Bushfires Disaster Emergency Declaration – Privacy Act

Key Points

• On 20 January 2020, the Attorney-General made the Privacy (Australian Bushfires Disaster) Emergency Declaration (No. 1) 2020.
• This declaration permits entities that are subject to the Privacy Act 1988 (Cth) to handle personal information of those affected by bushfires for specific purposes.

Background
 
In response to recent bushfires, on 20 January 2020 the Attorney-General made the Privacy (Australian Bushfires Disaster) Emergency Declaration (No. 1) 2020 (“Declaration”).
 
This Declaration was made under section 80J of the Privacy Act 1988 (Cth) (“Privacy Act”). This section allows the Australian government to make a declaration when an emergency or a disaster of national significance affecting Australians has occurred.
 
Handling personal information under the Declaration
 
Once a declaration is made, special provisions under the Privacy Act apply which regulate how entities that are subject to the Privacy Act may handle personal information in a declared emergency or disaster. These provisions also permit such entities to exchange information that is not otherwise allowed under the Privacy Act or the Australian Privacy Principles (“APPs”) in normal circumstances.
 
In order for an entity to rely on these provisions to collect, use or disclose personal information, the following conditions must be satisfied:

1. the entity reasonably believes that the individual (to which the personal information relates to) is involved in the bushfire; and
2. the collection, use, or disclosure of the personal information is for a “permitted purpose” in relation to the bushfire.

Permitted purposes under the Declaration
 
Section 80H of the Privacy Act defines a “permitted purpose” as a “purpose that directly relates to the Commonwealth’s response to an emergency or disaster in respect of which an emergency declaration is in force”. In the context of the current Declaration, examples of a “permitted purpose” where an entity subject to the Privacy Act may disclose personal information of affected individuals include:

• identifying individuals who are or may be injured, missing or dead as a result of the bushfires (for example to assist the NSW State Emergency Service in conducting search and rescue missions);
• assisting individuals involved in the bushfire to obtain medical treatment, financial assistance, or health services (for example to assist Services Australia in issuing Australian Government Disaster Recovery Payments to affected individuals)
• assisting with law enforcement in relation to the bushfires;
• coordination or management of the bushfires (for example to assist the NSW Rural Fire Service’s evacuation efforts in bushfire-affected regions and areas);
• ensuring that responsible persons for individuals who are, or may be, involved in the bushfire are appropriately informed about the individual and the emergency response to the individual (for example to assist a hospital in notifying relatives of individuals injured by bushfires of their treatment statuses).

The Declaration does not permit disclosures of personal information to media organisations.
 
Duration of the Declaration
 
The Declaration expires on 20 January 2021.
 
Entities subject to the Privacy Act should note that while the Declaration is in effect, all other obligations under Privacy Act still apply, for example APP 5 in relation to notification of the collection of personal information.
 
Key takeaways
 
The Australian government recognises that the parameters surrounding the safeguards and protections of an individual’s privacy under the Privacy Act and APPs may need to change in times of emergencies or disasters.
 
The separate regime for the collection, use and disclosure of personal information in circumstances of declared emergencies or disasters enhances information sharing between government agencies and entities. This allows such agencies and entities to respond to and manage emergencies or disasters effectively, while at the same time ensuring that the personal information of those affected are adequately protected.
 
More information about the current Declaration can be accessed via the Office of the Australian Information Commissioner’s published guidance note for the Declaration.

Post by John Kell and Michael Fong