Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

Information Sheet (Public and Private Sectors) 1 - Emergencies and disasters

Note: This resources has been archived as it relates to law that is no longer current. More information on the Australian Privacy Principles (APPs) can be found on the APPs page.

pdfPrintable version588.89 KB

Key Messages

This Information Sheet discusses how Part VIA of the Privacy Act 1988 (Cth) applies to the handling of personal information in declared emergencies or disasters.

Special privacy provisions in Part VIA take effect if the Prime Minister or the Minister declares an emergency or disaster that affects Australians, either in Australia or overseas.

The Privacy Act is not a barrier in an emergency or disaster.

Personal information may be collected, used and disclosed during a declared emergency or disaster.  Under Part VIA:

  • there must be a reasonable belief that the individual is involved in the emergency or disaster
  • information must only be collected for a permitted purpose related to the emergency or disaster
  • there are limits on the entities that the information can be disclosed to
  • these entities (agencies, organisations or persons) must be directly involved in providing specific services, such as repatriation, medical, health, financial or other humanitarian assistance.

Agencies covered by the Privacy Act will not be in breach of the Information Privacy Principles if they have complied with Part VIA. 

Organisations covered by the National Privacy Principles will not be in breach of the Privacy Act if they have complied with Part VIA.

Agencies and organisations should have privacy policies and procedures in place (including staff training) in the event of a declared emergency or disaster.

Background

About this Information Sheet

This Information Sheet discusses the collection, use and disclosure of personal information during an event of national significance declared under Part VIA of the Privacy Act. 

The declared emergency or disaster may affect Australian citizens or permanent residents in Australia, or overseas.

Who is this Information Sheet for?

This Information Sheet is for agencies and organisations or other entities (including persons) that may need to collect, use or disclose personal information about individuals affected by the declared emergency or disaster.

Part VIA of the Privacy Act

Part VIA gives agencies, organisations and other entities a clear, certain legal basis for the handling of personal information about deceased, injured and missing individuals in a declared emergency or disaster.  It is based on the existing privacy obligations contained in Information Privacy Principles (IPPs) 10 and 11 and National Privacy Principle (NPP) 2.1 (see Other use and disclosure principles below). 

It sets out how personal information can be handled in emergencies or disasters, including:

  • the collection, use and disclosure of personal information (s 80P)
  • offences and inappropriate disclosure of personal information (s 80Q).

Declaration of emergency

Under Part VIA, the Prime Minister or Minister may declare an emergency or disaster if satisfied that:

  • an emergency or disaster has occurred (s 80J and s 80K)
  • it is the type of emergency or disaster that Part VIA provisions would apply to (s 80J and s 80K)
  • the nature and extent or the direct or indirect effect of the emergency or disaster must be of national significance if it occurs in Australia (s 80J), and
  • the emergency or disaster has affected one or more Australian citizens or permanent residents, either in Australia or overseas (s 80J and s 80K).

An emergency declaration:

  • must be in writing and signed by the Prime Minister or the Minister making the declaration (s 80L)
  • takes effect at the time it is signed (s 80M)
  • must be published as soon as practicable and is not a legislative instrument (s 80L).

Under ss 80J or 80K, a declaration of emergency only triggers the operation of Part VIA of the Privacy Act.  This declaration is not directly related to any other emergency legislation or non-legislative schemes.

Declarations cease to have effect:

  • at a time specified in the declaration
  • when the declaration is revoked, or
  • 12 months after the declaration was made.

Emergency declarations are listed on the Department of the Prime Minister and Cabinet website at www.dpmc.gov.au/privacy/emergency_declaration/index.cfm.

Handling personal information in declared emergencies and disasters (s 80P)

The Privacy Act does not stop you helping in a declared emergency or disaster.

When an emergency declaration is in force, Part VIA enhances and enables the collection, use and disclosure of personal information between:

  • Australian Government agencies, and
  • State and Territory authorities, private sector organisations, non-government organisations and others.

Personal information may be collected, used or disclosed for a 'permitted purpose' (s 80P(1)(b)).

'Permitted purposes' allow necessary uses and disclosures of personal information.

What is a 'permitted purpose' (s 80H)?

A 'permitted purpose' must relate directly to the Commonwealth's response to the declared emergency.  Although there are some limits, permitted purposes are broad in scope and may include:

  • identifying those who are, or may be injured, missing or dead, or involved in the emergency
  • helping individuals to get services including repatriation, medical or other treatment, health, financial or other humanitarian aid
  • helping law enforcement
  • coordinating or managing the emergency
  • making sure that people who are responsible for individuals[1] are kept appropriately informed about them and the emergency response to those individuals.

Note: Under Part VIA of the Privacy Act, personal information (s 6) includes information about individuals who are deceased.

Use and disclosure of personal information

Section 80P authorises the collection, use and disclosure of personal information about individuals caught up in emergencies and disasters.  This includes:

  • that the entity has a reasonable belief that the individual is involved in the emergency or disaster
  • the information is only collected for a permitted purpose related to the emergency or disaster
  • limits on disclosure of information
  • that these entities (agencies, organisations or persons) are directly involved in providing specific services, such as repatriation, medical, health, financial or other humanitarian assistance.

Limits on disclosures

The Privacy Act places some limits on the disclosure of information in a declared emergency or disaster, but the permitted disclosures are broad-ranging.

Agencies and organisations should make sure they disclose only the personal information necessary to meet an individual's needs.

Disclosures by agencies (s 80P(1))

If an agency reasonably believes that an individual may be involved in the declared disaster and the disclosure is for a permitted purpose, then the agency may disclose personal information to:

  • another agency
  • a State or Territory authority
  • an organisation
  • an entity involved or likely to be involved in managing or assisting in managing the emergency or disaster, or
  • a person who is 'responsible' for the individual.

Under Part VIA, agency officers or employees may only collect, use or disclose personal information if authorised to do so by the agency (s 80P(6)).

Agencies covered by the Privacy Act will not be in breach of the Information Privacy Principles (IPPs) if they have complied with Part VIA. 

Example 1: Damian is 'responsible' for his brother Hector who has a disability and is confined to a wheelchair in their shared home.  Widespread flooding prevents Damian from reaching their property.  State emergency response teams and others involved in managing the disaster can keep Damian up to date about his brother's welfare.  This could include the steps they are taking to reach him, where they will be taking him or any health updates they may have about Hector.

Example 2: John and Anne, long standing clients of support Agency A, lost their home and all their belongings in a bushfire.  Agency A is able to give them some emergency financial assistance and new proof of identity documents.   Under Part VIA, Agency A can disclose personal information about John and Anne to a private sector organisation that is arranging emergency accommodation, clothing and other assistance for bushfire victims.

Disclosures by organisations and persons (s 80P(1)(d))

If an organisation or person reasonably believes that an individual may be involved in the declared disaster and the disclosure is for a permitted purpose then the organisation or person may disclose personal information to:

  • an agency
  • an entity directly involved in providing services, including repatriation, medical or other treatment, health, financial or other humanitarian assistance to individuals involved in the emergency or disaster, or
  • a person or entity prescribed by regulation or legislative instrument.

Example:  E-Care, (a private sector organisation) is providing temporary emergency aid and accommodation for bushfire victims.

E-Care can disclose the personal information it collects about these individuals to other agencies or entities providing care and assistance that these individuals may need, such as Centrelink, Medicare, The Salvation Army or law enforcement agencies.

Note:  Agencies, organisations or persons must not disclose personal information to a media organisation.

Organisations covered by the NPPs will not be in breach of the NPPs when complying with Part VIA.

It is good privacy practice for agencies and organisations to record all disclosures made during the emergency or disaster.

Secrecy and duty of confidence

Part VIA makes clear that entities which use and disclose personal information as authorised under s 80P(1) will not be in breach of secrecy provisions unless it is a secrecy provision designated under s 80P(7).

An entity will also not be in breach of a duty of confidence if it discloses information in accordance with s 80P(1).

Policies, procedures and training - preparing for a declared emergency or disaster

Many agencies and organisations and other entities supply 'front line' support, advice and information in an emergency or disaster - often in very difficult and stressful circumstances. 

The Privacy Commissioner encourages agencies, organisations and other entities that may be involved in disaster or emergency management or support services to prepare in advance for disasters or emergencies.

A disaster response plan should address the handling of personal information.

Clear, written privacy policies and procedures and staff training are key steps to effective disaster or emergency response.

Internal

It is vital that employees have a clear understanding of Part VIA obligations in the Privacy Act when they collect, use and disclose personal information in emergency or disaster situations. 

Having policies, procedures and training in place means:

  • a well-informed staff that is better equipped to respond in an emergency situation
  • it is clear to the agency, organisation or other entity what special privacy rules apply to personal information collected, used or disclosed in an emergency or disaster, including:
    • how long the information should be kept
    • where and how it will be stored
    • not accessing information inappropriately
    • what collecting or disclosing unnecessary information means, and
    • how the information is kept secure and safely destroyed when it is no longer needed.

Emergencies and disasters can be diverse (for example, flood, fire or terrorist activity), widespread, and may affect many individuals.  Your own staff may be:

  • personally affected by the emergency or disaster, or
  • affected by the scale of the emergency or disaster they are dealing with.

This should be taken into account when developing policies, procedures and training.

External

Agencies and organisations should also think about information they may need to give their clients about privacy and the collection, use and disclosure of personal information.  Consider:

  • an emergency/disaster help page or FAQs on your agency/organisation website
  • distributing pamphlets, media announcements (including in languages other than English) that include information about how personal information will be handled during the emergency or disaster
  • having a designated privacy advice help line 
  • making the above information outlets as helpful and inclusive as possible by addressing literacy, language and disability issues.

Other matters

Section 80Q of Part VIA sets out offences and penalties related to inappropriate disclosure of personal information during an emergency or disaster.  Penalties can include imprisonment for one year.

Section 80S describes the additional operational effects of Part VIA.

Section 80T sets out safety net provisions related to compensation for property acquisition.

Other use and disclosure principles in the Privacy Act

IPPs 10 and 11 (agencies) and NPP 2.1(e) (private sector organisations) more generally allow for the use and disclosure of personal information where there is a serious and imminent threat to an individual's life, health or safety. 

NPP 2.1(e) also permits use and disclosure of personal information where there is a serious threat to public health or safety.

More information

About Information Sheets

Information sheets are advisory only and are not legally binding.  The Information Privacy Principles (IPPs) section 14 of the Privacy Act legally bind agencies. The National Privacy Principles (NPPs) in Schedule 3 of the Privacy Act legally bind organisations.

Information sheets are based on the Office of the Privacy Commissioner's understanding of how the Privacy Act works.  They provide explanations of some of the terms used in the IPPs and NPPs and good practice or compliance tips.  They are intended to help agencies and organisations apply the IPPs and NPPs (respectively) in ordinary circumstances.  Agencies and organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation.

Nothing in an information sheet limits the Privacy Commissioner's freedom to investigate complaints under the Privacy Act or to apply the IPPs and NPPs in the way that seems most appropriate to the facts of the case being dealt with.  Agencies and organisations may also wish to consult the Commissioner's guidelines and other information sheets.

 


[1] Under NPP 2.5, a person is responsible for an individual if the person is a parent, a child or sibling at least 18 years of age, a spouse or defacto, a guardian, has an intimate personal relationship, is nominated to be contacted in case of emergency, or has enduring power of attorney granted by the individual exercisable in relation to decisions about the individual's health.