Petro Georgiou (Kooyong, Liberal Party) Share this | Hansard source

The Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006 seeks to amend areas of both the Privacy Act 1988 and the ASIO Act 1979. The object is to facilitate a better network of information sharing between government and non-government agencies involved in emergency response operations both in Australia and abroad. The driving force behind this legislation is the need to respond effectively to disasters. As evidenced by submissions to the Senate Standing Committee on Legal and Constitutional Affairs, the broader community has welcomed this clarification of the privacy laws in crisis situations. For example, the Office of the Privacy Commissioner concluded:

This clarification will assist individuals directly affected by an emergency or disaster and will also assist government agencies and private sector organisations, where appropriate, to collect, use or disclose personal information to assist those individuals directly affected. This will allow the Australian Government to provide an appropriate and timely response to the emergency or disaster.

In light of recent large-scale disasters in our own region, a modification to our privacy laws is a necessity. This bill acknowledges the frustrations experienced by disaster relief agencies during recent emergencies such as the 2002 Bali bombing and the 2004 Boxing Day tsunami. It establishes a clear legal basis for the sharing of personal information between relevant organisations, and it will result in a more efficient operation of emergency information management. All agencies and organisations will, with confidence in the protection of the law, be able to assist each other in the exchange of personal information about those directly affected by the disaster. Victims and their families will be spared the added distress of having to repeat the same information over and over to different agencies. We will not in the future, hopefully, encounter the situation experienced by the Australian Red Cross during the aftermath of the Bali bombing. The Red Cross, unable to access lists of deceased, injured or missing victims held by other agencies, saw the suffering of those affected by the disaster exacerbated.

It is becoming increasingly apparent with recent global events that there is a need to reduce the complexity of current legal arrangements. The Privacy Act 1988 does already allow for the suspension of customary privacy regulations in particular circumstances. Exemptions, however, can only be applied after detailed consideration of the specifics of the situation on a case-by-case basis. Some have argued that this is adequate if the Privacy Act is properly understood; consequently, the sensible use of the current act merely requires a greater awareness of the existing exemptions, which can be achieved by broader education. However, in times of crisis, restricting information sharing to a case-by-case basis is not efficacious. The amendments made by this bill will eliminate any unnecessary ambiguity in the law. Confident of their rights and obligations in emergency situations, organisations will be able to collect, use and disclose information to best serve the needs of victims and their families. Faced with a crisis situation, there will no longer be a lack of clear understanding as to the legalities of sharing information. The bill does not compel disclosure and it will not force agencies to exchange information. It will, however, create an environment where agencies can be confident in sharing and seeking information in the pursuit of effective emergency management without fear of legal penalty. This in turn should ensure that victims and their families receive accurate information about their loved ones without unnecessary delay.

The bill before us has been extensively researched. Upon introduction to the Senate it was referred to the Senate Standing Committee on Legal and Constitutional Affairs for further analysis and debate. The committee heard from a variety of state and federal government agencies, private sector organisations and non-government organisations. These included the Acting Privacy Commissioner, CrimTrac, the Queensland Police Service and St John Ambulance Australia. Upon the conclusion of the inquiry, the committee put forward two substantive recommendations to the Attorney-General. I would like to commend the work of the Senate Standing Committee on Legal and Constitutional Affairs with regard to this bill. In fact, I think that this committee does a very effective job on other bills that are even more controversial than this one. Its analysis has resulted in both recommendations from the report being accepted and included by the government.

The committee first recommended that the wording of subclause 80H(1) be changed to reflect more adequately the highly unusual circumstances in which such a deviation from normal privacy laws could occur. As it originally stood, this clause defined ‘permitted purpose’ as:

... a purpose that relates to the Commonwealth’s response to an emergency or disaster in respect of which an emergency declaration is in force.

The committee recommended that the term ‘permitted purpose’ be amended to a purpose that ‘directly relates to the Commonwealth’s response to an emergency or disaster’. The introduction of this amendment into the bill is an important addition as it imposes limits on the circumstances in which the disclosure of personal information can be sought. The purpose must now relate directly to the Commonwealth’s response to the situation. It also establishes that the type of personal information available to be shared is of direct relevance to the emergency response operation at hand.

One of the criticisms levelled at the bill was that it went too far. It has been argued that to insert a whole new part into the Privacy Act overemphasises the need for change, focusing on incidents which are relatively uncommon and which thereby allow a departure from our privacy regime which is inappropriate and disproportionate to such limited situations. I believe that the second committee recommendation alleviates this concern. In the committee hearing stage, concerns were raised about the lack of limitation on the duration of an emergency declaration being in effect. In light of this, the committee recommended that an emergency declaration should cease to have effect at the end of a 12-month period. The bill now incorporates this recommendation. If no date is specified for the expiration of the emergency declaration and the declaration has not been revoked, it will automatically expire 12 months after the declaration is made.

The acceptance of this recommendation into the bill is a significant amendment. It recognises, having taken account of numerous submissions, that there is a need to impose a time limit on such declarations. Some agencies, however, still expressed concern about the length of time that ordinary privacy requirements could be suspended and could therefore be open to misuse. This was raised in reference to the balancing of access to information and respect for privacy concerns. These concerns were shared by the Senate committee, but the Attorney-General has emphasised that the bill does not displace the usual operations of the Privacy Act.

When the Senate’s two recommended changes are placed alongside each other the law is able to have a two-pronged effect. Firstly, the bill allows sufficient time for the processes of victim identification to be largely completed when responding to a major emergency or disaster. Secondly, it ensures that the privacy rights of people not involved in the emergency are protected for the entirety of the emergency declaration. Mr Deputy Speaker, where legislation might impact upon individual rights, even when we speak only about rare and limited situations, we do need to be cautious. We need to be careful that our responses are proportionate and appropriate. Thankfully, emergency and disaster incidents remain relatively uncommon. As such, departures from our normal privacy regimes need to be quite rare. It must be ensured that provisions enacted for the explicit purpose of information sharing in direct relation to a particular and extreme situation are not misused. This means having strict and clear guidelines. It means providing clear legislation about how such personal information is used, as is specified in clause 80P, and for how long the exchange of such personal information is permitted, as specified in clause 80N. It also means having a clear understanding of the purpose for which the release of information has been permitted, as outlined in clause 80H. It is also important that data acquired for particular and extraordinary purposes be destroyed when the disaster has been dealt with, for much of this information will be of a sensitive and delicate nature.

In times of uncertainty it is important to institute the necessary means to best serve the interests of a majority of people. It is also important to respect the interests of the individual. It is to be remembered that such emergencies of national significance are rare and that it is only within the context of such isolated events that these steps will be taken. This legislation will allow for the better serving of the interests of Australians in times of dire need, and I commend the bill to the House.

See this speech in context