Greenleaf, Graham --- "Standards and open procedures needed for Codes of Practice" [1997] PrivLawPRpr 5; (1997) 3(9) Privacy Law & Policy Reporter 174
Standards and open procedures needed for Codes of Practice
Codes of practice play a key role in the Discussion Paper's proposals, as they should. They provide the necessary degree of both detail and (through modifications) flexibility in the application of necessarily broad principles to widely varying organisations and practices.
Standards for modification of codes of practice
Codes of practice will fulfil the general 'exemption' function currently played in the Act by 'public interest determinations' (which are now to be restricted to 'one off' situations).
Since codes of practice are disallowable instruments (and therefore subject to legislative veto), it is not unreasonable that they should be able to modify the operation of the IPPs.
However, the extent to which codes can modify the application of the IPPs needs to be made clearer by spelling out the standards that the Commissioner must apply in determining a modification:
- In 'prescribing standards that were more or less stringent than the IPPs' (the words of the Discussion Paper), such modifications should only be able to be made 'within the general purpose of the IPP' (or some such wording). A code should not be able to be 'more ... stringent' by effectively adding a new IPP, but it is reasonable that stricter standards of compliance with a general principle should be required in some contexts.
- In 'exempting any action from an IPP' the position is different, because 'exemptions' may effectively recognise that an IPP should have virtually no operation in some contexts because of competing public interest considerations. As with the existing s 72, the Commissioner should be required to be satisfied that 'the public interest in the [organisation] doing the act, or engaging in the practice, outweighs to a substantial degree the public interest in adhering to that Information Privacy Principle'.
The proposal that codes of practice should not be able to 'limit or restrict' access rights is an unnecessarily inflexible approach, provided a general right of mediated access is accepted (as explained below). It is hard to see why there could be any justification for a code limiting correction rights, so inflexibility here probably does not matter very much.
Procedures for the Commissioner to issue Codes after open consultation, and disallowance, are the key to acceptability of the whole approach of modification by Codes.
The proposed Code-making procedures are generally appropriate, but have some striking deficiencies and incompleteness:
- There is no procedure specified for anyone to formally request or require the Commissioner to issue a code of conduct. Anyone should be able to so request, including those who consider the Act is being used to unfairly withhold information from them (for example, researchers). Such formal requests should be public documents (except where confidentiality is justified on normal grounds). Generally the decision to act on a request (or requests) by proceeding to public notice of a proposed code should be in the discretion of the Commissioner. However, the Minister should be able to direct the Commissioner to proceed to that step where the Minister considers this is necessary. This would be an appropriate level of political intervention, as it is still up to the Commissioner what the code says, and up to Parliament to approve it.
- There is no mention of submissions concerning Codes being public documents (except where confidentiality is justified on normal grounds). They must be, particularly if any codes are to be issued without public hearings, or it will be unduly difficult for industry claims for exemptions to be criticised by public interest organisations (or vice versa).
- There is no mention of public hearings (such as a s 76 conference in the current Act). While it is not desirable that the Act be quite as prescriptive about Conferences as is Pt VI at present, it should at least explicitly authorise the Commissioner to provide an opportunity for oral submissions and argument wherever a proposed Code was of sufficient public significance to justify this.
Publicity (or the prospect of it) is some antidote against industry groups seeking to take undue advantage of their lobbying skills and ability to apply concentrated resources on processes.
Any more fundamental change so that Codes become issued by Regulations (ie Ministers) -- as in the ill-fated proposed Bill in NSW in 1994 -- destroys the whole process and removes it to the realm of political lobbying behind closed doors and special pleading open only to powerful lobby groups.
When does an 'urgent' Code come into force? 'Urgency' may require something faster than 28 days. I assume that such Codes come into force at the date of publication. The Discussion Paper also does not specify that urgent Codes will be disallowable, but they obviously should be disallowable.
This proposal is confusing, because the requirements for both consent and overriding public interest seem inconsistent. Also, how can prior consent of (unknown) individuals be obtained in relation to future practices? 'One off' seems to be limited to a single instance, not the unusual circumstances of a single business. Are they disallowable (as with current Public Interest Determinations)?
The purpose of this proposal needs clarification.
The Discussion Paper is silent on the effect of the extension of the Act on the existing provisions dealing with credit reporting -- but the credit industry is unlikely to remain silent.
Two policy objectives must be preserved in any proposals affecting Pt IIIA of the Act and associated sections (for example, s 18, s 18A):
(i) An appropriate balance of privacy interests in relation to credit reporting was exhaustively considered by Parliament in relation to the 1990 amendments to the Act, and there is no justification for change to those basic policy decisions. In effect, Parliament decided in detail what should be the content of a 'code of conduct' for credit reporting. If it has imposed a somewhat more stringent standard than is now being imposed 'across the board' on the private sector, that is of little account, as a code of practice may impose more stringent standards.
(ii) Provided that these Parliamentary-determined standards are preserved, there is no reason why the credit industry should be subjected to quite different procedures (including for remedies) than other parts of the private sector. To the extent that it is possible to bring credit reporting within the general approach to the private sector, this should be done.
These objectives could be reconciled by provisions that (i) allowed the Commissioner to develop a code of conduct which implemented the same legislative objectives as Pt IIIA; and (ii) made Pt IIIA not directly enforceable (but still extant as a legislative statement of objectives) once that code came into force, and allowed the Commissioner to revoke the existing s 18A Code.
In my view, if the substantive content of Pt IIIA is preserved, there is no need for the credit industry to be subject to different enforcement provisions from other private sector organisations. If the IPPs are generally to be enforced through civil rather than criminal sanctions, then credit information should have the same treatment.
An anomaly of longer standing in the Privacy Act is the special position of medical research under s 95, where the National Health and Medical Research Council (NH&MRC), not the Privacy Commissioner, issues guidelines which are in effect a Code of Practice modifying the IPPs. These guidelines only affect acts done by agencies, but once the Act is extended to the private sector, there will be a need for a Code of Practice for medical research concerning information held by private sector doctors, hospitals and others. The Privacy Commissioner will also be involved in many other non-research uses of medical records.
Since the NH&MRC is not being given any general Code-making powers concerning medical records, it would seem an appropriate time to simply bring medical research within the normal provision for a Code of Practice. I suggest that s 95 be repealed and replaced by a provision which says that the Commissioner will issue a Code of Practice concerning medical research, and that the existing NH&MRC guidelines will cease to be of effect when this occurs.
URL: http://www.austlii.edu.au/au/journals/PrivLawPRpr/1997/5.html