
National Consumer Credit Protection Bill; Submission to the Senate Economics Legislation Committee (July 2009)

Inquiry into National Consumer Credit Protection Bill 2009 Submission to the Senate Economics Legislation Committee July 2009


Key Recommendations

  1. The Office of the Privacy Commissioner (the Office) notes that the draft National Consumer Credit Reform legislation is part of the first phase of the Australian Government’s plan to put in place a framework for the national regulation of consumer credit.
  2. The Office has a number of suggestions aimed at enhancing aspects of the National Consumer Credit Protection Bill 2009. These are as follows:
    1. A clause could be included in the Bill clarifying that the provisions of the Bill should be interpreted in such a way that they do not diminish the existing privacy protections or definitions contained in the Privacy Act. These include the related provisions in sections 6(1) and 11B Privacy Act which define the terms ‘credit’, ‘loan’ and ‘credit provider’. It may also be beneficial to provide a discussion on the intended interaction between the Bill and the credit reporting regime of the Privacy Act in the Explanatory Memorandum to the Bill.
    2. One of a number of existing Privacy Act mechanisms be utilised to ensure that all licensees and their representatives under the Bill, who are not already covered by the Privacy Act, are brought under the Privacy Act’s coverage for the collection and handling of credit reporting information.
    3. It would be good privacy practice to ensure that any information about licensees which is made publicly available either through registers or publication of Banning Orders is reasonably necessary to achieve the stated objectives of the licensing scheme.
    4. The Bill and Explanatory Memorandum should clarify that the assessment processes identified in Parts 3-1 and 3-2 of the Bill should not be interpreted as approving or endorsing credit pre-screening activities.
    5. Section 120(1) and the note to 155(1) of the Bill, which remove an individual’s right to access information held about them by a licensee, should be clarified to ensure that these provisions only cover evaluative information generated internally in connection with a commercially sensitive decision-making process. However, if all licensees and their representatives are brought under coverage of the Privacy Act as discussed in paragraphs 19-21 the Office recommends these provisions be removed from the Bill as the Privacy Act already contains appropriate restrictions on access to evaluative material.
    6. The rights the Privacy Act confers upon individuals and the Office’s role in dealing with privacy related complaints should also be expressly highlighted in the Bill and Explanatory Memorandum.

Office of the Privacy Commissioner

1) The Office of the Privacy Commissioner (the Office) is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) (the Privacy Act), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT Government agencies, and personal information held by all large private sector organisations, private health service providers and some small businesses. In addition, the Office has regulatory functions under other Acts, such as the Telecommunications Act 1997 and the Crimes Act 1914. In the context of this submission, the Office particularly draws attention to its regulatory functions in regard to the handling of credit reporting information under Part IIIA of the Privacy Act.

Preliminary

2) The Office appreciates the opportunity to make a submission to the Senate Economics Legislation Committee Inquiry into the National Consumer Credit Protection Bill 2009. [1] The Office has previously made a submission to the Commonwealth Treasury on the Draft National Consumer Protection Bill 2009 [2] which this submission also draws upon.

3) The Office understands that the National Consumer Credit Protection Bill and related legislation form part of the first stage of the Australian Government’s commitment to creating a nationally consistent corporate and financial services regime for Australia. It flows on from the Council of Australian Governments’ (COAG) agreement in March and June 2008 that the Commonwealth would assume responsibility for the regulation of consumer credit and a related cluster of additional financial services. The Office notes the aim of the National Consumer Credit Protection Bill is to create a new national consumer credit regulatory framework.

4) The protection of personal credit information is an important privacy concern for individuals. Research that the Office has undertaken shows that the type of information individuals are the most reluctant to provide is financial information. [3] It is therefore important to ensure any consumer credit regulatory framework put in place enhances existing privacy protections.

5) The Office has a number of suggestions on privacy issues to enhance and clarify certain aspects of the National Consumer Credit Protection Bill. These are discussed in more detail below.

Clarifying the interaction with the Privacy Act

6) The privacy regulation of consumer credit reporting in Australia is found principally in Parts II and IIIA of the Privacy Act 1988 (Cth) (Privacy Act). Part IIIA of the Privacy Act provides privacy safeguards for individuals in relation to consumer credit reporting. In particular, it governs the handling of credit reports and other credit worthiness information about individuals by credit reporting agencies and credit providers.

7) The Office notes that consumer credit is an essential part of the modern Australian economy. With the advent of the digital age individuals can now access credit in ways that had not been contemplated in 1990 when Part IIIA of the Privacy Act was enacted. For example, individuals can now open a bank account, complete financial transactions, and apply for credit online.

8) However, the importance of privacy protection has not diminished over time. For this reason, the Office believes it is important that the privacy protections that currently exist within the credit reporting provisions in Part IIIA are not impliedly repealed or otherwise diminished by the National Consumer Credit Protection Bill (the Bill).

9) The Office notes that whilst the Bill in Chapter 1, Division 3, addresses the interaction between Commonwealth credit legislation and State and Territory laws, it does not appear to deal with its interaction with the Privacy Act’s credit reporting provisions. These include the related provisions in sections 6(1) and 11B Privacy Act which define the terms ‘credit’, ‘loan’ and ‘credit provider’.

10) The Office suggests that a clause be inserted into the Bill which would have the effect of clarifying that the provisions of the Bill should be interpreted in such a way that they do not diminish the existing privacy protections or definitions contained in the Privacy Act, particularly in relation to credit. It may also be beneficial to provide a discussion on the intended interaction between the Bill and the credit reporting regime of the Privacy Act in the Explanatory Memorandum for the Bill.

Licensing of those engaging in credit activities

11) Chapter 2 of the Bill establishes a system of licensing persons to engage in credit activities overseen by the Australian Securities and Investments Commission (ASIC) ‘as the sole regulator’. [4] In general, a person cannot engage in a credit activity if the person does not hold an Australian Credit Licence. It requires persons who engage in credit activities to initially be registered with ASIC, and to subsequently hold an Australian Credit Licence.

12) It is expected that licensees engaged in credit activity will collect a significant amount of personal information from their clients as part of the licensees’ procedures to assess eligibility for credit. This information would be used to assess loan risk and would include details of their clients’ personal finances such as assets, income, expenditure and loan liabilities.

13) The Bill appears to provide some privacy protection to the handling of some personal information collected by licensees. [5] It appears that there is an assumption that the provisions in the Privacy Act will be the primary source of protection for the handling of personal information collected by all licensees and by ASIC. However, there may be some gaps in this coverage.

14) The Privacy Act applies to the activities of Commonwealth and ACT government agencies as well as private sector organisations. Organisations are defined to include all businesses with an annual turnover of more than $3 million, all private health service providers and a range of small businesses. The activities of individuals acting in a private capacity are generally not subject to the Privacy Act.

15) Licensees that meet the definition of a ‘credit provider’ in section 11B of the Privacy Act and the credit provider determinations made by the Privacy Commissioner will have certain privacy obligations under Part IIIA of the Privacy Act, as will their credit representatives.

16) Whilst Part IIIA generally regulates the handling of an individual’s credit information by credit reporting agencies and credit providers it does not regulate some significant areas of personal information handling. It does not regulate credit reports or the general credit worthiness information held by credit providers or their obligations to that information in terms of the provision of notice, data security, plus access and correction rights found in the NPPs.

17) Part IIIA also has limited coverage in relation to the secondary use of that information by credit providers. Licensees who are not credit providers will not be subject to Part IIIA of the Privacy Act. As such, they may not be obliged to protect the personal information of individuals unless they fall within the jurisdiction of the NPPs on the basis that the licensee is an ‘organisation’ within the meaning of section 6C of the Privacy Act.

18) This gap in privacy protection already existed under the Uniform Consumer Credit Code of the states and territories. However, as a Commonwealth enactment, this Bill seeks to expand coverage to include mortgage brokers and other intermediaries and therefore it is likely that the gap in privacy regulation could continue. The result could be fragmented and inconsistent privacy protections. The Australian Law Reform Commission (ALRC) Report 108 For your information: Australian Privacy Law and Practice [6] noted that national consistency should be one of the goals of privacy regulation. For example, there may be a category of licensees, such as ‘small business operators’ [7], that may fall outside the Privacy Act’s jurisdiction for some aspects of the handling of credit reporting information and will not be obliged to protect this information as required under the NPPs.

19) To address this potential gap in coverage, the Office suggests that one of a number of existing Privacy Act mechanisms be utilised. The purpose of doing this is to bring all those licensees and their credit representatives under the Bill, which are not already covered by the Privacy Act, under the Privacy Act’s coverage.

20) This could be achieved through an amendment to the provisions of the Privacy Act which would deem licensees as organisations for the purposes of the Privacy Act. This method was most recently used in two separate instances. First, it was used to bring ‘reporting entities’ under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the AML/CTF Act) under the coverage of the Privacy Act. [8] Secondly, ‘protected action ballot agents’ under the Fair Work Act 2009 and ‘association of employees’ registered or recognised under the Fair Work (Registered Organisations) Act 2009 were both deemed as organisations thus requiring compliance with the NPPs in the Privacy Act in relation to certain acts and practices. [9]

21) Alternatively, a regulation under the Privacy Act could be prescribed that will treat licensees, who are not already subject to the Privacy Act, as organisations under the Privacy Act. This provision [10] has most recently been used to prescribe residential tenancy database operators as organisations for the purposes of the Privacy Act. [11]

Credit Register, Register of Documents and Publication of Banning Orders

22) Chapter 5 of the Bill refers to two types of registers that will be established. Section 213 establishes ‘credit registers’ in relation to credit activities and section 219 refers to a ‘register of documents’. Section 214 states that ASIC may make the credit registers, or any part of them, available to the public on its website or by other means. Section 219(4) states that ‘ASIC is not required to ... make any part of document registers available to the public’. It is not clear if section 219 intends to remove the right of individuals to access information held about them by an Australian Government agency under IPP 6 or under FOI legislation. It appears it is intended that the registers would be managed by ASIC. The credit register (and if permitted by ASIC the register of documents) may be used by persons, including individuals, to verify the status of the person they propose to deal with.

23) ASIC is also required by section 84(3) of the Bill to publish a copy of the Banning Order on its website when making or varying such an order. By requiring the actual Banning Order to be published it is assumed that the agency will be unable to mask personal information not needed to identify an individual subject to the order. [12]

24) The Office’s view is that when determining what information should be made available or published on public registers there is a need to appropriately balance transparency against the protection of an individual’s personal privacy. Personal information that is contained in a public register or published on a website accessible by members of the public falls within the Privacy Act’s definition of a ‘generally available publication’. [13] An Australian government agency does not have any obligations under the Privacy Act to protect personal information in a generally available publication. This is because the Information Privacy Principles (IPPs) in section 14 of the Privacy Act only apply to personal information contained in a ‘record’ which excludes a generally available publication. [14]

25) It is important that careful consideration be given as to what personal information is put in a generally available publication or otherwise made publicly available. For example, it may not be appropriate, or indeed necessary, for a public register to contain details of a person’s residential address if the primary aim of the register is to verify the person’s status. Generally, the Office observes it would be good privacy policy and practice to ensure that any information about licensees which is made publicly available either through registers or publication of Banning Orders is reasonably necessary to achieve the stated objectives of the licensing scheme. The registers should not inadvertently disclose personal information.

Pre-screening

26) As the Office understands it, under Chapter 3 of the Bill licensees providing credit assistance will be required to conduct a preliminary assessment of the unsuitability of a credit contract before proceeding to offer credit assistance pursuant to section 116 of the Bill. [15] Reasonable inquiries about the consumer’s requirements and financial situation must be made by the licensee before making a preliminary assessment under section 117 of the Bill. [16] These inquiries are to include the licensee taking reasonable steps to verify the consumer’s financial situation. [17]

27) The Office is uncertain whether the requirement the Bill places upon licensees to conduct a preliminary assessment and make reasonable inquiries about a consumer’s financial situation encourages and could be interpreted as sanctioning pre-screening activities.

28) Pre-screening can be described as ‘the ability of credit providers to use credit files to exclude individuals from direct marketing offers to increase limits or refinance loans’. [18] In the Office’s view the current provisions in Part IIIA of the Privacy Act prohibit pre-screening. [19] Generally, Part IIIA of the Privacy Act only permits access to a credit information file when a loan application has been made and is under assessment. Under the provisions of the Bill referred to above, it does not appear that it is necessary for a loan application to have been made before the assessment processes are undertaken.

29) The Office supports continuing the prohibition on pre-screening on the basis the practice of pre-screening raises significant privacy issues. This position is consistent with the ALRC’s recommendation in its Report 108 that any new credit regulations should expressly prohibit the use or disclosure of credit reporting information for the purposes of direct marketing, including in relation to the ‘pre-screening’ of direct marketing lists. [20] For example, the making of an assessment of individuals’ credit worthiness based on their credit reporting information, outside the context of an application for credit (where the individual would expect such an assessment to take place) is neither transparent nor open. Individuals affected by this activity are unaware that their information is being used and disclosed in this way.

30) There is also a risk that by allowing pre-screening activity to occur in another context the privacy protections currently in place in relation to the credit reporting system would be weakened. In the Office’s view, if pre-screening is to be permitted, there should be a number of legislative privacy safeguards put in place.

31) The Office recommends that the Bill and Explanatory Memorandum clarify that the preliminary assessment processes identified in Parts 3-1 and 3-2 of Chapter 3 of the Bill should not be interpreted as approving or endorsing credit pre-screening activities.

Access to preliminary credit assessment and credit assessment

32) Access to one’s own personal information is an essential component of an effective privacy framework. Section 120(1) and the note to 155(1) of the Bill appear to remove an individual’s right to access personal information held about them by a licensee.

33) National Privacy Principle 6.1 in the Privacy Act permits an individual access to information held about them by an organisation unless an exception applies. In this regard, the effect of section 120(1) and the note to section 155(1) would be to allow a licensee to deny access under the exception in NPP 6.1(h) as the denial of access would be ‘required by law’.

34) It is not clear from the Bill or Explanatory Memorandum what the policy rationale for this proposal is. If, for example, it is because the preliminary credit assessment or later credit assessment is evaluative information generated internally in connection with a commercially sensitive decision-making process, then such information is already excepted from access under NPP 6.2 in the Privacy Act.

35) The Office suggests that as this clause could potentially diminish an individual’s privacy rights currently afforded by NPP 6.1, it be clarified to specify that it is intended to cover evaluative information. Alternatively, if all licensees and their representatives are brought under coverage of the Privacy Act as discussed in paragraphs 19 – 21 then in the Office’s view this clause may not be necessary.

Dispute Resolution

36) The Bill sets out a three tier dispute resolution structure. Under the first tier, licensees are obliged to have an internal dispute resolution procedure in relation to credit activities available to consumers. If consumers are unable to resolve their dispute through internal processes they may access an approved external dispute resolution scheme (EDR). The third tier allows consumers to resolve disputes through the court system. [21] The broad definition of credit activities contained in the Bill will encompass credit reporting. Accordingly, there will be an overlap between the dispute resolution framework in the Bill and the privacy complaint handling regime set out in Part V of the Privacy Act.

37) The Office, whilst generally supportive of the three tier consumer dispute resolution framework as set out in the Bill, believes its effectiveness could be enhanced if the role of privacy matters in credit disputes was specifically addressed. In particular, there would be benefits in clarifying the extent to which the Bill’s dispute resolution framework works within the context of privacy disputes. The Office also suggests that the rights the Privacy Act confers upon individuals and the Office’s role in dealing with privacy related complaints should be expressly highlighted in the Bill or Explanatory Memorandum. Such an approach will benefit both consumers and licensees by reducing the confusion, complexities and inefficiencies associated with dual credit complaint handling processes.

38) For example, the practice of initially referring any complaint to an internal procedure is consistent with the Office’s obligations under section 40(1A) of the Privacy Act. [22] The Office recommends making it clear in the Explanatory Memorandum that if a consumer’s complaint involves a privacy issue the privacy aspect of the complaint will fall within the Privacy Commissioner’s jurisdiction and that the Office would generally expect a similar internal dispute procedure to be adopted.

39) The Office would also recommend that guidance material be produced by ASIC, in consultation with the Office, which clearly explains the complaint handling procedures available under both the Bill and the Privacy Act and the interaction between them. Such guidance material will benefit both consumers and licensees and will help reduce any potential confusion over credit complaint handling processes.

40) As stated in paragraphs 16 to 18 above, the jurisdiction of the Privacy Act may not extend to all licensees. From the consumer’s perspective this may lead to a situation where there will be no dispute resolution remedy available under the Privacy Act when a licensee mishandles their personal credit information. The Office reiterates its suggestion that all licensees be brought under the Privacy Act’s coverage to avoid this potential gap in privacy regulation.



[1] See Inquiry into the National Consumer Credit Protection Bill 2009 www.aph.gov.au/Senate/committee/economics_ctte/consumer_credit_09/index.htm

[3] Office of the Privacy Commissioner survey results: 2007 Community attitudes towards privacy in Australia. Available on the OPC website at www.privacy.gov.au/business/research/index.html#1b

[5] See for example, section 73(1)-(10) in chapter 2 of the Bill which imposes restrictions on the use or disclosure (including secondary uses or disclosures) of personal information given to a licensee about their representative by ASIC. A contravention is a criminal offence but does not require a licensee to compensate an affected individual.

[6] ALRC Report 108, May 2008, paragraph 3.13, available at: www.austlii.edu.au/au/other/alrc/publications/reports/108/

[7] A small business operator is a business that has an annual turnover of $3 million or less and is therefore exempt from coverage of the NPPs – see s.6D Privacy Act.

[8] See section 6E(1A) of the Privacy Act.

[9] See section 6E(1B), (1C) and 6E(3) of the Privacy Act.

[10] See section 6E(1) and (2) of the Privacy Act.

[11] See Privacy (Private Sector) Amendment Regulations 2007 (No. 3), available at www.comlaw.gov.au/ComLaw/Legislation/LegislativeInstrument1.nsf/0/40617C959BA055ECCA25732B00150FEB?OpenDocument

[12] A similar provision exists in section 60(3) of the Bill which states that ASIC must publish a notice of a variation, suspension, revocation of a suspension or cancellation on its website.

[13] Section 6(1) of the Privacy Act states a ‘generally available publication means a magazine, book, newspaper or other publication (however published) that is or will be generally available to members of the public’.

[14] However, it is noteworthy that the same personal information contained in a duplicate record by the agency which is not publicly available will continue to be covered by the IPPs.

[15] See also section 139 of the Bill in relation to a preliminary assessment of unsuitability of the consumer lease.

[16] See also section 129 in relation to assessment of the unsuitability of the credit contract and section 152 of the Bill in relation to conducting an assessment of the unsuitability of a consumer lease.

[17] See section 153 of the Bill.

[19] See sections 18K, 18L and 18N of the Privacy Act.

[20] See recommendation 57-3 in the ALRC Report 108, May 2008, available at: www.austlii.edu.au/au/other/alrc/publications/reports/108/

[22] Under this sub-section the Privacy Commissioner must not investigate a complaint if the complainant did not first complain to the respondent. However, the sub-section does contain discretion for the Privacy Commissioner to commence an investigation if he or she considers it was not appropriate for the complainant to complain to the respondent.