Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Green Paper on National Credit Reform; Submission to the Department of the Treasury (September 2010)

Office of the Privacy Commissioner 

Green Paper on National Credit Reform

1. The Office of the Privacy Commissioner (the Office) welcomes the opportunity to make a submission to the Department of the Treasury (the Treasury) on the Green Paper on National Credit Reform (Green Paper).[1]

2. The protection of consumer credit information is regulated by the Privacy Act 1988 (Cth) (Privacy Act) and is an important privacy issue for individuals.[2] The Office considers that it is very important to ensure that privacy protections are considered as part of any potential changes to the consumer credit regulatory framework. It is also important that the Privacy Act and the consumer credit regulatory framework are as clear and consistent as possible.[3] Inconsistencies can arise because of differences in things such as the definition of 'credit' and 'credit provider'. This process presents an opportunity to promote clarity and consistency.

3. Generally, the Office has not responded to specific questions posed in the Green Paper. Rather, the Office has directed its comments below to issues raised in each of the Green Paper's Chapters that intersect with privacy and/or the Privacy Act.

The Office of the Privacy Commissioner and credit reporting regulation

4. The Office of the Privacy Commissioner (the Office) is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) (Privacy Act), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT Government agencies, and personal information held by all large private sector organisations, private health service providers and some small businesses.

5. The Office also has regulatory functions in regard to the handling of individuals' consumer credit information under Part IIIA of the Privacy Act.

6. From 1 November 2010, the Office will be integrated into a new statutory agency, the Office of the Australian Information Commissioner (OAIC). The OAIC will bring together the three functions of privacy, freedom of information and advising the Australian Government on information management generally.[4]

Background to national credit reform

History of reform agenda

7. The Office understands that the Green Paper initiates the second phase of the Council of Australian Governments' (COAG's) credit reform agenda:

  • on 26 March 2008, COAG reached an in-principle agreement that the Australian Government would assume responsibility for regulating mortgage credit and advice, including non-bank lenders and mortgage brokers, as well as margin loans. COAG also agreed to investigate what other credit products, such as store credit and personal loans, best sat within the Commonwealth's regulatory responsibility
  • on 3 July 2008, COAG subsequently agreed that the Australian Government would assume responsibility for regulating all consumer credit products
  • on 2 October 2008, COAG agreed to a two phase implementation plan for the Australian Government to assume responsibility for all areas of consumer credit (Phase One and Phase Two).

Phase One of COAG's reform agenda

8. The Office understands that, as part of Phase One, the National Consumer Credit Protection Act 2009 (Cth) (Credit Act) was introduced. The Credit Act includes the National Credit Code at Schedule 1. The Credit Act commenced on 1 July 2010 and replaced the State and Territory administered Uniform Consumer Credit Code (UCCC).

9. The Office made two submissions during Phase One:

  • May 2009 submission to Treasury on the Draft National Consumer Credit Reform legislation
  • July 2009 submission to the Senate Economics Legislation Committee on the National Consumer Credit Protection Bill 2009.[5]

The Credit Act and credit regulation

10. The Office understands that the Credit Act regulates the provision of consumer credit by credit providers and other persons involved in the credit process, such as brokers and other intermediaries. A credit provider is defined in the Credit Act to mean a person that provides credit and includes a prospective credit provider.[6]

11. Under the Credit Act, credit providers are required to:

  • comply with the National Credit Code
  • hold an Australian Credit Licence (ACL) and comply with licensing obligations
  • comply with responsible lending obligations.

Phase Two of COAG's reform agenda - the Green Paper

12. Treasury states that the Green Paper canvasses community views on potential reform proposals being considered as part of Phase Two.[7] It sets out key issues for consideration, and in some cases, high level proposals for addressing some of these issues. The issues cover topics including:

  • provision of credit to small business
  • credit cards
  • reverse mortgages
  • investment lending
  • small amount short term lending
  • consumer leases
  • enhancements to the Credit Act
  • coverage of credit under the Credit Act and avoidance practices.

Privacy Act and credit reporting regulation

13. Part IIIA of the Privacy Act provides safeguards for individuals in relation to consumer credit reporting. In particular, it governs the handling of credit reports and other credit worthiness information about individuals by credit reporting agencies and credit providers.

14. The term 'credit provider' is defined in section 11B of the Privacy Act to include finance organisations such as banks, building societies, credit unions and retail businesses which provide loans or issue credit cards. Persons doing tasks reasonably necessary for purchasing, funding or managing, or processing an application for a loan through a securitisation arrangement also fall within this definition.

15. The Privacy Commissioner has the power under section 11B of the Privacy Act to determine additional organisations or agencies that may be included as credit providers for the purposes of the Privacy Act. For example, the current Classes of Credit Provider Determination provides that corporations are to be regarded as credit providers if they provide goods or services on terms that allow deferral of payment for at least seven days.[8]

16. Credit reporting agencies and credit providers may be required to comply with the National Privacy Principles (NPPs) in the Privacy Act in their dealings with commercial credit information, and the personal information which they hold more generally. There are also some provisions in Part IIIA that relate to commercial credit information. However, in general, Part IIIA is aimed at consumer credit rather than commercial credit.

17. The key requirements of Part IIIA include:

  • limits on the type of information which can be held on an individual's credit information file by a credit reporting agency. There are also limits on how long the information can be held on file
  • limits on who can obtain access to an individual's credit file held by a credit reporting agency. Generally only credit providers may obtain access and only for specified purposes
  • limits on the purposes for which a credit provider can use a credit report obtained from a credit reporting agency
  • a general prohibition on the disclosure by credit providers of credit reports and other credit worthiness information about an individual
  • rights of access and correction for individuals in relation to their own personal information contained in credit reports held by credit reporting agencies and credit providers.

18. Under section 18A(1) of the Privacy Act, the Privacy Commissioner is required to issue a Credit Reporting Code of Conduct[9] relating to credit information files and credit reports. Section 18B obliges credit reporting agencies and credit providers to comply with the Credit Reporting Code of Conduct. Under section 28A the Commissioner has the power to investigate an infringement of the Credit Reporting Code of Conduct and conduct audits to ensure that it is being complied with.[10]

Role of credit reporting regulation

19. An individual's credit file contains an aggregation of different types of personal information such as name, date of birth, and credit history.[11] The protection of this personal credit information is an important privacy issue for individuals because of the serious consequences that may arise if this information is inaccurate or mishandled. As research that the Office undertook in 2007 illustrates, the type of information individuals are the most concerned about is their financial information.[12] On this basis, there is a cogent reason as to why the regulation of credit reporting should always be seen as an integral part of any consumer credit regulatory framework.

20. In Australia, Part IIIA was introduced into the Privacy Act through the Privacy Amendment Act 1990 (Cth). The Second Reading Speech for the Privacy Amendment Bill 1990 states:[13]

'The great majority of Australians meet their credit commitments. In determining the appropriate form of privacy regulation for the credit reporting industry, what must be paramount is the fundamental right of these individuals to privacy. However, this must be balanced against both the need for businesses to operate efficiently, and the right of credit providers to protect their commercial interests. Also, the welfare of those borrowers who may get into difficulties or who are led into difficulties must not be forgotten. This Bill achieves that difficult balance.'

21. The importance of privacy protection has not diminished over time. For this reason, the Office believes it is important that the privacy protections that currently exist within the credit reporting provisions in Part IIIA are not diminished by reforms considered by the Green Paper.

22. It is also important that any reforms promote consistency across the Privacy Act and other regimes regulating credit.

Reform of the Privacy Act and Part IIIA

23. In 2008, the Australian Law Reform Commission (ALRC) 'Report 108 For Your Information: Australian Privacy Law and Practice'[14] (Report 108) was released. The ALRC made a number of recommendations in relation to reforming the Privacy Act, including the credit reporting provisions.

24. The Australian Government has committed to address the ALRC's recommendations in two stages. In December 2009, the Australian Government released its First Stage Response to the ALRC Report 108 (First Stage Response).[15]

25. In its First Stage Response, the Government supported redrafting the credit reporting provisions of the Privacy Act to make them clearer and easier to understand. The Government also supported more comprehensive credit reporting.

26. The Australian Government's draft legislative changes, reflecting its First Stage Response, are currently being considered by the Senate Finance and Public Administration Committee with a final reporting date of 1 July 2011.[16] The draft legislation is to be released and subject to the Committee's scrutiny in 4 stages:

  • the Australian Privacy Principles provisions (released June 2010)
  • credit reporting provisions
  • health and research provisions
  • provisions relating to the privacy powers of the Australian Information Commissioner.
  • 27. It is important that the reforms canvassed in the Green Paper are considered in light of the Government's proposed changes to the Privacy Act.

Chapter 2 of the Green Paper - Regulation of credit cards

Comprehensive credit reporting

28. The Green Paper refers to the Australian Government's 'proposed changes to the Privacy Act to accommodate positive credit reporting'. The Green Paper notes that as part of those changes, five additional categories of information will be included in an individual's credit file, including 'repayment performance history' information.[17]

29. The Office draws Treasury's attention to the following matters in the First Stage Response:[18]

  • the changes to the Privacy Act proposed by the Australian Government include changes to allow comprehensive credit reporting[19]
  • the proposed changes that allow comprehensive credit reporting are subject to sufficient privacy protections being put in place[20]
  • it is proposed that information about an individual's 'repayment performance history' may only be handled by credit providers subject to responsible lending obligations in the Credit Act.[21]

Unsolicited credit limit offers

30.  The Office refers to the Green Paper's discussion of 'unsolicited credit limit offers'.[22]   The Office understands that unsolicited credit limit offers may involve 'pre-screening' of individuals.  Pre-screening can be described as the ability of credit providers to use credit files to decide whether to exclude individuals from direct marketing offers, such as offers to increase credit limits.  In the Office's view, the current provisions in Part IIIA of the Privacy Act prohibit the use of credit files or credit reports for the purposes of:

  • direct marketing, such as deciding whether to include individuals in direct marketing offers
  • pre-screening of direct marketing lists.[23]

31. The ALRC considered the use and disclosure of personal information for the purposes of direct marketing and 'pre-screening' in its Report 108. [24] The ALRC Report 108 recommended that any new credit regulations should expressly prohibit the use or disclosure of credit reporting information for the purposes of direct marketing, including in relation to the pre-screening of marketing lists.[25]

32. The use of credit reporting information for the purposes of direct marketing or pre-screening raises significant privacy issues and is inconsistent with the policy objective of a robust regulatory scheme for credit reporting information. Generally, Part IIIA of the Privacy Act only permits credit providers to access and use credit files in connection with assessing an individual's application for credit. The use of credit files outside of this context, such as for direct marketing or pre-screening marketing lists, runs counter to this policy and is neither transparent nor open. The Office supported continuing the Privacy Act's prohibition on pre-screening in its May 2009 submission on the Draft National Consumer Credit Reform legislation,[26] and its July 2009 submission to the Senate Economics Legislation Committee on the National Consumer Credit Protection Bill 2009.[27]

33. In its First Stage Response, the Australian Government did not support the ALRC's recommendation in relation to 'pre-screening'. Rather, it proposed changes to the Privacy Act to allow the use or disclosure of credit reporting information for the purposes of 'pre-screening' where the purpose of the pre-screening is to exclude adverse credit risks from marketing lists. That pre-screening would be subject to specific requirements and limitations.[28]

34. The Office awaits detailed information on those specific requirements and limitations before it can make a considered analysis of the merits of any proposed change to the current protections in the Privacy Act. In the meantime, the Office would suggest that any proposals to change the regulation of credit limit offers that allow, approve or endorse (or could be misinterpreted as doing so) pre?screening activities that are not permitted by the current Privacy Act be advanced directly through the privacy law reform process.

Chapter 4 of the Green Paper - Regulation of investment lending

35. The Office understands that the Credit Act currently applies to credit provided to individuals for personal, domestic or household purposes, as well as credit provided to purchase residential investment properties.

36. Part IIIA of the Privacy Act currently applies to credit "that is intended to be used wholly or primarily for domestic, family or household purposes".[29]

37. As part of the proposed changes to the Privacy Act, the Australian Government intends to extend the protections of Part IIIA to credit provided to purchase residential investment properties.[30]

38. The Office supports that change. If it is made, it is understood that the types of credit to which the protections in Part IIIA of the Privacy Act apply will be similar (but not identical) to the types of credit to which the Credit Act currently applies.[31]

39. In its First Stage Response, the Australian Government explained the reason for the proposed extension of the Privacy Act:

'...[i]t is appropriate to ensure that credit transactions that are afforded protection under the [Credit Act] are adequately protected under the credit reporting provisions [in Part IIIA].'

40.  The Green Paper presents an option that may extend the types of credit regulated by the Credit Act to credit provided to individuals for investment purposes beyond the purchase of residential investment properties.[32]   Extension of the Credit Act in such a way will create further differences between the types of credit regulated by the Privacy Act and the Credit Act.  These differences may create a gap that results in some activities of providers of credit regulated under the Credit Act not falling within the Privacy Act's jurisdiction. This may lead to a divergent, fragmented approach to the regulation of privacy protections.

41. Accordingly, if additional types of credit provided to individuals are regulated by the Credit Act, the Office suggests that consideration be given to whether it is appropriate to extend the protections of Part IIIA of the Privacy Act to those types of credit.

Chapter 5 of the Green Paper - Regulation of short-term small-amount lending

Regulation of short-term loan credit providers

42. The Office notes that credit providers that provide "low-cost short-term" credit (that is, low-cost credit that is provided for a period not exceeding 62 days) are not regulated under the Credit Act.[33]

43. In contrast, corporations that provide goods or services on terms that allow deferral of payment for at least seven days are regarded as 'credit providers' for the purposes of the Privacy Act and fall within the jurisdiction of Part IIIA.[34]

44. As part of the proposed changes to the Privacy Act, the Australian Government intends to adopt a simplified definition of 'credit provider' under which those organisations and agencies that are currently credit providers for the purposes of the Privacy Act should generally continue to be credit providers.[35]

45. The differing types of credit providers to which the Credit Act and the Privacy Act apply may create a gap which may result in the activities of some short-term credit providers falling within the jurisdiction of Part IIIA of the Privacy Act but not the Credit Act.

46. The Office believes that this may create an inconsistent and more complex approach to privacy and consumer credit regulation. It may also create confusion amongst both credit providers and consumers as to the compliance obligations of credit providers.

47. The Office supports further consideration of aligning the types of credit providers covered by the Credit Act with those that fall within the jurisdiction of Part IIIA of the Privacy Act.

48. The Office made a similar submission in its May 2009 submission to Treasury on the Draft National Consumer Credit Reform legislation.[36]

Comprehensive credit reporting

49. See comments under 'Unsolicited credit limit offers' at paragraph 30 above.

Chapter 6 of the Green Paper - Regulation of consumer leases

50. The types of credit to which Part IIIA of the Privacy Act applies include loans that are:

  • hire-purchase agreements
  • contracts, arrangements or understandings for the hire, lease or renting of goods or services, other than a contract, arrangement or understanding under which:
    • full payment is made before, or at the same time as, the goods or services are provided
    • in the case of hiring, leasing or renting goods, an amount equal to the value of the goods is paid as a deposit for the return of the goods.[37]

51. The Green Paper sets out the current arrangements for the regulation of consumer leases in the Credit Act and raises the possibility of broadening the scope of the 'consumer leases' regulated by that Act.[38]

52. The Privacy Act extends to the hire, lease or renting of services. Currently, the Credit Act does not.

53. The differing types of leases to which the Credit Act and the Privacy Act apply may create a gap which may result in some activities of lessors falling within the jurisdiction of Part IIIA of the Privacy Act but not the Credit Act.

54. The Office believes this may lead to a divergent, fragmented approach to the regulation of privacy protections. It may also create confusion amongst lessors and consumers as to the compliance obligations of lessors.

55. For this reason, the Office suggests that consideration be given to whether it is appropriate to extend the protections of the Credit Act to the leasing of services.

56. The Office made a similar submission in its May 2009 submission to Treasury on the Draft National Consumer Credit Reform legislation.[39]

Chapter 7 of the Green Paper - Enhancements to the National Consumer Credit Protection regime

Canvassing of consumer credit at home

57. The Green Paper discusses the requirements of the Credit Act and other regulatory regimes that prevent or limit the ability of credit providers to make unsolicited sales of credit.

58. To the extent that any personal information is used for the purposes of making unsolicited contact with an individual, current and proposed provisions of the Privacy Act may prevent or limit the ability of credit providers to do so. In particular, the Office draws Treasury's attention to:

National Privacy Principle 2 .1(c) which contains requirements about the use of personal information for the 'secondary purpose' of direct marketing[40]

proposed Australian Privacy Principle 7 which will replace National Privacy Principle 2 .1(c) and which contains limitations and requirements about the use of personal information for the purpose of direct marketing. [41]

59. Any changes to the regulation of unsolicited sales of credit that are inconsistent with the privacy protections in the Privacy Act would be a departure from current policy. The Office believes that any such departure would need to demonstrate significant community benefit and be accompanied by strong privacy protections.

Chapter 8 of the Green Paper - Coverage of credit under the Credit Act and avoidance practices

60. The Green Paper discusses the practice of intermediaries arranging credit for individuals from private lenders.[42] Questions 6 and 7 in Chapter 8 of the Green Paper ask whether this type of lending should be regulated by the National Credit Code and if so, whether the lender should be required to hold a licence, or whether they should be exempt provided the intermediary is licensed.

61. In order to be a 'credit provider' for the purposes of the Privacy Act, the provision of loans must be a substantial part of the private lender's business or undertaking. [43] Private lenders not meeting that requirement would fall outside the jurisdiction of Part IIIA of the Privacy Act.

62. For reasons similar to those set out at paragraph 40 above in relation to Chapter 4 of the Green Paper, if additional persons are regulated under the National Credit Code and/or are required to be licensed, the Office would support consideration being given to the appropriateness of bringing those persons within the Privacy Act's jurisdiction.


[1] See the Commonwealth Treasury's website at http://www.treasury.gov.au/contentitem.asp?NavId=038&ContentID=1852

[2] See the Office of the Privacy Commissioner survey results: 2007 Community attitudes towards privacy in Australia.  Available on the Office's website at http://www.privacy.gov.au/business/research/index.html#1b

[3] The Green Paper at page iv states that the 'policy rationale is to provide a consistent national credit regime...'.

[4] Under the Australian Information Commissioner Act 2010 (AIC Act), commencing 1 November 2010, the Office of the Privacy Commissioner will be integrated into the new Office of the Australian Information Commissioner (OAIC), which will assume the regulatory functions under the Privacy Act 1988. The OAIC will have 3 statutory appointees: the Australian Information Commissioner as the CEO, the Privacy Commissioner and an FOI Commissioner. With the commencement of the AIC Act, references to the Office of the Privacy Commissioner will be deemed to be to the OAIC.

[5] The Office's submission are available at http://www.privacy.gov.au/materials/types/submissions?sortby=65

[6] See section section 204 of the National Credit Code at Schedule 1 to the Credit Act.

[7] See http://www.treasury.gov.au/contentitem.asp?NavId=038&ContentID=1852

[8] See Credit Provider Determination No. 2006-4 (Classes of credit providers) at http://www.privacy.gov.au/act/credit/deter4_06.html. Corporations which acquire the rights of a credit provider in respect of a repayment of a loan are also regarded as credit providers under Part IIIA of the Privacy Act - see Credit Provider Determination No 2006-3 (Assignees) at http://www.privacy.gov.au/act/credit/deter3_06.html

[9] http://www.privacy.gov.au/publications/crcc.doc

[10] Further information relating to the operation of Part IIIA of the Privacy can be found on the Office's website - http://www.privacy.gov.au/

[11] See section 18E of the Privacy Act which sets out the specified content of an individual's credit information file.

[12] Office of the Privacy Commissioner survey results: 2007 Community attitudes towards privacy in Australia. Available on the OPC website at http://www.privacy.gov.au/business/research/index.html#1b

[13] See Hon M.J. Duffy, Second Reading Speech for the Privacy Amendment Bill 1990, Commonwealth Hansard, House of Representatives, 4 December 1990.

[14] ALRC Report 108, May 2008, available at: http://www.austlii.edu.au/au/other/alrc/publications/reports/108/ 

[15] The Government First Stage Response is available at http://www.dpmc.gov.au/privacy/reforms.cfm.  The Office's synopsis of the main aspects of the Government First Stage Response is available at http://www.privacy.gov.au/law/reform

[16] More information can be found on the Senate Finance and Public Administration Committee's inquiry webpage.

[17] Green Paper, page 21.

[18] The Government First Stage Response is available at http://www.dpmc.gov.au/privacy/reforms.cfm

[19] The Commonwealth Government's proposed changes to allow comprehensive credit reporting are outlined at Chapter 55 of the Government First Stage Response.

[20] See response to Recommendation 55-1 in the Government First Stage Response.

[21] See response to Recommendation 55-3 in the Government First Stage Response.

[22] Green Paper, pages 29-30.

[23] See sections 18K, 18L and 18N of the Privacy Act.

[24] See paragraphs 57.63 to 57.128 of the ALRC Report 108, available at http://www.austlii.edu.au/alrc/publications/reports/108/

[25] See recommendation 57-3 in the ALRC Report 108, available at http://www.austlii.edu.au/alrc/publications/reports/108/

[26] See paragraphs 47 to 50 of the Office's May 2009 submission to Treasury on the Draft National Consumer Credit Reform legislation, available at http://www.privacy.gov.au/materials/types/submissions?sortby=65

[27] See paragraphs 26-31 of the  Office's July 2009 submission is to the Senate Economics Legislation Committee on the National Consumer Credit Protection Bill 2009,  available at http://www.privacy.gov.au/materials/types/submissions?sortby=65

[28] See response to Recommendation 57-3 in the Government First Stage Response.

[29] See definition of 'credit' in section 6(1) of the Privacy Act.

[30] See response to Recommendation 54-4 in the Government First Stage Response.

[31] See section 5 of the National Credit Code contained in Schedule 1 of the Credit Act.

[32] Green Paper, page 54.

[33] Section 204 of the National Credit Code, contained in Schedule 1 to the Credit Act, defines a credit provider as a 'person that provides credit and includes a prospective credit provider'.   Section 6(1) of the Code excludes short term credit from the Code's operation.  Short term credit includes the provision of credit limited to a period not exceeding 62 days, subject to limitations on the maximum amount of fees and charges, and interest charges.

[34] Credit Provider Determination No. 2006-4 (Classes of credit providers) at  http://www.privacy.gov.au/act/credit/deter4_06.html

[35] See response to Recommendation 54-4 in the Government First Stage Response.

[36] See paragraphs 39ff of the Office's May 2009 submission to Treasury on the Draft National Consumer Credit Reform legislation, available at http://www.privacy.gov.au/materials/types/submissions?sortby=65

[37] See the definitions of 'credit' and 'loan' in section 6(1) of the Privacy Act.

[38] Green Paper, pages 70-72 and 77.

[39] See paragraphs 37-38 of the Office's May 2009 submission to Treasury on the Draft National Consumer Credit Reform legislation, available at http://www.privacy.gov.au/materials/types/submissions?sortby=65

[40] The National Privacy Principles are contained in Schedule 3 to the Privacy Act.

[41] See clause 9 of the Exposure Draft of the Australian Privacy Principles, released for consultation on 24 June 2010. The Exposure Draft is currently being considered by the Senate Finance and Public Administration Committee and is available at http://www.aph.gov.au/senate/committee/fapa_ctte/priv_exp_drafts/index.htm

[42] Green Paper, pages 98-99.

[43] See section 11(B) of the Privacy Act.