflected a recommendation of the Senate committee and was supported by Labor in the other place.

The making of an emergency declaration under 80J or 80K triggers the operation of the new part VIA. Clause 80R provides that part VIA of the bill has a broad operation and is not limited by any other secrecy provision in a law of the Commonwealth unless the secrecy provision expressly excludes the operation of clause 80R. I note the comments made by the Parliamentary Secretary to the Prime Minister in relation to some undertakings that have been made in that area.

Importantly, clause 80R provides that nothing in the part compels the collection, use or disclosure of personal information. It simply makes it permissible. The decision to disclose personal information will remain at the discretion of individual agencies or organisations. Clause 80H defines the meaning of permitted purpose as a purpose that has some temporal, physical or other connection to action taken by the Commonwealth in response to an emergency or disaster in respect of which an emergency declaration under this bill—or the act, as it will be—is in force. The section provides examples without limitation of the types of situations in which the collection, use and disclosure of personal information may be authorised. They include the identification of individuals involved in assisting them to obtain necessary services, coordination or management of the response to the emergency or disaster, including law enforcement, and ensuring people who are responsible for individuals who are or may be involved in the emergency or disaster are kept appropriately informed.

Clause 80H was the subject of amendment in the Senate limiting the permitted purpose to a purpose that directly relates to the Commonwealth’s response to an emergency or disaster. This was recommended by the Senate committee and supported by Labor in the Senate.

Clearly, with respect to the sorts of issues that we are talking about, all of us unfortunately have seen them in recent times. I know many members of parliament were involved when constituents or their family members were caught up in some of these terrible disasters. Certainly, a fair share of us around this House know the frustrations that people have suffered from when information has not been able to be made available to them. Hopefully, this bill will deal with a number of those problems.

It is important to note that the words ‘emergency’ and ‘disaster’ are not defined in the bill, as it was intended by the government to maintain absolute flexibility as to the types of events this may involve. Labor notes that the Senate committee’s view was that defining these terms would actually risk excluding unforeseen events which would properly be the subject of a declaration under the bill. We approve of the bill’s intentionally broad drafting, given the desire for it to operate in a range of unforeseeable circumstances. However, it is one of those areas where there is a little warning bell, I guess, in that all of us might worry that this is unnecessarily broad. But given the circumstances it is addressing, we are left with little choice other than to take this sort of approach and support the approach that the government has taken.

Clause 80H confirms that the disclosure of relevant information to a person responsible for the individual involved in the emergency or disaster is a permitted purpose under part VIA. According to the explanatory memorandum, this subparagraph addresses the concern that people such as relatives could be denied information regarding the welfare of family members because of concerns about the application of the Privacy Act. This provision takes up the Office of the Privacy Commissioner’s recommendations to enable disclosure of personal information to a person responsible in times of emergency, but it has not extended or clarified the definition of ‘person responsible’. We are concerned that there is no mechanism providing for the number of family members who may come within this definition of ‘person responsible’. It may be preferable in such situations for one person to be a nominated individual rather than for the information to be disclosed numerous times or it may be vital that all family members are able to have access.

Clause 80P permits the collection, use or disclosure of personal information relating to an individual if the person, agency or organisation collecting, using or disclosing the information reasonably believes the individual may be involved in the emergency or disaster and the collection, use or disclosure is for a permitted purpose. Clause 80P deals with who government agencies may disclose personal information to. Clause 80P(1)(d) refers to the disclosure of personal information by an organisation or another person. As the parliamentary secretary noted, clause 80P(1)(e) makes it clear that disclosure to the media or a media organisation is not permitted under part VIA.

The bill ensures that an entity is not liable for contravening a secrecy provision by using or disclosing personal information where it is authorised to do so under the bill unless the secrecy provision is a designated secrecy provision. A designated secrecy provision is defined to include secrecy provisions binding the Inspector-General of Intelligence and Security and the intelligence agencies, who do not normally have coverage under the Privacy Act. The explanatory memorandum notes that it would not be appropriate to override secrecy provisions in this way, particularly as applying to the intelligence agencies.

The bill provides that an entity is not liable for contravening a duty of confidence in respect of disclosing personal information where authorised to do so by clause 80P(1). The department has advised that this most commonly would relate to the common-law duty of confidentiality to which banks are subject. Clauses 80P(4) and 80P(5) provide that an agency or organisation does not breach an information privacy principle, a privacy code or a national privacy principle, respectively, in respect of the collection, use or disclosure of personal information.

According to the bill, part VIA is not intended to override agencies’ internal information management processes and assumes that all disclosures will take place in conformity with the usual process for the collection, use and disclosure of information. Clause 80Q creates an offence for unauthorised secondary disclosures. A secondary disclosure occurs when a person to whom personal information has been disclosed under part VIA subsequently then discloses that information. Clause 80Q(1)(c) creates an exception for a person responsible for the individual involved in an emergency or disaster while another provision authorises the secondary disclosure of personal information in prescribed circumstances.

When I read it like this, it does make it sound complicated for those who might be listening to the debate, but I think that the intention is right here, to allow disclosure in circumstances where it may be a matter of life or death or it may be a matter of quickly being able to identify who has been involved, in what have been some pretty horrific circumstances, but making sure that that relaxing of the rules does not mean that information can be passed on more broadly to media organisations or others through these secondary disclosures.

It is intended, and there are provisions in the bill, that the act is given the widest possible operation consistent with Commonwealth constitutional legislative power. We are a little concerned about clause 80T, which deals with acquisition of property. Apparently, it has been provided on the advice of the department that it is necessary and was put in out of an abundance of caution. But it seems an entirely inappropriate provision in this bill and we cannot understand why it would be here, even out of an abundance of caution. It certainly does not seem likely to cause any damage. Schedule 2 of the bill amends the ASIO Act, and there are consequential amendments which deal with that in terms of material that can be communicated or that comes into the possession of ASIO in the course of performing its function. It enables ASIO to disclose information where an emergency is declared.

As I say, these sound like extremely technical provisions. It is a technical bill but it is important, we believe, that some balance is maintained between when our privacy laws recognise the value of sharing information for the benefit of both the individuals who might be involved and the wider community and the privacy considerations that protect an individual’s personal information. We believe it is important that the need for efficient responses to emergency and disaster situations are balanced by laws and systems that protect personal information from misuse, but we do believe that the changes in this bill are necessary.

We hope, of course, that we are not in a situation where it is necessary to make a declaration of an emergency or disaster, but it makes sense for us to ensure that our laws enable swift and appropriate action by government and non-government agencies that might be involved if we are in that sorry circumstance again. Labor supports this bill, as we believe that the measures it contains effectively strike that delicate balance that is needed. We hope and trust that we are not in the situation that we need to use these provisions at all, but certainly not in the near future. I commend the bill to the House.

Comments

No comments