Binding codes

48.20 The Commissioner cannot initiate a privacy code and cannot make a code binding on organisations that do not consent to be bound. The issue of binding codes was discussed in detail in the OPC Review. Stakeholders submitted that the Commissioner should have the power to formulate and impose binding codes even where an organisation does not consent to being subject to a code. It was argued that this would be one way of solving systemic issues in privacy compliance.[33] Although support for this proposition was not universal, the OPC recommended that the Australian Government consider amending the Privacy Act to give the Commissioner the power to make binding codes and suggested a number of models for the power.[34] These models are discussed below.

48.21 The Senate Legal and Constitutional Reference Inquiry into the Privacy Act also considered binding codes, and noted the explanation given by the Commissioner on the difference between privacy codes approved under Part IIIAA and the OPC Review’s proposal for binding codes:

The idea of the binding codes that [the OPC has] suggested is to come up in other areas where perhaps they were not going to be voluntary. The NPP codes are developed on a voluntary basis. The ones that were binding could possibly be done for technology, or for an industry that was not working as well—perhaps the tenancy database area.[35]

48.22 The New Zealand Privacy Commissioner has the power to issue binding codes of practice that become part of the law.[36] The codes may modify the application of one or more of the information privacy principles by prescribing: standards that are more or less stringent than the standards prescribed by the principle; or how any one or more of the principles are to be applied, or are to be complied with.[37] The codes also may modify the operation of the Privacy Act 1993 (NZ) for specific industries, agencies, activities or types of personal information.[38] The Privacy Commissioner may issue a code of practice on his or her initiative. In addition, a body representing the interests of a particular class of agency, industry or profession may apply to the Privacy Commissioner for a code of practice to be issued.[39]

Prescribed industry codes under the Trade Practices Act

48.23 One of the models put forward by the OPC for a binding code power was Part IVB of the Trade Practices Act 1974 (Cth) (TPA). Under the TPA, the Minister has the power to prescribe an industry code of conduct in the regulations.[40] The regulations declare the industry code to be a mandatory industry code or a voluntary industry code. A prescribed mandatory code of conduct is binding on all industry participants.[41] The Act makes the codes enforceable by prohibiting a corporation, in trade or commerce, from contravening an applicable industry code.[42]

48.24 At a practical level, formal proposals for TPA codes are initiated at the ministerial level, ‘following representations from industry participants, consumers or government authorities about problems in a particular industry’.[43] As the regulator under the TPA, the Australian Competition and Consumer Commission is responsible for promoting compliance with codes by providing education and information and, where necessary, by taking enforcement action. Since the introduction of these provisions in 1998, three mandatory codes of conduct have been prescribed under the TPA.[44]

Industry codes and standards in the Telecommunications Act

48.25 Another model put forward by the OPC was Part 6 of the Telecommunications Act 1997 (Cth). Under this Act, bodies and associations that represent sections of certain industries may develop industry codes, which may be registered by the Australian Communications and Media Authority (ACMA). Compliance with the code is voluntary unless otherwise directed by ACMA.[45] In addition, ACMA can request a body or association to develop an industry code.[46] If the request is refused or the code prepared following a request is not registered by ACMA, or if an existing code is deficient, ACMA may determine an ‘industry standard’.[47]

48.26 In making an industry standard, ACMA must be satisfied that it is necessary or convenient for it to determine a standard in order to: provide appropriate community safeguards in relation to the matter; or otherwise regulate adequately participants in that section of the industry.[48] Compliance with an industry standard is mandatory; each participant in the section of an industry to which the standard applies must comply with the standard.[49] Breach of a standard is subject to a civil penalty and ACMA may issue a formal warning if a person contravenes an industry standard registered under Part 6.[50] An industry standard is a disallowable instrument and the Act specifies that ACMA must consult with members of the public, consumer bodies and relevant regulators before determining or varying an industry standard.[51]

Submissions and consultations

48.27 In IP 31, the ALRC asked whether the Commissioner should have the power, on his or her initiative, to develop and impose a binding code on agencies or organisations.[52] In response, a few stakeholders argued that the Commissioner should have such a power.[53] Stakeholders, including the OPC, suggested that such a power would be a useful means of addressing systemic privacy issues. This view was not unanimous, however, and other stakeholders did not think a binding code-making power would be appropriate in a light-touch regime such as the Privacy Act.[54]

48.28 In DP 72, the ALRC proposed that the Commissioner be empowered to request the development of a privacy code to be approved by the Commissioner pursuant to s 18BB of the Privacy Act; and to develop and impose a privacy code that applies to designated agencies and organisations.[55]

48.29 In response to DP 72, there continued to be strong support among stakeholders for a binding code-making power.[56] Anglicare Tasmania submitted that under the current system—given that the development of a code can only be initiated by the industry concerned—it is highly unlikely that an industry that was not complying with the Privacy Act would take the step of initiating the development of a code. For this reason, Anglicare Tasmania supported giving the Commissioner the power to issue binding codes when there are systemic problems within a particular industry and the industry itself is reluctant to address them.[57]

48.30 PIAC submitted that the ability to develop binding codes would enable the Privacy Commissioner to take a more proactive role in privacy regulation where there is a need for detailed regulation of specific sectors or for specific technologies. It noted, however, that it would be essential to ensure that the Privacy Commissioner is funded adequately for this task.[58]

48.31 A number of stakeholders cautioned against creating another level of regulation in industries where there was already a high compliance burden. The Australasian Compliance Institute, for example, stated:

The financial services industry has adopted various legally or contractually enforceable codes, such as the EFT Code of Conduct, the Code of Banking Practice, Financial Planners Code of Ethics and Rules of Professional Conduct, General Insurance Code of Conduct and IFSA Membership Standards. Existing codes embrace privacy considerations and privacy issues in the context of the industry or conduct it is seeking to regulate. Introducing additional industry codes would create multi-layered regulation, increasing the compliance burden on industry. It could impose additional cost and resources in training staff on the various codes and could lead to staff and customer confusion.[59]

48.32 It was also argued that the imposition of industry, organisation or agency specific codes would complicate privacy laws and impose unduly onerous obligations on some organisations. In the view of some stakeholders, the UPPs alone should set out the information-handling standards to which agencies and organisations should adhere.[60]

ALRC’s view

48.33 As discussed in Chapter 4 and above, the ALRC’s approach to reform of the Privacy Act retains the ability of organisations and industries to flesh out the requirements of the privacy principles in voluntary privacy codes approved by the Privacy Commissioner under Part IIIAA.

48.34 As has been noted throughout this Report, a key goal of the ALRC’s recommendations is to reduce the complexity of Australia’s privacy regulation. Although many submissions supported the inclusion of a binding code-making power, the ALRC shares the concerns raised by other stakeholders that empowering the Commissioner to initiate a binding code could result in multiple levels of regulation, and lead to confusion and fragmentation of the federal privacy regime. The ALRC therefore does not recommend that a binding code-making power be included in the Act.

48.35 The ALRC’s recommended regulatory model does, however, accommodate industry-developed regulations that would allow for a particular sector or technology to derogate from the UPPs. These would not be approved under Part IIIAA, as privacy codes under the current and recommended Part IIIAA code provisions cannot derogate from the principles. Instead, these codes would be prescribed following the model in the TPA. Under this model, the relevant minister can prescribe an industry code of conduct which is passed by Parliament in the regulations, using the ALRC’s recommendation for a regulation-making power. The regulations could declare the industry code to be a mandatory industry code, and binding on all industry participants.[61]

[33] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 145.

[34] Ibid, recs 7, 44. See related recommendations in recs 16, 73. For a discussion about models, see Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 46–47.

[35] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), 97–98.

[36] Privacy Act 1993 (NZ) pt 6. Note the Privacy Commissioner in NSW has similar powers to initiate binding privacy codes: Privacy and Personal Information Protection Act 1998 (NSW) pt 3 div 1.

[37] Privacy Act 1993 (NZ) s 46(2).

[38] Ibid s 46(3).

[39] Ibid s 47.

[40] Trade Practices Act 1974 (Cth) pt IVB.

[41] Ibid s 51AE.

[42] Ibid s 51AD.

[43] J Hockey, Prescribed Codes of Conduct: Policy Guidelines on Making Industry Codes of Conduct Enforceable under the Trade Practices Act 1974 (1999) Australian Government Treasury, 6.

[44] See Trade Practices (Industry Codes – Franchising) Regulations 1998 (Cth); Trade Practices (Industry Codes – Oilcode) Regulations 2006 (Cth); Trade Practices (Horticultural Code of Conduct) Regulations 2006 (Cth).

[45] Telecommunications Act 1997 (Cth) s 121.

[46] Ibid s 118.

[47] Ibid ss 123, 125.

[48] Ibid s 123(1)(c).

[49] Ibid s 128.

[50] Ibid s 129.

[51] Ibid ss 132–135A.

[52] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 6–20.

[53] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Privacy NSW, Submission PR 193, 15 February 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007.

[54] Australian Government Department of Employment and Workplace Relations, Submission PR 211, 27 February 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[55] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 44–10.

[56] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Veda Advantage, Submission PR 498, 20 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007.

[57] Anglicare Tasmania, Submission PR 514, 21 December 2007. This view was shared by the Australian Lawyers Alliance: Australian Lawyers Alliance, Submission PR 528, 21 December 2007.

[58] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[59] Australasian Compliance Institute, Submission PR 419, 7 December 2007. See also Investment and Financial Services Association, Submission PR 538, 21 December 2007; National Australia Bank, Submission PR 408, 7 December 2007.

[60] Australian Direct Marketing Association, Submission PR 543, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Confidential, Submission PR 536, 21 December 2007.

[61] This model of adopting regulations which derogate from the UPPs is recommended by the ALRC in relation to credit reporting information and health information. See Chs 54, 60.