Our reference: D2015/006907
SACC Review Secretariat
Financial Systems and Services Division
PARKES ACT 2600
Review of the small amount credit contract laws
I welcome the opportunity to comment on the Treasury’s consultation paper on the Review of the small amount credit contract laws (SACC Review). The Office of the Australian Information Commissioner (OAIC) is the national privacy regulator with responsibility for administering the credit reporting provisions contained in Part IIIA of the Privacy Act 1988 (Cth) (Privacy Act).
My comments below are focused on the privacy considerations raised in the consultation paper, and in particular on the parts of question 10 that raise privacy considerations. Question 10 seeks feedback on whether a national database for small amount credit contracts (SACCs) would enhance the ability of SACC providers to meet their responsible lending obligations. I consider that other stakeholders are better placed to comment on other aspects of question 10 (such as the costs and fees that should apply to use of the proposed database, and how use of the database should interact with other responsible lending obligations) and the other questions in the consultation paper.
In making the comments below, I recognise the importance of having a consumer credit regulatory framework that ensures that credit providers engage in responsible lending practices within Australia. I am also mindful that in order to comply with the responsible lending obligations contained in the National Consumer Credit Protection Act 2009 (the Credit Act), credit providers may be required to access personal information. However, any proposal to create a national database should balance the need to ensure that SACC providers can effectively meet their responsible lending obligations, with the interests of individuals in protecting their personal information.
The OAIC’s 2013 submission to ASIC
In February 2013 I made a submission (the OAIC’s ASIC submission) to the Australian Securities and Investments Commission (ASIC) on its Review of the effectiveness of an online database for small amount lenders (ASIC Review). The ASIC Review proposed a model for an online database which would contain information on SACCs to assist SACC providers to meet their responsible lending obligations. Question 10 in the current review seeks stakeholders’ input on the creation of a similar database to that proposed in the ASIC Review. The OAIC’s ASIC submission was comprehensive and the majority of the remarks made in that submission remain relevant to the current Review. The OAIC’s ASIC submission made the following key points:
- any proposal to make disclosure to (or use of) the proposed database mandatory would represent a significant shift away from current policy under Part IIIA of the Privacy Act, under which participation in the credit reporting system is voluntary
- mandatory disclosure to (and use of) such a database would have significant privacy impacts. There is also a risk that it may promote the collection and handling by SACC providers of more personal information than they may otherwise require for the purposes of assessing an individual’s creditworthiness, or result in the information being used for purposes other than those originally intended, and
- if a database is established, the risks posed by mandatory disclosure to the database and the use of the personal information contained in it could be mitigated in a number of ways, for example by restricting the information to be returned to SACC providers when they make an enquiry, to only the information necessary to discharge the relevant responsible lending obligations (for example, only whether the SACC candidate is ‘suitable’ or ‘unsuitable’, based on whether they have any listed SACC defaults, or have been party to more than two SACCs in the past 90 days).
These points are in summary form only, and I refer the Treasury to the entirety of the OAIC’s ASIC submission, subject to the further remarks made below.
2014 amendments to the Privacy Act
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 commenced in March 2014 and made substantial changes to the Privacy Act, including the introduction of more comprehensive credit reporting regulated under a new Part IIIA. In addition to expanding the types of information permitted to be held in the consumer credit reporting system, those amendments also broadened the definitions of ‘credit provider’ and ‘credit reporting body’.
The obligations in Part IIIA are also supported by a new binding code, the Privacy (Credit Reporting) Code 2014 (Version 1.2) (CR Code), which was developed by the Australian Retail Credit Association (ARCA) in consultation with industry and approved by the Information Commissioner. The CR Code sets out in detail how credit providers and credit reporting bodies can comply with their obligations in Part IIIA, and also imposes some additional obligations on these bodies in relation to their credit-reporting activities.
Database users and the administrator should be subject to appropriate data protection obligations
I reiterate the view that I expressed in the OAIC’s ASIC submission, that if a SACC database were to be created, all SACC providers, and the database administrator, should be subject to data protection obligations equivalent to those imposed on credit providers and credit reporting bodies by Part IIIA of the Privacy Act.
As a result of the 2014 amendments, it is likely that all SACC providers would now meet the definition of a credit provider, and any administrator of a future SACC database would likely meet the definition of a credit reporting body (as a body which carries on a business involving collecting, holding, using and/or disclosing personal information for the purposes of providing information to other entities about individuals’ creditworthiness). Therefore, if a SACC database were to be created, all participating SACC providers, and the database administrator, would likely be required to comply with the credit-reporting obligations imposed by Part IIIA in relation to information contained in that database.
In addition to imposing a range of obligations on both SACC providers and the administrator of any future SACC database, this will have implications for the types of information that would be able to be included in such a database.
Information to be included in the database
As outlined in TOR 2.1 of the SACC Review consultation paper, the Credit Act imposes a number of responsible lending obligations on SACC providers, including that SACC providers must not enter into a SACC with an individual who is receiving at least 50 per cent of their income from Centrelink, where the total repayments from all SACCs the individual is (or would be) a party to would exceed 20 per cent of the individual’s gross income.
To that end, I note that any personal information about an individual’s activities in relation to consumer credit that is not ‘credit information’ is not permitted to be disclosed to a credit reporting body under the Privacy (Credit Reporting) Code 2014 (Version 1.2) (CR Code). The CR Code gives effect to the intention of the new Part IIIA, which is that only limited types of information about an individual’s credit activities should be able to be included in an individual’s credit report. ‘Credit information’ is exhaustively defined in s 6N of the Privacy Act, and as noted in the consultation paper, does not include information about a person’s gross income, or Centrelink payment status. Therefore, the disclosure of this information by a SACC provider to the administrator of the proposed SACC database would not be permitted under the CR Code and would likely be an interference with the privacy of an individual under s 13(2) of the Privacy Act.
Principles of Reciprocity and Data Exchange (PRDE)
The SACC Review consultation paper seeks stakeholders’ views on whether a SACC database could allow SACC providers to access additional information that is not currently available to them through the credit reporting system. In that regard, I note that the Australian Competition and Consumer Commission (ACCC) has recently released a draft authorisation (A91482) in relation to the Principles of Reciprocity and Data Exchange (PRDE), developed by ARCA. The OAIC understands that the PRDE seeks to facilitate the implementation of more comprehensive consumer credit reporting, as permitted by the new Part IIIA of the Privacy Act. In particular, the PRDE seeks to introduce the principle of reciprocity, which I understand will determine the categories of credit information that credit providers are able to access from a credit reporting body, and oblige them to share the same categories with that credit reporting body in return. The OAIC understands the PRDE is intended to incentivise greater participation in the more comprehensive credit reporting system, and will likely lead to signatories sharing more credit information (and with more entities) than was previously the case.
As I commented during the ACCC’s consultation on the PRDE, the OAIC is not qualified to comment on the general advantages or disadvantages to the credit reporting market of the PRDE scheme, or on how the PRDE would interact with any proposed SACC database. However, I suggest that the Treasury should consider the potential effects of the PRDE when considering whether (and on what terms) a SACC database should be created.
Privacy Impact Assessment (PIA)
I also reiterate my recommendation in the OAIC’s ASIC submission that, should the proposal to create a national SACC database be adopted, the responsible Department should conduct a PIA as early as possible in the design process. A PIA is a written assessment which may assist the responsible Department in identifying the privacy impacts of the proposal, and provides an opportunity to set out any recommendations for managing, minimising or eliminating those impacts. In particular, undertaking a PIA may assist the responsible Department to determine:
- whether the proposal as a whole effectively balances the needs of SACC providers with any impacts on individuals’ privacy
- how the existing credit reporting laws in Part IIIA of the Privacy Act would impact upon the proposal to create a national SACC database, and
- if a database is to be established, whether any further safeguards are necessary to ensure that individual privacy is protected and, in particular, that the database is not used for purposes other than those for which it is intended.
I note that the OAIC strongly encourages the publication of all PIAs. For further information on undertaking a PIA please see the OAIC’s Guide to undertaking a privacy impact assessment.
Acting Australian Information Commissioner
19 October 2015
 See Part A of the OAIC’s ASIC Submission.
 Ibid, see Part D.
 See the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which entered into force in March 2014.
 See Parts B and C of the OAIC’s ASIC Submission.
 See section 6G of the Privacy Act.
 See sections 6 (definition of ‘credit reporting body’) and 6P of the Privacy Act.
 See, eg, paragraph 5.1 of the CR Code.
 See, eg, pages 3, 90 and 93 of the Explanatory Memorandum (EM) to the Privacy Amendment (Enhancing Privacy Protection) Act 2012. The EM also contains the Statement of Compatibility with Human Rights, which explains why, in the government’s view, any interferences with personal privacy authorised by the new Bill are justifiable and proportionate in light of the legitimate objectives pursued by Part IIIA (see pages 47-8).
 See pages 2-3 and 14-29 of the EM, above n 9.
 See the Key Recommendations and Part A of the OAIC’s ASIC Submission.