industry codes and practice

Codes of practice developed and administered by industry bodies but formally recognised by the Office of the Federal Privacy Commissioner play a significant part in the operation of the Commonwealth Privacy Act.

Other industry codes, of varying efficacy, underpin other legislation or the marketing activity of bodies such as the Australian Press Council and the Australian Direct Marketing Association. This page looks at codes under the Privacy Act and codes associated with other legislation. It also looks at the New Zealand regime.

introduction

The 2000 Commonwealth Privacy Amendment (Private Sector) Act discussed on the preceding pages of this profile and in the Privacy guide essentially commits private sector bodies to the National Privacy Principles, derived in the first instance from the 1998 National Principles for the Fair Handling of Personal Information and ultimately from the OECD guidelines.

Private sector bodies, however, have the option of developing Codes of Practice that reflect the NPPs and serve as an "overall equivalent" of the NPPs, "upholding the privacy rights of individuals while allowing some flexibility of application for organisations".

That option reflects the government's emphasis on private sector self-regulation. It reflects the horse-trading that led to passage of the 2000 legislation, with vigorous lobbying by particular businesses, industry associations and industry sectors. It presumably also reflects a sense in some sectors that industry has appropriate expertise and resources which would otherwise need to be acquired by a federal government agency, a process that might equip that entity with inappropriate power.

The Codes are to be formally accepted by the Office of the Privacy Commissioner, in effect becoming subordinate legislation. Development of Codes was to accord with guidelines (revised September 2001) and meet prescribed standards (RTF).

In practice, progress towards establishment of codes has been slow. The first Code - the General Insurance Information Privacy Code - was submitted by the Insurance Council of Australia (ICA) and approved in April 2002. It was revoked in January 2006.

The Clubs Queensland Industry Privacy Code was submitted by an entertainment sector body (CQ) and approved in August of that year.

Other proposals appear to be mired within the Office. These include one from the Internet Industry Association (IIA) and the nine-member Australian Casino Association Privacy Code (PDF) from the Australian Casino Association (ACA).

questions

In discussing mechanisms such as privacy trustmarks and site privacy statements we highlighted questions about the efficacy of some industry codes that are biased against consumers (eg contain fundamental exclusions or are merely unintelligible) or are poorly administered (eg there is no effective compliance by industry organisations if members of a code breach commitments). Codes authorised by the Australian Federal Privacy Commissioner under the 2000 legislation would appear to have some bite, although detailed information about implementation is unavailable.

Nigel Waters perceptively asked whether many private sector organisations will

find it worthwhile to develop and submit codes for approval. Given that the standards cannot be less than the NPPs, the only advantage to an organization or industry sector in submitting their own principles would seem to be the opportunity to couch them in industry specific language ...

particularly given past difficulties in gaining endorsement by the Australian Competition & Consumer Commission.

The answer would appear to be a perceived advantage in providing for privacy complaints to be handled - in the first instance - by an industry-specific body, on the model provided by the Telecommunications Industry Ombudsman (sometimes criticised as dominated by the major telcos).

A more subtle question is whether the Federal Commissioner and counterparts have the resources necessary for effective and timely consideration of proposed codes and subsequent monitoring of their implementation by private sector bodies. The Canadian government's Electronic Commerce Task Force report on Regulating Privacy in Canada: An Analysis of Oversight & Enforcement in the Private Sector commented that "law without an effective mechanism for compliance monitoring can be worse than no law at all".

It went on to suggest that

in the context of private sector oversight, the threat of bad publicity can go a long way to securing compliance with the data protection principles

as sanctions in the form of fines are "not a significant inducement towards compliance" and "civil remedies are also ineffective because of the difficulty of proving actual damages from the wilful mistreatment of personal data".

codes under the federal Privacy Act

As of August 2003 three Codes have been approved under the federal Act -

  • General Insurance Information Privacy Code (GIIPC)
  • Clubs Queensland Industry Privacy Code
  • Market & Social Research Privacy Code

The latter, under the auspices of the Market Research Society of Australia (MRSA) and the Association of Market Research Organisations (AMRO), was described by the Privacy Commissioner as featuring

privacy standards that are at least equivalent to the National Privacy Principles (in the Privacy Act) and in some cases are higher. It has higher standards for notifying participants in research about why their information is being collected and how it will be used and disclosed. It also gives individuals the choice of having their information de-identified, destroyed or deleted as an alternative to gaining access to it.

The GIIPC, as noted above, was revoked in January 2006. It had featured provisions that complaints under the Code be handled by an independent adjudicator, rather than the Privacy Commissioner.

The Insurance Council of Australia commissioned a review of the GIIPC in 2005, which noted that 24 organisations had agreed to be bound by the Code and that since 2002 the GIIPC adjudicator had received five complaints (with expenditure equal to $65,330 per complaint). The Privacy Commissioner however reported 82 complaints about the insurance industry.

The reviewer concluded that "as a result of the cost, the low number of privacy complaints, and the degree of industry take-up of the Code" it could not be said that "there was value in the continued operation of the Code".

other codes

A range of public and private sector entities have developed other industry codes in relation to the 1988 Privacy Act or other legislation. These include -

  • Australian Communications Industry Forum Industry Code for the Protection of Personal Information of Customers of Telecommunications Providers
  • Australian Direct Marketing Association Code of Practice
  • Insurance Council of Australia Privacy Principles and General Insurance Code of Practice
  • Australian Bankers Association Code of Banking Practice and Electronic Funds Transfer Code of Conduct
  • Building Society Code of Practice
  • Credit Union Credit Code of Practice
  • Australian Medical Association Code of Ethics
  • Royal Australian College of General Practitioners Code of Practice
  • National Health and Medical Research Council Guidelines

codes in New Zealand

The 1993 New Zealand Privacy Act provides that the national Privacy Commissioner can approve codes developed by organisations (ie the Australian model) or independently develop an industry/issue-specific code of practice.

Such Codes may "modify the Information Privacy Principles set out in the Privacy Act to take into account the special characteristics of specific industries, agencies or types of personal information". Provisions in a code "may be more stringent or less stringent than the principles" and -

  • deal with complaint procedures
  • deal with information matching
  • reduce the impact of the legislation (ie soften legislated standards)
  • increase the impact of the legislation (eg increase the stringency of particular standards).

As of June 2003 the Commissioner has issued a range of Codes on a permanent and temporary basis. Those in effect are -

  • Telecommunications Information Privacy Code 2003
  • Health Information Privacy Code 1994, revised 2000 (PDF)
  • Justice Sector Unique Identifier Code 1998
  • EDS Information Privacy Code 1997, revised 2001
  • Superannuation Schemes Unique Identifier Code 1995
  • Post-Compulsory Education Unique Identifier Code 2001

In 1996-97 the credit industry submitted two draft codes covering credit information privacy. One was confined to credit reporting agencies, the other included credit providers. The Commissioner sought public comment on a proposed unitary code in mid-2001.

points of reference

Perspectives on the Australian codes are provided by comparison with overseas codes.

There is a useful introduction in Nigel Waters' 2001 PLPR article Privacy codes What are they? Where are they?

In Canada the Canadian Association of Internet Providers (CAIP) has developed a Privacy Code based on the Model Code for the Protection of Personal Information developed by CSA International (the Canadian Standards Association). The CSA Model Code - highlighted here - embodies ten Fair Information Practices, consistent with the Australian National Privacy Principles.

The Canadian Bankers Association has a Privacy Model Code, similar to the Consumer Code of Ethics from the Canadian Life & Health Insurance Association and the Insurance Bureau of Canada's Model Personal Information Code. The Canadian Medical Association has adopted a voluntary Health Information Privacy Code (HIPC) that reflects the CSA 10 Fair Information Practices.

The Canadian Pharmacy Association Code of Ethics merely states that "A Pharmacist Shall protect the patient's right to confidentiality." The Canadian Marketing Association has a Code of 7 Privacy Principles; the Better Business Bureau (BBB) encourages members to abide by a somewhat vacuous code of business ethics.

There is a valuable overview in Steven Vogel's Freer Markets, More Rules: Regulatory Reform in Advanced Industrial Countries (Ithaca: Cornell Uni Press 1996) and Global Business Regulation (Cambridge: Cambridge Uni Press 2000) by John Braithwaite & Peter Drahos, complemented by David Moss' When All Else Fails: Government As The Ultimate Risk Manager (Cambridge: Harvard Uni Press 2002).

The 1997 US Department of Commerce study on Privacy & Self-Regulation In The Information Age is also of interest.

version of May 2006
© Caslon Analytics