Privacy Code (revoked)
You can access the document here: Biometrics Institute Privacy Code (de-registered) (Word 186KB).
The Biometrics Institute's mission is to promote the responsible use of biometrics. This mission has not changed since the Institute's establishment in October 2001.
Privacy principles in some form will be integral to the successful implementation of biometric technology, particularly in terms of the use and disclosure of the public’s personal information.
Biometrics will continue to play an important role in security and privacy protection, provided that there are rules which gain community acceptance. If the community has significant concerns about privacy, there will be less co-operation with new security procedures.
Reasons for the Privacy Code Development
Surveys conducted by the Institute in 2004 showed that there was a concern by a proportion of the community about threats to their privacy, which may be a by-product of the increased security regime.
This is why the Biometrics Institute, as a result of sponsorship from the Australian government, developed a Biometrics Institute Privacy Code, providing the Australian community with confidence that privacy protection will always be included when dealing with biometrics.
The Privacy Code was also developed to fill gaps in the Australian privacy legislation as the Australian Privacy Act 1988 is over 20 years old. Organisations could develop their own privacy codes, which when approved, replace compliance with the Australian National Privacy Principles.
The Australian Privacy Commissioner Karen Curtis approved the binding Biometrics Institute Privacy Code on the 19 July 2006. The Code came into operation on 1 September 2006, and was intended to cover the biometric industry in Australia. It formed part of the Australian privacy legislation.
Member organisations were invited to voluntarily sign up to the Code to comply. The number of signatories remained low but several members indicated they used the Privacy Code as a reference point for their privacy planning and operations.
Overview of the Privacy Standards of the Code (for guidance)
The Code included privacy standards that were at least equivalent to the Australian National Privacy Principles (NPPs) in the Australian Privacy Act and also incorporated higher standards of privacy protection in relation to:
- certain acts and practices in relation to employee records that otherwise would be exempt.
- the addition of three new Supplementary Biometrics Institute Privacy Principles 11, 12, and 13 in the Code:
  - Principle 11 deals with the protection of biometric information and in some ways supplements the data security obligations in NPP 4.
  - Principle 12 includes some added notice requirements, restricts some secondary uses without express free and informed consent and confers a right to request the removal of biometric information from a system. These obligations enhance NPP 1.3, NPP 1.5, NPP 2 and NPP 4.
  - Principle 13 introduces an obligation of accountability through an extra notice obligation, requires an audit of biometric systems to be undertaken, introduces the concept of holistic privacy management in relation to a biometric product or service, and mandates the use of privacy impact assessments. These requirements augment NPP 1, NPP 4 and NPP 5.1.
- the inclusion of specific requirements in the Code for code subscribers to be aware of and take account of relevant national and international standards for information protection and biometric systems.
Review of the Privacy Code in 2009
A review of the Code conducted in 2009 indicated several problems that member organisations faced in becoming a Code signatory. It was the view of both management and the reviewers that a major stumbling block to members formally signing up to the Code was the inadequate nature of the Privacy Act 1988. In particular, members polled pointed to the lack of national unified principles in the Act, the number of exemptions that were allowed under the Act and the various jurisdictions that regulated privacy in this country.
The Biometrics Institute wrote to the Australian Privacy Commissioner expressing its views that the Privacy Act desperately needs to be updated in order to reflect all the changes that have been made in society and technology since the Act was first implemented in 1988.
The Privacy Code Review particularly nominated the following weaknesses:
- the separation of government and non-government privacy principles
- the exemption from the Privacy Act of small business, media and those who work for political parties
- the separation of State and Federal jurisdictions, especially the variations from State to State
- the exemption of employee records from the Act
- the fact that, in the Act, Privacy Impact Assessments and Audits are not mandatory as is the case with the Biometrics Institute Privacy Code.
The Institute decided to continue promoting the content of the Privacy Code but also provide members with a Best Practice Privacy Awareness Checklist (PAC).
Biometrics Institute and Privacy Guidance 2012 and Beyond
In 2011, the Biometrics Institute examined the factors that are creating a changing environment for privacy and biometrics. Some of these relate to the Institute itself, which has grown significantly in membership and international reach. Other factors, such as changing technologies, market place developments, the increasing difficulties of jurisdictions dealing with a much more internationalised environment and the growth of major database companies, have motivated the Institute to make certain changes in its privacy strategies and policies.
In addition, there are delays in finalising the new privacy legislation in Australia; the Privacy Act 1988 is still under review.
The Biometrics Institute therefore requested the revocation of the Privacy Code and focused on other more effective ways to promote the responsible use of biometrics.
The revocation was granted on the 10 April 2012 by the Australian Privacy Commissioner. The information about the Code will continue to be available from this site as guiding information.
Further, any complaints made after the Code is revoked will be accepted by the Office of the Australian Information Commissioner (OAIC) pursuant to section 36 of the Act where such complaints relate to acts and practices that occurred while the Code was in force.
The Biometrics Institute has always maintained a suite of activities and policies to ensure that privacy considerations are built into all biometric projects and services. This suite has included:
- the former Biometrics Institute Privacy Code, which was in essence part of the Australian Privacy Act,
- the Privacy Awareness Checklist (PAC) for advising members implementing biometrics,
- a range of education and awareness programmes including advisories to non-members using biometrics and the presentation of special privacy sessions at conferences and seminars, and
- the Privacy Guidelines, which recognise that biometrics is now an international technology in an international market place covering a wide variety of regulatory regimes.