Privacy flexibility in disaster management - information sharing scenarios

The privacy principles in the Information Privacy Act 2009 (IP Act) provide generous flexibility for disaster event managers and other Queensland public sector entities to deal with personal information in a range of circumstances as indicated below.

Key points to note include:

  • privacy obligations only apply where there is personal Information (information about a living person who can be identified directly, or reasonably indirectly, from the information)1
  • personal information can be used or disclosed where it is reasonably necessary to lessen or prevent a serious threat to the life, health, safety or welfare of an individual, or to public health, safety or welfare2
  • aggregated or de-identified data does not raise privacy issues and could be used where the identity of individuals is not needed (e.g. “two people with diabetes, four pregnant women, two elderly people and five children are currently in the evacuation centre”)
  • the IP Act applies to Queensland public sector agencies including the Department of Communities, Disability Services and Seniors, Queensland Fire and Emergency Services, Queensland Police Service (QPS), local governments, and State, district and local disaster management groups3
  • Consent is a strong privacy ‘permission’ – always ask where practicable4;
  • Other legislated restrictions about confidentiality may apply and will override privacy obligations5.

Information sharing scenarios

Scenario 1: The Queensland Government wants to release geo-coded information about damage to a large number of individual properties to ensure the community better understands the danger to the community in accessing the area.

Even where such information included personal information, it is likely it could be released as the agency could reasonably be satisfied it was necessary to prevent or lessen a serious threat to public safety.

Scenario 2: Managers of evacuation centres may wish to release specific information about registered occupants to recovery agencies so that their individual needs can be serviced better.

Consent should be obtained where possible, particularly if sensitive information such as health information is involved. In some cases it will be appropriate to rely on implied consent where it is impracticable to obtain consent and had consent been obtained, the individual would have consented. For example, an agency could usually assume that it could imply consent where the individual would benefit from the use of the information. However, if a person does not give or subsequently retracts their consent the agency will need to factor this into their management of the individual.

Scenario 3: Managers of evacuation centres may want agencies with a knowledge of those who pose a risk to other members of the community to share that information about people on the registered list of occupants so that mitigation strategies can be put in place.

Other Queensland public sector agencies such as QPS, the Department of Child Safety, Youth and Women, and the Department of Communities, Disability Services and Seniors also have obligations under the IP Act. The IP Act permits an agency to share personal information where it is to lessen or prevent a serious threat to the life, health, safety or welfare of an individual, or to public health, safety or welfare. However often agencies also have strict confidentiality requirements they must comply with under other specific legislation about certain information and may therefore be restricted from sharing information. Information obtained must be stored securely.

Scenario 4: A disaster management group need to use a range of media, including social media such as Twitter and Facebook, to communicate critical information for the community.

Where possible use de-identified information, aggregated information or information that is about property rather than identifying individuals when publishing online. Alternatively, obtain the person’s agreement to use the personal information where practicable. In some cases legislation authorises certain information to be posted on an agency’s web-site (only). Where there is a serious threat to health or safety the IP Act permits agencies to publish information online, however once the threat passes the information must be removed from the internet.

Scenario 5: Information collected during post-disaster interviews may be useful to a variety of organisations to assist with response and recovery activities, but may have been collected without the necessary privacy release declaration.

De-identified and aggregated data may be provided without revealing personal information. If more specific information that would identify an individual is required, consider whether consent can be obtained or whether consent would be implied in the circumstances. The information can also be shared where it is to prevent or lessen a serious threat to the life, health, safety or welfare of an individual, or to public health, safety or welfare.

Accessing information from Australian Government agencies

Entities responsible for disaster management at State, District and Local level may require personal information from Australian Government agencies to assist in providing appropriate services. Australian Government agencies are required to comply with similar Commonwealth privacy legislation when disclosing information. Such legislation has equivalent flexibility for sharing personal information for health and safety and law enforcement purposes.

For example, local governments may want to know information about individuals who may be vulnerable during a disaster, such as people with disabilities living independently, who may receive assistance from the Australian Government. When requesting information it will be important to explain the purpose for collecting the information and how it will be used. It is important that the information is kept up to date and accurate, and stored securely.

Current as at: November 19, 2018