The aim of this resource is to assist entities to understand their obligations under Part VIA of the Privacy Act 1988 (Privacy Act) when handling personal information in declared emergencies or disasters. The information has been updated to reflect changes made by the Privacy and Other Legislation Amendment Act 2024.
Examples of Emergency Declarations made prior to 2024 can be found on the Attorney-General’s Department website.
The information provided below is of a general nature and is not a substitute for legal advice.
Key points
- The Privacy Act is not a barrier to necessary information sharing in a declared emergency or disaster
- Special privacy provisions in Part VIA of the Privacy Act take effect if the Prime Minister or the Attorney General makes an Emergency Declaration (ED)
- When an ED is in force, entities should be familiar with the specific arrangements in the ED as the ED may be targeted to specific entities, specific kinds of personal information, specific purposes or acts and practices, and may have a specified or ongoing duration of up to 12 months
- Entities that collect, use or disclose personal information about individuals affected by the emergency or disaster must act within the scope of the ED and comply with Part VIA
- Entities will not be in breach of the Australian Privacy Principles (APPs) in respect of collection, use or disclosure of personal information if they have complied with Part VIA
- State and territory authorities receiving personal information under an ED are bound by their obligations under state and territory privacy laws and the information received under an ED should not be used for any purpose other than a permitted purpose under the ED and Privacy Act
- Entities should consider preparing a Personal Information Handling Plan that addresses how personal information will be handled before, during and after an emergency or disaster
- The security and destruction obligations under the Privacy Act continue to apply to entities in relation to information received under an ED. This includes requirements to destroy or de-identify information when it is no longer required, such as when the ED is no longer in effect.
Legislation background
Part VIA of the Privacy Act regulates how entities may collect, use and disclose personal information in a declared emergency or disaster. It provides clarity around the handling of personal information in a declared emergency or disaster, for example information about deceased, injured and missing individuals.
Part VIA enhances the information sharing arrangements permitted under the Australian Privacy Principles (APPs). It operates in conjunction with the APPs to allow entities to collect, use and disclose information in accordance with the APPs, whilst also permitting entities to share information in ways that would otherwise not be permitted under the APPs.
Emergency declarations (ED)
Under Part VIA, the Prime Minister or the Attorney General may declare an emergency or disaster if they are satisfied that an emergency or disaster has occurred and it:
- has affected (one or more) Australian citizens or permanent residents in or outside of Australia,
- is of national significance, and
- is of such a kind that the need to effectively respond outweighs the need for the privacy protections that would ordinarily apply.
The Prime Minister or the Attorney General may also make an ED if:
- a national emergency declaration is in force, and
- they are satisfied that an emergency to which the national emergency declaration relates is of such a kind that it is appropriate in the circumstances for Part VIA to apply.
An ED only triggers the operation of Part VIA and is not connected to any other emergency legislation or non-legislative schemes. It is a legislative instrument that is not subject to disallowance under section 42 of the Legislation Act 2003.
Scope and duration of an ED
An ED must set out the following matters for which information handling is authorised (section 80KA):
- the kind or kinds of personal information to which the declaration applies
- the entity or class of entities that may collect, use or disclose the personal information
- the entity or class of entities that the personal information may be disclosed to, and
- one or more permitted purposes of the collection, use or disclosure.
Depending on the ED, an entity can be a person, an agency or an organisation (section 80G). For example, this may include Australian Government agencies and State and Territory authorities, private sector organisations, non-government organisations and others. In all circumstances, an ED cannot authorise disclosures to a media organisation (subsection 80KA(2)(b)).
An emergency declaration ceases to be in force at the earliest of: the time specified in the instrument; when it is repealed; or 12 months after its commencement (section 80N).
Handling personal information in accordance with an ED
The collection, use and disclosure of personal information about individuals caught up in emergencies and disasters is permitted where (section 80P):
- the entity reasonably believes that the individual may be involved in the emergency or disaster, and
- the collection, use or disclosure is for a permitted purpose specified in the ED, and
- the type of information to be collected, used or disclosed is of a kind specified in the ED, and
- in the case of disclosure, the disclosure occurs between entities and individuals as specified in the ED, and
- any specified conditions for information handling are satisfied.
While Part VIA enables personal information to be disclosed to state and territory agencies (subsection 80KA(2)(a)), Part VIA does not override state and territory laws that may apply to the handling of personal information. State and territory authorities receiving personal information under an ED are bound by their obligations under state and territory privacy laws and the information received under an ED must be used in accordance with the ED. For example, it should not be used for any purpose other than a permitted purpose under the ED. This may be considered an offence for unauthorised secondary disclosure under subsection 80Q(1).
Note: Although Part VIA permits entities to collect, use and disclose personal information in certain circumstances, it does not require them to (subsection 80R(2)).
What is a ‘permitted purpose’?
Although there are some limits, permitted purposes are those specified in the relevant ED.
A ‘permitted purpose’ is one that directly relates to the Commonwealth’s response to the declared emergency or disaster (subsection 80KA(3)) and may, depending on the relevant ED, include:
- identifying those who are, or may be, injured, missing or dead, or involved in the emergency or disaster
- identifying those who are, or may be at risk of injury, going missing, death, being involved in or affected by the emergency or disaster
- helping individuals to access services including repatriation, medical or other treatment, health services and financial or other humanitarian assistance
- helping law enforcement with the emergency or disaster
- coordinating or managing the emergency or disaster
- ensuring that people who are responsible for individuals[1] are kept appropriately informed about those individuals and the emergency response to those individuals.
For the purposes of Part VIA of the Privacy Act, personal information includes information about individuals who are deceased (subsection 80G(2)).
Limits on disclosures
An ED will specify who an entity can disclose information to and the permitted purposes for which they can disclose information (section 80KA). While the permitted disclosures in an ED may be broad, entities should limit the personal information they disclose to that which is necessary to meet an individual’s needs. It is an offence to disclose information received under Part VIA in a way not permitted by Part VIA or other provisions in the Privacy Act (section 80Q).
Examples of permitted disclosures
Example 1: The Attorney General has issued an ED for flooding in QLD. Damian and Julie are parents to Christopher. Christopher is 19 years old. The flooding prevents Damian and Julie from reaching their property, where Christopher is. The ED that has been issued is broad enough to authorise state emergency response teams (and others involved in managing the disaster) to keep Damian and Julie up to date about their son’s welfare, such as the steps they are taking to reach him, where they will be taking him, and any health updates they may have about Christopher.
Example 2: The Attorney General has issued an ED for bushfires in NSW and Victoria. John and Anne, long-standing clients of support Agency A, lost their home and all their belongings in the bushfire. The ED that has been issued is broad enough to enable Agency A to give them new proof of identity documents and some emergency financial assistance. In line with the ED, Agency A can disclose personal information about John and Anne to the Australian Defence Force, which is facilitating emergency accommodation and other assistance for bushfire victims.
Example 3: The Prime Minister has issued an ED for bushfires in NSW. A private sector organisation is providing temporary emergency aid and accommodation for the bushfire victims. The organisation has checked the ED and decided it can disclose the personal information it collects about these individuals to Centrelink, Medicare, The Salvation Army and law enforcement agencies who are also providing care and assistance to bushfire victims.
Disclosure under APP 6 of the Privacy Act
In a declared emergency or disaster, entities can disclose information in accordance with the permitted disclosures under APP 6, in addition to those permitted under the ED and Part VIA. An entity may also be able to use or disclose personal information in accordance with APP 6 where an emergency or disaster exists, but an ED has not been made under Part VIA.
Under APP 6, an APP entity may use or disclose personal information for a purpose for which it was collected or for a secondary purpose, where an exception applies. Relevant exceptions in APP 6 include where:
- a permitted general situation exists (APP 6.2(c)). This includes, for example, locating a person reported as missing or where there is a serious threat to an individual’s life, health or safety, or to public health and safety (section 16A).
- in the case of an organisation, a permitted health situation exists. This includes, for example, disclosure of health information to a responsible person for the individual (section 16B).
- the APP entity reasonably believes that the secondary use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body (APP 6.2(e)).
Security and destruction obligations
The security and destruction obligations under the Privacy Act continue to apply to entities in relation to information received under an ED. This includes requirements to destroy or de-identify information when it is no longer required, such as when the ED is no longer in effect.
Secrecy and duty of confidence
Entities that use and disclose personal information as authorised under subsection 80P(1) will not be in breach of secrecy provisions, unless it is a secrecy provision designated under subsection 80P(7) (subsection 80P(2)).
Similarly, an entity will not be in breach of a duty of confidence if it discloses information in accordance with subsection 80P(1) (subsection 80P(3)).
Preparing for a declared emergency or disaster – developing a Personal Information Handling Plan
The Office of the Australian Information Commissioner (OAIC) encourages entities that may be involved in disaster or emergency management or support services to prepare a Personal Information Handling Plan in advance, which addresses how the entity will handle and protect personal information and other privacy issues.
Appendix A of this resource contains information that will help entities prepare and implement a Personal Information Handling Plan.
Appendix A — Preparing and implementing a Personal Information Handling Plan
Entities that may have to respond to an emergency or disaster should consider preparing a Personal Information Handling Plan in advance. The Personal Information Handling Plan should address how personal information will be handled before, during and after an emergency or disaster. It should clearly outline the policies and procedures for handling personal information that will apply during an emergency or disaster and outline how staff will be trained in these. An entity’s Personal Information Handling Plan should form part of its broader emergency response plan. This will ensure privacy is integrated into an entity’s entire emergency or disaster response.
Before an emergency or disaster
It is vital that all staff that may be involved in an emergency or disaster have a clear understanding of their obligations under Part VIA. Entities should have clear, up-to-date, written policies and procedures outlining how staff should handle personal information in an emergency or disaster. Entities should also train staff in how to respond in an emergency situation. It should be clear to staff what special privacy rules apply to the collection, use and disclosure of personal information in an emergency or disaster, including:
- what information should be collected and disclosed
- how to avoid collecting or disclosing unnecessary information
- where and how information will be stored securely
- how long information should be kept and safely destroyed or de-identified when it is no longer needed
- how to avoid accessing information inappropriately.
Emergencies and disasters can be diverse, widespread and may affect many individuals. Your own staff may be:
- personally affected by the emergency or disaster, or
- troubled by the scale of the emergency or disaster they are dealing with.
This should be taken into account when developing policies, procedures and training.
Prior to an emergency or disaster being declared, entities should take steps to ensure individuals are able to be given information about how their personal information will be collected, used and disclosed in an emergency or disaster. Entities should consider:
- creating an emergency/disaster help page or FAQs on their website
- preparing pamphlets that include information about how personal information will be handled during an emergency or disaster, as well as considering how media announcements will be made
- making arrangements so that either a designated privacy advice help line or key privacy officer are able to answer privacy questions and respond to internal and external enquiries, including complaints and access or correction requests, during the emergency or disaster
- developing a data breach response plan to ensure any data breaches are responded to effectively
- making all information as helpful and inclusive as possible by addressing literacy, language and disability requirements.
Entities should also consider establishing information sharing arrangements with other entities that are likely to be involved in disaster or emergency management and support prior to an emergency or disaster being declared. Entities should ensure that privacy protections are built into these arrangements.
During an emergency or disaster — collecting, using and disclosing personal information
When an emergency or disaster is declared, entities should coordinate their response in accordance with the policies, procedures and training processes outlined in their Personal Information Handling Plan, taking into account the particular circumstances of the emergency or disaster. Entities should:
- understand the scope of any relevant Emergency Declaration (ED), especially any rules specifying:
  - the kinds of personal information to which the ED applies
  - the entities to which the ED applies
  - the entities that personal information can be disclosed to
  - the permitted purposes of the collection, use or disclosure
- ensure they only collect, use and disclose personal information in accordance with the ED and the Privacy Act, and that they only disclose the personal information necessary to meet an individual’s needs
- take steps to ensure the security of the personal information they share and receive
- where possible, record details about disclosures of information, including:
  - the date of the disclosure
  - details of the personal information that was disclosed
  - who the personal information was disclosed to
  - the purpose for which the personal information was disclosed, and
  - the basis for the entity’s ‘reasonable belief’ that the individual may be involved in the emergency or disaster.
Good record keeping will help the entity assure itself that the provisions in s 80P apply, and it may be a useful reference if the entity later needs to justify the action it took.
Social media can play an important role in providing timely, up-to-date and relevant information during an emergency or disaster. Entities should think about how they use social media to gather information, communicate with the community and, if appropriate, respond to comments from individuals. Entities should also think about what measures they need to take to ensure the quality of the information on their social media platforms and to ensure that personal information is not unlawfully disclosed.
After an emergency or disaster
Once a declaration of emergency or disaster under Part VIA ceases, it is important that entities resume their normal procedures for collecting, using, disclosing and destroying personal information. Entities should ensure all staff are aware that the special privacy provisions in Part VIA have ceased and assist them in resuming normal personal information handling procedures. Entities should also consider:
- evaluating how they handled personal information in the emergency or disaster and how effective their policies, procedures and training were
- identifying areas where their collection, use or disclosure of personal information could be improved
- updating the policies, procedures and training processes in their Personal Information Handling Plan, as required.
For more information about emergency management visit the Department of Home Affairs.
The information provided in this resource is of a general nature and is not a substitute for legal advice.
Footnote
[1] Under s 6AA, a responsible person for an individual is a parent of the individual; a child or sibling of the individual, provided the child is at least 18 years old; a spouse or de facto partner of the individual; a relative of the individual, provided the relative is at least 18 years old and is a member of the individual’s household; a guardian of the individual; a person exercising an enduring power of attorney over the individual, which was granted by the individual and relates to decisions about the individual’s health; a person who has an intimate personal relationship with the individual; or a person who is nominated by the individual to be contacted in case of emergency.