Privacy Legislation Amendment (Emergencies and Disasters) Act 2006

The Privacy Legislation Amendment (Emergencies and Disasters) Act 2006 is a Commonwealth amending Act that inserts Part VIA into the Privacy Act 1988. Part VIA creates a special, time-limited regime for collecting, using and disclosing personal information during declared emergencies and disasters. It only operates while an emergency declaration is in force, and that declaration is simply the trigger for the regime rather than a general emergency framework. The rules can apply to emergencies in Australia and to overseas events affecting Australian citizens or permanent residents. An entity may only rely on the regime if it reasonably believes the individual may be involved in the emergency or disaster and the handling is for a permitted purpose directly related to the Commonwealth response. The Act allows urgent information sharing in limited circumstances, but it also imposes strict boundaries, including recipient restrictions, a ban on disclosures to media organisations, carve-outs for designated secrecy provisions, and offence risk for some secondary disclosures.

In Force · CTH · Plain-English guide · 10 key obligations

These are plain-English explainers, not legal advice. They are a good starting point, but check the linked official source before you rely on a specific section, and get advice for your situation.


What this Act does

The Privacy Legislation Amendment (Emergencies and Disasters) Act 2006 is a Commonwealth amending Act. Its main practical effect is to amend the Privacy Act 1988 by inserting Part VIA, titled Dealing with personal information in emergencies and disasters.

Part VIA creates a special framework for the collection, use and disclosure of personal information during certain emergencies and disasters. The object of the Part is to make special provision for handling personal information in those situations. The legislation is aimed at situations where urgent information sharing may be needed to identify affected people, help them obtain services, support law enforcement, coordinate the response, and keep responsible persons appropriately informed.

This is not a general suspension of privacy law. It is a targeted regime with specific trigger points, a reasonable belief test, permitted purposes, recipient limits and offence provisions for some onward disclosures.

Trigger points and when the regime applies

The emergency privacy rules only operate when an emergency declaration is in force. That declaration is the legal trigger for Part VIA. The legislation expressly notes that a declaration is merely a trigger for the operation of the Part and is not directly related to any other legislative or non-legislative emergency scheme.

A declaration may be made by the Prime Minister or the Minister in two main situations. First, for an emergency or disaster of national significance where it is appropriate for Part VIA to apply and one or more Australian citizens or permanent residents have been affected, whether within Australia or overseas. Second, for an emergency or disaster that has occurred outside Australia where it is appropriate for Part VIA to apply and one or more Australian citizens or permanent residents have been affected.

This means the regime can apply both to domestic emergencies and to overseas events affecting Australians. The legislation does not make the privacy regime permanent or self-activating. Businesses should not assume that a public emergency announcement, disaster declaration under another law, or operational crisis automatically activates Part VIA.

The declaration must be in writing and signed by the Prime Minister or the Minister. It must be published as soon as practicable on the Department's website and by notice in the Gazette. It takes effect from the time it is signed. It ends at the earliest of the time stated in the declaration, the time it is revoked, or 12 months after it is made.


Who is in scope and who is usually out

The legislation uses the term entity, which includes a person, an agency and an organisation. That means the regime can potentially apply across government bodies, private sector organisations and individuals, depending on the circumstances.

For businesses, the most relevant users of the regime are likely to be organisations directly involved in providing repatriation services, medical or other treatment, health services, financial assistance or other humanitarian assistance to individuals involved in the emergency or disaster. Businesses may also be involved because they are assisting agencies, handling data, operating contact centres, coordinating transport, or supporting the management of the event.

There are also clear limits. A disclosure authorised under section 80P must not be made to a media organisation. That means the emergency disclosure pathway cannot be used to brief the media about affected individuals. Another limit applies to agency staff. If an officer or employee of an agency collects, uses or discloses personal information in the course of duty, the conduct is only authorised if that officer or employee is authorised by the agency to do so.

Businesses should also remember that being generally involved in a crisis does not automatically mean every disclosure is covered. The Act still requires a declaration, a reasonable belief about the individual's involvement, a permitted purpose, and a recipient that fits the statutory category for the disclosing entity.

Permitted purposes and the reasonable belief test

Even when a declaration is in force, an entity cannot rely on Part VIA for every kind of information handling. Section 80P only authorises collection, use or disclosure if the entity reasonably believes the individual may be involved in the emergency or disaster and the handling is for a permitted purpose.

A permitted purpose is a purpose that directly relates to the Commonwealth's response to the emergency or disaster. The Act gives examples. These include identifying individuals who are or may be injured, missing or dead, or otherwise involved in the event; assisting individuals involved in the event to obtain repatriation services, medical or other treatment, health services, financial assistance or other humanitarian assistance; assisting with law enforcement in relation to the event; coordinating or managing the emergency or disaster; and ensuring that responsible persons are appropriately informed about matters relevant to the individual's involvement or the response concerning that individual.

The reasonable belief requirement is important. Your business does not need certainty, but it should have a genuine and objectively supportable basis for believing the person may be involved. A rushed assumption or broad data sweep without a proper basis may fall outside the authorisation.

The Act also makes clear that personal information for this Part includes information about an individual who is not living. That matters in disaster situations where information may need to be handled about people who are dead or may be dead.


Recipient rules and disclosure pathways

The recipient rules differ depending on who is making the disclosure. This is one of the most important practical points for businesses.

If the discloser is an agency, the information may be disclosed to an agency, a State or Territory authority, an organisation, an entity likely to be involved in managing or assisting in the management of the emergency or disaster, or a person responsible for the individual.

If the discloser is an organisation or another person, the permitted recipients are narrower. The information may be disclosed to an agency, an entity directly involved in providing repatriation services, medical or other treatment, health services or financial or other humanitarian assistance services to individuals involved in the emergency or disaster, or a person or entity prescribed by regulations or specified by the Minister by legislative instrument for that purpose.

In every case, the disclosure must not be to a media organisation. Businesses should therefore check both sides of the transaction: who is disclosing, and who is receiving. A disclosure that would be allowed for an agency may not be allowed for a private organisation.


Protections and what the Act does not override

If a use or disclosure is authorised by section 80P, the Act gives important protections. An entity is not liable to proceedings for contravening a Commonwealth secrecy provision in respect of that authorised use or disclosure, unless the secrecy provision is a designated secrecy provision. The Act also says an entity is not liable to proceedings for contravening a duty of confidence in respect of an authorised disclosure.

The legislation also states that an agency does not breach an Information Privacy Principle, and an organisation does not breach an approved privacy code or a National Privacy Principle, in respect of a collection, use or disclosure authorised by section 80P. These references reflect the privacy framework used in the legislation.

However, the protection is not unlimited. The Act specifically preserves designated secrecy provisions, including listed provisions in the Australian Security Intelligence Organisation Act 1979, the Inspector-General of Intelligence and Security Act 1986, the Intelligence Services Act 2001, and any additional Commonwealth provisions or kinds of provisions prescribed by regulations.

Part VIA also says its operation is not limited by another Commonwealth secrecy provision unless that secrecy provision expressly excludes the operation of section 80R. That is helpful, but it still does not mean every secrecy rule disappears. Businesses should be especially careful where intelligence, security or specially protected information may be involved.

Just as importantly, nothing in Part VIA requires an entity to collect, use or disclose personal information. The Act creates an authorisation pathway, not a mandatory obligation to share.

Secondary disclosures and offence risk

The Act does more than authorise first disclosures. It also regulates what happens after information has been shared because of Part VIA. Section 80Q creates an offence where personal information is disclosed to a person because of the operation of Part VIA, that person later discloses it again, and that person is not responsible for the individual, unless an exception applies.

The penalty stated in the legislation is 60 penalty units or imprisonment for 1 year, or both.

There are important exceptions. The offence does not apply to disclosures permitted under the applicable privacy rules for agencies or organisations, disclosures permitted under section 80P, disclosures made with the individual's consent, disclosures to the individual, disclosures to a court, or disclosures prescribed by regulations. The legislation also says that if a disclosure is covered by one of those exceptions, the disclosure is authorised by section 80Q.

For businesses, this means the compliance task does not end once information is received. Teams need to control onward sharing and make sure staff understand that emergency information cannot simply be passed around internally or externally without checking the legal basis each time.

Obligations in practice for businesses

If your business may be involved in emergency response, the safest approach is to treat Part VIA as a conditional exception that must be checked step by step. The Act does not prescribe a detailed record-keeping system, but practical governance is still important if you want to show your organisation acted within the statutory conditions.

Before relying on the regime, confirm that a declaration is in force, identify the permitted purpose, confirm the individual may be involved, and check the recipient category. If your staff are acting for an agency, make sure they are properly authorised. If your organisation receives information under the regime, control onward disclosure carefully because secondary disclosure can be an offence unless an exception applies.

It is also sensible to align your privacy procedures with emergency scenarios. That may include escalation rules, approval pathways, staff instructions on media requests, and a process for checking whether a declaration has expired or been revoked. Businesses should also check whether regulations or a Ministerial specification affect who can receive information in the particular emergency.


Dates, status and checks before relying on this page

The Act received Royal Assent on 6 December 2006 and commenced on the day after Royal Assent, being 7 December 2006. It is in force.

The emergency declaration mechanism under Part VIA is time limited. A declaration starts when it is signed and ends at the earliest of the time specified in the declaration, revocation, or 12 months after it is made. Because the regime only operates while a declaration is in force, businesses should always check the current status before relying on it.

Before acting, check the current declaration status, the exact wording of any declaration, whether any regulations prescribe additional persons, entities or secrecy provisions, and whether any Ministerial specification affects the recipient pathway for organisations or other persons. If your organisation handles health information, security-related information, or information received from government under contract, extra caution is warranted. The Act can authorise certain emergency disclosures, but it does not give a blank cheque to share personal information outside the statutory conditions.
