Part IIIAA Privacy codes

48.2 When bringing organisations within the ambit of the Privacy Act, Parliament decided to adopt a co-regulatory approach. It established a framework in which organisations are able to develop specialised codes for the handling of personal information which, when approved, replace the National Privacy Principles (NPPs).[1] This approach was ‘designed to allow for flexibility in an organisation’s approach to privacy, but at the same time, guarantees consumers that their personal information is subject to minimum standards that are enforceable in law’.[2]

Commissioner’s powers in relation to codes

48.3 Part IIIAA sets out provisions on privacy codes. Generally, the Commissioner has the power to:

  • approve privacy codes and variations of approved privacy codes and to revoke those approvals;[3]
  • review the operation of approved privacy codes;[4]
  • prepare and publish guidelines about the development, approval and variation of privacy codes, and about complaint-handling processes under codes;[5]
  • act as an adjudicator under an approved privacy code where the Commissioner has been appointed as the independent adjudicator under that code;[6] and
  • consider applications for review of determinations of adjudicators (other than where the Commissioner is the adjudicator) in relation to a complaint.[7]

Requirements for codes

48.4 The content of a code must meet set standards. In particular, a code must incorporate all of the NPPs or set out ‘obligations that, overall, are at least the equivalent of all the obligations set out in those Principles’.[8] Subscription to a code is voluntary. Codes must specify the organisations to which they apply, and may be approved even where they apply for a limited period or to a specified activity or industry sector.[9] If a code sets out procedures for making and dealing with complaints, these processes must comply with the Commissioner’s guidelines and the prescribed standards.[10]

48.5 Codes are legislative instruments under s 5 of the Legislative Instruments Act 2003 (Cth). A privacy code approved under Part IIIAA, however, is not subject to disallowance by Parliament.[11] As at April 2008 there were three codes listed on the Register of Approved Privacy Codes on the website of the Office of the Privacy Commissioner (OPC) and two code applications are being considered by the OPC.[12]

Code development process

48.6 Before the Commissioner can approve a code, he or she must be satisfied that members of the public have been given an adequate opportunity to comment on a draft of the code.[13] This requirement for public consultation is just one part of the process involved in developing a code. The Guidelines on Privacy Code Development (Code Guidelines) issued by the OPC in 2001 set out the detailed process involved in making a privacy code, including requirements in relation to NPP equivalence, explanatory material, coverage, voluntary membership, code review and drafting standards. In deciding whether to approve a privacy code, the Commissioner may consider the matters specified in the Code Guidelines.[14]

48.7 Following various comments from stakeholders about the complex and costly code approval process, the OPC review of the private sector provisions of the Privacy Act (OPC Review) recommended that the OPC review the Code Guidelines with a view to simplifying them.[15]

48.8 In the Issues Paper, Review of Privacy (IP 31), the ALRC asked whether the provisions for approving privacy codes were appropriate and effective, whether privacy codes were an appropriate method of regulating and complying with the Act, and why privacy codes had been so little used.[16]

48.9 The OPC submitted that, ‘given the lack of take up in codes and the revocation of the only code that established its own complaint handling process, it is reasonable to conclude that the code making provisions have not been highly successful in their current form’.[17] The OPC raised several issues with codes, one being that there is tension between the concept of national consistency and industry privacy codes, in that a proliferation of industry codes may increase the complexity and fragmentation of privacy regulation. The OPC also noted that it had not derived any significant efficiency benefits from codes, as the Commissioner remains the complaint-handling body. This, in turn, raises the risk that the OPC’s compliance role will become increasingly complex and cumbersome, as complaint staff will have to apply different sets of principles to different complaints.[18]

Submissions and consultations

48.10 In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC identified support in submissions and consultations for the scope for co-regulation provided by Part IIIAA of the Privacy Act.[19] Particular issues with the current code provisions were identified by stakeholders, however, including that the current provisions for voluntary codes added to the complexity of the privacy regime;[20] and that the code-making process was resource intensive, with little identifiable benefit.[21]

48.11 The OPC submitted that the code provisions needed to be amended to take into account interests of efficiency and national consistency, suggesting that codes should operate in addition to the privacy principles, rather than replacing them.[22] The privacy principles would then apply as a base standard across the community (supporting national consistency) and codes would provide specific and binding guidance on how the principles should be applied in particular sectors. Other stakeholders also supported the idea that codes could prove useful in interpreting the application of privacy principles in the context of specific sectors or technologies.[23]

48.12 In DP 72, the ALRC proposed that the Privacy Act should be amended to specify that privacy codes approved under Part IIIAA operate in addition to the proposed UPPs and do not replace those principles. The ALRC also proposed that the Act should be amended to state that a privacy code may provide guidance or standards on how any one or more of the proposed UPPs should be applied, or are to be complied with, by the organisations bound by the code, provided such guidance or standards contain obligations that are at least equivalent to those under the Act.[24]

48.13 The majority of stakeholders who commented on this proposal supported it.[25] The Association of Market and Social Researcher Organisations and the Australian Market and Social Research Society agreed that:

the role of Codes is to provide various industry sectors with greater clarity in respect of the particular nuances and information handling practices of the industry, enabling organisations to operate with certainty and reduce the risk of a legal challenge and material threat to the business. In contrast, application of the NPPs may not always be obvious. This has certainly been the experience in the market and social research industry. Moreover, as mentioned above, such industry codes allow a given industry voluntarily to raise the bar, affording greater protection to the public.[26]

48.14 The Public Interest Advocacy Centre (PIAC) agreed that the privacy principles should operate as the base standard, with codes simply filling in detail where necessary. In PIAC’s view, this will ensure that the privacy principles are not undermined, and will ‘reduce fragmentation, complexity and confusion in privacy regulation’.[27] The Department of Human Services submitted that enabling privacy codes to operate in conjunction with, rather than instead of, the UPPs, will lead to a consistent understanding and implementation of the Privacy Act requirements—particularly by small businesses who have limited resources available for compliance issues. The Department argued that the proposed reform also will assist health and social services providers in better understanding, and complying with, relevant privacy requirements.[28]

48.15 The Cyberspace Law and Policy Centre stressed that consultation with all stakeholders is important if the code process is going to deliver benefits. While Part IIIAA contains requirements for consultation, in the Centre’s experience, the consultation process in developing codes to date has been inadequate.[29]

48.16 GE Money Australia expressed concern that the ALRC’s proposal further complicated the layers of regulation that may apply to an organisation.

It would, under the proposal, be possible for an organisation to be bound by the UPPs in addition to a Privacy Code, Regulations made under the Act that may provide more or less onerous obligations than under either the Act or the Code, Binding Rules issued by the Privacy Commissioner as well as needing to refer to the very extensive guidance that is to be issued by the Office of the Privacy Commissioner. It is suggested that this has the potential to be a very complex matrix of potentially overlapping obligations.[30]

ALRC’s view

48.17 One of the consistent themes discussed by stakeholders in this Inquiry is the need to promote national consistency and to reduce fragmentation, complexity and confusion in privacy regulation. In support of this goal, codes should operate in addition to the privacy principles, rather than replacing them. At all times the privacy principles should operate as the base standard for agencies and organisations subject to the Privacy Act. Consistent with the ALRC’s recommended regulatory model, set out in Chapter 4, the privacy principles should be able to be displaced only through subordinate legislation and public interest determinations. As outlined above, the ALRC has received substantial support for this view in submissions to this Inquiry.

48.18 Codes could facilitate an understanding of, or compliance with, the UPPs by an organisation bound by the code. This would resemble the operation of codes in New Zealand.[31]

48.19 Under this model, the guidelines contained in a code must impose obligations equivalent to those imposed by the relevant privacy principle. This relationship between the principles and the guidelines in a code can be illustrated as follows. A real estate industry code could prescribe an exhaustive list of information that can be considered ‘necessary’, under the ‘Collection’ principle, to collect in a tenancy application process.[32] By specifying particular types of information as those necessary to collect in a tenancy application form, the guidelines would contain equivalent obligations to the principle, as both require that only information that is necessary be collected. The code, however, would provide more detailed guidance than the principle and would assist real estate agencies to meet the policy outcome set by the principle.

Recommendation 48-1 Part IIIAA of the Privacy Act should be amended to specify that a privacy code:

(a) approved under Part IIIAA operates in addition to the model Unified Privacy Principles (UPPs) and does not replace those principles; and

(b) may provide guidance or standards on how any one or more of the model UPPs should be applied, or are to be complied with, by the organisations bound by the code, as long as such guidance or standards contain obligations that, overall, are at least the equivalent of all the obligations set out in those principles.

[1] Privacy Act 1988 (Cth) s 16A. The code may also cover exempt acts or practices: s 18BAA.

[2] Office of the Federal Privacy Commissioner, Guidelines on Privacy Code Development (2001), 16. See also the comments made in the Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), 19.

[3] Privacy Act 1988 (Cth) s 27(1)(aa).

[4] Ibid s 27(1)(ad). Review occurs under s 18BH.

[5] Ibid s 27(1)(ea).

[6] Ibid s 27(1)(ac).

[7] Ibid s 27(1)(ae). See also s 18BI.

[8] Ibid s 18BB(2)(a).

[9] Ibid ss 18BB(2)(b)–(c), (6)–(7).

[10] Ibid s 18BB(3)(a).

[11] Legislative Instruments Act 2003 (Cth) s 44(2), item 44; Legislative Instruments Regulations 2004 (Cth) sch 2 cl 8. Note that an approval of a variation of a privacy code, a revocation of an approval of a privacy code, or a revocation of a variation of a privacy code are also legislative instruments that are not subject to disallowance: Legislative Instruments Act 2003 (Cth) sch 2 cls 8A, 8B.

[12] Codes in operation as at April 2008 were the Market and Social Research Privacy Code, administered by the Association of Market Research Organisations; the Queensland Club Industry Privacy Code, administered by Clubs Queensland; and the Biometrics Institute Privacy Code, administered by the Biometrics Institute. There was a fourth code approved by the Privacy Commissioner (the General Insurance Information Privacy Code), which was revoked on 30 April 2006. Code applications being considered by the OPC as at April 2008 were the Australian Casino Association Privacy Code and the Internet Industry Privacy Code. See Office of the Privacy Commissioner, Privacy Codes <www.privacy.gov.au/business> at 23 April 2008.

[13] Privacy Act 1988 (Cth) s 18BB(2)(f).

[14] Ibid s 18BB(4).

[15] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 47. See also discussion about codes at 166–171.

[16] See Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 6–20.

[17] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[18] Ibid.

[19] Australian Government Department of Employment and Workplace Relations, Submission PR 211, 27 February 2007; Fundraising Institute—Australia Ltd, Submission PR 138, 22 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007.

[20] National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[21] Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[22] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[23] See, eg, Australian Direct Marketing Association, Submission PR 298, 29 June 2007.

[24] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 44–9.

[25] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Federation of Community Legal Centres (Vic), Submission PR 509, 21 December 2007; Association of Market and Social Research Organisations and Australian Market and Social Research Society, Submission PR 502, 20 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Youth Affairs Council of Victoria Inc, Submission PR 388, 6 December 2007.

[26] Association of Market and Social Research Organisations and Australian Market and Social Research Society, Submission PR 502, 20 December 2007.

[27] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[28] Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[29] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[30] GE Money Australia, Submission PR 537, 21 December 2007.

[31] See Privacy Act 1993 (NZ) s 46(2)(b).

[32] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.