Rules Mate

Developing a Binding APP Code Under Part IIIB

Part IIIB of the Privacy Act enables the Information Commissioner to register binding APP codes that set out how APP entities must apply or comply with one or more APPs.

Rules Mate Editorial. Published 2 June 2026.

Statutory framework

Part IIIB of the Privacy Act 1988 (sections 26A to 26W) establishes the legal framework for APP codes and credit reporting codes. An APP code is a written code of practice that details how the Australian Privacy Principles (APPs) are to be applied and which entities are bound by the code.

The Information Commissioner has the power to initiate the development of an APP code. This can occur through a request to a code developer under section 26G, if the Commissioner believes it is in the public interest. Alternatively, the Commissioner may develop and register a code themselves under section 26H, for example, if no industry developer responds to a request or the Commissioner deems it appropriate.

Crucially, any APP code must either impose additional obligations or be consistent with the APPs. The code cannot reduce the privacy rights of an individual as provided for within the Privacy Act.

Code development process

The process for developing a binding APP code requires adherence to the OAIC’s Guidelines for developing codes issued under Part IIIB. Code developers must undertake specific steps to ensure the code’s integrity and relevance.

A key requirement is consultation. Code developers must consult with APP entities likely to be bound by the code and consider any submissions received. Furthermore, members of the public must be given an adequate opportunity to comment on a draft of the code.

To submit a code for approval, developers must provide the Commissioner with three documents: a draft of the code itself, a statement detailing the consultation undertaken, and a statement explaining how the code complements the Australian Privacy Principles.

Registration and binding effect

A binding APP code must first be approved before it can have effect. Once approved, the Commissioner enters the code on the Codes Register kept under section 26U.

Registered codes are legislative instruments and are subject to disallowance by either House of Parliament under the Legislation Act 2003. This process provides parliamentary oversight of approved codes.

An APP entity bound by a registered code commits an interference with the privacy of an individual if it breaches the code. This is established under section 26A and means the Commissioner may investigate, accept undertakings or seek civil penalty orders for breaches of a registered code, in the same way as for breaches of the APPs (see OAIC investigation powers and s 52 determinations).

Current and upcoming codes

Several codes are currently registered under the Australian Privacy Principles (APP) framework. These include the Privacy (Market and Social Research) Code 2014, which applies to organisations within specific industry bodies, and the Privacy (Credit Reporting) Code 2024, registered under Part IIIA and binding credit providers and reporting bodies. The Privacy (Persons Reported as Missing) Rule 2024 provides guidance in relation to missing person investigations, supporting section 16AA.

A significant development is the forthcoming Children's Online Privacy Code 2026. This code is mandated by the Privacy and Other Legislation Amendment Act 2024 and must be in place by 10 December 2026.

The Children's Online Privacy Code 2026 will specifically address the privacy practices of social media services, relevant electronic services, and designated internet services that children are likely to access.

Frequently asked

Can an industry body voluntarily develop an APP code?

Yes. Section 26G allows the Commissioner to request code development, but industry developers can also propose a code to the Commissioner. The code must follow the OAIC's Guidelines for developing codes and meet the public consultation requirement before registration.

Is breach of a registered APP code enforceable?

Yes. Under section 26A, a breach of a registered code by an APP entity bound by it is treated as an interference with privacy under section 13, and the Commissioner can use the full range of investigation and enforcement powers, including section 52 determinations and civil penalties.
