industry codes and practice
Codes of practice developed and administered by industry
bodies but formally recognised by the Office of the Federal
Privacy Commissioner play a significant part in the operation
of the Commonwealth Privacy Act.
Other industry codes, of varying efficacy, underpin other
legislation or the marketing activity of bodies such as
the Australian Press Council and the Australian Direct
This page looks at codes under the Privacy Act and codes
associated with other legislation. It also looks at the
New Zealand regime.
It covers -
The 2000 Commonwealth Privacy Amendment (Private Sector)
Act discussed on the preceding pages of this profile
and in the Privacy guide
essentially commits private sector bodies to the National
Privacy Principles, derived in the first instance from
the 1998 National Principles for the Fair Handling
of Personal Information and ultimately from the OECD
Private sector bodies, however, have the option of developing
Codes of Practice that reflect the NPPs and serve as an
"overall equivalent" of the NPPs, "upholding
the privacy rights of individuals while allowing some
flexibility of application for organisations".
That option reflects the government's emphasis on private
sector self-regulation. It reflects the horse-trading
that led to passage of the 2000 legislation, with vigorous
lobbying by particular businesses, industry associations
and industry sectors. It presumably also reflects a sense
in some sectors that industry has appropriate expertise
and resources which would otherwise need to be acquired
by a federal government agency, a process that might equip
that entity with inappropriate power.
The Codes are to be formally accepted by the Office of
the Privacy Commissioner, in effect becoming subordinate
legislation. Development of Codes was to accord with guidelines
(revised September 2001) and meet prescribed standards
In practice, progress towards establishment of codes has
been slow. The first Code - the General Insurance
Information Privacy Code - was submitted by the Insurance
Council of Australia (ICA)
and approved in April 2002. It was revoked in January
The Clubs Queensland Industry Privacy Code
was submitted by an entertainment sector body (CQ)
and approved in August of that year.
Other proposals appears to be mired within the Office.
These include one from the Internet Industry Association
and nine-member Australian Casino Association Privacy
from the Australian Casino Association (ACA).
In discussing mechanisms such as privacy trustmarks
and site privacy statements we highlighted questions about
the efficacy of some industry codes that are biased against
consumers (eg contain fundamental exclusions or are merely
unintelligible) or are poorly administered (eg there is
no effective compliance by industry organisations if members
of a code breach commitments). Codes authorised by the
Australian Federal Privacy Commissioner under the 2000
legislation would appear to have some bite, although detailed
information about implementation is unavailable.
Nigel Waters perceptively asked whether many private sector
it worthwhile to develop and submit codes for approval.
Given that the standards cannot be less than the NPPs,
the only advantage to an organization or industry sector
in submitting their own principles would seem to be
the opportunity to couch them in industry specific language
given past difficulties in gaining endorsement by the
Australian Competition & Consumer Commission.
The answer would appear to be a perceived advantage in
providing for privacy complaints to be handled - in the
first instance - by an industry-specific body, on the
model provided by the Telecommunications Industry Ombudsman
(sometimes criticised as dominated by the major telcos).
A more subtle question is whether the Federal Commissioner
and counterparts have the resources necessary for effective
and timely consideration of proposed codes and subsequent
monitoring of their implementation by private sector bodies.
The Canadian government's Electronic Commerce Task Force
on Regulating Privacy in Canada: An Analysis of Oversight
& Enforcement in the Private Sector commented
that "law without an effective mechanism for compliance
monitoring can be worse than no law at all".
It went on to suggest that
the context of private sector oversight, the threat
of bad publicity can go a long way to securing compliance
with the data protection principles
sanctions in the form of fines are "not a significant
inducement towards compliance" and "civil remedies
are also ineffective because of the difficulty of proving
actual damages from the wilful mistreatment of personal
under the federal Privacy Act
As of August 2003 three Codes have been approved under
the federal Act
Insurance Information Privacy Code (GIIPC) | here
Clubs Queensland Industry Privacy Code |
Market & Social Research Privacy Code |
latter, under the auspices of the Market Research Society
of Australia (MRSA)
and the Association of Market Research Organisations (AMRO),
was described by the Privacy Commissioner as featuring
standards that are at least equivalent to the National
Privacy Principles (in the Privacy Act) and in some
cases are higher. It has higher standards for notifying
participants in research about why their information
is being collected and how it will be used and disclosed.
It also gives individuals the choice of having their
information de-identified, destroyed or deleted as an
alternative to gaining access to it.
GIIPC, as noted above, was revoked in January 2006. It
had featured provisions that complaints under the Code
be handled by an independent adjudicator, rather than
the Privacy Commissioner.
The Insurance Council of Australia commissioned a review
of the GIIPC in 2005, which noted that 24 organisations
had agreed to be bound by the Code and that since 2002
the GIIPC adjudicator had received five complaints (with
expenditure equal to $65,330 per complaint). The Privacy
Commissioner however reported 82 complaints about the
The reviewer concluded that "as a result of the cost,
the low number of privacy complaints, and the degree of
industry take-up of the Code" it could not be said
that "there was value in the continued operation
of the Code".
A range of public and private sector entities have developed
other industry codes in relation to the 1988 Privacy Act
or other legislation. These include -
Australian Communications Industry Forum Industry
Code for the Protection of Personal Information
of Customers of Telecommunications Providers
Direct Marketing Association
Code of Practice
Council of Australia Privacy Principles
General Insurance Code
Bankers Association Code
of Banking Practice and Electronic Funds Transfer
Code of Conduct
Code of Practice
Code of Practice
Medical Association Code
Code of Ethics
Australian College of General Practitioners
Code of Practice
Health and Medical Research Council Guidelines
in New Zealand
The 1993 New Zealand Privacy Act provides that
the national Privacy Commissioner can approve codes developed
by organisations (ie the Australian model) or independently
develop an industry/issue-specific code of practice.
Such Codes may "modify the Information Privacy Principles
set out in the Privacy Act to take into account the special
characteristics of specific industries, agencies or types
of personal information". Provisions in a code "may
be more stringent or less stringent than the principles"
with complaint procedures
with information matching
the impact of the legislation (ie soften legislated
increase the impact of the legislation (eg increase
the stringency of particular standards).
of June 2003 the Commissioner has issued a range of Codes
on a permanent and temporary basis. Those in effect are
Information Privacy Code 2003 here
Information Privacy Code 1994, revised 2000 (PDF)
Sector Unique Identifier Code 1998 here
Information Privacy Code 1997 here,
revised 2001 here
Schemes Unique Identifier Code 1995 here
Education Unique Identifier Code 2001 here
1996-97 the credit industry submitted two draft codes
covering credit information privacy. One was confined
to credit reporting
agencies, the other included credit providers. The Commissioner
sought public comment on a proposed unitary code in mid-2001.
Perspectives on the Australian codes are provided
by comparison with overseas codes.
There is a useful introduction in Nigel Waters' 2001 PLPR
Privacy codes – What are they? Where are they?
In Canada the Canadian Association of Internet Providers
(CAIP) has developed a Privacy Code
based on the Model Code for the Protection of Personal
Information developed by CSA International (the Canadian
Standards Association). The CSA Model Code - highlighted
here - embodies ten Fair
Information Practices, consistent with the Australian
National Privacy Principles.
The Canadian Bankers Association has a Privacy Model Code,
similar to the Consumer Code
of Ethics from the Canadian Life & Health Insurance
Association and the Insurance Bureau of Canada's Model
Personal Information Code.
The Canadian Medical Association has adopted a voluntary
Health Information Privacy Code (HIPC)
that reflects the CSA 10 Fair Information Practices.
The Canadian Pharmacy Association Code of Ethics merely
states that "A Pharmacist Shall protect the patient's
right to confidentiality." The Canadian Marketing Association
has a Code
of 7 Privacy Principles; the Better Business Bureau (BBB)
encourages members to abide by a somewhat vacuous code
of business ethics.
There is a valuable overview in Steven Vogel's Freer
Markets, More Rules: Regulatory Reform in Advanced Industrial
Countries (Ithaca: Cornell Uni Press 1996) and Global
Business Regulation (Cambridge: Cambridge Uni Press
2000) by John Braithwaite & Peter Drahos, complemented
by David Moss' When All Else Fails: Government As
The Ultimate Risk Manager (Cambridge: Harvard Uni
The 1997 US Department of Commerce study
on Privacy & Self-Regulation In The Information
Age is also of interest.