
Draft National Consumer Credit Reform legislation; Submission to the Commonwealth Treasury (May 2009)


Submission to the Commonwealth Treasury

May 2009

Key Recommendations

  1. The Office of the Privacy Commissioner (the Office) notes that the draft National Consumer Credit Reform legislation is part of the first phase of the Australian Government’s plan to put in place a framework for the simple, standard, national regulation of consumer credit.
  2. The protection of personal credit information is an important privacy concern for individuals because of the serious consequences that may arise through the mishandling of their credit information. It is therefore crucial to ensure there is a framework in place which will provide appropriate privacy protections.
  3. The Office has a number of recommendations to enhance and clarify certain aspects of the draft National Consumer Credit Reform legislation including that:
    1. a clause be inserted into the Bill which would have the effect of clarifying that the provisions of the Bill should be interpreted in such a way that they do not diminish the existing privacy protections contained in the Privacy Act. It may also be beneficial to set out the intended interaction between the Bill and the credit reporting regime in the Privacy Act in the Explanatory Memorandum for the Bill. (paras 15-19)
    2. all licensees under the Bill which are not covered by the Privacy Act be placed under the Privacy Act’s coverage for the collection and handling of credit reporting information. This can be done through the use of existing mechanisms in the Privacy Act. (paras 21-28)
    3. any information about licensees which is made publicly available, either through the Australian credit register or otherwise, is necessary to fulfil its purpose in accordance with good privacy practice. (paras 29-31)
    4. consideration be given to aligning the definition of ‘credit’ in the draft National Credit Code with that of Part IIIA of the Privacy Act in respect of the coverage of credit extended for the purchase of services. (paras 32-38)
    5. consideration be given to aligning the definition of ‘credit provider’ in the draft National Credit Code with that of Part IIIA of the Privacy Act. (paras 39-43)
    6. The Office believes that any expansion of the credit reporting system as recommended by the ALRC should only be considered after all responsible lending reforms have been implemented. Further, the Office agrees that credit providers, as defined in the Privacy Act, not included in the responsible lending reforms should be excluded from accessing expanded credit reporting data (i.e. the fifth data element). (paras 44-46)
    7. the Bill and Explanatory Memorandum clarify that the assessment processes identified in Parts 3.1 and 3.2 of the Bill should not be interpreted as approving or endorsing pre-screening activities. (paras 47-50)
    8. the rights the Privacy Act confers upon individuals and the Office’s role in dealing with privacy related complaints should also be expressly highlighted in the Bill and Explanatory Memorandum and guidance material be produced by ASIC, in consultation with the Office, which clearly explains the complaint handling procedures available under both the Bill and the Privacy Act. (paras 52-56)
    9. the Bill and the Explanatory Memorandum expressly clarify that a credit provider’s obligations under Part IIIA of the Privacy Act will operate with the draft National Credit Code’s default notice provisions. (paras 57-60)

Office of the Privacy Commissioner

1) The Office of the Privacy Commissioner (the Office) is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) (the Privacy Act), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT Government agencies, and personal information held by all large private sector organisations, private health service providers and some small businesses. In addition, the Office has regulatory functions under other Acts, such as the Telecommunications Act 1997 and the Crimes Act 1914. The Office particularly draws attention to its regulatory functions in regard to the handling of credit reporting information under Part IIIA of the Privacy Act.

Overview

2) The Office appreciates the opportunity to make a submission to the Commonwealth Treasury on the draft National Consumer Credit Reform legislation.[1] The Office understands that the draft National Consumer Credit Reform legislation forms part of the first phase of the Australian Government’s commitment to creating a single, standard and nationally consistent corporate and financial services regime for Australia. It arises from the Council of Australian Government’s (COAG) agreement in March and June 2008 that the Commonwealth would assume responsibility for the regulation of consumer credit and a related cluster of additional financial services. The Office notes the aim of the draft National Consumer Credit Reform legislation is to create a new national consumer credit regulatory framework.

3) Consumer credit is an essential part of the Australian economy. With the advent of the digital age individuals can now access credit in ways and for purposes that had not previously been contemplated. Individuals can now open a bank account, complete financial transactions, and even apply for credit online. For example, the first credit transaction for many young people may be when they obtain a mobile phone, often while still at school.

4) The protection of personal credit information is an important privacy concern for individuals. Research that the Office has undertaken shows that the type of information individuals are the most reluctant to provide is financial information and details about their income.[2] It is therefore crucial to ensure any consumer credit regulatory framework put in place provides appropriate privacy protections. Since 1990 the Privacy Act has been providing Australians, through Part IIIA, with privacy protections in respect of credit reporting.

5) The Office has a number of suggestions to enhance and clarify certain aspects of the draft National Consumer Credit Reform legislation. These are discussed in more detail below.

Credit Reporting under the Privacy Act

6) The privacy regulation of consumer credit reporting in Australia is found in Part IIIA of the Privacy Act 1988 (Cth) (Privacy Act).

7) Part IIIA of the Privacy Act provides safeguards for individuals in relation to consumer credit reporting. In particular, it governs the handling of credit reports and other credit worthiness information about individuals by credit reporting agencies and credit providers.

8) The term ‘credit provider’ is defined in section 11B of the Privacy Act to include finance organisations such as banks, building societies, credit unions and retail businesses which provide loans or issue credit cards. Persons doing tasks reasonably necessary for purchasing, funding or managing, or processing an application for a loan through a securitisation arrangement also fall within this definition.

9) The Privacy Commissioner has the power under s.11B of the Privacy Act to determine additional organisations or agencies that may be included as credit providers for the purposes of the Privacy Act. For example, the current Classes of Credit Provider Determination allows corporations to be regarded as credit providers if they provide goods or services on terms that allow deferral of payment for at least seven days[3].

10) Credit reporting agencies and credit providers may be required to comply with the National Privacy Principles (NPPs) in the Privacy Act in their dealings with commercial credit information, and the personal information which they hold more generally. There are also some provisions in Part IIIA that relate to commercial credit information. However, in general, Part IIIA is aimed at consumer credit rather than commercial credit.

11) The key requirements of Part IIIA include:

  1. Limits on the type of information which can be held on an individual’s credit information file by a credit reporting agency. There are also limits on how long the information can be held on file
  2. Limits on who can obtain access to an individual’s credit file held by a credit reporting agency. Generally only credit providers may obtain access and only for specified purposes
  3. Limits on the purposes for which a credit provider can use a credit report obtained from a credit reporting agency
  4. A general prohibition on the disclosure by credit providers of credit worthiness information about an individual (which includes when the information in a credit report is received from a credit reporting agency)
  5. Rights of access and correction for individuals in relation to their own personal information contained in credit reports held by credit reporting agencies and credit providers.

12) Under section 18A(1) of the Privacy Act, the Privacy Commissioner is required to issue a Credit Reporting Code of Conduct [4] relating to credit information files and credit reports. Section 18B obliges credit reporting agencies and credit providers to comply with the Credit Reporting Code of Conduct. Under section 28A the Commissioner has the power to investigate an infringement of the Credit Reporting Code of Conduct and conduct audits to ensure that it is being complied with.[5]

13) In 2008 the Australian Law Reform Commission (ALRC) Report 108, ‘For Your Information: Australian Privacy Law and Practice’,[6] was released. The ALRC made a number of recommendations in relation to reforming the credit reporting provisions in the Privacy Act. The Australian Government is currently considering its response to the ALRC’s recommendations.

14) The recommendations include repealing the credit reporting provisions of the Privacy Act, regulating credit reporting under the general provisions of the Privacy Act (including the new model Unified Privacy Principles proposed by the ALRC), and creating new specific Regulations under the Privacy Act covering the handling of credit reporting information.

Role of credit reporting regulation

15) An individual’s credit file contains an aggregation of different types of personal information such as name, date of birth, and credit history.[7] The protection of this personal credit information is an important privacy concern for individuals because of the serious consequences that may arise if this information is inaccurate or mishandled. As research that the Office undertook in 2007 illustrates, the type of information individuals are the most concerned about is their financial information.[8] On this basis, there is a cogent reason as to why the regulation of credit reporting should always be seen as an integral part of any consumer credit regulatory framework.

16) In Australia, Part IIIA was introduced into the Privacy Act through the Privacy Amendment Act 1990 (Cth) in response to a proposal by the Credit Reference Association of Australia to implement a new system of positive credit reporting. The Second Reading Speech for the Privacy Amendment Bill 1990 states:

‘The great majority of Australians meet their credit commitments. In determining the appropriate form of privacy regulation for the credit reporting industry, what must be paramount is the fundamental right of these individuals to privacy. However, this must be balanced against both the need for businesses to operate efficiently, and the right of credit providers to protect their commercial interests. Also, the welfare of those borrowers who may get into difficulties or who are led into difficulties must not be forgotten. This Bill achieves that difficult balance.’[9]

17) The importance of privacy protection has not diminished over time. For this reason, the Office believes it is important that the privacy protections that currently exist within the credit reporting provisions in Part IIIA are not diminished by the draft National Consumer Credit Reform legislation.

18) The Office notes that whilst the National Consumer Credit Protection Bill 2009 (the Bill) addresses the interaction between Commonwealth credit legislation and State and Territory laws, it does not appear to deal with the interaction with the Privacy Act’s credit reporting provisions.

19) The Office recommends that a clause be inserted into the Bill which would have the effect of clarifying that the privacy provisions of the Bill should be interpreted in such a way that they do not diminish the existing protections contained in the Privacy Act. It may also be beneficial to set out a discussion on the intended interaction between the Bill and the credit reporting regime in the Privacy Act in the Explanatory Memorandum for the Bill.

Australian Credit Licensing Regime

20) The Office notes that the licensing regime in Chapter 2 of the Bill authorises the Australian Securities and Investments Commission (ASIC) to issue Australian credit licences upon application to either authorised deposit-taking institutions (ADIs) or other persons. Licensees under ^LIC250 of the Bill may give a person (credit representative) written notice authorising them to engage in specified credit activities on their behalf.

Privacy Act Coverage

21) The Privacy Act applies to the activities of Commonwealth and ACT government agencies as well as private sector organisations. Organisations are defined to include all businesses with an annual turnover of more than $3 million, all private health service providers and a range of small businesses. The activities of individuals acting in a private capacity are generally not subject to the Privacy Act.

22) Licensees that meet the definition of a credit provider in section 11B of the Privacy Act will have obligations under Part IIIA of the Privacy Act, as will their credit representatives. However, whilst Part IIIA generally regulates the handling of an individual’s credit information by credit reporting agencies and credit providers, it does not regulate credit reports or the general credit worthiness information held by credit providers. Consequently, it does not set out obligations with regard to that information in terms of notice, data security, access and correction.

23) The handling of this type of information will only be protected under the Privacy Act if the licensee falls under the coverage of the Privacy Act by meeting the definition of ‘organisation’. In that circumstance this information would be subject to the application of the NPPs. Likewise, licensees which are not subject to Part IIIA of the Privacy Act because they are not credit providers will not be obliged to protect the personal information of individuals unless they fall within the jurisdiction of the NPPs.

24) This gap in privacy protection already exists under the current Uniform Consumer Credit Code. However, as the draft Bill seeks to expand coverage of the Privacy Act to include mortgage brokers and other intermediaries, the Office is concerned it is likely that the gap in privacy regulation will continue, and may possibly even expand, under the draft Bill.

25) The result could be fragmented and inconsistent privacy protections. For example, there may be a category of licensees, such as small business operators, that may fall outside the Privacy Act’s jurisdiction for some aspects of the handling of credit reporting information and, similarly, may not be obliged to protect this information as required under the NPPs given their status as small businesses under the Privacy Act.

26) To address this potential gap in coverage, the Office suggests that one of a number of existing Privacy Act mechanisms be utilised to bring all licensees under the Bill and their credit representatives, which are not already covered by the Privacy Act, under the Privacy Act’s coverage for the collection and handling of credit reporting information.

27) This could be achieved through an amendment to the provisions of the Privacy Act which would treat licensees as organisations for the purposes of the Privacy Act. This method was most recently used to bring ‘reporting entities’ under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the AML/CTF Act) under the coverage of the Privacy Act (for specific acts or practices relating to their activities under the AML/CTF Act).[10]

28) Alternatively, a regulation under the Privacy Act could be prescribed that will treat licensees, who are not already subject to the Privacy Act, as organisations under the Privacy Act. This provision[11] has most recently been used to prescribe residential tenancy database operators as organisations for the purposes of the Privacy Act.[12]

Australian Credit Register

29) Paragraph 2.222 in the commentary for the Bill refers to the Australian credit register. It appears it is intended that such a register would be managed by ASIC and be used by persons, including consumers, to verify the status of the person they are dealing with. There is no further detail as to the type of information which would be contained on the register although the provisions in the Bill dealing with banning orders do require that these orders be published on ASIC’s website.[13]

30) The Office has previously expressed the view that when determining what information should be made available on public registers there is a need to appropriately balance transparency against the protection of an individual’s personal privacy. Personal information that is contained in a public register or published on a website accessible by members of the public usually falls within the Privacy Act’s definition of a ‘generally available publication’.[14] An agency does not have any obligations under the Privacy Act to protect personal information in a generally available publication as the Information Privacy Principles (IPPs) in section 14 of the Privacy Act only apply to personal information contained in a ‘record’. A ‘record’ is defined in section 6(1) of the Privacy Act to expressly exclude generally available publications.

31) It is important that careful consideration be given as to what personal information is put in a ‘generally available publication’. For example, it may not be appropriate, or indeed necessary, for a public register to contain details of a person’s residential address if the primary aim of the register is to verify the person’s status. Generally, the Office recommends it would be good privacy practice for ASIC to make sure that any information about licensees which is made publicly available, either through the Australian credit register or otherwise, is necessary to fulfil its purposes.

Definition of ‘credit’

32) The draft National Credit Code contained in Schedule 1 of the Bill applies to the provision of credit wholly or predominantly for:

  • personal, domestic or household purposes; or
  • to purchase, renovate or improve residential property for investment purposes

33) The Office notes the definition of (consumer) credit in the Privacy Act is similar but not identical to that proposed for the National Credit Code. The definition given to credit in section 6(1) of the Privacy Act refers to it ‘being a loan that is intended to be used wholly or primarily for domestic, family or household purposes’.

34) Further, the definition of a loan contained in section 6 of the Privacy Act includes credit which is extended for the purchase of a service such as the hiring of goods or deferred payment for services such as utilities.

35) In most cases ‘credit’ under the draft National Credit Code would be considered ‘credit’ under the Privacy Act but there will be cases where it will not. For example, a loan by an individual for the purpose of financing a rental property may not be considered credit under Part IIIA of the Privacy Act, as this borrowing could be considered a commercial transaction and therefore not ‘intended to be used wholly or primarily for domestic, family or household purposes’ within the meaning of the Privacy Act. However, a loan by an individual to finance an investment property would be covered by the definition in the draft National Credit Code. In this example, the differing definitions of credit may create a gap which will result in some activities of licensees covered by the draft National Credit Code not falling within the jurisdiction of Part IIIA of the Privacy Act.

36) In its submission to the ALRC’s DP 72, the Office recommended that the proposed Privacy Act credit regulations should apply to personal information relating to credit sought or obtained by an individual for any purpose and not be limited to ‘domestic, family or household’ purposes as is currently the case under the definition of ‘credit’ in the Privacy Act[15]. However, the ALRC decided on balance not to recommend any change to the definition of credit in the Privacy Act. This matter is currently being considered by the Australian Government in the context of preparing its response to the ALRC’s recommendations.

37) In addition, consumer leases under the draft National Credit Code only apply to contracts for the hire of goods not services. This is in contrast to section 6(1) of the Privacy Act which defines a loan as including contracts, arrangements or understandings for the hire, lease or renting of goods and services. In this example, the differing definitions of credit may create a gap which may result in some activities of licensees falling within the jurisdiction of Part IIIA of the Privacy Act not being covered by the draft National Credit Code.

38) This situation may lead to a potentially divergent, fragmented and inconsistent approach to the regulation of privacy protections. The Office suggests that consideration be given to aligning the definition of credit in the draft National Credit Code with that of the Privacy Act in respect of the coverage of credit extended for the purchase of services.

Definition of ‘credit provider’

39) The draft National Credit Code contained in Schedule 1 of the National Consumer Credit Bill defines a credit provider as a ‘person that provides credit and includes a prospective credit provider’. ^7 of the draft National Credit Code expressly excludes short term credit from the Code’s operation. Short term credit includes the provision of credit limited to a period not exceeding 62 days.

40) As pointed out in paragraph 9 above, the Privacy Commissioner has made a determination which allows corporations to be regarded as credit providers if they provide goods or services on terms that allow deferral of payment for at least seven days.

41) Further, Part 3.4 of the Bill provides for a debt collector to provide a credit guide to a debtor as soon as practicable after a credit provider has authorised them to collect repayments on their behalf. However, it is not clear in the Bill whether a debt collector would be regarded as a credit provider. Part IIIA of the Privacy Act expressly excludes external debt collectors from accessing an individual’s credit file or credit report.

42) The different approach to the definition of ‘credit provider’ in the draft National Credit Code and Part IIIA of the Privacy Act may create a gap which will result in some credit providers subject to Part IIIA of the Privacy Act not having any obligations under the draft National Credit Code.

43) The Office is of the view this may create an inconsistent approach to consumer credit regulation and add to the complexity of the regulatory framework. It could also potentially create confusion amongst both credit providers and consumers as to the compliance obligations of credit providers. The Office notes the ALRC has recommended a simplified definition of ‘credit provider’ be adopted for the Privacy Act under which those agencies and organisations that are currently credit providers for the purposes of the Privacy Act should generally continue to be credit providers[16]. The Office recommends that further consideration be given to aligning the definitions of ‘credit provider’ in the draft National Credit Code with the same definition in the Privacy Act.

Responsible Lending Conduct

Responsible Lending Obligations

44) The ALRC’s Review of Privacy proposed a progressive expansion towards comprehensive credit reporting, subject to the introduction of responsible lending obligations for credit providers. The ALRC recommended that four additional data elements be incorporated into the proposed new credit regulations and the fifth data element (24 months repayment history) only be implemented by the Australian Government after it was satisfied that there was an adequate framework imposing responsible lending obligations in Commonwealth, state and territory legislation[17].

45) Chapter 3 of the Bill imposes responsible lending obligations upon licensees if they are suggesting, or entering into, a credit contract with a consumer. For example, Chapter 3 expressly prohibits a licensee from providing or suggesting an unsuitable credit contract to a consumer. The Office notes it is proposed that further legislative initiatives to address specific responsible lending conduct obligations, such as credit card limit extension offers, will be introduced in the second phase of the reform process.

46) The Office believes that any expansion of the credit reporting system as recommended by the ALRC should only be considered after all responsible lending reforms have been implemented. Further, the Office agrees that credit providers, as defined in the Privacy Act, not included in the responsible lending reforms should be excluded from accessing expanded credit reporting data (i.e. the fifth data element).

Pre-screening

47) As the Office understands it, under Chapter 3 of the Bill licensees providing credit assistance will be required to conduct a preliminary assessment of the unsuitability of a credit contract before proceeding to offer credit assistance pursuant to ^R150 of the Bill[18]. Reasonable inquiries about the consumer’s requirements and financial situation must be made by the licensee before making a preliminary assessment under ^R150 of the Bill[19]. These inquiries are to include the licensee taking reasonable steps to verify the consumer’s financial situation. Similar obligations are imposed upon credit providers before entering or increasing the limit of a credit contract[20].

48) The Office has some concern that the requirement the Bill places upon licensees to conduct a preliminary assessment and make reasonable inquiries about a consumer’s financial situation could be misinterpreted as allowing pre-screening activities. Pre-screening can be described as ‘the ability of credit providers to use credit files to exclude individuals from direct marketing offers to increase limits or refinance loans’[21]. In the Office’s view the current provisions in Part IIIA of the Privacy Act prohibit pre-screening[22]. Generally, Part IIIA of the Privacy Act only permits access to a credit information file when a loan application has been made and is under assessment. Under the provisions of the Bill referred to above, it does not appear that it is necessary for a loan application to have been made before the assessment processes are undertaken.

49) The Office supports continuing the prohibition. This position is consistent with the ALRC’s recommendation in its Report 108 that any new credit regulations should expressly prohibit the use or disclosure of credit reporting information for the purposes of direct marketing, including in relation to the ‘pre-screening’ of direct marketing lists[23]. For example, the pre-screening process lacks transparency. The making of an assessment of individuals’ credit worthiness based on their credit reporting information, outside the context of an application for credit (where the individual would expect such an assessment to take place), is neither transparent nor open.

50) There is also a risk that by allowing pre-screening activity to occur the privacy protections currently in place within the credit reporting system will be significantly weakened. An individual’s credit file may be accessed and their credit information used and disclosed in circumstances where the individual is unaware that these activities would have occurred. The Office recommends that the Bill and Explanatory Memorandum clarify that the assessment processes identified in Parts 3.1 and 3.2 of the Bill should not be interpreted as approving or endorsing pre-screening activities.

Dispute Resolution

51) The Bill sets out a three tier dispute resolution structure. Under the first tier licensees are obliged to have an internal dispute resolution procedure in relation to credit activities available to consumers[24]. If consumers are unable to resolve their dispute through internal processes they may access an approved external dispute resolution scheme (EDR)[25]. The third tier allows consumers to resolve disputes through the court system. The broad definition of credit activities contained in the Bill will encompass credit reporting. Accordingly, there may be an overlap between the dispute resolution framework in the Bill and the privacy complaint handling regime set out in Part V of the Privacy Act.

52) The Office, whilst generally supportive of the three tier consumer dispute resolution framework as set out in the Bill, believes its effectiveness could be enhanced if the role of privacy matters in credit disputes was specifically addressed. In particular, there would be benefits in clarifying the extent to which the Bill’s dispute resolution framework works within the context of privacy disputes. The rights the Privacy Act confers upon individuals and the Office’s role in dealing with privacy related complaints should also be expressly highlighted in the Bill and Explanatory Memorandum. Such an approach will benefit both consumers and licensees by reducing the confusion, complexities and inefficiencies associated with dual credit complaint handling processes.

53) For example, the practice of initially referring any complaint to an internal procedure is consistent with the Office’s obligations under section 40(1A) of the Privacy Act[26]. The Office would recommend making it clear in the Explanatory Memorandum that, if a consumer’s complaint involves a privacy issue, the privacy aspect of the complaint will fall within the Privacy Commissioner’s jurisdiction and the Privacy Commissioner would generally expect a similar internal dispute procedure to be adopted.

54) The commentary to the Bill in relation to EDR schemes states ‘Privacy matters in relation to EDR Schemes are covered by the Privacy Act 1988 and rely on contractual arrangements, as currently occurs’. It is not clear what is meant by this statement and the Office recommends that its meaning be clarified.

55) The Office would also recommend that guidance material be produced by ASIC, in consultation with the Office, which clearly explains the complaint handling procedures available under both the Bill and the Privacy Act and the interaction between them. Such guidance material will benefit both consumers and licensees and will help reduce any potential confusion over credit complaint handling processes.

56) As stated in paragraph 22 above, the jurisdiction of the Privacy Act may not extend to all licensees. From the consumer’s perspective this may lead to a situation where there will be no dispute resolution remedy available under the Privacy Act when a licensee mishandles their personal credit information. The Office reiterates its suggestion that all licensees be brought under the Privacy Act’s coverage to avoid this potential gap in privacy regulation.

Default Notices

57) The Office believes the provisions relating to default notices in the draft National Credit Code may potentially cause confusion about a credit provider’s obligations under Part IIIA of the Privacy Act. For example, the Bill does not make it clear that even if a credit provider is exempt from issuing a default notice in accordance with section ^80(4) of the draft National Credit Code, there is still a requirement to comply with separate notice obligations under Part IIIA of the Privacy Act before listing the default on an individual’s consumer credit information file.

58) Similarly, the operation of section ^172 of the draft National Credit Code, which provides that a credit provider may be relieved from giving notice or other documents in certain circumstances, does not detract from the obligation under 2.7 of the Credit Reporting Code of Conduct. This section requires that a written notice be sent to the individual’s last known address, both advising them of the overdue payment and requesting payment of the amount outstanding, before the amount can be listed on the individual’s consumer credit file.

59) Further, under section ^79A a credit provider must give the debtor, and any guarantor, a direct debit default notice on the first occasion a default occurs. This provision may create an inconsistency with the application of section 18N(1)(ba) of the Privacy Act which has the effect of preventing a credit provider disclosing the information to a guarantor except for the proper enforcement of the guarantee. Under the current application of the subsection a payment overdue by a few days would not necessarily meet this requirement.

60) To overcome these issues, the Office recommends that the Bill and the Explanatory Memorandum expressly clarify that a credit provider’s obligations under Part IIIA of the Privacy Act will operate with the draft National Credit Code’s default notice provisions.



[1] See the Commonwealth Treasury’s website at http://gov.au/consumercredit/content/legislation.asp

[2] Office of the Privacy Commissioner survey results: 2007 Community attitudes towards privacy in Australia. Available on the OPC website at www.privacy.gov.au/business/research/index.html#1b

[3] See Credit Provider Determination No. 2006-4 (Classes of credit providers) at www.privacy.gov.au/act/credit/deter4_06.html. Corporations which acquire the rights of a credit provider in respect of a repayment of a loan are also regarded as credit providers under Part IIIA of the Privacy Act – see Credit Provider Determination No 2006-3 (Assignees) at www.privacy.gov.au/act/credit/deter3_06.html.

[5] Further information relating to the operation of Part IIIA of the Privacy Act can be found on the Office’s website - www.privacy.gov.au.

[6] ALRC Report 108, May 2008, available at: www.austlii.edu.au/au/other/alrc/publications/reports/108/

[7] See section 18E of the Privacy Act which sets out the specified content of an individual’s credit information file.

[8] Office of the Privacy Commissioner survey results: 2007 Community attitudes towards privacy in Australia. Available on the OPC website at www.privacy.gov.au/business/research/index.html#1b

[9] See Hon M.J. Duffy, Second Reading Speech for the Privacy Amendment Bill 1990, Commonwealth Hansard, House of Representatives, 4 December 1990.

[10] See section 6E(1A) of the Privacy Act.

[11] See section 6E (1) and (2) of the Privacy Act.

[12] See Privacy (Private Sector) Amendment Regulations 2007 (No. 3) available at www.comlaw.gov.au/ComLaw/Legislation/LegislativeInstrument1.nsf/0/40617C959BA055ECCA25732B00150FEB?OpenDocument

[13] See ^LIC 335 of the Bill.

[14] Section 6(1) of the Privacy Act states a ‘generally available publication means a magazine, book, newspaper or other publication (however published) that is or will be generally available to members of the public’.

[15] See Proposal 50-10, p547 Vol 2 of the Office’s submission to DP72 www.privacy.gov.au/publications/submissions/alrc_72/PartG.html

[16] See Recommendation 54-4 of ALRC Report 108, May 2008, available at: www.austlii.edu.au/au/other/alrc/publications/reports/108/

[17] See recommendations 55-2 and 55-3 in the ALRC Report 108, May 2008, available at: www.austlii.edu.au/au/other/alrc/publications/reports/108/

[18] Under ^DEF7 of the Bill ‘credit assistance’ is defined to include suggesting to a consumer that they apply for the provision of credit, or an increase to the credit limit, of a particular credit contract.

[19] ^R160 of the Bill.

[20] See ^R250 and ^R260 of the Bill.

[21] See paragraph 53.57 of the ALRC’s DP72 www.privacy.gov.au/publications/submissions/alrc_72/PartG.html

[22] See sections 18K, 18L and 18N of the Privacy Act.

[23] See recommendation 57-3 in the ALRC Report 108, May 2008, available at: www.austlii.edu.au/au/other/alrc/publications/reports/108/

[24] Each licensee is required to belong to an EDR - see ^LIC170(1)(h) of the Bill.

[25] See ^LIC170(1)(i) and (j) of the Bill.

[26] Under this sub-section the Privacy Commissioner must not investigate a complaint if the complainant did not first complain to the respondent. However, the sub-section does contain a discretion for the Privacy Commissioner to commence an investigation if he or she considers it was not appropriate for the complainant to complain to the respondent.