16 September 2019

The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment on the exposure draft of the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Bill 2019 (the draft Bill).[1]

Importantly, the draft Bill differs from the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018 (the 2018 Bill) by including amendments to the Privacy Act 1988 (Cth) (the Privacy Act) that change the reporting of financial hardship arrangements. The OAIC considers that aspects of this draft Bill that relate to comprehensive credit reporting are substantially similar to the 2018 Bill. The OAIC understands that the measures set out in this draft Bill are predominately intended to mandate the comprehensive credit reporting regime by requiring credit providers who are ‘eligible licensees’[2] to transition to the comprehensive credit reporting regime in two tranches by 29 June 2021.[3]

The OAIC understands that the regime is intended to provide credit providers (CP) and credit reporting bodies (CRB) with a more comprehensive view of a consumer’s financial situation and enable CPs to better meet their responsible lending obligations. The regime is also intended to provide consumers with better access to consumer credit through a more efficient and competitive credit market, and the ability to better demonstrate their credit worthiness.[4]

The full transition of eligible licensees to the comprehensive credit reporting regime will result in a significant increase in the volume of information in the consumer credit reporting system. The OAIC considers that the protections contained in the Privacy Act and the Privacy (Credit Reporting) Code 2014 (the CR Code) provide an important framework for managing the risks to personal information associated with these changes. These frameworks require entities operating in the credit reporting system to have robust information handling practices, which is essential to ensure that consumers are appropriately protected and have trust in the regime.

The OAIC understands that these amendments are intended to improve the comprehensiveness of credit reporting while appropriately balancing the interests of participants in the credit reporting system. An object of the Privacy Act is to ‘facilitate an efficient credit reporting system while ensuring that the privacy of individuals is respected’.[5] Striking an appropriate balance between the interests of participants of the credit reporting system, including individuals, CRBs and CPs, is therefore a central concern of the Privacy Act.

By proposing the collection and disclosure of additional credit information, the draft Bill will necessarily impact on privacy. Where new legislation has an impact on privacy, it is important to ensure that proposed measures are reasonable, necessary and proportionate to achieving a legitimate policy aim. One way to mitigate privacy risks is to establish safeguards and oversight mechanisms which are commensurate to the increased risk.

In this regard, the proposed amendments to s20Q of the Privacy Act, which we understand are intended to strengthen existing consumer credit data protections, confer new and technical regulatory functions on the Australian Information Commissioner. The Information Commissioner will also be required to approve amendments to the CR Code to particularise the rights and obligations of participants in the credit reporting system in relation to the proposed hardship reforms. The OAIC notes that effective oversight of these safeguards requires appropriate levels of resourcing to help to ensure that individuals have trust in the credit reporting system.

This submission covers several issues that arise under the draft Bill which are relevant to the privacy and information management functions of the OAIC, including:

  • data supply requirements in the draft Bill, including exceptions to the requirements
  • increased specificity as to the timeframes for the reporting and updating of consumer credit information
  • stronger data protection requirements for the storage of consumer credit information under the Privacy Act
  • the reporting of financial hardship information.

Data Supply

The OAIC supports the continuation of the existing co-regulatory arrangement between the Australian Securities and Investments Commission (ASIC) and the OAIC, as set out in the draft Bill.

Importantly, while the draft Bill introduces new measures, including obligations to facilitate the transition of eligible licensees to the comprehensive credit reporting regime, these measures do not alter the existing functions of the OAIC, nor do they limit the application of Part IIIA of the Privacy Act and the CR Code to consumer credit information.

As mentioned in previous submissions to Treasury[6] and the Senate Committees (enclosed),[7] several proposed amendments to the Credit Act in relation to the supply of consumer credit information will result in further intersections between the Credit Act and Privacy Act, creating areas of interoperability and joint administration.

Chief amongst these areas of interoperability is the requirement for CPs to supply information to CRBs in accordance with ‘supply requirements’,[8] which include, amongst other things, that the information supply is in accordance with the CR Code.

The OAIC notes that while ASIC gains the power to impose additional requirements on the supply of data by issuing a determination or approving technical standards under subsections 133CQ(2) and 133CQ(4) of the Credit Act, the CR Code will prevail to the extent of any inconsistency arising.[9]

The OAIC will continue to engage with ASIC where areas of regulatory oversight coincide. However, to ensure consistency with the privacy framework, the OAIC recommends that the draft Bill include a requirement for ASIC to consult the Australian Information Commissioner prior to exercising data-related powers.

Updating Consumer Credit Information

The OAIC notes that the draft Bill introduces additional specificity to the supply and updating requirements around consumer credit information.

Where an obligation under the Privacy Act or CR Code requires a CP who has supplied information to a CRB to update that information and no timeframe is otherwise specified in the Privacy Act or CR Code, the amendments to subsection 133CU(1) will now require information to be supplied within 45 days of the relevant change or update. That information can be supplied in bulk and need not be supplied separately for each event set out under that subsection.

The OAIC supports this reform, which will assist CPs and CRBs to understand their reporting obligations where no timeframe is specified under the Privacy Act or CR Code.

Stronger Data Protections

The OAIC welcomes measures in the draft Bill that are intended to strengthen existing consumer credit data protections.

In particular, under the proposed section 133CS of the draft Bill, a CP will not be required to supply consumer credit information to a CRB where the CP reasonably believes that the CRB is not complying with the data security requirements set out under section 20Q of the Privacy Act (including both existing requirements and new requirements). In doing so, the CP must notify the CRB, ASIC and OAIC.[10]

The OAIC also notes the proposed amendments to section 20Q of the Privacy Act regarding the storage of credit reporting information by CRBs, which are intended to place additional protections on this information.

This amendment imposes obligations on CRBs to ‘store’ credit information. The use of the word ‘store’, however, may cause ambiguity as it is not a term that is used in the Privacy Act. A more common concept under the Privacy Act is the word ‘hold’, which is defined under section 6 as follows:

an entity holds personal information if the entity has possession or control of a record that contains the personal information.

The OAIC has provided further clarification on the meaning of this term in the context of the Australian Privacy Principles, including that:

  • the term ‘holds’ extends beyond physical possession of a record to include a record that an APP entity has the right or power to deal with
  • whether an APP entity ‘holds’ particular information may therefore depend on the particular information collection, management and storage arrangements it has adopted.[11]

We ask the Treasury to consider whether it is appropriate to use the term ‘hold’ rather than ‘store’ in the proposed amendments to s20Q.

These proposed amendments also envisage a role for the Australian Information Commissioner in determining requirements for how a CRB must store credit reporting information. It will be important to ensure that the provisions create certainty about the envisioned role of any legislative instrument proposed by the Commissioner. We look forward to discussing these measures further with the Treasury in order to address any ambiguity.

Reporting of financial hardship information

The draft Bill proposes the introduction of financial hardship information into the credit reporting system. This includes two types of indicators under the definition of financial hardship information: a hardship arrangement indicator where repayments are made in accordance with a temporary variation to the terms and conditions of consumer credit, and a contractual variation indicator where a repayment is made on a permanently varied contract.

We understand that a purpose of introducing financial hardship information in the credit reporting system is to resolve an inconsistency in the reporting of repayment history information in situations where a hardship arrangement is in place. In particular, we note that the definition of hardship arrangement is intended to be broadly defined to include informal forbearances, indulgences and simple arrangements. We ask that the Treasury consider whether the proposed indicator applies to all circumstances where an individual might enter into a temporary arrangement with a CP, including these informal measures.

The OAIC acknowledges that there were a number of issues for industry and consumers associated with reporting financial hardship information, and that the reforms to the credit reporting system proposed in the draft Bill were prepared after consultation with stakeholders during the recent review into financial hardship arrangements.

We recommend that any additional amendments to the draft Bill continue to focus on finding the most appropriate balance between the interests of relevant participants in the credit reporting system. Protections for financial hardship information should be appropriate, proportionate, and complement the existing protections for hardship arrangements contained under the National Credit Code.

The OAIC is available to engage with the Treasury further regarding issues raised as the Review progresses. If you would like to discuss these comments further, please contact Sarah Croxall, Director, Regulation & Strategy, on sarah.croxall@oaic.gov.au or 02 9284 9828.

Yours sincerely

Angelene Falk
Australian Information Commissioner
Australian Privacy Commissioner

Footnotes

[1] https://www.treasury.gov.au/consultation/c2019-t401119

[2] Under the draft Bill, an eligible licensee must be a credit provider as defined in the Privacy Act 1988 (Cth) (see s 5(1) and 133CN of the draft Bill).

[3] National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Bill 2019, Exposure Draft Explanatory Materials (Draft EM), para 1.17.

[4] Draft EM, para 1.12.

[5] Privacy Act 1988 (Cth), s 2A.

[6] https://treasury.gov.au/sites/default/files/2019-03/c2018-t279594-OAIC.pdf

[7] https://oaic.gov.au/engage-with-us/submissions/national-consumer-credit-protection-amendment-mandatory-comprehensive-credit-reporting-bill-2018-submission-to-the-senate-standing-committees-on-economics/

[8] Sections 133CR(1)(c) and 133CR(3)(c) of the draft Bill.

[9] Section 133CQ(5) of the draft Bill.

[10] Section 133CS of the draft Bill.

[11] OAIC 2019, Australian Privacy Principles guidelines – Chapter B: Key concepts https://oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-b-key-concepts/#holds.