WHO SHOULD READ THIS

  • Entities assisting individuals that may be involved in the current Australian bushfire emergencies as well as affected individuals.

WHAT YOU NEED TO KNOW

  • Privacy (Australian Bushfires Disaster) Emergency Declaration (No 1) 2020 enlivens the provisions of the Privacy Act 1988 (Cth) which authorise entities to collect, use and disclose personal information about an individual for certain purposes that directly relate to the Commonwealth's response to the declared bushfire emergency. These purposes go beyond the collection, use and disclosure of personal information which would otherwise be permitted under the Australian Privacy Principles.

On 20 January, the Attorney-General made the Privacy (Australian Bushfires Disaster) Emergency Declaration (No 1) 2020 (Declaration) under s80J of the Privacy Act 1988 (Cth) (Privacy Act) as a response to bushfires in Australia resulting in death, injury and/or property damage from August 2019 into 2020. The Declaration enlivens Part VIA of the Privacy Act (Emergency Provisions) and is effective for 12 months. It will expire on 20 January 2021.

The Emergency Provisions

Part VIA of the Privacy Act provides that agencies, organisations and people (entities) may collect, use or disclose personal information for a purpose that is directly related to the Commonwealth's response to an emergency (Permitted Purpose) if the entity reasonably believes that the individual may be involved in the emergency. Examples of Permitted Purposes include:

  • identifying individuals who are, or may be, injured, missing or dead, or involved in the emergency or disaster;
  • assisting individuals to obtain services, including repatriation, medical or other treatment, health services and financial or other humanitarian assistance;
  • helping law enforcement with the emergency or disaster;
  • coordinating or managing the emergency or disaster; and
  • ensuring that responsible persons for individuals are kept appropriately informed about the matters that are relevant to those individuals, or the response to the emergency or disaster relating to those individuals.

It is important to note that, if the disclosing entity is an Australian Government agency, any disclosure of personal information under the Emergency Provisions must only be to:

  • another Australian Government agency;
  • a State or Territory authority;
  • an organisation as defined under the Privacy Act, including health service providers and private sector businesses with a turnover of more than $3 million;
  • a responsible person for the individual (e.g. parent or guardian; spouse or de facto partner; a relative of the individual, provided the relative is over 18 years old); or
  • any other entity that is, or is likely to be, involved in managing, or assisting in the management of, the emergency,

and individual officers or employees of an agency may only collect, use or disclose personal information if authorised to do so by the agency.

If an organisation or person is disclosing personal information under the Emergency Provisions, it can only make the disclosure to:

  • an agency; or
  • any entity that is directly involved in providing repatriation services, medical or other treatment, health services or financial or other humanitarian assistance services to individuals involved in the bushfire emergency.

Updating your Privacy Policy or Personal Information Handling Plan

Entities that intend to take advantage of the Emergency Provisions should take extra care to ensure their employees understand the additional authorisations and their other obligations under the Privacy Act. We recommend updating your privacy policy or preparing a standalone 'Personal Information Handling Plan' to supplement your standard privacy policy. The updated policy or supplementary plan should outline:

  • what the Permitted Purposes are (including those which are most likely to be applicable to your particular entity);
  • how an individual (e.g. an employee) should form a reasonable belief that a Permitted Purpose exists based on the circumstances, including the entity's role and responsibility during the emergency;
  • the entities to whom personal information may be disclosed; and
  • any additional data security processes and procedures which are in place.

Other points of note

It is also worth noting that:

  • there are certain secrecy provisions (such as under the Office of National Intelligence Act 2018 (Cth)) which continue to apply, so care should be exercised before disclosing information which is otherwise the subject of a secrecy provision;
  • no disclosure is permitted to a media organisation under the Emergency Provisions (and any such disclosure would need to be compliant with Australian Privacy Principle 6);
  • entities must ensure that they comply with their other obligations (including notice and information security requirements) as required under the Privacy Act; and
  • for the purposes of the Privacy Act, personal information includes such information about a person who is deceased.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.