Additional comments and points of Dissent by the Australian Democrats

Additional comments and points of Dissent by the Australian Democrats

1.1        While we understand that government agencies and non-government organisations need to use personal information in times of disaster relief, we believe that this need can be accommodated by minor legislative amendment to the current framework for these limited circumstances, without the necessity to invoke such far reaching changes to our current privacy regime as are envisaged by this bill. 

1.2        Among the aims of the bill stated in the Explanatory Memorandum is that it will ensure that agencies make clear and timely decisions on information exchange in order to deliver necessary services to victims.[1]  Recent and particularly large scale disasters such as the Bali bombing and Boxing Day tsunami have highlighted the anguish and distress of victims of these disasters and their loved ones back home, in trying to locate individuals who may be affected, and to access assistance from organisations involved in disaster relief.  Indeed, there are already provisions (contained in Information Privacy Principle 10.1 and 11.1 and National Privacy Principle 2.1) that permit the use of personal information to assist in situations like these. 

1.3        However the breadth and size of those international disasters has caused criticism to be directed towards the Privacy Act 1988 as inhibiting the location and assistance of individuals.  The Democrats believe the current legislation can be modified to facilitate this assistance, while still leaving the current privacy architecture in place.  This bill however, would permit the Minister or Prime Minister to completely dismantle the system and processes of protections we currently enjoy at the stroke of a pen.  It would allow information to be disclosed to, and by, a far greater range of organisations and individuals, for a far greater range of situations, and for far longer than most Australians would consider reasonable.  The Democrats share the concerns expressed by the Australian Privacy Foundation in its submission, and draw attention to the following specific concerns. 

The circumstances in which an emergency can be declared are unnecessarily broad and may include so-called ‘emergencies’ far different from the Bali bombing or Boxing Day tsunami type of emergency most Australians would imagine.  

1.4        In declaring a situation of emergency, the bill envisages that:

    1. an emergency has occurred – subclause 80J(a), and
    2. is considered to be of “national significance” – subclause 80J(c), and
    3. has affected at least one person – subclause 80J(d).

1.5        The definition of “national significance” in paragraph 80J(c)) is extremely broad, and may relate to the “nature” or “extent” of the situation.  Assuming the “extent” refers in some way to size, no indication is given as to what threshold test (eg. affecting how many people, or costing how much money) constitutes sufficient “extent” to be considered significant.  The “nature” (paragraph 80J(c)) of the situation is left completely open to interpretation, and may permit a wide range of vaguely problematic situations to be deemed by the Minister or Prime Minister, as of a type “appropriate” (paragraph 80J(b)) for declaration.  Paragraph 80J(c) explicitly allows for “indirect” effects of an emergency to be considered by the Minister to be of “national significance”.  The Democrats are concerned that in these circumstances, it will be possible for an emergency to be declared and privacy protections dispensed with, in situations not contemplated or able to be questioned by Parliament. 

1.6        While this may give flexibility to the Minister or Prime Minister to declare an emergency in unforeseen events, the Democrats believe when Australians contemplate the Bali bombing and Boxing Day tsunami situation, they have a particular and limited set of circumstances in mind, in which privacy protection might reasonably be reduced.  We therefore do not believe that such a emergency cannot be accommodated by legislative amendment within the current legislative framework.  We agree with the Office of the Federal Privacy Commission and the Australian Privacy Foundation, that deeming of “National Emergency” should be determined by the Minister to be an ‘incident’ under section 23YUF of the Crimes Act 1914

The capacity for “entities” to determine the circumstances in which information can be disclosed is inappropriate.  

1.7        The current National Privacy Principles permit the disclosure and use of personal information in particular health, life and safety situations, but places limits on the circumstances and people to whom this information can be disclosed.  The proposed bill contain none of these safeguards. 

1.8        According to this bill, when the proposed “emergency declaration” is in force, an entity (being a person, agency or organisation) may collect, use or disclose personal information relating to an individual, where:

    1. the entity “reasonably believes” the individual MAY be involved in the emergency; and
    2. it is for a “permitted purpose.”

1.9        Government agencies are authorised by subclause 80P to disclose personal information, (with no definitional limit to the type of information) to a wide range of people and entities, and may include any person that “is likely to be” involved in “assisting” (paragraph 80P(1)(c)) in the emergency.  There is no guide as to what type or level of “assisting” a person or organisation needs to be undertaking, nor any indication as to how a government agency officer might determine if the person or agency “is likely to be” involved in assisting, before disclosure to the person is lawful. 

1.10      The bill purports to limit the collection, use and disclosure of information, to situations of “permitted purpose” (clause 80H), the principal purpose being any action that forms part of the “Commonwealth’s response” (subclause 80H(1)) to the emergency.  What follows in subclause 80H(2) is an inclusive list of examples of purposes, including assisting with law enforcement (paragraph 80H(2)(c)) that can be considered part of the response. 

1.11      The Democrats agree with the Committee’s view that the current definition of “permitted purpose” is unnecessarily broad.  We are, in addition particularly concerned that a “declaration” may be made in relation to domestic matters not related to a natural disaster or international terrorist situation, and that having overridden the normal privacy protections, individuals may unfairly be subject to infringement of their right to privacy under the rubric of “assisting with law enforcement”, where this purpose is only indirectly related to the “emergency”.  Moreover, the bill contains none of the protections on dissemination of disclosed information contained in the current legislation, but permits an agency or organisation to determine whether it is appropriate to divulge personal information in the circumstances. 

1.12      The findings by the Australian Law Reform Commission in its Issue Paper 31: Review of Privacy indicate Australians continue to be concerned about the handling of their personal details by government and private companies.  The Democrats consider that the current bill gives too broad a discretion for “entities” to determine when an individual’s personal information may be disclosed and for the net to be cast too wide in allowing entities with an “indirect” connection to the emergency, to access or disclose information.

1.13      In evidence to the Senate Legal and Constitutional References Committee, Mr Greg Heesom of the Australian Red Cross suggested that a solution could include a Public Interest Determination exemption by the Privacy Commissioner, or an amendment to the Information Privacy Principle 11 to provide a specific limited exemption for emergency disaster situations.[2]  We also note that the submission by the Officer of the Federal Privacy Commissioner refers to the definitions of “emergency” and “disaster” contained in the Civil Contingencies Act 2004 (UK) as assisting to identify relevant criteria upon which an emergency of disaster may be declared.  The Democrats support the limiting of circumstances in which an “emergency” may be declared, where the outcome of such declaration is removing of privacy protections for individuals, and the limiting of entities permitted to use information to those having only a “direct” connection to the emergency. 

1.14      The bill proposes that the “emergency declaration” continue to be in force for one year (clause 80N) unless it is declared to end earlier.  The Democrats agree with the Committee’s view that the period of time for which normal operation of the Privacy Act is suspended should be limited to a specified time, but consider that 12 months is too long.

Even if it was felt necessary to allow a greater sharing of information between agencies to address the concerns outlined by the Australian Red Cross in its submission, there are other ways in which the sharing of information can be facilitated, without resorting to such major changes as the bill proposes. 

1.15      The Explanatory Memorandum asserts this bill will assist in clarifying the provisions relating to disclosure of personal information during emergencies.[3]  Far from clarifying the situations in which personal information can be disclosed and the types of people, organisations and other bodies that can receive or disclose information, this bill adds a level of legislative ambiguity and uncertainty to the foundation of privacy protections, that may erode Australians' confidence that their personal information will be protected in all but the most dire of circumstances, and thereby undermine the integrity of out current system of privacy protection. 

1.16      We note the Committee reference to the Privacy Commissioner’s findings in its report Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 that following the tsunami disaster, the Privacy Act received criticism in the media for being “unable to anticipate and cope” with the extent of the tsunami disaster.[4]  Certainly, the extent of the tsunami was on a scale previously unimagined, and not contemplated during the original drafting of the Privacy Act.  However, the rarity and unusual severity of that event and its consequences cannot be justification for completely re-writing the privacy regime which has until such recent disasters, served the Australian public reasonably well.  Even in times of disaster, there must be a balancing of the rights of an individual to privacy in their activities and movements, as against the need to obtain otherwise confidential information in relation to an individual.  This is acknowledged by the Senate Legal and Constitutional References Committee in The Real Big Brother: Inquiry the Privacy Act 1988 [5] and the Privacy Commissioner in her recommendations in relation to large scale emergencies.[6]

1.17      Both the Office of the Federal Privacy Commissioner and the Australian Privacy Foundation have highlighted the fact that the current legislation allows for the disclosure of information where there is a serious and imminent threat to the life or health of individuals, and both have proposed changes in the current legislation that would go a long way towards alleviating the problems experienced by the ARC in assisting individuals in the recent disasters, while limiting the purpose for which disclosure is permitted.[7]  The Democrats support the proposals of the Office of the Federal Privacy Commission and Australian Privacy Foundation as providing a better balance between the privacy rights of individuals and the expectations of Australians during times of disaster.

 

Senator Andrew Bartlett                                      Senator Natasha Stott Despoja

Australian Democrats

 

Navigation: Previous Page | Contents | Next Page