Privacy Law and Policy Reporter
Codes of practice have become an almost mandatory feature of privacy and data protection laws around the world. But they can of course take many forms, and have very different ‘status’ and purposes. At one extreme, there are statutory codes which form part of the law, one example being the Code of Conduct for Credit Reporting issued by the Privacy Commissioner under Part IIIA of the Privacy Act 1988. At the other end of the spectrum are codes of practice developed and issued by industry bodies as a ‘token’ form of self-regulation, with no effective supervision, monitoring or enforcement processes — see Bob Gellman’s critiques of the BBB Online and TrustE programs in the US in (2000) 7 PLPR 118 and 145. The pros and cons of codes of practice are concisely summarised in the New Zealand Privacy Commissioner’s 1998 review of the NZ Privacy Act 1993.
This regular column will monitor the development of privacy codes of practice, with particular emphasis on those in Australia, New Zealand and the Asia Pacific region more generally.
The position is complicated by the inconsistent and overlapping terminology — some instruments are called guidelines but have binding force as part of the law, while many so-called codes are purely voluntary. For the purposes of the column, privacy codes are defined as instruments which set out to regulate the behaviour of organisations in the way in which they handle personal information; in other words, they have to be more than simply advisory or guidance status. There are also other instruments under privacy laws which have binding effect, such as Public Interest Determinations under the Commonwealth Act, and Directions under the NSW Privacy and Personal Information Protection Act 1998. These generally deal with exceptional ‘one-off’ circumstances, and will not be considered as codes for the purpose of this column. However, just to complicate matters still further, Credit Reporting Determinations under the Commonwealth Act, which supplement Part IIIA of the Act itself and apply generally, will be considered part of the ‘code’ regime for consumer credit reporting.
Previous articles have dealt with the important role of codes under the NSW Act ((2000) 7 PLPR 15 & 53). Progress with the NSW codes will be reviewed in future columns. The new Victorian Information Privacy Act 2000 provides for Codes as an alternative to the default legislative scheme. Under Part 4, public sector organisations in Victoria can submit a code to the Privacy Commissioner for approval. Codes may cover both standards (which must be at least as stringent as the IPPs) and procedural aspects, and can cover matters not addressed by the IPPs. As noted in an earlier review of the Bill ((2000) 7(2) PLPR 24), this means that codes can extend and toughen the effect of the Act, but cannot restrict or weaken it. This is a significant contrast to the NSW Act, which allows codes to derogate from or waive the statutory principles, and expressly rules out any strengthening (s 29(7)(b)). Neither in Victoria nor NSW are codes subject to parliamentary approval (unlike most of the various statutory Codes under the Commonwealth Act — see below), although this is arguably less of an issue in Victoria because of the ‘minimum standard’ provision.
The Commonwealth Privacy Act 1988 provides not only for the Credit Reporting Code (first issued by the Commissioner in 1991, and most recently in 1996) but also a range of Guidelines which are in effect statutory codes with binding effect. These include:
The 2000 amendments to the Commonwealth Privacy Act envisage a major new role for Codes of Practice in relation to the private sector, which will become subject to the Act from 22 December 2001. Under new Part IIIAA, the Privacy Commissioner may approve codes submitted to him/her by any organisation. Codes may deal with variations to the standards set out in the National Privacy Principles (NPPs) or with complaint handling processes. The Commissioner may only approve variations to the Principles which are ‘at least the equivalent of’ all of the obligations in the NPPs, and in relation to complaint handling, which meet strict criteria set down in the Act. The Commissioner may issue guidelines in relation to codes, and has indicated his intention to do so during 2001.
It remains to be seen whether private sector organisations find it worthwhile to develop and submit codes for approval. Given that the standards cannot be less than the NPPs, the only advantage to an organisation or industry sector in submitting their own principles would seem to be the opportunity to couch them in industry specific language. In relation to complaint handling, some sectors may perceive an advantage in providing for privacy complaints to be handled in the first instance by an industry specific body (a code adjudicator under the Act), although this advantage was arguably eroded by a late amendment to make determinations of code adjudicators subject to appeal to the Commissioner — replacing a more limited but more powerful right to judicial review.
Most likely to apply immediately for Code approval are the two industry sectors with existing self-regulatory Codes, Insurance and Direct Marketing. Both sectors have already established schemes incorporating an earlier version of the National Principles, and dispute resolution bodies (see (1999) 6 PLPR(4) 57 for an account of the General Insurance industry scheme, and (1999) 6 PLPR(2) 22 for a note on the Australian Direct Marketing Association (ADMA) scheme). Both sectors will need to make a decision early in 2001 as to whether the benefits of continuing with a ‘first line’ dispute resolution scheme outweigh the cost to members, when the same standards will apply in any case from December and defaulting to the statutory scheme will mean that the costs of complaint handling are borne by the taxpayer. Their decision may also be influenced by the experience of ADMA in 1998-1999 in getting approval for their code from the Australian Competition and Consumer Commission (ACCC). This was a relatively long, drawn out and painful process for ADMA. Given the criteria in Part IIIAA that need to be satisfied, and the likelihood that consultation will be required (not mandatory, but in accordance with the Commissioner’s guidelines), industry associations may be somewhat wary of the process.
A further complication in the Australian Federal regulation is the special dedicated scheme for Telecommunications. Under the Telecommunications Act 1997 (Cth), which encourages a co-regulatory approach, codes of practice can be developed by industry bodies. These can either be administered by the industry itself on a purely voluntary basis or, in certain circumstances, can be registered by the Australian Communications Authority (ACA), which thereby acquires certain powers to enforce the provisions of the Code. The Act specifically mentions privacy as a priority area for code development, and an industry body, the Australian Communications Industry Forum (ACIF) has developed and issued a number of codes, two of which deal expressly with privacy issues:
Both of these Codes went through an extensive process of consultation before being registered by the ACA in 2000. As a result they are now binding on industry participants. Complaints about breaches of the Codes can be taken to the Telecommunications Industry Ombudsman (TIO). It is not yet clear how this sector specific regime will interact with the new private sector privacy regime. The Privacy Commissioner may be asked to approve some or all of the Code provisions under the Privacy Act with effect from December 2001 (see (2000) 7 PLPR(1) 16).
The New Zealand Privacy Act 1993 provides for codes of practice which can vary the legislated standards either upwards (to become more stringent) or downwards (to become less stringent) and which can also deal with complaint procedures or information matching in the private sector. The Privacy Commissioner can either approve codes submitted by organisations, or take the initiative and develop and issue a code on his own account. To date, the Commissioner has issued a number of temporary or permanent Codes, of which the following remain in force:
The Commissioner has also issued a draft Code on Credit Information for consultation, and has announced his intention to issue a Code on Telecommunications Privacy.
The Hong Kong Personal Data (Privacy) Ordinance enacted in 1995 provides for the Privacy Commissioner for Personal Data to issue Codes of Practice, but these do not amount to delegated legislation. They cannot vary the standards set in the Ordinance (the Data Protection Principles), but are instead intended to provide ‘practical guidance in respect of ... requirements under [the] Ordinance imposed on data users’. As such, they are more like some of the non-binding guidelines issued by the Australian Federal Commissioner. However, unlike the Commonwealth law, the Ordinance provides expressly for these ‘guidance’ codes of practice to be taken into account in proceedings under the Ordinance.
The HK Commissioner can either develop and issue a Code on his own initiative or approve a Code submitted to him by an organisation. To date, he has issued three codes:
Mention of consultation above raises a significant point in relation to all codes. Most of the statutory provisions relating to privacy codes of practice make mention of the desirability of consultation in their development and prior to approval. But the extent to which consultation is required, and whether it should be public or can be confined to immediate stakeholders, varies considerably. As noted above, consultation on private sector codes under Part IIIAA of the Commonwealth Act is at the discretion of the Commissioner. The NSW Commissioner is given a similar discretion, while the yet to be appointed Victorian Commissioner is also free to decide who to consult, but ‘must have regard to the extent to which members of the public have been given an opportunity to comment on the code or variation’. In contrast, the Federal Privacy Commissioner ‘must’ consult on the Credit Reporting Code and Medicare Guidelines, although the extent of consultation on the TFN, Medical Research and Data-matching Guidelines is left to his/her discretion. The New Zealand Act places considerable emphasis on consultation on codes, with a requirement for public notice and a specified period for submissions on a draft. The Hong Kong Commissioner must also consult, at least with relevant data user representatives.
As already noted, the importance of adequate consultation depends partly on whether a code can vary the legislated standards downwards (as in NSW and NZ) or whether a code is subject to parliamentary disallowance (some Commonwealth and all NZ Codes). While a disallowance provision theoretically provides a safeguard against gross oversights or unconscionable failures to take account of important interests, in practice the safeguard is limited. There are usually significant thresholds to be crossed to gain the attention of busy legislatures, particularly where the law provides only for ‘negative’ disallowance — that is, where an instrument becomes law unless the legislature passes a disallowance motion, as opposed to having to pass a positive motion to allow the instrument.
The ways in which the various Australasian laws deal with amendment or revocation vary considerably and are too complex for easy analysis. Suffice to say that it is obviously important that provisions relating to the issue of codes — such as minimum standards and requirements for consultation — cannot be subverted or undermined by less stringent provisions for amendment, revision or revocation.
Codewatch will keep a particularly keen eye on proposed changes to codes as and when they emerge.
Nigel Waters, Associate Editor.