Privacy Law and Policy Reporter
The following is an extract from a speech by the Commonwealth Privacy Commissioner to the Life Insurance and Superannuation Association (LISA) — Second Annual Summit, 23 May 1997, ‘Developments in Privacy Related Reforms — How will these impact on the Life Insurance and Superannuation Industry?’
The Commissioner’s general approach to the development of voluntary privacy codes is set out in her accompanying article on the roles of a Privacy Commissioner. This article expands on the specifics of code development.
Sub-headings have been added and amended (Editor).
From my most recent consultations there are of course immediate concerns which come to mind.
These are the challenges confronting my office as well as industry and consumer organisations at the moment.
We are fortunate to have a wealth of experience and material to draw from in developing privacy protection standards for the private sector. International standards set down in the OECD guidelines and the European Union Directive, for example, were drafted to cover both the public and private sector. Most of the 15 members of the EU already have laws covering the private sector (these are Austria, Belgium, Denmark, Finland, France, Germany, Ireland, Italy, Luxembourg, the Netherlands, Spain, Sweden and the UK). The other two EU members (Greece and Portugal) will have legislation by October next year. In addition, outside Europe, Hong Kong, NZ, Taiwan and Canada have developed standards which apply to the private sector.
New Zealand has had a Privacy Act in place since 1993 which covers both public and private sectors. A number of you would be familiar with it. The NZ Act contains a set of privacy principles, with the option for the Privacy Commissioner to issue a Code of Practice where this is required to meet the different needs of particular industries, organisations or professions or for specified information or activities.
The Canadian experience demonstrates the advantages of involving business, consumer groups and government from the very early stages of the consultation process. In March last year, a National Standard of Canada entitled Model Code for the Protection of Personal Information was issued, and the Canadian Federal Government is now proposing that the model code should form the basis of a statutory regime. The standard was developed in consultation with a large number of private and public sector representatives. The advantage of this kind of process, from the perspective of the private sector, is that input from industry was considered an essential part of the process from day one. As a result, if, or when, the legislation is put in place, it will be in a form which has already incorporated many of the major concerns of business.
Based on my earlier discussion of consumers’ expectations and current privacy standards, it should be evident that any ‘best-practice’ approach to handling personal information should be in a manner which is open and transparent. From the first point at which a customer’s information is collected, they need to know what their information will be used for, who will have access to it and who it may be passed on to.
I am open to discussion and consultation as to what voluntary standards should apply and how they could be implemented, but there are a number of factors which I consider to be particularly important if any standards are going to be really effective and not simply add to the burden of red tape for business. These are:
They should be as uncomplicated and cost-effective as possible — to benefit both consumers and businesses. Some argue that the cost for small business of implementing national privacy regulation will be an unnecessary burden. However, I am not sure that this is the case. It seems to me that businesses may in fact face greater costs if they are required to work within a patchwork of industry codes and State legislation. It would no doubt be difficult to undertake an accurate cost-benefit analysis of different schemes of privacy protection, but nonetheless, I think that there are significant arguments which favour a nationally consistent privacy protection scheme as representing the simplest and most cost-effective method of providing privacy protection for consumers and certainty for the private sector.
They should provide a workable complaints mechanism. The issue of whether complaints should be dealt with by industry bodies or government needs to be addressed. At the moment I can see strong arguments in favour of encouraging complaints to be addressed by industry bodies in the first instance, and only if the complaint could not be resolved at that level, or the individual had a reason for not wanting to deal with the industry body, would complaints be dealt with by a government body such as my office.
Voluntary standards must be flexible and broad enough to apply across a range of sectors and at the same time provide strong enough protection for individuals. There is a need to look at whether a national standard should be supported by many separate industry codes, or whether exceptions in certain circumstances should be permitted under the national standard.
They should be consistent with developments by State governments, and with developments in the Privacy Act. For example, it appears that the coverage of the Privacy Act is likely to be extended following the Government’s decision to outsource information technology services. The Minister for Finance has announced that privacy would be protected using contractual guarantees and through amendment to existing privacy legislation.
They should meet the minimum standards of the EU Directive on the processing of personal data. This Directive, adopted by the European Union in 1995, requires all its members to pass laws which protect individuals’ right to privacy and which promote the free flow of personal data within the European Union (EU). The members must also pass laws which restrict data being passed on to countries outside the EU unless those countries can ensure an adequate standard of privacy protection. This is a strong argument in favour of Australia ensuring that it has privacy protection standards which reflect the level of international best practice.
Moira Scollay, Commonwealth Privacy Commissioner.