16.08.2010
44.98 On 7 December 2006, a new Part VIA of the Privacy Act commenced operation.[125] Part VIA provides a separate regime for the collection, use and disclosure of personal information where there is a connection to an emergency that has been the subject of a declaration by the Prime Minister or a minister. The Part is intended to enhance information exchange between Australian Government agencies, state and territory authorities, organisations, non-government organisations and others, in emergencies and disasters.[126]
44.99 Part VIA arose partly as a response to the concern that the provisions of the Privacy Act impeded the ability of agencies and organisations to respond to the emergencies of the terrorist attacks in the United States on 11 September 2001, the Bali bombings of 2002 and the Boxing Day tsunami of 2004.
44.100 In summary, Part VIA operates as follows:
The application of Part VIA is triggered by the making of a declaration by the Prime Minister or the relevant minister, where he or she is satisfied of a number of matters, including that there has been an emergency or disaster affecting one or more Australian citizens or permanent residents.[127]
The declaration commences when it is signed and ceases to have effect at a specified time, when revoked or after a maximum of 12 months.[128]
While such a declaration is in force, s 80P provides that an entity (which is defined to mean an agency, organisation or other person) may, for a ‘permitted purpose’,[129] collect, use or disclose personal information relating to an individual if: the entity reasonably believes the individual may be involved in the emergency or disaster; and the disclosure is to one of the persons specified.
Section 80Q creates an offence to disclose information obtained under Part VIA in certain circumstances, punishable by a penalty of 60 penalty units[130] and/or imprisonment for one year.
Division 4 of Part VIA also contains a number of technical provisions including a severability provision and a provision dealing with compensation.
44.101 Before the Privacy Legislation Amendment (Emergencies and Disasters) Act 2006 (Cth) was passed, a number of stakeholders informed the ALRC that the Privacy Act hinders operations in emergency situations. Following the introduction of the amendment, however, a number of stakeholders have indicated that most, if not all, of the problems arising from the handling of personal information in emergency situations have been dealt with adequately by the advent of Part VIA.[131]
44.102 In the ALRC’s view, it would be premature to propose changes to the regime before there has been any opportunity to evaluate how well the provisions operate in practice.
[125]Privacy Legislation Amendment (Emergencies and Disasters) Act 2006 (Cth).
[126] See Privacy Act 1988 (Cth) s 80F; Explanatory Memorandum, Privacy Legislation Amendment (Emergencies and Disasters) Bill 2006 (Cth).
[127] See Privacy Act 1988 (Cth) ss 80J, 80K, 80L.
[128] Ibid ss 80M, 80N.
[129] The term ‘permitted purpose’ is defined in s 80H and includes: identifying injured, missing, dead or affected individuals; assisting affected individuals in accessing services; and assisting law enforcement and coordinating the management of the situation.
[130] Currently this amounts to $6,600.
[131] See, eg, Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007; Australian Federal Police, Submission PR 186, 9 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Taxation Office, Submission PR 168, 15 February 2007; National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007.