The Civil Defence National Emergencies (Information Sharing) Code 2013 (Civil Defence Code, a code of practice under the Privacy Act) is a powerful tool for agencies that need to collect, use or disclose personal information as part of responding to the COVID-19 epidemic (or any state of national emergency). In substance, when it applies, it modifies some of the standard information privacy principles relating to collection, use and disclosure of personal information. In other words, some of the Privacy Act’s usual controls on the collection, use and disclosure of personal information yield to the exigencies of the emergency at hand.
The Code’s existence is clearly a good thing. It enables agencies to act quickly to help those affected by an emergency. At the same time, it’s a somewhat curious beast. Its designers, no doubt acting at speed after the Canterbury earthquakes, clearly wanted to make it punchy and brief. However, in my view, with that brevity came a lack of clarity in certain areas, and I thought it helpful to comment on those areas because a lack of clarity is the last thing that agencies relying on it in an emergency need.
IPPs that are modified
The Code doesn’t state expressly which IPPs it modifies. It seems clear enough that, when the elements of its clause 6 (Authority for collection, use and disclosure of personal information) are met, it modifies the application of IPPs 1 and 2 (where an agency is collecting personal information), IPP10 (where an agency wishes to use personal information it holds, for an emergency-related purpose, that it originally collected for another purpose) and IPP11 (where an agency wishes to share personal information with another agency for emergency-related purposes). I suggest it would be helpful, though, if it were to say so expressly. The Code does say that the authority it confers in clause 6(1) is in addition to, and does not restrict, any other authority for collection, use or disclosure contained in the IPPs, but greater clarity would, I think, be helpful.
IPPs that are left untouched
Similarly, those familiar with the other main codes of practice under the Privacy Act, such as the Health Information Privacy Code, will be familiar with codes that contain a complete replacement set of IPPs. The Civil Defence Code is quite different. It is silent on IPPs 3, 4, 5, 6, 7, 8, 9 and 12. As such, these IPPs continue to apply, even during an emergency. In some cases, their own in-built exceptions may mean there’s no or only a minimal compliance requirement, but I think it would be helpful if the Code were to remind agencies that these IPPs still apply. During an emergency, agencies and their advisors will have a high cognitive load. When they look at the Civil Defence Code, they’ll be looking at something quite different to the other main codes and there may be a risk of overlooking other IPPs. A single additional sentence in the Code would remove this risk.
“But the Code doesn’t modify the IPPs” (yes it does…)
Before moving to the next point, I should perhaps note that some may interpret the Civil Defence Code as providing discrete authority for the collections, uses and disclosures of personal information it covers, without modifying the IPPs at all. On this interpretation, they may conclude that my comments above are barking up the wrong tree. In my view, the Civil Defence Code cannot and should not be interpreted this way, because to interpret it as a source of authority entirely separate to the IPPs would be to treat it as akin to a separate and specific statutory authority when that is not what codes of practice are designed to do. Under section 46 of the Privacy Act, a code of practice may:
- modify the application of 1 or more IPPs, by prescribing different standards or exempting their application to certain actions;
- apply 1 or more IPPs (but not all of them) without modification; and/or
- prescribe how 1 or more of the IPPs are to be applied or complied with.
Section 46 does not authorise the Commissioner to issue separate, free-standing authorities to collect, use or share personal information in a manner that doesn’t affect the IPPs in any way (that’s a job for Parliament). This is why we must interpret the Civil Defence Code as modifying some of the IPPs, while leaving the others untouched. I believe that was the intention, and I’m suggesting the Code would benefit from greater clarity in this regard.
Finally, the Code contains no reminder to agencies that it does not override specific statutory provisions in other legislation that may prevent the use of personal information collected for one purpose, for another purpose, or that prohibit the disclosure of personal information to another agency unless specifically authorised by primary legislative provisions. The Code does say it doesn’t restrict authorities for the collection, use or disclosure in other enactments, but it is silent on statutory prohibitions. Whilst the prevailing of statutory prohibitions over the Code is a conclusion that flows from section 7 of the Privacy Act, again it would be helpful to make that clear in the Code, so as to remove the risk of agencies thinking the Code opens the door to information use or disclosure that primary legislation may otherwise restrict.
It’s likely that this point will only be relevant to agencies that operate under statutory secrecy requirements that override the IPPs, but the fact that a small minority of public sector agencies do operate in such environments makes this point potentially important. Inland Revenue, which does operate in such an environment, is probably a good example. It needs to share various kinds of personal and other information in responding to the COVID-19 outbreak but, to enable it to do so, Parliament amended the Tax Administration Act 1994. To cut a long legislative story short, the COVID-19 Response (Taxation and Social Assistance Urgent Measures) Act 2020 (2020 No 8) inserted a new clause 23B into Part C of Schedule 7 to the Act which states that section 18 (Confidentiality of sensitive revenue information) “does not prevent the Commissioner disclosing to a government agency information about a person or entity for the purpose of enabling the government agency to provide or fulfil any duty, obligation, or other thing in relation to any person or entity in connection with COVID-19 (including, without limitation, for the purpose of enabling the government agency to carry out an audit, review, or other enforcement function in relation to COVID-19-related assistance provided to any person or entity).”
The purpose of this post is not to have a crack at the Civil Defence Code. The Code is a very useful and pragmatic code that will, I’m sure, have been relied on by agencies responding to the COVID-19 epidemic. However, I think there’s room for improving it so as to make certain points clearer to agencies, thereby enabling them to apply it faster and without losing sight of the application of unmodified IPPs and, for a minority of public sector agencies, statutory prohibitions that override it.