Save Search

Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006

Bill home page  


Download WordDownload Word


Download PDFDownload PDF

 

 

 

 

 

2004-2005-2006

 

 

 

 

 

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

 

 

 

 

 

SENATE

 

 

 

 

 

 

 

PRIVACY LEGISLATION AMENDMENT

(EMERGENCIES AND DISASTERS) BILL 2006

 

 

 

 

 

 

EXPLANATORY MEMORANDUM

 

 

 

 

 

 

 

 

 

(Circulated by authority of the Attorney-General,

the Honourable Philip Ruddock MP)



PRIVACY LEGISLATION AMENDMENT

(EMERGENCIES AND DISASTERS) BILL 2006

 

OUTLINE

 

The Privacy Legislation Amendment (Disasters and Emergencies) Bill 2006 makes amendments to the Privacy Act 1988 and the Australian Security Intelligence Organisation Act 1979 .

 

Schedule 1 of the Bill inserts a new Part VIA in the Privacy Act to enhance information exchange between Australian Government agencies, State and Territory authorities, private sector organisations, non-government organisations and others, in an emergency or disaster situation.  The Privacy Act already has exemptions concerning use and disclosure of personal information that afford agencies and organisations some flexibility in an emergency or disaster situation.  However, these have proven difficult to apply with confidence in crises involving mass casualties and missing persons, because of uncertainty as to the extent of their application.  Part VIA of the Bill is aimed at addressing the practical issues faced by agencies, the private sector and non-government organisations, which were highlighted during events such as the Asian tsunami in December 2004.

 

Part VIA establishes a clear and certain legal basis for the management of the collection, use and disclosure of personal information about deceased, injured and missing individuals involved in an emergency or disaster, whether it occurs in Australia or overseas.  Part VIA does not compel disclosure of personal information but confirms that disclosure is permitted.  Part VIA places beyond doubt the capacity of the Australian Government and others to lawfully exchange personal information in an emergency or disaster situation.  Part VIA ensures that agencies make clear and timely decisions on information exchange in order to deliver necessary services to victims of tragedies.  Part VIA will assist agencies and organisations in applying the Privacy Act less restrictively and with greater confidence in regard to the personal information that may be disclosed under the Privacy Act.

 

Part VIA will operate only upon the making of a declaration by the Prime Minister or the Attorney-General.  In order for information exchange to occur effectively, Part VIA overrides most agencies’ secrecy provisions.  However, Part VIA is not intended to override agencies’ internal information management processes.  It assumes that all disclosures will take place in conformity with the usual authorisations and other internal controls.

 

Schedule 2 of the Bill makes a consequential amendment to the Australian Security Intelligence Organisation Act 1979 to ensure that ASIO is not prevented from disclosing personal information when an emergency is declared under Part VIA .

 

 



FINANCIAL IMPACT STATEMENT

 

As the effect of the Bill is to clarify and confirm the basis on which personal information may be lawfully exchanged, it is not expected that there will be any new significant financial impact.



NOTES ON CLAUSES

 

Clause 1: Short title

 

1.  This clause sets out the title by which the Bill, when enacted, is to be cited - Privacy Legislation Amendment (Emergencies and Disasters) Act 2006.

 

Clause 2: Commencement

 

2.  This clause provides that the Bill, when enacted, will come into operation on the day after the Bill receives Royal Assent.

 

Clause 3: Schedule(s)

 

3.  This clause provides that the amendments made by the Bill, when enacted, are as set out in the Schedules.

 

 

SCHEDULE 1 - Privacy Act 1988

 

1.  After Part VI

 

Part VIA - Dealing with personal information in emergencies and disasters

 

4.  Item 1 inserts a new Part VIA in the Privacy Act.

 

Division 1 - Object and interpretation

 

5.  The purpose of Part VIA is to enhance information exchange between Australian Government agencies, State and Territory authorities, private sector organisations, non-government organisations and others in the event of an emergency or disaster, when an emergency declaration is in force under the Bill.

 

6.  The proposed amendments will establish a clear and certain legal basis for the management of the collection, use and disclosure of personal information about deceased, injured and missing individuals involved in an emergency or disaster.

 

Clause 80F  Object

 

7.  Clause 80F sets out the object of Part VIA.

 

8.  The effect of this clause is to establish that the overriding policy objective in Part VIA is to enhance the exchange of personal information in an emergency or disaster.

 

Clause 80G  Interpretation

 

9.  Clause 80G defines key terms in Part VIA.

 



10.  Relevantly, a secrecy provision means a provision of the law of the Commonwealth, including a provision of the Privacy Act, that prohibits or regulates the use or disclosure of personal information generally, or in specified circumstances.  A  secrecy provision does not include a provision that authorises collection of information.

 

Clause 80H  Meaning of permitted purpose

 

11.  Clause 80H defines the meaning of a permitted purpose.   This is relevant to clause 80P.

 

12.  The effect of this clause is to limit the types of situations in which the collection, use and disclosure of personal information may be authorised under clause 80P.

 

13.  A permitted purpose is a purpose that has some temporal, physical or other connection to action taken by the Commonwealth in response to an emergency or disaster in respect of which an emergency declaration under the Bill is in force.

 

14.  Subclause 80H(2) provides a list of purposes which may be construed as having a sufficient connection to the Commonwealth’s response to an emergency or disaster.  The list is intended merely as a guide and should not be interpreted to limit the generality of the definition in subclause 80H(1).  The purposes listed are:

 

·           identification of individuals involved in the emergency or disaster;

·           assisting those individuals to obtain necessary services;

·           assisting with law enforcement in relation to the emergency or disaster;

·           coordination or management of the response to the emergency or disaster; and

·           ensuring people who are responsible (as defined in National Privacy Principle 2.5 of the Privacy Act) for individuals who are, or may be, involved in the emergency or disaster are appropriately informed of matters concerning the individual’s involvement in the emergency or disaster, or the response to the emergency or disaster in relation to those individuals.

 

15.  Importantly, paragraph 80H(2)(e) confirms that informing a person responsible (as defined in National Privacy Principle 2.5 of the Privacy Act) for the individual involved in the emergency or disaster of matters relevant to the individual’s involvement in the emergency or disaster, is a permitted purpose under Part VIA. 

A person responsible includes a parent, child and spouse.  Paragraph 80H(2)(e) addresses the concern that people, such as relatives, could be denied information regarding the welfare of family members because of concerns about the application of the Privacy Act.  This provision makes it clear that a disclosure to a relative or person nominated by the individual to be contacted in case of emergency is permissible in the circumstances contemplated in Part VIA.

 



Division 2 - Declaration of emergency

 

Clause 80J  Declaration of emergency - events of national significance

 

16.  Clause 80J enables either the Prime Minister or the Attorney-General to make an emergency declaration, if the conditions listed in clause 80J are satisfied.

 

17.  The emergency declaration has the effect of triggering the operation of Part VIA, which otherwise would not operate.

 

18.  The preconditions to the making of an emergency declaration in paragraph 80J(a) are:

 

·           an emergency or disaster has occurred; and

·           the emergency or disaster is of a kind which would make it appropriate that personal information be exchanged; and

·           the emergency or disaster is of national significance (for the reasons listed in paragraph 80J(c)); and

·           the emergency or disaster has affected at least one or more Australian citizens or permanent residents.

 

19.  The words emergency and disaster are not defined in the Bill and therefore have their ordinary meaning.  This ensures flexibility in the operation of the Bill, as the types and circumstances of emergency or disaster are too numerous to allow for sensible definition.

 

20.  The note attached to clause 80J makes it clear that an emergency declaration under clause 80J is made solely for the purpose of triggering the operation of Part VIA.  The emergency declaration does not have any effect under any other legislative or non-legislative scheme relating to emergencies, such as that relating to emergency management.  The emergency declaration is a self-contained mechanism in the Bill which is not linked in any way to other declarations.

 

Clause 80K  Declaration of emergency - events outside Australia

 

21.  The effect of clause 80K is that when the conditions in subclause 80K(1) are satisfied, a declaration of an overseas emergency may be made by either:

 

·          the Prime Minister; or

·          the Attorney-General in consultation with the Minister for Foreign Affairs.

 

22.  The emergency declaration has the effect of triggering the operation of Part VIA, which otherwise would not operate.

 

23.  The preconditions to the making of an emergency declaration in subclause 80K(1) are:

 

·           an emergency or disaster has occurred outside Australia; and

·           the emergency or disaster is of a kind which would make it appropriate that personal information be exchanged; and

·           the emergency or disaster has affected at least one or more Australian citizens or permanent residents.

 

24.  The words emergency and disaster are not defined in the Bill and therefore have their ordinary meaning.  This ensures flexibility in the operation of the Bill, as the types and circumstances of emergency or disaster are too numerous to allow for sensible definition.

 

25.  The note attached to clause 80K makes it clear that an emergency declaration under clause 80K is made solely for the purpose of triggering the operation of Part VIA.  The emergency declaration does not have any effect under any other legislative or non-legislative scheme relating to emergencies, such as that relating to emergency management.  The emergency declaration is a self-contained mechanism in the Bill which is not linked in any way to other declarations.

 

Clause 80L  Form of declarations

 

26.  Clause 80L provides that the emergency declaration must be in writing and signed by the person making the declaration (who is either the Prime Minister or the Attorney-General).

 

27.  Subclause 80L(2) provides that the emergency declaration must be published on the Attorney-General’s Department Internet website and in the Gazette , so that it is publicly known that an emergency declaration has been made.

 

28.  The effect of subclause 80L(3) is that an emergency declaration is not a legislative instrument within the meaning of section 5 of the Legislative Instruments Act 2003 .  A legislative instrument is defined in section 5 of the Legislative Instruments Act.  In general terms, a legislative instrument is a written document that is of a legislative character and is made in the exercise of a power delegated by Parliament.  Requirements relating to registration, tabling, scrutiny and sunsetting of all Commonwealth legislative instruments are imposed under the Legislative Instruments Act.  Subclause 80L(3) has been included to assist readers of the Bill, so that they are aware that the requirements imposed by the Legislative Instruments Act do not apply to an emergency declaration under the Bill.

 

29.  The declaration is an administrative declaration which does not constitute a legislative instrument within the meaning of the Legislative Instruments Act.  All the consequences of the declaration are set out in the Bill and there is nothing in the declaration itself that sets out new rules or imposes obligations.

 

Clause 80M  When declarations take effect

 

30.  Clause 80M provides that the emergency declaration has effect from the time at which it is signed.  The emergency declaration will have prospective operation only.

 



Clause 80N  When declarations cease to have effect

 

31.  Clause 80N ensures that the emergency declaration does not operate indefinitely.

 

32.  Clause 80N provides that an emergency declaration expires either:

 

·           at a date specified in the declaration; or

·           if no date is specified, on the date on which the declaration is revoked.

 

33.  If no date is specified for the expiry of the emergency declaration and the declaration has not been revoked, the declaration will automatically expire 12 months after the declaration is made.

 

Division 3 - Provisions dealing with the use and disclosure of personal information

 

Clause 80P  Authorisation of collection, use and disclosure of personal information

 

34.  Clause 80P permits an entity (as defined in subclause 80P(7)) to collect, use or disclose personal information in the event of an emergency declaration.  An emergency declaration under clause 80J or clause 80K must be in force for clause 80P to operate.

 

35.  Subclause 80P(1) permits the collection, use or disclosure of personal information relating to an individual if:

 

·          the person, agency or organisation collecting, using or disclosing the information reasonably believes that the individual may be involved in the emergency or disaster; and

·          the collection, use or disclosure is for a permitted purpose (as defined in clause 80H).

 

36.  Paragraphs 80P(1)(c) and 80P(1)(d) place special limits on the types of bodies to whom agencies, organisations and persons can disclose personal information under Part VIA.

 

37.  Paragraph 80P(1)(c) enables agencies to pass relevant information to the bodies listed in paragraph 80P(1)(c).  This enables agencies to perform their functions and provide assistance.

 

38.  Subparagraph 80P(1)(c)(v) makes it clear that disclosure can occur to a person responsible (as defined in National Privacy Principle 2.5 of the Privacy Act) for the individual.  A person responsible includes a parent, child and spouse.

 

39.  Paragraph 80P(1)(e) makes it clear that disclosure to a media organisation is not permitted under Part VIA.  If any disclosures need to be made to the media, they should be made in accordance with the normal operation of the Privacy Act.

 

40.  Subclause 80P(2) ensures that an entity (as defined is subclause 80P(7)) is not liable for contravening a secrecy provision by using or disclosing personal information, where it is authorised to do so by subclause 80P(1), unless the secrecy provision is a designated secrecy provision (as defined in subclause 80P(7)).

 

41.  Subclause 80P(3) ensures that an entity (as defined is subclause 80P(7)) is not liable for contravening a duty of confidence in respect of disclosing personal information, where authorised to do so by subclause 80P(1).  An example of a duty of confidence is the common law duty of confidentiality to which banks are subject.

 

42.  Subclause 80P(4) ensures that an agency does not breach an Information Privacy Principle in the Privacy Act in respect of the collection, use or disclosure of personal information, where it is authorised to do so by subclause 80P(1).

 

43.  Subclause 80P(5) ensures that an organisation normally subject to the National Privacy Principles in the Privacy Act, does not breach either an approved privacy code or a National Privacy Principle in respect of the collection, use or disclosure of personal information, where it is authorised to do so by subclause 80P(1).

 

44.  Subclause 80P(6) ensures that collection, use or disclosure of personal information can only occur by an officer or employee of an agency who is authorised to collect, use or disclose personal information.

 

45.  Subclause 80P(7) defines the term designated secrecy provision to include secrecy provisions binding the Inspector-General of Intelligence and Security and the intelligence agencies.  The term designated secrecy provision is used in subclause 80P(2).  The Inspector-General of Intelligence and Security and most intelligence agencies are completely exempt from the Privacy Act.  Other intelligence agencies are partially exempt in relation to their intelligence collection and analysis activities.  It would not be appropriate to override secrecy provisions on the use and disclosure of information in legislation that applies to the Inspector-General of Intelligence and Security and the intelligence agencies.  In addition, the Bill does not affect requirements on the collection of intelligence in legislation governing those agencies.

 

46.  Subclause 80P(7) defines the term entity.   This term is used in clauses 80P and 80R.

 

Division 4 - Other matters

 

Clause 80Q  Disclosure of information - offence

 

47.  Clause 80Q creates an offence for unauthorised secondary disclosures.  A secondary disclosure occurs when a person to whom personal information has been disclosed under Part VIA subsequently discloses that information.  The penalty applying to this offence is 60 penalty units or one year imprisonment, or both.

 

48.  The offence does not apply to a person responsible (as defined in National Privacy Principle 2.5 of the Privacy Act) for the individual involved in the emergency or disaster.  A person responsible includes a parent, child and spouse.  This ensures that a person with a close connection to the individual, such as a relative, is not penalised for passing on information regarding the welfare of the individual received under these arrangements.  This reflects the policy that the Privacy Act does not generally apply to individuals, as distinct from agencies and organisations.

 

49.  Subclause 80Q(2) authorises secondary disclosure of personal information received under Part VIA in prescribed circumstances.  The offence provision therefore does not apply to those disclosures.  The disclosures that are permitted are those:

 

·          made by an agency under an Information Privacy Principle in the Privacy Act;

·          made by an organisation under an approved privacy code or a National Privacy Principle in the Privacy Act;

·          permitted under clause 80P;

·          made with the consent of the individual to whom the information relates;

·          made to the person to whom the information relates;

·          made to a court; and

·          prescribed by the regulations.

 

50.  The note attached to subclause 80Q(2) makes it clear that a defendant bears the evidential burden of establishing any of the exceptions listed in subclause 80Q(2).  This is because of the operation of subsection 13.3(3) of the Criminal Code.  It is appropriate for the defendant to bear the onus of proving these matters as they are matters that, by their nature, are peculiarly within the knowledge of the defendant.

 

51.  Subsection 9.3(2) of the Criminal Code has the effect that the prosecution will not be required to establish that the person knew or was aware that the information was disclosed because of the operation of  Part VIA - only that the information was disclosed.  Consequently, subsection 9.3(1) of the Criminal Code will apply, and ignorance of, or mistake about, the law will not preclude criminal liability.

 

Clause 80R  Operation of Part

 

52.  Clause 80R ensures that Part VIA of the Bill has a broad operation and is not limited by any other secrecy provision in a law of the Commonwealth unless that secrecy provision expressly excludes the operation of clause 80R.

 

53.  Subclause 80R(2) makes it clear that Part VIA is intended only to permit , and not to compel persons, agencies or organisations to collect, use or disclose personal information in an emergency or disaster situation.

 

Clause 80S  Severability - additional effect of Part

 

54.  Clause 80S is intended to ensure that the Bill is given the widest possible operation consistent with Commonwealth constitutional legislative power.

 



Clause 80T  Compensation for acquisition of property - constitutional safety net

 

55.  It is not expected that any provisions in Schedule 1 of the Bill will result in an acquisition of property within the meaning of that expression in the Constitution.  However, clause 80T is the standard constitutional safety net provision.

 



SCHEDULE 2 - Australian Security Intelligence Organisation Act 1979

 

1  At the end of subsection 18(3)

 

56.  Item 1 is a consequential amendment to subsection 18(3) of the Australian Security Intelligence Organisation Act 1979 .

 

57.  Section 18 of the ASIO Act is a secrecy provision which limits the communication of intelligence on behalf of ASIO to the Director-General of ASIO or a person acting within the limits of authority conferred on the person by the Director-General.

 

58.  Subsection 18(3) of the ASIO Act provides for circumstances where the Director-General or a person authorised by the Director-General may communicate information that has come into the possession of ASIO in the course of performing its functions under section 17 of the ASIO Act.  Communications under this subsection are limited to information in relation to the commission of an indictable offence in Australia, or to information that has come into the possession of ASIO outside Australia or concerns matters outside Australia.

 

59.  Section 18 of the ASIO Act is a designated secrecy provision (as defined in subclause 80P(7) of the Bill).  Item 1 is necessary to enable ASIO to disclose information where an emergency is declared under Schedule 1 of the Bill.  Relevant information could then be disclosed if authorised in those circumstances by the Director-General or by a person authorised by the Director-General for that purpose.

 

60.  This item ensures consistency with the operation of similar secrecy provisions in legislation governing other intelligence agencies, in the circumstance where an emergency declaration is made under the Bill.