Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

'S' and Veda Advantage Information Services and Solutions Limited [2012] AICmr 33

Determination and reasons for determination of Privacy Commissioner, Timothy Pilgrim

Summary of case details
Applicant:

'S'

Respondent: Veda Advantage Information Services and Solutions Limited
Decision date: 20 December 2012
Application number: C12590
Catchwords:

Privacy — Privacy Act — Credit reporting — (CTH) Privacy Act 1988 s 52 — s 18G(a) — accurate, up-to-date, complete and not misleading — s 18R(1) — misleading credit report — non-economic loss — assessment of damages measured by statute, assisted by rules in tort — aggravated damages not awarded

 

  Contents

Summary
Allegations and remedy sought
The law
Investigation process
General considerations
Table A: Similar enquiry listings
Table B: Identical enquiry listings
Findings

Finding on damages
Economic loss
Non-economic loss
Aggravated damages
Determination

 Summary

  1. Veda Advantage Information Services and Solutions Limited (Veda) interfered with the complainant's privacy by failing to take reasonable steps to ensure that the personal information contained in the complainant's credit information file was accurate, up to date, complete and not misleading, in breach of s 18G(a) of the Privacy Act 1988 (Cth) (Privacy Act). Veda also provided the complainant's credit report, which contained misleading information, to other entities in breach of s 18R(1) of the Privacy Act.
  2. To redress this matter Veda shall:
    • apologise in writing to the complainant within four weeks of the date of this determination
    • amend the complainant's credit information files in compliance with s 18G(a) of the Privacy Act by removing duplicated enquiry listings on cross-referenced files that are similar (but not identical to the initial listing) where both resulted from the same credit application
    • cease to provide the complainant's credit report to any entity, prior to the removal of the similar enquiry listings
    • pay the complainant $2000 for non-economic loss caused by the interferences with the complainant's privacy.
  3. In relation to Veda's practice of recording similar enquiry listings, I recommend that Veda:
    • develop revised training packages and user information guides for subscribers, which clearly address the issue of similar enquiry listings and how to interpret them
    • engage an independent auditor to assess Veda's cross-referencing processes, both the multiple identity report (MIR) option and the non-MIR alternative, in compliance with s 18G(a) of the Privacy Act.

 Allegations and remedy sought

  1. In April 2009, the complainant lodged a complaint with the Office of the Privacy Commissioner (now the Office of the Australian Information Commissioner (OAIC)) against Veda, under s 36 of the Privacy Act.
  2. The complainant alleged that:
    • Veda held two credit information files for her (one in her original name and one in her then married name) and that the two files should be merged as she no longer used her then married name.
    • The two credit information files were cross-referenced by Veda.
    • Each time the complainant made a credit application, a duplicate enquiry listing for that application was recorded on her cross-referenced credit file (in her then married name). The complainant noted that sometimes the dates, amounts or credit provider details were identical between the two credit information files and sometimes the details varied (despite the fact that the details related to the same credit application).
    • Veda's practice of duplicating credit enquiries on the complainant's credit information files suggested to subscriber credit providers that she had submitted more credit applications to credit providers than she had. The complainant considered that the credit enquiries were 'unnecessarily repeated and incorrect'.
    • Veda's practice resulted in Veda's subscribers being supplied with misleading information concerning her credit worthiness, which resulted in her being refused credit or losing the opportunity to obtain credit on more favourable terms.
    • Veda did not respond appropriately to her complaint once it became aware that particulars listed on her credit information files, i.e. credit enquiries, may have been inaccurate and/or misleading.
  3. The complainant seeks a declaration by me that she is entitled to compensation of $100,000-$150,000 for economic and non-economic losses. The complainant is also requesting that her personal information be listed correctly and not in a misleading manner.

 The law

  1. The credit reporting provisions found in Part IIIA of the Privacy Act govern the handling of consumer credit reports, credit information files and other credit worthiness information about individuals by credit reporting agencies and credit providers.
  2. Section 11A of the Privacy Act defines a 'credit reporting agency' as 'a corporation that carries on a credit reporting business'.
  3. A 'credit reporting business' is defined in s 6(1) of the Privacy Act as:

    a business or undertaking ... that involves the preparation or maintenance of records containing personal information relating to individuals (other than records in which the only personal information relating to individuals is publicly available information), for the purpose of, or for purposes that include as the dominant purpose the purpose of, providing to other persons (whether for profit or reward or otherwise) information on an individual's:

    1. eligibility to be provided with credit; or
    2. history in relation to credit; or
    3. capacity to repay credit;

    whether or not the information is provided or intended to be provided for the purposes of assessing applications for credit.

  4. A 'credit information file' in relation to an individual is defined in s 6(1) to mean:

    ... any record that contains information relating to the individual and is kept by a credit reporting agency in the course of carrying on a credit reporting business (whether or not the record is a copy of the whole or part of, or was prepared using, a record kept by another credit reporting agency or any other person).

  5. A 'credit report' is defined in s 6(1) to mean:

    ... any record or information, whether in a written, oral or other form, that:

    1. is being or has been prepared by a credit reporting agency; and
    2. has any bearing on an individual's:
      1. eligibility to be provided with credit; or
      2. history in relation to credit; and
      3. is used, has been used or has the capacity to be used for the purpose of serving as a factor in establishing an individual's eligibility for credit.
  6. One of the 'permitted contents' of a credit information file, widely referred to as a 'credit enquiry' is described at s 18E(1)(b) as:

    The information is a record of:

    1. both:
      1. a credit provider having sought a credit report in relation to an individual in connection with an application for credit or commercial credit made by the individual to the credit provider; and
      2. the amount of credit or commercial credit sought in the application.
  7. Section 18G(a) of the Privacy Act states that a credit reporting agency in possession or control of a credit information file or a credit report must take reasonable steps to ensure that the personal information contained in the credit file or report is accurate, up-to-date, complete and not misleading.
  8. Section 18M of the Act requires a credit provider to provide the individual with a written notice if an application for credit is rejected and the rejection is based wholly or partly on the information contained in a credit report obtained from a credit reporting agency.
  9. Section 18R(1) of the Privacy Act states that a credit reporting agency must not provide to any other person or body (whether or not the other person or body is a credit reporting agency or credit provider) a credit report that contains false or misleading information.
  10. After investigating a complaint, I may, under s 52 of the Privacy Act, make a determination:
    • dismissing the complaint (s 52(1)(a)) or
    • finding the complaint substantiated and declaring:
      • that the respondent has engaged in conduct constituting an interference with the privacy of an individual and should not repeat or continue such conduct (s 52(1)(b)(i)(A)), and/or
      • the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant (s 52(1)(b)(ii)), and/or
      • the complainant is entitled to compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint (s 52(1)(b)(iii)), and/or
      • it would be inappropriate for any further action to be taken in the matter (s 52(1)(b)(iv)).

 Investigation process

  1. The OAIC's investigation of this complaint involved the following:
    • On 3 June 2009, the Assistant Commissioner Compliance opened an investigation into the complainant's allegations pursuant to s 40(1) of the Privacy Act.
    • Written information supplied by both Veda and the complainant was considered.
    • Veda and the complainant were provided with the opportunity to respond to he OAIC's preliminary view of the complaint dated 29 October 2009, which onsidered that Veda had breached s 18G(a).
    • In response to the OAIC's preliminary view, additional written information was supplied by Veda, disputing the view.
    • This additional information did not cause the OAIC to change its preliminary view and conciliation was attempted.
    • The parties were unable to achieve a mutually agreeable resolution through conciliation and so I decided to determine the matter.
    • Both parties were provided with the opportunity to provide written and oral submissions pursuant to s 43(5) of the Privacy Act before a determination was made.
    • Both parties declined the opportunity to make oral submissions, but provided written submissions.
    • I have considered the written submissions and gathered additional information to clarify claims made by the parties. To obtain an understanding of how credit providers interpret identical and similar enquiry listings (outlined below), I collected information from three financial sector credit providers.

 General considerations

  1. The first table (Table A) below illustrates what I will call similar enquiry listings recorded on the complainant's cross-referenced credit information files from 2006–09. It is my understanding these listings relate to the same credit application. However, in the listings, one or more of the details such as subscriber branch name, date or amount applied for, are different.
  2. The second table (Table B) illustrates what I will call identical enquiry listings recorded on the complainant's credit information files from 2007–08. In the listings, the details of the enquiry such as the subscriber branch name, date, and amount applied for, are exactly the same on the complainant's cross-referenced credit files.

 

Table A: Similar enquiry listings

Original name file

Then married name file

8/12/2009 CREDIT PROVIDER A

Amount: An unspecified amount

9/12/2009 CREDIT PROVIDER A

Amount: An unspecified amount

15/9/2008 CREDIT PROVIDER B

Amount: An unspecified amount

17/9/2008 CREDIT PROVIDER B

Amount: An unspecified amount

10/9/2008 CREDIT PROVIDER A NEW ACCTS NSW

Amount: An unspecified amount

11/9/2008 CREDIT PROVIDER A NEW ACCTS NSW

Amount: An unspecified amount

26/2/2008 CREDIT PROVIDER C

Amount: $600,000

25/2/2008 CREDIT PROVIDER C

Amount: $600,000

25/11/2007 CREDIT PROVIDER D FIN DIST 2

Amount: $27,650

25/11/2007 CREDIT PROVIDER D NSW

Amount: $27,650

26/7/2007 CREDIT PROVIDER E PERSONAL LOANS

Amount: $20,000

25/7/2007 CREDIT PROVIDER E PERSONAL LOANS

Amount: $20,000

20/7/2007 CREDIT PROVIDER F SMALL BUSINESS OPERATIONS

Amount: An unspecified amount

20/7/2007 CREDIT PROVIDER F GRP PFS OPS & TECH

Amount: $20,125

29/1/2007 CREDIT PROVIDER G CREDIT CARD NSW
Amount: $12,000

25/1/2007 CREDIT PROVIDER G NSW
Amount: $2000

1/9/2006 CREDIT PROVIDER G HEAD OFFICE

Amount: $30,000

31/8/2006 CREDIT PROVIDER G HEAD OFFICE

Amount: $30,000

12/7/2006 CREDIT PROVIDER H VICTORIA

Amount: An unspecified amount

12/7/2006 CREDIT PROVIDER H DECISION POINT

Amount: An unspecified amount

 

 

Table B: Identical enquiry listings

Original name file

Then married name file

25/11/2008 CREDIT PROVIDER I

Amount: $650,000

25/11/2008 CREDIT PROVIDER I

Amount: $650,000

31/3/2008 CREDIT PROVIDER J

Amount: $560,000

31/3/2008 CREDIT PROVIDER J

Amount: $560,000

26/11/2007 CREDIT PROVIDER K

Amount: $27,182

26/11/2007 CREDIT PROVIDER K

Amount: $27,182

25/1/2007 CREDIT PROVIDER F BANK CARDS AUST VIC

Amount: An unspecified amount

25/1/2007 CREDIT PROVIDER F BANK CARDS AUST VIC

Amount: An unspecified amount

25/1/2007 CREDIT PROVIDER L

Amount: $500,000

25/1/2007 CREDIT PROVIDER L

Amount: $500,000

 

  1. Veda is an information services and aggregation business that provides credit risk assessment services. Veda ensures that consumer and commercial credit reports generated electronically from Veda's credit reporting database (which holds and maintains individuals' credit information files) are available to subscriber credit providers.
  2. Veda has informed the OAIC that its database contains more than 15 million records and that it holds credit data on 16.5 million credit active individuals and 4.4 million businesses. Credit providers, who are subscribers, supply information to the credit information files in Veda's database, and are able to extract information (in the form of credit reports) to make decisions about applications for credit based on the information contained in those credit reports. The information contained in Veda's database is extracted and supplied by credit providers constantly.
  3. Veda, through its database, re-composes data fed into it by credit providers into a new form or record. By Veda preparing the information entered into its database by subscribers in this way and then granting access to that newly formed information, Veda can be said to be in control or possession of a 'credit report'.[1]
  4. Credit providers are reliant on accurate, up-to-date, complete and not misleading reports generated by Veda for the purpose of assessing the credit risk of an individual, as are individuals whose credit information is directly related to their eligibility to obtain credit.
  5. Veda has provided documentation to me (within one of its subscriber training manuals of February 2009) which indicates that when a credit provider wishes to access Veda's database, to supply or extract information, it gains access through Veda's web-based system, and is required to submit personal information in order to extract information regarding an individual.
  6. Veda has explained that when an individual makes an application for credit to a credit provider, the provider may make an enquiry on the Veda credit reporting database to assist it in assessing the application for credit. When such an enquiry is made, the individual's credit file is made available to the credit provider.
  7. When a credit provider makes an enquiry on Veda's database, it also has the option of viewing any cross-referenced files. If the credit provider views a cross-referenced file, a record of the application is placed on each file the credit provider views to register all activity on the credit file.
  8. Veda has stated that this process ensures that credit providers are able to match the records held by Veda to an individual (regardless of the number of names or identifiers that the individual may be known by or used at any particular time).
  9. Veda has noted that credit providers access the cross-referenced files to view information that may not be on the 'main' file (the file initially accessed). Veda considers, by doing so, credit providers 'are looking for points of difference, such as additional enquiries and defaults, between the two files so that they can have access to the [applicant's] full credit history'.
  10. In its correspondence to the OAIC of 14 May 2012, Veda noted that 'each time a credit provider views a file they see all the enquiries on that file including their own'.
  11. Veda agrees, as a credit reporting agency, it is within the jurisdiction of the Privacy Act however contests that it failed to take reasonable steps to ensure that the complainant's personal information was accurate, up-to-date, complete and not misleading, or that it was in breach of the Privacy Act. Nor does Veda consider that it has provided to credit providers and individuals credit reports that contain false or misleading information.
  12. In its letter to the OAIC of 24 June 2009, Veda confirmed that there are often variances in the detail of duplicated enquiry listings between the complainant's cross-referenced files (as in Table A above). Veda is of the view that:
    • where details regarding the amounts of credit sought in an application vary between duplicated enquiry listings (relating to the same credit application), 'these accurately reflect the information input by the credit provider'
    • the date for an enquiry recorded on the cross-referenced files 'is the date the credit provider accessed the file and is not misleading'
    • it does not list credit applications on credit files and that in the case of the complainant, the relevant credit providers recorded the listings.
  13. Veda has said that its practice of duplicating credit enquiries on cross-referenced files is long-standing and well understood by subscribing credit providers. It has noted that it does not consider that credit providers would interpret identical or similar enquiry listings recorded on cross-referenced credit information files as different credit applications.
  14. Veda has also stated that it has not received questions from credit providers about identical or similar enquiry listings or how to interpret them, and that, in its opinion, credit providers are not misled when accessing all cross-referenced files as part of one application for credit.
  15. As outlined in my letter to Veda of 20 April 2010, I consider that Veda has, in accordance with s 18G(a), taken reasonable steps to ensure the personal information contained in the complainant's credit information files is 'accurate, complete and up to date'.
  16. However, although Veda may have reasonable steps in place to ensure the accuracy of the personal information contained in the complainant's credit information files under s 18G(a), it must also have sufficient steps in place to ensure that information is not misleading under s 18G(a).
  17. Therefore, in this complaint I need to consider the following:
    • whether under s 18G(a):
      • Veda took reasonable steps to ensure that the complainant's personal information contained in her credit information files was not misleading
    • whether under s 18R(1):
      • the identical credit enquiries on the complainant's cross-referenced credit information files are misleading
      • the similar credit enquiries on the complainant's cross-referenced credit information files are misleading
      • Veda passed the complainant's credit report (containing misleading information) to other entities.
  18. In the event that I reach the conclusion that Veda has not taken reasonable steps to ensure credit enquiry listings on the complainant's credit information files are not misleading, that either the identical or similar enquiries are misleading, and that Veda has passed on that misleading information (in credit reports) to other entities, I also need to consider an appropriate remedy including considering any loss the complainant suffered.

 Findings

  1. I find that Veda is a 'credit reporting agency' and carries on a 'credit reporting business' within the meaning of the Privacy Act. Veda is therefore obliged to comply with Part IIIA of the Privacy Act, including ss 18G(a) and 18R(1).

 The meaning of 'misleading'

  1. The word 'misleading' is not defined in the Privacy Act. Nor has the meaning of the term, in the context of ss 18G(a) and 18R(1) of the Privacy Act, been considered judicially.
  2. Given misleading is not defined in the Privacy Act, I consider it is appropriate to refer to the ordinary meaning of that word, its meaning as enunciated by courts and in other consumer law contexts.
  3. The Macquarie Dictionary defines 'misleading' (mislead), as:
    1. to lead or guide wrongly; lead astray
    2. to lead into error of conduct, thought, or judgement.[2]
  4. Courts have considered the word misleading in the context of Australian consumer law.
  5. For conduct to be 'misleading', it must 'mislead or deceive'.[3] Conduct will be misleading or deceptive if:
    • the overall impression that a statement or representation conveys is false, not entirely accurate, or incomplete; or
    • it induces or may induce error.[4]
  6. A statement that is literally true, for example, may still be misleading if it is capable of inducing error.[5]
  7. Therefore information may be misleading because it is inaccurate, out-of-date or incomplete. However it may also be misleading without being any of these things.
  8. Veda has said that the complainant has not submitted evidence, nor has the OAIC considered evidence, which indicates that credit providers or any other person has been misled by the duplicate credit enquiry listings on the complainant's two credit information files. In my view conduct can be 'misleading' without evidence that a person has been misled.[6]
  9. Veda has said that misleading conduct must also be considered by reference to the persons who come within the relevant section of the public to whom the representation is made.[7] Those persons, for the purpose of this determination, are the credit providers that may access the complainant's credit file or the complainant.
  10. The complainant has not complained of being misled by the duplicate enquiry listings, but is complaining that the duplicate listings on her cross-referenced credit information files convey to credit providers a false impression of the number of applications for credit she has made. Therefore, the relevant class of persons is Veda's subscribing credit providers.
  11. As I have identified the class of persons, I consider the relevant test to be 'what is the likely reaction to the representation of the ordinary or reasonable members of the class to whom the representation is directed?'[8] When considering this question, the persons or relevant section of the public to whom the statement or representation is made must be more than confused by the information.[9]
  12. To examine this issue, I have considered the information provided by three credit providers that made enquiries on the complainant's credit information files, and which I consider represent the credit providers that make up the relevant class of persons for the purpose of considering whether information contained in a credit information file is misleading. I have also considered whether there is a difference in credit providers' perceptions of identical and similar enquiry listings and whether one type of listing, but not the other, may mislead credit providers regarding the number of credit applications an applicant has made.
  13. The credit providers stated that the number of credit enquiries recorded on an individual's credit report is considered in the assessment of a loan application.
  14. The credit providers indicated that when they encounter identical enquiry listings on two or more of an individual's cross-referenced credit files (as shown above in Table B), they would generally consider that the duplicate enquiry listings are in fact the same credit enquiry made in relation to the one credit application. One credit provider noted that if there is any doubt as to whether an enquiry is a duplicate or not, it would contact the borrower to clarify the issue. The remaining credit providers stated that identically duplicated enquiries are not considered in the assessment of a loan application.
  15. In the case of similar enquiry listings, two credit providers noted that where the credit enquiry details vary, even if similar, the enquiries are considered different and treated as 'unique' enquiries. The remaining credit provider stated that where there are minor differences between two or more enquiry listings, which may cast doubt on whether they in fact relate to the same credit enquiry, and when the information is relevant to the loan assessment, it will contact the borrower to clarify the issue.
  16. Based on the information provided by the three credit providers, I am satisfied of the following:
    • subscriber credit providers generally take account of, and their decision in relation to an individual's credit application is influenced by, in a manner that can be unfavourable to an individual applying for credit, the number of credit enquiries on an individual's credit information file or files
    • where duplicate credit enquiries, which are identical in detail, appear on two or more credit information files, credit providers are aware that the duplicate listings relate to only one credit enquiry (and one credit application)
    • there is some information that suggests that where duplicate credit enquiries listed on two or more credit information files are similar but not identical in detail, although they in fact relate to the same credit enquiry, the listings may mistakenly be assessed by credit providers as different enquiries relating to separate credit applications.
  17. Further, although I acknowledge that the criteria for approving an individual's credit application varies between credit providers, I accept that a credit provider is more likely than not to take into account, in a manner that can be unfavourable to the individual applying for credit, duplicated listings of credit enquiries which are similar but not identical in detail, which are recorded on two or more credit files.
  18. The information provided to me by the credit providers surveyed suggests that credit providers do not wrongly assess duplicated enquiry listings, which are identical in detail, as two or more separate credit enquiries relating to two or more credit applications. I am of the view that identical enquiry listings do not induce error on the part of credit providers when they are assessing a credit application. I therefore find that duplicated enquiry listings which are identical in detail, are, on the balance of probabilities, not misleading to credit providers.
  19. However, in respect to similar enquiry listings, where there are minor variances in the details of the duplicated enquiry listings, I consider there is sufficient information before me to indicate that some credit providers are induced into wrongly assessing such listings as different enquiries relating to different credit applications. I am therefore of the view that Veda's practice of duplicating similar enquiry listings can induce error on the part of credit providers when they are assessing a credit application, and such a practice fails to ensure that a credit file or report is not misleading.

 Finding in relation to s 18R(1)

  1. Section 18R(1) imposes on Veda an obligation not to give its subscriber credit providers a credit report that contains false or misleading information. As I am satisfied that some credit providers do not understand similar enquiry listings to be of the same credit enquiry relating to the same credit application, I am of the view that such information contained in a credit report extracted from Veda's database is misleading information.
  2. During the period 2006-09, the complainant's credit information files contained a number of duplicated credit enquiry listings, where the enquiry details varied slightly but related to the same credit enquiry (and the same credit application). I consider that, on the balance of probabilities, at least some of those credit providers accessing the complainant's cross-referenced credit files during that period would have misunderstood the similar enquiries listing information they contained. As such, I am of the view that Veda breached s 18R(1) of the Privacy Act when it provided that information to subscriber credit providers, and that Veda has interfered with the complainant's privacy in this respect.

 Finding in relation to s 18G(a)

  1. Under s 18G(a), Veda must take reasonable steps to ensure that the personal information contained in a credit information file or credit report is accurate, up to date, complete and not misleading.
  2. In making an assessment of the 'reasonable steps' required of a credit reporting agency under s 18G(a) I have considered the following:
    • the size and nature of an organisation such as Veda and how Veda's practices may impact on a large number of individuals and credit providers
    • the nature of the personal information held by Veda and its data handling practices
    • the importance to credit providers and individuals of credit file information which is accurate and not misleading, balanced against the cost to Veda to ensure that the credit information files it holds do not contain misleading information
    • the risk of harm to the individuals concerned if the information is misleading
    • the ease with which any particular step can be implemented.
  3. Veda has advised, in its December 2011 submission, that it 'has a number of processes and procedures which are specifically directed at Veda's obligations under s 18G(a)' including, but not limited to:
    • an Operations team that administers requests for amendments to credit information files held by Veda
    • an Investigations Team that conducts investigations and provides responses to individuals' complaints about the accuracy of information listed on their credit information files
    • staff and subscriber training on the Privacy Act and the National Privacy Principles[10]
    • the provision to subscribers of a number of user guides and online service manuals about how to interpret the information relating to individuals' creditworthiness in Veda's database
    • the presence of a call centre which provides assistance and advice to both subscribers and individuals about credit information files and the credit reports generated from the information contained in credit files
    • its website infrastructure which addresses, through set fields and edit rules, Veda's obligations under the Privacy Act
    • its matching rules which are designed to only return a credit information file when there are sufficient matches in identity details for Veda to form the view that the identity information provided by the credit provider matches the information on the credit file
    • its employment of a data management team to monitor its database and address any issues or irregular patterns emerging.
  4. As I will discuss below, Veda has changed its processes in some ways since this complaint was made, but my findings are based on the steps in place at the time of the complaint.
  5. One of the credit providers I contacted stated it had not received explanatory material or guidelines from Veda on how similar enquiry listings may be interpreted. I have no information before me that indicates Veda provided subscriber credit providers with sufficient training, information or guidelines in relation to the nature of similar enquiry listings on an individual's cross-referenced files, or how to interpret them.
  6. I do not consider that, prior to mid-2009, it would have been overly arduous or costly to an organisation such as Veda to provide explanatory material to subscriber credit providers to assist them in understanding that duplicated enquiry listings, despite slight differences in the enquiry details, related to the same credit enquiry and loan application.
  7. Based on the information before me, I do not consider that Veda has taken reasonable steps under s 18G(a) of the Privacy Act to ensure that information on credit information files held in its database was not misleading. It is my view that Veda had insufficient steps in place to ensure that subscriber credit providers received adequate information regarding similar enquiry listings, in order to prevent an interpretation of such listings that would contribute to an adverse assessment of an individual's credit worthiness.
  8. I am satisfied that Veda has interfered with the complainant's privacy under s 18G(a).

 Changes since the complaint

  1. Veda has advised of the introduction, since mid-2009, of a 'multiple identity report' (MIR) feature, which has 'fundamentally changed the way in which Veda provides credit reports to approximately 90% of its credit provider subscribers'.
  2. Veda has stated that with the MIR feature 'the content of all the individual's files ... is merged and de-duplicated, and the resulting merged file is provided to the credit provider as a comprehensive credit report on the individual'. It has noted as the merged file provides all information relevant to the credit worthiness of an individual, it is not necessary to provide the credit provider with the details of any cross-referenced files.
  3. Adopting the MIR system is optional for each subscriber, and as I understand it, this revised system presently applies to 90 per cent of credit provider subscribers. Even assuming that the MIR system addresses the matters raised in this determination, there remains a percentage of credit providers who have not opted into the MIR system. Consequently there exists a group of individuals, the clients of those credit providers which did not 'opt-in' to the new system, who may potentially be assessed unfavourably as a result of similar enquiry listings on cross-referenced files.
  4. In so far as the complainant is concerned, Veda indicated in its 10 February 2009 letter to the complainant that it 'has been able to remove some duplicate enquiries'. However, I have not been provided with any explanation as to why some duplicate enquiries, and not others have been removed.

 Finding on damages

  1. Having found the complaint substantiated, I have the discretion under s 52(1)(b)(iii) of the Privacy Act to award compensation for 'any loss or damage suffered by reason of' the interference with privacy.

 Economic loss

  1. The complainant claims that as a result of Veda's practice, she was unable to obtain credit which has, in turn, resulted in her incurring significant financial loss.
  2. She claims that she was forced to borrow money at high interest rates as she was viewed by lenders as 'high risk'. The complainant has advised that she was 'almost bankrupted' due to her circumstances, and had to enter a debt agreement in February 2011 as she was 'unable to sustain the repayments for several small loans with extremely high interest rates'. She also maintains that she was forced to 'sell [her] family home at a loss because mortgage lenders were unable to help with re-financing of [her] home loan at cheaper and [more] sustainable interest rates'.
  3. It is therefore necessary for me to determine whether the complainant has suffered economic loss by reason of Veda's practice and if so whether an award of damages is warranted for that loss.
  4. Veda claims that 'even if the complainant suffered adverse credit outcomes', which it denies, 'these outcomes are not of Veda's doing'. Veda has submitted that the complainant would be declined credit whether her credit information files contained duplicate enquiries or not.
  5. In support of her claim for economic loss, the complainant has provided a receipt from a credit repair agency, debt agreement documents, property purchase documents, property resale documents, divorce settlement documents, letters and default notices regarding the security over the property, a document which demonstrates the early release of superannuation funds, loan and credit card statements and a letter of consideration regarding her claim. The complainant contends that her current financial circumstances flow from Veda's practice of duplicating enquiry listings on cross-referenced credit files. The complainant did not otherwise address the issue of economic loss in detail.
  6. The complainant has not produced any notices from credit providers advising that her applications for credit were refused wholly or partly because of the information on her credit report, as required under s 18M of the Privacy Act. I have not been provided with any information which indicates the complainant has lost particular income or incurred particular debt as a result of Veda's breach. Any economic disadvantage the complainant may have suffered in terms of having to accept loans at high interest rates and having to sell the family home, has not been sufficiently substantiated to link the loss complained of with Veda's breach of her privacy.
  7. Having considered the information available, to the extent that the complainant has provided information on loss, I am not satisfied that the complainant was refused credit or would have been able to obtain credit on more favourable terms had the similar listings not been made.
  8. I am consequently of the view that, on the information before me, there is no basis for awarding compensation for the alleged economic loss.

 Non-economic loss

  1. The complainant's correspondence to both Veda and the OAIC has indicated that she has undergone stress and anxiety as a result of Veda's practices. This is referenced in her initial complaint letter to Veda of 15 January 2009 and in correspondence with the OAIC on 19 October 2011, 3 April 2012 and 10 September 2012. In support of her claim for non-economic loss, the complainant has provided letters from doctors. The first letter dated 21 March 2012 states that she was prescribed Desvenlafaxine, an anti-depressant drug used for treating moderate to severe symptoms of depression and anxiety. The second letter dated 28 March 2012 states that the complainant was treated with Desvenlafaxine for the management of depression, anxiety and stress.
  2. The medical information provided does not consider the factors that could have had an impact on the complainant's diagnosed stress and anxiety. However I accept the complainant was stressed or made more anxious by the appearance that she had applied for credit many more times than she actually had. I also note that this is a case where the relevant history of the interference with the complainant's privacy spanned a substantial period of time.
  3. It is my view that the complainant suffered some stress and anxiety because she considered Veda's practice of duplicating credit enquiries on cross-referenced files was affecting her ability to attain credit.
  4. Section 52(1A) makes it clear that the damage referred to in s 52(1)(b) includes injury to the complainant's feelings and damages for non-economic loss of that nature may be awarded under the Privacy Act.
  5. It is my view that some of the complainant's stress and anxiety is by reason of Veda's practice and an award of damages is consequently appropriate.
  6. In deciding appropriate damages for non-economic loss I have considered previous Privacy Commissioner determinations[11], as well as the law relating to the assessment of damages under the Sex Discrimination Act 1984[12].
  7. It has long been established that damages should be assessed on tort-based principles[13], while on the other hand, damages awards compensating for injured feelings should not be so low as to diminish respect for the public policy to which the legislation gives effect.[14]
  8. In 'D' v Wentworthville Leagues Club[15] I awarded $7500 for non-economic loss caused by the interference with the complainant's privacy. That case concerned an unauthorised disclosure of the complainant's former gambling habits which caused the complainant to suffer humiliation as well as serious anxiety, panic attacks and physical symptoms. In making that decision, I was guided by the Administrative Appeals Tribunal's (AAT) decision in the case of Rummery and the Federal Privacy Commissioner & Anor[16]. The AAT was guided by the complainant's evidence as to the injury to his feelings and humiliation, and made a declaration awarding $8000 to Mr Rummery. The amount was awarded for loss and damage in circumstances where personal information concerning Mr Rummery's background and former employment was disclosed by an officer of Mr Rummery's former employer to the ACT Ombudsman, during an investigation into a public interest disclosure Mr Rummery made to the ACT Ombudsman.
  9. I consider the present case of non-economic loss to the complainant to be less serious than the previously mentioned cases.
  10. I have also taken account of other Privacy Commissioner determinations that have resulted in lower awards of damages. In 'A', Complainant and the Secretary, Department of Defence[17], 'A' suffered 'considerable humiliation and embarrassment' as a result of an improper disclosure of his Army record to his new employer. The Commissioner considered that compensation in the amount of $2500 was appropriate where the humiliation and embarrassment was serious for 'A' but related to an isolated event. In Complainant v ACT Government Solicitor[18], the Commissioner declared that the complainant was entitled to $1000 for non-economic loss as a result of an unlawful disclosure of the identity of the complainant to a third party dog owner, who was the subject of a complaint by the complainant.
  11. I conclude that the range of compensation that might be awarded for injury to feelings in a case such as the present would therefore be in the range of $1000 to $2500. The complainant in this case was made anxious by Veda's practice of duplicating enquiry listings and I consider that this stress and anxiety has spanned the substantial period of time of her complaint about Veda's practice. In all the circumstances, I have decided that compensation in the amount of $2000 for non-economic loss would therefore be appropriate.

 Aggravated damages

  1. The power to award damages 'by way of compensation for any loss or damage suffered' is found in s 52 of the Privacy Act. Damages 'by way of compensation' include general damages and aggravated damages.[19] There is no place for the award of punitive damages within the provisions of s 52.[20]
  2. In 'D' v Wentworthville Leagues Club[21], I made reference to the following principles which guide in the determination of aggravated damages:
    • aggravated damages may be awarded where the respondent behaved 'high-handedly, maliciously, insultingly or oppressively in committing the act of discrimination.'[22]
    • the 'manner in which a defendant conducts his or her case may exacerbate the hurt and injury suffered by the plaintiff so as to warrant the award of additional compensation in the form of aggravated damages.'[23]
  3. The complainant in this case has complained that her stress and anxiety has been exacerbated by the prolonged nature of the complaint and by the manner in which Veda has responded to her complaint.
  4. Veda has said that when the complainant lodged her complaint regarding her credit files with it on 21 July 2008, it investigated the matter and responded accordingly. It has stated:
    • It advised the complainant, via a credit repair agency, that Veda had a statutory obligation to make a notation of disclosures of personal information in credit information files.
    • It also informed the complainant that she could, if she wished, add a statement to her file, and that if she was unhappy with the outcome of Veda's investigation she could contact the Office of the Privacy Commissioner.
    • It subsequently investigated the complainant's second complaint lodged on 15 January 2009, in which the complainant questioned why her two credit files could not be merged.
    • It wrote to the complainant explaining the enquiries were not erroneous and again offered to add a statement on the complainant's file.
    • It also advised the complainant that she could have the matter re-investigated by Veda's Customer Relations team if she so wished.
  5. I accept the respondent's submission that it investigated the matter in accordance with its normal practice and procedures. I do not consider the way in which Veda has conducted its case is high-handed, malicious, insulting or oppressive.
  6. I do not consider there is a case for an award of aggravated damages.

 Determination

  1. I declare in accordance with s 52(1)(b)(i)(B) of the Privacy Act that:
    • the complainant's complaint is substantiated
    • Veda has not taken reasonable steps to ensure that the information contained in the complainant's credit information files and credit reports is not misleading
    • Veda has breached the Privacy Act by providing misleading information in the complainant's credit report to credit providers.
  2. I declare, in accordance with s 52(1)(b)(ii) of the Privacy Act that Veda must:
    • issue a written apology to the complainant within four weeks of this decision
    • amend the complainant's credit information files in compliance with s 18G(a) of the Privacy Act, specifically, by amending/removing duplicate similar enquiry listings
    • not provide the complainant's credit report to any other person or body until it has amended/removed the misleading content from the credit report.
  3. In relation to Veda's practice of recording similar enquiry listings, I recommend that Veda:
    • develop revised training packages and user information guides for subscribers, which clearly address the issue of similar enquiry listings and how to interpret them
    • engage an independent auditor to assess Veda's cross-referencing processes, both the MIR option and the non-MIR alternative, in compliance with s 18G(a) of the Privacy Act.
  4. I declare in accordance with s 52(1)(b)(iii) that the complainant is entitled to $2000 for the non-economic loss suffered as a result of Veda's interference with her privacy.

 

Timothy Pilgrim
Australian Privacy Commissioner

20 December 2012

 


[1]Dale v Veda Advantage Information Services and Solutions Limited [2009] FCA 305, [48].

[2]Macquarie Dictionary (2009), 5th edn, Macmillan Publishers Australia.

[3]Taco Co of Australia Inc v Taco Bell Pty Ltd [1982] FCA 136.

[4]Johnson Tiles Pty Ltd v Esso Australia Ltd [2000] FCA 1572, [63] per French J.

[5]National Exchange Pty Limited v ASIC [2004] FCAFC 90 per Jacobson and Bennett JJ.

[6]Annand & Thompson Pty Ltd v Trade Practices Commission [1979] FCA 36.

[7] Taco Co of Australia Inc v Taco Bell Pty Ltd [1982] FCA 136.

[8]Campomar Sociedad, Limitada v Nike International Limited [2000] HCA 12.

[9]Parkdale Custom Built Furniture Pty Limited v Puxu Pty Limited [1982] HCA 44.

[10] The National Privacy Principles (NPPs) in Schedule 3 of the Privacy Act regulate the way certain organisations are to handle personal information. An information sheet outlining the NPPs can be found at: www.oaic.gov.au/publications/privacy_fact_sheets/Privacy-factsheet2_NPPs_online.pdf.

[11]'D' v Wentworthville Leagues Club [2011] AlCmr 9 (9 December 2011); 'A', Complainant and the Secretary, Department of Defence [1993] PrivCmrACD 1 (22 December 1993); Complainant v ACT Government Solicitor [2003] PrivCmr ACD 1 (2 April 2003).

[12]Hall & Ors v Sheiban Pty Ltd & Ors [1989] FCA 72.

[13]Haines v Bendall (1991) 172 CLR 60.

[14] Hall & Ors v Sheiban Pty Ltd & Ors [1989] FCA 72 per Wilcox J, adopting as a statement of principle what was said by May LJ, Alexander v Home Office (1988) 1 WLR 968, 975.

[15]'D' v Wentworthville Leagues Club [2011] AlCmr 9 (9 December 2011).

[16]Rummery and the Federal Privacy Commissioner & Anor [2004] AATA 1221.

[17] 'A', Complainant and the Secretary, Department of Defence [1993] PrivCmr ACD 1 (22 December 1993).

[18]Complainant v ACT Government Solicitor [2003] PrivCmr ACD 1 (2 April 2003).

[19]Rummery and the Federal Privacy Commissioner & Anor [2004] AATA 1221, [32].

[20]'D' v Wentworthville Leagues Club [2011] AlCmr 9 (9 December 2011), [50]; Hall v A & A Sheiban Pty Ltd [1989] FCA 72, [74] per Lockhart J.

[21]'D' v Wentworthville Leagues Club [2011] AlCmr 9 (9 December 2011), [51], [52].

[22]Hall v A & A Sheiban Pty Ltd [1989] FCA 72, [75].

[23]Elliott v Nanda & Commonwealth [2001] FCA 418, [180].