Privacy Law and Policy Reporter
Nigel Waters | Associate Editor
Mixed experiences with private sector codes
Two and a half years after the commencement of the private sector extension of the federal Privacy Act 1988, there are still only three registered Codes of Practice under Part IIIA of the Act replacing the National Privacy Principles, with three more having been submitted and being under consideration.
The approved Codes are the General Insurance Privacy Code, the Clubs Queensland Industry Privacy Code, and the Market and Social Research Privacy Principles. Only the first of these has a separate Code Adjudicator – the Insurance Enquiries and Complaints Limited Privacy Compliance Committee – as a ‘first tier’ external complaints body standing between insurers’ internal processes and the Privacy Commissioner. The Clubs Queensland and Research Codes defer to the default complaint handling mechanism in the Act, with complainants dissatisfied with internal complaints outcomes appealing directly to the Privacy Commissioner.
Biometrics vs market research
The Biometrics Institute submitted its Biometrics Privacy Code to the Privacy Commissioner in May 2004, after extensive public and industry consultations on the draft issued in December 2003. Leaving aside judgement on the content (which will be reviewed in a future issue of PLPR), the Institute must be applauded for the thoroughness and openness of the Code development process, which provides an excellent model for any future Codes. The Institute engaged two consultants to assist it, and proactively sought consultation with consumer and privacy groups as well as Institute members and other interested parties, both before and after issuing the draft Code in December 2003. Overall, six months were available for input.
Unlike the other approved and submitted codes, the submitted version is available on the Institute’s website together with a ‘statement of equivalency’ and a schedule of submissions. The only other document which would be helpful is a ‘marked’ version of the Code showing changes from the draft; none has been provided, nor any explanation of what changes, if any, have been made.
The diligence of the Biometrics Institute process unfortunately highlights the inadequacy of the process followed with the other Codes to date. The Commissioner’s Code Development Guidelines require a ‘statement of consultation’ to be submitted with an application for Code approval, but there is no requirement for this to be made public. Unless either the Commissioner or the proponent publishes it (as the Biometrics Institute has done), and unless the Commissioner comments on the statement in their approval, there is no basis for interested parties to assess how well proponents have fulfilled some of their key responsibilities under the Act.
This potential weakness has been best illustrated by the history of the Market and Social Research Privacy Principles. This was approved in August 2003, having been submitted by the Association of Market Research Organisations (AMRO) in March 2002. In response to criticism from the Australian Privacy Foundation (APF) that there had been no opportunity for consultation, the OFPC referred to public advertisements and other proactive consultation by AMRO during the period October 2001 to February 2002. This had however been missed by the APF, partly because the OFPC web site did not have information about proposed Codes until after March 2002. The APF expressed surprise that the OFPC did not feel it appropriate to require AMRO to consult with known interested parties (such as APF), especially in view of the long delay between the submission and approval.
APF also criticised the absence of any statement of reasons for approval of the Research Code. In response, OFPC merely asserted that the Commissioner had found the Code to ‘incorporate obligations that, overall, are at least the equivalent to all of the obligations set out in the NPPs’. No further reasoning had been provided, despite the Code having some significant variations from the NPPs.
Other Codes under consideration
The OFPC website records two other Codes, apart from the Biometrics Code already discussed, as having been submitted and being under consideration. These are the Internet Industry Association (IIA) Privacy Code and the Australian Casino Association Privacy Code. Both of these were submitted more than a year ago. In neither case was a ‘statement of consultation’ made public, although it is assumed that such statements were submitted as required. The Commissioner’s website and Annual Report for 2002-03 are silent as to the progress of consideration.
The Internet Industry Association Code is known to have been ‘held up’ by the inability of the Commissioner under the Privacy Act to approve a Code covering ‘exempt matters’. The IIA Code covers employee records, in an attempt to overcome one of the criticisms made of the Privacy Act 1988 by the European Union, and in the hope of gaining an ‘adequacy’ assessment from the EU which would simplify data transfers from Europe for Code signatories. This problem with the Act was addressed by the government in the Privacy Amendment Act 2004, which received Royal Assent on 21 April. This should now clear the way for the Commissioner to approve the IIA Code. However, there must now be a question as to whether it makes any sense to approve a Code which is over a year old dealing with such a fast moving area as the Internet. Since the Code was drafted there have not only been massive technological and market developments, but also significant relevant new regulation including the Spam Act 2003. It might be appropriate for the Commissioner to require at least a brief further round of consultation to ensure that the Code as drafted in 2001-02 still makes sense in 2004.
Progress on the Casinos Code is unknown. For example, the Australian Privacy Foundation made a submission to the Casinos Association on its Code in May 2003, but has received no feedback from either the Association or the OFPC, and there is no information available as to what if any other submissions were received.
To complete the picture, the OFPC Annual Report for 2002-03 notes that an application from Screenrights (Audio-Visual Copyright Society Ltd) was withdrawn. A proposed Code from the Information Technology Contract and Recruitment Association (ITCRA), prepared in March 2002, was apparently never formally submitted.
Experience under the approved Codes
As at 31 May 2004, 24 signatories to the General Insurance Privacy Code are listed on the IEC Ltd website. Several major Australian insurers – including Suncorp Metway, Promina (AAMI, Australian Pensioners and Vero) and IAG (NRMA and RACV Insurance, SGIO and CGU) – are not signatories of the Code and are therefore directly subject to the National Privacy Principles and the complaints jurisdiction of the Privacy Commissioner. (Suncorp and AAMI remain amongst 16 signatories to the voluntary General Insurance Information Privacy Principles which pre-dated the Code, but these are now effectively superseded by the NPPs.) The Chair of the IEC Ltd Privacy Compliance Committee notes in the IEC’s latest Annual Review the sluggish uptake of the Code by the industry, but expressed the hope “that continued active promotion of the Privacy Code by the Insurance Council of Australia will eventually lead to an increase in membership.”
There appears to have been surprisingly little activity under the General Insurance Code. The report by IEC Ltd (the Code administrator) to the Privacy Commissioner for 2002-03 – the first full year – records that 21 complaints were handled by members under internal procedures, with only 2 complaints proceeding to the external IEC Privacy Compliance Committee. One of these, involving Principles 1, 2 & 6 (Collection, Use and Disclosure, and Access), was ultimately referred to the Privacy Commissioner as it turned out to be against an organisation that was not a Code signatory. The other, involving Principle 6 (Access), was still being dealt with at the year end.
While no further details of the internal complaints are given in the Code report to the Commissioner, the IEC Ltd Annual Review does give some further information. It records that:
“Eight complaints concerned the manner in which organisations used and disclosed personal information. Of these complaints, three were settled in favour of the consumer, three in favour of the organisation and two remain outstanding. In six complaints consumers sought access to and correction of personal information. All of these complaints were settled in favour of the individuals concerned. Five complaints concerned the collection of personal information. Three were settled in favour of the consumer, one in favour of the organisation with one complaint left outstanding.
The remaining two complaints concerned data security (which was settled in favour of the organisation) and openness (which remains outstanding).
Overall, the IPCP process has resolved 57% of complaints in favour of consumers and 24% in favour of the organisation.”
The report in the Review from the Chair of the Privacy Compliance Committee repeats the information about the two complaints dealt with, and also records that IEC Ltd reviewed compliance with the Code by six signatories during the year, finding several areas of non-compliance by two of the six, mainly involving inadequately documented procedures or a lack of adequate public information. The insurers concerned addressed and rectified the weaknesses.
Despite the publicity surrounding the introduction of the private sector amendments, the level of complaints reaching the external stage under the Insurance Code is no higher than it was during the four years that the largely unknown voluntary Principles operated, with an almost identical internal and external complaints regime. By comparison, the Office of the Federal Privacy Commissioner handled 44 complaints against insurers during the period July 2001 to February 2003, and approximately 30 in the year 2002-03.
As at 31 May 2004, 40 Clubs are listed as signatories to the Clubs Queensland Industry Privacy Code on the Clubs Queensland website. Because this Code only replaces the NPPs and does not have a separate Complaints Adjudicator, there is no requirement for an Annual Report. Clubs Queensland does however have clear information about the Code on its web site, including helpful FAQs.
Market & Social Research
This Code has only been operating since August 2003 and has not therefore yet been the subject of an annual report. No information is available as to experience under this Code.
Conclusions to date
Experience of private sector codes under the Privacy Act 1988 remains limited, and it is difficult to draw any firm conclusions yet about how useful the provision for Codes will be in the long term. What can be seen is that the formal processes of consultation and approval have been generally inadequate, although this has been compensated to some degree where the proponent has taken the initiative, as the Internet Industry Association and Biometrics Institute have done. The long delays in approvals, and the lack of information about progress and about the eventual reasons for approval from the Office of the Federal Privacy Commissioner are disappointing.
Only the Insurance Code has established a Code Adjudicator, and the very limited activity of this Committee is frustrating – it seems unlikely that it reflects a lack of privacy issues arising in the insurance sector, and its performance invites further scrutiny.
The other Codes have been developed solely to vary the Principles – to a greater or lesser extent – leaving complaint handling to the Privacy Commissioner. It will take time and experience of complaints before a judgment can be made on whether the modifications approved, or proposed, represent a strengthening or a weakening of privacy protection.
Nigel Waters is Associate Editor of PLPR
Notes
The author declares an interest as the consumer member, since its inception, of the IEC Privacy Compliance Committee.
OFPC Code Development Guidelines, September 2001, Consultation Guideline 2.
See http://www.privacy.org.au/
IEC Annual Review 2002-03, p 42.
IEC Annual Review 2002-03, p 12.
IEC Annual Review 2002-03, p 42.
2001-03 figure supplied by OFPC. 2002-03 figure estimated from bar chart in Annual Report, p 67.
http://www.clubsqld.com/privacy_code/PC_main.html