Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
Privacy Code Development (September 2001)
FOREWORD
The Privacy Amendment (Private Sector) Act 2000 extends the operation of the Privacy Act 1988 to cover much of the private sector. An integral feature of the Amendment Act is the option for organisations to develop their own privacy codes, which when approved, replace compliance with the National Privacy Principles.
The co-regulatory approach offered by the legislation allows for some flexibility in how organisations approach their privacy obligations but, at the same time, ensures that minimum enforceable standards apply to the protection of personal information.
Trust will be the new weapon in winning and maintaining customer loyalty. Good privacy practices will give business a competitive edge. The development and adoption of a code by an organisation could be used to send a powerful message to consumers that the organisation is conscious of the privacy concerns of individuals and is active in protecting their privacy rights.
The recent research on community, business and government attitudes towards privacy conducted by the Office shows Australians place a high value on their privacy. It makes good business sense for many organisations to take control of their privacy obligations by the development of a code. Privacy Codes will contribute to the Office's goal of promoting an Australian culture that respects privacy.
This document will assist organisations in deciding whether it is appropriate for them to develop a privacy code. It also informs and carefully outlines the matters that will need to be addressed in the development and approval of a code.
Malcolm Crompton
Federal Privacy Commissioner
August 2001
Code Development Guidelines
Foreword
Summary of Code Development Guidelines
Chapter one - Explanation of these guidelines
1.1 Purpose of these guidelines
1.2 Organisations that may develop a code
1.3 Key terms
Chapter two - Legislative overview
2.1 Background to the legislation
2.2 A co-regulatory approach
2.3 Related publications
Chapter three - Some helpful advice before developing privacy codes
3.1 Reasons for developing a code
3.2 Assessing the need for a code
3.3 Options for complaint resolution
3.4 Resource requirements
3.5 Getting help
3.6 The Australian Competition and Consumer Commission (ACCC)
Diagram: Flow chart of co-regulatory privacy scheme overview
Chapter four - Developing privacy codes
4.1 Consultation on draft codes - section 18BB(2)(f)
4.1.1 The consultation process
4.1.2 Defining adequate consultation
4.1.3 Additional help
4.2 NPP equivalency requirements - section 18BB(2)(a)
4.3 Developing explanatory material
4.3.1 Consideration of explanatory material by the Commissioner
4.3.2 Consideration of explanatory material by a code adjudicator
4.4 Coverage specifications - section 18BB(2)(b) and section 18BB(2)(d)
4.5 Voluntary membership - section 18BB(2)(c)
4.6 Code reviews
4.7 Codes with limited lives - section 18BB(6)
4.8 Codes with limited coverage - section 18BB(7)
4.9 Drafting to a professional standard
4.10 Openness and code promotion as best practice
Chapter five - Complaint handling procedures
5.1 Complaint handling procedures under Part V
5.2 Reasons for complaint handling procedures
5.3 Requirements for complaint handling procedures - section 18BB(3)(b) to (l)
5.4 Code adjudicator decisions
5.5 Determinations enforced in Federal Court
5.6 Review of determinations in Federal Court
5.7 Prescribed standards for complaint handling procedures - section 18BB(3)(a)(i)
5.8 Commissioner's guidelines for complaint handling procedures - section 18BB(3)(a)(ii)
5.8.1 Representative complaints
5.8.2 Respondent complaint resolution
5.8.3 Referral to the Commissioner
5.8.4 Referral to another code adjudicator
5.8.5 Reporting requirements for complaint handling procedures
Diagram: Flow chart of complaint handling procedures under an approved code
Chapter 6 - Approval applications
6.1 The application
6.2 Timeframes
6.3 Notification
6.4 Register
Chapter 7 - Privacy code variations
7.1 Amendments to a code
7.2 Revoking a code
7.3 Revoking complaint handling procedures
Appendices
Appendix A Prescribed standards
Appendix B Checklist
SUMMARY OF CODE DEVELOPMENT GUIDELINES
Section 18BB(2) sets out the matters the Commissioner must be satisfied are met before a privacy code may be approved. In deciding whether to approve a code section 18BB(4) also allows the Commissioner to consider matters specified in any guidelines issued by the Commissioner.
Where it is proposed to have complaint handling procedures under a code, section 18BB(3) sets out additional matters that the Commissioner must be satisfied are met. These matters include that the complaint handling procedures meet the prescribed standards issued by the Minister and any guidelines issued by the Commissioner.
A summary of both the Commissioner's guidelines relating to code approval and the Commissioner's guidelines relating to complaint handling procedures is provided below. Code proponents should consider these guidelines in the context of the broader document.
Guidelines relating to code approval
Consultation
1. In most cases the code proponent will be expected to allow a minimum of six weeks for public consultation where the first day of the consultation period does not start or end on a public holiday or a weekend.
2. To assist the Commissioner in deciding if members of the public have been given an adequate opportunity to comment on a draft of the code, the Commissioner requires code proponents to submit a statement of consultation with the application for code approval. This statement will need to contain the following details:
i) The beginning and ending date that the code was available for public consultation.
ii) The people or groups likely to be affected by the privacy code.
iii) The methods that were employed by the code proponent to consult with these groups.
iv) A list of the individuals or groups who made submissions to the draft code.
v) Where a draft code was changed, the details of these changes.
vi) A summary of any issues raised by individuals or groups that remain unresolved (if any).
vii) The reasons why any feedback was not incorporated into the final document.
viii) A list of organisations likely to adopt the proposed code.
Equivalence
1. The Act requires codes to incorporate all the NPPs or set out obligations that, overall, are at least the equivalent of all the obligations under the NPPs. In deciding if this condition has been met, the Commissioner requires code proponents to include a statement of claims detailing:
i) how the obligations under the code differ from the obligations under the NPPs;
ii) the rationale for the change to any obligation provided in the NPPs; and
iii) how, in the opinion of the code proponent, the obligations set out in the code are at least equivalent of all the obligations set out in the NPPs.
Explanatory material
1. The Commissioner considers it appropriate for code proponents submitting an application for code approval to include any explanatory material that has been prepared in relation to a code.
Coverage
1. In most cases the Commissioner will expect codes to make provision for the establishment and appropriate funding of a code administrator.
2. To ensure the legislative requirements are met in relation to the coverage of the code, the Commissioner requires the code to provide for the maintenance of an accurate, up to date and easily accessible record of code members. The Commissioner also requires the application to include a statement as to how this record will be maintained. Where the proposed approach does not include an online record of members with links to the Commissioner's website, the Commissioner will ordinarily expect the application to state how individuals will not be unreasonably disadvantaged by the proposed alternative system.
Voluntary membership
1. In order to be satisfied that the code is voluntary, the Commissioner will require organisations submitting an application for code approval to include a statement as to how they will ensure that agreeing to be bound by a code requires a voluntary act of an organisation. Ordinarily, it is expected that any such statement will also highlight the procedures in which an organisation can opt in and out of the code.
Code review
1. Ordinarily, the Commissioner expects codes to:
i) include a process for independent review - to occur at least once every three years;
ii) include a stated commitment to allocate sufficient resources to the review of the code; and
iii) require the code administrator to produce a response to the independent review report and to submit this response to the Commissioner, along with the review report, within 30 days of the review report being finalised.
Limited life codes
1. Where codes are to have a limited life, the Commissioner expects the code to clearly articulate when or under what circumstances it is to terminate.
2. Ordinarily, the Commissioner expects limited life codes to include arrangements for how the cessation will be communicated to consumers and to pre-establish procedures for termination.
Limited coverage
1. The Commissioner expects codes with limited coverage to clearly articulate what type of personal information, activity and/or profession the code is to cover.
Code drafting
1. The Commissioner expects codes to be written to a professional standard using language that is clear and easy for individuals to understand.
Openness and code promotion
1. The Commissioner expects codes to require code members to make available a copy of the code and any relevant explanatory material on request.
Guidelines relating to complaints handling procedures
Representative complaints
1. A code must provide a procedure for accepting, investigating and making a decision on a representative complaint.
Attempt to resolve complaint directly with respondent
1. A code must provide that, before a code adjudicator determines a complaint, the adjudicator must be satisfied that the complainant has first complained to the respondent before making the complaint to the adjudicator but that either:
i) the complaint has not been resolved to the satisfaction of the complainant; or
ii) the respondent has not responded to the complainant within 60 days from the date that the complaint was lodged with the respondent.
Referral to the Commissioner
1. A code must provide that an adjudicator is to refer a complaint to the Commissioner in accordance with section 40(1B) where:
i) the complaint includes a matter that relates to Consumer Credit information - Part IIIA; Tax File Number information - Part III, Division 4 and the Tax File Number Guidelines; or Spent Conviction information - Part VIIC of the Crimes Act 1914;
ii) the respondent to the complaint is not a subscriber to the code under which the code adjudicator makes decisions on complaints and the code adjudicator is unable to identify another approved code under which the complaint could be more appropriately handled; or
iii) there would be a conflict of interest if the code adjudicator made a decision on the complaint.
NOTE: Where a complaint relates to an organisation that is carrying out functions or services that involve the handling of personal information under a contract with a Commonwealth agency, section 40A of the Act requires the adjudicator to refer the matter to the Commissioner for determination. The Commissioner must accept the complaint and investigate the matter as if the complaint had been made to the Commissioner under section 36.
Referral to another adjudicator
1. A code is only to allow an adjudicator to refer a complaint to another code adjudicator if the first-mentioned code adjudicator considers that another code is more appropriate in its application or provides remedies more appropriate to the circumstances of the complaint. However, before referring a complaint to another code adjudicator, the first-mentioned code adjudicator must:
i) consult with the other code adjudicator about whether the complaint would be more appropriately determined by that code adjudicator; and
ii) advise the complainant of the reasons for the proposed referral and obtain the agreement of the complainant to such a referral.
Reporting to the Privacy Commissioner
1. In accordance with section 18BB(3)(h), the code must provide that the report on the operation of the code is to be provided to the Commissioner in an electronic format as specified, from time to time, by the Commissioner and using a template issued annually by the Commissioner.
2. In accordance with section 18BB(3)(i), the code must provide that the report to the Commissioner on the operation of the code for a given financial year is to be provided to the Commissioner within two months of the end of the financial year.
3. In addition to the matters set out in section 18BB(3)(k), the code must provide that the report to the Commissioner on the number and nature of complaints made to an adjudicator under the code during the relevant financial year is to include:
i) the number of complaints received during each calendar month;
ii) the geographical source of complaints by State or Territory of Australia;
iii) the nature of the complaint by reference to the relevant provisions of the code;
iv) the number of complaints that were resolved to the satisfaction of both parties without proceeding to a determination;
v) the number of complaints received during the financial year that were referred to another code adjudicator or to the Commissioner for determination and the reasons for the referral;
vi) the number of enquiries that the code adjudicator received during the financial year, set out in categories agreed to in consultation with the Commissioner during the process of approving the code;
vii) the number of unresolved complaints as at the end of the financial year and the status of those complaints categorised as follows:
(a) no action taken yet;
(b) seeking clarification of facts/issues;
(c) awaiting outcome of related proceedings;
(d) awaiting response from respondent;
(e) awaiting comment from complainant on response; and
(f) settlement under negotiation;
ii) the number of complaints received during the financial year that have been referred by the adjudicator to the code member to attempt to resolve the matter directly with the complainant;
iii) the number of complaints that were resubmitted to the code adjudicator following an unsuccessful attempt by the code member to resolve the matter with the complainant;
iv) any systemic problems arising from complaints;
v) examples of representative case studies;
vi) information about how the scheme ensures equitable access;
vii) a list of code members, together with any changes to the list during the year;
viii) the names of any code members that do not meet their obligations as members of the code; and
ix) information about new developments or key areas in which policy or education initiatives are required.
4. In addition to the matters referred to in section 18BB(3)(ka), the code must provide that the report is to include the time taken to finally deal with each complaint during the relevant financial year.
CHAPTER ONE - EXPLANATION OF THESE GUIDELINES
1.1 Purpose of these guidelines
The Privacy Act 1988 (Cth) (the Act) as amended by the Privacy Amendment (Private Sector) Act 2000 gives important privacy rights to individuals but also recognises the rights of business to achieve its objectives in an efficient way. The Federal Privacy Commissioner (the Commissioner) is required to uphold this ideal and to work with all stakeholders, in a balanced manner, to ensure that the privacy rights of individuals are protected while enabling business to continue to operate efficiently.
One way the Act works to achieve this goal is by allowing organisations to have and to enforce their own privacy codes that continue to uphold the privacy rights of individuals while allowing some flexibility of application for organisations.
However, before the Commissioner may approve a privacy code, the Act provides that the Commissioner must be satisfied with a number of important matters. For instance:
· Section 18BB(2) sets out matters that the Commissioner must be satisfied are met before a privacy code may be approved. These are:
- the code must set out obligations that, overall, are at least the equivalent of all the obligations in the NPPs;
- the code must specify which organisations are bound by the code (or specify how to determine which organisations are bound by the code);
- the code must only bind organisations that have consented to be bound by the code, and set out a procedure by which an organisation can cease to be bound by the code; and
- the Commissioner must also be satisfied that members of the public are given an adequate opportunity to comment on the draft of the code.
· Where the code proposes separate complaint handling procedures, section 18BB(3) sets out additional matters in paragraphs (a) to (l) that the Commissioner must be satisfied are met before a privacy code may be approved.
· Included among these additional matters, section 18BB(3)(a)(i) requires the Commissioner to be satisfied that any proposed complaint handling procedures meet the prescribed standards issued by the Minister. The Minister's standards may be found in Appendix A.
· Similarly, section 18BB(3)(a)(ii) requires the Commissioner to be satisfied that the complaint handling procedures meet any guidelines issued by the Commissioner under section 18BF(1)(b). These are set out in bold print in Chapter 5 of this document and repeated in the summary of guidelines provided at the beginning of the document.
· In deciding whether to approve a privacy code, section 18BB(4) provides that the Commissioner may also consider the matters specified in guidelines issued by the Commissioner under section 18BF(1)(a) and (c). Individual summaries of these guidelines are set out in bold print in Chapter 4 with a consolidated summary of the guidelines provided at the beginning of the document.
The purpose of this document is to detail all of the guidelines the Commissioner has made under section 18BF(1) in relation to the development and approval of a privacy code.
1.2 Organisations that may develop a code
Any sole organisation, group of organisations or industry association representing the interests of its members may make an application to the Commissioner to have a privacy code approved. This includes profit seeking third parties (that is, non-representative bodies) that intend to attract organisations to their dispute resolution scheme.
Each code will be judged on its merits and in relation to the Act and these requirements regardless of the nature of the code proponent. However the Commissioner will also be considering how codes interact and relate with each other, especially where approval could lead to more than one code applying to a particular set of circumstances. The Commissioner will be particularly mindful of the views of other stakeholders and consumers on the impact of potential overlap.
1.3 Key terms
Code adjudicator - is a decision maker identified in section 18BB(3)(b) of the Act, that is responsible for the determination of complaints where there is a separate complaint handling process under a code. The code adjudicator is required to have a well-defined independence from the members of the scheme. The code adjudicator may be the Commissioner or another individual, panel of individuals or entity (refer to the prescribed standards).
Code administrator - is a body established to oversee the running and operation of the code and, where applicable, the separate complaint handling process.
Code member - is any organisation or business that has agreed to be bound by a privacy code and is registered with the code administrator (refer to section 18BB(2)(b) of the Act).
Code proponent - is an organisation, or association of organisations that has responsibility for developing, seeking approval for and/or implementing a code (refer to section 18BA of the Act).
Complainant - is an individual who lodges a complaint with a code adjudicator or the Commissioner.
National Privacy Principles (NPPs) - are a set of 10 high level principles that are intended to form the basis for the protection of personal information. Private sector organisations are bound by the NPPs unless they have their own privacy code that is approved by the Privacy Commissioner. The NPPs cover matters such as the collection, use and disclosure of personal information, data quality, access and data security. The NPPs are located in Schedule 3 to the Act and are not to be confused with the Information Privacy Principles, which apply to Commonwealth agencies.
The Office - means the Office of the Federal Privacy Commissioner.
Organisation - is defined by the Act to be an individual, a body corporate, a partnership, any other unincorporated association or a trust that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory authority. The Act goes on to define which entities are covered by the Act and which are not. For example, some small businesses are exempt from the coverage of the Act. The full definition is more formally set out in sections 6C and 6E of the Act.
Respondent - is the code member that is subject to a privacy complaint by an individual.
The Act - means the Privacy Act 1988 (Cth).
The Health Privacy Guidelines - are a set of guidelines made by the Commissioner under section 27(1)(e) of the Act that are designed to give organisations that are health service providers practical help on how to apply the NPPs to their operations. To obtain a copy of the Health Privacy Guidelines go to: www.privacy.gov.au (the Commissioner's website).
The Minister - means the Commonwealth Attorney-General.
The NPP Guidelines - are a set of guidelines made by the Commissioner under section 27(1)(e) of the Act that are designed to give organisations practical help on how to apply the NPPs to their operations. To obtain a copy of the NPP Guidelines go to: www.privacy.gov.au (the Commissioner's website).
The prescribed standards - are a set of principles that complaint handling procedures must meet before the Commissioner can approve a code (refer to section 18BB(3) of the Act). The prescribed standards cover matters to do with the accessibility, independence, fairness, accountability, efficiency and effectiveness of complaints handling procedures. The prescribed standards, as set down in regulation, may be found at Appendix A.
CHAPTER TWO - LEGISLATIVE OVERVIEW
This chapter gives organisations an explanation of how privacy codes fit within the privacy legislative framework. It explains what is meant by the term "co-regulation" in the context of the Act and discusses the responsibilities of organisations and the Office of the Federal Privacy Commissioner (the Office) under this regime. The chapter also places the Code Development Guidelines into a broader context by discussing how they relate to the NPPs and the National Privacy Principles Guidelines and the Health Privacy Guidelines issued by the Commissioner.
2.1 Background to the legislation
The Act establishes a framework for a national and consistent set of privacy standards for the private sector. The Act does this by implementing a set of National Privacy Principles (the NPPs) that outline minimum requirements in relation to how private sector organisations should collect, use, keep secure and disclose personal information. The principles also give individuals a right to know what information an organisation holds about them and a right to correct it if it is wrong. The Act also provides arrangements for enforcing these rights.
In addition to the minimum requirements of the NPPs (which operate as a set of default privacy principles), the Act establishes a framework in which organisations are able to develop specialised binding codes for the handling of personal information. These privacy codes, when approved, replace the NPPs. This "co-regulatory" component in the legislation is designed to allow for flexibility in an organisation's approach to privacy but, at the same time, guarantees consumers that their personal information is subject to minimum standards that are enforceable in law.
The Act does exempt some organisations and practices from its coverage. Information Sheets and other details about these exemptions are available at www.privacy.gov.au (the Commissioner's website).
A flow chart detailing the co-regulatory privacy scheme is provided at the end of this chapter.
2.2 A co-regulatory approach
The co-regulatory approach adopted in the Act was developed on the basis that the privacy concerns of consumers can best be addressed if organisations are allowed room to negotiate an appropriate privacy standard with their customers. This approach ensures that an effective and comprehensive data protection framework is provided for the private sector in Australia while still allowing some flexibility in its application.
The term "co-regulation" is difficult to define in a general sense as it has the potential to apply to an array of regulatory systems. However, as the term relates to the Act, it can be thought of as a legislative framework in which organisations can gain official recognition for codes of practice that they themselves develop and implement. A "co-regulatory" approach, however, is quite distinct from "self-regulation", because organisations covered by the Act that choose not to have a code must handle personal information in accordance with the NPPs in the Act. Both the NPPs and approved codes are enforceable by law.
The co-regulatory approach allows organisations:
· to tailor the NPPs to fit industry specific sensitivities or market needs; and
· to adopt an industry-based complaints handling mechanism with either the Commissioner or some other person or body as the independent code adjudicator.
While there is some flexibility in this co-regulatory approach, it is important to recognise that the Act does not give an organisation complete freedom when collecting and handling personal information. The privacy rights of an individual cannot be lessened by the use of a code. For instance, the Commissioner must approve each privacy code in accordance with the Act, the prescribed standards and guidelines issued by the Commissioner, before a code can replace the minimum privacy standards embodied in the NPPs. When deciding whether or not to approve a code, the Commissioner must also consider whether the code incorporates all the NPPs or sets out obligations that, overall, are at least the equivalent of all the obligations set out in the NPPs.
Where an organisation consents to be bound by an approved code, the code operates in place of the NPPs until the organisation ceases to be bound by the code. Where an organisation chooses not to adopt an approved code it will be bound by the NPPs.
2.3 Related publications
These guidelines should not be read in isolation. They are designed to help organisations understand and develop privacy codes and to set out requirements on the development of codes. Organisations planning to develop a code are encouraged to first gain a detailed understanding of the legislation and, in particular, the NPPs.
To help organisations understand the legal obligations contained in the NPPs, the Commissioner will release guidelines that explain the NPPs. Separate guidelines on the application of the NPPs in the health services sector will also be issued by the Commissioner to assist organisations that handle personal health information as well as provide health services. The NPP Guidelines and the Health Guidelines spell out how the Commissioner expects the NPPs to be applied in practice. Code proponents should bear the NPP and Health Guidelines in mind when preparing their own codes given that the Act intends that codes be overall equivalent to the NPPs.
Organisations intending to submit a code should consult the NPP guidelines, and where appropriate the Health Privacy Guidelines, before submitting a privacy code for approval.
More information on these additional guidelines is available from: www.privacy.gov.au (the Commissioner's website).
CHAPTER THREE - SOME HELPFUL ADVICE BEFORE DEVELOPING A PRIVACY CODE
Organisations that are unclear about what is involved in developing and implementing a privacy code may find this chapter useful. It is designed to help an organisation build a basic understanding of the substance and role of codes. This chapter may also assist an organisation in deciding whether to develop a code and, if so, the resources that will need to be allocated to its development and maintenance.
3.1 Reasons for developing a code
Some of the reasons why an organisation may wish to adopt a code rather than simply comply with the baseline NPPs are listed below:
· The adoption of a code can give an organisation a sense of ownership of its privacy obligations and put the organisation in an active position rather than just being the passive recipient of legislative obligations.
· A code can make good business sense by sending a positive statement to the community that a particular organisation/industry is conscious of the privacy concerns of individuals and is active in protecting their privacy rights. This can be done by:
- adopting a code that incorporates higher standards for privacy protection than the NPPs require, thus allowing organisations/industries to differentiate themselves in the marketplace; and
- a code administrator committing the scheme to a stronger assurance process (through independent audit or monitoring programs) as a way of further differentiating an organisation/industry in the marketplace.
· A code can be a good way of changing the culture of an organisation or industry by raising awareness of privacy and by introducing a compliance regime.
· A code may serve as a guide to regulation by providing organisations with a single document that incorporates all its related legislative requirements (both Commonwealth and State) and industry standards written in industry specific language.
· A successful code can promote industry integrity that, among other things, may serve to lessen consumer demand for further regulatory intervention.
· It is often quicker and easier to amend codes than it is to amend the law, allowing organisations/industries to be more responsive to the concerns of individuals.
· A code can allow organisations/industries to develop higher standards or introduce different principles in order to comply with the privacy directives of other countries or trading partners. This will be particularly relevant to organisations with global operations.
· A code that incorporates complaint handling procedures can give industry a sense of ownership in dispute resolution. Also, there may be an existing dispute resolution system operating in an organisation/industry that can operate as a "one-stop-shop" for consumers seeking redress.
3.2 Assessing the need for a code
In deciding whether to develop a privacy code or comply with the default NPPs, an organisation may wish to consider the following matters:
· What are the benefits and risks involved for the organisation?
· What kinds of personal information are held by the organisation?
· Does the organisation want to incorporate higher standards for privacy protection than the NPPs require so as to distinguish itself from its competitors?
· Does the organisation need to promote cultural change through the introduction of a privacy scheme?
· Does the organisation want to have all of its policies concerning privacy and other consumer codes in the one document?
· Does the organisation have sufficient resources to develop and administer a privacy code?
· Could the organisation prepare its own explanatory material on the application of the NPPs in an organisation/industry context without the need to develop a code?
· Is there an existing privacy code that may have been developed by industry that may be suitable for adoption without the need to develop a separate code?
3.3 Options for complaint resolution
The Act provides for a number of options when dealing with complaints under a code. For instance, a code proponent may decide to use the complaint handling procedures established under the Act. This would mean that a complaint about a breach of a code would be dealt with in the same way as a complaint about a breach of the NPPs. Alternatively, the code proponent may decide to have a code with complaint handling procedures. When a code provides for separate complaint handling procedures, an independent adjudicator must be nominated to decide these complaints. Either the Commissioner or some other person or body may be nominated as the independent adjudicator.
A summary of options for complaint resolution is set out in the table below.
| Method of Compliance | Method of Complaint Resolution |
| --- | --- |
| Organisation which intends to comply with the NPPs | Commissioner |
| Code without complaints handling procedure | Commissioner |
| Code with a separate complaint handling procedure | Can ask Commissioner to be the independent adjudicator or can nominate other person or body to be the independent adjudicator |
More information about the requirements of complaint handling procedures under a code is provided in Chapter 5.
3.4 Resource requirements
Organisations need to be aware that to develop and implement a privacy code requires a commitment of resources. Obviously the costs will vary greatly from scheme to scheme. Likely variants are whether or not the scheme establishes its own complaint handling body, the size and nature of the organisation/industry that will be covered by the code and the nature of the code itself.
In developing and implementing a code, resources may need to be allocated to the following matters:
The development of a code
· investigating the need for a code;
· writing and publishing the code;
· seeking legal or professional advice; and
· involving all stakeholders (including consumers) in an effective consultation program.
The implementation of a code
· maintaining a register of members;
· implementing systems and educating and training staff;
· establishing a code administrator to oversee the operation of a code; and
· costing a review of the code.
There are unlikely to be any further costs where an organisation does not wish to develop complaint handling procedures of its own but wishes to rely on the Commissioner investigating code complaints under Part V of the Act, in a similar manner to complaints relating to the NPPs. However, where an organisation wishes to develop its own complaint handling procedures, additional resources will need to be allocated to the following matters:
The development of complaint handling procedures
· investigating the need for complaint handling procedures;
· developing the complaint handling procedures;
· seeking legal or professional advice; and
· consultation with regard to the appointment of an adjudicator.
The implementation of complaint handling procedures
· costing compliance with the prescribed standards, such as the promotion of the scheme in the media or by other means; publishing determinations and reviewing systemic problems and notifying members;
· understanding the increased costs associated with a code administrator administering complaint handling procedures, including the cost of providing reports to the Commissioner on the operation of the procedures;
· establishing and adequately funding an independent code adjudicator;
· providing sufficient funding, support staff and administrative services to be able to carry out independent investigations;
· being aware of costs associated with annual reporting requirements to the Commissioner;
· costing the review of complaint handling procedures; and
· understanding the additional cost of training staff in the operation of the complaint handling procedures.
3.5 Getting help
The Office is able to provide some assistance to organisations that are considering or are in the process of developing a code, although these guidelines will be the first source of assistance.
The Office is also able to provide some support to steering committees or related groups through privacy introduction workshops or presentations early in the code development process.
The Office may be able to provide a contact officer from its policy section to provide general (non-legal) advice to code development steering committees and to assist them to resolve any difficult privacy issues. Depending on the complexity of the issue, the advice would be given by telephone, email or in some cases in writing. Any advice provided by the contact officer will be given with the understanding that the advice provided is a "good practice" view of the issue and not approval of the practice. Approval of a practice is the responsibility of the Commissioner through the code approval process. However, the contact officer is able to offer comment and recommendations on the draft of the code (that is, the draft before it is released for public comment) on a "without prejudice" basis.
To ensure that there is no potential conflict of interest between providing advice and the formal approval of a code by the Commissioner, the Office is not available to participate as a full-time or part-time member or observer in any private sector code development committee.
3.6 The Australian Competition and Consumer Commission (ACCC)
In drafting a privacy code organisations should be careful to ensure that it does not breach the Trade Practices Act 1974 (the TPA). The TPA prohibits various forms of anti-competitive conduct including:
· contracts, arrangements or understandings that have the purpose or effect of substantially lessening competition in a market in which a business operates;
· contracts, arrangements or understandings that contain an exclusionary provision. Sometimes referred to as a 'primary boycott', these are agreements between persons in competition with each other which exclude or limit dealings with a particular supplier or customer, or a particular class of suppliers or customers.
The vast majority of privacy codes will not raise issues under the TPA, especially where they impose conditions that are no more onerous than the requirements set down in the NPPs, or where the relevant standards apply to only one organisation. Furthermore, membership of a code on its own would not amount to anti-competitive conduct.
However, concerns may arise if the development and implementation of a privacy code involves an agreement or understanding between competitors to comply with standards that go beyond the legislative requirements of the NPPs and where the purpose or effect is to restrict competition. For example, it may be argued that an industry-wide privacy code, implemented by the relevant industry association, which requires members to invest in expensive computer software which is not necessary to comply with the NPPs, could restrict entry to the relevant industry and lessen competition in breach of the TPA. Another example of where a requirement of this type could potentially be anti-competitive is where the code required competitors not to deal with other competitors who do not have that software.
In cases like this, parties should seek legal advice as to whether the relevant provisions are likely to breach the TPA. If so, consideration should be given to excluding or amending the relevant clauses. Alternatively, parties may consider applying to the Australian Competition and Consumer Commission (ACCC), the body responsible for administering the TPA, for authorisation of the clauses.
Authorisation provides protection from action by the ACCC or any other party for certain potential breaches of the TPA. It will only be granted where the applicant can demonstrate that benefits to the public result from the conduct and that the detriment resulting from the conduct, including any lessening of competition, is outweighed by those benefits.
Authorisation can only be initiated by parties to the conduct, and will be granted only after a public process of assessment.
Further information regarding the TPA and the authorisation process can be obtained from: http://www.accc.gov.au (the ACCC website).
[Flow chart: Overview of co-regulatory privacy scheme]
CHAPTER FOUR - DEVELOPING PRIVACY CODES
Once an organisation has decided to develop a privacy code there are a number of things that will need to be considered further.
Section 18BB of the Act sets out the conditions under which the Commissioner may approve a code. These conditions cover things such as consultation, privacy standards and coverage. In deciding whether to approve a code, section 18BB(4) provides that the Commissioner may consider the matters specified in guidelines issued by the Commissioner under sections 18BF(1)(a) and (c). This chapter sets out the Commissioner's guidelines under these sections and sets out summaries of these guidelines in bold print. There is also a consolidated summary of the guidelines provided at the beginning of the document.
Chapter 5 outlines the requirements that must be met, in accordance with section 18BB(3) of the Act, before the Commissioner will approve a code with complaint handling procedures.
4.1 Consultation on draft codes - section 18BB(2)(f)
One of the key features of the co-regulatory approach to the Act is that industry has the opportunity to benefit from developing privacy codes and handling any complaints associated with the operation of those codes. However, along with this opportunity comes the responsibility of ensuring that codes, which are essentially replacing the legislation, are adequately discussed with the relevant stakeholders.
When government initiates and develops regulation, and industry develops voluntary codes of conduct on other issues, extensive consultation is generally a key element. Privacy codes should not offer less opportunity for the public to comment, and to examine industry led regulation, particularly when the code seeks to replace consumer protection under default legislation. Effective consultation will ensure that codes adequately meet the needs and expectations of both industry and individuals. The credibility and integrity of the co-regulatory approach depends on privacy codes gaining widespread support and acceptance from stakeholders (including consumers).
4.1.1 The consultation process
When formulating a consultation strategy, the Commissioner encourages organisations to have regard to the following matters:
· Identify the main parties or stakeholders that are likely to be affected by, or have an interest in, the proposed code, including consumers.
· Identify the most appropriate technique for seeking the views of affected stakeholders (for example, notices in the media, in-store advertising, establishing focus groups, presentations at industry conferences, and face-to-face discussions with appropriate government agencies and consumer representatives).
· Define a consultation period that ensures stakeholders are given an adequate and real opportunity to comment on the draft code.
· Ensure that the techniques used to seek the views of affected stakeholders do not impose barriers or restrict opportunities for certain groups to respond. For example, stakeholders with disabilities or with limited English language skills may find it difficult using some communication channels or may need different timeframes in order to participate in the consultation process.
· Ensure that a full and proper consideration is given to the comments raised by the affected parties or stakeholders consulted.
· Ensure that comments are considered promptly and, where appropriate, relevant stakeholders are included in any redrafting exercise as part of an ongoing consultation process.
4.1.2 Defining adequate consultation
Section 18BB(2)(f) of the Act states that the Commissioner can only approve a code after being "satisfied that members of the public have been given an adequate opportunity to comment on a draft of the code". The term adequate is a subjective one and therefore will be judged according to varying conditions and circumstances. For example, where an industry is highly specialised and has a distinct clientele it may not be necessary to consult directly with a broad range of interest groups. Instead, adequate consultation in this circumstance may involve consulting only a small number of industry and community representatives who specialise in the field.
However, in each case the Commissioner will need to be satisfied that the code proponent has consulted as many interested parties as is reasonable in the circumstances. Consultation strategies will play an important part in the process of judging adequate consultation. It is important that consultation strategies not put up barriers or restrict opportunities for certain groups to respond. Some members of the community likely to have a legitimate interest in a proposed code may find it difficult to participate in a consultation process. Code proponents should consider the methods they choose to use for consultation and examine them for any potential access problems.
Government agencies may be key stakeholders in relation to proposed codes. Code proponents must take account of the information requirements of industry regulators and other law enforcement agencies, especially where a law of the Commonwealth, or of a State or Territory mandates these requirements. Consulting with regulators and other agencies on proposed codes is a good way for organisations to assess any other legal requirements associated with their information handling practices.
When considering a code for approval, the Commissioner will have particular regard to stakeholder views as to how the proposed code relates to laws and other privacy codes operating in the marketplace.
Furthermore, the Commissioner is unlikely to approve a code unless the code proponent has sought to address any legitimate and reasonable concerns raised by stakeholders after having been given an adequate opportunity to comment. The Act provides for the Commissioner to contact "any person the Commissioner considers appropriate" before deciding to approve a code. This becomes an important step in the consideration process if a code proponent cannot clearly demonstrate that all relevant stakeholders have had an adequate opportunity to comment on a draft of a code. However, relying on the Commissioner to undertake consultation will generally mean that the approval process will be subject to considerable delay.
During consultation, the Commissioner will not act to broker a resolution between the code proponent and stakeholders who have raised legitimate objections. The code proponent is expected to make a reasonable effort to work with stakeholders to resolve issues before a code is submitted for approval. Failure to do so could adversely affect the approval decision.
4.1.3 Additional help
Code proponents who have little experience in consulting stakeholders may need to seek additional help. The two publications listed below may be of assistance in this regard. They are listed only as a source of general advice on consultation and should not be regarded as requirements for consultation in relation to privacy codes. These publications are:
· The Consumer Affairs Division of the Department of the Treasury has issued a paper entitled Getting it Right: Ideas for Consulting Communities. This document describes the three key elements of effective consultation - careful planning, appropriate implementation and responsible outcomes - and provides helpful advice on how to conduct effective public consultation. The document is available from: www.treasury.gov.au/publications (the Consumer Affairs website).
· The Department of Family and Community Services has issued a paper called Inclusive Consultation: A Practical Guide to Involving People with Disabilities. This guide has been developed to provide practical advice on how best to consult people with disabilities. It also offers strategies that are relevant for all consultations in order to cater for the broad needs of the community. This document is available from: http://www.facs.gov.au/disability/ood/consgide.htm (the Department of Family and Community Services website).
Summary of guidelines - consultation
1. In most cases the code proponent will be expected to allow a minimum of six weeks for public consultation where the first day of the consultation period does not start or end on a public holiday or a weekend.
2. To assist the Commissioner in deciding if members of the public have been given an adequate opportunity to comment on a draft of the code, the Commissioner requires code proponents to submit a statement of consultation with the application for code approval. This statement will need to contain the following details:
i) The beginning and ending date that the code was available for public consultation.
ii) The people or groups likely to be affected by the privacy code.
iii) The methods that were employed by the code proponent to consult with these groups.
iv) A list of the individuals or groups who made submissions to the draft code.
v) Where a draft code was changed, the details of these changes.
vi) A summary of any issues raised by individuals or groups that remain unresolved (if any).
vii) The reasons why any feedback was not incorporated into the final document.
viii) A list of organisations likely to adopt the proposed code.
4.2 NPP equivalency requirements - section 18BB(2)(a)
Section 18BB(2)(a) of the Act provides that the Commissioner can approve a privacy code if, and only if, the code incorporates all the NPPs or sets out obligations that, overall, are at least the equivalent of all the obligations set out in the NPPs.
This means that the Act does not limit the drafting of codes to an exact reproduction of the NPPs. Instead it gives organisations the option of modifying the default principles to best suit an organisation's needs. Some examples of how the default principles can be modified in codes include:
· adding to the existing principles in order to raise the standard of privacy protection;
· including industry specific language as a guide to the principles in order to customise the principles to an industry; and/or
· restating the obligations of the NPPs in an alternative way.
However, as stated above, a code that modifies the NPPs in any way must still be at least overall equivalent. When deciding whether a code is overall equivalent, the Commissioner will view the principles outlined in a code as a unified set of guidelines, rather than interpreting each principle narrowly and in isolation. These should complement each other to produce an overall privacy outcome that is equivalent to the outcome provided by the NPPs. Furthermore, when deciding if the obligations are equivalent, the Commissioner will have regard to any guidelines the Commissioner has issued as well as the views of consumers and other stakeholders.
Codes cannot be approved if there is the potential that individuals will have less protection than they would otherwise be afforded under the default principles.
The Commissioner recommends code proponents not refer to the privacy principles set out in a code as "the National Privacy Principles" or "the NPPs". It is important that consumers clearly understand that when an organisation is bound by a code they are no longer bound by the default principles. Alternative references might include: "Privacy Principles", "Clauses", "Provisions", or "Standards". The Commissioner recommends the use of alternative terminology even when the principles set out in a code are an exact reproduction of the NPPs in schedule 3 of the Act. However, it is highly appropriate for codes to state that the privacy principles in the code set out obligations for the organisation that, overall, are at least the equivalent of all the obligations set out in the NPPs.
EXAMPLE 4.1 - Higher obligations
An organisation that collects personal information for a primary purpose only may decide not to use and disclose personal information for a secondary purpose even though the secondary purpose is a related purpose and there is a reasonable expectation (as allowed by NPP 2.1(a)). Instead, they may choose to rely mainly on obtaining consent from the individual before using personal information for a secondary purpose should the need arise. This approach would offer additional protection to the individual, and the removal of this subsection does not detract from any of the organisation's obligations. As such, a code that incorporated only this change would be considered at least equivalent.
EXAMPLE 4.2 - Industry Specific Language and Context
An industry association, which represents organisations that predominantly collect consumer profiling information, may wish to modify NPP 1 in the following way:
1.1 An organisation must not collect personal information (including consumer profiles) unless the information is necessary for one or more of its functions or activities.
The addition of the bracketed words does not detract from the broader definition of personal information. It may, however, help the members understand what is meant by personal information in the context of the industry. Note that the same outcome could have been achieved by the addition of explanatory material to the code which makes it clear to the member organisations that consumer profiling information is personal information.
1. The Act requires codes to incorporate all the NPPs or set out obligations that, overall, are at least the equivalent of all the obligations under the NPPs. In deciding if this condition has been met, the Commissioner requires code proponents to include a statement of claims detailing:
i) how the obligations under the code differ from the obligations under the NPPs;
ii) the rationale for the change to any obligation provided in the NPPs; and
iii) how, in the opinion of the code proponent, the obligations set out in the code are at least the equivalent of all the obligations set out in the NPPs.
4.3 Developing explanatory material
Explanatory material to a code can help to tailor a set of privacy principles to the specific needs of an organisation or industry. It is likely that explanatory material will take the form of practical examples or written statements suggesting ways that certain principles can be practically followed.
4.3.1 Consideration of explanatory material by the Commissioner
If a privacy code does not include complaint handling procedures, the Act provides that the Commissioner will handle any complaints made under the code.
In this situation the complaint handling procedure will be governed by the Act. However, in assessing whether or not a breach of the code has occurred, the Commissioner will consider the standards contained in the code as well as any explanatory material prepared in relation to the code. (The Commissioner will not be bound by any such explanatory material unless it is part of an approved code.) In situations where no explanatory material of relevance has been prepared, any appropriate guidelines issued by the Commissioner (for example, the NPP Guidelines) may be useful as a guide for interpreting the code.
4.3.2 Consideration of explanatory material by the code adjudicator
Where a code is to include complaint handling procedures the Act provides that an independent code adjudicator must be appointed to handle complaints. A code proponent may wish to develop materials that will help the code adjudicator to more effectively handle complaints. In some cases the NPP Guidelines may be used for this purpose but it is possible for an organisation to develop industry/organisation specific explanatory material.
In this situation the complaints handling procedure will be governed by the code (not the Act), and the independent code adjudicator must have regard to the standards contained in the code. The adjudicator may also have regard to any related explanatory material. However, the adjudicator will not be bound by the explanatory material unless it is part of the approved code. The flow chart at the end of Chapter 3 includes an outline of further review processes.
Summary of guidelines - explanatory material
1. The Commissioner considers it appropriate for code proponents submitting an application for code approval to include any explanatory material that has been prepared in relation to a code.
4.4 Coverage specifications - section 18BB(2)(b) and section 18BB(2)(d)
Section 18BB(2)(b) of the Act requires that before the Commissioner can approve a code, the code must either:
· specify the organisations bound by the code; or
· provide a way of determining the organisations that are, or will be, bound by the code.
Allowing individuals and other stakeholders to readily determine those organisations bound by a code is essential to the operation of the co-regulatory regime. It must be clear to the Commissioner, other regulators and individuals, which organisations (or parts/activities of organisations) are bound by a code at any given time. Therefore, one of the obligations of a code administrator will be to maintain a clear, accurate and up to date record of code members that is easily accessible.
A code administrator is a body established to oversee the running and operation of the code and, where applicable, the separate complaint handling procedures. It is envisaged that code administrators will take responsibility for administrative matters in relation to a code, including the maintenance of an accessible record of code members and receiving complaints about the operation of the code.
Section 18BG of the Act requires the Commissioner to keep a register of approved privacy codes, which must be made available to the public. The Act also gives the Commissioner discretion in determining how this register is to be kept and the Commissioner has determined that a register using the World Wide Web is the most effective option in most instances.
The register is to take the form of a page on the Commissioner's website with appropriate links to a web page established, maintained and kept up to date by each code administrator. The code administrator's website is to list all current code members or note that this list is embedded in the code itself. The code administrator's web page will also link directly to the code and to: www.privacy.gov.au (the Commissioner's homepage).
If the code is intended to cover an organisation that is the parent company of a number of subsidiary organisations, and it is intended that each of the subsidiary organisations are to be bound by the code, then the names of all subsidiary organisations are to be included in the record of code members.
The Commissioner also advises organisations (or their code administrator) to devise ways to make membership information readily available to individuals who do not have access to the Internet. This could be in the form of a printed version of the list/web page, which is made available to individuals on request.
Organisations or industries that would prefer not to maintain an online record of members would need to convince the Commissioner that individuals would not be unreasonably disadvantaged by an alternative system. In each case the record of members would need to be well maintained and up to date.
The Commissioner considers that failure to maintain an up to date record of members would constitute a prima facie reason to revoke a code.
It is possible that several privacy codes will operate within a particular industry or sector, or that a single organisation will be bound by more than one privacy code at any given time. The existence of multiple codes may not lead to an overall satisfactory outcome for business and consumers. Therefore, before approving a code the Commissioner will need to be satisfied that, among other things, the code does not create consumer confusion about privacy protection. An important way to alleviate consumer confusion will be to actively maintain and publicise a record of members and the activities the code is intended to cover.
If an organisation states that it complies with an approved privacy code but is not registered in some way with the code administrator, then under the Act, the organisation is not bound by the code. Such organisations should also consider the implications of this behaviour in terms of other legal requirements, including the Trade Practices Act 1974 (Cth).
The Act provides that organisations to which the Act applies, but that are not found to be registered with an approved code, will be covered by the default principles under the Act.
Summary of guidelines - coverage
1. In most cases the Commissioner will expect codes to make provision for the establishment and appropriate funding of a code administrator.
2. To ensure the legislative requirements are met in relation to the coverage of the code, the Commissioner requires the code to provide for the maintenance of an accurate, up to date and easily accessible record of code members. The Commissioner also requires the application to include a statement as to how this record will be maintained. Where the proposed approach does not include an online record of members with links to the Commissioner's website, the Commissioner will ordinarily expect the application to state how individuals will not be unreasonably disadvantaged by the proposed alternative system.
4.5 Voluntary membership - section 18BB(2)(c)
The Commissioner can only approve a privacy code when being bound by the code is a voluntary act of an organisation, that is, when it is not compulsory for any organisation to be bound. This requirement is set out in the Act to ensure that the flexible approach embodied in the co-regulatory regime is supported.
It is important to note that, in most cases, the Commissioner will still consider a code to be voluntary when an industry association makes compliance with the code a condition of membership. However, industry associations that represent organisations for which membership of the association is required by law (for example, professional accreditation bodies) will need to take particular care that any proposed privacy code does not become a requirement of membership. This will also be an issue for organisations that are required by law to be bound by a code of conduct that regulates other industry practices and into which the proposed privacy code is to be incorporated.
Organisations that choose not to be bound by a code will by default be bound by the NPPs established by the Act.
EXAMPLE 4.3
A Government regulator requires, as a condition of licensing, an organisation to be bound by an industry code of conduct that regulates one aspect of its operations. The industry body is seeking to incorporate the National Privacy Principles into this code of conduct as a way of streamlining its complaint handling processes. In this situation the Commissioner could not approve the proposed code as the code would appear to bind all members of a particular industry. In this situation the best solution may be for the industry body to allow the privacy elements of the proposed code to be optional for its member organisations.
Summary of guidelines - voluntary membership
1. In order to be satisfied that the code is voluntary, the Commissioner will require organisations submitting an application for code approval to include a statement as to how they will ensure that agreeing to be bound by a code requires a voluntary act of an organisation. Ordinarily, it is expected that any such statement will also highlight the procedures by which an organisation can opt in and out of the code.
4.6 Code reviews
The Commissioner considers that periodic, independent reviews of a code and its operations are essential to the success of the co-regulatory regime. Such a requirement helps ensure that the code is meeting all the proposed objectives and remains relevant and up to date in a changing marketplace.
The Commissioner encourages the code administrator to notify the Office in advance of a review and provide the Commissioner with an opportunity to comment on the operation of a code. The Commissioner also encourages the review process to include and take account of the views of other government agencies, consumers and relevant stakeholders.
The Commissioner encourages the code administrator to produce a written response to the independent report based on the review and for both reports to be released for public comment.
If the Commissioner becomes aware that an independent review has not occurred after the period indicated at the time of code approval, the option of revoking the code may be considered.
Summary of guidelines - code review
1. Ordinarily, the Commissioner expects codes to:
i) include a process for independent review - to occur at least once every three years;
ii) include a stated commitment to allocate sufficient resources to the review of the code; and
iii) require the code administrator to produce a response to the independent review report and to submit this response to the Commissioner, along with the review report, within 30 days of the review report being finalised.
4.7 Codes with limited lives - section 18BB(6)
Section 18BB(6) of the Act allows for the Commissioner to approve a privacy code that is intended to operate for a limited period of time, or that will expire in certain circumstances. If an organisation intends to submit a limited life code, efforts will need to be focused on averting any consumer confusion that might be associated with the limitation. The Commissioner considers it important for such codes to clearly illustrate:
· the period during which the code will operate; or
· the circumstances in which the code will cease to operate.
Where there is a limited life code it is unlikely that consumers will be in a position to clearly understand the time limitation if, for example, the only mention of a cessation date is that which is printed in the code document itself. The Commissioner expects that code adjudicators will take reasonable steps to communicate the limitation to individuals in other ways, particularly in the lead up to the cessation date.
When a code is set to expire in certain circumstances, there is even more likelihood that consumers will be unsure of the limitation. Therefore, the Commissioner expects the circumstances leading to cessation of the code to be made very clear in order to avoid any disputes at a later time about whether or not the conditions for cessation have been met. If the circumstances cannot be clearly articulated, the code may not be approved as a limited life code. An alternative approach would be for an organisation to apply to have the code revoked at a later stage should circumstances for cessation arise. (See Chapter 7 on Revocation of a code).
Summary of guidelines - limited life codes
1. Where codes are to have a limited life, the Commissioner expects the code to clearly articulate when or under what circumstances it is to terminate.
2. Ordinarily, the Commissioner expects limited life codes to include arrangements for how the cessation will be communicated to consumers and to pre-establish procedures for termination.
4.8 Codes with limited coverage - section 18BB(7)
Section 18BB(7) of the Act provides for the Commissioner to approve a code that covers only certain operations of an organisation. For example, a code can apply to:
· a specified type of personal information;
· a specified activity or class of activities; or
· a specified industry sector and/or profession.
If an organisation proposes a code to cover only certain aspects of its operations, then stakeholders affected by the code will expect to understand clearly what operations are covered by the code and what operations are bound by the default principles. The key here is avoiding any type of consumer confusion as to what is covered by a code. Therefore, depending on the nature of the proposal it may be appropriate for the code administrator to implement additional (or more directed) measures to advertise the existence of the code to consumers and clearly explain the circumstances of the code's operations.
Summary of guidelines - limited coverage
1. The Commissioner expects codes with limited coverage to clearly articulate what type of personal information, activity and/or profession the code is to cover.
4.9 Drafting to a professional standard
An approved privacy code will replace the default privacy principles in the Act, meaning that the code will be binding on its signatory members as though it were a piece of legislation. It is therefore very important that a code is carefully drafted to an appropriate legal standard, especially if the code modifies the existing principles or includes a complaint handling mechanism.
It will help with consultation and enforcement processes if each paragraph is numbered.
If the code is written using plain English techniques in language that is unambiguous and clear, then individuals and organisations will be in a better position to understand their rights and obligations.
Industry specific language or jargon may stop some consumers from fully understanding their rights under a code. The Commissioner wishes to discourage the use of jargon unless such words are readily understood by all stakeholders or the code includes a list of definitions that clearly explain industry terms.
If an organisation does not have expertise in drafting codes, it may be useful to enlist outside experts.
Summary of guidelines - code drafting
1. The Commissioner expects codes to be written to a professional standard using language that is clear and easy for individuals to understand.
4.10 Openness and code promotion as best practice
Most organisations are likely to want to actively promote their codes. The Commissioner encourages promotion of a code as a "good practice" way of ensuring that individuals are aware that an organisation is bound by a code. A commitment to code promotion is also likely to help eliminate any consumer confusion with regard to privacy protection and the coverage of a code.
Where a code makes provision for complaints handling procedures, the prescribed standards, in fact, require code administrators to promote the existence of a code in the media or by other means.
Under the default principles in the Act, NPP5 requires organisations to set out in a document their clearly expressed policies on management of personal information. This includes information about whether the organisation is bound by an approved code or the NPPs. The organisation must also make this document available to anyone who asks for it.
In meeting the equivalency requirements of the Act (refer to 4.2 above), codes will need to make provision for similar information disclosure.
The Commissioner considers it reasonable that any openness principles set out in a code will require code members to provide a copy of the code and any relevant explanatory material on request.
Summary of guidelines - openness and code promotion
1. The Commissioner expects codes to require code members to make available a copy of the code and any relevant explanatory material on request.
CHAPTER FIVE - COMPLAINT HANDLING PROCEDURES
A code proponent may rely on the Commissioner to deal with complaints under an approved code using the general complaint investigation powers outlined in Part V of the Act. These would be dealt with in the same way as a complaint relating to the NPPs. Alternatively, a code proponent may develop separate complaint handling procedures for the making and dealing with complaints. This chapter details some of the reasons why a code proponent may wish to have separate complaint handling procedures and the requirements that must be met under the Act before the Commissioner is able to approve such procedures. These requirements are:
· that the matters set out in paragraphs (b) to (l) of section 18BB(3) of the Act are complied with;
· that the complaint handling procedures comply with the prescribed standards issued by the Minister - section 18BB(3)(a)(i); and
· that the complaint handling procedures comply with the guidelines issued by the Commissioner under section 18BF(1)(b) - section 18BB(3)(a)(ii).
5.1 Complaint handling procedures under Part V
Under section 36, an individual may complain to the Commissioner about an act or practice that may interfere with the privacy of the individual. In relation to private sector organisations, the complaint may relate to an alleged breach of the NPPs or an alleged breach of an approved code, where a code does not have complaint handling procedures. The complaint may also relate to a contracted service provider contracted with a Commonwealth agency to provide services under section 95B.
In addition to these matters, the Commissioner has separate jurisdiction over private sector organisations to handle complaints relating to Consumer Credit Information (Part IIIA), Tax File Number Information (Part III Division 4 and Tax File Number Guidelines) and Spent Conviction Information (Part VIIC of the Crimes Act 1914).
Where the Commissioner receives a complaint, the Commissioner is obliged to investigate the matter under section 40(1)(b). However, section 40(1A) provides that the Commissioner must not investigate the matter if the complainant has not complained to the respondent before making the complaint to the Commissioner, unless the Commissioner considers that it was not appropriate for the complainant to complain to the respondent. This is to ensure that the respondent is given an opportunity to resolve the matter without the intervention of the Commissioner. Section 41 also permits the Commissioner in certain limited circumstances to decide not to investigate the matter. Section 42 permits the Commissioner to make preliminary enquiries with the respondent prior to conducting an investigation of the complaint to assist the Commissioner in exercising the powers under section 41.
Where the Commissioner considers it appropriate to investigate the complaint, section 43 provides some powers and restrictions on the way investigations will be conducted. Sections 44 and 45 also provide the Commissioner with wide powers to obtain information and documents relevant to the investigation and to examine witnesses. Where the Commissioner forms the view that a credit reporting offence or tax file number offence may have been committed, section 49 requires the Commissioner to cease the investigation and refer the matter to the Police or Director of Public Prosecutions for appropriate action. Generally speaking, the Commissioner attempts to resolve complaints by means of mutually satisfactory agreement between the parties. If such an agreement cannot be reached, the matter will be decided under section 41 of the Act. If necessary, the Commissioner may make a determination under section 52.
5.2 Reasons for complaint handling procedures
A code proponent may wish to have a code with complaint handling procedures for the following reasons:
· it may give an organisation a sense of ownership in the dispute resolution;
· there may be an existing dispute resolution system operating in an organisation/industry that can operate as a "one-stop-shop" for customers seeking redress;
· an organisation may be able to build and maintain strong relationships with its customers if it is successfully able to address customers' concerns, including concerns about information privacy;
· the details of any complaints resolved under the separate complaint handling procedures (after having been edited to remove any information identifying the parties) could be circulated to all code members to assist them in understanding how customers expect their personal information to be handled. This would allow the development of best practice for the sector covered by the code and may also assist code members by allowing them to learn from the experiences of others.
5.3 Requirements for complaint handling procedures - section 18BB(3)(b) to (l)
Where there are separate complaint handling procedures, section 18BB(3)(b) requires there to be also an independent adjudicator to determine complaints made under the code. A code proponent may either request the Commissioner to be the independent adjudicator or may decide to have some other person or body perform this function, provided such a person or body satisfies the prescribed standards and other requirements under the Act. However, where a code proponent decides to have some other person or body as the independent adjudicator, the Commissioner is not involved in the merits of the particular appointment. The role of the Commissioner under section 18BB(3) is only to be satisfied that the code complies with the prescribed standards and guidelines in relation to the process of appointment.
As part of the process of approving a code, section 18BB(3)(c) requires the Commissioner to be satisfied that the code provides that adjudicators will have due regard for important human rights and social interests which compete with privacy, such as the general desirability of the free flow of information to the Australian public through the media. This requirement is consistent with the obligation imposed on the Commissioner under section 29(a). Similarly, section 18BB(3)(d) provides that the determinations, findings, declarations, orders and directions that the adjudicator may make under the code after investigating a complaint are the same as those that the Commissioner may make under section 52 after investigating a complaint under the Act.
The Commissioner must also be satisfied that the code obliges organisations not to repeat or continue conduct that the adjudicator has declared constitutes an interference with the privacy of the complainant; and that the organisation complies with any declaration made by the adjudicator to redress loss or damage suffered by the complainant. Further, the code must also provide for certain reports on the operation of the code to be made and provided to the Commissioner and members of the public on request - see sections 18BB(3)(e) to (l).
5.4 Code adjudicator decisions
Section 18BI(1) provides that an individual who is not satisfied with a determination by a code adjudicator may request the Commissioner to review the determination, except where the Commissioner is the code adjudicator.
A review by the Commissioner of a code adjudicator's determination is treated in the same way as a complaint received by the Commissioner under Part V of the Act - that is, in accordance with the general complaint investigation powers. The review may involve either a fresh investigation of the complaint or it may only be necessary for the Commissioner to reconsider the decision, if the Commissioner is satisfied that all the relevant issues have been investigated and all the material has been obtained.
5.5 Determinations enforced in Federal Court
A determination made by an independent code adjudicator, or a determination made by the Commissioner in reviewing a decision made by a code adjudicator under section 18BI(1), is enforceable in the Federal Court or the Federal Magistrates Service in a similar manner to determinations made by the Commissioner in relation to breaches of the NPPs. To enforce a determination, the court will conduct a fresh hearing to ascertain if the respondent has breached the Act or an approved code and, if so, will consider making appropriate orders. However, a respondent does not have standing under the Act to commence enforcement proceedings as a means of instituting a review of a finding that the Act or an approved code has been breached.
5.6 Review of determinations in Federal Court
A person dissatisfied with the determination of the Commissioner under Part V of the Act may seek a review of that determination in the Federal Court under section 5 of the Administrative Decisions (Judicial Review) Act 1977 (Cth). However, it would be limited to a review of process-based issues, such as a breach of natural justice, lack of jurisdiction or error of law. The review would not deal with the merits of the decision itself.
A flow chart has been provided at the end of this chapter illustrating the options for dealing with a complaint under an approved code.
5.7 Prescribed standards for complaint handling procedures - section 18BB(3)(a)(i)
For reasons of consistency, the complaint handling procedures under a code must adhere to many of the same principles with which the Commissioner is required to comply when handling complaints under the Act. For instance, both sets of procedures must be readily accessible and simple for individuals to understand without the need for legal representation. Also, as many individuals may have little experience in dealing with such matters, it is essential that the process be structured in such a way that gives individuals confidence in the way their complaint is handled. To ensure this outcome, section 18BB(3)(a)(i) requires the Commissioner to be satisfied that the complaint handling procedures under a code meet the prescribed standards issued by the Minister. The prescribed standards address in detail ways to ensure compliance with the following principles:
Accessibility: The scheme makes itself readily available to customers by promoting knowledge of its existence, being easy to use and having no cost barriers.
Independence: The decision-making process and administration of the scheme are independent from scheme members.
Fairness: The scheme produces decisions which are fair and seen to be fair by observing the principle of procedural fairness, by making decisions on the information before it and by specific criteria upon which its decisions are based.
Accountability: The scheme publicly accounts for its operation by publishing its determination and information about complaints and highlighting any systemic industry problems.
Efficiency: The scheme operates efficiently by keeping track of complaints, ensuring complaints are dealt with by the appropriate process or forum and regularly reviewing its performance.
Effectiveness: The scheme is effective by having appropriate and comprehensive terms of reference and periodic independent reviews of its performance.
The Minister has prescribed these standards in a regulation made under the Act. A copy of the prescribed standards is provided at Appendix A.
5.8 Commissioner's guidelines for complaint handling procedures - section 18BB(3)(a)(ii)
In addition to the prescribed standards, the Commissioner has issued guidelines relating to the making and dealing with complaints in accordance with section 18BF(1)(b). These guidelines are intended to supplement the prescribed standards and to provide specific guidance in relation to the matters outlined in section 18BB. Before approving a code, section 18BB(3)(a)(ii) requires the Commissioner to be satisfied that the complaint handling procedures comply with these guidelines. These guidelines are detailed below together with an appropriate explanation.
5.8.1 Representative complaints
Section 38 allows a representative complaint to be lodged with the Commissioner for investigation. This allows the Commissioner to undertake a single investigation involving a number of people who may have complaints against the same person in respect of, or arising out of, the same, similar or related circumstances; and where all the complaints give rise to substantial common issues of law or fact. The purpose of this guideline is to ensure that representative complaints can be lodged where a code includes complaint handling procedures.
Summary of guidelines - representative complaints
1. A code must provide a procedure for accepting, investigating and making a decision on a representative complaint.
5.8.2 Respondent complaint resolution
Before attempting to determine a complaint, the code adjudicator should first be satisfied that an attempt was made by the complainant and the respondent to resolve the matter. Under existing jurisdiction, the Commissioner takes the view that it is reasonable for a respondent to have 60 days in which to deal with an individual's complaint before the Commissioner considers investigating the matter. The Commissioner considers that code adjudicators should have a similar discretion.
If the complainant complains to the code member directly and does not receive a reply or is not satisfied with the response, the code adjudicator must proceed to determine the complaint.
Summary of guidelines - Attempt to resolve complaint directly with respondent
1. A code must provide that, before a code adjudicator determines a complaint, the adjudicator must be satisfied that the complainant has first complained to the respondent before making the complaint to the adjudicator but that either:
i) the complaint has not been resolved to the satisfaction of the complainant; or
ii) the respondent has not responded to the complainant within 60 days from the date that the complaint was lodged with the respondent.
5.8.3 Referral to the Commissioner
Section 40(1B) permits a code adjudicator to refer a complaint that would normally be investigated by the code adjudicator to the Commissioner for determination. However, the Commissioner is not obliged to accept such complaints and, generally, takes the view that where an approved code provides for complaint handling procedures, the code adjudicator is to deal with all complaints received except in a limited range of circumstances.
The Commissioner has specific jurisdiction over private sector organisations in respect to the handling of Consumer Credit Information (Part IIIA), Tax File Number Information (Part III Division 4 and the Tax File Number Guidelines) and Spent Conviction Information (Part VIIC of the Crimes Act 1914). However, it is possible that a complaint may comprise a code compliance issue and an issue concerning one of these specific areas of jurisdiction. In these circumstances, as an independent adjudicator is unable to determine a complaint relating to such matters, the Commissioner requires a code to provide that the independent adjudicator is to refer the complaint to the Commissioner.
The situation may also arise where a respondent to a complaint is not a subscriber to the code and the code adjudicator is unable to identify another approved code under which the complaint could be more appropriately handled. Again, in these circumstances, the Commissioner requires the code to provide that the code adjudicator is to refer the complaint to the Commissioner for determination.
Similarly, where there would be a conflict of interest if the code adjudicator made a decision on the complaint, the Commissioner requires that the code provide that the code adjudicator is to refer the complaint to the Commissioner for determination.
Summary of guidelines - referral to the Commissioner
1. A code must provide that an adjudicator is to refer a complaint to the Commissioner in accordance with section 40(1B) where:
i) the complaint includes a matter that relates to Consumer Credit information - Part IIIA; Tax File Number information - Part III, Division 4 and the Tax File Number Guidelines; or Spent Conviction information - Part VIIC of the Crimes Act 1914;
ii) the respondent to the complaint is not a subscriber to the code under which the code adjudicator makes decisions on complaints and the code adjudicator is unable to identify another approved code under which the complaint could be more appropriately handled; or
iii) there would be a conflict of interest if the code adjudicator made a decision on the complaint.
NOTE: Where a complaint relates to an organisation that is carrying out functions or services that involve the handling of personal information under a contract with a Commonwealth agency, section 40A of the Act requires the adjudicator to refer the matter to the Commissioner for determination. The Commissioner must accept the complaint and investigate the matter as if the complaint had been made to the Commissioner under section 36.
5.8.4 Referral to another code adjudicator
A code adjudicator may also refer a complaint to another code adjudicator if the jurisdiction of another code is considered more appropriate in its application or provides remedies more appropriate to the circumstances of the complaint. However, before referring a complaint, the code adjudicator is to inform the complainant of the reasons for the proposed referral and to obtain the agreement of the complainant to the referral. The code adjudicator is also to consult with the alternate adjudicator to whom it is proposed to refer the complaint.
Summary of guidelines - referral to another adjudicator
1. A code is only to allow an adjudicator to refer a complaint to another code adjudicator if the first-mentioned code adjudicator considers that another code is more appropriate in its application or provides remedies more appropriate to the circumstances of the complaint. However, before referring a complaint to another code adjudicator, the first-mentioned code adjudicator must:
i) consult with the other code adjudicator about whether the complaint would be more appropriately determined by that code adjudicator; and
ii) advise the complainant of the reasons for the proposed referral and obtain the agreement of the complainant to such a referral.
5.8.5 Reporting requirements for complaint handling procedures
To ensure that the Australian public maintains confidence in the co-regulatory privacy model, it is vital that information on the effectiveness of complaint handling procedures under approved codes is made readily available. To ensure this, section 97(2A) requires the Commissioner to include in the Commissioner's annual report to the Minister a statement about the operation of approved codes that contain complaints handling procedures. The statement is to include details about the action taken by adjudicators to monitor compliance with codes and details about the number, nature and outcome of complaints made under codes.
Although the Commissioner is able to gain some insight into the effectiveness of complaint handling processes under approved codes by way of the decisions that are submitted for review, the most comprehensive way in which the Commissioner is able to assess the effectiveness of these processes is from the reports that must be provided to the Commissioner in accordance with section 18BB(3)(h) to (l).
Confidence in the complaint handling process under a particular code may be placed at risk if proper reporting to the Commissioner does not occur. Therefore, if these reports are not provided or they indicate inconsistencies with other similar schemes or there appear to be anomalies in the statistics, the Commissioner may decide to review the code, in accordance with section 18BH. If the Commissioner is of the opinion, after conducting such a review, that the complaint handling procedures under a code are flawed, the Commissioner may proceed to revoke the code. (More information on the procedures for revoking a code is available in Chapter 7).
Summary of guidelines - reporting to the Privacy Commissioner
1. In accordance with section 18BB(3)(h), the code must provide that the report on the operation of the code is to be provided to the Commissioner in an electronic format as specified, from time to time, by the Commissioner and using a template issued annually by the Commissioner.
2. In accordance with section 18BB(3)(i), the code must provide that the report to the Commissioner on the operation of the code for a given financial year is to be provided to the Commissioner within two months of the end of the financial year.
3. In addition to the matters set out in section 18BB(3)(k), the code must provide that the report to the Commissioner on the number and nature of complaints made to an adjudicator under the code during the relevant financial year is to include:
i) the number of complaints received during each calendar month;
ii) the geographical source of complaints by State or Territory of Australia;
iii) the nature of the complaint by reference to the relevant provisions of the code;
iv) the number of complaints that were resolved to the satisfaction of both parties without proceeding to a determination;
v) the number of complaints received during the financial year that were referred to another code adjudicator or to the Commissioner for determination and the reasons for the referral;
vi) the number of enquiries that the code adjudicator received during the financial year, set out in categories agreed to in consultation with the Commissioner during the process of approving the code;
vii) the number of unresolved complaints as at the end of the financial year and the status of those complaints categorised as follows:
(a) no action taken yet;
(b) seeking clarification of facts/issues;
(c) awaiting outcome of related proceedings;
(d) awaiting response from respondent;
(e) awaiting comment from complainant on response; and
(f) settlement under negotiation;
viii) the number of complaints received during the financial year that have been referred by the adjudicator to the code member to attempt to resolve the matter directly with the complainant;
ix) the number of complaints that were resubmitted to the code adjudicator following an unsuccessful attempt by the code member to resolve the matter with the complainant;
x) any systemic problems arising from complaints;
xi) examples of representative case studies;
xii) information about how the scheme ensures equitable access;
xiii) a list of code members, together with any changes to the list during the year;
xiv) the names of any code members that do not meet their obligations as members of the code; and
xv) information about new developments or key areas in which policy or education initiatives are required.
4. In addition to the matters referred to in section 18BB(3)(ka), the code must provide that the report is to include the time taken to finally deal with each complaint during the relevant financial year.
[Flow chart: Complaint handling procedures under an approved code]
CHAPTER SIX - APPROVAL APPLICATIONS
This chapter is designed to help direct organisations wanting to submit a code to the Commissioner for approval under the Act. It will also provide a summary of what can be expected during the consideration process.
6.1 The application
An application for approval of a privacy code should be made in writing or by email and must be accompanied by supporting documentation. There is no formal application form to complete. However, the application document should set out the following:
· a request from the organisation for the Commissioner to consider the code for approval;
· the preferred title of the code;
· the name of the organisation that is applying for code approval and the name of the organisation that will be the code administrator; and
· a contact name, address, telephone number and, where available, email address of an officer in the organisation who is best qualified to assist the Office with any additional matters relating to the approval process and the proposed operation of the code.
Attached to this application should be those items listed in the checklist at Appendix B.
The application should be forwarded to:
Office of the Federal Privacy Commissioner GPO Box 5218 Sydney NSW 1042
Or delivered to: Level 8, 133 Castlereagh Street, Sydney, 2000
Or by email to: codes@privacy.gov.au
Please note that if a code is submitted for approval via email, the transaction may not be secure. Due care will be needed to protect any confidential or personal information accompanying the application.
6.2 Timeframes
Upon receiving an application to approve a privacy code from an organisation, the Office will send an acknowledgement letter to the code proponent within seven (7) days.
Timeframes for assessing a code application will vary depending on a number of factors. These may include:
· the complexity of the code - for example, if the code is substantially a copy of the NPPs, equivalency will be relatively easy to determine. However, if principles are substantially rewritten, determining equivalency may be more difficult and time consuming;
· the comprehensiveness of the public consultation process undertaken by the organisation - if the Commissioner is not satisfied that members of the public have been given an adequate opportunity to comment on the draft of the code, then the Commissioner will undertake additional consultation. Given the limited resources of the Office, this additional step may delay the code approval process;
· whether all documentation has been provided to the Office at the time the code is submitted for approval; and
· the number of codes the Commissioner has to assess at any one time.
As a general rule, the Office intends to assess proposed codes within two months of receiving an application.
6.3 Notification
The Commissioner's approval for a code will be made to the code proponent in writing. The approval will include the date when approval is to take effect, which will not be before the day on which approval is given.
If the Commissioner has made a decision not to approve a code, the code proponent will be notified in writing. Notification will include:
· the date that the decision was made;
· the reasons that the code was not approved;
· the steps (if any) that the Commissioner recommends the code proponent take before the code should be resubmitted for approval; and
· any avenues of appeal that may be available to the code proponent.
6.4 Register
Section 18BG of the Act requires the Commissioner to keep a register of approved codes. When a code is approved, the title, the name of the code administrator and contact details are included on the Commissioner's register of approved privacy codes. The register is available in an up-to-date format at: www.privacy.gov.au (the Commissioner's website).
There are requirements for code administrators in relation to the maintenance of this register. For more information refer to Chapter 4.4.
CHAPTER SEVEN - PRIVACY CODE VARIATIONS
This chapter explains the procedures for amending or terminating a code and outlines the conditions under which the Commissioner can revoke a code approval.
7.1 Amendments to a code
Section 18BD allows an organisation to apply in writing to the Commissioner for approval for a variation to an approved privacy code. Such an application is to include a copy of the amended code.
In deciding whether to approve the variation, the Act requires the Commissioner to consider all the matters that the Commissioner would consider in deciding whether to approve such a code. However, if the amendment is minor in nature, the Commissioner can choose to waive the organisation's obligation to consult with members of the public. If the Commissioner chooses this option, it is likely that the Commissioner will undertake some direct consultation with appropriate consumer and stakeholder representatives.
If the proposed amendment is considered to be a major amendment (that is, it is likely to have a significant effect on the operations embodied in the code or is likely to have a measurable impact on a group of individuals), the Commissioner will have regard to those matters in Chapter 4, including that adequate consultation was conducted on the proposed change.
7.2 Revoking a code
Under section 18BE, the Commissioner has the power to revoke an approved privacy code. Revocation can occur at the discretion of the Commissioner or on request of the code administrator.
The following are some likely triggers that would lead the Commissioner to consider revoking a code:
· If after approving a privacy code, the Commissioner is satisfied that approval was given on the basis of information that was false or misleading.
· The circumstances under which approval was granted have changed (for example, legislative controls, technology, government policy, community attitudes etc) resulting in a measurable effect on the privacy protection of individuals.
· The Commissioner is satisfied that the code administrator has not met all the conditions of the code approval.
· It becomes apparent that decisions made by a code adjudication body are consistently (or systematically) being overturned on appeal to the Commissioner.
· If a review of the code by the Commissioner shows the operation of the code to be inadequate and efforts to help the code administrator have not resulted in acceptable improvements.
Where the Commissioner is alerted to any of these matters, the Commissioner will first consult with code administrators and/or relevant organisations in an attempt to resolve the matter without proceeding to revoke the code.
However, if the Commissioner's concerns are not adequately addressed, a review of the code's content and operation will be conducted. The review will include a consultation process involving the Office, the code administrator and key stakeholders. The aim of the review will be to define clearly any weaknesses in a code or its operation and to reach a consensus on how these weaknesses can be rectified.
If consensus cannot be reached the Commissioner may begin procedures for revocation. The procedures will be:
1. A revocation plan will be drawn up with appropriate stakeholder input. The plan will consider things such as the timing of the revocation, appropriate ways to inform the general public and the handling of any outstanding complaints.
2. The Commissioner will advise the general public of the intention to revoke and will outline the timeframe and circumstances for doing so.
3. A formal notice of revocation will be issued to the code administrator.
In each case the Commissioner will consider ways to best advise the general public on the planned revocation. If a code is to be revoked on the request of the code administrator, one option may be for the code administrator to conduct a public education campaign informing consumers of the intent to have the code revoked and the effects this is likely to have on the protection of their personal information.
7.3 Revoking complaint handling procedures
If the Commissioner forms the view that the complaint handling process under a code is seriously flawed and the code administrator does not submit a code with appropriate variations for approval to address these problems, the Commissioner's only option is to revoke the code in full in accordance with the revocation process set out in section 18BE. This is because the Commissioner is unable to revoke only part of a code and leave the remainder intact; nor is the Commissioner able to vary a code under section 18BD of his own volition so as to sever only the complaint handling process from the approved code.
If the Commissioner forms the view that a complaint handling process under an approved code may not subsequently comply with the prescribed standards, the Commissioner may review the operation of the code and may proceed to revoke the code, unless the code administrator proposes a suitable variation to the code.
APPENDIX A
Section 18BB(3) of the Privacy Act says that before a code that has procedures for making and dealing with complaints can be approved, the Commissioner must be satisfied that the procedures meet the prescribed standards. These standards are contained in the Privacy (Private Sector) Regulations 2001. A copy of the regulations is available at: SCALEplus website
Full version of Appendix A to be inserted soon.
APPENDIX B
Checklist
Before submitting a code for approval please ensure that the following documentation has been included with the application:
° Printed copy of the code in its final version
° Electronic copy of the code in its final version
° A letter of application (see Chapter 6.1)
° A statement of consultation (see Chapter 4.1)
° A statement of equivalency (see Chapter 4.2)
° A copy of any explanatory material that has been prepared (at the time of application) in relation to a code
° A statement as to how the record of code members will be maintained with appropriate links to the Office (see Chapter 4.4)
° A statement explaining the voluntary nature of belonging to a code if this is not spelt out in the code itself (see Chapter 4.5)
The application should be forwarded to:
Office of the Federal Privacy Commissioner GPO Box 5218 Sydney NSW 1042
Or delivered to: level 8, 133 Castlereagh Street, Sydney, 2000
Or by email to: codes@privacy.gov.au




