AustLII Home | Databases | WorldLII | Search | Feedback

Privacy Law and Policy Reporter

Privacy Law and Policy Reporter (PLPR)
You are here:  AustLII >> Databases >> Privacy Law and Policy Reporter >> 1997 >> [1997] PrivLawPRpr 5

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

Greenleaf, Graham --- "Standards and open procedures needed for Codes of Practice" [1997] PrivLawPRpr 5; (1997) 3(9) Privacy Law & Policy Reporter 174

Standards and open procedures needed for Codes of Practice

Extracts from Graham Greenleaf's submission on the Discussion Paper

Codes of practice play a key role in the Discussion Paper's proposals, as they should. They provide the necessary degree of both detail and (through modifications) flexibility in the application of necessarily broad principles to very varying organisations and practices.

Standards for modification of codes of practice Codes of practice will fulfil the general `exemption' function currently played in the Act by `public interest determinations' (which are now to be restricted to `one off' situations).

Since codes of practice are disallowable instruments (and therefore subject to legislative veto), it is not unreasonable that they should be able to modify the operation of the IPPs.

However, the extent to which codes can modify the application of the IPPs needs to be made more clear, by spelling out the standards that the Commissioner must apply in determining a modification:

The proposal that codes of practice should not be able to `limit or restrict' access rights is an unnecessarily inflexible approach, provided a general right of mediated access is accepted (as explained below). It is hard to see why there could be any justification for a code limiting correction rights, so inflexibility here probably does not matter very much.

Procedures for codes of practice

Procedures for the Commissioner to issue Codes after open consultation, and disallowance, are the key to acceptability of the whole approach of modification by Codes. The proposed Code-making procedures are generally appropriate, but have some striking deficiencies and incompleteness:

Publicity (or the prospect of it) is some antidote against industry groups seeking to take undue advantage of their lobbying skills and ability to apply concentrated resources on processes.

Any more fundamental change so that Codes become issued by Regulations (ie Ministers) -- as in the ill-fated proposed Bill in NSW in 1994 -- destroys the whole process and removes it to the realm of political lobbying behind closed doors and special pleading open only to powerful lobby groups.

Urgent Codes

When does an `urgent' Code come into force? `Urgency' may require something faster than 28 days. I assume that such Codes come into force at the date of publication. The Discussion Paper also does not specify that urgent Codes will be disallowable, but they obviously should be disallowable.

`One-off' exceptions (`Public interest determinations')

This proposal is confusing, because the requirements for both consent and overriding public interest seem inconsistent. Also, how can prior consent of (unknown) individuals be obtained in relation to future practices? `One off' seems to be limited to a single instance, not the unusual circumstances of a single business. Are they disallowable (as with current Public Interest Determinations)? The purpose of this proposal needs clarification.

Special provisions concerning credit reporting (Pt IIIA etc)

The Discussion Paper is silent on the effect of the extension of the Act on the existing provisions dealing with credit reporting -- but the credit industry is unlikely to remain silent.

Two policy objectives must be preserved in any proposals affecting Pt IIIA of the Act and associated sections (for example, s 18, s 18A):

(i) An appropriate balance of privacy interests in relation to credit reporting was exhaustively considered by Parliament in relation to the 1990 amendments to the Act, and there is no justification for change to those basic policy decisions. In effect, Parliament decided in detail what should be the content of a `code of conduct' for credit reporting. If it has imposed a somewhat more stringent standard than is now being imposed `across the board' on the private sector, that is of little account, as a code of practice may impose more stringent standards.

(ii) Provided that these Parliamentary-determined standards are preserved, there is no reason why the credit industry should be subjected to quite different procedures (including for remedies) than other parts of the private sector. To the extent that it is possible to bring credit reporting within the general approach to the private sector, this should be done.

These objectives could be reconciled by provisions that (i) allowed the Commissioner to develop a code of conduct which implemented the same legislative objectives as Pt IIIA; and (ii) made Pt IIIA not directly enforceable (but still extant as a legislative statement of objectives) once that code came into force, and allowed the Commissioner to revoke the existing s 18A Code.

In my view, if the substantive content of Pt IIIA is preserved, there is no need for the credit industry to be subject to different enforcement provisions from other private sector organisations. If the IPPs are generally to be enforced through civil rather than criminal sanctions, then credit information should have the same treatment.

Medical research guidelines -- repeal of s 95 proposed

An anomaly of longer standing in the Privacy Act is the special position of medical research under s 95, where the National Health and Medical Research Council (NH&MRC), not the Privacy Commissioner, issues guidelines which are in effect a Code of Practice modifying the IPPs. These guidelines only affect acts done by agencies, but once the Act is extended to the private sector, there will be a need for a Code of Practice for medical research concerning information held by private sector doctors, hospitals and others. The Privacy Commissioner will also be involved in many other non-research uses of medical records.

Since the NH&MRC is not being given any general Code-making powers concerning medical records, it would seem an appropriate time to simply bring medical research within the normal provision for a Code of Practice. I suggest that s 95 be repealed and replaced by a provision which says that the Commissioner will issue a Code of Practice concerning medical research, and that the existing NH&MRC guidelines will cease to be of effect when this occurs.

AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback