31
Clubs Queensland Privacy Code. Codes currently being considered
include the Australian Casino Association Privacy Code; the Internet
Industry Privacy Code; and the Biometrics Institute Privacy Code. The
Commonwealth Attorney General has recently asked the Federal Privacy
Commissioner to conduct a review of, among other matters, the
effectiveness of the co-regulation model using industry codes.
4.3.15 In addition to fostering industry codes, legislation or policy can mandate
or encourage Privacy Impact Assessments (PIAs) as a method to
anticipate privacy problems before they occur. PIAs, which have been
used extensively in New Zealand and are now being adopted in other
jurisdictions,19 are useful to assess risks arising from new technologies
or new applications of technology (e.g., electronic road pricing or
intelligent transportation systems) or where the use of privacy intrusive
technologies is being expanded (e.g., expanding data matching, drug
testing, or the use of closed circuit TVs in public places). New
endeavours, often initiated by governments, such as “smart cards” or
mergers of public data registries may also be suitable for PIAs.
4.3.16 Self-assessment of privacy protection by organisations is encouraged by
a number of countries. The Data Protection Commission in Ireland has
created a Data Protection Checklist20that allows companies to selfassess the adequacy of their own data protection policies. The Checklist
sets out a structured examination of data protection issues that can be
converted into a clear policy position on data protection by the company.
In Ontario, Canada, the Information and Privacy Commissioner has
developed a set of Best Practices for on-line data protection.21 These
outline areas that should be addressed by an organisation to effectively
protect the privacy of on-line customers and draw upon the OECD
Guidelines. The OECD itself has published a Privacy Statement
Generator, which provides guidance on conducting an internal review of
existing personal data practices and on developing a privacy policy
statement.22 Similar guidance has been provided by authorities in a
19
In Canada, for example, federal government departments are required to carry out a PIA for
any activity or action that may have privacy implications; see Treasury Board of Canada,
Privacy Impact Assessment Policy; www.tbs-sbt.gc.ca See also, the Guidelines issued by the
Management Board Secretariat in Ontario, Canada: www.gov.on.ca?MBS/english/fip/pia;
United States, E-Government Act, www.whitehouse.gov/omb/memoranda/mo3-22.html
20
www.dataprivacy.ie/3k.htm
21
Best Practices for Online Privacy Protection, www.ipc.on.ca
22
www.oecd.org; see also, OECD Working Party on Information Security and Privacy, Privacy
Online: Policy and Practical Guidance, 21-Jan-2003, DSTI/ICCP/REG(2002)2/Final.