
Personal Property Securities Reform Discussion Paper: Regulations to be made under the Personal Property Securities Act, August 2008; Submission to the Attorney-General’s Department (November 2008)


Key Recommendations

The Office recommends that, in the absence of the following matters being included in the draft Bill, the regulations should:

  • limit the collection of personal information to that which is necessary to achieve the objects of the Register
  • provide that search results displayed be limited to the information necessary to satisfy the search and, where possible, limit searches to a ‘challenge response’ model
  • state that in certain instances searching should be restricted to use of the serial number only and not include the grantor’s name
  • prescribe that data-matching should only take place when necessary and when restricted to well-defined parameters
  • require that the Office’s voluntary guidelines for data-matching by agencies form the basis for any data-matching conducted between the Register and other databases
  • define the meaning of security interest narrowly and limit the information to be included on the Register to that which is necessary to fulfil the purpose of the Register
  • require the Registrar to issue grantors with notice directly
  • set out the matters to be included in the grantor’s notice about the handling of their personal information held in the Register. For example, these matters should include but are not limited to:
    • the information to be held on the Register (from the DP the Office understands this will be the grantor’s name and date of birth)
    • the purpose for which the information will be recorded on the Register
    • what laws give authority to collect the information; and
    • advice that the information will be publicly available
  • include the following as cases where the Registrar should consider suspending access to the Register:
    • security of the information stored on the Register being compromised e.g. data breach
    • discovery or suspicion of inappropriate access to the Register (as such an incident has the potential to result in a data breach occurring)
  • suggest the Registrar adopt the Office’s voluntary ‘Guide to handling personal information security breaches’ to assess and manage any such incidents
  • as an important privacy safeguard, allow grantors to access and correct their personal information held on the Register
  • clearly specify the government agencies that are authorised to access personal information held on the Register and the purposes for which they may access the information
  • provide that a warning notice is displayed before a search is commenced, explaining that improper searching could constitute an interference with privacy under the Privacy Act.

About the Office and the Privacy Act

The Office of the Privacy Commissioner (‘the Office’) is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

The Privacy Act contains eleven Information Privacy Principles (‘IPPs’) which apply to Australian and ACT Government agencies. It also includes ten National Privacy Principles (‘NPPs’) which apply to all businesses with an annual turnover of more than $3 million and some small businesses. Part IIIA of the Privacy Act regulates credit providers and credit reporting agencies. In addition, some states and territories have privacy legislation that covers their respective public sectors.

The coverage of the Privacy Act is limited to ‘personal information’. This is defined in section 6 of the Act as information or opinion, whether true or not, about an individual whose identity is apparent or can be reasonably ascertained from that information.[1]

Overview

The Office appreciates the opportunity to comment on the Discussion Paper (‘DP’) for the PPS Regulations to be made under the proposed Personal Property Securities Act 2008.

The Office notes that a significant portion of the legislative framework for the Personal Property Securities Register (‘the Register’) will be contained in the Personal Property Securities Regulations (‘the PPS Regulations’) to be made under the proposed Personal Property Securities Act 2008 (‘the PPS Act’).

In February 2007, the Office responded[2] to Discussion Paper 1 relating to the Register. The Office also commented on the consultation draft of the Personal Property Securities Bill 2008 (‘the draft Bill’) and the corresponding commentary in August 2008[3].

In its response to the draft Bill, the Office suggested that the privacy protections for personal information contained on the Register should generally be specified in the primary legislation. The Office notes that the content of the draft Bill is still being considered.

The Office considers that the privacy issues raised in our submission on the draft Bill remain important and relevant considerations for the draft Bill or the PPS Regulations.

Terms used in this submission

‘Grantor’ refers to the individual who owns the personal property where a security interest is attached. Put simply, the grantor is the party who receives finance in return for a security interest in that piece of personal property.

‘Secured party’ means the party holding a security interest. Generally this is the party providing finance.

‘PPS Regulations’ refers to the regulation instrument made under the proposed PPS Act.

‘regulations’ refer to the individual regulations proposed in the DP to give effect to various sections and parts of the PPS Act.

Content of the Personal Property Securities Register

Information to be kept on Register to be prescribed by regulations

According to the proposed regulation under section 19 (outlined at paragraph 27 of the DP), the types of information to be included in the Register would consist of an individual’s name and address. Furthermore under the regulation pursuant to section 195 the registration of subordination details would include the details and address of a benefitting secured party that does not have a PPS registration.

As stated in our previous submission,[4] it may be unnecessary for residential addresses to be retained on the Register. In practice, business addresses or post-boxes (where different from residential addresses) would seem appropriate for Register purposes, such as receiving verification statements.

The Office submits that only personal information necessary to achieve the objectives of the Register should be collected.

Dates of birth

Under the regulations, dates of birth will be entered on to the Register and used to search the Register. The draft Bill provides that a person may search the Register by reference to a grantor or secured party’s details (s 228).

Date of birth information, when linked to other information, can lead to comprehensive stores of personal information related to individuals. As such, the regulations should prevent date of birth information being used in search results. This would lessen the possibility of that data being misused, leading to detailed profiles of individuals.

The Office reiterates its previous position that including date of birth data and searching by reference to dates of birth is not desirable. If date of birth information is deemed necessary to differentiate between individuals of the same name then such searches should be on a ‘challenge-response’ basis, rather than returning the actual dates of birth for the relevant individuals.

The Office notes that the regulations should include the option of recording the middle initials of grantors’ names and suggests that this may be more appropriate than using dates of birth.

Collateral/serial numbers

The Office welcomes the proposed regulation which would describe property on the Register by serial number where possible [such as vehicle identification numbers (VIN) for motor vehicles].

This measure could operate as a privacy safeguard, as the goods would be identifiable by serial number, rather than by the grantor’s name. However, the Office suggests that the regulation proposed under section 228 could state that in such instances searching should be restricted to use of the serial number only and not include the grantor’s name.

The ability to search the Register by the grantor’s name as well as the serial number would seem to undermine the potential privacy benefits of including the VIN in place of grantor’s name. This is consistent with accuracy principles contained in the Privacy Act.

Data sources, verifying identification and data-matching

The proposed regulation to be made under section 19 also prescribes the process for verifying identity and other information against data sources. Section 19 sets out the specific sources of data to be recorded on the Register. This includes data held by the secured party pursuant to the AML-CTF Act, drivers’ licences issued by the relevant state or territory licensing body and Australian passports. The Office welcomes this development as it provides clarity as to what types of information will be checked for validity and what data sources will be used during this process.

However, data-matching can be privacy intrusive as it brings together personal information that may not have been originally collected for that purpose. Given this, it should only take place when necessary and within well-defined parameters.

The Office has issued voluntary guidelines for data-matching by agencies, which could form the basis for any data-matching conducted between the Register and other databases[5] under the proposed regulations.

Scope of the Personal Property Securities Register

The Office is of the view that the broad definition of security interest under Section 21 of the draft Bill should be narrowed so that the Register will only capture personal information it needs to fulfil its purpose.

In terms of the regulations, the current definition would appear to have the effect of broadening the scope of the Register to bring a wide class of transactions within the operation of the Bill and regulations. The definition would have the effect (under sections 192-193) of prescribing certain personal property interests other than security interests that would be registrable.

Retaining this broad definition could mean that interests involving state and territory agencies that administer state and territory motor vehicle confiscation and impoundment legislation, confiscation of proceeds of crime legislation, as well as guardianship orders issued by state and territory Public Trustees over motor vehicles, would be included.

Increasing the scope and purpose of the Register could lead to it becoming the repository of vast amounts of personal information, to such an extent it could be possible to develop a financial profile of an individual. In addition, such a database could lead to ‘function creep’.

The term ‘function creep’ describes the incremental expansion in the purpose of a system, to a point where information is used for purposes not initially agreed to or envisaged and unrelated to its original intent. Such expansion is generally organic in nature and lacks overall direction, planning or oversight.

The Office believes the draft Bill should be amended to narrow the definition of security interest so that the information captured by the Register is limited to that which is necessary to fulfil its purpose.

However, if the Bill is not amended to provide a narrower definition of security interest, the Office suggests that the regulations prescribed under section 21 and sections 192-193 could be utilised to narrow the definition of security interest and limit the types of interests which can be registered in order to prevent privacy risks such as ‘function creep’ from crystallising.

Notice

Part 11 of the draft Bill is partially concerned with the giving of notices. As was noted in our previous submission, under the draft Bill, grantors would not necessarily be given notice that their personal information will be disclosed to the Register before registration. Nor will they receive notice directly from the Registrar.

Consistent with the draft Bill, the PPS Regulations propose that secured parties will receive ‘verification statements’ from the Registrar immediately after verifiable events.

Verifiable events include:

  • registrations
  • amendments to registrations (including corrections and the ending of an effective registration)
  • the removal and restoration of data in a registration
  • the inclusion of any data approved by the Registrar.[6]

As the Office understands it, it is the secured party’s responsibility to provide the grantor with a copy of the verification statement, as soon as reasonably practicable (immediately before and/or immediately after the verifiable event).

The Office reiterates the recommendation made in our submission to the draft Bill, that grantors should receive notice directly from the Registrar, at or as soon as is practicable after their information has been entered onto the Register.

However, should that recommendation not be accepted, the Office recommends that the notice provisions in the PPS Regulations should be strengthened consistent with the requirements under the Privacy Act.

Adequate notice would allow grantors to know their personal information will be accessible on a public register. The notice should state why the information is to be recorded on the Register, what laws give the authority to record it, and that the information will be publicly available.

On this basis, the Office submits that any proposed regulation made under Part 11 would also need to detail the form of the notice given. This should include the specific details of the information to be recorded on the Register, for example, according to the DP this would include name, date of birth and possibly address.

Accessing and amending the Register

Section 191 provides that the Registrar must ensure that the Register is operated at all times, except if the Registrar considers that it is not practical to provide access to the Register or in other circumstances prescribed by the regulations. Where the Registrar considers that it is not practical to provide access to the Register, the Registrar may refuse access or suspend the operation of the Register, in whole or in part.

The Office suggests that the regulation pursuant to section 191 prescribing any other circumstances in which the Registrar may need to refuse access or operation of the Register could include cases involving:

  • security of the information stored on the register being compromised e.g. data breach
  • discovery or suspicion of inappropriate access to the Register (as such an incident has the potential to result in a data breach occurring).

The regulations could also suggest that the Registrar adopt the Office’s voluntary “Guide to handling personal information security breaches” to assess and manage any such incidents[7].

Section 207 contains a table setting out the amendments to a registration that would be authorised under the Bill. According to the DP this should be read in conjunction with section 195 which sets out the contents required for a collateral registration. In our previous submission we noted that grantors can only request change to:

  • end the registration of collateral
  • omit the collateral (section 210).

However, the secured party is able to make amendments to a wider range of information on the Register including:

  • the grantor’s details
  • the collateral description
  • the end time of the registration
  • as authorised by the regulations.

As the Office has noted previously, this appears to create a discrepancy between the types of information which may be amended by the grantor and the secured party. Furthermore, the ability to access and, where necessary, correct personal information is an important privacy safeguard for individuals[8].

The Office submits that the regulations made pursuant to sections 195, 207 and 210 should prescribe additional amendments to a registration that can be made by a grantor. The Office acknowledges that the secured party has the responsibility for ensuring the accuracy of information on the Register. However, ensuring rights to access and, where necessary, to correct personal information is important to complying with the Privacy Act and ensuring good privacy practice. The Office suggests that the regulations should provide for a grantor to be given an appropriate amount of control over amending their personal information.

The following measures could also be stipulated in the regulations in order to help promote and protect privacy:

  • the grantor could request amendments to their personal information directly from the Registrar instead of asking the secured party to amend the details
  • the grantor could have power to amend a greater range of information such as their details and the collateral description
  • authorised government agencies and the purposes for which they may access personal information should be clearly specified.

Searching the Register

Search-general: Authorised purposes for searching the Register

The Office generally supports the approach on authorised purposes for searching the Register.

The Office also supports the regulation proposed at paragraph 182 of the DP and the statement that the ‘Register does not unduly impact on the privacy of individuals’ and the ‘clear imperative to withhold data about an individual from the search results of the Register’ so as to prevent unauthorised searches of the Register.

Search results

It is proposed that a regulation be made under section 231, relating to written search results, which prescribes the form in which the written search results will be issued by the Registrar.

The Office submits that greater clarity is required about what information will be displayed in the results of a search of the Register, both in electronic and written form. The regulation should stipulate that information displayed in the search results should be relevant to the search. For the Office’s view on search results relating to dates of birth, see the ‘Dates of birth’ section of this submission.

The regulations should also require that the Register display a warning regarding improper searching. Before a search can be conducted, a warning notice should explain that improper searching could constitute an interference with privacy under the Privacy Act. Such notice may deter improper use of the Register.

General privacy issues

The Office’s previous submissions raised a number of general privacy issues relevant to the PPS legislative framework. The Office believes that these are important issues for the implementation of the Register and therefore reiterates that consideration be given to:

  • the possible effect of section 18N of the Privacy Act, which places limits on disclosure by credit providers of personal information contained in reports relating to credit worthiness and does not include (under s 18N(9)) a credit report or any other record or information in which the only personal information relating to individuals is publicly available information
  • a PIA being conducted to help identify and address potential privacy issues.[9] The Office released its Privacy Impact Assessment Guide (‘the Guide’), which can be used by Australian Government and ACT Government agencies as an introduction to the PIA process[10]
  • the Register meeting the Privacy Act definition of a ‘generally available publication’[11], as the Register itself may not be covered by the Privacy Act. As Part 10 of the Bill contains the legislative framework to establish the single national PPS Register, a regulation pursuant to it could be made to determine which personal information is made publicly available and what should be collected but not publicly available.

Questions asked by the Discussion Paper

The Office’s comments about three specific questions raised in the DP follow.

Q: Comment is invited as to whether the above rules (section 19) cover all entities against which PPS registrations might be made, and whether the information required would be sufficiently particular to identify grantors and secured parties.

As noted above, the Office is of the view that the rules contained in the proposed regulation made under section 19 are sufficient in terms of covering all entities against which PPS registrations might be made and are sufficiently particular to identify grantors and secured parties. Furthermore, the Office submits that collateral/serial numbers could be used in place of the grantor’s name and that, to differentiate between individuals, the middle initials of the grantors’ names could be used rather than dates of birth. This would also have the effect of reducing the risk of the information being misused.

Q: Comment is invited generally on the contents of this proposed regulation (s 194(2)(d) – Prohibited registrations)

The Office submits that personal information not necessary for the purposes of the Register, information which is irrelevant, inaccurate, incomplete, collected unfairly or unlawfully or in an unreasonable or intrusive way, and any type of sensitive information (as defined in section 6 of the Privacy Act), would be inappropriate to register on the PPS Register. This approach is consistent with the Privacy Act.

Q: Comment is invited generally on the contents of this proposed regulation (s 195 – collateral must be described by serial number)

The Office welcomes the use of serial numbers to describe collateral. However, as noted above, searching should be restricted to use of the serial number only and not include the grantor’s name. The ability to search the Register by the grantor’s name as well as the collateral/serial number would seem to undermine the potential privacy benefits of including serial numbers and, where possible, using them in place of the grantor’s name. This is consistent with accuracy principles contained in the Privacy Act.


[1]Information relating to the operation of the Privacy Act can be found on the Office’s website at www.privacy.gov.au. Specific information outlining the privacy provisions covering private sector organisations and Australian government agencies can be found at:

www.privacy.gov.au/business/index.html for businesses

www.privacy.gov.au/government/index.html for government

[5] More information on the voluntary data-matching Guidelines can be found at: http://www.privacy.gov.au/act/datamatching/index.html.

[6] Sections 223 and 224 Personal Property Securities Bill 2008.

[8] IPPs 3-7 govern accuracy of and storage, access and amendment to personal information held by Australian and ACT agencies. NPPs 3 & 4 relate to information quality and security and NPP 6 relates to access and correction of information. Furthermore, sections 18G, 18H, and 18J of the Privacy Act relate to the accuracy of credit information files and credit reports, and access and amendment to credit information files and credit reports.

[9] Review of the law on Personal Property Securities, Discussion Paper 1, Registration and Search Issues; Submission to the Attorney-General’s Department (February 2007) available at http://www.privacy.gov.au/publications/subpps220207.html; Submission to the Attorney-General’s Department - Consultation Draft of the Personal Property Securities Bill 2008 (‘the draft Bill’) and the corresponding commentary in August 2008 available at http://www.privacy.gov.au/publications/sub_ppsb_0808.html

[11] Section 6(1) of the Privacy Act 1988 (Cth): ‘A generally available publication means a magazine, book, newspaper or other publication (however published) that is or will be generally available to members of the public’.