Privacy Codes of Practice

A privacy code of practice is a legal instrument which allows a public sector agency or organisation to make changes to an information protection principle (IPP) or provisions that deal with public registers, specify how that rule will apply in a particular situation.

What is a Privacy Code of Practice?

A Privacy Code of Practice is a legal instrument which allows a public sector agency or organisation to make changes to:

  • an Information Protection Principle (IPP); or 
  • provisions that deal with public registers; or
  • specifically how that rule will apply in a particular situation.

Codes must not be stricter than the principles and they should not be seen as a tool for blanket exemptions to the principles. Codes of Practice must still meet a number of requirements to ensure that they protect privacy.

Who can make a Code of Practice?

Both agencies and the Privacy Commissioner can prepare Privacy Codes of Practice. Agencies must consult the Privacy Commissioner when preparing Privacy Codes of Practice to modify the application of one or more IPPs or the public register provisions of the Privacy and Personal Information Protection Act 1998 (PPIP Act), or specify how they are to be applied to particular activities or classes of information. Draft Codes need to be submitted to the Attorney General or Minister for Health who may decide to make the Code.

Health Privacy Codes of Practice can be made by an agency/organisation or the Privacy Commissioner to modify the application of one or more Health Privacy Principles (HPPs) of the  Health Records Information Privacy Act 2002 (HRIP Act) or the provisions for the private sector.

How is a Privacy Code of Practice made?

Codes of Practice under both the PPIP Act and the HRIP Act follow a five-step process. Agencies wishing to apply for a Privacy Code of Practice under the PPIP Act can do so under Part 3 of the Act. Agencies/organisations who wish to apply for a Health Privacy Code of Practice can do so under Part 5 of the HRIP Act.

The five-step process: 

  • The draft Privacy Code needs to be submitted by the agency/organisation to the Privacy Commissioner before it is submitted to the Attorney General or Minister for Health
  • The Privacy Commissioner may make a submission to the Attorney General or Minister  for Health
  • The Minister may, after considering any submission by the Privacy Commissioner (and Attorney General, in the case of HRIP Act), decide to make the Code 
  • Parliamentary counsel then completes a final drafting 
  • The Code is published in the Gazette.

It is highly recommended that agencies wishing to submit a Code give advance notice to the Privacy Commissioner on the need for a Code and any supporting material such as a business case before preparing their draft Code.

For further information, the Privacy Commissioner has issued a Protocol: Assessing Draft Privacy Codes of Practice.

Codes of Practice

To date, the following Privacy Codes of Practice have been approved and gazetted.

To date the following Health Privacy Codes of Practice have been approved and gazetted.

Expired Codes

  • Privacy Code of Practice for Law Enforcement and Investigative Agency Access to Public Registers

Codes can also be made under the HRIP Act, see Exemptions and Codes made under the HRIP Act.

Rating: 
4 out of 5 star rating
Average: 4 (1 vote)
Archive: 
0
Teaser: 
A privacy code of practice is a legal instrument which allows a public sector agency or organisation to make changes to an IPP or provisions that deal with public registers.