This aim of this resource is to assist entities to understand their obligations under Part VIA of the Privacy Act 1988 (Privacy Act) when handling personal information in declared emergencies or disasters.
The information provided below is of a general nature and is not a substitute for legal advice.
Key points
- The Privacy Act is not a barrier to necessary information sharing in a declared emergency or disaster
- Special privacy provisions in Part VIA of the Privacy Act take effect if the Prime Minister or the Minister responsible for the Privacy Act (the Minister) declares an emergency or disaster that affects Australian citizens or permanent residents, either in Australia or overseas
- Entities that collect, use or disclose personal information about individuals affected by the declared emergency or disaster need to comply with Part VIA
- Entities will not be in breach of the Australian Privacy Principles (APPs) if they have complied with Part VIA
- Entities should consider preparing a Personal Information Handling Plan that addresses how personal information will be handled before, during and after an emergency or disaster.
Part VIA of the Privacy Act
Part VIA of the Privacy Act regulates how entities may collect, use and disclose personal information in a declared emergency or disaster. It provides clarity around the handling of personal information about deceased, injured and missing individuals in a declared emergency or disaster.
Part VIA enhances the information sharing arrangements permitted under the APPs. It operates in conjunction with the APPs to allow entities to collect, use and disclose information in accordance with the APPs, whilst also permitting entities to share information in ways that would otherwise not be permitted under the APPs.
For the purposes of Part VIA, an entity includes a person, agency and organisation (section 80P).
Declarations of emergency or disaster
Under Part VIA, the Prime Minister or the Minister may declare an emergency or disaster if satisfied that an emergency or disaster of the kind that Part VIA applies to has occurred and:
- if the emergency or disaster occurs in Australia, that it is of national significance and has affected one or more Australian citizens or permanent residents, either in Australia or overseas (s 80J), or
- if the emergency or disaster occurs outside Australia, that it has affected one or more Australian citizens or permanent residents, either in Australia or overseas (s 80K).
An emergency declaration:
- must be in writing and signed by the Prime Minister or the Minister making the declaration (s 80L)
- takes effect at the time it is signed (s 80M)
- must be published as soon as practicable and is not a legislative instrument (s 80L).
A declaration of an emergency or disaster under the Privacy Act only triggers the operation of Part VIA and is not connected to any other emergency legislation or non-legislative schemes.
Declarations cease to have effect at the earliest of:
- at a time specified in the declaration
- when the declaration is revoked, or
- 12 months after the declaration was made.
Emergency declarations are listed on the Attorney-General’s Department website.
Handling personal information in declared emergencies and disasters
When a declaration is in force, Part VIA enhances and enables the collection, use and disclosure of personal information between Australian Government agencies and State and Territory authorities, private sector organisations, non-government organisations and others.
The collection, use and disclosure of personal information about individuals caught up in emergencies and disasters is permitted under s 80P where:
- the entity reasonably believes that the individual may be involved in the emergency or disaster
- the collection, use or disclosure is for a permitted purpose in relation to the emergency or disaster
- in the case of disclosure, the disclosure is limited to certain entities and individuals. There are some differences between who an agency can disclose information to and who an organisation or another person can disclose information to. This is discussed below.
While Part VIA enables personal information to be disclosed to State and Territory agencies, Part VIA does not override State and Territory laws that may apply to the handling of personal information.
Note: Although Part VIA permits agencies and organisations to collect, use and disclose personal information in certain circumstances, it does not require them to (s 80R(2)).
What is a ‘permitted purpose’?
A ‘permitted purpose’ is one that directly relates to the Commonwealth’s response to the declared emergency or disaster (s 80H). Although there are some limits, permitted purposes are broad in scope and may include:
- identifying those who are, or may be, injured, missing or dead, or involved in the emergency or disaster
- helping individuals to access services including repatriation, medical or other treatment, health services and financial or other humanitarian assistance
- helping law enforcement with the emergency or disaster
- coordinating or managing the emergency or disaster
- ensuring that people who are responsible for individuals[1] are kept appropriately informed about those individuals and the emergency response to those individuals.
For the purposes of Part VIA of the Privacy Act, personal information includes information about individuals who are deceased.
Remember: Permitted purposes allow necessary uses and disclosures of personal information.
Limits on disclosures
In a declared emergency or disaster, there are limits on who an entity can disclose information to and the permitted purposes for which they can disclose information(s 80P). While the permitted disclosures are broad-ranging, entities should limit the personal information they disclose to that which is necessary to meet an individual’s needs. It is an offence to disclose information received under Part VIA in a way not permitted by Part VIA or other provisions in the Privacy Act (s 80Q).
There are some differences between who an agency can disclose information to and who an organisation or another person can disclose information to.
Disclosures by agencies (s 80P(1)(c))
If an agency reasonably believes that an individual may be involved in the declared emergency or disaster and the disclosure is for a permitted purpose, then the agency may disclose personal information to:
- another agency
- a State or Territory authority
- an organisation
- an entity involved or likely to be involved in managing or assisting in managing the emergency or disaster, or
- a person who is responsible for the individual.
Under Part VIA, individual officers or employees of an agency may only collect, use or disclose personal information if authorised to do so by the agency (s 80P(6)).
Agencies will not be in breach of the APPs if they have complied with Part VIA.
Example 1: Damian and Julie are parents to Christopher. Widespread flooding prevents Damian and Julie from reaching their property, where Christopher is. State emergency response teams and others involved in managing the disaster can keep Damian and Julie up to date about their son’s welfare. This could include the steps they are taking to reach him, where they will be taking him or any health updates they may have about Christopher.
Example 2: John and Anne, long standing clients of support Agency A, lost their home and all their belongings in a bushfire. Agency A is able to give them some emergency financial assistance and new proof of identity documents. Under Part VIA, Agency A can disclose personal information about John and Anne to a private sector organisation that is arranging emergency accommodation, clothing and other assistance for bushfire victims.
Disclosures by organisations and persons (s 80P(1)(d))
If an organisation or person reasonably believes that an individual may be involved in the declared emergency or disaster and the disclosure is for a permitted purpose, then the organisation or person may disclose personal information to:
- an agency
- an entity directly involved in providing services, including repatriation, medical or other treatment, health, financial or other humanitarian assistance to individuals involved in the emergency or disaster, or
- a person or entity prescribed by regulation or by the Minister by legislative instrument.
Organisations will not be in breach of the APPs when complying with Part VIA.
Example 3: A private sector organisation is providing temporary emergency aid and accommodation for bushfire victims.
The organisation can disclose the personal information it collects about these individuals to other agencies or entities that are providing care and assistance to these individuals, such as Centrelink, Medicare, The Salvation Army or law enforcement agencies.
Disclosures to media organisations (s 80P(1)(e))
Part VIA does not authorise an entity to disclose personal information to a media organisation (s 80P(1)(e)). If any disclosures need to be made to the media, they should be made in accordance with the entity’s obligations under APP 6.
Remember: It is good privacy practice for entities to record all disclosures made during the emergency or disaster.
Secrecy and duty of confidence
Entities that use and disclose personal information as authorised under s 80P(1) will not be in breach of secrecy provisions, unless it is a secrecy provision designated under s 80P(7).
Similarly, an entity will not be in breach of a duty of confidence if it discloses information in accordance with s 80P(1).
Disclosure under APP 6 of the Privacy Act
In a declared emergency or disaster, entities can disclose information in accordance with the permitted disclosures under APP 6, in addition to those permitted under Part VIA. An entity may also be able to use or disclose personal information in accordance with APP 6 where an emergency or disaster exists, but a declaration has not been made under Part VIA.
Under APP 6, an APP entity may use or disclose personal information for a purpose for which it was collected or for a secondary purpose, where an exception applies. Relevant exceptions in APP 6 include where:
- a permitted general situation exists (APP 6.2(c)). This includes, for example, locating a person reported as missing or where there is a serious threat to an individual’s life, health or safety, or to public health and safety (s 16A).
- in the case of an organisation, a permitted health situation exists. This includes, for example, disclosure of health information to a responsible person for the individual (s 16B).
- the APP entity reasonably believes that the secondary use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body (APP 6.2(e)).
Preparing for a declared emergency or disaster – developing a Personal Information Handling Plan
The Office of the Australian Information Commissioner (OAIC) encourages entities that may be involved in disaster or emergency management or support services to prepare a Personal Information Handling Plan in advance, which addresses how the entity will handle and protect personal information and other privacy issues.
Appendix A of this resource contains information that will help entities prepare and implement a Personal Information Handling Plan.
Appendix A — Preparing and implementing a Personal Information Handling Plan
Entities that may have to respond to an emergency or disaster should consider preparing a Personal Information Handling Plan in advance. The Personal Information Handling Plan should address how personal information will be handled before, during and after an emergency or disaster. It should clearly outline the policies and procedures for handling personal information that will apply during an emergency or disaster and outline how staff will be trained in these. An entity’s Personal Information Handling Plan should form part of its broader emergency response plan. This will ensure privacy is integrated into an entity’s entire emergency or disaster response.
Before an emergency or disaster
It is vital that all staff that may be involved in an emergency or disaster have a clear understanding of their obligations under Part VIA. Entities should have clear, up-to-date, written policies and procedures outlining how staff should handle personal information in an emergency or disaster. Entities should also train staff in how to respond in an emergency situation. It should be clear to staff what special privacy rules apply to the collection, use and disclosure of personal information in an emergency or disaster, including:
- what information should be collected and disclosed
- how to avoid collecting or disclosing unnecessary information
- where and how information will be stored securely
- how long information should be kept and safely destroyed or de-identified when it is no longer needed
- how to avoid accessing information inappropriately.
Emergencies and disasters can be diverse, widespread and may affect many individuals. Your own staff may be:
- personally affected by the emergency or disaster, or
- troubled by the scale of the emergency or disaster they are dealing with.
This should be taken into account when developing policies, procedures and training.
Prior to an emergency or disaster being declared, entities should take steps to ensure individuals are able to be given information about how their personal information will collected, used and disclosed in an emergency or disaster. Entities should consider:
- creating an emergency/disaster help page or FAQs on their website
- preparing pamphlets that include information about how personal information will be handled during an emergency or disaster, as well as considering how media announcements will be made
- making arrangements so that either a designated privacy advice help line or key privacy officer are able to answer privacy questions and respond to internal and external enquiries, including complaints and access or correction requests, during the emergency or disaster
- developing a data breach response plan to ensure any data breaches are responded to effectively
- making all information as helpful and inclusive as possible by addressing literacy, language and disability requirements
Entities should also consider establishing information sharing arrangements with other entities that are likely to be involved in disaster or emergency management and support prior to an emergency or disaster being declared. Entities should ensure that privacy protections are built into these arrangements.
During an emergency or disaster — using and disclosing personal information
When an emergency or disaster is declared, entities should coordinate their response in accordance with the policies, procedures and training processes outlined in their Personal Information Handling Plan, taking into account the particular circumstances of the emergency or disaster. Entities should:
- ensure they only collect, use and disclose personal information for a ‘permitted purpose’ and that they only disclose the personal information necessary to meet an individual’s needs
- take steps to ensure the security of the personal information they share and receive
- where possible, record details about disclosures of information, including:
- the date of the disclosure
- details of the personal information that was disclosed
- who the personal information was disclosed to
- the ‘permitted purposes’ for which the personal information was disclosed, and
- the basis for the entity’s ‘reasonable belief’ that the individual may be involved in the emergency or disaster. This will help the entity assure itself that the provisions in s 80P apply, and it may be a useful reference if the entity later needs to justify the action it took.
Social media can play an important role in providing timely, up-to-date and relevant information during an emergency or disaster. Entities should think about how they use social media to gather information, communicate with the community and, if appropriate, respond to comments from individuals. Entities should also think about what measures they need to take to ensure the quality of the information on their social media platforms and to ensure that personal information is not unlawfully disclosed.
After an emergency or disaster
Once a declaration of emergency or disaster under Part VIA ceases, it is important that entities resume their normal procedures for collecting, using and disclosing personal information. Entities should ensure all staff are aware that the special privacy provisions in Part VIA have ceased and assist them in resuming normal personal information handling procedures. Entities should also consider:
- evaluating how they handled personal information in the emergency or disaster and how effective their policies, procedures and training were
- identifying areas where their collection, use or disclosure of personal information could be improved
- updating the policies, procedures and training processes in their Personal Information Handling Plan, as required.
For more information about emergency management visit the Department of Home Affairs.
The information provided in this resource is of a general nature and is not a substitute for legal advice.
Footnote
[1] Under s 6AA, a responsible person for an individual is a parent of the individual; a child or sibling of the individual, provided the child is at least 18 years old; a spouse or de facto partner of the individual; a relative of the individual, provided the relative is at least 18 years old and is a member of the individual’s household; a guardian of the individual; a person exercising an enduring power of attorney over the individual, which was granted by the individual and relates to decisions about the individual’s health; a person who has an intimate personal relationship with the individual; or a person who is nominated by the individual to be contacted in case of emergency.
