That Code was developed by the Institute under Part IIIAA of the Privacy Act 1988 (Cth), which as part of the co-regulatory regime embodied in that Act provides for organisations and industries to have - and enforce - their own privacy codes. The private codes supersede the National Privacy Principles (NPPs) that would otherwise bind the organisations subscribing to the particular codes. Code development involves a representative organisation applying under s18BA of the Act to the Privacy Commissioner (now part of the national Information Commissioner's office) for formal approval of a privacy code. Under s 18BE(1)(a) the Commissioner may revoke approval of a privacy code on his/her own initiative. Under s18BE(1)(b) the code may also be revoked on the basis of an application by an organisation bound by the code.
The Institute's letter requested that the Commissioner exercise his power to revoke the Biometrics Institute Privacy Code on his own initiative. That mechanism is interesting and may reflect past practice where the Office of the Privacy Commissioner appears to have solicited requests by particular stakeholders, a closeness that for some observers raises questions about potential conflicts involving a government agency that has both a policymaking and deliberative function.
In response to the letter the Privacy Commissioner has invited public comment on the proposed revocation of the Code, issuing a consultation paper to assist comments. Unfortunately the consultation paper, consistent with similar Privacy Commission documents, is very thin ... so thin as to have little value to most readers.
The Code aims to -
• facilitate the protection of personal information provided by, or held in relation to, biometric systems;The Institute seeks revocation of the Code on the basis that -
• facilitate the process of identity authentication in a manner consistent with the Privacy Act and the NPPs; and
• promote biometrics as privacy enhancing technologies (PETs)
• The subscription rate from Institute members has been low (a mere four of the Institute's members are subscribed to the Code)Comments on the proposed revocation should be submitted by 5pm 21 March 2012.
• The Code has become less relevant in the context of other privacy awareness raising activities and materials developed by the Institute
• The Code has become less relevant in the context of the changing environment of privacy threats in relation to biometric technology
• The Institute wishes to pursue a more flexible targeting of privacy awareness programs and policies
• The Institute is seeking to build a privacy promotion strategy that better reflects the diversity of its members
• The Institute seeks to move away from promoting a culture of privacy protection in terms of basic compliance, towards promoting it as leading practitioners.
The consultation raises questions about the efficacy of the various privacy codes. Do we indeed need discrete industry-specific codes, rather than a more coherent statement of principles (supplemented by operational guidance) and meaningful enforcement on the part of the Information Commissioner's office?
The Institute's site indicates that -
The Biometrics Institute Privacy Code was designed for the protection of Institute members and their clients. It has been approved by the Australian Privacy Commissioner in 2006 and is part of the Australian Privacy Act. It enables you to guarantee that you protect your clients’ privacy in a professional manner. It is your benchmark and your evidence that you have in place systems and procedures that comply with Australia’s Privacy Act.The same site indicates that the Institute has developed a Biometrics Privacy Charter and a Privacy Awareness Checklist, as follows -
Due to the delays in finalising the new privacy legislation in Australia and the more international outreach of the Biometrics Institute, we have decided to be proactive and upgrade our suite of privacy protection and awareness measures through a Privacy Charter and other related information. The Biometrics Institute has therefore requested a review of the Code and the potential need to de-register it.
Biometrics Privacy CharterOn a quick examination the Institute's commitment to transparency does not appear to be truly heartfelt, as neither the Charter nor the Checklist appear to be readily available to non-members. (Membership starts at $704 as of this year). The value to the public of a somewhat inaccessible document - "the public's assurance" - is unclear.
The Biometrics Institute has launched a Biometrics Privacy Charter in November 2011. It has been designed by the Biometrics Institute to provide a universal guide for suppliers, end users, managers and purchasers of biometric systems. It is the public’s assurance that the biometric managers have followed best practice privacy principles when designing, implementing and managing biometric based projects.
Members of the Biometrics Institute can access this Privacy Charter and become Supporters who demonstrate a commitment to privacy protection.
Biometrics Institute Privacy Checklist (PAC)
The Biometrics Institute launched its Privacy Awareness Checklist (PAC) for members of the Biometrics Institute in May 2010 to assist members in a quick an easy way to assess privacy impacts when using biometrics. It provides a snapshot in time of where the organisation sits in regards to privacy.
Members can access this PAC.
And the Code? Given that the Institute's moved on the Code is not readily discernible on that organisation's site (although it can be found via a link on the Privacy Commissioner's increasingly moribund site). It is most easily found as the Schedule in the Approval of the Biometrics Institute Privacy Code (F2006L02406) in the Commonwealth Register of Legislative Instruments, accessible through a link in the consultation paper.