Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Consultation on Personal Property Securities Bill and Commentary (Consultation Draft); Submission to the Attorney-General''s Department (August 2008)

August 2008 Executive Summary General privacy issues The Office suggests that: a Privacy Impact Assessment be conducted to help identify potential privacy issues and suggest solutions the proposed Registers potential status as a generally available publication be clarified how the Privacy Act will apply to per...

pdfConsultation on Personal Property Securities Bill and Commentary (Consultation Draft); Submission to the Attorney-General’s Department (August 2008)

August 2008

Executive Summary

General privacy issues

The Office suggests that:

  • a Privacy Impact Assessment be conducted to help identify potential privacy issues and suggest solutions
  • the proposed Registers potential status as a 'generally available publication' be clarified
  • how the Privacy Act will apply to personal information flows relating to the Register be clarified.

Personal Property Securities Register and credit reporting

The Office suggests that consideration be given to the degree to which any credit worthiness information stored on the Register will be afforded privacy protections that are consistent with those specified in Part IIIA of the Privacy Act.

Personal Property Securities Register and notice

Telling people how their personal information may be handled is an important privacy measure.  The Office suggests that:

  • a grantor should receive notice that a listing will be placed on Register before registration
  • consideration be given to grantors, in particular individuals, also receiving verification statements directly from the Register
  • notice be provided before any party searches the Register, explaining that improper searching would constitutes an interference with privacy under the Privacy Act.

Amending the Personal Property Securities Register

Ensuring rights to access and, where necessary, to correct personal information is important to good privacy.  The Office suggests that further consideration be given as to whether a grantor would have an appropriate amount of control over amending their personal information.

Subordinate Legislation under the draft Bill

Permitted contents of the Register are a key privacy issue.  The Office suggests that:

  • permitted types of information should generally be specified in the primary legislation
  • only personal information necessary to achieve the objects of the Register should be collected

Verifying Identification and Data-matching

In regard to verifying identify and other information types, the Office suggests:

  • the types of information and data sources that may be used for verification should be clearly defined
  • if matching between databases is undertaken, it should be supported by an appropriate privacy framework, such as the Privacy Commissioner's voluntary data matching guidelines.

Date of Birth

The Office submits that:

  • if a date of birth is necessary to differentiate between individuals with the same name then search results should not contain the date of birth information
  • the Office suggests that it may be more appropriate to use an individual's middle initial rather than using dates of birth to differentiate between individuals of the same name.

Searching the Personal Property Securities Register

The Office suggests that:

  • greater clarity is needed about what information will be displayed in the search results
  • authorised government agencies and the purposes for which they may access personal information should be clearly specified.

Office of the Privacy Commissioner

The Office of the Privacy Commissioner ('the Office') is an independent statutory body whose purpose is to promote and protect privacy in Australia.

The Office, established under the Privacy Act 1988 (Cth) ('the Privacy Act') has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT Government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. 

The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

Background to this Submission

The Office is pleased to comment on the consultation draft of the Personal Property Securities Bill 2008 ('the draft Bill') and the corresponding commentary. In February 2007, the Office responded[1] to Discussion Paper 1 relating to Personal Property Securities Register ('the Register'). This submission discussed issues relating to registration and searching the Register.

The Office welcomes the opportunity to make the following comments in relation to the Register.

Terms used in this submission

'Grantor' refers to the individual who owns the personal property where a security interest is attached. Put simply, the grantor is the party who receives finance in return for a security interest in that piece of personal property.

'Secured party' refers to the party holding a security interest. Generally this is the party providing finance. For definitions see clause 19 the draft Bill.

Privacy regulation

The Privacy Act contains eleven Information Privacy Principles (IPPs) which apply to Australian and ACT Government agencies.  It also inculdes ten National Privacy Principles (NPPs) which apply to all businesses with an annual turnover of more than $3 million and some small businesses.  Part IIIA of the Privacy Act regulates credit providers and credit reporting agencies.

In addition, some states and territories have privacy legislation that covers their respective public sectors.

The regulation of the Privacy Act is limited to 'personal information'.  This is defined in section 6 of the Act as information or opinion, whether true or not, about an individual whose identity is apparent or can be reasonably ascertained from that information.[2]

Developing a National Personal Property Securities Register

The Office acknowledges the wide ranging benefits and efficiencies potentially resulting from the Register. The Office recognises the potential benefits of Register, including:

  • harmonisation of laws
  • legal certainty for consumers, sole proprietors and businesses
  • reduction in legal disputes
  • reduction in costs
  • efficiency in service delivery.

Privacy impact assessment (PIA)

The Office reiterates its previous recommendation that a PIA be conducted to help identify and address potential privacy issues.[3] A PIA allows agencies to identify and analyse privacy impacts during a project's design phase. A project that underestimates privacy impacts can place its overall success at risk by breaching privacy legislation or by not meeting the expectations of the community as to how personal information may be handled.

In August 2006, the Office released a Privacy Impact Assessment Guide providing Australian Government and ACT Government agencies with an introduction to the PIA process.[4]

The Guide describes the purpose and general features of a PIA. A PIA would help to identify the various information flows relating to the Register and how privacy regulation might apply to them.

Privacy enhancing features of the Register

In the Office's February 2007 submission, a number of suggestions were made to enhance good privacy practice. The draft Bill incorporates a number of system features which go some way to enhance privacy protection. The Office welcomes the following privacy enhancing features:

  • illegitimate purpose for searches characterised as an 'interference with privacy' for the purposes of the Privacy Act (clause 230)
  • establishment of complaint handling mechanisms for improper searches of the Register (clause 230)
  • exact name matching searching of the Register (Commentary at 10.112)
  • mechanisms for the Registrar to analyse patterns of search records for illegitimate purposes and report illegitimate searches to the Privacy Commissioner (clause 230).

Personal Property Securities Register as a Generally Available Publication and application of Privacy Act

The Office understands that the Register might constitute a 'generally available' publication as defined in the Privacy Act.[5]

The Office recognises there can be important public interests served by public record information.  This includes shareholder registries, electoral rolls, and births, deaths and marriage registries. However, such public interests need to be balanced against the public interest in protecting the privacy of individuals. This is more important in an era where technologies are readily available to search and aggregate published electronic data so as to use it for other purposes.

If the Register meets the Privacy Act definition of a 'generally available publication', the Register itself may not be covered by the Privacy Act. However, the act of collecting personal information for inclusion in the Register would likely be covered by the Privacy Act, as would any uses once the information was taken from the Register.[6]

Clarifying the application of the Privacy Act to personal information collected to populate the Register, as well as personal information sourced from the Register, could usefully be addressed by a Privacy Impact Assessment.

Credit reporting

The Office notes that the draft Bill allows searching the Register to check an individual or body corporate's credit worthiness. According to the Table in clause 229[7], a person may search the Register to establish whether to provide credit to, or obtain a guarantee or an indemnity from individuals whose information may be contained on the Register.

As noted above, Part IIIA of the Privacy Act sets out requirements in the handling of information in relation to credit reporting.

As the Register is partly intended to help creditors find information on a borrowers' risk profile, it may be appropriate to consider whether privacy protections afforded to the Register are consistent with those specified in Part IIIA of the Privacy Act. A Privacy Impact Assessment could consider this matter in detail.

General comments on the Personal Property Securities Bill

Individuals and corporate entities on the Register

The Office observes that many securities to be registered may not include any personal information.  For example, securities held by a financial institution over personal property owned by public company might not include personal information.

In general, the Privacy Act does not protect the information privacy of corporate entities. However, in some instances business information will also include personal information. This may be the case for information about sole traders or partnerships. Consideration should be given as to whether such personal information is appropriately protected.  The Office suggests that such protections need not necessarily be as robust as those that would apply to individuals in a privacy capacity.

Building financial profiles from the Register

Currently, given the disparate nature of existing registers, it would be difficult for a casual browser to obtain sufficient information to build a comprehensive profile of any one person and their security interests held over their personal property. The Register would consolidate this information into one database. This may allow a casual browser to more easily know the degree to which personal properties have security interests held over them.

The ability to develop a financial profile of an individual raises privacy implications. Information may be about: personal property held by an individual, the level of an individual's indebtedness, and an individual's security interests. 

The Office discusses below additional measures that could be taken to promote privacy.

Comments about the draft Personal Property Securities Bill

Notification

The Office suggests that a grantor should receive notice that a listing will be placed on the Register before registration. Notice should include the specific details of the information to be disclosed to the Register. This would allow grantors to know their personal information will be accessible on a public Register. As mentioned in the commentary,[8] all individuals named on the Registermust know about information that might affect their capacity to sell personal property or secure finance.

However, according to the draft Bill, grantors would not necessarily be given notice that their personal information will be disclosed to the Register before registration. Under the draft Bill, secured parties receive 'verification statements' from the Registrar immediately after verifiable events.

Verifiable events include:

  • registrations
  • amendments to registrations (including corrections and the ending of an effective registration)
  • the removal and restoration of data in a registration
  • the inclusion of any data approved by the registrar.[9]

It is then the secured party's responsibility to ensure that a notice of the statement is given as soon as reasonably practicable to the grantor immediately before and or immediately after the verifiable event (clauses 226(2) and (6)).

As the Office understands, failure to send a verification statement to the grantor would not alter the operation of the registration, but may give rise to a claim for damages against the secured party under clause 240.

In the Office's view, telling the grantor that they will be Registered, allows them to make informed choices about whether or not to proceed with a security agreement. Such choice promotes good privacy practice.

Additionally, the Office suggests that consideration be given to individual grantors receiving verification statements directly from the Register.

Consequences of insufficient notice

The Office is unsure whether the remedy available against secured parties for failing to provide notice to grantors under clause 240 is sufficient.

The Office submits that it may be difficult for grantors to establish evidence of loss or damage resulting from failure to provide notice. In particular, proving that such loss was 'reasonably foreseeable' may be difficult to establish. As such, there may be merit in considering what other remedies should be available to individuals where a secured party fails to give notice of a verification statement.

Notice to users before searching the Register

Neither the commentary nor the draft Bill explains whether users would be given notice of the consequences of improper searching of the Register before searches. The Office suggests that notice be provided before searching the Register, explaining that improper searching would constitute an interference with privacy under the Privacy Act. Such notice may deter improper use of the Register.

Amendment to the Register

The draft Bill sets out procedures for grantors to demand change to the Register only for:

  • ending the registration of collateral
  • omitting the collateral (clause 210).

Conversely, the secured party is able to make amendments to a wider range of information on the Register including:

  • the grantor's details
  • the collateral description
  • the end time of the registration
  • as authorised by the regulations (clauses 206 and 207).

This appears to create a discrepancy between the types of information which may be amended by the grantor and the secured party.

This discrepancy is further exacerbated by the different avenues for amendment. The secured party would be able to apply directly to the Registrar, whereas the grantor must ask the secured party to amend the information on the Register.

There are judicial and administrative avenues[10] available for the grantor to enforce amendment to the Register if the secured party fails to amend the Register.  However, even with these measures it appears that the grantor would appear to face greater difficulty in amending their details than would secured parties.

This discrepancy is somewhat inconsistent with good privacy. The ability to access and, where necessary, correct personal information is an important element to information privacy.

The Office acknowledges that the secured party has the responsibility for ensuring the accuracy of information on the Register. However, the Office suggests that further consideration be given to whether a grantor would have sufficient accessibility to correction mechanisms.

The following measures may help promote and protect privacy:

  • the grantor could request amendments to their personal information directly from the Registrar instead of asking the secured party to amend the details
  • the grantor could have power to amend a greater range of information such as their details and the collateral description.

Information to be kept on Register to be prescribed by Regulations

The Office notes that there remains considerable scope for regulations to prescribe the types of information to be kept on the Register (clause 192, 195 and 196). The Office recognises that provision for the use of legislative instruments can sometimes provide appropriate flexibility to regulatory and administrative schemes. However, given the potential impact on individuals' privacy, the Office suggests that the types of information permitted on the Register should be substantially defined in the primary legislation.

It may be useful starting point to consider what types of information would not be necessary for the Register. For example, it may be unnecessary for residential addresses to be retained on the Register. In practice, business addresses or post-boxes (where different from residential addresses) would seem appropriate for Register purposes, such as to receive verification statements.

The Office would welcome further consultation on the types of personal information that may be permitted on the Register, whether by primary or delegated legislation.

Data-matching

The commentary[11] suggests that the Register system will perform 'validity checks' against other databases, such as the National Exchange of Vehicle and Driver Information (NEVDIS) and the Australian Securities and Investments Commission's (ASIC) Register of Companies to maintain the accuracy of registrations.

It is unclear from the commentary what information will be checked for validity. The Office suggests that greater clarity be provided as to what types of information will be checked for validity and what databases will be used in the process, as well as whether they are sufficiently accurate to be used for validity checking.

Further, the Office submits that data-matching should only take place when necessary and when restricted to well-defined parameters. Adopted without due regard for privacy, data-matching can be privacy intrusive by bringing together personal information that may not have been originally collected for that purpose.

The Office has issued voluntary guidelines for data-matching by agencies. Guidelines such as these could form a basis for any data-matching conducted between the Register and other databases.[12]

Identification verification

The commentary states that the Regulations would 'stipulate the sources of identification from which names would be drawn and the format that data is to be entered on the Register'. [13] The Office would welcome the opportunity to be consulted as this Regulation is prepared.

Dates of birth

The draft Bill and commentary anticipates individuals (whether secured parties or grantors) would be identified by name and date of birth.[14] The commentary also states that the details about a grantor or secured party to be included on the Register would be prescribed by regulation.

It appears that dates of birth will also be used to search the Register. Clause 228 of the draft Bill provides that a person may search the Register by reference to a grantor or secured party's details. As mentioned above, it is likely these details will include date of birth information.

Date of birth information, when linked to other information can lead to aggregating comprehensive profiles of individuals. As such, preventing date of birth information from search results should lessen the possibility of that data being misused to form profiles of individuals.

The Office reiterates its previous position that including date of birth data and searching by reference to dates of birth is not desirable.

If date of birth information is deemed necessary to differentiate between individuals of the same name then such searches should be on a 'challenge-response' basis, rather than returning the actual dates of birth for the relevant individuals.

The Office notes that the commentary canvasses the option of recording the middle initials of grantors' names. [15]  The Office suggests that this may be more appropriate than using dates of birth.

Collateral numbers

The Office welcomes the proposal to describe property on the Register by serial number where possible (such as vehicle identification numbers for motor vehicles).[16]

This measure potentially promotes privacy protection as the goods would be identifiable by serial number, rather than by the grantor's name. However, the Office suggests that in such instances searching should be restricted to use of the serial number only and not include the grantor's name, as is proposed in the commentary at 10.109.

The ability to search the Register by the grantor's name as well as the serial number would seem to undermine the potential privacy benefits of including serial numbers.

Searching the Register

Search results

The Office submits that greater clarity is required about what information will be displayed in the results of a search of the Register.

Authorised purposes for searching the Register

The Office generally supports the approach that the Bill stipulate authorised purposes for searching Register. The Office also supports the characterisation of an unauthorised search of the Register as an 'interference with privacy' for the purposes of sections 13 and 13A of the Privacy Act.[17]

Government entities authorised to search the Register

The Office notes that the draft Bill authorises a broad range of government entities to search the Register for purposes that relate to their powers or functions for law enforcement purposes (clause 229, Table items 17 and 18).

The Office suggests that these permitted uses should be specifically listed. For example, the Office notes the greater degree of specificity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 regarding which agencies' may obtain information held by Austrac.

Complaints processes

The Office welcomes the complaint mechanisms established under clause 230 allowing individuals and, in some circumstances the Registrar, to complain to the Privacy Commissioner about an alleged and unauthorised access to the Register. Clear and accessible complaint mechanisms are important to promoting information privacy.

Jurisdiction of the Privacy Act in relation to complaints

The Office notes that clause 230 would only apply to the extent that the alleged unauthorised access is by an 'agency' or 'organisation'.[18]

Questions asked by the commentary

Q: Is the 5 years allowed to correct the Register appropriate?

The Office understands that the secured party has the responsibility to ensure information contained on the Register is complete, accurate and up to date.

In circumstances where a registration may become prima facie erroneous due to a name change (or other change in information) which occurred after registration, it is proposed that a secured party would have a period of 5 years to amend the registration before it becomes ineffective.

The Office would welcome further consideration of whether this period would disadvantage individual grantors by misrepresenting the extent to which their personal property had security held over them.

Q: Does a period of 5 business days provide secured parties with sufficient opportunity to consider whether a registration should be amended (noting possible prejudice to persons who are named in the registration as a grantor)?

As mentioned above, it would be desirable for grantors to be able to exercise a greater degree of control over their personal information. However, in lieu of grantors having greater direct control over their financial information on the Register, it is preferable that secured parties take steps to make amendments at the request of grantors as quickly as practicable.

Personal information of financial nature needs to be accurate and correct to ensure individuals avoid negative credit ratings or difficulties in obtaining credit. The Office would be concerned at the period being longer than five business days.

Q: Should the registrar be able to initiate the change demand process by sending a change demand request to the secured creditor?

The Office considers that this is likely to be an appropriate method to initiate change demands.

Q: When the grantor is a sole trader, should it be possible to search against the sole trader's name and the relevant ABN (noting that the registration would be ineffective if either included an error).

The Office considers that is it unnecessary to search by both parameters. It would be preferable to search only against the relevant ABN as it is desirable for sole traders to preserve a different financial profile for their business as distinct from their personal dealings.

[1] Submission available at: http://www.privacy.gov.au/materials/types/submissions/view/6675.

[2] Information relating to the operation of the Privacy Act can be found on the Office's website at http://www.privacy.gov.au/.  Specific information outlining the privacy provisions covering private sector organisations and Australian government agencies can be found at:

www.privacy.gov.au/business/ for businesses

www.privacy.gov.au/government/ for government

[3] Review of the law on Personal Property Securities, Discussion Paper 1, Registration and Search Issues; Submission to the Attorney-General's Department (February 2007) available at http://www.privacy.gov.au/materials/types/submissions/view/6675.

[4]http://www.privacy.gov.au/publications/pia06/index.html.

[5] Section 6(1) of the Privacy Act 1988 (Cth) 'A generally available publication means a magazine, book, newspaper or other publication (however published) that is or will be generally available to member of the public'.

[6] See section 16B(1) of the Privacy Act 1988 (Cth).

[7] Clause 229, Table, items 7,8 and 9 Personal Property Securities Bill 2008.

[8] At 10.98

[9] Clauses 223 and 224 Personal Property Securities Bill 2008.

[10] Clauses 211 - 216 Personal Property Securities Bill 2008.

[11] At 10.20 and 10.21 Commentary.

[12] More information on the voluntary data-matching Guidelines can be found at: http://www.privacy.gov.au/law/other/datamatch/.

[13] At 10.19 and 10.20 Commentary.

[14] At10.19  and 10.110 Commentary.

[15] At 10.20 Commentary.

[16] At 10.32 Commentary.

[17] Clause 230 Personal Property Securities Bill 2008.

[18] Sections 6 and 6C of the Privacy Act 1988 (Cth).