The Privacy Amendment (Enhancing Privacy Protections) Act 2012 (Privacy Amendment Act) introduces a number of reforms to the Privacy Act 1988 (Privacy Act), which will commence on 12 March 2014.
These reforms include a new Part IIIA which regulates the handling of credit reporting information. In particular, the new s 20M prohibits a credit reporting body from using or disclosing credit reporting information that is de-identified, except for the purpose of conducting research in relation to credit.
Section 20M states:
- (1) If:
  - a credit reporting body holds credit reporting information; and
  - the information (the de-identified information) is de-identified;

  the body must not use or disclose the de-identified information.
- (2) Subsection (1) does not apply to the use or disclosure of the de-identified information if:
  - the use or disclosure is for the purposes of conducting research in relation to credit; and
  - the credit reporting body complies with the rules made under subsection (3).
- (3) The Commissioner may, by legislative instrument, make rules relating to the use or disclosure by a credit reporting body of de-identified information for the purposes of conducting research in relation to credit.
- (4) Without limiting subsection (3), the rules may relate to the following matters:
  - the kinds of de-identified information that may or may not be used or disclosed for the purposes of conducting the research;
  - whether or not the research is research in relation to credit;
  - the purposes of conducting the research;
  - consultation about the research;
  - how the research is conducted.
The OAIC has prepared a draft Privacy (Credit Related Research) Rule 2014 (Rule) for public consultation. For your reference, personal information is considered to be de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.
Purpose and Operation of the Rule
The purpose of s 20M is to only permit the use or disclosure of de-identified information for credit related research and where the use or disclosure complies with rules that the Commissioner makes under s 20M(3).
The Rule has been drafted in consideration of the matters set out in s 20M(4). The intention of the Rule is to provide a balance between credit reporting bodies’ use and disclosure of de-identified credit reporting information, and the protection of an individual’s privacy.
It should be noted that the Rule is intended to deal specifically with the use or disclosure of de-identified credit reporting information for the purpose of conducting credit related research. It does not apply to aggregated results arising from that research process, more specifically where those aggregated results cannot be disaggregated to extract or reconstruct de-identified credit reporting information.
Types of credit reporting information
Credit reporting information consists of two categories of personal information: the credit information about an individual that was disclosed to the credit reporting body by credit providers, and credit reporting body (CRB) derived information. The OAIC has not attempted, in the Rule, to limit the types of de-identified credit reporting information that may be used by credit reporting bodies.
Purpose of Research
The Rule lists three categories of research as permitted purposes. This coverage for the use and disclosure of de-identified information is counter-balanced with privacy protective measures.
There is an absolute prohibition on the re-identification or attempted re-identification of de-identified information (except where re-identification is required by law). Further, de-identified information that is unintentionally re-identified must be destroyed.
Credit reporting bodies are also required to perform risk assessments to identify the appropriate techniques to de-identify information, and take reasonable steps to ensure the de-identified information cannot be re-identified. For guidance on de-identification methods and reasonable steps to be taken to de-identify credit reporting information, refer to the OAIC’s guidance on De-identification of data and information.
Measures have been included in the Rule to restrict the disclosure of de-identified information by credit reporting bodies to other entities. Under the Rule, credit reporting bodies are limited to disclosing de-identified information for a permitted purpose to entities with an Australian link. This replicates the general position of Part IIIA that the credit reporting system is to be an Australian credit reporting system.
Credit reporting bodies must also take reasonable steps to ensure that, when they disclose de-identified credit reporting information, the entity receiving the information does not re-identify or attempt to re-identify the de-identified information, destroys the information if it is re-identified unintentionally, and does not disclose the de-identified information to any other entity.
What constitutes reasonable steps will depend on the circumstances, but it is generally expected that a credit reporting body will enter into an enforceable contractual arrangement requiring the entity receiving the information to comply with these requirements.
To promote greater openness and transparency around the handling of de-identified information, credit reporting bodies are required, in their privacy policies, to disclose to customers that they use de-identified information when conducting credit related research.
How to make a submission
Submissions can be made by:
- Email: firstname.lastname@example.org
- Post: GPO Box 5218 Sydney NSW 2001.
Electronic lodgement of submissions is preferred. Submissions must be received by Friday 21 March 2014.
Note: The OAIC intends to make all submissions publicly available. Please indicate when making your submission if your submission contains confidential information which you do not wish to make public. Requests for access to confidential comments will be determined in accordance with the Freedom of Information Act 1982 (Cth).
To assist the OAIC to meet its obligations with respect to accessibility requirements, we request that emailed submissions be made in HTML, Rich Text Format (.rtf) or Microsoft Word (.doc or .docx) format.
Privacy collection statement
The OAIC will only use the personal information it collects during this consultation for the purpose of revising and finalising the rules.