Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Review of the law on Personal Property Securities, Discussion Paper 1, Registration and Search Issues; Submission to the Attorney-General''s Department (February 2007)

Discussion Paper 1 Registration and Search Issues Comments to the Attorney-Generals Department February 2007 Office of the Privacy Commissioner The Office of the Privacy Commissioner (the Office) is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, establish...

pdfReview of the law on Personal Property Securities, Discussion Paper 1, Registration and Search Issues; Submission to the Attorney-General’s Department (February 2007)

Discussion Paper 1 Registration and Search Issues Comments to the Attorney-General's Department

February 2007

Office of the Privacy Commissioner

The Office of the Privacy Commissioner (the Office) is an independent statutory body whose purpose is to promote and protect privacy in Australia.

The Office, established under the Privacy Act 1988 (Cth) (the Privacy Act) has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses.

The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

Background

In November 2006 the Australian Attorney-General released the first in a series of three Discussion Papers on key policy issues arising as part of a Standing Committee of Attorneys-General (SCAG) review of Australian personal property securities law. 1

This review is about the creation of a national register that will consolidate all security interests2 that are created by a contractual agreement and which are held over personal property. Personal property is generally any form of property other than land or buildings. Personal property can include both tangibles (for example; vehicles or crops) and intangibles (for example; shares or intellectual property).

The Office welcomes the opportunity to provide these comments on the first Discussion Paper3 to assist in ensuring that privacy issues are carefully considered during the review and particularly in relation to any development of a national register of security interests. It is much easier to design a system that builds privacy protections in at the beginning, rather than to try and bolt privacy considerations on at the end.

The Discussion Paper focuses on security interest registration and register search issues and primarily addresses the content, design and administration of a national register.

Detailed issues considered by the Discussion Paper include the following:

  • the policy and legislative framework for the registration of security interests
  • the security interests to be registered, how they would be registered and how a registration could be amended;
  • the privacy issues that need to be considered and procedures for ensuring information on the register is kept up to date;
  • compensation schemes for registry error;
  • the design and support structures of the register; and
  • transitional arrangements from existing securities registration regimes to the register.

Developing a National Personal Property Securities Register

A single national Personal Properties Securities Register has the potential to produce a range of positive public policy outcomes, including:

  • harmonisation of laws (national consistency was a key theme in the Office's Review of private sector privacy provisions in 2005);
  • legal certainty for consumers, sole proprietors and businesses;
  • reduction in legal disputes; and
  • reduction in costs and red tape.

The Office notes that a national register that would include personal information relating to financial and credit affairs of a large number of individuals has the potential to raise a number of privacy related issues. It is important to ensure that privacy protections are built into the proposal from the early stages of development.

Privacy impact assessment (PIA)

The Office recommends that privacy impact assessments (PIAs) be undertaken at appropriate stages during the development of the proposal. In August 2006, the Office released a Privacy Impact Assessment Guide.4

The guide provides Australian Government and ACT Government agencies with an introduction to the PIA process. It describes the purpose and general features of a PIA.

The Office recommends that an initial PIA be undertaken early in the development phase to help inform the policy makers of potential privacy issues and then, as the proposal develops, a further PIA be conducted.

Privacy law

The Privacy Act contains eleven Information Privacy Principles (IPPs) which apply to Commonwealth and ACT government agencies. It also has ten National Privacy Principles (NPPs) which apply to all businesses with an annual turnover of more than $3 million and some small businesses. Part IIIA of the Privacy Act regulates credit providers and credit reporting agencies.

In addition, some States and Territories have privacy legislation that covers their respective public sectors.

The Office notes that, if the register meets the Privacy Act definition of a generally available publication, then the register itself may not be covered by the Privacy Act. However, the collection and storage of personal information would be covered by the Privacy Act.5 It will be important to establish whether existing privacy regulation, including the Privacy Act, will apply to the register and to the personal information flows relating to the register. This could be done as part of an initial PIA.

Information relating to the operation of the Privacy Act can be found on the Office's website at www.privacy.gov.au. Specific information outlining the privacy provisions covering private sector organisations and Australian government agencies can be found at:

In addition to having to comply with the National Privacy Principles, private sector organisations may have other privacy obligations including:

This information will assist in determining whether privacy provisions apply to the proposed register, and if so which ones, as well as the personal information flows relating to the register.

Review of the law on Personal Property Securities Discussion Paper I

The Office welcomes the recognition in the Discussion Paper that it will be necessary to consider issues related to personal privacy (part 8). The Office notes that it will be important to ensure where possible, that any adverse privacy impacts regarding the register are minimised.

The Office acknowledges that the proposal is in its early stages. From the information available, the Office has identified a number of issues relating to the protection of personal information that might arise during the development of the project. The issues are discussed below in general terms.

The Office notes that many securities to be registered may not necessarily include any personal information as they will be securities held by a financial institution over personal property owned by, for example, a public company. However, in some instances personal information will be involved even though the debtor or creditor is a 'corporate' entity for example, sole traders or partnerships. Our comments are directed to the protection of personal information of individuals in relation to the register, however, that information comes to be involved in the registration process.

General comments about the proposed register

The Office notes that this project will endeavour to consolidate disparate information about all of security interests into a common access point. Information on security interests can reveal a lot about an individual's financial status. Under the current system, the information about security interests is spread across various different sources in different jurisdictions.

Currently, it would be difficult for a casual browser to obtain all the pieces of information required to build a comprehensive profile of any one person with regard to security interests held over their personal property. The proposed register would consolidate this information into one centralised database which may allow a casual browser to more easily know all or most of the security interests held over the personal property of an individual.

The Office has some reservations about the privacy implications that may arise from the ability to develop a financial profile of any one individual, either in relation to the personal property they hold or in relation to the extent of their indebtedness or, in some cases, the extent of the security interests a particular individual holds.

In the interests of privacy, it would be prudent to ensure that only those individuals or entities that have a demonstrated need to access information on the database are able to do so. If the purpose of the register is in part to help creditors ascertain information on the borrowers' risk profile,6 it might be worthwhile considering the inclusion of access controls similar to the ones placed on credit reporting, which is currently regulated under the Privacy Act. In particular, these credit provisions strictly control who has access to this information and limits accessibility to entities that most require the information.

The Office recognises the need for register functionality and efficacy but seeks to ensure that this should not impact on the privacy of individuals unnecessarily.

Notification

In the Office's view, notification of a listing should be provided to the concerned debtor and should take place before registration. This would allow debtors to be made fully aware that their personal information will be uploaded on a public register, as well as the specific details of their personal information that would be included.

Further, furnishing comprehensive notification to the individual about registration before entering into a contractual arrangement provides an opportunity for the individual to not proceed with a security arrangement or contract before it takes effect.

Personal information on the Register

The Office understands that as part of the proposed registration process, personal information may be placed on financing statements which will then be uploaded onto the register. Some comments are provided below with respect to some of the personal information that is proposed to be included on the financing statements.

Dates of birth

The Discussion Paper suggests that the information to be included on the financing statement may include the debtor's date of birth and that this information will be available when a user conducts a search for a debtor on the register. The Discussion Paper indicates that, not only might there be some privacy concerns as a result of date of birth entries, but some identity theft concerns as well.7 The Office would agree that the inclusion of date of birth information raises these privacy risks. The Discussion Paper notes that there are examples of existing registers of this type where dates of birth are not required, for example in Canadian provinces other than Ontario. It would be preferable if the personal property security register is able to function effectively without a person's date of birth being included on the financing statement.

Address requirements

The Discussion Paper also canvasses the option of an individual being able to use a postal address, rather than a residential address, as the address to be included on the financing statement.8 Amongst other things, this would prevent an improper search of the register by an individual seeking to obtain the residential address of another individual. The Office strongly supports that the scheme permit debtors the option to provide postal addresses, in lieu of residential addresses, given that the disclosure of residential addresses may have more significant consequences for some people. In any case, people who do not wish their residential address to be uploaded on the register, for personal security or other reasons, should have access to a mechanism that will achieve this.

Unique identifiers

The Discussion Paper also canvasses the option of combining addresses with a unique identifier, such as a drivers' licence, to ensure that a search on the register yields a return that accurately identifies an individual.9 The Office understands that a unique identifier, such as a driver's licence, would be used as another method of identifying the correct individual by providing an additional tool to distinguish between individuals with similar basic personal details.

The Office has concerns with the collection, retention, use and open accessibility of any Government issued identifier, as this may pose a considerable risk of fraud and identity theft. This is especially the case if the information is accessible for a generally available publication. In this context it is useful to note that NPP 7 restricts private sector organisations from using Commonwealth Government issued identifiers as a method of recording or identifying people.10

Collateral numbers

The Discussion Paper also raises the possibility of registering property by its collateral number, where it exists, in lieu of personal information. This option, out of these put forward, appears the most privacy friendly as it would limit the amount of personal information that would need to be included on financing statements. As such, the Office supports that where collateral numbers exist on personal property, the related financing statement is registered by collateral numbers only and not against the debtor's personal information.

System features

The Discussion Paper refers extensively to the model adopted in New Zealand as established under the Personal Property Securities Act 1999 (NZ).11 The Office understands that, under this model, before a searcher can use the register, a fee has to be paid. The payment of fees acts as a partial deterrent to searchers who would wish to browse through the register for improper purposes. The Office is supportive of similar mechanisms being built into the proposed register. However, the Office also notes that such a feature should not be the sole mechanism used to deter improper searches and there would need to be additional means of enhancing the privacy protections for individuals.

Search functions on the Register

The Discussion Paper canvases various possible functions for searching the register, the criteria to be used in a search and the possible results that could be returned. 12

The Office understands that there are presently two options under consideration. One is a search system that would allow for a wide return of results whereby the search results yield the names and details of a wide range of debtors that may fit the description provided by the searcher. The searcher would then be able to identity and select the correct debtor from the list that is generated (the 'close match' search). The alternative option is that the search is more limited, and the return that is generated only includes the details of individuals that precisely fit the description provided by the searcher (the 'exact match' search).

The suggested 'exact match' search, with its narrow tolerance for error, would lessen the risks that irrelevant personal information is retrieved during the search and thus reduce the risk that the privacy of others is compromised. The Office generally favours an approach that has the least privacy risks. The exact match option would appear to have the least privacy risk of these options.

The Discussion Paper also refers to the possibility of having an 'exact match' searching with a wild card option.13 This also runs the risk that a searcher could inappropriately browse for personal information. As noted in the Discussion Paper,14 this could run the risk of a searcher seeking one individual but deliberately use the wildcard operator to allow for multiple responses. The Office is concerned about the potential risks of increased privacy interferences and the potential for identity theft this could pose.

Complaints processes

The Discussion Paper notes that in New Zealand, the Personal Property Securities Act 1999 (NZ) addresses privacy concerns by establishing rules that detail what is a prescribed legitimate purpose of searching the register and deeming that any search not carried out in accordance with a prescribed legitimate purpose is to be considered a breach of the Privacy Act 1993 (NZ).15 The effect of this is that the aggrieved individual is then able to lodge a complaint with the New Zealand Privacy Commissioner.

Similarly, under the Privacy Act, the Australian Privacy Commissioner has powers to investigate complaints and make determinations of compensation where there has been an interference of privacy. However, under section 6(1) of the Privacy Act, generally available publications are specifically excluded from the application of the Privacy Act. From the information provided in the Discussion Paper, it appears that the intended register will be made publicly available, similar to a land titles registry or the electoral roll, and therefore handling complaints relating to the register may fall outside of the Privacy Commissioner's jurisdiction.

However, depending on the agency or organisation involved, the handling of the personal information, including its collection, storage, use and disclosure outside of the register, might be covered by the Privacy Act. Complaints regarding the handling of personal information might therefore be able to be addressed by the Privacy Commissioner under certain circumstances. These circumstances can only be established once further details about the register's operation are released.

In any case, the Office strongly supports the development of a privacy standard that would be used to regulate the handling of all personal information that is held on the register. The Office also strongly supports the creation of a suitable complaints mechanism to ensure proper compliance with the privacy standard.

Additional privacy considerations

Data quality

Information on the register should be accurate, complete and up to date.

The Discussion Paper outlines the method in which the New Zealand legislation obliges secured creditors to update the register if they have knowledge that the financing statement is not up to date, for example, if the debtor's address changes or they become aware that the entry relating to the debtor's date of birth is inaccurate.16 The Office supports the development of a similar provision being included in the Australian scheme so that an obligation is imposed on creditor to ensure the information about the relevant individual on the register is accurate.

Data retention

The Discussion Paper addresses the issue of what to do with financing statements when the security interest has been discharged. Some of the options that are canvassed include whether the creditor should be obliged to remove the financing statement from the register, whether the financing statements should remain registered indefinitely unless actually deregistered, or whether the registration should lapse automatically after a specified period.17

The Office shares the concerns that have been raised in the Discussion Paper that a searcher may mistakenly be led to believe that an item of personal property is subject to a security agreement if the information on the register is not updated frequently.18 As a result, these errors could have financial consequences for the debtor.

As a general rule, unless it is required to be retained by law, personal information should be destroyed when it is no longer necessary for any use or purpose for which it was collected. Once the debts which gave rise to security being registered have been discharged, the financing statement should be deleted from the register.19

The Discussion Paper notes that in New Zealand, a requisite time period of 15 days is provided in which time creditors are obliged to deregister financing statements. In Canada, the requisite period is at 30 days.20 If a similar scheme is adopted, the Office would suggest that information be updated or removed as soon as possible after the security interest has been discharged.

To supplement mandatory deregistration obligated upon the creditor, the Office also supports a default provision so that in the event that the creditor neglects to remove the listing when required, the listing would be automatically flagged for review after a specified time. This would go some way to ensuring that a faulty listing does not remain on the register indefinitely.

Data security

The register should have appropriate protections built in to ensure that there is no unauthorised access of the system.

Access

As the administrators of the register hold personal information about an individual, they should be obliged to provide the individual with access to that information upon request. The Office recommends that this access should not carry a cost to the individual.