On March 4, Privacy Commissioner Marie Shroff issued a code of practice that permits broad information sharing in the event of national emergencies. In a statement accompanying the release of the new code, Ms Shroff said:
When a national emergency strikes, response agencies need to be certain whether they can share information with others. The last thing they need is to spend time second-guessing. And agencies that are planning for future emergencies have to be certain what the law will allow them to do, so they can factor that into their planning process.
This code gives them certainty. Once a national emergency is declared, it will allow personal information to be collected, used and disclosed as part of managing the response and recovery process. For instance, it allows personal information to be collected and used to identify people present, missing, or injured in a disaster zone. It also makes sure families of those affected can be kept updated.
The new code was the result of a temporary code the Privacy Commissioner immediately after the Canterbury Earthquake in February 2011. At that time, the Privacy Commissioner issued a temporary code of practice to authorize information sharing that would help with the response. The temporary code proved to be useful and led to the development of the new code, which will go into effect on April 15. Guidance material on the code is also available on the Privacy Commissioner’s site.
The permissible collection, use, and disclosure of information under the code continues in effect after the expiration of a state of emergency for a further 20 working days in relation to the emergency. What I don’t see in the code, though, is whether/when the agencies have to delete or destroy any data they have collected to facilitate response to the emergency. Perhaps a NZ privacy advocacy group can clarify that for me?