Federal Register of Legislation - Australian Government

Primary content

Privacy (Market and Social Research) Code 2014

Authoritative Version
Codes & Codes of Practice as made
This instrument is an industry developed APP code that sets out how the Australian Privacy Principles are to be applied and complied with by members of the Association of Market and Social Research Organisations (AMSRO) in the market and social research sector.
Administered by: Attorney-General's
Registered 16 Dec 2014
Tabling HistoryDate
Tabled HR09-Feb-2015
Tabled Senate09-Feb-2015

Explanatory Statement

Issued by the Authority of the Australian Privacy Commissioner

Privacy (Market and Social Research) Code 2014

This explanatory statement relates to the Privacy (Market and Social Research) Code 2014 (the AMSRO code) registered under s 26U(1) of the Privacy Act 1988 (Privacy Act).

This explanatory statement fulfils the Information Commissioner’s obligations under s 26(1) of the Legislative Instruments Act 2003 (the Legislative Instruments Act).

Authority for the registration of the AMSRO code

On 11 September 2014, the Association of Market and Social Research Organisation (AMSRO) applied to the Office of the Australian Information Commissioner (OAIC) to register the AMSRO code as an APP code under s 26F of the Privacy Act.

In accordance with Part IIIB of the Privacy Act, if an application for registration of an APP code is made by a code developer under s 26F of the Privacy Act, the Information Commissioner is empowered by s 26H(1) of the Privacy Act to register that APP code.  

Under s 12(4)(a) of the Australian Information Commissioner Act 2010, with the approval of the Information Commissioner, the Privacy Commissioner may perform the functions, and exercise the powers conferred on the Information Commissioner by Part IIIB of the Privacy Act. The Information Commissioner approved the Privacy Commissioner to exercise this power for the recognition of the AMSRO code.

Purpose and operation of the AMSRO code

In accordance with s 26C of the Privacy Act, an APP code performs the following functions:

·         sets out how one or more of the Australian Privacy Principles (APPs) are to be applied or complied with (s 26C(2)(a))

·         species the APP entities that are bound by the code, or a way of determining the APP entities which are bound by the code (s 26C(2)(b))

·         sets out the period during which the code is in force (which must not start the day before the code is registered under section 26H) (s 26C(2)(c)).

In addition, an APP code may:

·         impose additional requirements to those imposed by one or more of the APPs, so long as the additional requirements are not contrary to, or inconsistent with, those principles (s 26C(3)(a))

·         cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3) of the Privacy Act (s 26C(3)(b))

·         deal with the internal handling of complaints (s 26C(3)(c))

·         provide for the reporting to the Privacy Commissioner about complaints (s 26C(3)(d))

·         deal with any other relevant matters (s 26C(3)(e)).

The AMSRO code was initiated and developed by AMSRO. AMSRO is the peak body for the market and social research industry, and the ‘APP code developer’ of the AMSRO code, as defined in s 6(1) of the Privacy Act. The AMSRO code will only be binding on AMSRO members, referred to as ‘research organisations’ in the AMSRO code.

In accordance with s 26B(1), the AMSRO code comes into force when it is included on the OAIC Codes Register kept under s 26U(1) of that Act, and will remain in force until it is repealed.

The AMSRO code replaces the former Market and Social Research Privacy Code (the former AMSRO code). The former AMSRO code was in operation from 1 September 2003 until the introduction of amendments to the Privacy Act on 12 March 2014. 

Reasons for the decision to register the AMSRO code

In deciding to register the AMSRO code, the Privacy Commissioner has had regard to the objects of the Privacy Act, in particular:

·                to promote the protection of the privacy of individuals (s 2A(a))

·                to promote responsible and transparent handling of personal information by entities (s 2A(d)).

The Privacy Commissioner has taken into account the requirements for an APP code under s 26C of the Privacy Act, the procedural requirements for the development of an APP code under s 26E of the Privacy Act, and the making of the application for registration under s 26F of the Privacy Act.

In addition, the Privacy Commissioner has had regard to the Guidelines for developing codes (the Guidelines) issued under s 26V of the Privacy Act. The Appendix to those Guidelines sets out a non-exhaustive checklist of the primary matters that the Privacy Commissioner will consider when deciding whether to register a code, including an APP code. Those matters include:

·         whether there are appropriate governance arrangements in place to administer the code

·         whether there are appropriate reporting mechanisms

·         whether entities bound by the code are clearly identified

·         whether there are standardised internal privacy complaint handling procedures

·         whether there was initial notification of, and updates on, the code’s development

·         whether a code developer satisfied the public consultation requirements and considered views of stakeholders obtained during the consultation (set out in more detail below)

·         whether the code meets the drafting style requirements

·         whether the openness and transparency matters have been addressed

·         any matters raised by any person whom the Information Commissioner consults.

The Privacy Commissioner is satisfied that the AMSRO code adequately addresses those criteria.

Consultation

Consistent with the requirements of s 17 of the Legislative Instruments Act, the Privacy Commissioner has considered the consultation process undertaken by AMSRO as the APP code developer.

Section 26F of the Privacy Act requires that before an APP code developer makes an application to register an APP code, it must:

·         make a draft of the APP code publicly available (s 2F(2)(a))

·         invite the public to make submissions to the developer about the draft within a specified period (which must run for at least 28 days) (s 2F(2)(b))

·         give consideration to any submissions made within the specified period (s 2F(2)(c)).

On 18 March 2014, AMSRO released a draft of the AMSRO code on its website for public consultation. That consultation ran for a period of 32 days, which satisfies the requirement in s 26F that the consultation run for a period of at least 28 days.

The information submitted to the OAIC by AMSRO on 11 September 2014 in support of its application, included correspondence showing that all AMSRO members that will be bound by the AMSRO code were individually notified about the public consultation. Further, AMSRO provided copies of the correspondence between itself and the two AMSRO members who made submissions in relation to the draft AMSRO code. AMSRO responded to the concerns outlined in those submissions, and amended the AMSRO code to address them.

The Privacy Commissioner is satisfied, for the reasons set out above, that the consultation process undertaken by AMSRO adequately addresses the criteria required by s 26F of the Privacy Act.

The Office of Best Practice Regulation (OBPR) was also consulted on the AMSRO code. OBPR advised that the AMSRO code did not require a Regulatory Impact Statement.


 

Statement of compatibility with human rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

The Privacy (Market and Social Research) Code 2014 (the AMSRO code), submitted by the Association of Market and Social Research Organisations (AMSRO) to the Privacy Commissioner for registration on 11 September 2014, is compatible with the human rights and freedoms recognised or declared in the international instruments listed in s 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Operation

The AMSRO code is a binding written code of practice about information privacy developed under Part IIIB of the Privacy Act 1988 (the Privacy Act). The AMSRO code supplements the provisions of the Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act and outlines how the entities bound by the code must apply or comply with the APPs. It also imposes a number of requirements additional to the APPs with which the entities bound by the AMSRO must comply.

In accordance with s 26B(1), the AMSRO code comes into force when it is included on the OAIC Codes Register kept under s 26U(1) of that Act, and will remain in force until it is repealed.

Human rights implications

The AMSRO code engages Article 17 of the International Covenant on Civil and Political Rights (ICCPR). Article 17 provides that no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation, and that everyone has the right to the protection of the law against such interference or attacks. 

The AMSRO code protects against the arbitrary interference with privacy, and advances the right to the protection of the law against such interference by:

·         setting out how the APPs in Schedule 1 of the Privacy Act are to be applied and complied with in the market and social research industry (Part E)

·         introducing additional privacy enhancing requirements for research organisations to apply in the market and social research industry when handling personal information, including:

·         the additional matters that a research organisation bound by the AMSRO code must notify an individual participating in market research about, and the timeframe for providing that notice (paragraphs 5.3 – 5.4)

·         the circumstances under which a research organisation bound by the AMSRO code can use and disclose certain personal information (paragraphs 6.2A – 6.2B)

·         the specific purposes which a research organisation bound by the AMSRO code can rely upon to permit the retention of personal information (paragraph 11.3)

·         the steps that a research organisation bound by the AMSRO code must take to de-identify certain personal information (paragraph 11.4)

·         when a research organisation bound by the AMSRO code is permitted to retain certain personal information (paragraph 11.5)

·         the reasonable steps a research organisation bound by the AMSRO code must take to ensure that certain personal information that it discloses is protected (paragraphs 11.6(a) – (c))

·         the limited circumstances when a research organisation bound by the AMSRO code is not required to comply with a request to destroy or de-identify certain personal information (paragraph 11.7).

The AMSRO code does not limit any of the rights and freedoms contained in the seven core human rights treaties to which Australia is a party. 

Conclusion

The AMSRO code is compatible with human rights because it advances the protection of human rights by supplementing and strengthening the APPs through the introduction of additional, privacy enhancing requirements for the handling of personal information by the entities that it binds.