Privacy Codes of Practice

A privacy code of practice is a legal instrument which allows a public sector agency or organisation to make changes to an Information Protection Principle (IPP) or provisions that deal with public registers, specify how that rule will apply in a particular situation.

What is a Privacy Code of Practice?

A Privacy Code of Practice is a legal instrument which allows a public sector agency or organisation to make changes to:

• an Information Protection Principle (IPP)
• provisions that deal with public registers
• specifically, how that rule will apply in a particular situation.

Codes must not be stricter than the principles and they should not be seen as a tool for blanket exemptions to the principles. Codes of Practice must still meet a number of requirements to ensure that they protect privacy.

Who can make a Code of Practice?

Both agencies and the Privacy Commissioner can prepare Privacy Codes of Practice. Agencies must consult the Privacy Commissioner when preparing Privacy Codes of Practice to modify the application of one or more IPPs or the public register provisions of the Privacy and Personal Information Protection Act 1998 (PPIP Act), or specify how they are to be applied to particular activities or classes of information. Draft Codes need to be submitted to the Attorney General or Minister for Health who may decide to make the Code.

Health Privacy Codes of Practice can be made by an agency/organisation or the Privacy Commissioner to modify the application of one or more Health Privacy Principles (HPPs) of the  Health Records Information Privacy Act 2002 (HRIP Act) or the provisions for the private sector.

How is a Privacy Code of Practice made?

Codes of Practice under both the PPIP Act and the HRIP Act follow a five-step process. Agencies wishing to apply for a Privacy Code of Practice under the PPIP Act can do so under Part 3 of the Act. Agencies/organisations who wish to apply for a Health Privacy Code of Practice can do so under Part 5 of the HRIP Act.

The five-step process: 

1. The draft Privacy Code needs to be submitted by the agency/organisation to the Privacy Commissioner before it is submitted to the Attorney General or Minister for Health
2. The Privacy Commissioner may make a submission to the Attorney General or Minister for Health
3. The Minister may, after considering any submission by the Privacy Commissioner (and Attorney General, in the case of HRIP Act), decide to make the Code 
4. Parliamentary counsel then completes a final drafting 
5. The Code is published in the Gazette.

It is highly recommended that agencies wishing to submit a Code give advance notice to the Privacy Commissioner on the need for a Code and any supporting material such as a business case before preparing their draft Code.

For further information, the Privacy Commissioner has issued a Guidance on the preparation and assessment of Privacy Codes of Practice under the PPIP Act and HRIP Act.

Codes of Practice

To date, the following Privacy Codes of Practice have been approved and gazetted.

• Privacy Code of Practice for IDSupport NSW 1 July 2022
• Privacy Code of Practice for the Judicial Commission of NSW 22 October 2021
• Privacy Code of Practice for Local Government revised 20 December 2019
• Privacy Code of Practice for the Public Service Commission 3 August 2018
• Privacy Code of Practice for the Automatic Referral Pathway updated November 2022
• Privacy Code of Practice for the exchange of information by participating agencies in the Youth on Track scheme 29 March 2018
• Privacy Code of Practice for the Extra Offender Management Service May 2017
• Privacy Code of Practice for the NBN 2016
• Privacy Code of Practice: Department of Education and Training 2012
• Privacy Code of Practice (General) 2003 (external link) includes Part 4 dealing with Human Services made and commenced 1 July 2005, Part 5 dealing with Corrective Services, Part 6 dealing with Ageing, Disability and Home Care Services, Part 7 dealing with Registry of Births Deaths and Marriages and Part 8 dealing with Domestic Violence Intervention Court Model. Part 5 and 6 were commenced on 15 September 2006, Part 7 on 31 December 2009 and Part 8 on 4 June 2010.
• Privacy Code of Practice for the Bureau of Crime Statistics and Research 30 June 2000 (PDF)
• Privacy Code of Practice for the Office of the Director of Public Prosecutions 30 June 2000 (PDF)
• Privacy Code of Practice: Department of Housing 30 June 2000 (PDF)
• Privacy Code of Practice: Law enforcement and investigative agency access to personal information contained in public registers (PDF)
• Privacy Code of Practice for the Legal Aid Commission 30 June 2000 (PDF)
• Privacy Code of Practice: NSW Police Service 30 June 2000 (PDF)
• Privacy Code of Practice for the Office of Fair Trading (PDF)

To date the following Health Privacy Codes of Practice have been approved and gazetted.

• Health Records and Information Privacy Code of Practice for the Automatic Referral Pathway 9 November 2018
• Health Privacy Code of Practice for the Public Service Commission 28 September 2018
• Health Privacy Code of Practice for exchange of information by participating agencies in the Youth on Track scheme 13 April 2018
• Health Records and Information Privacy Code of Practice 2005 (external link)
• Privacy Code of Practice for NSW Health 30 June 2000 (PDF)

Expired Codes

• Privacy Code of Practice for Law Enforcement and Investigative Agency Access to Public Registers

Codes can also be made under the HRIP Act, see Exemptions and Codes made under the HRIP Act.