Proposed revocation of the Biometrics Institute Privacy Code: Consultation paper
On 1 February 2012, the Privacy Commissioner received a letter from the Biometrics Institute (Institute) requesting that the Commissioner exercise his power to revoke the Biometrics Institute Privacy Code (BI Code) on his own initiative.
In summary, the Institute seeks revocation of the BI Code on the basis that:
- The subscription rate from Institute members has been low
- The BI Code has become less relevant in the context of other privacy awareness raising activities and materials developed by the Institute
- The BI Code has become less relevant in the context of the changing environment of privacy threats in relation to biometric technology
- The Institute wishes to pursue a more flexible targeting of privacy awareness programs and policies
- The Institute is seeking to build a privacy promotion strategy that better reflects the diversity of its members.
- The Institute seeks to move away from promoting a culture of privacy protection in terms of basic compliance, towards promoting it as leading practitioners.
The Privacy Commissioner invites your comments on the proposed revocation of the BI Code.
What is a privacy code?
The National Privacy Principles (NPPs), set out in Schedule 3 to the Privacy Act 1988 (Cth) (the Privacy Act), regulate the way that private sector organisations collect, use, keep secure and disclose personal information.
Part IIIAA of the Privacy Act provides for organisations and industries to have and to enforce their own privacy codes.
Organisations may apply to the Information Commissioner for the approval of a privacy code (s18BA).
Once the Commissioner approves a code, it replaces the NPPs for the organisations bound by the code.
Privacy codes allow for some flexibility in how a class of organisations or a specialised industry approaches its privacy obligations but, at the same time, ensure that minimum enforceable standards apply to the protection of personal information.
The Commissioner may revoke his approval of a privacy code on his own initiative (s18BE(1)(a)), or on application by an organisation bound by the code (s18BE(1)(b)).
More information about privacy codes is available at: http://www.privacy.gov.au/business/codes
The Biometrics institute
The Institute (http://www.biometricsinstitute.org/) is an independent and international association engaged in research, analysis and education for biometric users, vendors and government agencies. The Institute has over 120 members.
The Biometrics Institute Privacy Code
The BI Code was developed by the Institute.
On 19 June 2006 the Institute applied for the Privacy Commissioner's approval of the BI Code.
In 19 July 2006, the then Privacy Commissioner granted approval to the BI Code. The approval and the BI Code are available here: http://www.comlaw.gov.au/Details/F2006L02406
The BI Code took effect on 1 September 2006.
The Institute is the administrator of the BI Code.
The aims of the BI Code are as follows:
- to facilitate the protection of personal information provided by, or held in relation to, biometric systems;
- to facilitate the process of identity authentication in a manner consistent with the Privacy Act and the NPPs; and
- to promote biometrics as privacy enhancing technologies (PETs).
The BI Code applies to those members of the Institute that subscribe to the BI Code.
To date, the Institute advises that 4 of its members are subscribed to the BI Code.
Section 18BE(2) of the Privacy Act provides that, before deciding whether to revoke the approval of a privacy code, the Commissioner must:
- (a) if practicable, consult the organisation that originally sought approval of the code or variation; and
- (b) consult any other person the Commissioner considers appropriate; and
- (c) consider the extent to which members of the public have been given an opportunity to comment on the proposed revocation.
If the Commissioner were to revoke the approval, the subscribers to the BI Code that are organisations covered by the Privacy Act would again be required to comply with the NPPs.
The Privacy Commissioner invites your comments on the proposed revocation of the BI Code, as requested by the Institute.
How to make comments
Comments on the proposed revocation should be submitted to the OAIC by COB 21 March 2012.
Submissions can be made by email to email@example.com, or by post to GPO Box 5218, Sydney NSW 2001.
To assist the OAIC to meet its obligations with respect to accessibility requirements, it is requested that email submissions be made in HTML, Rich Text Format (.rtf), or in Microsoft Word (.doc or .docx) format.
Note: The OAIC intends to make all submissions publicly available. Please indicate when making your submission if your submission contains confidential information which you do not wish to make public. Requests for access to confidential comments will be determined in accordance with the Freedom of Information Act 1982 (Cth).
Privacy collection statement
The OAIC will use the personal information it collects in the course of this review only for the purpose of its review of the BI Code.