Recent attacks in Beirut and Paris have highlighted that governments have to deal swiftly with emergencies – whether deliberately caused or naturally occurring – and have in place statutory powers to restore security and public confidence.
In New Zealand, Parliament’s Regulations Review Committee is currently considering what overarching principles should govern the delegation of law-making powers in the context of recovery from a national emergency.
Although national emergencies are exceedingly rare in New Zealand, this is an important topic for a seismically active country like ours where the next big earthquake could be in 50 years’ time or tomorrow afternoon. It is an issue that also has relevance in the context of privacy law.
The Regulations Review Committee is exploring the question as part of a wider inquiry into the constitutional and legislative aspects of the legislative framework for national emergency response and recovery.
The purpose of this inquiry is to establish the most appropriate legislative model for managing the aftermath of national emergencies once a state of emergency has been lifted – a model that maintains consistency with essential constitutional principles, the rule of law, and good legislative practice.
Christchurch quake information sharing
The context is the prolonged recovery from the 2011 Christchurch Earthquake for which certain extraordinary statutory measures remain in place and seem likely to stay for some time.
In the earthquake’s aftermath, the then-Privacy Commissioner Marie Shroff faced the question of whether existing law should remain unchanged in the face of a national emergency. She concluded that some limited relaxation of the principles in the Privacy Act was warranted to assist in the emergency and for a month following the lifting of the state of national emergency.
On 24 February 2011, Ms Shroff used the urgency power in section 52 of the Privacy Act to issue a code of practice within 24 hours of the declaration of the national emergency. The code relaxed legal restrictions on the collection, use and disclosure of personal information by expressly providing authority for certain additional permitted purposes. For anyone interested in the temporary 2011 code, there’s information about it here.
Data protection and natural disasters
The sort of reasons behind the temporary code were explained in a Resolution on Data Protection and Major Natural Disasters which was adopted by the International Conference of Data Protection and Privacy Commissioners in late 2011.
This included that public responses to a major natural disaster may warrant:
The Office of the Privacy Commissioner has made a submission to the current inquiry and it offers principles obtained from the 2011 experience. We suggested that:
Our submission also highlighted the recommendation to governments in the 2011 resolution to include consideration of privacy in their civil defence planning, including to:
“Ensure that any special measures that may limit the normal operation of data protection law are appropriately justified, proportional to the emergency, contain appropriate safeguards and endure only for so long as warranted by the disaster.”
Submissions from others
The inquiry has received about 28 other submissions. Various suggestions have been made as to the principles that should apply to the derogation from normal laws in times of national emergency.
For example, the Christchurch City Council in its submission endorsed the views of the Legislation Advisory Council that “emergency legislation should be prepared in advance and triggered at a defined time by declaration of a post-state of emergency recovery period” thus enabling better public scrutiny than is possible when legislating in the heat of an emergency itself.
Civil Defence code
A similar stance was taken two years after the earthquake with the Civil Defence National Emergencies (Information Sharing) Code 2013 which contained provisions modelled on the temporary 2011 code.
The Commissioner took the view that a code would be needed only for the ‘response phase’ and would expire one month after the emergency is lifted. Information handling in the latter phases of the recovery and reconstruction period could easily be accomplished in accordance with the normal requirements of the Privacy Act (which includes provision for authorised information sharing agreements if warranted).
Protection for volunteers
Another submission from two professors and a PhD student at Canterbury University propose that there should be better legal protection for volunteer disaster relief responders.
While those submitters’ concerns are directed to a somewhat different set of issues than those that led to the issuing of the 2011 and 2013 code, there is a common concern. The codes sought to give agencies comfort that the disclosure of information to public authorities would be legally compliant and avoid risk-averse agencies needlessly hesitating if asked to release records needed for the response.
The Regulations Review Committee is expected to report back next year.
Image credit: The old Robertson's Bakery building, Victoria Street, Christchurch - photo by Kebabette via Digital NZ.