House debates

Tuesday, 28 November 2006

Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006

Second Reading

4:42 pm

Photo of Malcolm TurnbullMalcolm Turnbull (Wentworth, Liberal Party, Parliamentary Secretary to the Prime Minister) Share this | | Hansard source

I present the explanatory memorandum to the bill, and I move:

That this bill be now read a second time.

The tragic Boxing Day tsunami in 2004 provided many lessons in how to provide effective and timely assistance to Australians caught up in an emergency. To provide effective assistance, we have to identify those who need help and what help is appropriate. The tsunami, along with other subsequent emergencies and disasters, revealed practical problems for Commonwealth agencies, state and territory governments, private sector organisations and non-government organisations regarding the extent to which personal information can be shared.

The Privacy Act 1988 contains provisions which allow disclosure of personal information in terms of emergency and disaster. However, the act contemplates that these provisions will be applied on a case-by-case basis after careful analysis of the particular circumstances. Clearly, in an emergency or disaster, where there may be many thousands of victims requiring urgent assistance, agencies and organisations do not have the luxury of time, or the resources, to consider each case individually.

These existing provisions have proven difficult to apply with confidence in situations involving mass casualties and missing persons. This has resulted in some agencies and organisations taking an overly cautious interpretation and has contributed to unnecessary delays in delivering services and added to the trauma experienced by victims and their families.

Two recent reports, Getting in on the Act: the review of the private sector provisions of the Privacy Act 1988, produced by the Privacy Commissioner, and The real Big Brother: inquiry into the Privacy Act 1988, produced by the Senate References Legal and Constitutional Committee, have noted the need for clarification of the provisions of the act in times of an emergency. The government acknowledges the work of the Privacy Commissioner and the committee in preparing those reports.

We also acknowledge the inquiry and report on the bill by the Senate Standing Committee on Legal and Constitutional Affairs which followed the bill’s introduction in the Senate. The committee made two recommendations for amendments to the original bill, which the government has adopted in the current bill.

I turn now to the new part VIA. There needs to be a seamless whole-of-government approach to the exchange of personal information in a disaster. The Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006 inserts a new part into the Privacy Act to establish a clear and certain legal basis for the collection, use and disclosure of personal information about deceased, injured and missing individuals caught up in an emergency or disaster occurring in Australia or overseas.

The effect of these amendments is to permit the Australian government, private sector organisations and non-government organisations to collect, use and disclose personal information in the event of an emergency or disaster, despite the possible application of the Privacy Act or of specific secrecy provisions in other Commonwealth legislation. The bill will not apply to state and territory governments and their agencies other than the ACT, but it will allow Australian government agencies and private sector organisations and non-government organisations to disclose personal information to state and territory governments and their agencies.

We are hopeful that, where state or territory legislation prevents their agencies from sharing personal information with the Australian government or with private sector or non-government organisations, states and territories might consider corresponding amendments to their legislation.

I turn now to the trigger provisions which will trigger the operation of the new part. These new provisions will be triggered when the Prime Minister or the Attorney-General makes a declaration for the purposes of the Privacy Act that an emergency or disaster has occurred in Australia or overseas. An emergency or disaster may only be declared where:

at least one Australian citizen has been affected; and

the emergency or disaster is such that it is appropriate that certain agencies, organisations and individuals be permitted to exchange personal information more freely than might otherwise be permitted by the Privacy Act.

Where the emergency or disaster has occurred outside Australia, the Attorney-General must consult the Minister for Foreign Affairs before making a declaration. The declaration will have effect for a limited time.

An emergency declaration does not operate indefinitely. A maximum period of 12 months applies to an emergency declaration. The 12-month cap was included as a result of a recommendation by the Senate Standing Committee on Legal and Constitutional Affairs in its report on the bill.

The bill does not attempt to define ‘emergency’ or ‘disaster’. The range of emergencies or disasters requiring urgent government response is too vast and too varied to be susceptible to any sensible and comprehensive definition. However, it is envisaged that the Prime Minister or the Attorney-General make the declaration as part of a coordinated, whole-of-government response to an emergency or disaster. The words, in other words, will have their natural and ordinary meaning.

The bill will not allow unfettered dealing with personal information outside the existing regulation of the Privacy Act. On the contrary, the bill serves to clarify and enhance what is largely already permissible under the Privacy Act. The bill will allow collection, use or disclosure of personal information only where it will:

provide people closely connected to an individual caught up in an emergency or disaster with information about their welfare;

help to identify individuals;

otherwise contribute to the response to the emergency or disaster; or

assist individuals and law enforcement.

Under the bill, information can only be collected, used or disclosed for a purpose that directly relates to the Commonwealth’s response to an emergency or disaster, in respect of which an emergency declaration is in force. In this regard, the bill implements a recommendation of the Senate Standing Committee on Legal and Constitutional Affairs that the word ‘directly’ be inserted in the bill.

Given the objects of the bill, these amendments, of necessity, modify the operation of the Information Privacy Principles and the National Privacy Principles and relevant secrecy provisions in other Commonwealth legislation. However, recognising the special status of the intelligence agencies and the Inspector-General of Intelligence and Security, secrecy provisions applying to those agencies are excluded from modification under the amendments and will continue to apply unchanged.

In addition, there is a regulation-making power to exclude other nominated secrecy provisions from modification under the amendments where a sound policy case is made out to preserve those provisions, even in an emergency situation. In this regard, the government gives an undertaking to include in the regulations made under the bill the secrecy provisions of the Australian Bureau of Statistics, which are in the Census and Statistics Act 1905.

The bill also modifies the operation of common law duties of confidence, such as that which applies to the banker and client relationship.

The amendments will not permit the disclosure of personal information to the media. If there is a need to involve the media to ensure a speedy and effective response to the emergency, then agencies and organisations must do so in accordance with the normal operation of the Privacy Act.

To ensure that personal information is not disclosed for unrelated purposes, the bill includes an offence prohibiting the further disclosure of any information received as a result of a declaration of emergency or disaster. This prohibition does not apply to persons closely related to an individual affected by an emergency or disaster, nor does it prohibit disclosure to the individual concerned or where that individual has consented to the disclosure. Naturally, the offence does not apply where the Privacy Act otherwise permits the disclosure.

I want to stress that the bill merely enables the collection, use and disclosure of personal information in an emergency or disaster situation. It does not require any agency or organisation to disclose personal information. Agencies and organisations will retain their existing discretion under the Privacy Act not to disclose personal information. The amendments do not displace internal management processes of agencies which regulate the collection, use and disclosure of such information.

The amendments follow from extensive consultation with stakeholders, both within government and in the private and charitable sectors. All have agreed that the amendments are necessary to enable an effective response to emergencies or disasters.

The bill will place beyond doubt the capacity of the Australian government and others to lawfully exchange personal information in an emergency or disaster situation. It reflects an expectation of the community that the government will respond to emergencies and disasters quickly and effectively. The bill complements the existing core policy of the Privacy Act. The Privacy Act continues to apply in the absence of an emergency declaration; even in its normal operation, the Privacy Act usually allows the disclosure of personal information for legitimate government purposes.

The government is confident that the amendments in this bill will assist search, rescue and recovery efforts and the distribution of services to victims and their families without derogating from the proper protection of personal information. I commend the bill to the House.

4:52 pm

Photo of Nicola RoxonNicola Roxon (Gellibrand, Australian Labor Party, Shadow Attorney-General) Share this | | Hansard source

I rise today to speak on the Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006. Privacy protection is one of the most important issues of our time. Labor considers that society’s need to respond efficiently and effectively to emergencies and disasters must at all times be balanced against the protection of individuals’ personal information. The bill inserts a new part VIA into the Privacy Act to enhance information exchange in an emergency or disaster situation. The new part permits but does not compel the collection, use and disclosure of personal information about deceased, injured and missing individuals involved in an emergency or disaster, whether in Australia or overseas, between Australian government agencies, state and territory authorities, private sector organisations, non-government organisations and others.

Part VIA is triggered by a declaration of an emergency by either the Prime Minister or the Attorney-General, in consultation with the Minister for Foreign Affairs for overseas situations, and provides for the use and disclosure of personal information related to the Commonwealth’s response to an emergency or disaster situation. Schedule 2 of the bill makes consequential amendments to the Australian Security Intelligence Organisation Act 1979. The need for these measures to address the practical issues faced by government agencies, the private sector and non-government organisations in times of emergency or in disaster situations was highlighted, sadly, during recent experiences including September 11, the Bali bombings, the 2004 Asian tsunami and the evacuation of Australians recently out of Lebanon.

Schedule 3 of the Privacy Act contains provisions in National Privacy Principle 2 which allow for the disclosure of personal information in times of emergency and disaster. The structure of the act is such that it is expected that these provisions will be applied on a case-by-case basis after careful analysis of the circumstances. These recent experiences that we have had, the recent emergencies and disasters, have highlighted the difficulty of applying these provisions with confidence during large-scale emergencies.

In its review of the private sector provisions of the Privacy Act, the Office of the Privacy Commissioner considered the issue of balancing the flow of information and privacy considerations during times of large-scale emergencies and noted:

The scale and gravity of large scale emergencies have tested the application of the Privacy Act and raised questions as to how privacy protection should operate in such situations. The Privacy Act received criticism in the media after the tsunami disaster for lacking commonsense and for being unable to anticipate and cope with the extent of the tsunami disaster.

Evidence to that OPC inquiry and to the Senate Legal and Constitutional References Committee’s subsequent inquiry into the Privacy Act 1988 revealed that some government agencies and private sector organisations adopted an overly cautious approach to interpreting the Privacy Act, impeding effective and timely assistance to Australians caught up in these terrible situations.

The OPC review considered a number of options for reform, recommending that privacy laws need to take a common-sense approach balancing between the desirability of having a flow of information and protecting an individual’s right to privacy. The Senate committee noted the OPC review and urged the Australian government to implement the OPC’s recommendation as a matter of priority. The committee also suggested that the government ensure that it also addresses any impediments under the Privacy Act, to information sharing between government agencies in such situations.

We note that, while the bill addresses the issues raised by both of these reviews, it does not in fact act on the specific recommendations of the OPC as endorsed by the Senate committee. Rather than amend existing provisions and deal with emergencies and disasters through temporary public interest determinations made by the Privacy Commissioner, the bill inserts a new part and framework into the Privacy Act. The bill covers both government agencies and private sector organisations, although the latter are not specified by industry or any other identifier. As recommended by the Senate committee, the bill does address information sharing between agencies in emergency situations.

Recent events and the difficulties experienced not only by agencies, organisations and travel related industries but also by Australian families caught up in these tragedies, demonstrate that the amendments to the Privacy Act should not be delayed. Labor understands that the Attorney-General’s Department has consulted extensively with stakeholders in the drafting of this bill and notes that most of the submissions to the Senate Standing Committee on Legal and Constitutional Affairs examination of this bill expressed broad support for the proposed amendments.

Labor is satisfied that the laws offer greater assurance to both government agencies and private organisations that personal information may be lawfully disclosed and exchanged during times of emergency or disaster either at home or abroad. They will further ensure that assistance and relief to victims and their families is not unduly delayed or complicated by privacy concerns.

I will now deal with the specific changes to the bill. Schedule 1 of the bill inserts a new part VIA, as I have indicated, into the Privacy Act of 1988. The new provisions will operate only upon the making of a declaration for the purposes of the Privacy Act that an emergency or disaster has occurred in Australia or overseas.

Clause 80J provides for the declaration of an emergency or disaster in Australia by the Prime Minister or the Attorney-General, and there are preconditions for that declaration to be made. They are: that an emergency or disaster has occurred; that the emergency or disaster is of a kind which would make it appropriate that personal information be exchanged; the emergency or disaster is of national significance; and the emergency or disaster has affected at least one or more Australian citizens or permanent residents.

Clause 80K provides for the declaration of an emergency or disaster outside Australia by the Prime Minister or the Attorney-General in consultation with the Minister for Foreign Affairs. The preconditions for a declaration under clause 80K are: that an emergency or disaster has occurred outside Australia; the emergency or disaster is of a kind which would make it appropriate that personal information be exchanged; and the emergency or disaster has affected at least one or more Australian citizens or permanent residents.

These provisions specify that the emergency or disaster must have occurred. A declaration cannot be made in respect of an imminent event or a warning. The requirement that the foreign affairs minister be consulted in relation to events outside Australia reflects a sensitivity to diplomatic relations with other countries—an approach with which Labor concurs.

According to clause 80L, an emergency declaration must be in writing and signed by the person making the declaration and has effect from the time at which it is signed. Clause 80M provides that an emergency declaration cannot be retrospective. It has effect from the time at which it is signed. Clause 80L requires that an emergency declaration must be published as soon as practicable after it has taken effect on the Attorney-General’s departmental website and by notice published in the Gazette.

According to clause 80N, as amended in the Senate, a declaration of emergency under clause 80J and clause 80K will cease to have effect no later than the end of 12 months, with the time starting from when the declaration is made, but it may end earlier. This amendment reflected a recommendation of the Senate committee and was supported by Labor in the other place.

The making of an emergency declaration under 80J or 80K triggers the operation of the new part VIA. Clause 80R provides that part VIA of the bill has a broad operation and is not limited by any other secrecy provision in a law of the Commonwealth unless the secrecy provision expressly excludes the operation of clause 80R. I note the comments made by the Parliamentary Secretary to the Prime Minister in relation to some undertakings that have been made in that area.

Importantly, clause 80R provides that nothing in the part compels the collection, use or disclosure of personal information. It simply makes it permissible. The decision to disclose personal information will remain at the discretion of individual agencies or organisations. Clause 80H defines the meaning of permitted purpose as a purpose that has some temporal, physical or other connection to action taken by the Commonwealth in response to an emergency or disaster in respect of which an emergency declaration under this bill—or the act, as it will be—is in force. The section provides examples without limitation of the types of situations in which the collection, use and disclosure of personal information may be authorised. They include the identification of individuals involved in assisting them to obtain necessary services, coordination or management of the response to the emergency or disaster, including law enforcement, and ensuring people who are responsible for individuals who are or may be involved in the emergency or disaster are kept appropriately informed.

Clause 80H was the subject of amendment in the Senate limiting the permitted purpose to a purpose that directly relates to the Commonwealth’s response to an emergency or disaster. This was recommended by the Senate committee and supported by Labor in the Senate.

Clearly, with respect to the sorts of issues that we are talking about, all of us unfortunately have seen them in recent times. I know many members of parliament were involved when constituents or their family members were caught up in some of these terrible disasters. Certainly, a fair share of us around this House know the frustrations that people have suffered from when information has not been able to be made available to them. Hopefully, this bill will deal with a number of those problems.

It is important to note that the words ‘emergency’ and ‘disaster’ are not defined in the bill, as it was intended by the government to maintain absolute flexibility as to the types of events this may involve. Labor notes that the Senate committee’s view was that defining these terms would actually risk excluding unforeseen events which would properly be the subject of a declaration under the bill. We approve of the bill’s intentionally broad drafting, given the desire for it to operate in a range of unforeseeable circumstances. However, it is one of those areas where there is a little warning bell, I guess, in that all of us might worry that this is unnecessarily broad. But given the circumstances it is addressing, we are left with little choice other than to take this sort of approach and support the approach that the government has taken.

Clause 80H confirms that the disclosure of relevant information to a person responsible for the individual involved in the emergency or disaster is a permitted purpose under part VIA. According to the explanatory memorandum, this subparagraph addresses the concern that people such as relatives could be denied information regarding the welfare of family members because of concerns about the application of the Privacy Act. This provision takes up the Office of the Privacy Commissioner’s recommendations to enable disclosure of personal information to a person responsible in times of emergency, but it has not extended or clarified the definition of ‘person responsible’. We are concerned that there is no mechanism providing for the number of family members who may come within this definition of ‘person responsible’. It may be preferable in such situations for one person to be a nominated individual rather than for the information to be disclosed numerous times or it may be vital that all family members are able to have access.

Clause 80P permits the collection, use or disclosure of personal information relating to an individual if the person, agency or organisation collecting, using or disclosing the information reasonably believes the individual may be involved in the emergency or disaster and the collection, use or disclosure is for a permitted purpose. Clause 80P deals with who government agencies may disclose personal information to. Clause 80P(1)(d) refers to the disclosure of personal information by an organisation or another person. As the parliamentary secretary noted, clause 80P(1)(e) makes it clear that disclosure to the media or a media organisation is not permitted under part VIA.

The bill ensures that an entity is not liable for contravening a secrecy provision by using or disclosing personal information where it is authorised to do so under the bill unless the secrecy provision is a designated secrecy provision. A designated secrecy provision is defined to include secrecy provisions binding the Inspector-General of Intelligence and Security and the intelligence agencies, who do not normally have coverage under the Privacy Act. The explanatory memorandum notes that it would not be appropriate to override secrecy provisions in this way, particularly as applying to the intelligence agencies.

The bill provides that an entity is not liable for contravening a duty of confidence in respect of disclosing personal information where authorised to do so by clause 80P(1). The department has advised that this most commonly would relate to the common-law duty of confidentiality to which banks are subject. Clauses 80P(4) and 80P(5) provide that an agency or organisation does not breach an information privacy principle, a privacy code or a national privacy principle, respectively, in respect of the collection, use or disclosure of personal information.

According to the bill, part VIA is not intended to override agencies’ internal information management processes and assumes that all disclosures will take place in conformity with the usual process for the collection, use and disclosure of information. Clause 80Q creates an offence for unauthorised secondary disclosures. A secondary disclosure occurs when a person to whom personal information has been disclosed under part VIA subsequently then discloses that information. Clause 80Q(1)(c) creates an exception for a person responsible for the individual involved in an emergency or disaster while another provision authorises the secondary disclosure of personal information in prescribed circumstances.

When I read it like this, it does make it sound complicated for those who might be listening to the debate, but I think that the intention is right here, to allow disclosure in circumstances where it may be a matter of life or death or it may be a matter of quickly being able to identify who has been involved, in what have been some pretty horrific circumstances, but making sure that that relaxing of the rules does not mean that information can be passed on more broadly to media organisations or others through these secondary disclosures.

It is intended, and there are provisions in the bill, that the act is given the widest possible operation consistent with Commonwealth constitutional legislative power. We are a little concerned about clause 80T, which deals with acquisition of property. Apparently, it has been provided on the advice of the department that it is necessary and was put in out of an abundance of caution. But it seems an entirely inappropriate provision in this bill and we cannot understand why it would be here, even out of an abundance of caution. It certainly does not seem likely to cause any damage. Schedule 2 of the bill amends the ASIO Act, and there are consequential amendments which deal with that in terms of material that can be communicated or that comes into the possession of ASIO in the course of performing its function. It enables ASIO to disclose information where an emergency is declared.

As I say, these sound like extremely technical provisions. It is a technical bill but it is important, we believe, that some balance is maintained between when our privacy laws recognise the value of sharing information for the benefit of both the individuals who might be involved and the wider community and the privacy considerations that protect an individual’s personal information. We believe it is important that the need for efficient responses to emergency and disaster situations are balanced by laws and systems that protect personal information from misuse, but we do believe that the changes in this bill are necessary.

We hope, of course, that we are not in a situation where it is necessary to make a declaration of an emergency or disaster, but it makes sense for us to ensure that our laws enable swift and appropriate action by government and non-government agencies that might be involved if we are in that sorry circumstance again. Labor supports this bill, as we believe that the measures it contains effectively strike that delicate balance that is needed. We hope and trust that we are not in the situation that we need to use these provisions at all, but certainly not in the near future. I commend the bill to the House.

5:09 pm

Photo of Petro GeorgiouPetro Georgiou (Kooyong, Liberal Party) Share this | | Hansard source

The Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006 seeks to amend areas of both the Privacy Act 1988 and the ASIO Act 1979. The object is to facilitate a better network of information sharing between government and non-government agencies involved in emergency response operations both in Australia and abroad. The driving force behind this legislation is the need to respond effectively to disasters. As evidenced by submissions to the Senate Standing Committee on Legal and Constitutional Affairs, the broader community has welcomed this clarification of the privacy laws in crisis situations. For example, the Office of the Privacy Commissioner concluded:

This clarification will assist individuals directly affected by an emergency or disaster and will also assist government agencies and private sector organisations, where appropriate, to collect, use or disclose personal information to assist those individuals directly affected. This will allow the Australian Government to provide an appropriate and timely response to the emergency or disaster.

In light of recent large-scale disasters in our own region, a modification to our privacy laws is a necessity. This bill acknowledges the frustrations experienced by disaster relief agencies during recent emergencies such as the 2002 Bali bombing and the 2004 Boxing Day tsunami. It establishes a clear legal basis for the sharing of personal information between relevant organisations, and it will result in a more efficient operation of emergency information management. All agencies and organisations will, with confidence in the protection of the law, be able to assist each other in the exchange of personal information about those directly affected by the disaster. Victims and their families will be spared the added distress of having to repeat the same information over and over to different agencies. We will not in the future, hopefully, encounter the situation experienced by the Australian Red Cross during the aftermath of the Bali bombing. The Red Cross, unable to access lists of deceased, injured or missing victims held by other agencies, saw the suffering of those affected by the disaster exacerbated.

It is becoming increasingly apparent with recent global events that there is a need to reduce the complexity of current legal arrangements. The Privacy Act 1988 does already allow for the suspension of customary privacy regulations in particular circumstances. Exemptions, however, can only be applied after detailed consideration of the specifics of the situation on a case-by-case basis. Some have argued that this is adequate if the Privacy Act is properly understood; consequently, the sensible use of the current act merely requires a greater awareness of the existing exemptions, which can be achieved by broader education. However, in times of crisis, restricting information sharing to a case-by-case basis is not efficacious. The amendments made by this bill will eliminate any unnecessary ambiguity in the law. Confident of their rights and obligations in emergency situations, organisations will be able to collect, use and disclose information to best serve the needs of victims and their families. Faced with a crisis situation, there will no longer be a lack of clear understanding as to the legalities of sharing information. The bill does not compel disclosure and it will not force agencies to exchange information. It will, however, create an environment where agencies can be confident in sharing and seeking information in the pursuit of effective emergency management without fear of legal penalty. This in turn should ensure that victims and their families receive accurate information about their loved ones without unnecessary delay.

The bill before us has been extensively researched. Upon introduction to the Senate it was referred to the Senate Standing Committee on Legal and Constitutional Affairs for further analysis and debate. The committee heard from a variety of state and federal government agencies, private sector organisations and non-government organisations. These included the Acting Privacy Commissioner, CrimTrac, the Queensland Police Service and St John Ambulance Australia. Upon the conclusion of the inquiry, the committee put forward two substantive recommendations to the Attorney-General. I would like to commend the work of the Senate Standing Committee on Legal and Constitutional Affairs with regard to this bill. In fact, I think that this committee does a very effective job on other bills that are even more controversial than this one. Its analysis has resulted in both recommendations from the report being accepted and included by the government.

The committee first recommended that the wording of subclause 80H(1) be changed to reflect more adequately the highly unusual circumstances in which such a deviation from normal privacy laws could occur. As it originally stood, this clause defined ‘permitted purpose’ as:

... a purpose that relates to the Commonwealth’s response to an emergency or disaster in respect of which an emergency declaration is in force.

The committee recommended that the term ‘permitted purpose’ be amended to a purpose that ‘directly relates to the Commonwealth’s response to an emergency or disaster’. The introduction of this amendment into the bill is an important addition as it imposes limits on the circumstances in which the disclosure of personal information can be sought. The purpose must now relate directly to the Commonwealth’s response to the situation. It also establishes that the type of personal information available to be shared is of direct relevance to the emergency response operation at hand.

One of the criticisms levelled at the bill was that it went too far. It has been argued that to insert a whole new part into the Privacy Act overemphasises the need for change, focusing on incidents which are relatively uncommon and which thereby allow a departure from our privacy regime which is inappropriate and disproportionate to such limited situations. I believe that the second committee recommendation alleviates this concern. In the committee hearing stage, concerns were raised about the lack of limitation on the duration of an emergency declaration being in effect. In light of this, the committee recommended that an emergency declaration should cease to have effect at the end of a 12-month period. The bill now incorporates this recommendation. If no date is specified for the expiration of the emergency declaration and the declaration has not been revoked, it will automatically expire 12 months after the declaration is made.

The acceptance of this recommendation into the bill is a significant amendment. It recognises, having taken account of numerous submissions, that there is a need to impose a time limit on such declarations. Some agencies, however, still expressed concern about the length of time that ordinary privacy requirements could be suspended and could therefore be open to misuse. This was raised in reference to the balancing of access to information and respect for privacy concerns. These concerns were shared by the Senate committee, but the Attorney-General has emphasised that the bill does not displace the usual operations of the Privacy Act.

When the Senate’s two recommended changes are placed alongside each other the law is able to have a two-pronged effect. Firstly, the bill allows sufficient time for the processes of victim identification to be largely completed when responding to a major emergency or disaster. Secondly, it ensures that the privacy rights of people not involved in the emergency are protected for the entirety of the emergency declaration. Mr Deputy Speaker, where legislation might impact upon individual rights, even when we speak only about rare and limited situations, we do need to be cautious. We need to be careful that our responses are proportionate and appropriate. Thankfully, emergency and disaster incidents remain relatively uncommon. As such, departures from our normal privacy regimes need to be quite rare. It must be ensured that provisions enacted for the explicit purpose of information sharing in direct relation to a particular and extreme situation are not misused. This means having strict and clear guidelines. It means providing clear legislation about how such personal information is used, as is specified in clause 80P, and for how long the exchange of such personal information is permitted, as specified in clause 80N. It also means having a clear understanding of the purpose for which the release of information has been permitted, as outlined in clause 80H. It is also important that data acquired for particular and extraordinary purposes be destroyed when the disaster has been dealt with, for much of this information will be of a sensitive and delicate nature.

In times of uncertainty it is important to institute the necessary means to best serve the interests of a majority of people. It is also important to respect the interests of the individual. It is to be remembered that such emergencies of national significance are rare and that it is only within the context of such isolated events that these steps will be taken. This legislation will allow for the better serving of the interests of Australians in times of dire need, and I commend the bill to the House.

5:20 pm

Photo of Roger PriceRoger Price (Chifley, Australian Labor Party) Share this | | Hansard source

I want to make some supporting remarks about the Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006 but also to talk about privacy particularly in respect of the role of members of this House. This bill has a very desirable purpose and was intentionally wide so as to allow its operation in yet unforeseen circumstances. Privacy laws need to strike a balance between the value of sharing information for the benefit of both individuals and society and the privacy considerations that protect an individual’s personal information. It is important that the need for an efficient response to emergency and disaster situations is met, yet there needs to be a balance so as to protect personal information from misuse.

These laws offer greater clarity and assurance to both government agencies and private organisations who may be involved in emergency and disaster responses. The bill will ensure that assistance and relief to victims and their families is not unduly delayed or complicated by privacy concerns. Unfortunately, we have had a number of disasters—the Bali bombing and of course the tsunami in January 2005. Those emergencies have been the genesis of the changes.

I note that the Office of the Privacy Commissioner undertook a review which highlighted the difficulty faced by airlines in the aftermath of the 2004 tsunami, when many Australians contacted airlines to find out whether the missing had continued flying after the tsunami hit. Such information, readily available to airlines, if disclosed would normally appear to be a breach of our privacy laws. The review considered a number of options for reform, recommending that a common-sense approach is taken to privacy laws, balancing between the desirability of having a flow of information and protecting individuals’ right to privacy. In large-scale emergencies the consequences of disclosure should be compared to the consequences of nondisclosure. The review noted the potential of identity fraud that may continue during such a time, especially if disclosure is allowed to the media.

I think all of us in this parliament, whichever side of politics we are on, support privacy laws; I certainly do. But I must say, going back to Attorney-General Michael Duffy’s time, I have had difficulty in the application of the privacy laws to the role of members of parliament. I believe that people often approach members of parliament after they have exhausted many other avenues. I find it very frustrating when departments of state demand that I as a member of parliament have a clearance, an authorisation from my constituent, to pursue their particular complaint and concern. Starting with the former Labor government with the banking ombudsman, we now have a plethora of ombudsmen who are privately appointed and privately funded, and they do a good job—I am not critical of their role. But, again, I find it offensive when I have been approached by a constituent to pursue their grievances that I may be requested as a member of parliament to seek a clearance from my constituent to act on their behalf. I find this profoundly offensive. I have been cautioned that members of parliament should not see themselves as above the law, and I do not.

There are a number of things that hinder me from fully exploiting my frustration. Firstly, this parliament does not have an active ethics committee, as many modern parliaments do. In other words, if a member of parliament were to misuse their office and seek information without acting on behalf of a constituent, there is no ethics committee to refer this matter to. I am told that this has occurred in a state other than my own. I believe that members of parliament cannot put themselves above others. We need to be accountable and not merely through the electoral cycle. I think there are sufficient experienced members of parliament on both sides of this House who would make an ethics committee work sensibly.

Secondly, there is the Privileges Committee. Sooner or later I am going to be tempted to place ombudsmen’s requests or department of state requests for authorisation from a constituent of mine to the Privileges Committee. Having said that, I regret to say that the Privileges Committee is the last of the functioning star chambers in the empire—not in the Senate; the Senate has undertaken a great deal of reform.

Photo of Mrs Bronwyn BishopMrs Bronwyn Bishop (Mackellar, Liberal Party) Share this | | Hansard source

I might interrupt the member and remind him that we are discussing a bill dealing with emergencies and disasters. He might like to make a statement connecting his discursion to the bill.

Photo of Roger PriceRoger Price (Chifley, Australian Labor Party) Share this | | Hansard source

I thank the deputy chair and I think it is not an unreasonable intervention, but I am trying to make the point that I am a strong supporter of privacy legislation and of this legislation, but the Privileges Committee has yet to reform itself, even though after many months we are still waiting for a consultant’s report. I believe that the Privileges Committee needs to operate in a transparent and public way so that, if a member of parliament transgresses in relation to privacy laws—whether they be the existing laws or these new emergency powers—a proper, modern privileges committee could operate.

But I do say this—and I hope the officials from the Attorney-General’s Department are listening: we need to work together with the Privacy Commissioner, in my view, to ensure that the privacy laws, whether for emergency circumstances such as these or for more normal operations of departments of state, do not hinder members of parliament in their function of representing their constituents. If the Privacy Commissioner has concerns or if the departments of state have concerns that have not been transmitted to the Privacy Commissioner then we need to work through them so that we have a Privacy Act that is flexible and meets the objectives both in a normal situation and in an emergency situation such as this, where the privacy legislation has been found to be counterproductive to the very objectives for which it was set up. I am always going to speak out in this place about the right of members to make representations, without fear or favour, on behalf of their constituents. Whether that means taking on a permanent head or whether that means taking on a privately funded ombudsman, I think members of parliament should be allowed to do it.

I do not believe that we have found the right balance. I do not believe that there are the right checks and balances that make members of parliament not above the law but answerable properly for their actions. The lack of a functioning ethics committee of this parliament I think is unfortunate. It means we are behind the times. I again say about the House of Representatives Privileges Committee, which I am a member of, that it is the last of the functioning star chambers of any parliament. It is so far behind the Senate Privileges Committee that it is not funny. For the life of me, I do not understand why it has taken so long to get a consultant’s report that looks at modernising the Privileges Committee. I say to the members on both sides of the chamber in this chamber today: please take a keen interest in reform of the Privileges Committee. It is long overdue. It needs to be done and it needs to be done quickly. We cannot hold ourselves up as being modern, responsible legislators if we are prepared to tolerate this star chamber that has operated for so long. Last but not least, I think it is an absolute outrage that we—that is, the Privileges Committee—have only ever published in the Hansard two responses by members of the public to matters that have been raised in the House or in this chamber. The Senate has, without in any way feeling constrained or diminished, allowed that to happen on many, many occasions.

Again, I will just say that I have been a supporter of privacy legislation. I welcome the fact that even the commissioner himself has understood that these principles can work in a counterproductive way, and he is supportive of the legislation that is before the parliament. I support it but I do have form, going back to Attorney-General Michael Duffy, in pointing out the difficulty that members of parliament may suffer when they want to raise matters on behalf of their constituents.

5:32 pm

Photo of Chris HayesChris Hayes (Werriwa, Australian Labor Party) Share this | | Hansard source

I would like to make a few brief comments about the Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006. Labor’s view is that the privacy laws need to strike a balance between the value of sharing information for the benefit of individuals and the wider community and the privacy considerations that protect an individual’s personal information. This also has to be balanced with the need to respond rapidly to emergency and disaster situations so that the problem at hand can be dealt with, reducing the threat to property and, more importantly, reducing the threat to lives.

The bill before us inserts a new part VIA into the Privacy Act 1988 to permit but not compel information exchange between Australian government agencies, state and territory authorities, private sector organisations, non-government organisations and others in an emergency or a disaster situation, whether in Australia or overseas. Part VIA is triggered by a declaration of an emergency by either the Prime Minister or the Attorney-General, in consultation with the Minister for Foreign Affairs should it be an overseas situation, and provides for the use and disclosure of personal information related to the Commonwealth’s response to an emergency or a disaster.

On the face of it, the amendments are aimed at increasing the ease of information sharing. I have to say that that has considerable merit. The Boxing Day tsunami, the Bali bombings and Cyclone Katrina, which hit New Orleans last year, are all disasters or emergency situations that stick in the minds of individuals, but they have also pointed to how quickly the systems that we rely on can break down in an emergency or disaster situation, creating undue delays, poor responses and confusion. Such instances point out the problem that the public and, to some degree, private sector organisations have when it comes to dealing with emergency or disaster situations and how they respond to them.

The problem emerges with the chain of command, jurisdictional debates, and in particular situations we find an incompatibility of equipment and plant used in emergency response or emergency relief. All issues at hand, whether it be fire, flood, bombing or whatever, are not being dealt with to the best of anyone’s ability. These are situations that lead to chaos and unfortunately sometimes these situations can lead to loss of lives. That is unfortunately a direct result of a less than efficient response to an emergency or disaster based situation.

I note that schedule 3 of the Privacy Act 1988 contains provisions that allow the disclosure of personal information at times of emergency or disaster. I also note that the operation of provisions in schedule 3 requires that the information-sharing provisions be applied on a case-by-case basis. Unfortunately, a case-by-case basis does lead to costly delays and, as a consequence of that, the inevitable response to a delay in an emergency situation is obviously something that is not relished by the community. It was noted that in the review of the Privacy Act 1988 the Office of the Privacy Commissioner said:

The scale and gravity of the large-scale emergencies have tested the application of the Privacy Act and raised questions as to how the privacy protection should operate in such situations. The Privacy Act received criticism in the media after the tsunami disaster for lacking commonsense and for being unable to anticipate and cope with the extent of the tsunami disaster.

The evidence presented to the Office of the Privacy Commissioner indicates that the agencies and private sector organisations tended to have an overly cautious approach in terms of the provisions of the Privacy Act and that has been seen to impede the timely assistance in those very emergency situations. The Department of Foreign Affairs and Trade noted that the privacy legislation had restricted its ability to coordinate a whole-of-government response as the legislation impeded its ability to gather personal information held by other government agencies to help in the effort to locate, identify and assist Australian citizens when they are in need of help.

Having identified a clear need, at the very least, to improve the operation of the Privacy Act when it comes to the information sharing between public agencies, the private sector and others in the event of an emergency or disaster, it is incumbent on us that we do not overreach in the relaxation of the privacy protections. This is what I think the member for Chifley was drawing the attention of this chamber to a little while back. It would be far easier for us to remove the provisions in an ill-considered way that could result in it being too easy to share personal information and accordingly dilute the protections for individuals based on the argument that we may need the ease of transmission or sharing of that information at some unforeseen point in time in relation to some disaster or emergency event.

Australians are right to be concerned about having their private information shared too freely. Personal information and the theft and misuse of personal information, quite frankly, is probably one of the newest forms of crime that we have seen develop in this country. We have already seen the open condemnation by the Australian public of the banks who have decided to move their call centres overseas. In addition to being offended by the loss of Australian jobs—and rightly so—there was deep concern amongst people about the prospect of private information then falling into the wrong hands. Only a couple of weeks ago we heard reports of personal information of Australians being on sale in the back alleys of some cities. As a matter of fact, the report indicated there were bulk discounts for those who wanted to make a large purchase or bulk purchases of that sort of data. That is the sort of thing that does scare the Australian population.

I note that, in order to combat this problem and to allow individuals rather than business owners to have the final say on the transfer of personal information, Labor has announced that it will introduce measures to address this when it reaches office next year. This compares to the notable silence of the government in addressing this problem of allaying the concerns of Australian citizens, and particularly Australian families, when it comes to inappropriately gathered information being freely available in the marketplace. So while I support moves to improve the flow of personal information between agencies to overcome needless cumbersome provisions that impede operations in the event of an emergency or disaster, I also recognise that personal information must be protected.

The bill that is before us is intentionally drafted in a very broad manner. No-one would reasonably expect that any of us could predict the exact circumstances that we may be faced with in the future when we would be applying the provisions of this bill. Accordingly, as we could not predict that, I think it is only right that this bill is drafted on a very broad basis. However, that should not be an excuse for laziness; it should not be an excuse to allow holes to be created in the laws that protect the personal information of individuals.

I will be supporting this bill because I support people being provided with the tools they need to do their job. In the past I have supported provisions to assist information sharing in an attempt to deal with cross-jurisdictional issues that emerge in combating criminal activity, and I apply the same logic here. Those dedicated Australians, professionals and volunteers, who respond to disasters and emergency situations need to be equipped with everything they need to address the problem at hand in a timely and efficient manner. With respect to the bill that is before us, while there are some legitimate concerns about the lack of definitions contained in certain areas and about the broad regulation-making powers that can be extended to whoever the provisions will apply to, it offers greater clarity and assurance to organisations which may be involved in emergency and disaster response. This can only help, not hinder, the activities of our various agencies, both public and private, that have a role in responding to emergencies or disasters, should they occur. Therefore, I commend this bill to the House.

5:44 pm

Photo of Malcolm TurnbullMalcolm Turnbull (Wentworth, Liberal Party, Parliamentary Secretary to the Prime Minister) Share this | | Hansard source

in reply—I thank members for their contributions to the debate on the Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006. The bill enhances information exchange between Australian government agencies, state and territory authorities, private sector organisations, non-government organisations and others in an emergency or disaster situation. The bill establishes a clear and certain legal basis for the management of the collection, use and disclosure of personal information about deceased, injured and missing individuals involved in an emergency or disaster, whether it occurs in Australia or overseas. Its provisions will assist search, rescue and recovery efforts and the provision of services to victims and their families, without derogating from the proper protection of personal information.

It is important to note that the bill does not compel disclosure of personal information but confirms that disclosure is permitted in particular circumstances. Agencies and organisations will be assisted by these amendments to apply the Privacy Act less restrictively and with greater confidence with regard to the personal information that may be disclosed under the Privacy Act. The bill amends the Privacy Act 1988 and makes a consequential amendment to the Australian Security Intelligence Organisation Act 1979. The bill incorporates the two amendments recommended by the Senate Standing Committee on Legal and Constitutional Affairs in its report on the bill published on 12 October 2006. These amendments enhance the bill. The amendments serve to change the definition of ‘permitted purpose’ in the bill so that it is a purpose that directly relates to the Commonwealth’s response to the emergency or disaster in respect of which an emergency declaration is in force, and ensure that an emergency declaration made under the provisions of the bill has a statutory maximum period of 12 months. The bill therefore will assist the government’s response and the community’s response to emergencies and disasters.

Question agreed to.

Bill read a second time.

Ordered that the bill be reported to the House without amendment.