Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner

Credit Smart Day

Speech by Timothy Pilgrim to ARCA breakfast, Melbourne / Sydney 6 and 7 May 2015

Good morning, everyone. I would like to begin by acknowledging the Gadigal people of the Eora Nation, the traditional custodians of this land and pay my respects to their Elders both past and present.

I would like to thank Damien Paull for giving me the opportunity to speak with you at this morning’s breakfast.

We are three days into Privacy Awareness Week (PAW) — it’s been a big week so far, so thank you for your assistance in raising privacy awareness amongst your staff and stakeholders.  Attendance at PAW events has been very encouraging, with our launch event on Monday sold out, as were our privacy impact assessment workshops in both Sydney and Canberra.  We have had over 200 partners register to make a commitment to privacy and I know there are a lot of Australian Retail Credit Association (ARCA) members here today who have joined us in our campaign so thank you very much.

As you are no doubt aware, it has been an extremely busy year for privacy, and credit reporting in particular.  The introduction of comprehensive credit reporting, implementing measures to comply with the new requirements in the Privacy Act 1988 (Privacy Act) and the Privacy (Credit Reporting) Code, as well as the development of the credit industry’s code on Principles of Reciprocity and Data Exchange, have all been significant and resource intensive changes for the credit industry.  But it is that very fast-paced and transformative nature of the past year that, to my mind, makes opportunities to engage with colleagues in this industry all the more important.

For our office, the last 12 months has seen us direct our focus on increasing organisations’ and agencies’ understanding of compliance with the new laws.  Significant effort has been given to developing guidance that increases awareness and education of individuals, organisations and agencies, about their rights and responsibilities under the Privacy Act.  This in turn has necessitated extensive engagement with our stakeholders in the credit industry, and also more generally with stakeholders captured by the Australian Privacy Principles (APPs).  For those in the room that have contributed to our consultations, thank you.

That said, alongside this education and awareness campaign, there is also a significant role played by our office regarding ongoing compliance with the Privacy Act.  This financial year we have already received 2475 privacy-related complaints, including dealing with a number of credit-related representative and group complaints, and we have also received 94 data breach notifications.

In relation to complaints to our office, of the 1093 credit-related complaints received since 12 March 2014, 216 are about conduct that occurred after that date.  The main issues in those complaints remain similar to previous years, i.e. disputed defaults and enquiries, accuracy (particularly in relation to merged files) and difficulties in freely accessing and correcting credit reporting information.

I have also made 6 privacy determinations this financial year and, for the first time, used the new enforceable undertaking power.  However, in line with our Privacy Regulatory Action Policy released last year, prior to utilising the new regulatory powers, our office will continue to work with organisations to try and achieve good privacy practice outcomes in the first instance.  And just on that topic, yesterday we released for public exposure the remaining chapters of our accompanying Guide to privacy regulatory action.  This follows the first set of chapters being released last year.

This guide complements our regulatory action policy by addressing each of the major regulatory powers under the Privacy Act and giving stakeholders a more detailed explanation of how we will exercise each power.  Read together, these two resources will help you understand, and work with our regulatory approach, so we look forward to any feedback you may have on these chapters.

Fourteen months into the new world, our regulatory focus is changing.  We need to move from tick box compliance to look more holistically at how we create the right environment to make sure privacy is built into business as usual and is used as a tool to enhance customer trust and confidence.  We are turning to focus on the requirement in APP 1.2 that organisations take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs.  This makes clear that the protections of privacy cannot be considered an afterthought, but instead should be integrated into all business processes. Furthermore, this highlights that personal information is an important asset to any business, and the promotion of privacy as an asset to be respected, managed and protected, should be the cornerstone of all business decisions.

The Privacy Management Framework

On Monday I launched the Office of the Australian Information Commissioner’s (OAIC) new Privacy management framework (Framework), a tool to help organisations to embed a culture of privacy and comply with APP 1.2.  We recognise that this is an area where organisations need some help so we have developed the Framework to assist with developing, implementing and reviewing privacy management programs and related governance structures.  There is a growing international awareness of the need for this kind of framework to assist organisations with the fundamentals of privacy governance.  Privacy governance is essential to make sure you have the leadership, resources and accountability to put the necessary practices, procedures and systems in place to ensure good privacy management.  The Framework emphasises governance, leadership and accountability as forming the basis of robust privacy management. It provides practical guidance on how to establish a privacy management plan, an action oriented document that sets out how you will embed a culture of privacy that enables compliance, establish robust and effective privacy practices, procedures and systems, and evaluate and enhance them.

Within each of the four steps in the Framework are a range of commitments that you should make to protect privacy and improve your processes.  Not all commitments will be appropriate for all organisations or agencies, but, as with all aspects of compliance with the APPs, you need to make informed decisions about what is right for your organisation.  I encourage all organisations here this morning to carefully consider how they can implement this framework.  As part of this encouragement, it is useful to note that it is more effective, and ultimately cheaper, for organisations to embed privacy in day-to-day processes than it is to respond to privacy issues and data breaches as they arise.

As leaders in the credit industry and in your organisations, your commitment to a culture of privacy that values personal information will help embed this culture in your organisation, and in turn create a wider recognition of the integral role that privacy needs to play in today’s business community.  Further, taking steps to implement the framework by developing and implementing a privacy management plan will assist your organisation to demonstrate that it has taken reasonable steps to comply with APP 1.2, and other APPs, in the case of a complaint or a data breach.

Whilst we are on the topic of APP 1, I would also like to mention that we have developed an assessment schedule that allows us to strategically assess specific privacy-related issues.  An essential component of a privacy management program is having an APP privacy policy and we’ve just completed an assessment of the privacy policies of 20 public and private sector websites, checking for APP 1 compliance.  The assessment considered the online privacy policies of organisations and agencies across a variety of sectors, including finance, government, media and social media.  On the positive side all 20 entities had a privacy policy that was easy to find.  However our findings indicated that there was certainly room for improvement in the quality and readability of some of the privacy policies.  Now is a good time to review your organisation’s policy.

Credit

Credit education

Turning now to the credit reporting system, as I noted earlier, over the past twelve months our office has focussed on providing guidance and advice aimed at increasing awareness and education about the reforms to the Privacy Act, including the new credit reporting laws.

The importance of this educative role in the credit reporting environment cannot be underestimated.  In a recent survey conducted by Experian, 65 per cent of the 1000 Australians surveyed incorrectly believed that contributing to superannuation, or saving money, can have a positive impact on their credit score. Furthermore, 33 per cent of participants said they were nervous about their ability to access and manage credit, while only 23 per cent understand what a credit score is, and how it is used by lenders to grant credit.

What these figures demonstrate is the big role that the credit industry, in conjunction with the OAIC, still needs to play to address this misunderstanding.  In an industry that deals with highly technical and sensitive information, raising the general level of understanding about how an individual’s credit information is handled should be a key objective of all participants in the credit industry.  This greater level of understanding, coupled with increased transparency of the personal information handling practices that occur within the credit reporting system itself, will ultimately benefit your organisations by engendering trust from individuals towards the credit industry.

I am therefore encouraged to see services such as the Credit Smart website that aims to help consumers understand, in simple and engaging ways, how credit reporting operates in Australia.  This is an invaluable, industry-led resource for individuals to decipher how their credit information is being handled and utilised by credit reporting bodies and complements our own credit fact sheets series for consumers.

Free credit reports

Aside from these online services, the best way to assist individuals to understand their own credit information is by giving them access to their credit reports. Shortly after the commencement of the 2014 amendments, the OAIC saw a spike in credit-related enquiries.

Encouraging individuals to access their free credit reports and simplifying the process for them, is an important part of giving people the tools and knowledge to be able to exercise their privacy rights.

Corrections requests

When we discuss the role of continued education in the credit environment, it is also important that we cast our attention inwardly on the industry itself. Whilst the adoption of the new credit reporting laws set out in the Privacy Act and the Credit Reporting Code has progressed well, our office is aware that further work is needed in certain areas.  One area is the corrections process established by the new Part IIIA of the Privacy Act, whereby the recipient of a correction request from an individual must deal with that request, rather than referring it to another organisation.  Further, as part of dealing with the request, the recipient must consult with relevant stakeholders, such as other credit providers.

I understand that there are currently divergent approaches to handling corrections requests, and disputes about those requests, across the industry.  In particular, I understand there may perhaps be some confusion as to the level of consultation required by credit providers and credit reporting bodies in handling these disputes.  Our office, as the regulator of the Privacy Act, has a role to provide clarity and consistency in interpreting the Privacy Act.  Our preference is always to strive towards a consistent approach to implementing the Privacy Act. It is this consistency that assists entities to understand how to satisfactorily comply with the Privacy Act, and individuals on how their information is being handled.

With this in mind, our office will soon commence a consultation process to seek more information about how the corrections process operates on a practical level today.  With a more informed understanding of the issues faced by credit providers and credit reporting bodies in handling correction requests, we will be in a better position to offer guidance around how to comply with these provisions of the Privacy Act. We look forward to working with you in the coming months on this matter.

Conclusion

The last year has been a time of uncertainty for our office, following the May announcement that the OAIC would be disbanded.  However, the Bill has not been considered by the Senate and we remain operational.  A number of our freedom of information (FOI) functions have moved to other agencies, but we are still completing FOI work, as well as all of our existing privacy functions, and we will be continuing in this way into the next financial year.

Whether the Bill passes or not, our privacy functions will continue to be undertaken by the same highly experienced staff, working as either the OAIC or as a new organisation.

So, despite this uncertainty, we’re committed to moving forward with a full work plan.  In that sense, it’s business as usual for privacy.  There will be a Privacy Commissioner regulating the Privacy Act.

With all that said, I would like to end on the following note.

The twelve months ahead for the credit industry will be no less busy than the previous year has been.  The implementation of the Principles of Reciprocity and Data Exchange industry code and the expected commencement of sharing comprehensive credit information will make sure of that.  However I urge you not to forget that with an ever-increasing level of public awareness around credit reporting, you have a captive audience ready and willing to listen to you, and with it, an opportunity to promote your commitment to privacy.  I wish you all the very best for Credit Smart Day and the rest of Privacy Awareness Week and I look forward to continued engagement with you over the coming year.

Thank you.