You are here:
AustLII >>
Australia >>
Journals >>
PLPR >>
1997 >>
[1997] PLPR 5
[Global Search]
[PLPR Search]
[PLPR Homepage]
[Help]
Standards and open procedures needed for Codes of Practice
Codes of practice play a key role in the Discussion Paper's proposals, as they
should. They provide the necessary degree of both detail and (through
modifications) flexibility in the application of necessarily broad principles
to very varying organisations and practices.
Standards for modification of codes of practice Codes
of practice will fulfil the general `exemption' function currently played in
the Act by `public interest determinations' (which are now to be restricted to
`one off' situations).
Since codes of practice are disallowable instruments (and therefore subject to
legislative veto), it is not unreasonable that they should be able to modify
the operation of the IPPs.
However, the extent to which codes can modify the application of the IPPs needs
to be made more clear, by spelling out the standards that the Commissioner must
apply in determining a modification:
-
In `prescribing standards that were more or less stringent than the IPPs'
(the words of the Discussion Paper), such modifications should only be able to
be made `within the general purpose of the IPP' (or some such wording). A code
should not be able to be `more ... stringent' by effectively adding a new IPP,
but it is reasonable that stricter standards of compliance with a general
principle should be required in some contexts.
- In `exempting any action from an IPP' the position is different, because
`exemptions' may effectively recognise that an IPP should have virtually no
operation in some contexts because of competing public interest considerations.
As with the existing s 72, the Commissioner should be required to be satisfied
that `the public interest in the [organisation] doing the act, or engaging in
the practice, outweighs to a substantial degree the public interest in adhering
to that Information Privacy Principle'.
The proposal that codes of practice should not be able to `limit or restrict'
access rights is an unnecessarily inflexible approach, provided a general right
of mediated access is accepted (as explained below). It is hard to see why
there could be any justification for a code limiting correction rights, so
inflexibility here probably does not matter very much.
Procedures
for the Commissioner to issue Codes after open consultation, and disallowance,
are the key to acceptability of the whole approach of modification by Codes.
The proposed Code-making procedures are generally appropriate, but have some
striking deficiencies and incompleteness:
-
There is no procedure specified for anyone to formally request or require the
Commissioner to issue a code of conduct. Anyone should be able to so request,
include those who consider the Act is being used to unfairly withhold
information from them (for example, researchers). Such formal requests should
be public documents (except where confidentiality is justified on normal
grounds), Generally the decision to act on a request (or requests) by
proceeding to public notice of a proposed code should be in the discretion of
the Commissioner. However, the Minister should be able to direct the
Commissioner to proceed to that step where the Minister considers this is
necessary. This would be an appropriate level of political intervention, as it
is still up to the Commissioner what the code says, and up to Parliament to
approve it.
- There is no mention of submissions concerning Codes being public documents
(except where confidentiality is justified on normal grounds). They must be,
particularly if any codes are to be issued without public hearings, or it will
be unduly difficult for industry claims for exemptions to be criticised by
public interest organisations (or vice versa).
- There is no mention of public hearings (such as a s 76 conference in the
current Act). While it is not desirable that the Act be quite as prescriptive
about Conferences as is Pt VI at present, it should at least explicitly
authorise the Commissioner to provide an opportunity for oral submissions and
argument wherever a proposed Code was of sufficient public significance to
justify this.
Publicity (or the prospect of it) is some antidote against industry groups
seeking to take undue advantage of their lobbying skills and ability to apply
concentrated resources on processes.
Any more fundamental change so that Codes become issued by Regulations (ie
Ministers) -- as in the ill-fated proposed Bill in NSW in 1994 -- destroys the
whole process and removes it to the realm of political lobbying behind closed
doors and special pleading open only to powerful lobby groups.
When
does an `urgent' Code come into force? `Urgency' may require something faster
than 28 days. I assume that such Codes come into force at the date of publication. The Discussion Paper also
does not specify that urgent Codes will be disallowable, but they obviously
should be disallowable.
This
proposal is confusing, because the requirements for both consent and overriding
public interest seem inconsistent. Also, how can prior consent of (unknown)
individuals be obtained in relation to future practices? `One off' seems to be
limited to a single instance, not the unusual circumstances of a single
business. Are they disallowable (as with current Public Interest
Determinations)? The purpose of this proposal needs clarification.
The
Discussion Paper is silent on the effect of the extension of the Act on the
existing provisions dealing with credit reporting -- but the credit industry is
unlikely to remain silent.
Two policy objectives must be preserved in any proposals affecting Pt IIIA of
the Act and associated sections (for example, s 18, s 18A):
(i) An appropriate balance of privacy interests in relation to credit reporting
was exhaustively considered by Parliament in relation to the 1990 amendments to
the Act, and there is no justification for change to those basic policy
decisions. In effect, Parliament decided in detail what should be the content
of a `code of conduct' for credit reporting. If it has imposed a somewhat more
stringent standard than is now being imposed `across the board' on the private
sector, that is of little account, as a code of practice may impose more
stringent standards.
(ii) Provided that these Parliamentary-determined standards are preserved,
there is no reason why the credit industry should be subjected to quite
different procedures (including for remedies) than other parts of the private
sector. To the extent that it is possible to bring credit reporting within the
general approach to the private sector, this should be done.
These objectives could be reconciled by provisions that (i) allowed the
Commissioner to develop a code of conduct which implemented the same
legislative objectives as Pt IIIA; and (ii) made Pt IIIA not directly
enforceable (but still extant as a legislative statement of objectives) once
that code came into force, and allowed the Commissioner to revoke the existing
s 18A Code.
In my view, if the substantive content of Pt IIIA is preserved, there is no
need for the credit industry to be subject to different enforcement provisions
from other private sector organisations. If the IPPs are generally to be
enforced through civil rather than criminal sanctions, then credit information
should have the same treatment.
An
anomaly of longer standing in the Privacy Act is the special position of
medical research under s 95, where the National Health and Medical Research
Council (NH&MRC), not the Privacy Commissioner, issues guidelines which are
in effect a Code of Practice modifying the IPPs. These guidelines only affect
acts done by agencies, but once the Act is extended to the private sector,
there will be a need for a Code of Practice for medical research concerning
information held by private sector doctors, hospitals and others. The Privacy
Commissioner will also be involved in many other non-research uses of medical
records.
Since the NH&MRC is not being given any general Code-making powers
concerning medical records, it would seem an appropriate time to simply bring
medical research within the normal provision for a Code of Practice. I suggest
that s 95 be repealed and replaced by a provision which says that the
Commissioner will issue a Code of Practice concerning medical research, and
that the existing NH&MRC guidelines will cease to be of effect when this
occurs.
AustLII:
Feedback |
Privacy Policy |
Disclaimers
URL:
http://www.austlii.edu.au/au/journals/PLPR/1997/5.html
