Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Review of Credit Provider Determinations: Consultation Paper No.1

Assignees and Classes of credit providers

Closing date for comment 3 June 2011

Purpose

The Office of the Australian Information Commissioner (OAIC) is reviewing Credit Provider Determinations. The OAIC has issued this paper to assist individuals, organisations, credit providers and credit reporting agencies to prepare comments as part of that review.

The determinations discussed in this paper are:

The Assignees Determination and the Classes of Credit Providers Determination were issued by the then Privacy Commissioner under section 11B(1)(b)(v)(B) of the Privacy Act 1988 (Cth) (Privacy Act) and will expire on 31 August 2011.

The OAIC has also issued Consultation Paper No. 2 in relation to Credit Provider Determination No. 2006-5 (Indigenous Business Australia) (IBA Determination).

Both this Consultation Paper No. 1 and Consultation Paper No. 2 are available from the OAIC's web site at http://www.oaic.gov.au/ or in hard copy on request.

How to make comments

The Australian Information Commissioner invites your comments on the matters raised in this Consultation Paper. The closing date for comment is 3 June 2011.

Submissions can be made to consultation@oaic.gov.au, GPO Box 5218 Sydney NSW 2001 or TTY 1800 620 241 (no voice calls).

Note: The OAIC intends to make all submissions publicly available.  Please indicate when making your submission if your submission contains confidential information which you do not wish to make public. Requests for access to confidential comments will be determined in accordance with the Freedom of Information Act 1982 (Cth).

Privacy collection statement

The OAIC will use the personal information it collects in the course of this review only for the purpose of its review of Credit Provider Determinations.

Scope of the review

The review of Credit Provider Determinations is a general review of the Assignees Determination, the Classes of Credit Providers Determination and the IBA Determination.

The OAIC recognises that a review of the Credit Provider Determinations may raise other issues which are not directly related to the definition of ‘credit provider'. This consultation is focused on those matters covered by each of the Credit Provider Determinations. 

Senate Inquiry

The OAIC notes that the Senate Finance and Public Administration Committee is currently conducting an inquiry into Exposure Drafts of Australian Privacy Amendment Legislation, including an Exposure Draft of proposed new credit reporting provisions (new credit reporting provisions). More information about that inquiry and the new credit reporting provisions can be found at: http://www.aph.gov.au/senate/committee/fapa_ctte/priv_exp_drafts/index.htm.

If the new credit reporting provisions are passed in their current draft form, the three Credit Provider Determinations which are the subject of this review are likely to become redundant.   This is because the Australian Government proposes to:

  • designate in the legislation itself those entities currently covered by Credit Provider Determinations as ‘credit providers’[1]
  • remove the Australian Information Commissioner's determination power in relation to the ‘credit provider’ definition.[2]

The OAIC considers that the appropriate forum in which to debate the long-term merit of the substance of the Credit Provider Determinations is the Senate inquiry.

Preliminary View   

Subject to the result of this consultation, the OAIC proposes renewing each Credit Provider Determination without substantive amendment for a period of 3 years. 

Legislation overview and background

Part IIIA of the Privacy Act

Part IIIA of the Privacy Act provides safeguards for individuals in relation to consumer credit reporting. It regulates the handling of credit information files (credit files) and other credit worthiness information about individuals by credit reporting agencies (CRAs) and credit providers. While some provisions in Part IIIA relate to commercial credit information, in general Part IIIA regulates consumer credit reporting.

The key requirements of Part IIIA include:

  • limits on the type of information that a CRA can hold on an individual's credit file, and how long it can be held on file (for example, 5 years for defaults)
  • limits on who can obtain information from an individual's credit file held by a CRA, and for what purposes. (Generally only credit providers may obtain a credit report in connection with an individual's application for credit.)
  • a general prohibition on the disclosure of credit reports and other credit worthiness information by credit providers
  • rights of access and correction for individuals in relation to personal information in credit files and reports held by CRAs and credit providers.

To supplement Part IIIA, the Privacy Act requires the Australian Information Commissioner to issue a Credit Reporting Code of Conduct with which CRAs and credit providers must comply.[3]

The Australian Information Commissioner also has the power to:

  • investigate an infringement of the Code of Conduct or Part IIIA
  • conduct audits to verify the compliance of CRAs and credit providers with the Code of Conduct and Part IIIA.[4]

Credit providers

The term 'credit provider' is defined in section 11B of the Privacy Act to include finance organisations such as banks, building societies, credit unions and retail businesses which provide loans or issue credit cards. Persons doing tasks reasonably necessary for purchasing, funding or managing, or processing an application for a loan through a securitisation arrangement also fall within this definition.

In addition, the Privacy Act empowers the Australian Information Commissioner to determine that particular organisations or agencies are credit providers for the purposes of the Act. These powers are contained in sections 11B(1)(b)(v), 11B(1)(d) and 28A(1)(d) of the Privacy Act. These sections do not specify the duration of the determinations.

The Assignees Determination and the Classes of Credit Providers Determination were both issued under section 11B(1)(b)(v) and made for a period of 5 years.

 

 

Credit Provider Determination No. 2006-3 (Assignees)

Background

The Assignees Determination provides that a corporation which acquires the rights of a credit provider with respect to the repayment of a loan shall, in relation to that loan, be regarded as the credit provider for the purposes of the Privacy Act. Further, that assignee will be regarded as the credit provider who provided the loan or the credit provider to whom the loan application was submitted.

The effect of the Assignees Determination is to allow a corporation which acquires such rights to undertake credit reporting in respect of the particular loan. This includes:

  • collecting a payment on the overdue loan
  • listing an overdue payment or serious infringement in relation to the loan
  • updating as paid an existing default listing on the loan
  • correcting information previously reported on the loan.

The Assignees Determination extends to non-corporate entities by the operation of section 11B(1)(c) of the Privacy Act.

The first determination in relation to Assignees was made in 1995, following representations from a mortgage insurer who wished to conduct credit reporting in relation to a loan it had acquired upon the borrower's default. A consultation was undertaken by the then Privacy Commissioner before the initial determination was issued. Determinations regarding assignees were issued with no substantive changes in 1997, 2002, 2003, February 2006 and August 2006. The current Assignees Determination will expire on 31 August 2011.

Issues raised in the 2006 Consultation Paper No. 1 and submissions

In the most recent public consultation on the Assignees Determination conducted in 2006, the Office of the Privacy Commissioner (OPC)[5] received submissions from a range of industry participants, consumer groups and regulators.

The issues raised during that consultation included the following:

  • the listing of statute-barred debts by credit providers covered by the Assignees Determination
  • unlawful double listings of debts by credit providers covered by the Assignees Determination
  • issues with record-keeping practices of credit providers covered by the Assignees Determination.

From the consultation, the then Privacy Commissioner concluded that, while there were some recurring issues requiring attention, these issues had not prevented the Assignees Determination from in general operating satisfactorily.[6]  As a result, the Assignees Determination was renewed without substantive amendment for a period of 5 years. 

To address the concerns that were raised in relation to assignees accessing the credit reporting system, the Explanatory Statement accompanying the Assignees Determination contained clarification about assignor and assignee rights and obligations under the Assignees Determination and the Privacy Act, including rights and obligations in relation to:

  • statute-barred debts
  • double listing of defaults
  • record keeping, including ensuring that all relevant records relating to the loan are transferred to the assignee with the loan.

Questions

  1. Is there any evidence demonstrating a reason not to renew the Assignees Determination?
  2. (A) Is there any evidence demonstrating a reason to amend the Assignees Determination?
    (B) If there is any such evidence:
    1. How could theAssignees Determination be amended to reduce the problem?
    2. Is there any evidence to support the proposed amendment?
  3. (A) Do you agree with the OAIC's proposal to renew the Assignees Determination for a period of 3 years?
    (B) If you disagree, please suggest an alternative period and provide supporting reasons.

Credit Provider Determination No. 2006-4 (Classes of Credit Providers)

Background

The Classes of Credit Providers Determination provides that corporations belonging to the following classes are to be regarded as credit providers for the purposes of the Privacy Act in relation to their specific credit activities:

  • a corporation where, in relation to a transaction, it is considering providing or has provided a loan in respect of the provision of goods or services on terms which allow the deferral of payment, in full or in part, for at least 7 days
  • a corporation engaged in the hiring, leasing or renting of goods, where, in relation to a transaction, no amount, or an amount less than the value of the goods, is paid as deposit for return of the goods, and the relevant arrangement is one of at least 7 days duration.

The effect of the Classes of Credit Providers Determination is that businesses who on occasions offer loans or credit, but for whom the giving of loans or credit is not a substantial part of their business, can access the credit reporting system in relation to those loans or credit. Those businesses must comply with the obligations imposed by Part IIIA of the Privacy Act and the Credit Reporting Code of Conduct.  The determination extends to non-corporate entities by the operation of section 11B(1)(c) of the Privacy Act.

The Classes of Credit Providers Determination covers businesses in industries such as the retail, professional services and hire industries who meet the requirements of the determination. Although the question of whether or not an entity is covered by the Classes of Credit Providers Determination needs to be determined on a case-by-case basis, examples of such entities might include medical practices, law firms, newspaper publishers in relation to classified advertisements, and businesses that lease or rent out goods other than as a substantial part of their business.

The purpose of the Classes of Credit Providers Determination is to ensure that businesses which have a legitimate need for access to the credit reporting system can access the system, while at the same time protecting the privacy of individuals' consumer credit information.

The Classes of Credit Providers Determination was first issued in 1991.  The determination was re-issued without substantive change in 1993, 1996, 2001, 2002, 2003, February 2006 and August 2006.  The current Classes of Credit Providers Determination will expire on 31 August 2011.

Issues raised in the 2006 Consultation Paper No. 1 and submissions

In the most recent public consultation conducted in 2006, the OPC received submissions from a range of industry participants, consumer groups and regulators. 

The issues raised during that consultation included whether there were systemic issues in relation to non-compliance with Privacy Act obligations by credit providers covered by the Classes of Credit Providers Determination.

From the consultation, the then Privacy Commissioner concluded that, while there were some recurring issues requiring attention, there were no systemic issues with the operation of the Classes of Credit Providers Determination and that the Classes of Credit Providers Determination had operated satisfactorily in general.[7] As a result, the Classes of Credit Providers Determination was also renewed without substantive amendment for a period of 5 years. 

To address the concerns that were raised in relation to entities covered by the Classes of Credit Providers Determination accessing the credit reporting system, the Explanatory Statement accompanying the Classes of Credit Providers Determination contained information about the rights and obligations of non-traditional credit providers covered by the Classes of Credit Providers Determination, including requirements relating to:

  • notifying the individual of information that will be disclosed to a CRA
  • issuing notices to an individual when credit is refused
  • reporting overdue payments
  • disclosing information to other credit providers.

Questions

  1. Is there any evidence demonstrating a reason not to renew the Classes of Credit Providers Determination?
  2. (A) Is there any evidence demonstrating a reason to amend the Classes of Credit Providers Determination?
    (B) If there is any such evidence:
    1. How could the Classes of Credit Providers Determination be amended to reduce the problem?
    2. Is there any evidence to support the proposed amendment?
  3. (A) Do you agree with the OAIC's proposal to renew the Classes of Credit Providers Determination for a period of 3 years?
    (B) If you disagree, please suggest an alternative period and provide supporting reasons.

Attachment A

Credit Provider Determination No. 2006-3 (Assignees)

Privacy Act 1988

Under s.11B(1)(b)(v)(B) of the Privacy Act 1988, I, Karen Curtis, Privacy Commissioner,  determine that:

1. A corporation which acquires the rights of a credit provider with respect to the repayment of a loan (whether by assignment, subrogation or other means) shall, in relation to that loan, be regarded as the credit provider for the purposes of the Privacy Act.

2. A corporation deemed to be a credit provider by virtue of paragraph 1, above, shall, for the purposes of the Privacy Act, be regarded as the credit provider to whom the loan application was submitted, or who provided the loan.

3. This Determination relates to those corporations which are not already credit providers by virtue of paragraphs (a) or (b)(iii) to (iv) of s. 11B(1) of the Privacy Act.

4. This Determination continues the effect of Determination 2003 No.2 which expires on 31 August 2006.

5. This Determination is effective from 1 September 2006 to 31 August 2011 (inclusive).

The background to, and reasons for, making this determination are set out in the explanatory statementlodged for registration, together with this determination, on the Federal Register of Legislative Instruments.

 

 

 

Karen Curtis

Privacy Commissioner

 

21 August 2006


Attachment B

Credit Provider Determination No. 2006-4 (Classes of credit providers)

Privacy Act 1988

Under s.11B(1)(b)(v)(B) of the Privacy Act 1988, I, Karen Curtis, Privacy Commissioner, determine that:

1. All corporations belonging to the following classes are to be regarded as credit providers for the purposes of the Privacy Act:

  • a corporation where, in relation to a transaction, it is considering providing or has provided a loan in respect of the provision of goods or services on terms which allow the deferral of payment, in full or in part, for at least 7 days; or
  • a corporation engaged in the hiring, leasing or renting of goods, where, in relation to a transaction, no amount, or an amount less than the value of the goods, is paid as deposit for return of the goods, and the relevant arrangement is one of at least 7 days duration.

2. This Determination affects those businesses which are not already credit providers by virtue of paragraphs (a) or (b)(iii) to (iv) of s. 11B(1) of the Act.

3. This Determination continues the effect of Determination 2003 No.1 which expires on 31 August 2006.

4. This Determination is effective from 1 September 2006 to 31 August 2011 (inclusive).

The background to, and reasons for, making this determination are set out in the explanatory statement lodged for registration, together with this determination, on the Federal Register of Legislative Instruments.

 

 

Karen Curtis

Privacy Commissioner

21 August 2006


[1] Specifically, in the new credit reporting provisions:

  • section 191 includes those entities currently covered by the Assignees Determination
  • subsections 188(2) and 188(3) include those entities currently covered by the Classes of Credit Providers Determination
  • subsection 188(1)(d) may include IBA. It provides that an agency is a credit provider if it carries on a business or undertaking that involves providing credit and it is prescribed by the regulations, which are yet to be released.

[2] See Enhancing National Privacy, Australian Government First Stage Response to the Australian Law Reform Commission Report 108 (October 2009) (Government Response), Recommendation 54-7, available via www.dpmc.gov.au/privacy/reforms.cfm.

[3] The current Credit Reporting Code of Conduct was issued by the then Privacy Commissioner under s 18A of the Privacy Act in 1991 (amended 1996) following consultation with industry.  It is available at www.privacy.gov.au/materials/types/codesofconduct/view/6787

[4] See section 28A of the Privacy Act.

[5] The Privacy Commissioner and staff of the former OPC are now part of the OAIC.  The OAIC commenced operation on 1 November 2010 and is headed by the Information Commissioner, supported by two other statutory office holders, the Freedom of Information Commissioner and the Privacy Commissioner.

[6] See the Report on the Review of the Credit Provider Determinations for further information.

[7] See the Report on the Review of the Credit Provider Determinations for further information