In response to the recent Australian bushfires, on 20 January 2020, the Attorney-General made the Privacy (Australian Bushfires Disaster) Emergency Declaration (No 1) 2020. The Declaration was made under section 80J of the Privacy Act 1988 (Cth).
What does the Declaration achieve?
The Declaration declares "Bushfires in Australia resulting in death, injury and/or property damage occurring from August 2019 into 2020" to be a "disaster" for the purposes of section 80J of the Privacy Act.
Subject to meeting the conditions set out below, the Declaration allows Commonwealth agencies and certain private sector entities subject to the Privacy Act to collect, use or disclose personal information in circumstances otherwise not permitted by the Privacy Act.
The following conditions must be satisfied before any collection, use or disclosure of personal information is made:
- the entity must have a reasonable belief that the individual concerned is involved in the bushfire emergency; and
- the proposed collection, use or disclosure must be for a "permitted purpose".
Section 80H of the Privacy Act defines a "permitted purpose" as "a purpose that directly relates to the Commonwealth's response to an emergency or disaster in respect of which an emergency declaration is in force". Some examples of "permitted purposes" include:
- identifying individuals who are, or may be, missing, injured or dead, or who are otherwise involved in the bushfire;
- assisting individuals involved in the bushfire to obtain medical treatment, health services or financial or other humanitarian assistance;
- assisting law enforcement in relation to the bushfire; and
- co-ordinating or managing the bushfire.
Important points to note
- The Declaration only applies to entities covered by the Privacy Act. It does not override State and Territory privacy laws which regulate the collection, use and disclosure of personal information.
- Under section 80P of the Privacy Act, there are limits on who personal information can be disclosed to. The specific limits depend on whether the disclosure is by an agency or an organisation or other person. For example, Commonwealth agencies can only disclose personal information to Australian government agencies, State and Territory authorities, the person(s) responsible for the concerned individual, an "organisation" (as defined under the Privacy Act), and any other entity involved in managing the bushfire emergency.
- The Declaration does not permit disclosure to media organisations.
- Entities will still need to comply with other obligations under the Privacy Act, including collection notices.
How long does the Declaration last?
The Declaration is effective for 12 months (that is, until 20 January 2021). After this time, entities governed by the Privacy Act will no longer be permitted to collect, use or disclose personal information for the reasons listed above, unless the relevant use or disclosure is permitted by other provisions of the Privacy Act or another relevant law.
How should entities respond?
Entities subject to the Privacy Act should familiarise themselves with the implications of this Declaration. In particular, they should ensure that they understand the Declaration's parameters.
The Office of the Australian Information Commissioner has published some guidance material on this topic for Commonwealth agencies and private sector organisations.
If you require further information about the Declaration and its effects, please get in touch.