Privacy Law and Policy Reporter
Nigel Waters ASSOCIATE EDITOR
This article reviews a number of recent developments in relation to privacy Codes of Practice in Australia and New Zealand. As noted in the first of these columns, codes have many different manifestations in relation to privacy laws, and understanding the status of codes can be quite confusing, even to those affected — the main distinction being between those that are legal requirements and those that are mere guidance.
Private sector Codes under the federal Privacy Act
Market Research Code slips through
On 27 August 2003, the Federal Privacy Commissioner (the Commissioner) announced that he had approved a privacy code developed by the Market Research Society of Australia (MRSA) and the Association of Market Research Organisations (AMRO). The Market and Social Research Privacy Principles (the MR Code) becomes the third private sector code approved under Pt IIIAA of the Privacy Act 1988 (Cth). It substitutes a customised set of privacy principles for the NPPs, but leaves the complaint handling function with the Privacy Commissioner (like the Queensland Clubs Code but unlike the General Insurance Code which has its own Code Adjudicator body as an intermediate complaint handler between internal review and the Commissioner).
Although the Commissioner’s website has indicated for some time that a market research code was under development, approval of the MR Code has come as a surprise to many public interest groups, who have not been consulted by MRSA/AMRO. Given the requirement for the Commissioner to be satisfied that members of the public have been given an adequate opportunity to comment on a draft, it is surprising that major consumer and privacy organisations have not been aware of any formal public consultation process.
The MR Code is the first to diverge significantly from the wording of the NPPs (the General Insurance Code repeats the National Privacy Principles (NPPs) verbatim, while the Queensland Clubs Code has only cosmetic changes). It has presumably been approved on the basis of ‘overall equivalence’ as provided for in s 18BB(2)(a), but this presumption highlights another curious feature (weakness) in Pt IIIAA — the absence of any requirement for the Commissioner to give any reasons for approval or analysis of submitted codes.
The new MR Code took effect on 1 September 2003.
Draft Casino Privacy Code adds value
The Australian Casino Association has been consulting on a draft Privacy Code (Casino Code) which it intends to submit to the Commissioner for registration under the Privacy Act 1988. The association has prepared the Casino Code for the guidance of member casinos on how to comply with the NPPs in the Act in the particular circumstances of their operations.
Like the market research Code just approved (see above), the Casino Code actually takes the opportunity to vary the principles, in this case in a way that provides greater protection for casino customers, although other aspects of the draft are disappointing.
The Casino Code adds a new principle of ‘Surveillance’, which provides explicit guidance for the operation of CCTV surveillance cameras in casinos. Specific signage is required (and a template notice provided) although this is then held to mean that patrons have given ‘deemed’ consent.
The Casino Code also rectifies one of the EU criticisms of the Australian Privacy Act by extending the coverage of its correction rights under Principle 6 to any individual (not just Australian citizens and permanent residents). Provision is made for notification of any corrections to organisations which have already received personal information about an individual — a significant strengthening of individuals’ rights.
The major weakness of the draft Casino Code is its failure to provide for an independent complaint handling process (code adjudicator) — the function has been given to the code administrator. As independence is one of the pre-conditions for registration (if a code wishes to include a complaint handling function), it seems likely that the association will have to revise this part of the Casino Code. Another disappointment is the omission of the use and disclosure limits on unique identifiers, which counters the positive effect of broadening the scope of the identifier principle.
Internet Industry Privacy Code in a black hole?
The other draft code listed on the Commissioner’s website as ‘under consideration’ is the Privacy Code of the Internet Industry Association (IIA). The IIA website says that it was submitted for approval in March 2003, but interested parties have heard nothing formally since the round of consultation on the draft code in 2001. This is disappointing given that the early versions of the code had some very positive features including an attempt to satisfy the EU adequacy criteria. It is a matter of some concern to privacy and consumer advocates that another of the IIA’s codes — on cybercrime — which has major privacy implications, has now overtaken the privacy code, which would have provided a useful foundation — see further under telecommunications codes below.
Low profile for General Insurance Code
The General Insurance Code (the General Insurance Information Privacy Code), despite covering a sector that could be expected to generate significant privacy issues, has had little visibility since its approval, as the first private sector code, in April 2002. It is the only code approved to date with its own complaint handling process standing between members’ internal processes and the Commissioner. There are currently 22 signatories to the General Insurance Code, which includes only a few of the larger Australian general insurers — the others have chosen to remain subject to the default statutory scheme. It is understood that only a very small number of complaints have reached the Code Compliance Committee, compared to more than 40 insurance cases dealt with by the Commissioner’s office since July 2001. The first annual report on the code to the Commissioner was due at the end of August.
New South Wales Privacy Act — exemption for pre-existing arrangements expired in July
The NSW Privacy Commissioner gave notice in April 2003 to NSW government agencies subject to the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA) that he would not extend a significant provision in the s 41 direction on information transfers between agencies. Since PPIPA took effect, this direction has exempted agencies from compliance with the information protection principles for exchanges of information ‘reasonably necessary’ for the performance of agreements (whether formal or informal) between agencies which were in effect in the 12 months prior to 1 July 2000.
Privacy NSW reminded agency CEOs that the intention of this provision was to provide agencies with a period of grace during which they could continue information exchanges which would otherwise be unlawful under the PPIPA, while developing alternative arrangements or bases of authority. These alternatives could include other exemptions or codes of practice under PPIPA, specific legal authority, or steps to comply with the Information Protection Principles (IPPs). The NSW Commissioner put agencies on notice that this three year period of grace would not be extended and they cannot continue information exchanges after 1 July 2003 which do not either comply with the IPPs or have some other legal basis for exemption.
General code provides foundation for variations in NSW
As at September 2003, the Privacy NSW website shows 12 codes of practice and eight s 41 directions, all of which authorise departures from the IPPs and/or Public Register Principles. Some of these deal with very specific issues, while others apply broadly across all agencies. The s 41 directions are mostly filling a gap pending the approval of further codes of practice.
The NSW Privacy Commissioner is attempting to rationalise the variations represented by the remaining codes of practice through the issue of a Privacy Code of Practice (General) 2003, which commenced on 9 May 2003.
This ‘general’ code has few provisions at this stage, but according to Privacy NSW provides a base on which future departures from the IPPs or public register provisions can be built. The Attorney-General is still working on sector wide codes covering research, investigations and inter-agency transfers.
The only provisions in the General code to date deal with the Environment Protection Authority (EPA), the Roads and Traffic Authority (RTA) and the Sheriff’s Office.
Part 2 authorises the RTA to give vehicle registration information to the EPA so that they can give warnings to car owners or drivers if their vehicle is harming the environment. The warning does not amount to investigation or prosecution, hence the need for a code provision. Part 2 also authorises the Sheriff’s Office to verify car registration details with the RTA.
Part 3 tackles the question of making the EPA’s public registers available on the internet. This provision recognises that it is in the public interest to report environmental offences, which in this case outweighs the privacy concerns. However, it has been agreed that the EPA needs to limit the publication of sensitive information.
Telecommunications privacy strengthened in New Zealand
Telephone subscribers will not have to pay to keep personal details out of phone directories under the new Telecommunications Information Privacy Code (NZ Telecommunications Code). Issued by Privacy Commissioner Bruce Slane, the code was gazetted on 16 May after 18 months of public and industry consultation. Telecommunications agencies have been given six months to prepare, with the new Telecommunications Code taking effect on 1 November 2003.
The Privacy Act 1993 (NZ) principles have applied to the telecommunications industry since 1993, but the new NZ Telecommunications Code explains what the practical requirements of compliance are in the telecommunications context. It affects telecommunications agencies in their handling of personal information about customers and users of telecommunications services. It covers telephone companies, publishers of telephone directories, internet service providers, mobile telephone retailers and many call centres.
The NZ Telecommunications Code confirms that a subscriber’s details may be included in a directory or released through a directory service only with the subscriber’s authorisation, and that individuals cannot be charged for having their details left out. It also prohibits the inclusion of personal details in a ‘reverse search facility’ without individual consent, and provides more control to subscribers about the way in which names and addresses appear in the telephone book (this particular requirement is delayed until 2005 to provide time for changes to telephone directories).
‘Blocking’ options ensuring that subscribers’ details are not released through caller identification systems will also be free of charge and agencies will be required to make telephone users aware of these options. (This is the same as the requirements in Australia under the mandatory Australian Communications Industry Forum (ACIF) Calling Number Display Code of Practice.)
Data gained from subscribers switching to another telephone network will be prohibited from use in unauthorised direct marketing.
The new NZ Telecommunications Code also requires internal complaints handling processes, which must meet certain minimum standards.
A notable omission from the NZ Telecommunications Code is any additional rule relating to retention of traffic data. As a separate memorandum explains, earlier draft rules limiting retention to six months have been left out because of the complexity of the issues and a lack of consensus about appropriate rules, both for the needs of telecommunications businesses themselves and for the needs of other agencies such as law enforcement.
Telecommunications codes in Australia
In Australia, the matters covered by the NZ Telecommunications Code are dealt with variously in the Telecommunications Act 1997 (Cth) or in ACIF codes of practice, some of which are binding by virtue of registration by the Australian Communications Authority (ACA). One of these deals with the integrated public number database (IPND) — a database to which all carriers and carriage service providers assigning public numbers are required to contribute. An ACIF working committee is currently reviewing this code in light of concerns about uses of IPND data expressed by the ACA. The review will also have to address the considerable uncertainty that remains about the interaction of the Telecommunications Act regime and the Privacy Act, to which most telecommunications providers are now also subject. Issues include the extent to which IPND data can be used to verify or populate other databases — such as customer lists or credit reference files — on a commercial scale, and the extent to which the IPND provisions of the Telecommunications Act apply to all directory publishers so as to achieve a level playing field with consistent protection for consumers’ data.
The telecommunications data retention issues which the New Zealand Commissioner has left out of his code are equally controversial in Australia. In July, the IIA issued a draft Cybercrime Code of Practice (Cybercrime Code) for comment. Although this is not intended to be registered under either the Telecommunications Act or the Privacy Act, it is highly significant for privacy. Developed after months of consultation between ISPs, representatives of ISPs and law enforcement agencies, but without any privacy or consumer input, the draft Cybercrime Code proposes a regime of data preservation (retention) which goes considerably further than many of the proposals under discussion in other jurisdictions. This would involve greater co-operation by ISPs with law enforcement than at present, and as a consequence greater intrusion into communications privacy. Consumer and privacy groups have reacted strongly with critical submissions, which among other points question the lawfulness of the Cybercrime Code’s proposals, under both telecommunications and privacy laws.
Credit Information Codes in NZ and Hong Kong
In July, the NZ Privacy Commissioner released a proposed Credit Information Privacy Code (Credit Code) for public consultation. The proposed Credit Code follows a discussion with the industry over a long period. Submissions on the code were invited by 10 September 2003.
The NZ Commissioner acknowledged that credit reporting agencies play an important and legitimate function in consumer credit. However, their activities also intrude into privacy and individuals can be harmed when things go wrong. The Credit Code places a special emphasis upon seeking to ensure that information in credit reporting systems is accurate and reliable. It also seeks to promote transparency and to ensure that consumers are in a position to really know what is going on and what information is being stored about them.
The Credit Code sets out how the statutory privacy principles apply in this activity, including what information may be collected, the uses to which it can be put and rules for access by the people reported on and others.
A useful information paper accompanies the draft Credit Code. It covers the same issues as the Credit Code — accuracy, access to credit reports, content of reports, transparency and individuals’ rights, security, complaints, retention and destruction. It also sets the proposed code in the context of the role of credit reporting in business, and of regulation of credit reporting in other jurisdictions.
Meanwhile, the Hong Kong Privacy Commissioner’s Code of Practice on Consumer Credit Data (Credit Data Code), which first came into operation in 1998, has been revised for a second time — the latest version taking effect on 2 June 2003. The HK Commissioner has also released a report on his consultation on a possible extension of the Credit Data Code to permit so-called positive credit reporting. This is a very controversial issue in Australia, where proposals for sharing of positive credit data (that is, information associated with normal repayments of loans irrespective of any defaults) led to the strict limitations on credit reporting incorporated into the federal Privacy Act in 1989. Australian finance and credit reporting interests are known to be preparing a new case for positive reporting.
Nigel Waters, Associate Editor, Consultant in Fair Information Practices & Privacy.
‘Privacy Codes — What are they? Where are they?’ (2001) 7(8) PLPR 161.
See <www.amro.com.au/privacy_advice.htm>.
See <www.auscasinos.com/>.
See <www.ica.com.au/privacy principles/>.
See <www.lawlink.nsw.gov.au/pc.nsf/pages/april03news>.
See <www.lawlink.nsw.gov.au/pc.nsf/pages/codesmade>.
See <www.privacy.org.nz/comply/teletop.html>.
Code C555:2002 — see <www.aca.gov.au/telcomm/industry_codes/codes/c555b.pdf>.
See <www.iia.net.au/cybercrimevt.html>.
See submissions from Electronic Frontiers Australia <www.efa.org.au/> and Australian Privacy Foundation <www.privacy.org.au/>.
See <www.pco.org.hk/english/ordinance/codes.html>.