2.0 Nature of Codes of Practice
4.0 Operational Procedures
6.0 General Content
7.0 Detailed Content
8.0 The Privacy Commissioner's Involvement
9.0 Further Information
10.0 Guidelines Kept Under Review
Appendix A Formulation of a Code of Practice
Appendix B Preferred style for Codes of practice
1.1 This note considers codes of practice as provided for in the Privacy Act 1993. It seeks to explain the nature of codes of practice, their possible format and matters to be included.
1.2 These comments are simply guidelines and do not represent a definitive or binding view of the Privacy Commissioner. Reference must be made to Part VI of the Privacy Act. Public register codes are issued under Part VII of the Act but are not discussed here.
2.0 NATURE OF CODES OF PRACTICE
2.1 The term 'code of practice' is used by different organisations in many different ways and covers varying levels of policy and practice. Codes of practice in other contexts can range from internal guidelines at one extreme to fully enforceable standards at the other. The term will continue to mean different things to different people in different contexts.
2.2 A code of practice under the Privacy Act is a legal document. It is enforceable through the Commissioner and the Complaints Review Tribunal (although not usually through the ordinary courts). For some purposes it has the status of a regulation. The statutory basis for codes of practice will be found in Part VI of the Privacy Act and copies of ss.46-53 (as amended) are attached.
2.3 Codes of practice generally provide how agencies in a particular industry, sector or activity must comply with the Information Privacy Principles ('IPPs'). Codes should be aimed at those responsible for information privacy within organisations (including senior management and those responsible for formulating policies) and be intelligible to people in the particular industry who will need to refer to the code. Codes may modify the application of the IPPs (e.g. by prescribing more stringent or less stringent standards or by exempting actions) or may prescribe how the IPPs are to be complied with.
2.4 Codes will typically be promoted or initiated by trade associations, representative or professional bodies or Government departments, and will cover the application of the IPPs to particular groups of 'agencies' (e.g. health sector, law enforcement agencies, direct marketing companies etc) or for particular types of information (e.g. employment information, credit information). The Privacy Commissioner may also initiate codes of practice.
3.1 Drafters of codes of practice should bear in mind that the Privacy Act is concerned with the rights of individuals. In drafting codes the interests of people about whom personal information is held should be a primary concern. As well as industry consultation, people about whom information is held should be consulted during the drafting of codes.
3.2 Consideration should also be given to consultation with Maori and ethnic groups if the personal information concerned may have a particular cultural sensitivity. The Privacy Commissioner will expect to be informed which interest groups, relevant individuals or organisations have been consulted when receiving draft codes submitted to him.
3.3 The steps that would normally be expected to be followed in formulating a code of practice are set out in Appendix A.
4.0 OPERATIONAL PROCEDURES
4.1 Codes of practice should be distinguished from what might be known as operational procedures.
4.2 Many organisations will need to develop internal operational procedures in order to apply the IPPs or a code of practice in their agency. These will typically deal in detail with particular aspects of information privacy as they are related to the agency's business or to its employees. They may take the form of rules or procedures relating to the use of particular systems or equipment, or to particular functions and may be included in already existing internal documents, such as office manuals. In some sectors there will be understandable pressure from employees for guidance on their responsibilities under the Privacy Act. There is no reason why such employee procedures cannot be developed in advance of, or in parallel with, a sector code of practice.
4.3 Codes of practice are complementary to operational procedures and both depend upon each other to a certain extent. In preparing codes, experience from existing operational procedures might be drawn upon. Once a code is adopted, the operational procedures should reflect its provisions. However, operational procedures are normally a matter for individual agencies and the Privacy Commissioner will not usually be involved in them.
4.4 Some industries which anticipate that a code of practice may be necessary may find that attention to operational procedures, and a reassessment and modification of existing practices to conform with the IPPs, may obviate any need for a code.
5.1 Not every code will follow the format of others. As greater experience is developed of codes of practice, further guidelines might be issued concerning preferred formats. In the meantime, the following ideas may be of assistance to those drafting codes of practice.
5.2 Generally, the IPPs should not be paraphrased. Although the Commissioner does not rule out the possibility of a code containing a very careful paraphrasing of the principles, the dangers of doing so are such that normally this will not be desirable. It will be recalled that codes of practice are enforceable under the Act. Precision is obviously of great importance and paraphrasing can introduce unintended differences and ambiguities.
5.3 It is possible to follow the words of the IPPs and simply provide for specific departures, procedures, standards or exceptions. Or a new set of rules can substitute for the principles. Either way there must be a rule or standard against which a complaint can be measured. The purpose of the code of practice is to increase relevance, certainty, precision and clarity, not to substitute some other language which might create uncertainty.
5.4 To be most useful, it is expected that codes might include practical examples. Sometimes this may take the form of a rule prescribing how the principle is to apply in such a case. However, in many cases, it will be inappropriate for those examples to be included in the formal code as issued as a legally binding document. Accordingly, it is suggested that a format be adopted whereby parts of the code intended only for illustrative purposes are distinguished from the operative parts of the code. The illustrative parts will be excluded from the formally issued document but retained in codes publicly available and in everyday use. There may be other information that would similarly not be included in the formal code but within the code as generally made available, such as a foreword, suggestions as to operational procedures, contact addresses for sources of advice, extracts from relevant statutes, reference to relevant parts of the Privacy Act (e.g. obligation to appoint a privacy officer, access and correction) etc.
5.5 Generally codes under the Act will need to be more detailed and precise than the more discursive codes found in some other areas and in other jurisdictions. This relates to the fact that the code will have to be capable of legal interpretation.
5.6 None of these comments concerning formality and precision preclude the code being written in 'plain English' or complementary summary booklets or leaflets being published for the public, along the lines of 'A Guide to the Code' or 'Your rights explained' etc.
5.7 Appendix B addresses certain matters of style.
6.0 GENERAL CONTENT
6.1 A substantial portion of a code of practice should deal explicitly with the IPPs, covering how compliance with each principle is to be secured.
6.2 Some of the principles will bear more heavily on some sectors than on others and will require more detailed consideration. The balance of a code between the twelve principles will therefore vary considerably. However the code is structured and laid out, the relationship between the content of the code and one or more principles should be clear to the reader. A very workable approach is to have a rule corresponding to each IPP.
6.3 In limited circumstances it may be appropriate to phase in the introduction of a code. One or more of the principles could be covered in an interim code, which would then be extended as soon as practicable to cover the remaining principles or aspects. This approach would allow enforceable standards to be set without waiting for the resolution of particularly complex or controversial issues. Where this phased approach is adopted, the interim version of the code should clearly explain its status, and that it does not purport to cover all aspects of information privacy. The unmodified IPPs would continue to apply to those principles not covered by the interim code.
6.4 Those sections of a code which relate to one or more of the IPPs will typically include:
- an explanation of how the principle applies to the activity of member organisations;
- either firm recommendations as to measures to be taken to comply (where systems and practices are sufficiently common) or standards as to procedures for deciding on specific measures (where systems and practices are more diverse). In the latter case, it may be appropriate to give examples of the sort of specific measures which can be, or are being, used in particular circumstances.
6.5 An example of a firm recommendation might be that information held for purpose X should be destroyed (or deleted from a computer system) Y months after the last transaction. An example of the alternative 'guideline' approach would be to say that information held for purpose X should be reviewed at set intervals to see if it could be deleted, and that the length of the set interval should take account of factors A, B and C. This guideline approach could be supplemented by examples e.g. that firms operating in a particular subsector use a 6-month period because of ... while those in another subsector use a 12-month period for ... reasons. If the 'alternative' is chosen then the principle will apply in the event of any complaint i.e. no longer than is required for the purposes for which the information may lawfully be used.
6.6 There is no reason why subsections of a code should not deal with the application of the IPPs to standard forms or specific systems or databases if these are widely enough used within the sector to justify their inclusion.
6.7 Some industries or professions may already have existing codes of practice, codes of conduct or ethical rules which touch upon privacy issues and other matters unrelated to information privacy. Where this is the case, the Privacy Act code of practice need not necessarily reproduce relevant parts in full but might refer to the other document and explain how they relate to the principles in question.
7.0 DETAILED CONTENT
7.1 In addition to rules corresponding to each of the principles a code of practice will likely include provisions for:
- Commencement and, if appropriate, review and expiry.
- A precise definition of the scope or application of the code.
- A complaints procedure and how individuals can exercise any rights flowing from the code. Depending upon the nature of the particular sector, this may range from an independent complaints mechanism (e.g. for legal practitioners) to an obligation for the privacy officer of an agency to reconsider any complaint received, or perhaps, where the size of the agency permits, this function could be handled by a senior person independent of the person whose decision is complained about.
7.2 Furthermore the code may have non-binding commentary on aspects such as:
- A brief summary of the main provisions of the Privacy Act i.e. what it is about.
- A description of the coverage of the code - the types of organisations involved, their principal activities; the types of person about whom personal information is being held and for what purposes; the status of the representative bodies that have drafted the code, typical information held. It may also be useful to mention what the code does not cover - e.g. an industry or sector code will not normally cover employee information.
- guidance on an appropriate allocation of responsibilities for information privacy matters, arrangements for monitoring uses of personal information, suggestions as to arrangements for internal training and discipline relating to information privacy, appointment of privacy officers, internal audit and review.
- any arrangements for advice on information privacy and on compliance with the code from the representative bodies and reference to other sources of information and advice.
- cross-reference to any relevant statutory provisions or to guidance from other regulatory bodies affecting the handling of personal information with which agencies covered by the code must comply.
- the sanctions that may follow from a breach of the code.
8.0 THE PRIVACY COMMISSIONER'S INVOLVEMENT
8.1 Sometimes the Commissioner may encourage the preparation of codes of practice by trade associations and other bodies using personal information. More often an organisation (trade body, professional association etc) may want to initiate a code itself which, in due course, will need to be formally submitted to the Commissioner if it is to obtain statutory recognition under the Privacy Act. However, the Commissioner can take a more active role where he considers a code is necessary.
8.2 The first step in the preparation of a code of practice should be to contact the Privacy Commissioner's office informally to discuss the matter. Contact should be made with the Manager, Codes & Legislation, in the Commissioner's Auckland Office. There are good reasons for making early contact:
- The Commissioner has a discretion not to issue a code in a particular case and will decline to do so if he forms the view that no code is needed in the particular case or that the code submitted is unsatisfactory. Initial informal contact will enable the Commissioner to either express a view or undertake consultation as to the need for a code.
- A code may already be in the course of preparation by an industry group.
- The Commissioner's office may be able to give some initial guidance to assist in the preparation of a code.
8.3 Codes of practice are vital to the effective implementation of the Privacy Act. The Commissioner's office would normally prefer not to undertake the initial drafting of codes as it is better for those who are going to use the code to do this with their expertise and special knowledge of their particular industry or sector. However, the Commissioner or a staff member will usually be willing to provide some informal advice during the drafting process but this must not be taken to amount to 'pre-approval' or give rise to any legitimate expectation of approval in any form in due course.
9.0 FURTHER INFORMATION
9.1 Drafters of codes of practice will find it helpful to study a code that the Commissioner has actually issued. Copies of the Health Information Privacy Code 1994 can be purchased from the Commissioner's office or Bennetts Government Bookshops. Reference can also be made to a Ministry of Consumer Affairs publication 'Guidelines on Developing a Code of Practice' (October 1993).
10.0 GUIDELINES KEPT UNDER REVIEW
10.1 This guidance note will be revised from time to time. The Privacy Commissioner's office can advise if this copy is the most recent revision. The Commissioner welcomes comments upon these guidelines, their usefulness and suggestions for other guidelines.
Issue No. 5 dated 5 December 1994
FORMULATION OF A CODE OF PRACTICE
Steps normally expected to be taken.
Step 1: Question of need for code raised. Normally agencies handling personal information, or industry groups representing groups of agencies, will first anticipate the need for a code. The issue may arise through difficulties encountered in applying the IPPs or through appreciation of advantages of a code (e.g. PR, tailor-made to particular sector etc). Sometimes the Commissioner will initiate the process, perhaps as a result of complaints received.
Step 2: Initial consultation with Commissioner's Office.
If a sector group intends to commence drafting a code of practice, informal contact should be made with the Commissioner's office. The Commissioner may know that a code in this field has already been commenced by some other group. The Commissioner may make useful suggestions. Or, the Commissioner may be unsure that a code is warranted in the particular case. Contact should be made with the Manager Codes & Legislation, in the Commissioner's Auckland Office.
Step 3: Commissioner to review whether a code warranted. Sometimes it will be obvious that a code could have significant benefits. However, the need may not always be so apparent. In the latter case the Commissioner might consult with representative groups or seek public comment.
Step 4: Industry group prepares draft code. In nearly all cases it will be the industry group (or Government department, public interest group etc) which prepares a draft code. The Commissioner's office will not normally undertake this work.
Step 5: Draft code submitted to Commissioner. Normally the drafter of the code will have undertaken some consultation. Details of that consultation should be notified to the Commissioner. For some codes sensitivity to minority, ethnic and consumer group views would be appropriately met by some prior consultation.
Step 6: Commissioner gives public notice. The Commissioner gives notice that an application to issue a code of practice has been received and invites submissions (s.47(4) - only relevant to a code sought by a representative body - not applicable to a Commissioner initiated code).
Step 7: Submissions on code received. Submissions are then taken by the Commissioner. Further consultation with the promoter of the code and others will normally follow (s.47(4)(b)).
Step 8: Notification of intention to issue code. The Commissioner will give public notice of his intention to issue the code, stating that written submissions may be made within a specified period (s.48).
Step 9: Determination of code. The Commissioner, having given public notice, consulted with affected persons and considered submissions, finalises the code and formally issues it.
Step 10: Notification, availability and commencement. Once issued, notice in the Gazette is given telling where copies are available. The code comes into force not earlier than 28 days after notification (s.49).
1. These 10 steps relate to the circumstances in which a person proposes a draft code to the Commissioner. Where the Commissioner initiates the process himself the process may be slightly different as s.47 does not apply.
2. There is also provision for the urgent issue of a temporary code which would last for no more than twelve months (s.52). Although the 28-day period before which the code comes into force is waived, as is the formal notification and consultation procedures, the Commissioner may, if there is sufficient time, undertake consultation with the main Government departments or interest groups involved in the particular area.
3. A code or parts of a code may be disallowed by the House of Representatives under the Regulations (Disallowance) Act 1989.
4. These steps indicate what would commonly occur in the formulation of a code. However, in a particular case, the Commissioner may follow a different procedure within the framework permitted by the Act.
PREFERRED STYLE FOR CODES OF PRACTICE
Codes of practice should be written in clear modern English. Even where no substantive change is made from the information privacy principles the style and layout should be modelled upon the Health Information Privacy Code 1994. Some of the key stylistic and layout changes include the following:
1. Headings (or 'marginal notes')
Headings should appear in bold on a separate line from the clause or rule to which they relate.
2. Clause numbers
The clause numbers should follow the heading to the clause on a new line. This differs from the standard approach in New Zealand statutes.
Where a clause or rule includes a list the phrase preceding the list should conclude with a colon and not some other formulation (such as a dash (-) or a dash combined with a comma (,-)). Generally each line in the list should commence with a lower case letter and conclude with a semi-colon.
Definitions should appear in the interpretation clause in the manner shown in clause 3(1) of the Health Information Privacy Code. That is, the word or phrase being defined should be shown in bold rather than within quotation marks.
5. 'Shall' not to appear
The word 'shall' should be replaced with, depending upon the context, either 'must' or 'is to'. For guidance see the Health Information Privacy Code.
The information privacy principles sometimes use the formulation 'subclause (1) of this principle'. This is to be avoided. Within a rule the reference should simply be to 'subrule (1)'. Within another rule the reference should be to 'subrule (1) of rule 6'.
7. Contents Page
Codes should include a list of their contents. The Health Information Privacy Code shows how this may be displayed.
Indenting should follow the Health Information Privacy Code style.
9. Schedules and Appendices
Lists of items or detailed procedural steps can usefully be removed to a schedule if this will improve clarity. A schedule will form part of the code as formally issued. Appendices may be used to restate useful information (such as extracts from statistics) which do not form part of the code.
Generally codes issued under Part VI of the Act will be entitled 'name of agency, sector, type of information or activity Information Privacy Code year of issue'. A code issued under Part VII will usually include the name of the register in the title. A code issued in reliance on s.52 will have 'temporary' appear at the end of the title.
11. Capital letters
Capital letters should not be overused but reflect normal modern usage. Be guided by the Health Code.