Joe Ludwig (Queensland, Australian Labor Party, Manager of Opposition Business in the Senate) Share this | Hansard source

I rise today to speak on the Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006. This bill inserts a new part VIA in the Privacy Act to enhance the information exchange in an emergency or disaster situation. New part VI permits but does not compel the collection, use and disclosure of personal information about deceased, injured and missing individuals involved in an emergency or disaster, whether in Australia or overseas, between Australian government agencies, state and territory authorities, private sector organisations, non-government organisations and others.

Schedule 2 of the bill makes consequential amendments to the Australian Security Intelligence Organisation Act 1979. The need for these measures to address the practical issues faced by government agencies, the private sector and non-government organisations in times of emergency or disaster situations was highlighted during recent experiences, including September 11, the Bali bombings, the 2004 Asian tsunami and the evacuation of Australians out of Lebanon. While schedule 3 of the Privacy Act 1988 contains provisions that allow for the disclosure of personal information in times of emergency and disaster, the structure of the act is such that it is expected that these provisions will be applied on a case-by-case basis after careful analysis of the circumstances.

Recent emergencies and disasters highlighted the difficulties of applying these provisions with confidence during large-scale emergencies. In its review of the private sector provisions of the Privacy Act 1988, the Office of the Privacy Commissioner considered the issue of balancing the flow of information and privacy considerations during times of large-scale emergencies and noted:

The scale and gravity of large scale emergencies have tested the application of the Privacy Act and raised questions as to how privacy protection should operate in such situations. The Privacy Act received criticism in the media after the tsunami disaster for lacking commonsense and for being unable to anticipate and cope with the extent of the tsunami disaster.

Evidence to the OPC inquiry and to a subsequent inquiry into the Privacy Act 1988 by the Senate Legal and Constitutional References Committee revealed that some government agencies and private sector organisations adopted what can only be described as an overly cautious approach to interpreting the Privacy Act, impeding effective and timely assistance to Australians caught up in emergency situations.

The OPC’s March 2005 review, for example, highlighted the difficulty faced by airlines in the aftermath of the 2004 tsunami, when many Australians contacted them to find out whether those who were believed missing had continued flying after the tsunami hit. The Senate Legal and Constitutional References Committee report also noted similar evidence from the Department of Foreign Affairs and Trade, DFAT, and from the Australian Red Cross in relation to the Privacy Act’s impact on information-sharing on response and recovery in emergency situations overseas.

DFAT noted that the privacy legislation had restricted its ability to coordinate a whole-of-government response to these crises and that it particularly impeded its ability to access personal information held by other government agencies to help in its location, identification and assistance efforts, to provide personal information to other government agencies directly involved in the crisis response and to provide personal information to other government agencies to ensure that inappropriate actions, such as those concerning Centrelink payments and the like, were not taken against affected Australians.

DFAT noted its difficulty in accessing information from private sector organisations, particularly airlines and travel agencies, whose records would be useful in locating Australians. The submission by the Australian Red Cross to the committee highlighted difficulties experienced by the organisation in the aftermath of the 2002 Bali bombing. The ARC, for example, was unable to access lists held by DFAT of deceased, injured or missing persons nor was it able to share its own list of deceased and injured persons. The ARC noted that the organisation had to seek individual client permission to share even basic information about assistance provided. It observed that many affected Australians suffering injury and trauma expressed surprise and concern about having to provide the same information to many different agencies and, quite frankly, did not understand why this information could not be provided once and then shared across relevant agencies.

The OPC review and the Senate committee report both made a number of recommendations to address these difficulties. While the bill addresses the issue raised by both of these reviews, it does not act on the specific recommendation of the OPC as endorsed by the Senate committee. Rather than amend existing provisions to deal with emergencies and disasters through temporary public interest determinations made by the Privacy Commissioner, as recommended by the OPC, the bill inserts a new part and framework into the Privacy Act.

The bill covers both government agencies and private sector organisations and addresses information-sharing between government agencies in emergency situations as recommended by the Senate committee. Recent events where difficulties were experienced not only by departments and agencies such as DFAT, organisations such as the Australian Red Cross and travel related industries such as airlines but also by Australian families caught up in these tragedies demonstrate that these amendments to the Privacy Act should not be delayed.

Labor understands that the Attorney-General’s Department consulted extensively with stakeholders in drafting this bill and notes that most submissions to the Senate Standing Committee on Legal and Constitutional Affairs examination of the bill expressed broad support for the proposed amendments. Labor is satisfied that the proposed laws offer greater assurance to both government agencies and private organisations that personal information may be lawfully disclosed and exchanged during times of emergency or disaster either at home or abroad. This legislation will further ensure that assistance and relief to victims and their families will not be unduly delayed or complicated by privacy concerns.

I will now turn to some of the specific provisions in the bill. Time will not permit me to deal with all but perhaps some of the more important or cogent ones. Schedule 1 of the bill inserts a new part VIA in the Privacy Act 1988. The new provision in part VIA will operate only upon the making of a declaration under clause 80J or clause 80K that an emergency or disaster has occurred in Australia or overseas. These provisions specify that the emergency or disaster must have occurred. A declaration cannot be made in respect of an imminent event or warning.

Clause 80J provides the preconditions for the declaration by the Prime Minister or the Attorney-General of an emergency or disaster in Australia. Clause 80K provides the preconditions for the declaration by the Prime Minister or the Attorney-General in consultation with the Minister for Foreign Affairs of an emergency or disaster outside Australia. The requirement for the Minister for Foreign Affairs to be consulted in relation to events outside Australia reflects the sensitivity to diplomatic relations with other countries—an approach which Labor concurs with. According to clause 80L(1), an emergency declaration must be in writing and signed by the person making the declaration and it has effect from the time at which it is signed.

Clause 80M provides that an emergency declaration cannot be retrospective. It has effect from the time at which it was signed. Clause 80L(2) requires that an emergency declaration must be published on the Attorney-General’s Department website as soon as practicable after it has taken effect and by notice published in the Gazette. Clause 80N provides for when declarations cease to have effect. The Senate Standing Committee on Legal and Constitutional Affairs recommended that a maximum period of 12 months should apply to a declaration of emergency under clause 80J and clause 80K. We understand somewhat belatedly that the government has proposed amendments to reflect this recommendation, and I will deal with those in the committee stage of the bill.

However, it does bear comment that the Attorney-General’s Department realised that what was proposed in the recommendations was worthy of support. Therefore, we are surprised that it took them so long to get to that place and also to ensure that, if they are going to read committee reports and pick up any recommendations, it is necessary for them to signal at the earliest possible time that they intend to do that. The simple courtesy of contacting the office of the shadow minister for the Attorney-General and letting them know that these amendments are to be forthcoming might make the passage through both houses of parliament a little easier, rather than just dropping the amendments in here and expecting us all to read them and work out that they relate to those recommendations and are a true reflection of them. If they have departed from them, then they can take that up as well. We will look carefully at the amendments during the committee stage of the bill.

The making of an emergency declaration under clause 80J or clause 80K triggers the operation of new part VIA. Clause 80R(1) provides that part VIA of the bill has a broad operation and is not limited by any other secrecy provisions in the law of the Commonwealth unless that secrecy provision expressly excludes the operation of 80R. Importantly, clause 80R(2) provides that nothing in the part compels the collection or use or disclosure of personal information; it is simply a permissible act. The decision to disclose personal information will remain at the discretion of the individual agency or organisation.

Clause 80H defines the meaning of ‘permitted purpose’. Clause 80H(2) provides examples with that limitation of the types of situations in which the collection, use and disclosure of personal information may be authorised under clause 80P. We note that the Senate Standing Committee on Legal and Constitutional Affairs recommended that clause 80H(1) be amended to limit ‘permitted purpose’ to a purpose that directly relates to the Commonwealth’s response to an emergency or disaster. We also understand that the government has proposed amendments to this effect. As I said, we will deal with those during the committee stage.

Clause 80H(2)(e) confirms that a disclosure of relevant information to a person responsible, as defined in National Privacy Principle 2.5 of the Privacy Act, for the individual involved in the emergency or disaster, is a permitted purpose under part VIA. According to the explanatory memorandum, this clause addresses the concern that people, such as relatives, could be denied information regarding the welfare of family members because of concerns about the application of the Privacy Act. This provision takes up the OPC’s recommendation to enable disclosure of personal information to a ‘person responsible’ in times of emergency, but it has not extended or clarified the definition of ‘person responsible’ in National Privacy Principle 2.5.

We are concerned that there is no mechanism providing for the number of family members who may come within the definition of ‘person responsible’ under National Privacy Principle 2.5. It may be preferable in such situations for one such person to be a nominated individual, rather than for information to be disclosed numerous times—or it may be vital that all can have access. That is a matter that needs to be looked at further. In addition, National Privacy Principle 2.5 appears to define ‘person responsible’ for the purposes of 2.4, relating to the disclosure of health information, and therefore may require amendment if it is for this wider purpose. We urge the government to address these concerns.

Clause 80P(1) permits the collection, use or disclosure of personal information relating to an individual if the person, agency or organisation collecting, using or disclosing the information reasonably believes that the individual may be involved in the emergency or disaster; and the collection, use or disclosure is for a permitted purpose. Clause 80P(1)(c) deals with who government agencies may disclose personal information to. There are a couple of other provisions. Time will not permit me to deal with some of the other matters in detail.

Clause 80P(2) ensures that an entity is not liable for contravening a secrecy provision by using or disclosing personal information—it is important to ensure that the legislation contains that safeguard—unless the secrecy provision is a designated secrecy provision. A designated secrecy provision is defined in clause 80P(7) to include secrecy provisions binding the Inspector-General of Intelligence and Security. In that way we ensure that there are reasonable safeguards in the legislation. It also does not exclude, but deals with, the secrecy issues that sometimes, unfortunately, arise. Clause 80P(3) provides that an entity is not liable for contravening a duty of confidence in respect of disclosing personal information where authorised to do so by clause 80P(1). The department has advised that this most commonly would relate to the common-law duty of confidentiality to which banks are subject.

Clause 80Q creates an offence for unauthorised secondary disclosures. The government is proposing to put in place a scheme where you can protect the information that is disclosed and also protect any secondary disclosure. It is also intended to ensure that the bill has its widest possible operation, consistent with Commonwealth and constitutional legislative power. As such, we have clause 80S, concerning severability. Clause 80T concerning compensation for acquisition of property is, according to the EM, ‘the standard constitutional safety net provision’. It is comforting to see that the government has sought to ensure that that is there. The Auditor-General’s Department advises that, although it is not expected that the new part VIA will result in an acquisition of property within the meaning of that expression in the Constitution, clause 80T was included on advice from the AGS—perhaps with an overabundance of caution, given that it was the Australian Government Solicitor. This seems an inappropriate provision in this bill and we cannot understand why it is here, even out of an abundance of caution. It seems a little inappropriate, but maybe we will get an opportunity at the committee stage to question that further.

Schedule 2 of the bill is a consequential amendment to section 18(3) of the Australian Security Intelligence Organisation Act 1979, which provides for circumstances where the Director-General of ASIO, or a person authorised by the director-general, may communicate information that has come into the possession of ASIO in the course of performing its functions under section 17 of the ASIO Act. It adds a paragraph which enables ASIO to disclose information where an emergency is declared under schedule 1 of the bill, to ensure that their work continues.

Labor believe that our privacy laws need to strike a balance between the value of sharing information for the benefit of individuals and the wider community and the privacy considerations that protect an individual’s personal information. It is important that the need for efficient responses to emergency and disaster situations are balanced by laws and systems that protect personal information from misuse. Labor support this bill. We believe that the measures it contains effectively strike the delicate balance that is needed. We commend the bill.