Privacy Law and Policy Reporter
This is the latest in a series looking at developments in relation to codes of practice and their role in privacy regulation.
The Privacy Commissioner re-issued his Code Development Guidelines in September <www.privacy.gov.au>. The Guidelines appear to have benefited from the consultation period in that they are more concise and have dropped some unnecessary requirements, but it remains clear that the process for developing and gaining approval for a Code under the Privacy Act 1988 (Cth) will be time consuming, costly and onerous — as it should be for establishing a partial alternative to statutory regulation.
Most industry groups are still deciding whether or not to seek approval for codes of practice under the Privacy Act. The last minute inclusion of a right of appeal from decisions of code adjudicators to the Privacy Commissioner (s 18BI) has removed one of the major advantages of a code. The only real advantage that remains is the ability of existing ADR schemes to continue to provide a ‘one stop shop’, and this is more a consumer benefit than an advantage for organisations.
It appears the Insurance Council is still keen to submit the General Insurance Information Privacy Principles, now re-drafted as a code and circulated for industry comment, although the commitment of member insurers — most of whom have not yet adopted the earlier Principles — remains suspect. The Australian Direct Marketing Association is still considering whether to submit their existing code which went through the lengthy and ‘painful’ ACCC approval process only two years ago. The Australian Bankers Association is also considering whether to submit a code to allow the Banking Industry Ombudsman to continue to handle privacy complaints, and the Australian Communications Industry Forum Privacy Advisory Committee continues to discuss the merits and practicality of the Telecommunications Industry Ombudsman becoming a code adjudicator, and the complexity of the relationship between the privacy and telecommunications regimes and the existing ACIF Customer Personal Information Code.
The other ‘existing’ Code under consideration for Privacy Act registration is the Internet Industry Association Code, a new version of which was launched in August <www.iia.net.au/privacy.html>, although this does not include a code adjudicator — it proposes that complaints be handled by the Privacy Commissioner under the default scheme. The draft IIA Code is interesting in that it has two versions — one meeting the minimum standards required by the court, and the other ‘optional’ version purporting to meet the ‘adequacy’ criteria of the European Union in relation to its Data Protection Directive.
The Commonwealth Privacy Act now contains two indirect references to codes of practice which can have the effect of ‘relieving’ organisations from certain obligations.
The first is in the media exemption (s 7B(4)) which exempts a ‘media organisation’ engaging in ‘journalism’, but only if the organisation is publicly committed to observing published media specific privacy standards. It is expected that media businesses will seek the benefit of this exemption on the basis of existing codes of practice such as the Press Council’s Statement of Principles (cl 3 of which requires respect for privacy), the various Broadcasting Codes, and the Australian Journalists’ Association Code of Ethics (see cl 11). But these existing codes do not come anywhere near covering the same ground as the National Privacy Principles, and this will leave media organisations open to challenge.
The other ‘waiver’ role for codes in the Privacy Act is in Principle 10 concerning ‘Sensitive data’. Collection of health information without consent is permitted for health care and for research, management and monitoring purposes in certain circumstances, with one of the conditions being that the information is collected ‘in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind [the collecting] organisation’ (NPP 10.2 and 10.3). The Privacy Commissioner’s draft Health Privacy Guidelines contain the startling assertion that the Commissioner is not aware of any existing rules that would satisfy this requirement (p 37). The Guidelines emphasise the need for any rules to be not only issued by a competent body but also to be binding.
In respect of health research, there is an alternative route via guidelines approved by the Commissioner under s 95A of the Act, which can cover both use and disclosure otherwise in breach of NPP 2.1, and collection otherwise in breach of NPP 10.
The NSW Privacy Commissioner, Chris Puplick, has now ‘made’ 11 codes of practice, with a further 25 either under consideration or proposed (these include some duplication, with different agencies seeking the same waivers). The codes range from the fairly trivial (for example, allowing disclosures without consent where a person is being considered for an honour or award) to the highly significant, such as the regime for data transfers to other jurisdictions. Speaking at a recent conference, Puplick attributed the need for so many Codes partly to the poor drafting of the Act, which in turn is due to the messy history and introduction of the law. Some common themes seem to be emerging from the applications, such as the need in many circumstances for collection from third parties — contrary to the surprisingly ‘tough’ Principle 2 (s 9). Further details of the Codes are available on the Privacy NSW website <www.lawlink.nsw.gov.au>. The Commissioner has reached an agreement with the Office of Parliamentary Counsel for Counsel to draft future codes to legislative instrument standard — leaving the few Privacy NSW staff more free to focus on the policy issues.
Nigel Waters, Associate Editor.