
Greenleaf, Graham --- "Standards and open procedures needed for Codes of Practice" [1997] PrivLawPRpr 5; (1997) 3(9) Privacy Law & Policy Reporter 174

Standards and open procedures needed for Codes of Practice

Extracts from Graham Greenleaf's submission on the Discussion Paper

Codes of practice play a key role in the Discussion Paper's proposals, as they should. They provide the necessary degree of both detail and (through modifications) flexibility in the application of necessarily broad principles to very varying organisations and practices.

Standards for modification of codes of practice

Codes of practice will fulfil the general `exemption' function currently played in the Act by `public interest determinations' (which are now to be restricted to `one off' situations).

Since codes of practice are disallowable instruments (and therefore subject to legislative veto), it is not unreasonable that they should be able to modify the operation of the IPPs.

However, the extent to which codes can modify the application of the IPPs needs to be made more clear, by spelling out the standards that the Commissioner must apply in determining a modification:

  • In `prescribing standards that were more or less stringent than the IPPs' (the words of the Discussion Paper), such modifications should only be able to be made `within the general purpose of the IPP' (or some such wording). A code should not be able to be `more ... stringent' by effectively adding a new IPP, but it is reasonable that stricter standards of compliance with a general principle should be required in some contexts.
  • In `exempting any action from an IPP' the position is different, because `exemptions' may effectively recognise that an IPP should have virtually no operation in some contexts because of competing public interest considerations. As with the existing s 72, the Commissioner should be required to be satisfied that `the public interest in the [organisation] doing the act, or engaging in the practice, outweighs to a substantial degree the public interest in adhering to that Information Privacy Principle'.

The proposal that codes of practice should not be able to `limit or restrict' access rights is an unnecessarily inflexible approach, provided a general right of mediated access is accepted (as explained below). It is hard to see why there could be any justification for a code limiting correction rights, so inflexibility here probably does not matter very much.

Procedures for codes of practice

Procedures for the Commissioner to issue Codes after open consultation, and disallowance, are the key to acceptability of the whole approach of modification by Codes. The proposed Code-making procedures are generally appropriate, but have some striking deficiencies and incompleteness:
  • There is no procedure specified for anyone to formally request or require the Commissioner to issue a code of conduct. Anyone should be able to so request, including those who consider the Act is being used to unfairly withhold information from them (for example, researchers). Such formal requests should be public documents (except where confidentiality is justified on normal grounds). Generally the decision to act on a request (or requests) by proceeding to public notice of a proposed code should be in the discretion of the Commissioner. However, the Minister should be able to direct the Commissioner to proceed to that step where the Minister considers this is necessary. This would be an appropriate level of political intervention, as it is still up to the Commissioner what the code says, and up to Parliament to approve it.
  • There is no mention of submissions concerning Codes being public documents (except where confidentiality is justified on normal grounds). They must be, particularly if any codes are to be issued without public hearings, or it will be unduly difficult for industry claims for exemptions to be criticised by public interest organisations (or vice versa).
  • There is no mention of public hearings (such as a s 76 conference in the current Act). While it is not desirable that the Act be quite as prescriptive about Conferences as is Pt VI at present, it should at least explicitly authorise the Commissioner to provide an opportunity for oral submissions and argument wherever a proposed Code was of sufficient public significance to justify this.

Publicity (or the prospect of it) is some antidote against industry groups seeking to take undue advantage of their lobbying skills and ability to apply concentrated resources on processes.

Any more fundamental change so that Codes become issued by Regulations (ie Ministers) -- as in the ill-fated proposed Bill in NSW in 1994 -- destroys the whole process and removes it to the realm of political lobbying behind closed doors and special pleading open only to powerful lobby groups.

Urgent Codes

When does an `urgent' Code come into force? `Urgency' may require something faster than 28 days. I assume that such Codes come into force at the date of publication. The Discussion Paper also does not specify that urgent Codes will be disallowable, but they obviously should be disallowable.

`One-off' exceptions (`Public interest determinations')

This proposal is confusing, because the requirements for both consent and overriding public interest seem inconsistent. Also, how can prior consent of (unknown) individuals be obtained in relation to future practices? `One off' seems to be limited to a single instance, not the unusual circumstances of a single business. Are they disallowable (as with current Public Interest Determinations)? The purpose of this proposal needs clarification.

Special provisions concerning credit reporting (Pt IIIA etc)

The Discussion Paper is silent on the effect of the extension of the Act on the existing provisions dealing with credit reporting -- but the credit industry is unlikely to remain silent.

Two policy objectives must be preserved in any proposals affecting Pt IIIA of the Act and associated sections (for example, s 18, s 18A):

(i) An appropriate balance of privacy interests in relation to credit reporting was exhaustively considered by Parliament in relation to the 1990 amendments to the Act, and there is no justification for change to those basic policy decisions. In effect, Parliament decided in detail what should be the content of a `code of conduct' for credit reporting. If it has imposed a somewhat more stringent standard than is now being imposed `across the board' on the private sector, that is of little account, as a code of practice may impose more stringent standards.

(ii) Provided that these Parliamentary-determined standards are preserved, there is no reason why the credit industry should be subjected to quite different procedures (including for remedies) than other parts of the private sector. To the extent that it is possible to bring credit reporting within the general approach to the private sector, this should be done.

These objectives could be reconciled by provisions that (i) allowed the Commissioner to develop a code of conduct which implemented the same legislative objectives as Pt IIIA; and (ii) made Pt IIIA not directly enforceable (but still extant as a legislative statement of objectives) once that code came into force, and allowed the Commissioner to revoke the existing s 18A Code.

In my view, if the substantive content of Pt IIIA is preserved, there is no need for the credit industry to be subject to different enforcement provisions from other private sector organisations. If the IPPs are generally to be enforced through civil rather than criminal sanctions, then credit information should have the same treatment.

Medical research guidelines -- repeal of s 95 proposed

An anomaly of longer standing in the Privacy Act is the special position of medical research under s 95, where the National Health and Medical Research Council (NH&MRC), not the Privacy Commissioner, issues guidelines which are in effect a Code of Practice modifying the IPPs. These guidelines only affect acts done by agencies, but once the Act is extended to the private sector, there will be a need for a Code of Practice for medical research concerning information held by private sector doctors, hospitals and others. The Privacy Commissioner will also be involved in many other non-research uses of medical records.

Since the NH&MRC is not being given any general Code-making powers concerning medical records, it would seem an appropriate time to simply bring medical research within the normal provision for a Code of Practice. I suggest that s 95 be repealed and replaced by a provision which says that the Commissioner will issue a Code of Practice concerning medical research, and that the existing NH&MRC guidelines will cease to be of effect when this occurs.
