Civil Defence National Emergencies (Information Sharing) Code 2020
The Office of the Privacy Commissioner has summarised the effect of the Civil Defence National Emergencies (Information Sharing) Code as follows:
The code provides agencies with broader discretion to collect, use and disclose personal information in the rare event of a major disaster that has triggered a state of national emergency. In particular, the code will facilitate the disclosure of personal information to public sector agencies to assist in the government response to a national emergency.
The code promotes the vital interests of individuals in national emergencies by, for example, facilitating the sharing of information to help identify individuals who have been caught up in the emergency, to assist individuals to obtain essential services and to coordinate the management of the emergency.
(Content on the Office of the Privacy Commissioner’s website is licensed for use under a Creative Commons Attribution 3.0 New Zealand (CC BY 3.0 NZ) licence.)
Real value of the Code
The real value of the Code is that it makes it easier for agencies to share personal information with one another during an emergency, where the Privacy Act’s information privacy principles (IPPs) or the Health Information Privacy Code might not otherwise permit the sharing. It can also enable agencies that already hold personal information collected for another purpose to use it for an emergency response purpose (which the Code calls the ‘permitted purpose’), even if ordinarily the Privacy Act’s IPP10 (Limits on use of personal information) or rule 10 of the Health Information Privacy Code (Limits on use of health information) would not allow it.
In most cases of agencies collecting personal information directly from the individuals concerned for the purpose of helping them deal with the emergency or its effects, the agencies wouldn’t need to rely on the Code because, in the vast majority of cases, they could already do so under the Privacy Act. This is because, usually, the collection would be reasonably necessary for a lawful purpose connected with an agency’s functions or activities (thereby satisfying IPP1). Agencies would still need to comply with the transparency requirements of IPP3 (Collection of information from subject), and that would remain the case if an agency sought to rely on the Code for permitted collection directly from individuals (because the Code does not affect the application of IPP3). That said, in an emergency situation, there could well be situations where it’s just not reasonably practicable to inform individuals at the point of collection of the matters listed in IPP3.
Assessment
To assess whether your agency’s proposed collection, use or sharing of personal information is covered by the Code, fill out the form below, review the feedback that appears as you do and, once you’re done, download your summary PDF report.