Senate debates
Tuesday, 17 October 2006
Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006
Second Reading
Debate resumed from 13 September, on motion by Senator Minchin:
That this bill be now read a second time.
12:35 pm
Joe Ludwig (Queensland, Australian Labor Party, Manager of Opposition Business in the Senate) Share this | Link to this | Hansard source
I rise today to speak on the Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006. This bill inserts a new part VIA in the Privacy Act to enhance the information exchange in an emergency or disaster situation. New part VI permits but does not compel the collection, use and disclosure of personal information about deceased, injured and missing individuals involved in an emergency or disaster, whether in Australia or overseas, between Australian government agencies, state and territory authorities, private sector organisations, non-government organisations and others.
Schedule 2 of the bill makes consequential amendments to the Australian Security Intelligence Organisation Act 1979. The need for these measures to address the practical issues faced by government agencies, the private sector and non-government organisations in times of emergency or disaster situations was highlighted during recent experiences, including September 11, the Bali bombings, the 2004 Asian tsunami and the evacuation of Australians out of Lebanon. While schedule 3 of the Privacy Act 1988 contains provisions that allow for the disclosure of personal information in times of emergency and disaster, the structure of the act is such that it is expected that these provisions will be applied on a case-by-case basis after careful analysis of the circumstances.
Recent emergencies and disasters highlighted the difficulties of applying these provisions with confidence during large-scale emergencies. In its review of the private sector provisions of the Privacy Act 1988, the Office of the Privacy Commissioner considered the issue of balancing the flow of information and privacy considerations during times of large-scale emergencies and noted:
The scale and gravity of large scale emergencies have tested the application of the Privacy Act and raised questions as to how privacy protection should operate in such situations. The Privacy Act received criticism in the media after the tsunami disaster for lacking commonsense and for being unable to anticipate and cope with the extent of the tsunami disaster.
Evidence to the OPC inquiry and to a subsequent inquiry into the Privacy Act 1988 by the Senate Legal and Constitutional References Committee revealed that some government agencies and private sector organisations adopted what can only be described as an overly cautious approach to interpreting the Privacy Act, impeding effective and timely assistance to Australians caught up in emergency situations.
The OPC’s March 2005 review, for example, highlighted the difficulty faced by airlines in the aftermath of the 2004 tsunami, when many Australians contacted them to find out whether those who were believed missing had continued flying after the tsunami hit. The Senate Legal and Constitutional References Committee report also noted similar evidence from the Department of Foreign Affairs and Trade, DFAT, and from the Australian Red Cross in relation to the Privacy Act’s impact on information-sharing on response and recovery in emergency situations overseas.
DFAT noted that the privacy legislation had restricted its ability to coordinate a whole-of-government response to these crises and that it particularly impeded its ability to access personal information held by other government agencies to help in its location, identification and assistance efforts, to provide personal information to other government agencies directly involved in the crisis response and to provide personal information to other government agencies to ensure that inappropriate actions, such as those concerning Centrelink payments and the like, were not taken against affected Australians.
DFAT noted its difficulty in accessing information from private sector organisations, particularly airlines and travel agencies, whose records would be useful in locating Australians. The submission by the Australian Red Cross to the committee highlighted difficulties experienced by the organisation in the aftermath of the 2002 Bali bombing. The ARC, for example, was unable to access lists held by DFAT of deceased, injured or missing persons nor was it able to share its own list of deceased and injured persons. The ARC noted that the organisation had to seek individual client permission to share even basic information about assistance provided. It observed that many affected Australians suffering injury and trauma expressed surprise and concern about having to provide the same information to many different agencies and, quite frankly, did not understand why this information could not be provided once and then shared across relevant agencies.
The OPC review and the Senate committee report both made a number of recommendations to address these difficulties. While the bill addresses the issue raised by both of these reviews, it does not act on the specific recommendation of the OPC as endorsed by the Senate committee. Rather than amend existing provisions to deal with emergencies and disasters through temporary public interest determinations made by the Privacy Commissioner, as recommended by the OPC, the bill inserts a new part and framework into the Privacy Act.
The bill covers both government agencies and private sector organisations and addresses information-sharing between government agencies in emergency situations as recommended by the Senate committee. Recent events where difficulties were experienced not only by departments and agencies such as DFAT, organisations such as the Australian Red Cross and travel related industries such as airlines but also by Australian families caught up in these tragedies demonstrate that these amendments to the Privacy Act should not be delayed.
Labor understands that the Attorney-General’s Department consulted extensively with stakeholders in drafting this bill and notes that most submissions to the Senate Standing Committee on Legal and Constitutional Affairs examination of the bill expressed broad support for the proposed amendments. Labor is satisfied that the proposed laws offer greater assurance to both government agencies and private organisations that personal information may be lawfully disclosed and exchanged during times of emergency or disaster either at home or abroad. This legislation will further ensure that assistance and relief to victims and their families will not be unduly delayed or complicated by privacy concerns.
I will now turn to some of the specific provisions in the bill. Time will not permit me to deal with all but perhaps some of the more important or cogent ones. Schedule 1 of the bill inserts a new part VIA in the Privacy Act 1988. The new provision in part VIA will operate only upon the making of a declaration under clause 80J or clause 80K that an emergency or disaster has occurred in Australia or overseas. These provisions specify that the emergency or disaster must have occurred. A declaration cannot be made in respect of an imminent event or warning.
Clause 80J provides the preconditions for the declaration by the Prime Minister or the Attorney-General of an emergency or disaster in Australia. Clause 80K provides the preconditions for the declaration by the Prime Minister or the Attorney-General in consultation with the Minister for Foreign Affairs of an emergency or disaster outside Australia. The requirement for the Minister for Foreign Affairs to be consulted in relation to events outside Australia reflects the sensitivity to diplomatic relations with other countries—an approach which Labor concurs with. According to clause 80L(1), an emergency declaration must be in writing and signed by the person making the declaration and it has effect from the time at which it is signed.
Clause 80M provides that an emergency declaration cannot be retrospective. It has effect from the time at which it was signed. Clause 80L(2) requires that an emergency declaration must be published on the Attorney-General’s Department website as soon as practicable after it has taken effect and by notice published in the Gazette. Clause 80N provides for when declarations cease to have effect. The Senate Standing Committee on Legal and Constitutional Affairs recommended that a maximum period of 12 months should apply to a declaration of emergency under clause 80J and clause 80K. We understand somewhat belatedly that the government has proposed amendments to reflect this recommendation, and I will deal with those in the committee stage of the bill.
However, it does bear comment that the Attorney-General’s Department realised that what was proposed in the recommendations was worthy of support. Therefore, we are surprised that it took them so long to get to that place and also to ensure that, if they are going to read committee reports and pick up any recommendations, it is necessary for them to signal at the earliest possible time that they intend to do that. The simple courtesy of contacting the office of the shadow minister for the Attorney-General and letting them know that these amendments are to be forthcoming might make the passage through both houses of parliament a little easier, rather than just dropping the amendments in here and expecting us all to read them and work out that they relate to those recommendations and are a true reflection of them. If they have departed from them, then they can take that up as well. We will look carefully at the amendments during the committee stage of the bill.
The making of an emergency declaration under clause 80J or clause 80K triggers the operation of new part VIA. Clause 80R(1) provides that part VIA of the bill has a broad operation and is not limited by any other secrecy provisions in the law of the Commonwealth unless that secrecy provision expressly excludes the operation of 80R. Importantly, clause 80R(2) provides that nothing in the part compels the collection or use or disclosure of personal information; it is simply a permissible act. The decision to disclose personal information will remain at the discretion of the individual agency or organisation.
Clause 80H defines the meaning of ‘permitted purpose’. Clause 80H(2) provides examples with that limitation of the types of situations in which the collection, use and disclosure of personal information may be authorised under clause 80P. We note that the Senate Standing Committee on Legal and Constitutional Affairs recommended that clause 80H(1) be amended to limit ‘permitted purpose’ to a purpose that directly relates to the Commonwealth’s response to an emergency or disaster. We also understand that the government has proposed amendments to this effect. As I said, we will deal with those during the committee stage.
Clause 80H(2)(e) confirms that a disclosure of relevant information to a person responsible, as defined in National Privacy Principle 2.5 of the Privacy Act, for the individual involved in the emergency or disaster, is a permitted purpose under part VIA. According to the explanatory memorandum, this clause addresses the concern that people, such as relatives, could be denied information regarding the welfare of family members because of concerns about the application of the Privacy Act. This provision takes up the OPC’s recommendation to enable disclosure of personal information to a ‘person responsible’ in times of emergency, but it has not extended or clarified the definition of ‘person responsible’ in National Privacy Principle 2.5.
We are concerned that there is no mechanism providing for the number of family members who may come within the definition of ‘person responsible’ under National Privacy Principle 2.5. It may be preferable in such situations for one such person to be a nominated individual, rather than for information to be disclosed numerous times—or it may be vital that all can have access. That is a matter that needs to be looked at further. In addition, National Privacy Principle 2.5 appears to define ‘person responsible’ for the purposes of 2.4, relating to the disclosure of health information, and therefore may require amendment if it is for this wider purpose. We urge the government to address these concerns.
Clause 80P(1) permits the collection, use or disclosure of personal information relating to an individual if the person, agency or organisation collecting, using or disclosing the information reasonably believes that the individual may be involved in the emergency or disaster; and the collection, use or disclosure is for a permitted purpose. Clause 80P(1)(c) deals with who government agencies may disclose personal information to. There are a couple of other provisions. Time will not permit me to deal with some of the other matters in detail.
Clause 80P(2) ensures that an entity is not liable for contravening a secrecy provision by using or disclosing personal information—it is important to ensure that the legislation contains that safeguard—unless the secrecy provision is a designated secrecy provision. A designated secrecy provision is defined in clause 80P(7) to include secrecy provisions binding the Inspector-General of Intelligence and Security. In that way we ensure that there are reasonable safeguards in the legislation. It also does not exclude, but deals with, the secrecy issues that sometimes, unfortunately, arise. Clause 80P(3) provides that an entity is not liable for contravening a duty of confidence in respect of disclosing personal information where authorised to do so by clause 80P(1). The department has advised that this most commonly would relate to the common-law duty of confidentiality to which banks are subject.
Clause 80Q creates an offence for unauthorised secondary disclosures. The government is proposing to put in place a scheme where you can protect the information that is disclosed and also protect any secondary disclosure. It is also intended to ensure that the bill has its widest possible operation, consistent with Commonwealth and constitutional legislative power. As such, we have clause 80S, concerning severability. Clause 80T concerning compensation for acquisition of property is, according to the EM, ‘the standard constitutional safety net provision’. It is comforting to see that the government has sought to ensure that that is there. The Auditor-General’s Department advises that, although it is not expected that the new part VIA will result in an acquisition of property within the meaning of that expression in the Constitution, clause 80T was included on advice from the AGS—perhaps with an overabundance of caution, given that it was the Australian Government Solicitor. This seems an inappropriate provision in this bill and we cannot understand why it is here, even out of an abundance of caution. It seems a little inappropriate, but maybe we will get an opportunity at the committee stage to question that further.
Schedule 2 of the bill is a consequential amendment to section 18(3) of the Australian Security Intelligence Organisation Act 1979, which provides for circumstances where the Director-General of ASIO, or a person authorised by the director-general, may communicate information that has come into the possession of ASIO in the course of performing its functions under section 17 of the ASIO Act. It adds a paragraph which enables ASIO to disclose information where an emergency is declared under schedule 1 of the bill, to ensure that their work continues.
Labor believe that our privacy laws need to strike a balance between the value of sharing information for the benefit of individuals and the wider community and the privacy considerations that protect an individual’s personal information. It is important that the need for efficient responses to emergency and disaster situations are balanced by laws and systems that protect personal information from misuse. Labor support this bill. We believe that the measures it contains effectively strike the delicate balance that is needed. We commend the bill.
12:53 pm
Andrew Bartlett (Queensland, Australian Democrats) Share this | Link to this | Hansard source
The Democrats have significant concerns with the Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006. On the face of it, the justification given sounds perfectly reasonable—modifying privacy laws to ensure that they do not impede our ability to respond to major emergencies and disasters. Nobody could be concerned about that, but the big question is whether this bill does that and whether it does it to the minimum extent necessary or whether it is in fact being used as a Trojan Horse for dramatic weakening of the Privacy Act.
The Boxing Day tsunami and the Bali bombings were unquestionably major disasters—tragedies on a scale which, thankfully, we do not experience often in this county. The pain of those disasters is still with us in the hearts and minds of our population. We have had natural disasters in Australia before—Cyclone Tracy, the Ash Wednesday bushfires and a number of others—but the Bali bombings and the tsunami disaster not only were significant in scale but took place overseas, in some ways making them even more traumatic, making our ability to respond more difficult for reasons of distance. The need to operate in different jurisdictions, working with other governments and agencies of other nationalities added unique difficulties. We can all appreciate the anguish of families and friends seeking information on the whereabouts and news of their loved ones. And we can appreciate the difficulties of organisations attempting to help those caught up in the disasters, as they had to contend with both the sheer number of people involved and the mounting of assistance operations across international borders in circumstances of significant chaos.
We would all like to assist where we can in these times of emergency and appreciate the need for individuals and aid agencies to access necessary information. In these traumatic situations, Australians expect information to be accessible in order to assist in the disasters. They expect no less information than necessary but also no more than needed would be made available.
The Democrats believe that with small changes to our current privacy laws we can achieve what is necessary. We should remember that the current law already permits personal information to be used and disclosed in particular circumstances where individuals’ lives and health are at risk and in circumstances of national emergency. We support any minor modifications to our existing legal regime that would help facilitate the location of and assistance to Australians in these situations without undermining the central protections of our privacy laws.
The key question is: does the bill before us achieve this? The government will tell the Australian people that it does. If the problem as recently experienced by some aid organisations following the Bali bombings was to gain ready access to information about individuals to the extent necessary to assist them, then this bill does not achieve that. This bill allows the Prime Minister or Attorney-General, with the stroke of a pen, to dispense with all our privacy protections not only for tsunami or bomb situations but for any reason he or she may consider to be of ‘national importance’.
The government response in the form of this bill, in the view of the Democrats, goes well and truly over the top. It risks washing away significant parts of the privacy protections, which, it should be remembered, have taken a long time and a lot of effort and urging to put in place. It washes away those protections far beyond what the Democrats believe is necessary. Rather than start with the privacy structures already in place and take away only what is necessary to achieve the very precise and limited purpose, the government, in typical fashion, have thrown away all the privacy protections and merely added back some minimal and inadequate protections, putting all the power for doing so in their own hands.
The Democrats have a long history of fighting for the rights of individuals to privacy back to the days of former senator the late Janine Haines in the 1980s. This is a fundamental human right. I note that some members of the current coalition contest how valid the right to privacy is. It is certainly something the Democrats still believe is a basic and valid right which we should protect.
The Privacy Act itself highlights—indeed, it starts by reminding us—that Australia is a party to the International Covenant on Civil and Political Rights. This underlines the importance that the right to privacy holds in a democratic society like ours, one that seeks to uphold civil and political rights. We should not limit or remove those rights except in particularly dire circumstances and then only the minimum amount considered necessary to deal with the situation. I do not believe that Australians want to be exposed to ongoing potential breaches of their privacy for extended periods of time in a circumstance determined only by the Prime Minister or the Attorney-General of the day, and that is what this bill does. It is a blanket approach to curtailing the fundamental rights in relation to privacy, beyond what is necessary, which tips the balance in favour of government against the individual.
None of this should in any way be used to suggest that the Democrats do not recognise that there have been some difficulties experienced by aid agencies in getting access to information in times of disaster, but I draw attention to the evidence given by the Australian Privacy Foundation to the Senate Standing Committee on Legal and Constitutional Affairs examining this legislation. They said:
... examples given of the Privacy Act preventing sensible use of personal information are due either to a wilful or inadvertent misunderstanding of the Act, which would be best addressed through better short-term communications and long-term education rather than wholesale changes to the privacy protection framework in the Act.
In other words, in many cases the examples that people have given where they are saying that the existing act prevents sensible use of personal information are due to the fact that they do not understand the provisions of, and existing exemptions within, the act as it currently is.
There are already far less drastic means by which we can address the situation. For example, it is currently possible for the Privacy Commissioner—who is an independent officer, not a politician—to make a public interest determination where, after considering all competing issues, the commissioner considers whether the public interest in doing the act or engaging in the process ‘outweighs to a substantial degree’ the public interest in adhering to the Information Privacy Principles. Why can’t such a process, with a definitional guide that acknowledges what protection is being given up in a specific circumstance, be modified for emergency situations? There is no such guide at present in the emergency regime that the government is seeking to put in place.
Let us compare further. Currently, the Privacy Commissioner, in making a public interest determination, is required to give reasons, but under the declaration process that the government wants to put in place neither the Prime Minister nor the Attorney-General are required to give any reasons. All they need to say is that in their opinion this is a matter of national importance or national emergency. Let us draw comparisons with what is unfortunately a growing number of examples in other areas in the Attorney-General’s purview or areas like migration. There is, sadly, a growing number of areas where ministers can just make determinations or declarations, say it is in the public interest or the national interest and not need to give any reasons at all—just simply say: ‘It is because I say so.’ I do not believe, and the Democrats certainly do not believe, that that is adequate protection. The current regime also requires the commissioner to specify a time period for which a public interest declaration is to be in force. Limiting the time is something that the Prime Minister or the Attorney-General is not so adequately obliged to do by the declaration process contained in the legislation before us.
To give another example: another process for addressing emergencies that we currently have in place would begin by leaving the privacy regime and existing protections in place but suspending the effect of sanctions for breaching the privacy provisions—effectively, providing for exceptions in cases of national emergency. This already exists under section 23YUF of the Crimes Act, where the minister has the discretion to determine any situation to be an incident appropriate for the usual sanctions to be suspended. The Bali bombings are a specific example of one such incident. Why is it not possible to utilise these existing sections, which already—and quite reasonably, I might say—allow for part of our laws to be overridden where there is a genuine emergency?
Certainly, some aid organisations which gave evidence to the so-called ‘Big Brother’ inquiry expressed frustration that, following the Bali bombing and tsunami incidents, some organisations were still reluctant to disclose details of names, dates, actions and personal details of individuals, and this occasionally added to the difficulties in tracking down and assisting victims and their families. It should be emphasised that there were a lot of much larger difficulties that also impeded that important task. It must be emphasised that these incidents were of an enormous magnitude and a relatively uncommon type. The appropriate and proportional response is to allow limited circumstances for departure from our privacy regime for such uncommon and limited situations.
I do not believe that the departures contained in this legislation are very limited at all. I think they are quite disproportionate. The government’s bill will insert a whole new part into the Privacy Act, a whole new regime that can be implemented in place of our current regime at the stroke of a pen. The bill before us will allow emergencies to be declared in any type of situation that the Prime Minister or Attorney-General considers to be of national significance. The lack of definition or constraints around that do cause concern. It is worth noting that the government has explicitly included the words ‘assisting with law enforcement’ as a single legitimate permitted purpose for the purposes of such a declaration. How convenient it is for the government to be able to dispense with all manner of privacy protection for individuals when enforcing the law following a disruption that the government considers significant.
I believe that Australians should be concerned about the new power this gives to the Prime Minister and the Attorney-General—and to all future prime ministers and attorneys-general. Australians should be concerned about the capacity of government agencies, organisations and individuals to disclose and use their personal information in these as yet unknown circumstances and for potentially very significant amounts of time. Furthermore, if you, as an individual, have had your personal information disclosed by and to other entities, the government, in this legislation, has conveniently overlooked the need to destroy such information once the disaster is over or the information is no longer needed for the specific purpose at hand. It provides an open door to abuse of an individual’s privacy, all for the sake of government convenience.
I can understand the attraction for the government in having it made convenient and easy for them, but that is precisely why we have protections like these in the first place. It is always more convenient for government to not have to worry about these sorts of constraints and requirements for protecting citizens’ rights. That is inevitably the case. Again, I can point to a range of examples, both in Australia and amongst some of our allies overseas, where governments have seen great benefit to themselves in being able to work around or ignore the so-called constraints that ensure that the rights of individuals are protected. There are always those constraints, but they are meant to be constraints. They are there precisely because history shows us time and time again that, if you do not have the constraints, governments will abuse their powers. That is not particularly having a shot at this government; it is a simple inevitability. It is the nature of government, particularly for governments that have been in place for a prolonged period of time, to not respect the individual rights of citizens unless there are constraints in place that require them to do so.
Instead of addressing problems encountered during disasters and emergencies, the government has created a privacy disaster situation. The Democrats’ preferred approach would have been to modify only what is necessary under the existing privacy legislation structure, but we are not in a position to implement our preferred approach here; instead, we will be seeking to move amendments to the legislation in the committee stage of the debate to try to address some of the wrongs against our basic civil rights that arise under this bill.
It is worth emphasising that passing this bill unamended does not mean that the current government will automatically breach those rights. It does not mean that I am alleging that there is some devious, nasty, hidden plan where the government is just waiting for this bill to be passed so that it can leap forward into the breach and immediately start abusing privacy rights. But the legislation does, completely unnecessarily, open a significant loophole that will allow any government—future governments as well—to avoid complying with basic privacy rights if they happen to believe at the time that it is convenient or necessary. And what might seem necessary to a government is often very different from what might seem necessary to the wider community.
A balanced solution is possible—one that addresses the concerns of aid agencies and victims in times of emergency while protecting the Australian population from the overzealous dismantling of our privacy laws merely for government convenience. Again, I remind the community that it took a long time to put these privacy laws in place and it has taken a lot of effort to get them strengthened to the point they are at now. Of course, there are still inadequacies with those laws. Not least is the fact that political parties are not required to comply with the privacy laws. That is a perfect example of how political parties have chosen to exempt themselves from inconvenience. We in the Democrats try to ensure that we operate in a way that complies with the privacy laws even though we are exempt from them, because we believe that, in principle, political parties should be required to comply with them. It is an inconvenience—there is no doubt about that—but I think the Australian community would judge that it is an important or necessary inconvenience as a way of ensuring that people’s privacy rights are protected, or at least maximising the prospect of that.
If the government has been criticised for its slow response to emergencies in the past, I do not think that it can seriously blame the Privacy Act for that. A much better place to look is in its own internal procedures for responding promptly. It should have done that before invoking such a radical and unnecessary regime to deal with emergencies. We also need to recognise that in emergencies such as those I have been describing it is very easy to just point to the Privacy Act or some other piece of regulation and say, ‘That’s the problem there; it’s not our fault; it’s something else.’ We need to recognise that these circumstances, precisely because they are disasters, are inevitably chaotic. While that should not be used as an excuse for a slow response, we also need to recognise and accept across the political spectrum that we do not immediately leap in and start criticising agencies, whether government or otherwise, for failing to respond instantly. Sometimes that is just not possible; sometimes responding in a slightly more measured but well thought through way will lead to a much better long-term response than immediate and instant action for the sake of making it look as though action is happening.
On balance, this bill tips the balance too far against the individual in favour of restoring some of the ‘Big Brother’ power to government. I do not believe it is necessary in the circumstances. The Democrats will seek to remedy the situation, at least somewhat, via amendments in the committee stage.
1:13 pm
Chris Ellison (WA, Liberal Party, Minister for Justice and Customs) Share this | Link to this | Hansard source
I thank senators for their contribution to the debate on the Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006. This is an important bill. It is important because it amends the Privacy Act and makes consequential amendments to the Australian Security Intelligence Organisation Act.
The bill enhances information exchange between Australian government agencies, state and territory authorities, private sector organisations, non-government organisations and other bodies in an emergency or disaster situation. We have seen that happen with recent events, and I will not go into those at length; other speakers have canvassed the Bali bombings, the tsunami disaster and other emergencies which have required an immediate response from Australian authorities. I just want to say at this point that the response is required in a substantial form, not just for cosmetic reasons, as some might say. In fact I would totally reject that. When you have a disaster, you need to respond in a whole-of-government sense and you need to have that exchange of information between the agencies.
How does this interact with privacy in the privacy legislation? It is interesting. When you look at the evidence given to the Senate Standing Committee on Legal and Constitutional Affairs, which looked into this bill, you see that the Office of the Privacy Commissioner considered the issue of balancing the flow of information and privacy considerations during times of large-scale emergencies. It noted:
The scale and gravity of large scale emergencies have tested the application of the Privacy Act and raised questions as to how privacy protection should operate in such situations. The Privacy Act received criticism in the media after the tsunami disaster for lacking commonsense and for being unable to anticipate and cope with the extent of the tsunami disaster.
That came from the Office of the Privacy Commissioner. It was a concern that was echoed in the evidence given to the Senate Standing Committee on Legal and Constitutional Affairs—that is, we need to do something to address this need for exchange of information during an emergency. That is precisely what we are doing here.
I commend the Senate Standing Committee on Legal and Constitutional Affairs for its work. In fact, as a result of that report the government will be putting forward two amendments in the committee stage. I will not go into those details; I will leave that for the committee. But there are a number of issues that were raised by Senator Ludwig and Senator Bartlett, and I feel I need to address those in my speech in reply.
Senator Ludwig talked of the lack of notice given in relation to these amendments. As I understand it, the Senate committee reported last Thursday. The government then obtained approval for amendments to be made. They were circulated yesterday. I understand the Attorney-General spoke with the shadow Attorney-General’s office in relation to that, but that could not be done until policy approval had been obtained. What we had was a fairly quick consideration of the committee report, a response from the government and communication of that to the opposition.
Senator Ludwig also inquired as to the way we were couching this amendment in relation to the legislation that is in existence. Consideration was given to amending the Information Privacy Principles and the National Privacy Principles in the Privacy Act, as these principles govern the collection, storage, use and disclosure of personal information. However, the proposed amendments do not lend themselves to a simple amendment of these IPPs and NPPs, and the government thought it would be much clearer if a new part VIA was inserted in the Privacy Act to comprehensively deal with information exchange in an emergency or disaster situation. That deals with the point that Senator Ludwig makes as to how we have framed this amendment. We believe it is much clearer to have a new part VIA inserted in the act.
Senator Bartlett queried why this bill is needed when the Privacy Act already has exemptions which allow for disclosure of information in an emergency or disaster situation. Certainly disclosure of personal information in an emergency or disaster situation is permitted, but only if consistent with the Privacy Act. Some agencies and organisations take an unduly restrictive view of this; certainly that has impeded them in relation to the exchange of information in a disaster or an emergency situation. In an emergency, there simply may not be the time to resolve any potential privacy issues and apply the Privacy Act on the case-by-case basis that is required.
Of course, we have already gone over the fact that this delay in the exchange of information and in the response by government authorities, which is so important, can cause trauma to the families of victims. We believe these amendments provide a clear and certain legal basis for the collection, use and disclosure of personal information about deceased, injured and missing Australian individuals in an emergency or disaster situation. This gives a clear direction to those authorities, which is so needed in these events.
The other point raised by Senator Bartlett was the question that we were in some way displacing the Privacy Act or doing away with it. This bill provides for an emergency declaration; it will not displace the usual operation of the Privacy Act. It is a mechanism only for the emergency response for the whole of government, and the proposal to use this declaration is very much one which can accommodate the urgent needs of the situation at hand. We would submit that the public interest determination which can be used in the Privacy Act is too slow. It involves consultation and would simply be unwieldy in a situation where you needed that immediate response. We believe the emergency declaration, as such, is preferable over the current regime but, in other respects, the usual operation of the Privacy Act is not dispelled.
Senator Bartlett also asked why we do not adopt existing declaration mechanisms in other legislation, such as the Crimes Act, instead of creating this new emergency declaration mechanism. Of course there are a number of other mechanisms available in other pieces of legislation. But what senators have to remember is that this is related to an emergency situation, or a disaster, as it applies vis-a-vis privacy considerations. Those other determinations or declaration mechanisms that Senator Bartlett referred to involve different trigger mechanisms and different situations. It really would become somewhat of a muddle if we did not have a specific regime which applied to disasters and emergency situations as they related to the Privacy Act.
That deals with the points I wanted to cover in the speech in reply to the points raised by senators opposite. This bill will assist agencies and organisations in applying the Privacy Act less restrictively and with greater confidence, but it will also maintain those safeguards, which are so important. As I say, the government has two amendments in the committee stage which will reflect recommendations made by the Senate Standing Committee on Legal and Constitutional Affairs. I commend this bill to the Senate.
Question agreed to.
Bill read a second time.