
Exposure Draft Personal Property Securities Bill 2008; Submission to the Senate Legal and Constitutional Affairs Committee (December 2008)

December 2008

Key Recommendations

The Office recommends that the proposed Personal Property Securities Bill 2008 ('the PPS Bill') should:

  • Clearly identify the information to be contained on the Personal Property Securities Register ('the PPS Register'), to ensure that the information is limited to that which is necessary to fulfil the purpose of the PPS Register
  • Include offence provisions to cover misuse of all personal information and associated records related to the PPS Register
  • Include offence provisions to cover misuse of register information by organisations and agencies where such misuse is not covered by the Privacy Act
  • Clarify whether the PPS Register is considered a 'generally available publication' for the purposes of the Privacy Act
  • Recast section 228 so that the Registrar can only lodge a complaint with the Privacy Commissioner over inappropriate search or use of personal information, if the individual whose personal information has been inappropriately used or accessed has given consent to the Registrar
  • Recast section 228 so that the complainant is required to initially complain to the organisation or agency which they believe has inappropriately handled their personal information, in accordance with section 40(1A) of the Privacy Act
  • Define the meaning of security interest so that personal property interests other than security interests would not be registrable
  • Ensure that data-matching should only take place where necessary and restricted by well-defined parameters
  • Define the types of information contained on the PPS Register that will be checked for validity and the databases that will be used in the checking process
  • Ensure that where possible, the Registrar does not include personal information in the verification statement
  • Limit the search results to information necessary to satisfy the search and, where possible, limit searches to a 'challenge response' model.
  • Include the search criteria and what information will be displayed in the search results of the PPS Register both in electronic and written form
  • Clearly specify the government agencies that are authorised to access personal information held on the PPS Register and the purposes for which they may access the information.

Office of the Privacy Commissioner

The Office of the Privacy Commissioner ('the Office') is an independent statutory agency responsible for promoting an Australian culture that respects privacy.  The Office, established under the Privacy Act 1988 (Cth) ('the Privacy Act'), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses[1]. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

Background

The Office welcomes the opportunity to provide comments to the Senate Legal and Constitutional Committee ('the Committee') on the Exposure Draft of the PPS Bill[2].

In February 2007, the Office responded[3] to Discussion Paper 1 relating to the PPS Register. The Office also commented on the consultation draft of the PPS Bill and the corresponding commentary in August 2008[4]. The Office also provided comments on the Discussion Paper ('DP') for the Personal Property Securities Regulations ('PPS Regulations')[5] to be made under the Exposure Draft of the PPS Bill[6].

The Office appreciates that some of our previous comments have been reflected in the current draft of the PPS Bill. However, there are some further issues that the Office believes are relevant to the Committee's examination of the exposure draft.

Primary Legislation and the Regulations

In its response to the consultation draft Bill and the DP for the PPS Regulations, the Office suggested that the privacy protections for personal information contained on the PPS Register should generally be specified in primary legislation. In this submission the Office maintains that position.

However, the Office notes that under the Exposure Draft there remains scope for the PPS Regulations to prescribe how the PPS Register will handle personal information[7]. The Office recognises that provision for the use of legislative instruments can sometimes provide appropriate flexibility to regulatory and administrative schemes.

Content of the PPS Register

The PPS Bill would establish a single national online PPS Register under which personal property that is or may be subject to a security interest can be registered[8].

The Office acknowledges the wide ranging benefits and efficiencies potentially resulting from the PPS Register including:

  • harmonisation of laws
  • legal certainty for consumers, sole proprietors and businesses
  • reduction in legal disputes
  • reduction in costs
  • efficiency in service delivery.

However, given the potential impact on individuals' privacy, the Office submits that only personal information necessary to achieve the objectives of the PPS Register should be collected.

In determining this, it may be useful to consider what types of information would not be necessary for the PPS Register. For example, it may be unnecessary for residential addresses to be retained on the PPS Register. In practice, business addresses or post-boxes (where different from residential addresses) would seem appropriate for PPS Register purposes, such as to receive verification statements.

Dates of Birth

The Office also suggests that including date of birth data may not be necessary. Date of birth information, when linked to other information, can potentially lead to the creation of comprehensive databases of personal information related to individuals. This is important with regard to date of birth information being used in search results (discussed later).

If the collection of date of birth information has been proposed in order to differentiate between individuals of the same name then the Office submits there may be other methods to achieve this. For example, the Exposure Draft of the PPS Bill could include the option of recording the middle initials of grantors'[9] names to differentiate between individuals of the same name. Other methods to differentiate between individuals of the same name might also need to be considered for those circumstances where individuals share a middle initial.

Collateral/Serial Numbers

The Office welcomes the proposal, where possible, to describe property on the PPS Register by serial number [such as vehicle identification numbers (VIN) for motor vehicles].[10] This measure could operate as a privacy safeguard, as the goods would be identifiable by serial number, rather than by the grantor's details.

Data Sources, Verifying Identification and Data-matching

It is proposed that the PPS Register would take the place of existing State and Territory schemes for registering encumbrances over motor vehicles and would extend to other property assigned a serial number in accordance with recognised standards[11]. The PPS Bill Revised Commentary ('the Commentary')[12] suggests that this would allow the PPS Register to provide 'validity checks' against other databases, such as the National Exchange of Vehicle and Driver Information (NEVDIS).

The Office recommends that the PPS Bill should state that data-matching such as this should only occur within well-defined parameters. Furthermore, the PPS Bill should define the types of information that may also be contained on the PPS Register that can be checked for validity. It would assist if the regulations were to nominate the databases to be used in the checking process.

The Office has issued voluntary guidelines for data-matching by agencies. Guidelines such as these could form a basis for an appropriate privacy framework if any data-matching occurs between the PPS Register and other databases.[13]

Definition of Security Interest

The Office is of the view that the definition of security interest under Section 28 of the Exposure Draft of the PPS Bill should ensure that the PPS Register will only capture personal information it needs to fulfil its purpose.

The current definition would appear to have the effect of creating a broad scope for the PPS Register that would encompass personal property interests other than security interests. 

For example, retaining this broad definition could mean that interests involving state and territory agencies that administer state and territory motor vehicle confiscation and impoundment legislation, confiscation of proceeds of crime legislation, as well as guardianship orders issued by state and territory Public Trustees over motor vehicles could be included.

Increasing the scope and purpose of the PPS Register could potentially lead to it becoming the repository of large amounts of personal information, to the extent that it could be possible to develop a personal profile of an individual. The availability of such a database could lead to 'function creep'.

Function Creep

The term 'function creep' describes the incremental expansion in the purpose of a system, to a point where information is used for purposes not initially agreed to or envisaged and unrelated to its original intent. Such expansion is generally organic in nature and lacks overall direction, planning or oversight. 

Therefore, in order to reduce the potential for 'function creep', the Office believes that the PPS Bill should be amended so that personal property interests other than security interests would not be registrable. This, along with suggestions mentioned earlier in relation to residential addresses, dates of birth and serial numbers, could result in the information captured by the PPS Register being limited to what is necessary to fulfil its purpose and reduce the privacy risks.

Building Financial Profiles from the PPS Register

Currently, given the disparate nature of existing registers, it would be difficult for a casual browser to obtain sufficient information to build a comprehensive profile of any one person and the security interests held over their personal property. The proposed PPS Register would consolidate this information into one database. This may allow a casual browser to build financial profiles of individuals. Therefore suggestions mentioned earlier in relation to narrowing the definition of security interest, residential addresses, dates of birth and serial numbers could be useful in preventing the building of such profiles.

The potential for a comprehensive profile to be developed could be increased as the Registrar may keep a record of the removed data in whatever form the Registrar considers appropriate (section 218)[14]. This could lead to the Registrar administering another record (other than the PPS Register) that could contain large amounts of personal information. However, records created under section 218 would likely be separately subject to the information handling requirements of the IPPs including notice, security, access, use and disclosure.

The Office also notes that under section 224, the Registrar may publish, in a way prescribed by the Regulations, a single verification statement. Under section 220, the verification statement includes other data (if any) approved by the Registrar for that form in relation to the verifiable event, a secured party[15], a grantor, or collateral. Therefore it is possible that personal information could be published under section 224.

Given this, consideration could be given to amending section 224 so that where appropriate the Registrar would not approve a form for these statements that allows the inclusion of personal information.

Individuals and Corporate Entities on the PPS Register

The Office observes that many securities to be registered may not include any personal information as defined in the Privacy Act. For example, securities held by a financial institution over personal property owned by a public company might not include personal information.

In general, the Privacy Act does not protect the information privacy of corporate entities. However, in some instances business information will also include personal information. This may be the case for information about sole traders or partnerships. Consideration should be given as to whether such personal information is appropriately protected.

Generally Available Publication

Whether the PPS Register will meet the Privacy Act definition of a 'generally available publication'[16] needs to be clarified. If the PPS Register does meet the definition, the handling of personal information contained on the PPS Register may not be covered by the Privacy Act. However, it should be noted that the IPPs would continue to apply to any personal information that the agency has collected for publication in the PPS Register and then continues to hold in a separate record such as in another database.

The Commentary states the main object of the PPS Register would be to provide a 'real-time online noticeboard of personal property over which a security interest has been, or may be taken'[17]. Additionally, a simple targeted electronic registration would provide 'notice to the world' of any actual or prospective security interests[18]. The PPS Register would be accessible for search purposes by direct online access or by making a written application to the Registrar. 

Section 225 states that a person may apply to search the PPS Register for data and to obtain a written search result in relation to that data. Users would not have to be registered to undertake a PPS Register search. However, a search must be authorised under section 226 which outlines the criteria by which a person would be able to search and section 227 which lists the authorised search purposes. A search fee will need to be paid.

Section 228 states that an unauthorised search or use of the personal information obtained in a search by an 'agency' or 'organisation' (within the meaning of the Privacy Act) would constitute an act or practice interfering with the privacy of an individual. Therefore, it will be important to establish whether existing privacy regulation, including the Privacy Act, will apply to the handling of personal information contained on the PPS Register.

Searching the PPS Register

Complaints under the Privacy Act

The Office supports the approach on authorised purposes for searching the PPS Register contained in section 227 of the PPS Bill. Subject to considerations above regarding the PPS Register's status, the Office also supports the characterisation of an unauthorised search and use of the Register as an 'interference with privacy' for the purposes of sections 13 and 13A of the Privacy Act.[19] The Office also welcomes the complaint mechanisms established under section 228, allowing individuals and, in some circumstances the Registrar, to complain to the Privacy Commissioner about an alleged and unauthorised access to the PPS Register. Clear and accessible complaint mechanisms are important to promoting information privacy. However, the Office notes that a large number of small businesses and individuals who might access the PPS Register are currently exempt from the Privacy Act[20].

It should be noted that as currently drafted, section 228 does not appear to align with some aspects of the Privacy Act's requirements, and the Office's complaint handling processes. In particular, the Office has concerns over the Registrar being able to make a complaint to the Privacy Commissioner if the Registrar believes that a search or use of personal information may be an interference with the privacy of the individual[21]. The Exposure Draft of the PPS Bill proposes that a complaint could be made by an individual or the Registrar, and that Part V of the Privacy Act would apply, with such modification as circumstances require, as if the complaint were an IPP complaint (within the meaning of the Act) made under section 36 of that Act[22].

Section 40(1A) of the Privacy Act requires complainants to initially complain to the organisation or agency which they believe has inappropriately handled their personal information. The Office recommends recasting section 228 so that it reflects this requirement.

Under the Privacy Act an individual can make a complaint to the Privacy Commissioner or a representative complaint can be made on their behalf[23]. Section 228 should only allow the Registrar to lodge a complaint with the Privacy Commissioner, if the Registrar is authorised by the affected party to make a representative complaint on their behalf. Additionally, the Registrar should provide to an affected party the details of the inappropriate search or use of their personal information, so that the affected party can choose whether or not to make their own complaint.

The Office's voluntary "Guide to handling personal information security breaches ('the Guide')"[24] may assist the Registrar in the event of a significant security breach.

The Office is also willing to provide advice during the development of the PPS Bill and the PPS Regulations to ensure that the proposed provisions are consistent with the requirements of the Privacy Act.

Offence Provisions and Civil Remedies

The Office believes that the Exposure Draft of the PPS Bill could benefit from additional provisions aimed at deterring inappropriate searching and use of personal information contained on the PPS Register. More specifically the Office is concerned that the Exposure Draft of the PPS Bill might contain legislative gaps, by not considering exemptions under the Privacy Act and the actions of individuals.

The Commentary states that sections 228 and 236 are intended to remove the ability of users, including information brokers, to recycle data obtained from the PPS Register for other purposes[25].

The Office is of the view that the provisions of sections 236 and 228 may not be sufficient to deter, or provide appropriate remedies, for unauthorised searches and use of the PPS Register. In the first instance, section 228 would only apply to the extent that the alleged unauthorised access is by an 'agency' or 'organisation'.[26] Second, there should also be some deterrents for individuals searching records associated with but not necessarily part of the PPS Register. For example there should be provisions to deter inappropriate browsing of the database records by agency staff acting in their own capacity.

The Office recommends that the PPS Bill contain additional offence provisions. This could include specific secrecy provisions to cater for the activities of agency employees and additional civil remedies to penalise unauthorised access and misuse:

  • by individuals as well as agencies and organisations
  • of personal information
  • in relation to the PPS Register and associated records.

These provisions could also be complemented with specific privacy guidance and training for agency staff that have to access the database records associated with the PPS Register in the course of their work.

Under section 237, damages for loss would not be recoverable from certain persons acting honestly under a power conferred upon them by the PPS Bill or the PPS Regulations. The Office notes that it would be concerned if there are limits placed on compensation for affected parties in circumstances not covered by the Privacy Act. It is important that penalties and offences are clearly drawn in order to provide affected individuals with an adequate means of redress.

Searching by Date of Birth

The Exposure Draft of the PPS Bill provides that a person may search the PPS Register by reference to a grantor or secured party's details[27] to ensure that register users obtain accurate search results from the PPS Register[28]. According to the Commentary, register searches would generally be undertaken for grantors who are natural persons against their date of birth[29].

Date of birth information, when linked to other information, can allow large databases of personal information to be created. As such, the PPS Bill should prevent date of birth information being returned in search results. This would lessen the possibility of that data being misused and of inappropriate searches of the PPS Register occurring.

If date of birth information is deemed necessary to differentiate between individuals of the same name then such searches should be on a 'challenge-response' basis, rather than returning the actual date of birth.

Serial Numbers

As stated earlier, the Office welcomes the proposal in the case of serial numbered goods, to describe and search property on the PPS Register by reference to serial number only by which collateral may (or must) be described, where possible [such as vehicle identification numbers (VIN) for motor vehicles][30].

While the Office welcomes this approach, we note that the search criteria to be prescribed by regulation are not yet settled[31] and reiterate the view that search criteria should be contained in the primary legislation.

Search Results

The Office believes the PPS Bill should stipulate what information will be displayed in the results of a search of the PPS Register both in electronic and written form. The PPS Bill should also stipulate that information displayed in the search results should be relevant to the search and not display personal information which the searcher does not need to view.

Under section 226(2) the Registrar must ensure that the way in which results of a search are resolved in response to a search application is determined in accordance with any regulations made for such purposes. The Commentary explains that this provision would allow the regulations to determine rules for applying technological solutions for working out search results[32].

The Office believes there should be a provision which would give users a warning notice of the consequences of improper searching of the PPS Register before searches are conducted or at the time the search results are displayed. A warning notice could explain that improper searching would constitute an offence and possibly an interference with privacy under the Privacy Act and help to deter improper use of the PPS Register. Furthermore, this could be incorporated into the rules which will outline technological solutions for search results.

Government Entities Searching the PPS Register

The Office also notes that the Exposure Draft of the PPS Bill authorises a broad range of government entities to search the PPS Register for purposes that relate to their powers or functions for law enforcement purposes[33]. The Office recommends that these permitted uses should be clearly specified. For example, the Office notes the greater degree of specificity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 regarding which agencies may obtain information held by AUSTRAC and believes that a similar approach should be applied to the PPS Bill.

Reports Relating to Credit Worthiness

According to the Table in section 227, a person may search the PPS Register to establish whether to provide credit to, or obtain a guarantee or an indemnity from individuals whose information may be contained on the PPS Register.

The search results returned by the PPS Register might be considered a 'report' as defined under section 18N (9) of the credit reporting provisions of the Privacy Act. Section 18N of the Privacy Act places limits on disclosure by credit providers of personal information contained in reports relating to credit worthiness. However, these limits would not apply if the information is publicly available[34]. Therefore, it is important to know whether the PPS Register is a generally available publication to determine if section 18N will apply to such disclosures.

Other Privacy Issues

The Office's previous submissions raised a number of other privacy issues relevant to the PPS legislative framework.  The Office believes that these are important issues for the implementation of the PPS Register.

Privacy Impact Assessment (PIA)

The Office recommends a PIA be conducted to help identify and address potential privacy issues. A PIA allows agencies to identify and analyse a project's privacy impacts. A project that underestimates privacy impacts can place its overall success at risk by breaching privacy legislation or by not meeting the expectations of the community as to how personal information may be handled[35].

Notice

The Office believes that grantors should receive notice directly from the Registrar, at or as soon as is practicable after their personal information has been entered onto the PPS Register. Notice provisions should be consistent with the requirements under the Privacy Act.

The Office also believes that a grantor should receive notice that a listing will be placed on the PPS Register before registration. Notice should include the specific details of the information to be disclosed to the PPS Register. This would allow grantors to know their personal information will be accessible on a public Register. As mentioned in the Commentary,[36] all individuals named on the PPS Register must know about information that might affect their capacity to sell personal property or secure finance.

Adequate notice would allow grantors to know their personal information will be accessible on a public register. The notice should state why the information is to be recorded on the PPS Register, what laws give the authority to record it, and that the information will be publicly available. On this basis, the Office submits that the PPS Bill would need to detail the form of the notice given. This should include the specific details of the information to be recorded on the PPS Register.

Accessing and Amending the PPS Register

Section 186 provides that the Registrar must ensure that the PPS Register is operated at all times, except if the Registrar considers that it is not practical to provide access to the PPS Register or in other circumstances prescribed by the regulations. Where the Registrar considers that it is not practical to provide access to the PPS Register, the Registrar may refuse access or suspend the operation of the PPS Register, in whole or in part.

The Office suggests that the PPS Bill could prescribe other circumstances in which the Registrar may need to refuse access or operation of the PPS Register. For example, this could include cases involving the discovery or suspicion of inappropriate access to the PPS Register (as such an incident has the potential to result in a data breach occurring).

The Office notes that there appears to be a discrepancy between the types of information which may be amended by the grantor and the secured party. This discrepancy is further exacerbated by the different avenues for amendment. The secured party would be able to apply directly to the Registrar, whereas the grantor must ask the secured party to amend the information on the PPS Register[37].

The ability to access and, where necessary, correct personal information is important in ensuring good privacy practice[38]. The Office submits that the PPS Bill should prescribe additional amendments to a registration that can be made by a grantor.

[1] Information relating to the operation of the Privacy Act can be found on the Office's website at http://www.privacy.gov.au/.  Specific information outlining the privacy provisions covering private sector organisations and Australian government agencies can be found at:

www.privacy.gov.au/business/ for businesses

www.privacy.gov.au/government/ for government

[2] http://www.aph.gov.au/Senate/committee/legcon_ctte/personal_property/info.htm

[3] Submission available at: http://www.privacy.gov.au/materials/types/submissions/view/6675.

[4] Submission available at: http://www.privacy.gov.au/materials/types/submissions/view/6702

[5] Submission available at: http://www.privacy.gov.au/materials/types/download/8943/6701

[6] In this submission, the proposed PPS Act is also referred to as the PPS Bill

[7] PPS Bill, sections 187, 191 and 192; PPS Bill Revised Commentary December 2008 at Paragraph 10.44

[8] PPS Bill, Chapter V

[9] 'Grantor' refers to the individual who owns the personal property where a security interest is attached. Put simply, the grantor is the party who receives finance in return for a security interest in that piece of personal property.

[10] Commentary at paragraph 10.33

[11] Commentary at paragraph 10.32

[12] Commentary at paragraph 10.35.

[13] More information on the voluntary data-matching Guidelines can be found at: http://www.privacy.gov.au/law/other/datamatch/.

[14] Under sections 215 and 216, the Registrar may remove data (including an entire registration) from the PPS Register if the Registrar is satisfied that the data is frivolous or vexatious, the registration of data is prohibited by Regulations,  or to remove old data

[15] 'Secured party' meaning the party holding a security interest. Generally this is the party providing finance.

[16] Privacy Act 1988 (Cth) s 6(1)

[17] Commentary at Paragraph 10.2

[18] Commentary at Paragraph 10.5

[19] Section 228

[20] The Privacy Act applies to Australian and ACT Government agencies, businesses with an annual turnover of more than $3 million and some small businesses

[21] Section 228(6)

[22] Section 228(7)

[23] See Part V of the Privacy Act

[24] See http://www.privacy.gov.au/materials/types/guidelines/view/6478

[25] Commentary at paragraph B53

[26] Privacy Act 1988 (Cth) sections 6 and 6C

[27] Section 226

[28] Commentary at paragraph 10.114

[29] Paragraph 10.114

[30] Commentary at paragraphs 10.33 and 10.112

[31] Paragraph 10.113

[32] Paragraph 10.117

[33] Section 227, Table items 17 and 18

[34] Section 18N(9)

[35] The PIA Guide is available at http://www.privacy.gov.au/publications/pia06/index.html

[36] At 10.99

[37] Sections 191 and 204

[38] IPPs 3-7 govern accuracy of and storage, access and amendment to personal information held by Australian and ACT agencies. NPPs 3 & 4 relate to information quality and security and NPP 6 relates to access and correction of information. Furthermore, sections 18G, 18H, and 18J of the Privacy Act relate to the accuracy of credit information files and credit reports, and access and amendment to credit information files and credit reports.