Privacy Law and Policy Reporter
Copies of the Code are available from the Asia-Pacific Smart Card Forum (Deborah Stanley, (06) 247 4655), The Department of Industry, Science & Technology (Pasqualino Strangis, (06) 276 1995 or (02) 209 4012), and The Warren Centre (Rod Galloway, (02) 351 3752).
The key provisions of the draft that relate to privacy issues are reproduced below.
1.1 'Consent' means any freely-given specific and informed indication of wishes by which the cardholder signifies agreement.
'Minimal Data Requirement' means the principle requiring the minimal collection of personal data as established in cl 2.1.
'Personal data' means any personal information relating to a cardholder which will or may directly disclose the identity of the cardholder.
6.1 Code Subscribers must observe the 'minimal data requirement' principle. The requirements of this principle are:
(a) the data must be adequate, relevant and not excessive in relation to the purposes for which it is processed;
(b) the purposes must be explicit and legitimate and must be determined at the time of the collection of the data;
(c) the purposes of processing data after collection must be compatible with the purposes that are specified by the Code Subscriber;
(d) data must be accurate and, where necessary, kept up-to-date;
(e) every reasonable step must be taken to ensure that data which is inaccurate or incomplete, having regard for the purposes for which it was collected or for which it is further processed, is erased or rectified;
(f) data will be kept in a form which permits identification of cardholders for no longer than is necessary for the purposes for which the data was collected or for which it is further processed or as required by law;
(g) Code Subscriber staff must be trained to observe the requirements of these principles.
6.2 Code Subscribers must:
(a) ensure cardholder records are kept confidential;
(b) ensure no person other than an employee or agent of the Code Subscriber, the cardholder or any other person authorised by the cardholder may have access to personal data without the cardholder's explicit consent;
(c) ensure suitable security systems are installed to prevent access to personal data of a consenting cardholder by anyone other than an employee or agent of the Code Subscriber;
(d) only lawful means are used to collect data;
(e) ensure that on request it provides a cardholder with the personal data relating to that cardholder held by that Code Subscriber;
(f) correct personal data as requested by a cardholder.
6.3 Despite paragraphs 6.2(a) and (c) a Code Subscriber may disclose personal data relating to an associated service provider which has:
(a) a need to know the personal data for the purpose of fulfilling its contractual obligations to the Code Subscriber but for no other purposes;
(b) agreed to keep the personal data confidential;
6.4 Nothing in cl 6.2 prevents:
(a) disclosure compelled by law;
(b) disclosure made with the consent of the cardholder.
6.5 Where appropriate a Card Principal must provide a cardholder or prospective cardholder with:
(a) smart card application procedures, and the personal information required from cardholders to fulfil application procedures;
(b) the Card Principal's obligations regarding confidentiality of information relating to the cardholder;
(c) advice that personal data of the cardholder will not be disclosed without the cardholder's consent;
(d) complaint handling procedures;
(e) fees or charges for a service or additional service;
(f) the need for a cardholder to advise promptly when a card has been lost or stolen;
(g) the procedures for cardholder's review of personal data.
6.6 A Card Principal shall provide a cardholder or prospective cardholder upon request with general descriptive information about the personal data requirements of personalised smart cards and the options available to the cardholder or prospective cardholder under legislation.
6.7 If a Card Principal intends to introduce a fee or a charge (other than a government charge), the Card Principal must provide written notice of the charge to each affected cardholder.
10.1 Complaints that a Code Subscriber has not observed a provision of the Code (Complaint) may be made by:
(a) a Code Subscriber; or
(b) a cardholder, (Complainant) to the Executive Officer of the Smart Card Forum or the Code Subscriber about whom the complaint is made.
10.2 If a complaint is made to the Smart Card Forum the Executive Officer must refer the complaint to the Code Subscriber.
10.3 If a complaint is made to the Code Subscriber or referred by the Executive Officer the following provisions apply:
10.4 In the first instance:
(a) a senior staff member of the Code Subscriber must investigate the complaint and if appropriate, propose a course for resolution;
(b) the Code Subscriber must advise the Complainant in writing:
(i) the measures taken to investigate the complaint
(ii) its view of the complaint;
(iii) if appropriate, the proposed course for resolution of the complaint.
10.5 If the Complainant does not accept the proposed course for resolution of the complaint it may require the Code Subscriber to enter into a mediation procedure.
10.6 If the Complainant makes a request under cl 10.5 the Code Subscriber must request the Smart Card Forum to appoint a mediator to attempt to resolve the dispute.
10.7 The Smart Card Forum will appoint a mediator from a panel of mediators maintained by the Smart Card Forum.
10.8 The costs of the mediation will be borne by the Code Subscriber.
10.9 If the mediation is unsuccessful in resolving the dispute the Complainant may request Smart Card Forum to institute sanctions procedures.
11.1 If a request is made under 10.9 the Executive Officer must:
(a) obtain particulars of the complaint in writing;
(b) make such other inquiries considered appropriate; and
(c) if the Executive Officer considers the complaint is trivial, frivolous, vexatious or does not relate to a breach of the Code, decide to take no further action; or
(d) send particulars of the complaint to the Code Subscriber and ask that Code Subscriber to comment on the complaint within 14 days.
11.2 In its reply to a request under 11.1(d) the Code Subscriber may:
(a) deny the accuracy of the complaint; or
(b) admit the breach and advise the Executive Officer of measures it is taking to rectify the breach and ensure non-repetition.
11.3 If the Executive Officer is not satisfied with the Code Subscriber's reply, the Executive Officer may notify the Code Subscriber that the matter is to be referred to the Sanctions Committee ('the Sanctions Notice').
11.4 The Sanctions Committee shall consist of three people appointed by the Board.
11.5 The Sanctions Notice must contain:
(a) particulars of the sections of the Code which are alleged to be breached;
(b) particulars of the complaint on which reliance is placed;
(c) the date on which the complaint will be heard; and
(d) particulars of the sanctions that may be applied under this clause.
11.6 If the Sanctions Committee finds a Code Subscriber has breached the Code it may:
(a) find the breach requires no action to be taken;
(b) reprimand the Code Subscriber;
(c) suspend the Code Subscriber from the Smart Card Forum or Code Membership for a specified period; or
(d) expel the Code Subscriber from membership of Smart Card Forum or Code Membership.
11.7 Complaints against Code Subscribers shall be dealt with in confidence except in so far as it is necessary to divulge material for the purpose of obtaining information of assistance for the purpose of the inquiry, but the Sanctions Committee may publish its findings and any sanction imposed as it sees fit.
11.8 Legal representation before the Sanctions Committee may only be permitted by the Sanctions Committee in those exceptional circumstances when that Committee considers it necessary to do so to accord the parties natural justice.