Consumer Protection in the Communications Industry: Moving to best practice - Issues Paper (July 2008)

3.4. Privacy

Codes of conduct can be developed by industry and approved by the Office of the Privacy Commissioner (OPC) under Section 18BB of the Privacy Act 1988.

To gain the official approval of the OPC, a privacy code has to meet certain criteria. In contrast to some other sectors, there is a strong emphasis on the content of the code, not just process matters relating to code development and consultation.

A primary requirement is that the code must be, overall, equivalent to or stronger than the National Privacy Principles (NPPs) contained in the Privacy Act 1988. The registered privacy code scheme allows variations on these Principles – but the changes should offer a higher level of protection to consumers than would normally be afforded under the Principles.

Once a code is registered, the OPC continues to play a role in monitoring code compliance.

The code has to provide for an annual report to the OPC on the operation of the code. This report should include:

  • Complaint statistics and demographics, including unresolved cases, and waiting times;
  • Statistics on enquiries;
  • Any systemic problems revealed by complaints;
  • Some representative case studies;
  • Information to demonstrate equitable access is being provided;
  • A list of code members, noting changes to the list, and those code members who have not met their obligations; and
  • Any significant recent policy or technological developments in the area.

The code should also provide for the independent review of the code’s overall operation (including a commitment to funding this review). Normally the review would occur a year after the code’s introduction, and thereafter every three years.

There are also significant requirements relating to stakeholder consultation during the development of codes,[33] although in practice this has not always been implemented.

In practice, very few codes have been registered, and the codes that have been registered have very low industry membership (e.g. just four organisations have signed the Biometrics Industry Privacy Code).[34] This may reflect the ease with which most industries can comply with the NPPs. Another reason for low take-up of Codes is the perceived high cost to industry compared to the benefit, given that decisions of Code Adjudicators can be appealed to the Privacy Commissioner.

The co-regulatory approach in Privacy was developed at the request of industry. In practice, most sectors have simply chosen to comply with the legislation.

[33] Office of the Federal Privacy Commissioner, Revised Version of the Code Development Guidelines, September 2001.

[34] Biometrics Institute, Biometrics Institute Privacy Code Public Register, 4 March 2008.