30
4.3.11 Most countries, with the exception of the United States, have set up data
protection agencies (i.e., Data Protection Commissioners, Privacy
Commissioners) with varying degrees of oversight, enforcement power,
and regulatory or advisory powers. In some regimes, self-regulation
through industry codes of practice plays a stronger role than in others.
4.3.12 Canada has taken an approach with both broad coverage across the
public and private sectors generally and legislative regime that has
proved to be controversial and, some would argue, confusing and
burdensome to implement. These concerns may be indicative of the fact
that the regime is in its early stages and that there are a mix of federal
and provincial legislation, but do raise questions of whether Botswana
should look to Canada as a model. The federal Canadian legislation,
which is coupled with e-commerce legislation (discussed above), is the
Personal Information Protection and Electronic Documents Act.17 Like
most personal privacy protection regimes, the Canadian legislation
provides for exceptions to the application of the Principles. For example,
information about an individual may be collected without his knowledge
or consent in the course of an investigation into a contravention of laws
or if it is for the purpose of acting in respect of an emergency that
threatens life or health. Disclosures may be made for such purposes as
national security, law enforcement or where required by law. These are
common exemptions, but statutory language and scope require careful
consideration.
4.3.13 Australia, New Zealand, the Netherlands, Ireland, the United Kingdom
and Hong Kong (among others) have approaches to personal privacy
protection that place a more specific emphasis on industry or situational
codes of conduct. For example, the UK Data Protection Registrar has
developed a Code of Practice on Closed Circuit Television Cameras.
New Zealand has several codes that may impose more or less stringent
conditions on particular industries, including a Code for the Health Care
Industry and a Telecommunications Information Privacy Code.18
4.3.14 Australia’s Privacy Act 1988 (Cth) was the first to establish National
Privacy Principles that could be replaced by authorised industry-specific
codes that met the objectives of the Principles. Each code must have a
“code administrator” to enforce the code. Fewer codes have been
registered than anticipated, but include the Market and Social Research
Privacy Code; the General Insurance Information Privacy Code; and the
17
18
S.C. 2000, c.5.
See www.privacy.org/nz