In the event of emergencies or disasters, the rapid sharing of personal information can be vital for response and recovery efforts. However, this urgency must be balanced with the responsibility to protect individual privacy.
Part VIA of the Privacy Act, particularly section 80P, provides a framework for organisations to navigate this delicate balance. This article explores some of the legal requirements for sharing personal information during emergencies and disasters.
Requirements under section 80P of the Privacy Act
Under section 80P of the Privacy Act, an organisation[1] may, at any time during an emergency or disaster, collect, use or disclose personal information relating to an individual if:
The organisation reasonably believes the individual may be involved in the emergency or disaster, and
The collection, use or disclosure is for a permitted purpose (see below) in relation to the emergency or disaster, and
The disclosure is to a Government agency OR to a person or entity prescribed by the Privacy Regulations or specified by the Minister under this section. Disclosure is also permitted to be made to any organisation directly involved in providing repatriation services, medical or other treatment, health services, financial or other humanitarian services relating to the disaster or emergency.
An entity is not permitted to disclose any personal information to the media under this section.
It is also important to note that this section does not apply to ‘designated secrecy provisions’, which may only be relevant to those organisations involved in offering services to certain Commonwealth providers.[2]
It is important to note that an organisation can only rely on section 80P if the Australian Prime Minister or relevant Minister has made a declaration under section 80J of the Privacy Act that there is an emergency or disaster of national significance and section 80P can be relied upon.
If such a declaration is made, it should be published on the OAIC’s website, including when the declaration will take effect.
If an organisation discloses personal information in relation to an emergency or disaster that has not been declared by the Prime Minister or Minister in accordance with section 80J, then the organisation has committed an offence under the Privacy Act. This could result in a substantial penalty or one year imprisonment, or both.
Permitted Purpose
Permitted Purpose is defined under section 80H of the Privacy Act and is a purpose that relates directly to the Commonwealth Government’s response to an emergency or disaster (that has been declared under section 80J) and includes any of the following:
Identifying those who are, or may be, injured, missing, involved or dead (and keeping any responsible person informed, such as a parent of a child who might be missing)
Helping individuals to access services including repatriation, medical treatment, health services and financial or humanitarian assistance
Helping law enforcement in relation to the emergency or disaster, or
Coordination or management of the disaster or emergency
How to Comply in the Event of an Emergency or Disaster
Not all organisations will need to respond to declared emergencies or disasters. If you think your organisation may need to consider how it handles personal information during a declared emergency or disaster, you may wish to develop a Personal Information Handling Plan that specifically addresses how personal information will be handled before, during or after an emergency or disaster.
It is recommended that you seek assistance from a legal or privacy professional with the development of your Personal Information Handling Plan.
This help article does not purport to be legal advice, and it is recommended that organisations seek independent legal advice to better understand their legal obligations under the Privacy Act.
[1] Or person. This Part applies to both organisations and persons.
[2] Law firms captured by the Privacy Act should take note of section 80P(3), which exempts an organisation from being liable for contravening a duty of confidence in respect of use or disclosure of personal information under Part VIA of the Privacy Act, but this does not extend to legal professional privilege.