Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not-for-profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site; consequently, some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
Information Sheet (Private Sector) 11 - 2001: Privacy Codes
New private sector provisions in the Privacy Act 1988 (Cth) (the Privacy Act) regulate the way private sector organisations collect, use, keep secure and disclose personal information. The private sector provisions aim to give people greater control over the way information about them is handled in the private sector by requiring organisations to comply with ten National Privacy Principles (NPPs).
The NPPs set the base line standards for privacy protection. However, organisations or industries may have and enforce their own privacy codes. The Privacy Commissioner (the Commissioner) must approve the code first, but once it has been approved the code will replace the NPPs for those organisations bound by the code. The Commissioner can revoke a code.
Options for complaint resolution
A code can include its own complaint handling mechanism. If it does, it must provide for the appointment of a code adjudicator to determine complaints. A code adjudicator would be bound by the processes spelled out in a code when handling complaints and must abide by the requirements of the Privacy Act and the Code Development Guidelines.
A code that incorporates a complaints handling mechanism can give industry a sense of ownership in dispute resolution. In some cases there will be an existing dispute resolution system operating in an organisation/industry that is equipped to handle complaints about breaches of a privacy code.
If a code does not provide for a complaint handling mechanism, the Office of the Privacy Commissioner (the Office) will handle complaints and the Commissioner will be the code adjudicator.
Code approval
Before a code can be approved, the Privacy Act requires the Commissioner to be satisfied that:
- the obligations in the code are, overall, at least the equivalent of the NPPs; and
- the members of the public have been given an adequate opportunity to comment on a draft of the code.
If the code includes a complaints handling mechanism, the Commissioner must also be satisfied that the code:
- provides for a code adjudicator; and
- meets the prescribed standards and the Commissioner's guidelines in relation to making and dealing with complaints.
Organisations not bound by a code must comply with the NPPs set out in Schedule 3 of the Privacy Act. The Commissioner handles complaints in these circumstances. A copy of the NPPs is available on the Commissioner's web site or by contacting the Office.
Considering the resource requirements
Organisations will need to be aware that developing and implementing a privacy code will necessarily require a commitment of resources. Obviously the costs will vary greatly from scheme to scheme with likely variants being whether or not the scheme establishes its own complaint handling body, the size and nature of the organisation/industry that will be covered by the code, and the nature of the code itself.
There are also several steps involved in developing a code that will require an allocation of resources. These steps include investigating the need for a code, writing and publishing the code, seeking external legal or professional advice, implementing code-relevant systems, and educating and training staff. There could also be costs involved in:
- consulting the community on the proposed code; and
- running an effective code adjudication scheme. (Sufficient resources will need to be allocated to ensure independence and effective complaint handling.)
Organisations that choose to adopt a privacy code are encouraged to allocate resources to its promotion.
Seeking further advice
Privacy codes can deliver a range of benefits to organisations seeking to tailor the NPPs to a specific circumstance. However, before embarking on the code process, organisations are advised to consult with their industry association and/or other stakeholders on the need for a privacy code.
Guidelines for code development
The Privacy Commissioner has released a set of Code Development Guidelines to explain the procedures and requirements for having a privacy code approved.
Copies of the Code Development Guidelines are available on the Commissioner's web site.
About Information Sheets
Information sheets are advisory only and are not legally binding. (The NPPs in Schedule 3 of the Privacy Act 1988 (Cth) (the Privacy Act) do legally bind organisations.) Information sheets are based on the Office's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation. Nothing in an information sheet limits the Privacy Commissioner's freedom to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with. Organisations may also wish to consult the Commissioner's guidelines and other information sheets.
Office of the Privacy Commissioner ISBN 1 - 877079 - 14 - 6 Privacy Hotline 1300 363 992 (local call charge)


