Federal Register of Legislation - Australian Government


Approvals as made
This instrument revokes the approval of the Biometrics Institute Privacy Code granted on 19 July 2006 under s18BB of the Privacy Act 1988.
Administered by: Attorney-General's
Registered 16 Apr 2012
Tabling History
Tabled HR: 08-May-2012
Tabled Senate: 10-May-2012
Date of repeal 17 Oct 2014
Repealed by Spent and Redundant Instruments Repeal Regulation 2014 (No. 2)

 


Explanatory Statement

Revocation of the Biometrics Institute Privacy Code

April 2012

This explanatory statement relates to an instrument made under s18BE of the Privacy Act 1988 (Cth) (the Privacy Act) entitled ‘Revocation of the Biometrics Institute Privacy Code’ (Revocation).

This explanatory statement has been drafted for the purpose of fulfilling the Privacy Commissioner’s obligations under s26(1) of the Legislative Instruments Act 2003 (Cth) (the Legislative Instruments Act).

1. Purpose

The purpose of the Revocation is to revoke the Privacy Commissioner’s approval of the Biometrics Institute Privacy Code (the Code) under Part IIIAA of the Privacy Act.

The Privacy Commissioner approved the Code on 19 July 2006.

The Code commenced on 1 September 2006.

On 30 January 2012, the Biometrics Institute requested that the Privacy Commissioner exercise his power under s18BE of the Privacy Act to revoke the Code on his own initiative.

After conducting public consultation on that proposal, the Privacy Commissioner has decided to revoke the Code for the reasons set out in this statement.

2. Approved Privacy Codes

The Privacy Amendment (Private Sector) Act 2000 (Cth) extended the operation of the Privacy Act to cover much of the private sector. A feature of the Privacy Act is the option for organisations to develop their own privacy codes which, when approved, impose obligations that replace the obligations arising under the National Privacy Principles (NPPs) for those organisations bound by the code.

The co-regulatory approach adopted in the Act was developed on the basis that the privacy concerns of consumers can best be addressed if organisations are allowed flexibility to develop an appropriate privacy standard with their customers. This approach ensures that an effective and comprehensive data protection framework is provided for the private sector in Australia while still allowing some flexibility in its application.

The privacy rights of an individual cannot be lessened by the application of a privacy code.

For instance, the Privacy Commissioner must approve each privacy code in accordance with the Act, and the prescribed standards and guidelines issued by the Privacy Commissioner. When deciding whether or not to approve a code, the Privacy Commissioner must consider whether the code incorporates all the NPPs or sets out obligations that are, overall, at least the equivalent of all the obligations set out in the NPPs.

Where an organisation consents to be bound by an approved privacy code, the code operates in place of the NPPs until the organisation ceases to be bound by the code. Where an organisation chooses not to adopt an approved code it will be bound by the NPPs.

Where the approval of a code is revoked, organisations that were bound by the code prior to the revocation will again be bound by the NPPs.

3. Authority for Revoking Approved Privacy Codes

The revocation by the Privacy Commissioner of the approval of an approved privacy code is governed by s18BE of the Privacy Act, which provides:

Revoking the approval of an approved privacy code

(1) The Commissioner may revoke his or her approval of an approved privacy code or a variation of an approved privacy code:

(a) on his or her own initiative; or

(b) on application by an organisation that is bound by the code.

(2) Before deciding whether to revoke the approval of a code or variation, the Commissioner must:

(a) if practicable, consult the organisation that originally sought approval of the code or variation; and

(b) consult any other person the Commissioner considers appropriate; and

(c) consider the extent to which members of the public have been given an opportunity to comment on the proposed revocation.

(3) A revocation must be in writing.

(4) A revocation comes into effect on the day specified in the revocation.

(5) The day specified must not be before the day on which the revocation is made.

Under s12(4) of the Australian Information Commissioner Act 2010 (Cth), certain actions may only be taken by the Privacy Commissioner with the approval of the Information Commissioner, including ‘approvals, variations or revocations of a privacy code under paragraph 27(1)(aa) of the Privacy Act 1988’ (s12(4)(b)).

On 24 January 2012, the Information Commissioner granted such approval to the Privacy Commissioner in relation to the Code.

The revocation of an approval by the Privacy Commissioner of an approved privacy code has the effect of varying the obligations imposed upon an organisation under the Privacy Act, thereby altering the content of the law. As a consequence, the written revocation of a privacy code under section 18BE(1) of the Privacy Act is a legislative instrument for the purposes of the Legislative Instruments Act.

4. Reasons for Revoking the Code

The objectives of the Code are set out in clause B of the Code:

· To facilitate the protection of personal information provided by, or held in relation to, biometric systems;

· To facilitate the process of identity authentication in a manner consistent with the Privacy Act and the NPPs; and

· To promote biometrics as privacy enhancing technologies.

The Code only binds those members of the Institute that subscribe to the Code. There have been low numbers of subscribers to the Code. This was cited by the Biometrics Institute as a reason for seeking the revocation of the Code.

The Privacy Commissioner considers that, given the low level of subscription to the Code since it came into effect on 1 September 2006, the Code does not adequately meet its objectives.

Accordingly, having regard to:

· the low subscribership of the Code,

· the request by the Biometrics Institute (being the Code administrator) that the Privacy Commissioner revoke the Code, and

· public submissions in support of the revocation of the Code,

the Privacy Commissioner has decided to exercise his power under s18BE of the Privacy Act to revoke the Code’s approval.

5. Operation and Effect

The Privacy Commissioner has decided the Revocation of the Code will have effect on and from 17 April 2012.

Small businesses that would normally be exempt from the Privacy Act are required to choose to be treated as an organisation for the purposes of the Privacy Act by writing to the Privacy Commissioner before subscribing to the Code. Therefore, the effect of the Revocation is that those organisations previously bound by the Code will be required to comply directly with the NPPs, and complaints of breaches of the NPPs by such organisations will be investigated by the Privacy Commissioner under Part V of the Privacy Act.

6. Consultation

Section 17 of the Legislative Instruments Act requires that, before a rule-maker makes a legislative instrument, the rule-maker must be satisfied that any consultation that is considered by the rule-maker to be appropriate and that is reasonably practicable to undertake, has been undertaken.

Further, s18BE(2) of the Privacy Act requires the Privacy Commissioner to undertake consultation before revoking the approval of a privacy code. Section 18BE(2) provides:

(2) Before deciding whether to revoke the approval of a code or variation, the Commissioner must:

(a) if practicable, consult the organisation that originally sought approval of the code or variation; and

(b) consult any other person the Commissioner considers appropriate; and

(c) consider the extent to which members of the public have been given an opportunity to comment on the proposed revocation.

The Privacy Commissioner consulted directly with the organisation that originally sought approval of the Code, being the Biometrics Institute.

Further, from 21 February to 21 March 2012, the Privacy Commissioner carried out a public consultation process regarding the Biometrics Institute’s request that the Privacy Commissioner revoke the approval of the Code.

· The Office of the Australian Information Commissioner (OAIC) prepared a consultation paper setting out the background to the proposed revocation, and published that paper, together with an invitation to make submissions, on its website.

· The OAIC publicised the consultation by:

  o facilitating the notification of the consultation to the members of the Biometrics Institute, by the Institute

  o publicising the consultation through its website, and through the OAIC’s mailing lists and social media feeds, and

  o contacting relevant stakeholders directly.

The Privacy Commissioner is satisfied that the consultation undertaken is adequate to satisfy the requirements of s17 of the Legislative Instruments Act, and s18BE(2) of the Privacy Act.

6. Statement of Compatibility with Human Rights

This Statement of Compatibility with Human Rights has been prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth).

The Revocation is compatible with the human rights and freedoms recognised or declared in the international instruments listed in s3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth).

Objectives of the Revocation

The central public interest objective being served by the Revocation is the revocation of the approval of a privacy code that does not adequately meet its objectives, including the objective of facilitating ‘the protection of personal information provided by, or held in relation to, biometric systems’.

Human rights implications

The Revocation engages the right to privacy. The Revocation has the effect of requiring that subscribers to the Code comply with the NPPs rather than the Code.

Conclusion

The Revocation is compatible with human rights because it does not diminish the protection of human rights.