Privacy rules, codes and guidelines

17.52 In addition to the Privacy Act and state and territory legislation, various privacy rules, codes and guidelines regulate the handling of personal information.[53]

17.53 Part IIIAA of the Privacy Act allows private sector organisations and industries to develop and enforce their own privacy codes. Once a privacy code has been approved by the Privacy Commissioner, it replaces the NPPs for those organisations bound by the code. The Privacy Act requires that these codes contain standards equivalent to those in the NPPs, which would otherwise apply, or to a standard that secures individuals’ privacy rights to a higher standard.[54]

17.54 A number of approved privacy codes provide higher standards than those provided in the NPPs. For example, the Biometrics Institute Privacy Code provides a number of ‘Supplementary Biometrics Institute Privacy Principles’ relating to protection, control and accountability.[55] There is no overlap with the NPPs, as a code replaces the NPPs for those organisations bound by it. An organisation, however, may still be subject to other privacy regulation that is inconsistent with these codes. For example, an organisation that provides health services may engage in activities other than those dealt with under the Biometrics Institute Privacy Code, and is subject to the Privacy Act or a state or territory privacy regime in relation to these activities.

17.55 Federal legislation other than the Privacy Act also requires the development of privacy guidelines or codes. For example, under s 8A of the Australian Security Intelligence Organisation Act 1979 (Cth), the Minister may give the Director-General written guidelines to be observed by the Australian Security Intelligence Organisation (ASIO). The Attorney-General has issued a set of guidelines concerning ASIO’s functions.[56] The guidelines include rules relating to the treatment of personal information. The guidelines are discussed further in Chapter 37.

17.56 Some state regulatory regimes have adopted provisions from the Privacy Act. For example, the Victorian Essential Services Commission has developed Guideline No 10 (Confidentiality and Informed Consent: Electricity and Gas) (Guideline No 10). Guideline No 10 requires Victorian electricity and gas retailers to comply with the NPPs whether or not they are ‘organisations’ under the Privacy Act and regardless of when the personal information was collected. Guideline No 10 also protects ‘corporate customer information’ as personal information. The Law Council of Australia has noted that this is a ‘curious provision’, given that the High Court of Australia has decided that corporations do not have a right to privacy at common law and that the Privacy Act protects the rights of individuals, not corporations.[57]

17.57 The Law Council has also noted that Guideline No 10 requires retailers to apply the NPPs in a narrow way. For example, even if a retailer is providing the same customer with gas and electricity, Guideline No 10 requires the retailer to handle separately customer information about the supply of each service. The Law Council argues that this is a much higher standard than the reasonable expectation test under NPP 2.1(a), and illustrates how the incorporation of NPP-like requirements into state legal regimes can lead to divergence over time.

17.58 Industry organisations have also developed guidelines. Some of these guidelines are not required by legislation. The Australian Direct Marketing Association (ADMA) has developed a Direct Marketing Code of Practice that binds ADMA members and all employees, agents, subcontractors and suppliers of ADMA members.[58] The Code includes a schedule that outlines principles to govern fair conduct relevant to consumer data protection.[59] The principles are based on the NPPs and deal with such matters as: limitations on the amount of information that companies can collect about individuals; informing consumers about who is collecting information, and how the company can be contacted; and the intended use of the personal information. Consumers must be given the opportunity to opt out of future direct marketing approaches and block transfer of their contact details to any other marketer.

Submissions and consultations

17.59 A number of stakeholders noted that if rules, codes and guidelines are not aligned with the Privacy Act, they can contribute to inconsistency and fragmentation.[60] The OVPC noted that codes, rules and guidelines can offer less protection than is available under privacy laws where they do not offer individuals a right of complaint or the ability to seek redress for harm suffered.[61] The Australian Retailers Association submitted that a central resource of information on regulatory instruments, including industry codes of practice, should be established and maintained by the OPC.[62]

17.60 Stakeholders also noted, however, that while it is important to limit unnecessary fragmentation of privacy law, additional privacy rules, codes and guidelines can clarify sector-specific issues and provide more detailed protection for personal information where appropriate.[63] The Australian Privacy Foundation submitted that the wide range of privacy rules, codes and guidelines contribute to fragmentation and inconsistency in the regulation of personal information, but noted that with a unified set of privacy principles and greater national consistency there would still be a valuable role for sector or activity specific guidelines and codes.[64]

ALRC’s view

17.61 The ALRC acknowledges that privacy rules, codes and guidelines can be beneficial where there is a need for privacy rules to be crafted to the specific needs and practices of particular organisations or industry groups. These documents, however, can contribute to fragmentation and inconsistency of privacy regulation when they are not aligned with existing privacy laws.

17.62 When agencies and organisations are developing privacy rules, codes and guidelines, best practice dictates that they should consult with the relevant body responsible for privacy for their industry or sector to ensure that the rules, codes or guidelines will interact and operate effectively with existing privacy laws. Further, agencies and organisations should ensure that the privacy rules, codes and guidelines outline whom an individual can approach with a privacy issue or complaint.

[53] See Ch 2.

[54] Privacy Act 1988 (Cth) s 16A.

[55] Biometrics Institute, Biometrics Institute Privacy Code—Public Register (2006) <www.biometricsinstitute.org> at 8 May 2008, 16–18.

[56] Australian Security Intelligence Organisation, Attorney-General’s Guidelines in relation to the performance by the Australian Security Intelligence Organisation of its function of obtaining, correlating, evaluating and communicating intelligence relevant to security (including politically motivated violence) <www.asio.gov.au/About/Content/AttorneyAccountability.aspx> at 3 April 2008.

[57] Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199. This case is discussed in Ch 74. Law Council of Australia, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act, 22 December 2004.

[58] Australian Direct Marketing Association, Direct Marketing Code of Practice (2001), [6]. For further discussion of the Code see Ch 1.

[59] Ibid, sch E.

[60] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; CSIRO, Submission PR 176, 6 February 2007; AAMI, Submission PR 147, 29 January 2007; Confidential, Submission PR 143, 24 January 2007; Fundraising Institute—Australia Ltd, Submission PR 138, 22 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; K Pospisek, Submission PR 104, 15 January 2007.

[61] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007.

[62] Australian Retailers Association, Submission PR 131, 18 January 2007.

[63] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[64] Australian Privacy Foundation, Submission PR 167, 2 February 2007.