Australian Government - Office of the Australian Information Commissioner - Home

Submission to the Australian Law Reform Commission's Review of Privacy - Issues Paper 32 Credit Reporting Provisions (April 2007)


April 2007

Mr Alan Kirkland
Executive Director
Australian Law Reform Commission
GPO BOX 3708
SYDNEY NSW 2001

Dear Mr Kirkland,

I refer to your request of 12 December 2006 for submissions to the Australian Law Reform Commission's Review of Privacy - Credit Reporting Provisions Issue Paper 32.

I am pleased to provide you with a submission to the Issues Paper.

I look forward to discussing our submission with the Commission.

Yours sincerely

Karen Curtis

Privacy Commissioner

13 April 2007

EXECUTIVE SUMMARY

Office of the Privacy Commissioner

1. The Office of the Privacy Commissioner (the Office) is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) (the Privacy Act) has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

Background

2. The Office welcomes the review of the credit reporting provisions of the Privacy Act as part of the wider review being undertaken by the Australian Law Reform Commission (ALRC) of privacy regulation in Australia.

3. With the advent of the digital age individuals can now access credit in ways and for purposes that had not been contemplated in 1990 when Part IIIA was enacted. For example, individuals can now open a bank account, complete financial transactions, and even apply for credit online. For many young people their first credit transaction may be when they obtain a mobile phone, often while still at school.

4. With what seems to be an increasing ease of access to credit, it could be thought that individuals may have become less concerned about the privacy of their personal credit information than they have been in the past. However, research undertaken by this Office suggests that individuals' concern about protecting their financial information has increased, rather than abated, in recent years.[1]

5. The Office believes that privacy in this electronic age is about making sure that individuals can take up the advantages available to them through online environments and other technological advances, without unnecessarily sacrificing their ability to choose to whom their information is disclosed and how it is used and protected.

6. The protection of personal credit information remains an important privacy concern for individuals because of the serious consequences that may arise through the mishandling of their credit information. It is therefore crucial that the obligations on industry participants are clearly enunciated; that sufficient information is available to individuals to enable them to understand their rights; and that there is an appropriate framework in place to support these objectives.

7. With these aims in mind, the Office considers that it is timely that the ALRC's review focuses on the important issues of overall reform of the credit reporting system and whether the system should be expanded to allow more comprehensive credit reporting.

Key Messages

8. In general, the Office considers that the credit reporting provisions have worked well to provide privacy protection for individuals in relation to their credit information files. However, the Office suggests that reforming the framework of the credit reporting provisions would improve consistency and reduce complexity, thereby assisting credit providers and credit reporting agencies to understand their obligations and making sure individuals are aware of their rights.

9. In terms of the approaches to reform discussed by the ALRC in Chapter 7 of Issues Paper 32, Review of Privacy - Credit Reporting Conditions (IP 32), the Office considers that Part IIIA of the Privacy Act and associated provisions should be repealed in favour of regulating credit reporting under the National Privacy Principles (NPPs) and a binding code.

10. The Office believes that this approach will provide a regulatory regime that is consistent with the principle based approach of the Privacy Act while at the same time imposing specific and enforceable obligations on credit providers and credit reporting agencies, in relation to their credit reporting activities.

11. In our responses to chapters 4 and 5, the Office has drawn on its experience in applying the provisions of Part IIIA and the Privacy Act. The Office believes that the current provisions could be improved by removing some of the gaps and overlaps that exist and resolving inconsistencies between Part IIIA and other provisions of the Privacy Act, for example, the NPPs and the Credit Reporting Code of Conduct (the Code). The Office has also suggested that the current offence provisions should be reviewed with a view to assessing their effectiveness and analysing whether the Privacy Commissioner should be provided with additional mechanisms for dealing with breaches.

12. The Office intends that the recommendations made in response to chapters 4 and 5 be read in terms of reforming the current provisions and achieving the intended outcomes, regardless of whether Part IIIA is retained in its current format or whether the prescriptive detail ends up in a binding code.

13. In relation to comprehensive credit reporting, the Office believes that to date the available research does not provide consistent evidence to support such a change and that the research has not been validated against the legal, regulatory and industry factors that exist in Australia's credit reporting system.

14. The Office believes that the way to progress the discussion on comprehensive credit reporting is for an independent research study to be conducted to determine how such a scheme would impact on the Australian financial system and Australian consumers.

Structure of this submission

15. In general this submission follows the structure of IP32. While seven chapters appear in IP32, the Office has no comment to make in relation to the terms of reference for the review as set out in chapter 1. Further, the Office has not commented on the matters discussed by the ALRC in chapters 2 and 3 of IP32. These chapters deal with the development of the credit reporting provisions and the credit reporting framework and do not contain any specific questions.

16. To follow the structure set by IP32, the Office has titled the sections of its submission consistent with chapters 4 to 7 of the Issues Paper.

SUMMARY OF OFFICE POSITIONS

CHAPTER 4

Question 4-1

Office position:

  1. The Office supports the continuation of the Privacy Commissioner's power to conduct audits of credit reporting activities.
  2. The Office recommends the promotion of self-auditing for credit reporting compliance within the credit reporting industry.

Question 4-2

Office position:

  1. The Office believes that as the credit reporting provisions of the Privacy Act protect the personal credit information of individuals, credit reporting complaints should be handled as privacy complaints under the Privacy Act.
  2. The Office recommends the adoption of a compliance model that retains the Privacy Commissioner's existing complaint handling functions and conciliation focus but complements this with stronger powers to handle systemic issues and issues arising from industry practice.

Question 4-3

Office position:

  1. The Office supports the retention of a general requirement that individuals complain to the body with whom they have the grievance in the first instance, before making a complaint to the Privacy Commissioner.
  2. The Office submits that the complaint handling process could be improved by amending the credit provisions to include:
    • a requirement that complaint handling information must be included with the currently required s18E(8)(c) notice provided to individuals before their information is passed to a credit reporting agency; and
    • a requirement that individuals must be advised when a CRA takes an action that results in a listing appearing on an individual's credit information file, such as file linking, which may have an adverse impact. This advice must also include details of how an individual may complain if they wish to dispute the listing.
  3. The Office recognises that the Code of Conduct should be reviewed, depending on the reform approach taken in relation to the credit reporting provisions in general.

Question 4-4

Office position:

  1. The Office recommends amending the relevant legislation as required to reflect that proceedings for an offence under Part IIIA may be brought up to 3 years from the date that the offence is discovered, rather than 12 months from the date when the alleged offence occurred.
  2. The Office submits that offence provisions in the Privacy Act should relate to sufficiently serious misconduct and that the test for such offences should be substantially higher than the test for a breach of the Privacy Act.
  3. The Office suggests that the ALRC review the effectiveness of the current offence provisions with a view to providing additional powers to the Privacy Commissioner such as the introduction of enforceable remedies for own motion investigations.

CHAPTER 5

Question 5-1

Office position:

  • The Office submits that the ALRC consider whether the following changes should be made to s18E(1) which sets out the permitted contents of credit information files:
    • Prohibit listings under $500 by introducing a statutory minimum listing amount;
    • Remove dishonoured cheques as a permitted listing;
    • Introduce a graduated time scale, linked to set monetary amounts, for adverse listings;
    • Reduce the listing period from 5 and 7 years to periods of 2 to 4 years, respectively, for minor monetary amounts;
    • Remove the term 'bankruptcy orders' and replace it with the term 'act of bankruptcy';
    • Consider including Part IX and Part X debt agreements as permitted contents and make them subject to a listing time scale of 5 years rather than 7 years;
    • Simplify the definition of serious credit infringement and provide specific guidance about when such a listing can be made;
    • Include personal information relating to commercial credit transactions granted to individuals as permitted content;
    • Include publicly available information as permitted content (see recommendation 5-1 iii below);
    • Allow notification that a credit offer has been made and accepted, in relation to a specific inquiry, without the amount being specified.
  • The Office suggests that the ALRC consider whether the definition of prohibited content of credit information files set out in s.18E(2) should be aligned with the definition of sensitive information in s.6(1) of the Privacy Act.
  • The Office recommends that the definition of a 'credit reporting business' in s.6(1) be amended to remove the exception relating to publicly available information (see recommendation 5-1 i above).

Question 5-2

Office position:

  1. The Office does not support compulsory reporting by credit providers to credit reporting agencies.
  2. If compulsory reporting is introduced, the Office suggests that the provisions regulating the use and disclosure of credit information for non-credit related purposes should be strengthened.

Question 5-3

Office position:

  1. The Office recommends the re-drafting of the notice provision at s.18E(8)(c) to align it more closely with the requirements under NPP 1.3, and to require that notice is given prior to any listing being made or a debt being assigned.
  2. The Office considers that the notice provided to individuals should include contact information for the credit reporting agency.

Question 5-4

Office position:

  1. The Office suggests that the ALRC consider consolidating provisions that relate to the listing of statute barred loans, so that consistent treatment is applied to debtors and guarantors.
  2. The Office suggests that the ALRC consider specifying a maximum period of time by which listing must occur.
  3. The Office submits that multiple listings in relation to the same debt should be prohibited but that credit providers should be allowed to update default listings.
  4. The Office agrees that it should consider reviewing Credit Advice Summaries regarding the multiple listing of schemes of arrangement.

Question 5-5

Office position:

  1. The Office recommends the inclusion of obligations on credit reporting agencies to take reasonable and proactive steps to maintain the accuracy of credit reporting information. The Office suggests that these provisions could be modelled on those that currently exist in the New Zealand Credit Reporting Privacy Code 2004.
  2. The Office suggests that it produce guidance for credit providers and credit reporting agencies about what measures are considered to be 'reasonable steps' to promote and maintain the accuracy of credit reporting information.
  3. The Office suggests that the ALRC should consider whether there should be provisions to regulate the linking of credit files.
  4. It is the view of the Office that the aggregate components of the listed amount must all be 60 days overdue. The Office suggests that s18E(1)(vi) may need to be re-drafted to make this position clearer.

Question 5-6

Office position:

  1. The Office suggests that the Privacy Act be amended to add provisions requiring credit providers and credit reporting agencies to advise affected individuals of a breach of their personal credit information in certain circumstances.
  2. The ALRC may wish to consider whether there should be an express obligation on credit providers to keep credit worthiness information secure.

Question 5-7

Office position:

  1. The Office suggests that consideration be given to the inclusion of an express provision in Part IIIA prohibiting the collection of an individual's credit information file by employers, insurers and government agencies.

Question 5-8

Office position:

  1. The Office submits that the primary legislation should contain provisions regarding when individuals should be granted access to their credit information file without charge.

Question 5-9

Office position:

  1. The Office suggests that the ALRC consider reviewing s.18K with a view to ensuring an appropriate balance between the needs of law enforcement agencies and some form of transparency in respect of access by such agencies to the credit information of individuals.
  2. The Office submits that the ALRC should consider whether mortgage and trade insurers should have limited access to and use of individuals' credit information files via credit providers.

Question 5-10

Office position:

  1. The Office suggests that all credit providers should be subject to consistent regulation regarding use and disclosure of credit information.

Question 5-12

Office position:

  1. The Office submits that the definition of credit provider could be improved by defining the meaning and / or breadth of 'substantial'.
  2. The Office believes that state and territory government agencies should have the same rights as Australian government agencies to apply for a credit provider determination, if they provide credit to individuals.

Question 5-13

Office position:

  1. The Office submits that, as a general principle, only credit providers should be able to access information from credit information files unless there are cogent public interest reasons why other persons should.
  2. The Office submits that mercantile agents that receive personal information from credit providers under the provisions of s.18N(1)(c) of the Privacy Act should be subject to a prohibition on the use and disclosure of that information for secondary purposes.

Question 5-14 and 5-15

Office position:

  1. The Office will develop guidance material on bundled consent and short form privacy notices.

Question 5-16

Office position:

  1. The Office submits that the credit reporting provisions should also regulate the uses of credit worthiness information.

Question 5-17

Office position:

  1. The Office submits that the ALRC consider whether credit reporting agencies should be required to inform an individual within 14 days when an adverse listing has been made.

Question 5-18 and 5-19

Office position:

  1. The Office suggests consideration be given to whether an individual's personal information used to determine credit worthiness should be subject to s.18G of the Privacy Act.
  2. The Office suggests that consideration be given to making a specific exception for speech to speech relay services in relation to the use and disclosure of credit reporting information.

Question 5-20

Office position:

  1. The Office supports the intent of the provisions in ss.18P and 18Q and recommends that they remain to regulate the secondary use and disclosure of credit information.
  2. The Office suggests that the ALRC consider whether these provisions should be extended to cover all credit providers.

Question 5-21

Office position:

  1. The Office believes that the current provisions are adequate to enable mercantile agents to have access to sufficient personal information of a debtor to collect a specific debt.

Question 5-22

Office position:

  1. The Office suggests that the ALRC should examine whether or how credit reporting information files are being used internally by credit reporting agencies for other purposes and, if this is the case, whether or how these practices could be regulated.

Question 5-23

Office position:

  1. The Office considers that there is merit in the credit reporting provisions being amended to enable notations to be placed on an individual's file in relation to identity theft.

Question 5-24

Office position:

  1. The Office submits that the ALRC consider shorter adverse credit listing timeframes for minors, for example, 2 years for payment defaults and 4 years for serious credit infringements.

Question 5-25

Office position:

  1. The Office supports the alignment of the definition of credit in the Privacy Act with the definition in the UCCC.
  2. The Office recommends that personal information relating to credit advanced to an individual for commercial purposes should also be covered by Part IIIA of the Privacy Act.

Question 5-26

Office position:

  1. The Office recommends that the definition of a credit reporting business should be amended to remove the exclusion in the phrase 'other records in which the only personal information relating to individuals is publicly available information'.

Question 5-27

Office position:

  1. The Office believes that there are practical and jurisdictional difficulties that exist which indicate that foreign credit providers and foreign loans should continue to be excluded from regulation under the Privacy Act.
  2. The Office suggests that it could assist businesses to better understand their obligations, if the credit reporting provisions explicitly excluded these acts and practices.

Question 5-28

Office position:

  1. In general, the drafting and layout of Part IIIA of the Privacy Act could be improved to assist credit providers, credit reporting agencies and consumers to understand their obligations and rights.
  2. The usefulness of retaining the separate terms (especially the definition of a credit report) needs to be considered. Alternatively, the relationship between the terms needs to be defined with greater precision.
  3. There is also some uncertainty whether deposit bonds used by individuals in lieu of a cash deposit on a house purchase subject to finance fall within the definition of credit in the Privacy Act. The Office suggests that the status of deposit bonds should be examined.

CHAPTER 6

Question 6-1

Office Position:

  1. The Office recommends that independent research be conducted on the impact that comprehensive credit reporting would have on the Australian financial system and Australian consumers.
  2. The Office suggests that independent research should provide recommendations about:
    1. Whether comprehensive credit reporting should be introduced in Australia; and
    2. If comprehensive credit reporting were to be introduced:
      • what model should be adopted;
      • which industry participants should be included in the expanded system; and
      • what compliance framework should be imposed.

Question 6-2

Office Position:

  1. The Office is not in a position to provide expert opinion on the broader economic and social impact that comprehensive credit reporting may have in Australia but suggests that this is included in independent research suggested in recommendations to question 6-1.

Question 6-3

Office Position:

  1. See the office position stated at questions 5-1 and 5-26.

Question 6-4

Office Position:

  1. The Office suggests that when collection occurs, separate notice is provided to the individual regarding the handling of their personal credit information.
  2. Consistent with recommendation 11.3 (xiii), at page 444 of IP31, the Office suggests that the Privacy Act be amended to add a provision requiring agencies and organisations to advise affected individuals of a breach to their personal credit information in certain circumstances.

CHAPTER 7

Question 7-1

Office position:

  1. The Office recommends that the Australian Government repeal Part IIIA of the Privacy Act and associated provisions and regulate credit reporting under the Privacy Act, National Privacy Principles and a binding credit code.
  2. The Office reiterates recommendation 7 from the Private Sector Review that the Australian Government should consider amending the Privacy Act to provide a power to make binding codes.

Question 7-2

Office position:

  1. The Office reiterates recommendation 70 from the Private Sector Review that the Australian Government should consider initiating discussions through appropriate international forums about how to deal with the major international jurisdictional issues arising from the global reach of technologies such as Voice over Internet Protocol (VoIP).
  2. The Office believes that the Privacy Act should provide for the Commissioner to make binding codes that go to certain acts or practices or certain technologies. (See response and recommendation iii to question 11-4 of IP31.)

CHAPTER 4

THE REGULATORY FRAMEWORK

Introduction

1. The Office considers that its role as a complaint handling body for credit reporting complaints is important given the serious consequences for individuals if adverse information is inappropriately recorded on their credit files. The Office believes that there are opportunities to improve the current complaint handling process and this chapter makes a number of suggestions which we believe will benefit credit providers, credit reporting agencies and individuals by making the process more transparent and effective.

2. The Office believes it is beneficial to all parties to maintain the existing process whereby individuals are able to negotiate a resolution of their complaint directly with the respondent while still retaining the ability to lodge a complaint with our Office if the matter is not resolved by the credit provider or credit reporting agency. The compliance experience our Office has in relation to investigating credit reporting complaints tells us that most complaints can be satisfactorily conciliated. However, the Office considers that the current penalty provisions could benefit from being reformed to make them a more effective mechanism to manage interferences with the privacy of credit information.

3. Consistent with our response to Chapter 6 of the ALRC's Issues Paper 31, Review of Privacy (IP31), the Office considers that there are grounds for introducing additional mechanisms into the Privacy Act for dealing with systemic issues, including those that relate to the handling of personal credit information. Our response and the suggestions made in this chapter reflect those made in IP31.

4. The Office intends that the recommendations in this chapter should be read in terms of the objective of reforming the credit reporting provisions regardless of whether Part IIIA is retained in its current format or whether the prescriptive detail ends up in a binding Code as outlined in our response to Chapter 7.

4-1 How do the Privacy Commissioner's powers to audit credit information files and credit reports operate in practice? Are the Privacy Commissioner's powers to audit credit information files and credit reports adequate? If not, what powers should the Privacy Commissioner have to audit credit information files and credit reports?

Audit functions

5. Section 28A(1)(g) of the Privacy Act provides that the Privacy Commissioner may audit credit providers and credit reporting agencies for compliance with the requirements of Part IIIA of the Privacy Act.

6. Since the credit reporting provisions were introduced in 1990, the Privacy Commissioner has conducted 144 credit related audits. However, since the 2002/03 financial year the Privacy Commissioner has concentrated the Office's compliance resources on its complaint handling area to deal with the increased number of complaints received by the Office following the introduction of the private sector provisions in the Privacy Act. The Privacy Commissioner has not undertaken any credit reporting audits since this time.

7. Given the serious consequences for individuals if adverse information is inappropriately recorded on their credit files, the Office considers that there remains a strong argument for the retention of the Office's credit reporting audit functions. In support of this, the Office notes that audits not only provide an opportunity to determine the extent of compliance with the Act and to address possible systemic issues but also serve an educative function and allow the Office to promote best privacy practice solutions for an organisation's specific business practices.

8. The Office anticipates that, due to additional budget funding announced in 2006/2007, it will be able to direct more resources to its audit functions in the future and recommence its program for auditing credit providers and credit reporting agencies.

Self Auditing

9. In response to IP31, the Office recommended that private sector organisations be encouraged to undertake self-auditing (Recommendation 6-9(i)). Similarly, Recommendation 39 of the Office's Private Sector Review states that:

The Office will consider promoting privacy audits by private sector organisations, including by providing information on the value of auditing as evidence of compliance in the event of complaints and by developing and providing privacy audit training for organisations.

10. The Office considers that this activity could be extended to include promotion of self-auditing in the credit reporting industry to complement the Office's audit activities.

Question 4-1

Office position:

  1. The Office supports the continuation of the Privacy Commissioner's power to conduct audits of credit reporting activities.
  2. The Office recommends the promotion of self-auditing for credit reporting compliance within the credit reporting industry.

4-2 How do the procedures under the Privacy Act and the Credit Reporting Code of Conduct for making and pursuing complaints about credit reporting operate in practice? What powers should the Privacy Commissioner have to make preliminary inquiries and investigate complaints about credit reporting?

11. Credit reporting essentially involves the handling of personal information in credit related transactions. The credit reporting provisions of the Privacy Act protect the personal credit information of individuals. For this reason the Office considers that credit reporting complaints should be handled as privacy complaints under the Privacy Act.

12. The Office considers that the complaint handling framework has been largely effective in handling individuals' privacy complaints about credit reporting agencies. In the five year period from 1 January 2002 - 31 December 2006, 17% of complaints received by the Office concerned credit reporting issues. Of the credit cases received in the period, 87% had been closed as at 7 February 2007.

13. Of those closed cases, approximately one third were closed following conciliation or where the credit provider had already taken steps to adequately deal with the matter. Resolutions in these cases commonly included the amending of records and, on occasion, also included the payment of compensation. Another third of the cases were closed on the basis that the respondent had not breached the Act.

14. The Office has also had some success with the handling of systemic privacy issues using its own motion investigation (OMI) powers under s 40(2) of the Privacy Act and/or by meeting with organisations or agencies to discuss issues of concern. For example, in August 2004, approximately 65,000 customer default listings relating to One.Tel (then in liquidation) were removed from credit records after the Office found that the failed telecommunications company did not have systems in place to update customer credit default listings once a debt had been paid.[2] In July 2003, following discussions with the Office, Alliance Factoring (a debt purchase organisation) agreed to change its debt collection practices to provide individuals with more time to resolve, query or dispute a debt before a default listing was made.[3][4]

15. However, the Office considers that there are grounds for introducing additional mechanisms into the Privacy Act for the handling of systemic issues. The Office's position on this issue is addressed in its response to Chapter 6 of IP31. The Office considers that this position is equally relevant to the handling of serious and systemic credit reporting issues.

Question 4-2

Office position:

  1. The Office believes that as the credit reporting provisions of the Privacy Act protect the personal credit information of individuals, credit reporting complaints should be handled as privacy complaints under the Privacy Act.
  2. The Office recommends the adoption of a compliance model that retains the Privacy Commissioner's existing complaint handling functions and conciliation focus but complements this with stronger powers to handle systemic issues and issues arising from industry practice.

4-3 What other complaint-handling mechanisms would enhance compliance with credit reporting regulation and the resolution of complaints? How might procedures for making and pursuing complaints about credit reporting be streamlined? Should an external dispute resolution scheme be established? If so, how should such a scheme be funded?

Streamlining complaint handling procedures

16. The Office acknowledges that the complaints process in relation to credit reporting complaints may sometimes be confusing for complainants. In particular, individuals will often complain to the credit reporting agency to dispute an adverse listing when the primary respondent, being the source of the listing information, is the credit provider. Further, if the matter is referred to the Office, in accordance with the Act the Office will require the complainant to first complain to the credit provider, before it will consider whether to conduct an investigation.

17. While this is sometimes frustrating for complainants, the Office supports the retention of a general requirement that individuals complain to the respondent in the first instance before making a complaint to the Privacy Commissioner as required under s40(1A). The Office considers that where a complaint can be resolved between the complainant and respondent without the involvement of the Privacy Commissioner, this is the preferred method of resolving the matter. Further, this process provides respondents with an opportunity to take greater control and ownership of their handling of complaints and provides an incentive for respondents to actively deal with matters before they are raised with the Privacy Commissioner.

18. The Office considers that individuals could be better informed about where to direct an initial complaint in relation to a disputed default listing or adverse notation by the CRA, such as details about a linked file. One way to achieve this could be to introduce an obligation on credit providers and CRAs to provide better notice to individuals regarding how and where to make complaints if they wish to dispute a default listing or information about linked files. This is consistent with our responses to Chapters 5 and 6 of IP32 where we suggest that consideration be given to amending the notice provision under s18E to provide additional information to individuals at the time their information is collected.

19. The Office submits that the complaint handling process could be improved by amending the credit reporting provisions to include:

  • a requirement that complaint handling information must be included with the currently required s18E(8)(c) notice provided to individuals before their information is passed to a credit reporting agency; and
  • a requirement that individuals must be advised when an adverse listing has been made on their file and that included in this advice must be details of how to complain if they wish to dispute the listing.

External dispute resolution scheme

20. The Office notes that there are currently a number of industry dispute resolution schemes that handle complaints related to credit reporting to some degree, specifically the Telecommunications Industry Ombudsman (TIO) and the Banking and Financial Services Industry Ombudsman (BFSO). The Office acknowledges that such schemes can serve an important role in assisting the resolution of complaints and promoting good practice within an industry.

21. The Office has recommended in its response to IP31 a number of strategies to formalise the relationship between the Office and industry dispute resolution schemes that deal with related complaints. These strategies include amendment of the Commissioner's decline powers to allow the Office to decline a complaint where the matter was being or had been adequately dealt with by a recognised industry dispute resolution scheme and to refer a matter where it would be more suitably handled by a recognised industry body.

22. Given the impact that adverse credit listings can have on an individual and the issues that arise in the credit reporting context from having three parties involved in most complaints (the credit provider, the credit reporting agency and the complainant), there may be benefits in the development of a credit reporting dispute resolution scheme. However, the Office would suggest that any such scheme should still provide that individuals have the option of escalating their complaint to the Privacy Commissioner if they considered that it had not been satisfactorily dealt with through such a scheme.

23. Importantly, however, there is a risk that the complaint handling mechanisms available to consumers could become confused or be further complicated by the introduction of a credit reporting complaint handling scheme if this is additional to the credit reporting complaint handling offered by the Office of the Privacy Commissioner and other existing industry dispute resolution schemes such as the TIO and BFSO.

Dispute resolution requirements under the Code of Conduct

24. The Privacy Commissioner's Credit Reporting Code of Conduct (Code of Conduct) currently imposes a range of complaint handling requirements on credit providers and credit reporting agencies (see Part 3 of the Code of Conduct). The Office recognises that ideally the adequacy of these requirements and the Code of Conduct in general should be reviewed.

25. However, the Office will determine the proper timing of this task once the ALRC has decided on its approach in relation to the credit reporting provisions in the Privacy Act, recognising that if significant amendments are proposed this may supersede any changes that might be made to the Code of Conduct in the interim.

Question 4-3

Office position:

  1. The Office supports the retention of a general requirement that individuals complain to the body with whom they have the grievance in the first instance, before making a complaint to the Privacy Commissioner.
  2. The Office submits that the complaint handling process could be improved by amending the credit provisions to include:
    • a requirement that complaint handling information must be included with the currently required s18E(8)(c) notice provided to individuals before their information is passed to a credit reporting agency; and
    • a requirement that individuals must be advised when a CRA takes an action that results in a listing appearing on an individual's credit information file, such as file linking, which may have an adverse impact. This advice must also include details of how an individual may complain if they wish to dispute the listing.
  3. The Office recognises that the Code of Conduct should be reviewed, depending on the reform approach taken in relation to the credit reporting provisions in general.

4-4 Should the range of penalties and remedies available to enforce rights and obligations under the credit reporting provisions of the Privacy Act be changed and, if so, how?

26. It appears from our experience that breaches of the credit reporting provisions can be placed into three categories: those that are inadvertent and unintentional breaches; those that are wilful or intended misuse of the credit reporting system; and inadvertent or unintentional breaches that are systematic in nature.

27. In general, the Office supports the retention of offence provisions for credit reporting offences. However, the Office believes the current offences could be reformed to reflect that, in our experience, the best outcome is achieved for individuals when inadvertent or unintentional breaches are conciliated either directly with the respondent, through an alternate dispute resolution scheme, or through the Office.

28. Where wilful or intentional misuse of the credit reporting system has occurred or the act is considered to be systemic in nature, the Office recommends that the penalties should be reflective of the serious nature of these offences and that the Privacy Commissioner should have additional powers to deal with such matters.

29. Further, the Office notes that the penalty provisions in Part IIIA need to be read in conjunction with Chapter 2, s3A of the Criminal Code. It is understood that these provisions provide that proceedings for an offence under Part IIIA must be made within 12 months of the offence occurring.

30. In many cases, Part IIIA offences may not be detected until an individual is refused credit or obtains access to their credit information file and discovers an unauthorised entry on that file. This may not occur until some time (possibly years) after the unauthorised entry was originally made. This situation may undermine the deterrence effect of the penalty provisions and could be remedied by amending the relevant legislation as required to reflect that proceedings for an offence under Part IIIA may be brought up to 3 years from the date that the offence is discovered, rather than 12 months from the date when the alleged offence occurred.

Inadvertent or unintentional breaches

31. The Office has some concerns with the proposal raised in IP32, that the offence provision at s 18R be amended to "impose strict liability civil penalties on a credit reporting agency or credit provider that give to any other person a credit report containing false or misleading information (whether intentionally or otherwise)".

32. The main concern for the Office is that the introduction of strict liability provisions may undermine its conciliation role in relation to cases where an organisation may have inadvertently recorded an erroneous listing on an individual's consumer credit information file.

33. The Office is not convinced that it would be beneficial to the affected individual in such cases for the Office to seek to impose a civil penalty against an organisation rather than attempt to conciliate an outcome (which could include compensation). The Office would, however, be interested in further exploring options that may provide for the application of civil penalties without preventing the Office from conciliating cases.

Wilful or intentional breaches / systemic breaches

34. There are a number of existing offence provisions in Part IIIA of the Privacy Act which reflect the seriousness of wilful or intended misuse of the credit reporting system. However, the Office notes that the current penalties have not been changed since 1990. The Office suggests that, where penalties are imposed for serious misuse of the credit reporting system, the penalty amount imposed should be sufficient to act as a deterrent.

35. As noted in response to Chapter 6 of IP 31, the Office considers that a cautious approach should be taken to the introduction of further offence provisions in the Privacy Act. The Office also considers that the test for an offence should be higher than the test for a breach of the Privacy Act in all cases, for example, by the inclusion of a concept of intent into the offence provision, and should address a sufficiently serious level of misconduct.

36. Notwithstanding this, the Office notes that there have been no convictions in relation to the existing credit reporting offences under the Privacy Act since the introduction of the credit reporting provisions. During this time, the Privacy Commissioner has referred a range of matters to the Australian Federal Police (AFP) under s.49 where the Commissioner has formed the opinion that an offence may have been committed. In the Office's experience, few matters referred to the AFP under s.49 as possible credit reporting offences are subsequently prioritised for investigation by the AFP.

37. Given this, the Office considers that it may be appropriate for the ALRC to review the effectiveness of the current offence provisions and if the intention of these provisions is not being met, to consider other options for dealing with serious misuse of the credit reporting system. Such options could include the introduction of a range of enforceable remedies for own motion investigations (such as enforceable compliance notices) providing the Commissioner with the capacity to better pursue serious and systemic credit reporting issues if they arise. The Office has made recommendations to this effect in response to Chapter 6 of IP31.

Question 4-4

Office position:

  1. The Office recommends amending the relevant legislation as required to reflect that proceedings for an offence under Part IIIA may be brought up to 3 years from the date that the offence is discovered, rather than 12 months from the date when the alleged offence occurred.
  2. The Office submits that offence provisions in the Privacy Act should relate to sufficiently serious misconduct and that the test for such offences should be substantially higher than the test for a breach of the Privacy Act.
  3. The Office suggests that the ALRC review the effectiveness of the current offence provisions with a view to providing additional powers to the Privacy Commissioner such as the introduction of enforceable remedies for own motion investigations.

CHAPTER 5

REFORM OF THE CREDIT REPORTING PROVISIONS

Introduction

1. The Office welcomes the opportunity to comment on and make suggestions regarding the operation of the current credit reporting provisions and how they could be improved.

2. The Office understands that as the ALRC is investigating approaches to reforming the credit reporting provisions, Part IIIA of the Privacy Act may not be retained in its current form. For this reason, the Office submits that the comments and suggestions in this chapter should be read in terms of the intended outcome of each suggestion, regardless of whether Part IIIA is retained in its current format. In responding to Chapter 7 of IP32 the Office has made recommendations about an approach to the reform of the credit reporting provisions.5

3. The Office intends that the recommendations in this chapter could be carried across as model provisions for a binding Code in terms of our response to Chapter 7.

General framework

4. The framework of Part IIIA of the Privacy Act was created before the National Privacy Principles (NPPs) were enacted. In comparison to the NPPs, and the Information Privacy Principles, Part IIIA tends to a prescriptive rather than a principles regulatory approach. The Office considers that credit reporting does require a certain level of prescription to ensure that credit providers, credit reporting agencies and individuals understand their obligations and rights. Adverse personal credit listings can have a significant impact on the life and opportunities of an individual.

5. While many of the provisions in Part IIIA are consistent with privacy principles that relate to the giving of notice (by the credit provider), the use and disclosure of personal information, data quality and data security obligations, and access and correction issues, the approach is fragmented and incomplete.

6. In general the Office considers that the current framework is complex and makes it difficult for credit providers, credit reporting agencies and individuals to understand what their obligations and rights are. For example, the obligations of credit providers and credit reporting agencies are spread throughout Part IIIA and require reference to the Credit Reporting Code of Conduct to ensure compliance with certain provisions. Further, the definitions of 'credit information file' and 'credit report' are complex because of the differing and sometimes overlapping obligations placed on a credit reporting agency or credit provider.

7. The Office believes that compliance with the credit reporting provisions would improve if the obligations of credit providers and credit reporting agencies were clearly set out in a structured way and any overlapping or inconsistent definitions of key terms were resolved.

Interaction with other privacy and credit legislation

8. There are a number of areas where there appear to be unintentional privacy gaps in the regulation of personal credit information by Part IIIA. To some extent these are resolved by invoking provisions under the NPPs (or the Credit Reporting Code of Conduct). For example, there is no specific obligation in relation to the collection of personal information in Part IIIA which means that the NPPs will apply by default but only if the credit provider is an organisation within the meaning of s.6C of the Privacy Act. Other examples are the lack of clear regulation relating to the use of personal information in credit information files by credit reporting agencies and the regulation of a number of aspects of publicly available information of individuals.

9. The Office believes that these gaps make compliance unnecessarily complex for credit providers and credit reporting agencies and may create confusion for individuals and hinder understanding of their rights. These issues are discussed in more detail in our response and recommendations to various questions in this chapter.

10. In addition, there are some fundamental definitional differences between credit reporting terms set out in the Privacy Act and Part IIIA and those set out in other related legislation. For example, the term 'credit' has a different meaning in s.6(1) of the Privacy Act to that stated in the Uniform Consumer Credit Code.6

11. In the answer to Question 5-11 below, the overlap between Part IIIA and Part 13 of the Telecommunications Act 1997 is discussed. A number of provisions in Part 13 allow telecommunications businesses which are also credit providers to use or disclose personal information of individuals not generally permitted by other credit providers under Part IIIA. The Office believes that this inconsistency may lessen privacy protection.

12. Inconsistent regulation of credit reporting has the potential to increase compliance costs for all industry participants and limit the rights of individuals to have complaints resolved. The responses and recommendations that follow have been framed with the objective of reducing the current complexity and fragmentation of the credit reporting provisions.

5-1 What issues are raised by the provisions of the Privacy Act dealing with the permitted content of credit information files? How do these provisions operate in practice, for example, in relation to information about overdue payments, bankruptcy and serious credit infringements? How should the permitted content of credit information files be regulated?

Time limits for permitted content

13. The provisions do not differentiate between adverse listings for minor sums and large sums. This means that in some cases, even if the monetary amount in question is quite small, the consequences for the individual in attracting an adverse credit listing could be serious, as such a listing will persist for 5 or 7 years. The Office considers that there is merit in the ALRC considering whether time limits for adverse listings should be set on the basis of monetary amounts on a graduated scale. For example, consistent with our response to Question 5-24 regarding children and young people, the Office suggests that the ALRC could consider whether periods of between 2 and 4 years would be appropriate for minor monetary amounts.

Inquiry Information

14. Credit reporting agencies generally provide access to credit information via subscriber arrangements with credit providers. The Office understands the services are usually provided online.

15. Section 18E(1)(b) of the Privacy Act states in part that a permitted content of a credit information file includes both a record of a credit provider having sought a credit report together with the amount of credit sought by an individual. If the credit provider lists the amount sought, the information then recorded will be an accurate snapshot at the time the application for credit is made.

16. In addition, s.18E(1)(b)(v) of the Privacy Act permits a lender to list itself as a current credit provider on the individual's credit information file. This procedure has the effect of alerting a potential lender that there is a current credit facility with another lender, thus assisting a potential lender to assess risk. However, it is understood that the provision is little used possibly because of the compliance obligation to inform the credit reporting agency when the credit provider ceases to be a current credit provider.7

17. The Office agrees with the view expressed in Paragraph 5.9 of IP32 that the statutory provision in s.18E(1)(b)(i) of the Privacy Act which requires the recording of inquiry information on a credit information file is a privacy safeguard. The provision helps to ensure transparency so that the individual is aware, from reading their credit file, of the name of the entity which accessed his or her credit information file on a particular date and the purpose of the access.

18. It may also act as a deterrent to inappropriate access. Although the individual may not be aware of who is accessing their information at the time the access occurs, the record assists the individual to see this information when they obtain their credit file at a later stage. It also facilitates the individual's ability to exercise their rights, including, by lodging a complaint if necessary.

19. However, IP32 notes that there may be some disadvantages to individuals as a result of the inquiries information on their credit files. Paragraph 5.6 of IP32 refers to the Consumer Credit Legal Centre (NSW) Inc's (CCLC) view that in its experience it is increasingly the case that an individual's application for credit is rejected solely on the basis of the number of inquiries on the person's credit report, despite the absence of default listings.

20. In the Office's experience, the number of inquiries recorded on an individual's credit information file may be a factor in lending decisions, particularly for smaller credit providers. Further, some lenders use internally or externally generated confidential risk scorecards for individuals. The Office understands that a number of variables and weightings are used in generating a scorecard including, but not limited to, the number of times an individual has applied for credit in a given period.

21. The Office is aware that where an individual approaches a finance broker in an effort to obtain the most competitive credit, an electronic footprint of accesses and the amount of the credit application is recorded on the individual's credit information file by a number of potential lenders and the broker itself even though only one loan is being sought.

22. The Office recognises the importance of consumers being able to 'shop around' for credit without the concern that the net effect of this may be a negative scorecard due to multiple inquiries listed on their credit file. The Office believes that there may be an issue for some consumers who have applied to a number of credit providers for the same credit amount. A provision for credit providers to note, on a voluntary basis, that they made an offer of credit, without specifying the amount, to an individual in relation to a specific inquiry could go some way to addressing the possible misleading nature of multiple inquiries from credit providers over a short time period. The Office believes that consideration should be given to introducing such a provision in the Privacy Act.

Small debts and dishonoured cheques

23. Although, currently, some credit reporting agencies specify a minimum listing amount of $100 on an individual's credit information file, Part IIIA does not specify any minimum listing amount.

24. The adverse impact on an individual's ability to secure credit by the practice of listing small debts may be disproportionate to the potential financial risks encountered by credit providers assessing a loan application.

25. The Office is of the opinion that there should be a statutory minimum amount below which listings should not be a permitted content of a credit file under s.18E of the Privacy Act.

26. CCLC has suggested that such an amount could be $500 and the Office believes there is merit in the ALRC exploring this proposal particularly if it receives broad support. Any changes to this provision will not affect the credit provider's existing rights under the general law to obtain judgment against the individual for an unpaid loan.

27. The Office is of the view that dishonoured cheques of not less than $100 should be removed as a permitted content of a credit information file. It is understood that few if any such listings are made and the Office agrees with the view expressed in Paragraph 5.14 of IP32 which casts doubt on whether a dishonoured cheque constitutes credit as defined in the Privacy Act.

Bankruptcy orders

28. The Insolvency and Trustee Service Australia (ITSA) maintains the National Personal Insolvency Index (NPII), which is a register of bankrupts. This register is publicly available; however, the Office understands that the NPII is not the primary source of information on bankrupts for most credit providers. Credit providers would generally rely on the information obtained from credit reporting agencies. The Office considers that an individual's status as a bankrupt is a significant factor in the credit provider assessing the individual's eligibility for credit.

29. At present, Part IIIA of the Privacy Act allows 'bankruptcy orders made against the individual' to be listed on a credit information file but does not allow an 'act of bankruptcy', whether this results from a sequestration order by the Federal Court or debtor's petition by the Official Receiver, as permitted content of a credit information file.8 The Office notes that the term 'bankruptcy order' is not used in the Bankruptcy Act 1966, while the term 'act of bankruptcy' is used.

30. The Office suggests that the term 'bankruptcy orders' should be removed and replaced with the term 'act of bankruptcy' as a permitted content of a credit information file in s.18E of the Privacy Act.

Debt agreements

31. Debt agreements under Part IX and personal insolvency agreements under Part X of the Bankruptcy Act do not constitute bankruptcy orders and, for this reason, are not permitted contents of a credit information file. Part IX and Part X agreements by individuals are publicly available information under the Bankruptcy Act. One credit reporting agency lists Part IX and Part X agreements in a separate record as publicly available information, which means they are not subject to the requirements of Part IIIA of the Privacy Act.

32. To promote consistency and reduce complexity the Office suggests that consideration be given to whether debt agreements under Part IX and personal insolvency agreements under Part X should be made permitted contents of a credit information file. If Part IX and Part X debt agreements are made permitted contents of a credit information file, then the Office supports the deletion of the information after 5 years from the individual's credit information file, rather than 7 years as is the case with bankruptcy orders.

33. Further discussion regarding the regulation of the publicly available personal information of individuals appears under Question 5-26.

Serious credit infringements

34. A 'serious credit infringement' is defined in s.6(1) of the Privacy Act and is a permitted content of an individual's credit information file under s.18E(1)(b)(x).

35. As pointed out in Paragraph 5.23 of IP32, a credit provider can list a serious credit infringement at any time; there is no waiting period as with other listings.

36. However, the listing requirements are quite complex and include:

  • That in the opinion of the credit provider the individual has, in the circumstances specified, committed a serious credit infringement.9
  • An act done by a person that a reasonable person would consider indicates an intention, on the part of the first-mentioned person, to no longer comply with their obligations in relation to credit.10
  • A credit provider must not give to a credit reporting agency personal information relating to an individual if the credit provider does not have reasonable grounds for believing that the information is correct.11

37. The Office recommends that the ALRC consider simplifying the definition of serious credit infringement and the circumstances when such a listing should be made. It also agrees with the view in Paragraphs 5.22-5.24 of IP32 that the Privacy Act should define serious credit infringement with greater precision rather than leaving this to the interpretation of individual credit providers as is currently the case. The Office believes that such changes will not affect the credit provider's existing rights under the general law to obtain judgment against the individual for an unpaid loan.

Commercial credit

38. In the answer to Question 5-25 below the Office suggests that ALRC may wish to consider whether the commercial credit information of an individual should be covered by Part IIIA of the Privacy Act. An individual's commercial credit information may include personal information and credit reporting agencies currently make this information available to credit providers to assess an individual's credit eligibility with the consent of the individual.

39. If this proposal proceeds the permitted content of a credit information file in s.18E could be amended to include commercial credit taken out by individuals.

Publicly available information

40. The Office recommends that the definition of a 'credit reporting business' in s.6(1) of the Privacy Act should be amended to remove the exclusion in the phrase 'other records in which the only personal information relating to individuals is publicly available information'. This will have the effect of regulating publicly available personal information, such as commercial credit information, including defaults, directorships, judgments and proprietorship information that is collected by a credit reporting agency for the purpose of assessing an individual's eligibility for credit.

41. If this proposal proceeds the permitted content of a credit information file in s.18E should be amended to include publicly available information.

Prohibited content

42. The Office supports the current list of prohibited content of a credit information file in s.18E(2) of the Privacy Act, including the publicly available information on that list, given the highly sensitive nature of the information and the lack of relevancy of the information to an individual's credit worthiness. The prohibited content of a credit information file currently comprises:

  • Political, social or religious beliefs or affiliations
  • Criminal record
  • Medical history or physical handicaps
  • Race, ethnic origins or national origins
  • Sexual preferences or practices
  • Lifestyle, character or reputation.

43. However, to improve consistency the ALRC may wish to consider aligning the definition of prohibited content with the definition of sensitive information in s.6(1) of the Privacy Act which applies to the NPPs. This aspect is also discussed in the answer to Question 5-26.

Question 5-1

Office position:

  1. The Office submits that the ALRC consider whether the following changes should be made to s18E(1) which sets out the permitted contents of credit information files:
    • Prohibit listings under $500 by introducing a statutory minimum listing amount;
    • Remove dishonoured cheques as a permitted listing;
    • Introduce a graduated time scale, linked to set monetary amounts, for adverse listings;
    • Reduce the listing period from 5 and 7 years to periods of 2 to 4 years, respectively, for minor monetary amounts;
    • Remove the term 'bankruptcy orders' and replace it with the term 'act of bankruptcy';
    • Consider including Part IX and Part X debt agreements as permitted contents and make them subject to a listing time scale of 5 years rather than 7 years;
    • Simplify the definition of serious credit infringement and provide specific guidance about when such a listing can be made;
    • Include personal information relating to commercial credit transactions granted to individuals as permitted content;
    • Include publicly available information as permitted content (see recommendation 5-1 iii below);
    • Allow notification that a credit offer has been made and accepted, in relation to a specific inquiry, without the amount being specified.
  2. The Office suggests that the ALRC consider whether the definition of prohibited content of credit information files set out in s.18E(2) should be aligned with the definition of sensitive information in s.6(1) of the Privacy Act.
  3. The Office recommends that the definition of a 'credit reporting business' in s.6(1) be amended to remove the exception relating to publicly available information (see recommendation 5-1 i above).

5-2 Should a credit provider that subscribes to a credit reporting agency be required to provide to the credit reporting agency some or all kinds of information that may be included in a credit information file? What issues would be raised by compulsory reporting, for example, in relation to the cost to credit providers of participating in the credit reporting system?

Compulsory reporting of permitted content

44. The Office does not support compulsory reporting by credit providers to credit reporting agencies. The Office considers that the personal information compulsorily reported to credit reporting agencies could become a rich source of data with the attendant risk that over time other entities may wish to source the information for purposes unrelated to the provision of credit.

45. To address some of the privacy concerns, should such a proposal be adopted, the Office believes that the current use and disclosure provisions should be reviewed so that stronger protections are introduced to prohibit the use or disclosure of permitted content for non-credit related purposes.

46. The Office is not in a position to say whether compulsory credit reporting would add to the compliance costs of medium and small credit providers. However, the Office is concerned that expanding the volume of information reported to credit reporting agencies has the potential to increase the level of inaccuracy.

Question 5-2

Office position:

  1. The Office does not support compulsory reporting by credit providers to credit reporting agencies.
  2. If compulsory reporting is introduced, the Office suggests that the provisions regulating the use and disclosure of credit information for non-credit related purposes should be strengthened.

5-3 What issues are raised by the provisions of the Privacy Act requiring individuals to be informed about the disclosure of personal information to a credit reporting agency? How do these provisions operate in practice?

47. The notice provision in s.18E(8)(c) of the Privacy Act is important as it promotes transparency between the individuals, credit providers and to some extent credit reporting agencies. However, as currently drafted, this provision generates a number of complaints, particularly in relation to assigned loans. Such complaints typically occur because notice may be given by a credit provider a long time before a listing is made. Problems may also occur with assigned loans because the assignee may assume notice has been provided by the original credit provider and not provide notice at the time of listing. The Office believes that s.18E(8)(c) would benefit from being re-drafted to align the notice requirements with those under NPP 1.3.

48. To address these issues, the Office believes that organisations collecting personal information for credit reporting purposes should give separate notice to the individual regarding the handling of their personal information. The Office also believes that this notice should not be bundled with other information about credit terms and conditions and could set out information such as the possible uses and disclosures that could occur during the credit relationship in accordance with Part IIIA and how the individual could contact a credit reporting agency to discuss the handling of their personal information or obtain access to their information. These comments are also made in our response to Question 6.4(a).

49. The Office also considers that there is value in requiring credit providers to give individuals notice when certain events occur, such as default listing or a debt assignment, which could result in an adverse listing being placed on their credit information file. The Office notes that these events sometimes occur well after the credit was initially granted. As credit providers or assignees are likely to be in contact with individuals about these matters, reminding individuals that a listing may be made on their credit information file would involve only a marginal additional compliance cost. The Office suggests that this notice could be incorporated into the letter of demand or debt assignment notice that the credit provider issues, as is currently done by some credit providers.

Question 5-3

Office position:

  1. The Office recommends the re-drafting of the notice provision at s.18E(8)(c) to align it more closely with the requirements under NPP 1.3, and to require that notice is given prior to any listing being made or a debt being assigned.
  2. The Office considers that the notice provided to individuals should include contact information for the credit reporting agency.

5-4 What issues are raised by the provisions of the Privacy Act dealing with the deletion from credit information files of permitted content? How do these provisions operate in practice, for example, in relation to multiple listings in respect of the same debt? How should the deletion of personal information in credit information files be regulated?

Information about statute barred debts

50. Part IIIA of the Privacy Act interacts with state-based statutes of limitation through certain provisions in the Credit Reporting Code of Conduct. Clause 2.8 of the Credit Reporting Code of Conduct provides that 'a credit provider must not give to a credit reporting agency information about an individual being overdue in making a payment where recovery of the debt by the credit provider is barred by the statute of limitations'. In this way the statutes of limitation temporally limit the listing of debts, which may otherwise be listed under the Credit Reporting provisions of the Act.

51. Part IIIA provides that where a loan is statute barred because of provisions in statutes of limitation, the debtor cannot be considered to be 'overdue in making a payment' or to have committed a serious credit infringement 'indicating an intention ... no longer to comply with the ... person's obligations in relation to credit' within the meaning of those terms in the Privacy Act. Statutes of limitation are a state matter and so to apply this provision accurately, credit providers and credit reporting agencies may need to refer to a number of pieces of legislation.

52. The Office supports the consolidation of provisions in the Credit Reporting Code of Conduct (Paragraph 2.8) and s.18E(1)(ba)(i) in the Privacy Act preventing statute barred loans both in relation to debtors and guarantors from being listed on an individual's credit information file.

Time limits for listing defaults

53. With the exception of statute barred debts, the current credit reporting provisions of the Privacy Act do not specify a time limit within which a credit provider must report a payment default or serious credit infringement to a credit reporting agency. Specifying a maximum period of time by which listing must occur may assist affected debtors but could add to business compliance costs. The ALRC may wish to consider this matter further. The Office also notes that some credit reporting agencies have imposed a 12 month limit within which credit providers must report defaults or serious infringements. The Office agrees that this is an appropriate time-frame.

Multiple listing

54. The Office understands multiple listings may occur when a credit provider lists a payment default (or serious credit infringement) and later makes another adverse listing for the same default or serious infringement. This has the effect of extending the period that the listing remains on an individual's credit information file, for example from the usual 5 years to 10 years and is likely to adversely affect an individual's ability to secure credit for an extended period. This practice appears to significantly penalise an individual and may not reflect their current credit worthiness.

55. The Office has taken the view that multiple listings for the same default are not permitted by Part IIIA based on the interaction between s.18E and s.18F. The Office supports a specific provision to prohibit multiple listings in relation to the same default so that this protection is clearer. The Office suggests that such a provision, or a separate provision, could allow a credit provider to update the amount of the default on an individual's credit information file without an additional listing being made.

Schemes of arrangement

56. In relation to schemes of arrangement12 and default listings, the Office agrees it should review its Credit Advice Summaries in relation to payments that become overdue under the new arrangement but that have already been listed.

Question 5-4

Office position:

  1. The Office suggests that the ALRC consider consolidating provisions that relate to the listing of statute barred loans, so that consistent treatment is applied to debtors and guarantors.
  2. The Office suggests that the ALRC consider specifying a maximum period of time by which listing must occur.
  3. The Office submits that multiple listings in relation to the same debt should be prohibited but that credit providers should be allowed to update default listings.
  4. The Office agrees that it should consider reviewing Credit Advice Summaries regarding the multiple listing of schemes of arrangement.

5-5 What issues are raised by the provisions of the Privacy Act and Credit Reporting Code of Conduct dealing with the accuracy of credit information files and credit reports? How do these provisions operate in practice? What regulation should apply to ensure the accuracy of credit information files and credit reports?

Definition of 'credit information report' and 'credit report'

57. The Office considers that the terms 'credit information file' and 'credit report' used, respectively, within Part IIIA of the Privacy Act and the Credit Reporting Code of Conduct need to be reviewed to eliminate inconsistencies in their definitions. Other issues related to the inconsistent use of terms are discussed in the response to Question 5-16 below.

Accuracy of files and reports

Accuracy obligations

58. Sections 18G(a) and 18J(1) in the Privacy Act and several paragraphs in the Credit Reporting Code of Conduct13 regulate the accuracy of credit information files and credit reports.

59. Section 18G(a) states in part that a credit reporting agency and a credit provider 'must take reasonable steps to ensure that personal information contained in the (credit information) file or (credit) report is accurate, up-to-date, complete and not misleading'.

60. Section 18J(1) is couched in similar terms, requiring a credit reporting agency to take 'reasonable steps' to make appropriate corrections, deletions and additions, to ensure the personal information in the credit information file or credit report is accurate, up-to-date, complete and not misleading.

61. The Commissioner's advisory Note 7 to the Credit Reporting Code of Conduct states, in relation to s.18G, that 'where there is doubt as to a credit reporting agency's ability to comply with these standards of accuracy, currency, and completeness in respect of any item of information, such items must be removed from the credit information file'. The Explanatory Memorandum to Part IIIA of the Privacy Act at Paragraph 76 says:

Incorrect credit information may have a profound effect on the lives of individuals. Section 18G provides that a credit reporting agency and a credit provider will be required to take steps to ensure that the personal information contained in a credit report [or credit information file] is accurate, up to date and not misleading (Paragraph 18G(a)) ... Where there are disagreements between an individual and a credit reporting agency or credit provider as to the accuracy of a credit record, the individual will be able to request the record-holder to include a statement or note in the credit file or report; see new s.18J.

62. It could be argued that as s.18G is a provision independent of s.18J(1), it imposes an obligation on a credit reporting agency (and credit providers14) to maintain the accuracy of a credit information file or credit report by taking reasonable and proactive steps to do so. As the requirements in s.18G include credit reporting agencies, it is the Office's view that credit reporting agencies cannot rely solely on credit providers to maintain the accuracy of the information held on the credit reporting system. For example, credit reporting agencies could take reasonable steps to maintain the accuracy of their reports by taking a representative sample of records to check for accuracy on a regular basis. The Office believes there may also be other steps that credit reporting agencies could take.

63. To clarify the requirements regarding accuracy the Office supports the inclusion of obligations similar to those outlined in the New Zealand Credit Reporting Privacy Code 2004 and outlined in Paragraph 5.55 of IP32 which requires credit reporting agencies to:

  • enter into agreements with subscribers to ensure accuracy of information
  • establish and maintain controls to ensure that, as far as reasonably practicable, only accurate information is used or disclosed
  • monitor information quality and check on compliance with agreements; and
  • identify and investigate possible breaches of controls.

Linked credit information files

64. It is understood that credit reporting agencies will link the credit information file of an individual to other credit files which are thought to refer to that same individual when, for example, someone is suspected of using an assumed name or a different combination of their first names or first and surnames. In practical terms this means that when an affected individual makes a credit application and the credit provider makes a credit report inquiry, all the linked files can be accessed.

65. It does not appear that individuals are notified when their credit information file has been linked and so they are unlikely to become aware of the linkage until they are refused credit because of the content of their credit file and then make inquiries. The Office appreciates that there may be practical privacy difficulties that a credit reporting agency would face in providing information to an individual about the details of such a linkage. However, it is notable that usually a credit information file will not state that there has been a link to another file, why it was made or where the information came from. The collated and linked information is contained in credit files but the credit providers and individuals are not advised as to the reasons for the linkage.

66. Under s.18G(a) credit reporting agencies have obligations to ensure the accuracy of information held on credit information files. In terms of linked credit files, we understand that credit reporting agencies rely on the fact that credit providers have obligations regarding the accuracy of information they use and disclose, rather than making any separate investigation or decision before linking credit files. The Office has received several complaints about this issue. The practice of linking files in this way appears to be a gap in the privacy protections in Part IIIA. The Office also understands that credit reporting agencies may link personal information in credit files based on information supplied by third parties. However, these third parties do not appear to have any obligations under Part IIIA of the Privacy Act to ensure the accuracy of the information that they supply to a credit reporting agency.

67. The Office suggests that the ALRC should consider whether these practices should be regulated.

Accelerated clauses and related issues in credit loans

68. Section 18E(1)(b)(vi) of the Privacy Act provides in part that a payment that is overdue by at least 60 days may be included in a credit information file. Some credit providers have acceleration clauses in their contracts so that if a single payment is missed the whole balance of the loan, and any fees, charges and interest becomes due and payable. If no payments are made, fees, charges and interest may continue to accrue during the course of recovery action.

69. The Office acknowledges that there is some ambiguity between s.18E(1)(vi) of the Privacy Act and the Commissioner's advisory note 55C to the Credit Reporting Code of Conduct, which are the relevant provisions for such matters. The Office's view is that if the credit provider chooses to list a default in relation to such a matter, the aggregate components of the listed amount must all be 60 days overdue. The Office suggests that s.18E(1)(vi) be re-drafted to clarify the position.

70. In addition to accelerated clauses, there appears to be misunderstanding within the credit reporting industry as to whether s.18E(1)(b)(vi) allows the full amount, including fees and charges, to be listed together with the principal amount overdue. As with acceleration clauses, the Office believes that only amounts which are at least 60 days overdue may be listed under this provision. However, it is uncertain whether a second default listing in relation to these fees and charges could be made once they became at least 60 days overdue.

71. Multiple adverse listings on an individual's credit information file may have significant adverse impact on individuals, as discussed earlier in the response to Question 5-4. The Office supports the clarification of this issue in s.18E so that only one listing is permitted.

Question 5-5

Office position:

  1. The Office recommends the inclusion of obligations on credit reporting agencies to take reasonable and proactive steps to maintain the accuracy of credit reporting information. The Office suggests that these provisions could be modelled on those that currently exist in the New Zealand Credit Reporting Privacy Code 2004.
  2. The Office suggests that it produce guidance for credit providers and credit reporting agencies about what measures are considered to be 'reasonable steps' to promote and maintain the accuracy of credit reporting information.
  3. The Office suggests that the ALRC should consider whether there should be provisions to regulate the linking of credit files.
  4. It is the view of the Office that the aggregate components of the listed amount must all be 60 days overdue. The Office suggests that s18E(1)(vi) may need to be re-drafted to make this position clearer.

5-6 What issues are raised by the provisions of the Privacy Act and Credit Reporting Code of Conduct dealing with the security of credit information files and credit reports? How do these provisions operate in practice? What regulation should apply to ensure the security of credit information files and credit reports?

Mandatory breach reporting

72. The Office considers that the statutory obligations of credit providers and credit reporting agencies to keep credit information files and credit reports secure are a critical protection for credit information.

73. The Office supports the inclusion of a provision in the Privacy Act to require organisations to advise affected individuals of a breach of their personal information in certain circumstances. This could include reporting of breaches of security concerning credit files, credit reports and credit worthiness information whether by a credit provider or credit reporting agency and whether the breach affects electronic databases or paper based records. At present, the extent of security failures in relation to personal information among Australian businesses is not known. However, The Sydney Morning Herald recently reported the results of research which showed that more than two-thirds of Australian organisations experience six losses of sensitive data each year.15 Further the report stated that one in five organisations loses sensitive data 22 or more times a year. These breaches reportedly include customer, financial, corporate employee and IT security data which is stolen, leaked or destroyed.16

74. The Office made substantive comments regarding breach reporting in response to Question 11-3 of IP31.17 In summary, the Office referred to law enacted in California that deals with reporting breaches of computerised data18 and proposals being considered in Canada and the European Union19. The Office does not favour the approach taken in California as the technological specificity and the prescriptive nature of the legislation are at odds with the principle-based approach of the Privacy Act. However, in responding to Question 11-3 of IP31, the Office provided suggestions about the key issues that should be addressed by such a provision. These issues include:

  • responding to different levels of security breaches appropriately to ensure the response is proportional to the extent and type of breach
  • to whom agencies and organisations are required to report - affected individuals, the Privacy Commissioner, or publicly; and
  • ensuring that the provision is technology neutral.

Security of credit worthiness information

75. Loan and credit card statements of individuals are examples of credit worthiness information. Section 18G of the Privacy Act deals with the security of credit information files and credit reports held by credit reporting agencies and credit providers. However, Part IIIA does not regulate the security of credit worthiness information held by credit providers, though the obligation may be covered by NPP 4 if the credit provider is an organisation.20 Small business operators21 that are credit providers are exempt from coverage of the NPPs and do not have any obligations under the Privacy Act to keep credit worthiness information secure.

76. The ALRC may wish to consider whether Part IIIA should be amended to include an obligation for all credit providers to keep credit worthiness information secure to remedy this privacy gap.

Question 5-6

Office position:

  1. The Office suggests that the Privacy Act be amended to add provisions requiring credit providers and credit reporting agencies to advise affected individuals of a breach of their personal credit information in certain circumstances.
  2. The ALRC may wish to consider whether there should be an express obligation on credit providers to keep credit worthiness information secure.

5-7 Is there any evidence that employers, insurers or government agencies request individuals to provide copies of their credit reports for employment, insurance, licensing or other purposes unrelated to the provision of credit? If such requests are made, what steps should be taken to address this issue?

77. The Office has received complaints and inquiries from individuals about this practice. Notably there is no express prohibition in Part IIIA on employers, insurers or government agencies asking the individual to provide a copy of their credit information file for purposes unrelated to credit. NPP 1.1 and IPP 1 will mean that organisations or agencies could only collect such information where it is necessary for their functions or activities. However, these functions or activities may extend beyond the intended scope of the credit reporting scheme. Also, while some small business operators and state and territory authorities that may collect this information from individuals are subject to privacy regulation, many are not and the provisions of NPP 1 or IPP 1 would not apply to them.

78. The Office suggests that consideration be given to the inclusion of an express provision in Part IIIA prohibiting the collection of an individual's credit information file by employers, insurers and government agencies.

Question 5-7

Office position:

  1. The Office suggests that consideration be given to the inclusion of an express provision in Part IIIA prohibiting the collection of an individual's credit information file by employers, insurers and government agencies.

5-8 What issues are raised by the provisions of the Privacy Act dealing with individuals' rights of access to, and alteration of, information in credit information files and credit reports? How do these provisions operate in practice? What rights of access and alteration should individuals have?

Access to and alteration of files and reports

79. Paragraph 5.65 of the Issues Paper discusses issues relating to the costs of accessing credit information files. Section 18H of the Privacy Act is silent on whether access to a credit information file is to be provided free of charge. However, the Credit Reporting Code of Conduct in Paragraphs 1.7 and 1.8 does require credit reporting agencies to provide access free of charge in the following circumstances:

  • where it relates to refusal of the individual's application for credit; or
  • is otherwise related to the management of the individual's credit arrangements.

80. The Office continues to take the view that these provisions are necessary, given the extent of consumer credit and the potentially damaging impact of a negative credit listing. The Office also considers that the right to receive access free of charge under specified conditions should be included in the principal legislation.

81. The Office supports the intent of the access and alteration provisions in ss.18H and 18J of the Privacy Act and similar provisions in Paragraphs 1.13, 1.14 and 3.8 in the Credit Reporting Code of Conduct.

Question 5-8

Office position:

  1. The Office submits that the primary legislation should contain provisions regarding when individuals should be granted access to their credit information file without charge.

5-9 What issues are raised by the provisions of the Privacy Act that limit the disclosure of personal information by credit reporting agencies? How do these provisions operate in practice? What limits should apply to the disclosure of personal information by credit reporting agencies?

Disclosures for law enforcement purposes or as otherwise authorised by law

82. Government agencies at the federal and state level may seek access to credit information files of individuals under the 'required or authorised by or under law' exception in s.18K(1)(m) for purposes unrelated to the provision of credit.

83. The level of transparency of credit information disclosures made by a credit reporting agency for some law enforcement purposes has been altered by amendments to the Privacy Act introduced in 2002 and 2006. The Australian Crime Commission Act 2002 and the Law Enforcement Integrity Commission Act 2006 inserted a note to s.18K(5) of Part IIIA qualifying the obligation on a credit reporting agency to include a note on a credit file of any disclosure it has made.

84. A note to a section does not have the status of law,22 but the practical effect of these amendments is that a credit reporting agency is prevented from making a note of a disclosure on a credit file 'if a notation has been made on a summons, or a notice relating to the disclosure of the information and the notation has not been cancelled'. While accepting the need for covert operations and the disclosures for law enforcement purposes, such disclosures are not transparent because an individual will not be aware that his or her credit file has been collected by a law enforcement agency. To the greatest extent possible, an individual should be able to know what organisations have had access to their personal credit information, and the right balance should be struck.

85. The Office believes that individuals applying for credit may have limited choice about whether to provide their personal information to a credit provider who will in turn disclose that information to a credit reporting agency.

86. The Office suggests that the ALRC consider reviewing s.18K with a view to ensuring the appropriate balance is being achieved between the needs of law enforcement agencies to perform their functions effectively and the need to ensure that there is some form of transparency in respect of accesses made by such agencies to the credit information files of individuals.

Use and disclosure by mortgage insurers and trade insurers

87. Paragraph 5.77 of IP32 raises the issue of use and disclosure of information from credit files by mortgage and trade insurers. The Office suggests that there should be good public policy reasons for mortgage insurers and trade insurers to have direct access to credit reports when other types of insurers do not have direct access.

88. The Office acknowledges that mortgage insurance provides benefits for individuals, particularly the ability to borrow in excess of a credit provider's loan to valuation ratio, which is generally 80% of the cost of a property. However, it could be argued that the insurance is for the benefit of the financial institution (not the individual) in the event of default by the insured borrower, although the individual pays for the one-off premium in advance.

89. Most credit providers have some discretionary power to approve applications for mortgage insurance. However, where a loan proposal does not meet certain criteria and mortgage insurance is required, for example, where the borrowers are self employed, the mortgage insurer will complete their own assessment of the loan proposal. This involves a complete assessment by the mortgage insurer i.e. they require all the documentary evidence provided to the credit provider such as bank statements and income statements and also request a credit check to complete their assessment.

90. The Office believes that Part IIIA could be amended to allow credit providers, but not credit reporting agencies, to disclose an individual's credit report to a mortgage or trade insurer, where access to the report is required to assist in the assessment of the individual's credit worthiness. In addition, the Office suggests that such a provision may limit the use of this information to the purpose for which it was disclosed and require that the information be destroyed once the insurer had completed their assessment.

91. The Office suggests that a similar approach could be applied to trade insurers.

Question 5-9

Office position:

  1. The Office suggests that the ALRC consider reviewing s.18K with a view to ensuring the appropriate balance between the needs of law enforcement agencies and some form of transparency in respect of the access by such agencies to the credit information of individuals.
  2. The Office submits that the ALRC should consider whether mortgage and trade insurers should have limited access to and use of individuals' credit information files via credit providers.

5-10 What issues are raised by the disclosure of personal information by credit reporting agencies to credit providers covered by the Privacy Commissioner's Credit Provider Determination No. 2006-4 (Classes of Credit Provider)?

5-11 What issues are raised by the disclosure of personal information by credit reporting agencies to credit providers covered by the Privacy Commissioner's Credit Provider Determination No. 2006-3 (Assignees)?

Classes of Credit Provider Determination and Assignees Determination

92. When the Office reviewed and considered extending the credit provider determinations (Assignees Determination and Classes Determination),23 submissions to the consultation paper from consumer advocate groups noted the following concerns:

  • A lack of understanding by some non-traditional credit providers covered by the Classes Determination of their obligations under the Privacy Act, mainly in relation to proper notification and record keeping; and
  • The follow-on effect of poor record keeping by non-traditional credit providers covered by the Classes Determination in relation to listing of statute-barred debts and double listing by the assignees.

93. Paragraphs 5.80 - 5.88 of IP32 also discuss the effect of these determinations.

94. There is an argument that to provide greater certainty to business, the effect of the Classes Determination and Assignees Determination should be included within the definition of 'credit providers' in s.11B in the Privacy Act rather than through the Privacy Commissioner making such a determination under s.11B(1)(b)(v)(B). However, this would mean that industry participants and the Office would lose the flexibility that currently exists to review, amend and/or remove these Determinations as appropriate.

Overlap with Part 13 Telecommunications Act

95. In the answer to Question 10-1 of IP31 the Office refers to provisions in the Telecommunications Act 1997 which affect some credit providers covered by the Classes Determination which are also telecommunications providers. For example, s.291 of the Telecommunications Act 1997 allows uses and disclosures of personal information of individuals for 'businesses purposes' to other carriers or service providers. There is no equivalent provision in the NPPs or in Part IIIA of the Privacy Act.

96. Other exceptions under Part 13 of the Telecommunications Act 1997 (ss.289 and 290) appear to permit additional uses and disclosures in relation to consumer credit. This area is already covered to an extent by Part IIIA of the Privacy Act. Unlike the NPPs, Part IIIA is prescriptive in nature and provides for criminal penalties in the event of some breaches. The level of protection provided under Part IIIA reflects the significant consequences for individuals if their consumer credit information is misused.

97. The website of the Australian Communications and Media Authority (ACMA) provides an explanation of ss.289 and 290. It states that:

  • Section 289 may operate to authorise the disclosure of affairs or personal particulars of another person in relation to a debt sold to a debt collection agency. This provision covers situations where the other person is reasonably likely to have been aware or made aware that information or a document of that kind is usually disclosed, or used, as the case requires, in the circumstances concerned.
  • Sections 289 and 290 may be relevant to authorise the disclosure of affairs or personal particulars of another person when a carrier or CSP does credit card checks with a credit card company.
  • Section 289 covers situations where the other person is reasonably likely to have been aware or made aware that information or a document of that kind is usually disclosed, or used, as the case requires, in the circumstances concerned.
  • Section 290 applies to situations where it might reasonably be expected that the sender and recipient of the information would have consented to the use or disclosure if they had been aware of it in the circumstances concerned.24

98. In the Office's view, if the above interpretation is correct, ss.289 and 290 appear to create two problems. First, these exceptions appear to go beyond what a credit provider is permitted to do under the credit reporting provisions in Part IIIA of the Privacy Act. However, because of s.303B of the Telecommunications Act 1997 (noted above), such uses and disclosures are taken to be authorised by law for the purposes of the Privacy Act, when undertaken by telecommunications businesses covered by Part 13.

99. Second, ss.289 and 290 appear to create more permissive conditions for use and disclosure of personal information related to consumer credit for those credit providers that operate in the telecommunications sector, compared to those that operate in the other industries.

100. In responding to Question 10-2 of IP31, the Office suggests that consideration be given to the removal of exceptions under Division 3 of Part 13 and allowing NPP 2 to regulate use and disclosure of information under that Part. Provided that no existing privacy protections are diminished, the Office can see merit in such a change.

101. Alternatively, the ALRC may wish to consider whether the exceptions in Part 13 should be amended to ensure that, at a minimum, the exceptions align with the protections against improper use and disclosure under NPP 2. These issues are discussed more fully in the Office's response to Question 10-2 of IP31.25

Question 5-10

Office position:

  1. The Office suggests that all credit providers should be subject to consistent regulation regarding use and disclosure of credit information.

5-12 What issues are raised by the definition of a 'credit provider' for the purposes of the Privacy Act? How does this definition operate in practice?

102. The Credit Reporting Advice Summaries issued by the Office provide guidance on the application of Part IIIA of the Privacy Act. In Advice Summary 1.4 the Office states that the word 'substantial' in the definition of credit provider under s.11B(1)(b)(iii) of the Privacy Act denotes both value and proportion. Therefore, a corporation could satisfy this aspect of the definition of a credit provider where its lending activities involved substantial amounts of money, even if its lending activities did not constitute the dominant part of the corporation's overall business. The Office sees merit in raising awareness of the issue. It also suggests that consideration be given to whether the meaning of 'substantial' should be broadened.

103. Australian government agencies can apply to the Privacy Commissioner under s.11B(d)(ii) of the Privacy Act for a credit provider determination, which allows them to operate as a credit provider in terms of the provisions under Part IIIA. However, state or territory government agencies which grant consumer credit do not appear to invoke the definition of a credit provider (and therefore cannot conduct credit reporting) for the purposes of Part IIIA, unless they are a corporation as defined in s.11B(b).

104. The Office believes that state and territory government agencies should have the same opportunity as Australian government agencies to apply for a credit provider determination, if they provide credit to individuals. For example, state housing commissions could be considered credit providers if they lend finance to individuals to purchase homes. Notwithstanding this, the Office does not believe that state or territory agencies providing rental housing should be considered as credit providers within the definition of that term in the Privacy Act. This is because rental agreements usually provide that rent is to be paid in advance. For that reason state or territory agencies providing rental housing should, as is currently the case, not be permitted to access the credit reporting system.

Question 5-12

Office position:

  1. The Office submits that the definition of credit provider could be improved by defining the meaning and / or breadth of 'substantial'.
  2. The Office believes that state and territory government agencies should have the same rights as Australian government agencies to apply for a credit provider determination, if they provide credit to individuals.

5-13 What persons or organisations should be permitted to obtain personal information contained in credit information files held by credit reporting agencies? How should this aspect of the credit reporting system be regulated? Should regulation permit different levels of access to the information contained in credit information files?

105. As a general principle, the Office submits that only credit providers should be able to access information from credit information files unless there are cogent public interest reasons why other persons should. The current exceptions in s.18K permit access to an individual's credit information file by, for example, persons and organisations who are mortgage and trade insurers.

106. Real estate agents and landlords are not permitted access to the credit reporting system. The Office supports the continuation of this approach as these entities are not providing credit to individuals. In the case of mercantile agents, the Office is of the view that the current provision in s.18N(1)(c) of the Privacy Act is adequate as it permits a credit provider to disclose specific information from a credit information file (but not the credit file) to a mercantile agent for the purpose of collecting the specific debt that is owed. The restriction on access to an individual's credit information files for debt collection purposes in s.18N(1)(c) of the Privacy Act does not apply to debt collection activities carried out in-house by the credit provider.

107. The Office notes that Part IIIA of the Privacy Act does not place privacy obligations on a mercantile agent who receives the personal information of a debtor under s.18N(1)(c). In these circumstances there may be a privacy gap if the mercantile agent is a small business operator within the meaning of s.6D or is otherwise exempt from coverage of the NPPs.

108. The Office submits that mercantile agents that receive personal information from credit providers under the provisions of s.18N(1)(c) of the Privacy Act should be subject to a prohibition on the use and disclosure of that information for secondary purposes. See also the Office's response to Question 5-21 below.

Question 5-13

Office position:

  1. The Office submits that, as a general principle, only credit providers should be able to access information from credit information files unless there are cogent public interest reasons why other persons should.
  2. The Office submits that mercantile agents that receive personal information from credit providers under the provisions of s.18N(1)(c) of the Privacy Act should be subject to a prohibition on the use and disclosure of that information for secondary purposes.

5-14 What issues are raised by the practice of credit providers seeking 'bundled consent' to a number of uses and disclosures of personal information, including in relation to credit reporting?

5-15 Is reliance on the principle of consent to protect the privacy of personal information in credit reporting effective? What alternative approaches are available to protect individuals' information privacy?

109. Paragraph 5.103 of IP32 discusses the requirement in s.18E(8)(c) in the Privacy Act that a credit provider must not give personal information to a credit reporting agency unless prior notice to that effect has been given to that individual. It notes that there is no express requirement that the individual must have consented to that disclosure. The Office discusses these notice requirements in some detail separately in the response to Question 5-3 above.

110. IP32 notes that a credit provider may be required by the effect of the NPPs, or by common law duties of confidence, to obtain consent before disclosure to a credit reporting agency. In these contexts the paper discusses bundled consent. However, the Office is of the view that the effect of s.18E is to permit a credit provider to undertake credit reporting without the consent of the individual to the extent of the acts and practices covered by this provision.

111. In relation to bundled consent, the Office refers to the response to Question 5.3, 6.4(a) of IP32 and Question 4-11 of IP31.

112. Paragraph 5.114 of IP32 refers to the Office's Private Sector Review, which considered the issue of bundled consent. The Office will be developing guidance on bundled consent, noting the possible tension between the desirability of short form privacy notices and the desirability of lessening the incidence of bundled consent.26

Question 5-14 and 5-15

Office position:

  1. The Office will develop guidance material on bundled consent and short form privacy notices.

5-16 What issues are raised by the provisions of the Privacy Act that limit the use by credit providers of personal information contained in credit reports? How do these provisions operate in practice? What limits on the use by credit providers of personal information contained in credit reports should apply, for example, in relation to marketing?

113. Section 18L and s.18P of the Privacy Act specify limits on the uses of credit reports by a credit provider (except in one situation in s.18Q). However, there is no corresponding obligation on uses of credit worthiness information, which is defined in s.18N(9). One example of credit worthiness information is the loan records of an individual held by a credit provider.

114. The definition in s.18N(9) excludes publicly available personal information on a report or record from being regulated by Part IIIA. However, if the credit provider is an organisation within the meaning of s.6C of the Privacy Act, the NPPs will regulate the personal information it has collected from publicly available sources and its use in relation to marketing activities.

115. In responding to Question 5-26 the Office suggests that the definition of a credit reporting business should be amended to remove the exclusion in the phrase 'other records in which the only personal information relating to individuals is publicly available information'. This will have the effect of regulating publicly available personal information included in credit information files under Part IIIA, rather than the NPPs.

116. To promote consistency and reduce complexity, the Office suggests that Part IIIA should regulate not only the uses of personal information from a credit report by credit providers but also the uses of credit worthiness information in its entirety, rather than aspects of it as is currently the case. This proposal also has the benefit of making the legislation clearer so that it assists businesses to understand their legal obligations and helps consumers understand their rights. Further comments regarding credit worthiness information are made in the Office's response to Question 5-20.

Question 5-16

Office position:

  1. The Office submits that the credit reporting provisions should also regulate the uses of credit worthiness information.

5-17 What issues are raised by the provisions of the Privacy Act requiring individuals to be notified when an application for credit is refused based wholly or partly on a credit report? How do these provisions operate in practice? What obligations should apply when an application for credit is refused based on a credit report?

117. IP32 refers to a submission from a consumer advocate that credit reporting agencies (not credit providers) should be obliged to inform an individual within 14 days when an adverse listing has been made, something which is currently not required by Part IIIA of the Privacy Act. The Office considers that this suggestion has potential privacy benefits.

118. While the Office understands that there would be additional compliance costs for credit reporting agencies in providing such notice, this action could have a major effect on an individual's ability to obtain finance, and, on balance, the Office supports further consideration being given to this proposal.

119. On a related issue in responding to Question 5-3, the Office suggested that the ALRC may wish to consider amending the current s.18E(8)(c) notice requirement for credit providers to remove ambiguities in the provision and to provide that, prior to any listing, an individual should be informed that their personal information may be given to a credit reporting agency.

Question 5-17

Office position:

  1. The Office submits that the ALRC consider whether credit reporting agencies should be required to inform an individual within 14 days when an adverse listing has been made.

5-18 What issues are raised by the provisions of the Privacy Act placing limits on the disclosure by credit providers of personal information contained in reports relating to credit worthiness? How do these provisions operate in practice? How should the disclosure by credit providers of personal information relating to credit worthiness be regulated?

5-19 What issues are raised by the application of s.18N of the Privacy Act to 'reports', as defined by s.18N(9)? Should information relating to credit worthiness that is not contained in a credit report be left to be covered by the disclosure principles in NPP 2.1 of the National Privacy Principles?

Publicly available Information

120. In response to Question 5-16 the Office notes that the definition of 'report' in s.18N(9) excludes publicly available personal information on a report or record from being regulated by Part IIIA of the Privacy Act. Such information is therefore only regulated by the NPPs, provided they apply. As noted previously, if a credit provider is a small business operator within the meaning of s.6D, they will not be covered by the NPPs and privacy protection will not be afforded to that information. The Office considers that this may lead to inconsistency in the protection offered to the information in the context of the handling of credit information. The issue of regulating publicly available personal information is discussed further in our response to Question 5-26.

Credit worthiness information

121. IP32 observes that the accuracy and data security obligations in s.18G of the Privacy Act apply to credit information files and credit reports but not to credit worthiness information. The result is that data quality and security obligations for credit worthiness information that is held in a record must be regulated by NPP 3 and NPP 4.1 if the credit provider is an organisation within the meaning of s.6C.

122. The Office suggests that the ALRC consider whether an individual's personal information used to determine credit worthiness should be subject to s.18G of the Privacy Act. The Office believes this may reduce complexity through simplified legal obligations for businesses and help consumers understand their rights.

National Relay Service

123. The National Relay Service (NRS) is a telephone access service for individuals who have a speech or hearing impairment. While most large organisations, such as financial institutions and telecommunications service providers, provide a telephone typewriting service (TTY), this does not assist individuals who need to use a speech-to-speech relay service or do not have access to a computer with a modem. NRS can assist in these situations by establishing a 3-way conference call.

124. The Office is aware that some financial institutions have refused to discuss financial information with customers who use the NRS, citing privacy concerns. In particular, s.18N of the Privacy Act may not allow a credit provider to disclose credit worthiness information to NRS.

125. The Office believes that NRS provides a valuable service to individuals and that consideration should be given to making a specific exception for speech to speech relay services in Part IIIA.

Question 5-18 and 5-19

Office position:

  1. The Office suggests consideration be given to whether an individual's personal information used to determine credit worthiness should be subject to s.18G of the Privacy Act.
  2. The Office suggests that consideration be given to making a specific exception for speech to speech relay services in relation to the use and disclosure of credit reporting information.

5-20 What issues are raised by the provisions of the Privacy Act placing limits on the use or disclosure of personal information contained in credit reports by those corporations or persons covered by ss.18P and 18Q of the Privacy Act? How do these provisions operate in practice? How should the use or disclosure of personal information by these corporations or persons be regulated?

126. This question deals with the effect of the current provisions regarding limits on the secondary disclosure of information held by mortgage and trade insurers and other specified entities as listed under s.18Q, and whether these should be amended.

127. In responding to Question 5-9, the Office suggested that there should be good public policy reasons for mortgage and trade insurers to be given direct access to credit reports when other types of insurers do not have direct access. However, if this proposal was accepted, mortgage and trade insurers would still be able to receive access to credit file information via the credit provider. Therefore the requirements of s.18P would still be relevant.

128. The provisions under s.18G also regulate the secondary use and disclosure by related corporations, legal and professional financial advisers and entities that manage loans. The Office believes that consideration should be given to the broadening of these provisions to prohibit the use or disclosure of information collected by all recipients of credit information files or credit worthiness information, not just those recipients covered by ss.18P and 18Q.

129. The Office supports the intent of the provisions in ss.18P and 18Q and recommends that they remain to regulate the secondary use and disclosure of credit information.

Question 5-20

Office position:

  1. The Office supports the intent of the provisions in ss.18P and 18Q and recommends that they remain to regulate the secondary use and disclosure of credit information.
  2. The Office suggests that the ALRC consider whether these provisions should be extended to cover all credit providers.

5-21 What issues are raised by the use of the credit reporting system in debt collection? How should the use of personal information contained in credit information files and credit reports for debt collection be regulated?

130. Paragraph 5.131 of IP32 summarises the effect of provisions in Part IIIA of the Privacy Act which allow a mercantile agent to receive from the credit provider information about the debtor. The Office supports the current provisions in Part IIIA that place limits on the disclosure of personal information from credit information files to mercantile agents and others engaged in debt collection.

131. The Office is of the opinion that the current provisions are adequate to enable mercantile agents to have access to sufficient personal information of the debtor in order to collect the specific debt that they have been engaged to collect.

132. The Office does not believe there is a strong argument for widening of those provisions to allow the mercantile agent to have access to the credit information file of the debtor or to have access to some aspects of information on that file, for example, information about credit inquiries that have been recorded on the credit file or whether the individual has had adverse listings recorded.

133. The Office is of the view that such information does not appear to be relevant to the mercantile agent's function of collecting the specific debt and impacts on the privacy of the individual. In responding to Question 5-13 the Office suggests that mercantile agents that receive personal information from credit providers under the provisions of s.18N(1)(c) of the Privacy Act should be subject to a prohibition on the use and disclosure of that information for secondary purposes.

134. On a related aspect, the Office draws attention to the Debt collection guideline: for collectors and creditors, jointly produced by the Australian Securities and Investments Commission and the Australian Competition and Consumer Commission.27 The guideline contains a number of provisions covering Commonwealth consumer protection laws that apply to debt collection, including the application of the Privacy Act to such activity. The Office contributed to the sections in the guideline which discuss the privacy of personal information, and those aspects of the guideline reflect the Office's views on the application of the Privacy Act. The publication refers to the NPPs and provides guidance on their application to debt collection activities, covering many of the issues raised in Paragraphs 5.133-5.135 of IP32, for example, the listing of debts by debt collectors and creditors.

Question 5-21

Office position:

  1. The Office believes that the current provisions are adequate to enable mercantile agents to have access to sufficient personal information of a debtor to collect a specific debt.

5-22 What issues are raised by the possible use of credit information files for electronic identification and verification? How should the use of credit information files for electronic identification and verification be regulated?

135. The Office is concerned about opening the credit reporting system to use for purposes unrelated to the provision of consumer credit. Such access is currently prohibited by Part IIIA of the Privacy Act, which prescribes criminal sanctions for non-compliance, including fines of up to $150,000.

136. The Office suggests that any proposal to expand the possible use of credit information files beyond their primary use, which is to assess individuals' eligibility for credit, should be considered in terms of the benefits or otherwise to individuals as a result of this proposal.

137. There is no specific provision in Part IIIA of the Privacy Act which prohibits personal information in credit reports and credit information files being used internally by credit reporting agencies for other purposes. The Office suggests that the ALRC should examine whether or how credit reporting information files are being used internally by credit reporting agencies for other purposes and, if this is the case, whether or how these practices could be regulated.

Question 5-22

Office position:

  1. The Office suggests that the ALRC should examine whether or how credit reporting information files are being used internally by credit reporting agencies for other purposes and, if this is the case, whether or how these practices could be regulated.

5-23 Should credit reporting regulation provide expressly for the problem of identity theft, for example, by permitting credit reports to contain information that the individual concerned has been the subject of identity theft?

138. The Office considers that there is merit in Part IIIA of the Privacy Act being amended to enable an individual to note that they have been subject to identity theft.

139. However, the Office suggests there may need to be provisions to enable the removal of an identity theft notification, either by lapsing after a period of time or being removed once the identity theft has been resolved.

Question 5-23

Office position:

  1. The Office considers that there is merit in the credit reporting provisions being amended to enable notations to be placed on an individual's file in relation to identity theft.

5-24 What issues are raised by credit information files and credit reports about children and young people? How should the collection, use and disclosure of personal information relating to children and young people be regulated?

140. Part IIIA of the Privacy Act does not currently make special reference to children and young people. Rather, Part IIIA, and the Privacy Act generally, operate on the basis that children and young people have the same rights to privacy as adults. The responsibility for exercising a child's or young person's rights under the Privacy Act falls to another person (usually a parent), until the child reaches a level of maturity where they have the capacity to make decisions independently.

141. The lack of any special reference to young people in Part IIIA of the Privacy Act has meant that credit reporting agencies maintain credit information files on young people less than 18 years of age and that credit providers are permitted to conduct credit reporting on them. This includes making credit inquiries and recording default listings on credit files on the same basis as for adults.

142. Paragraph 5.143 of IP32 discusses the capacity of young people to contract at common law. A contract is not binding on a person under 18 years of age unless it is a contract of 'necessaries'. In NSW the position focuses on the contract being for the benefit of the child or young person where the individual is sufficiently mature to understand their participation in the contract.

143. The matter of incapacity of a minor to legally contract may raise difficulties for the Office conciliating complaints in cases where default listings have occurred. For example, there will be cases where it is arguable that the provision of credit under a contract may not be one of necessity or for the benefit of the individual. In these cases it is not clear that the Office has power to make findings as to the lawfulness of any adverse listing made.

144. Often a young person's introduction to credit is through access to mobile phone services. The Office considers that there is merit in the ALRC considering shorter adverse credit listing timeframes for minors, for example, 2 years for payment defaults and 4 years for serious credit infringements. This could be justified on the basis that young people should not be unnecessarily burdened with an adverse credit listing for a lengthy period into adulthood as a result of their possible inexperience in handling credit as a minor and given that this does not affect the rights of the credit provider to recover the debt under the general law.

Question 5-24

Office position:

  1. The Office submits that the ALRC consider shorter adverse credit listing timeframes for minors, for example, 2 years for payment defaults and 4 years for serious credit infringements.

5-25 Is the distinction in the credit reporting provisions of the Privacy Act between consumer and commercial credit necessary? Should personal information about consumer and commercial credit worthiness be regulated by the same statutory provisions?

Definition of consumer credit

145. The definition of (consumer) credit in the Privacy Act is similar but not identical to that in the Uniform Consumer Credit Code (UCCC).28 The latter refers to credit 'provided or intended to be provided wholly or predominantly for personal, domestic or household purposes'. The definition given to credit in s.6(1) of the Privacy Act refers to it 'being a loan that is intended to be used wholly or primarily for domestic, family or household purposes'.

146. In most cases 'credit' under the UCCC will also be considered 'credit' under the Privacy Act but there will be cases where it will not. For example, a loan by an individual for the purpose of financing a rental property or the purchase of shares or for a similar purpose may not be considered to be credit under Part IIIA as this borrowing could be considered a commercial transaction and therefore not 'intended to be used wholly or primarily for domestic, family or household purposes' within the meaning of the Privacy Act. However, such a loan may be covered by the UCCC.

147. The Office supports the alignment of the definition of credit in the Privacy Act with the definition in the UCCC.

Distinction between consumer and commercial credit in the Privacy Act

148. Credit reporting agencies currently make an individual's commercial credit transactions available to credit providers to assess an individual's credit eligibility. This information is regulated by the NPPs if the credit provider is an organisation within the meaning of s.6C of the Privacy Act (that is, if the organisation is not exempt by virtue of the small business exemption). Further, as mentioned in Paragraph 5.150 of IP32, some current sections in Part IIIA already regulate aspects of commercial credit by individuals, and this fragmented approach adds to the complexity of the provisions.

149. Given these issues, the Office believes that there may be an argument for personal information about individuals' consumer and commercial credit transactions to be regulated by the same statutory provisions in Part IIIA. The Office therefore suggests that the ALRC consider whether personal information relating to credit advanced to an individual for commercial purposes should also be covered by Part IIIA of the Privacy Act.

Question 5-25

Office position:

  1. The Office supports the alignment of the definition of credit in the Privacy Act with the definition in the UCCC.
  2. The Office recommends that personal information relating to credit advanced to an individual for commercial purposes should also be covered by Part IIIA of the Privacy Act.

5-26 What issues are raised by the collection of publicly available personal information for use in credit reporting? How should the collection, use and disclosure of such information be regulated?

150. The Explanatory Memorandum to Part IIIA of the Privacy Act states that it is not intended to regulate publicly available information. Further, the definition of a credit reporting business in s.6(1) of the Privacy Act states that a business is not undertaking a credit reporting business where the personal information on a record only includes publicly available information.

151. However, some categories of permitted contents of a credit information file are publicly available information, for example, court judgments in s.18E(1)(viii) and 'bankruptcy orders' in s.18E(1)(ix). In some circumstances, a serious credit infringement in s.18E(1)(x) could also be considered publicly available information.

152. It is not clear if a record containing 'publicly available information' (an undefined term) is part of the credit report or credit information file because of the definition of 'credit reporting business' in s.6(1) which excludes records containing publicly available information from regulation under Part IIIA.

153. As already mentioned, publicly available information on individuals, which is largely unregulated by Part IIIA of the Privacy Act, is provided by credit reporting agencies to credit providers to assess an individual's eligibility for credit. The Office believes that publicly available personal information, for example, commercial credit information including defaults, directorships, judgments and proprietorship information, collected by a credit reporting agency for the purpose of assessing an individual's eligibility to be provided with credit, should be regulated by Part IIIA of the Privacy Act.

Court judgments

154. Although a court judgment is permitted content of a credit information file, it can also be recorded as publicly available information. If a credit reporting agency chooses to record details of a court judgment as publicly available information, rather than in an individual's credit information file, the judgment record is not regulated by Part IIIA of the Privacy Act. The record may be subject to the NPPs if the business is an 'organisation', but the NPP requirements are less stringent on an organisation and offer less protection for the personal information of individuals.

155. As IP32 discusses in Paragraph 5.155, for example, the court judgment could be retained indefinitely as publicly available information because there are no specified time limitations in the NPPs for retention of information except when it is no longer needed for the purposes for which it was collected (NPP 4.2). If an individual wants access to information relating to the court judgment, processing charges could be applied under NPP 6.4 rather than being free of charge as would be the case under Part IIIA.

156. The Office supports the removal of this inconsistency so that the permitted content of a credit information file under s.18E of the Privacy Act includes court judgments.

Credit reporting business

157. The Office supports the amendment of the definition of credit reporting business in s.6(1) of the Privacy Act to remove the exclusion in the phrase 'other than records in which the only personal information relating to the individuals is publicly available information'. This will have the effect of regulating publicly available personal information, for example, commercial information including defaults, directorships, judgments and proprietorship information, collected by a credit reporting agency for the purpose of assessing an individual's eligibility to be provided with credit under Part IIIA rather than the NPPs.

158. The Office believes that all relevant types of personal information should be regulated by Part IIIA if they are made available to banks and financial institutions in assessing an individual's eligibility to be provided with credit, or indicate their credit history or capacity to repay credit. Moreover, a credit provider may have no obligations to comply with the NPPs if they are a small business operator within the meaning of s.6D. The effect will be that the provisions of Part IIIA, not the NPPs, will regulate this activity.

159. The Office believes that adoption of this recommendation would make the provisions less complex and easier to understand. The permitted contents of a credit information file would need to be expanded to cover the extra categories of publicly available information collected for this purpose.

160. However, the Office submits that the current list of prohibited content of a credit information file in s.18E(2) of the Privacy Act should be retained, subject to their alignment with 'sensitive information' in the NPPs, even if some or all of the information is publicly available information. The policy reasons for this view are discussed in detail in the answer to Question 5-1 above regarding prohibited content of a credit information file.

Question 5-26

Office position:

  1. The Office recommends that the definition of a credit reporting business should be amended to remove the exclusion in the phrase 'other than records in which the only personal information relating to individuals is publicly available information'.

5-27 Should information from foreign credit providers or about foreign loans be permitted in credit information files and credit reports? Should foreign credit providers be permitted to obtain credit reports and, if so, in what circumstances? What issues are raised in relation to the enforcement and extra-territorial operation of the credit reporting provisions? How should these matters be regulated?

161. Section 5B(1) of the Privacy Act, which took effect on 21 December 2001, says that Part IIIA does not operate extra-territorially.

162. Based on the statutory construction of Part IIIA, the Office has taken the view that the listing of overseas incurred loans (and any information relating to those loans) on an individual's credit information file and the disclosure of personal information in credit information files (or credit worthiness information within the meaning of s.18N(9) except under NPP 9) to a party overseas is not permitted by Part IIIA. As discussed in IP32 at Paragraphs 5.64-5.65, the policy consequences of taking a contrary position include:

  • An overseas-based loan provider does not appear to have to comply with the notice requirements by law in s.18E(8)(c) of the Privacy Act, or indeed any provision in Part IIIA;
  • The protections afforded to personal information on credit information files, credit reports (and credit worthiness information) by Part IIIA are lost; and
  • The Office cannot investigate complaints (including compelling production of records) in relation to loans granted overseas under different laws and proposed to be listed in Australia.

163. The Office supports the inclusion of specific provisions prohibiting these practices to clarify the law and to assist business to better understand their obligations and to help consumers understand their rights.

Question 5-27

Office position:

  1. The Office believes that there are practical and jurisdictional difficulties which indicate that foreign credit providers and foreign loans should continue to be excluded from regulation under the Privacy Act.
  2. The Office suggests that it could assist businesses to better understand their obligations, if the credit reporting provisions explicitly excluded these acts and practices.

5-28 Are there any other issues in relation to the content and drafting of Part IIIA of the Privacy Act that the ALRC should consider in the context of this Inquiry?

Drafting issues

164. In general, the drafting and layout of Part IIIA of the Privacy Act could be improved to assist credit providers, credit reporting agencies and consumers to understand their obligations and rights. Currently, the obligations of each party in the credit relationship are spread throughout the provisions in Part IIIA (and the Credit Reporting Code of Conduct). Some provisions in Part IIIA apply only to credit reporting agencies, some apply only to credit providers, and others apply to both.

165. The Office suggests that it would improve the credit reporting framework if Part IIIA were divided into sections that, for example, set out:

  • obligations of credit reporting agencies
  • obligations of credit providers
  • the criteria that need to be satisfied before a listing can be made
  • the requirements for complaint handling and dispute resolution; and
  • the offence provisions that apply.

Definitions

166. The definitions of 'credit information file' and 'credit report' are complex because of the differing and sometimes overlapping obligations placed on a credit reporting agency or credit provider. For example:

  • Part IIIA specifies in detail the permitted contents of a credit information file in s.18E. However, Part IIIA does not define what the permitted contents of a credit report are other than in the very broad definition of that term in s.6(1) yet it imposes obligations in relation to a credit report;
  • It appears that a credit information file is a subset of the credit report but the existing definitions do not state this explicitly. The usefulness of retaining the separate terms (especially the definition of a credit report) needs to be considered. Alternatively, the relationship between the terms needs to be defined with greater precision;
  • There is some uncertainty about whether deposit bonds used by individuals in lieu of a cash deposit on a house purchase subject to finance fall within the definition of credit in the Privacy Act. If deposit bonds are deemed to be credit then businesses that market such instruments may access the credit reporting system when an individual submits an application. The Office considers that the status of deposit bonds should be examined.

Question 5-28

Office position:

  1. In general, the drafting and layout of Part IIIA of the Privacy Act could be improved to assist credit providers, credit reporting agencies and consumers to understand their obligations and rights.
  2. The usefulness of retaining the separate terms (especially the definition of a credit report) needs to be considered. Alternatively, the relationship between the terms needs to be defined with greater precision.
  3. There is also some uncertainty whether deposit bonds used by individuals in lieu of a cash deposit on a house purchase subject to finance fall within the definition of credit in the Privacy Act. The Office suggests that the status of deposit bonds should be examined.

CHAPTER 6

COMPREHENSIVE CREDIT REPORTING

Introduction

1. The Office welcomes a discussion in relation to comprehensive credit reporting. In considering the issues raised in this chapter, the Office has had regard to our experience as a credit reporting regulator and to the research conducted by the ALRC, which shows that there are strong and divergent views about the merits of comprehensive credit reporting.

2. Our response to this chapter reflects our experience and makes what the Office believes are reasonable suggestions to progress the comprehensive credit reporting debate. Generally, however, on the evidence currently available, the Office does not believe that there is a compelling argument to support the introduction of comprehensive credit reporting. It is the Office's view that current information available about the effects of comprehensive credit reporting systems does not provide clear evidence of social or economic advantages significant enough to justify or balance the resulting loss of privacy, choice and control that could result from the introduction of comprehensive credit reporting.

3. The privacy of personal credit information is an important issue that affects all industry participants, particularly individuals who can be greatly disadvantaged by its inappropriate handling. Transparency about how, when and by whom their information will be handled in the credit reporting system is a key issue that has been highlighted in IP32.

4. Whether or not comprehensive credit reporting is introduced we believe our suggestions provide a mechanism to build stronger and more transparent relationships between individuals, credit providers and credit reporting agencies.

6-1 What deficiencies, if any, exist in the current regulatory framework for credit reporting that could be addressed by permitting more comprehensive credit reporting (also known as 'positive' credit reporting)? What are the advantages and disadvantages of more comprehensive credit reporting over the current credit reporting system in Australia?

Deficiencies in the current regulatory framework that could be addressed by permitting more comprehensive credit reporting.

Accuracy

5. The Office's complaint handling experience indicates that the accuracy of information held by credit reporting agencies is the main issue of concern for individuals. For example, in the five-year period from 1 January 2002 to 31 December 2006, approximately 90% of credit related complaints concerned disputed content on individuals' credit information files.

6. Complaints about accuracy are often the result of inadequate steps being taken by credit providers to ensure accuracy of information, rather than the volume of information that is available. On this basis, it is reasonable to extrapolate that expanding the volume and depth of information that would be available on individuals' credit information files may worsen the current problems with accuracy of credit information. The Office suggests this would be an undesirable situation for individuals and may also result in added compliance requirements for credit providers and credit reporting agencies.

7. The Office submits that the current deficiency cannot necessarily be resolved solely by permitting comprehensive credit reporting. Further, we would suggest that any proposal to introduce comprehensive credit reporting would need to be supported by a framework that included, among other things, standards that would promote a higher level of data accuracy.

Access to credit

8. The Issues Paper reports that the current system makes it unnecessarily difficult for credit providers to assess the credit risk of borrowers, especially those individuals who may have committed a minor default in the previous five years.29 Proponents of comprehensive credit reporting as well as consumer advocates argue that individuals may be unnecessarily disadvantaged by a default listing that appears on their credit file when the other credit facilities they hold have been well conducted.

9. The Office believes that access to credit is important for individuals, particularly as it may affect their ability to access essential services such as housing, utilities and transport. However, the Office notes that there are current provisions that allow for the handling of information which is not 'negative', that is, does not relate to the fact that an individual may have defaulted on a loan. Specifically, s.18E(1)(b)(v) allows a credit provider to list themselves as being a current credit provider on an individual's credit file and ss.18N(1)(b) and 18N(1)(be), respectively, allow the disclosure of financial information between current and prospective credit providers, with the individual's consent, about the extent of the individual's liability and their ability to meet certain commitments30.

10. These provisions currently allow, with consent from the individual, for credit providers to share information between themselves as to whether a specific individual holds credit with a particular credit provider, in a situation where the individual has not already gone into default. Under a comprehensive credit reporting model, individuals may lose the capacity to choose to whom this information goes and when this occurs.

11. On this basis, the Office suggests that, if the current credit reporting provisions were being fully utilised, the introduction of more comprehensive credit reporting may be unnecessary.

Proponents' Views on comprehensive credit reporting

12. A number of pieces of research have been cited to support the claim that comprehensive credit reporting can be beneficial for individuals and the economy as a whole. For example, a US report by Barron and Staten31 states that, amongst other things, comprehensive credit reporting would:

  • improve the quality of credit risk decisions;
  • reduce credit card arrears;
  • increase competition through availability of more products and better interest rates;
  • increase the availability of credit to consumers in lower socio-economic groups; and finally,
  • increase GDP.

13. Some of these claims are echoed in the MasterCard/ACIL report,32 which also claims that the information disparity in the current system results in loans being denied at times to potentially good borrowers and being provided to potentially bad borrowers and that the present system discriminates against low-income borrowers.33

14. However, the available research on comprehensive credit reporting does not conclusively support these claims. For example, while the MasterCard/ACIL report34 found that comprehensive credit reporting could be linked to new borrowers entering the market and resulting in downward pressure on interest rates, other research found that the claims that comprehensive credit reporting led to lower levels of indebtedness could not be consistently proven.35

Opponents' Views on more comprehensive credit reporting

15. Consumer advocacy groups believe that there are a number of problems with the accuracy and integrity of the current credit reporting system.36 Consumer groups generally believe that an expansion of the credit reporting system, in terms of the information collected, may magnify these problems.

16. Opponents of comprehensive credit reporting claim that, rather than reducing defaults, it is more likely that introducing comprehensive credit reporting would result in more lending. Further, they have argued that there are steps that credit providers could currently take to reduce over commitment that are not dependent upon introducing comprehensive credit reporting, such as reducing the use of unsolicited offers and ensuring that their credit assessment of consumers' income or other financial commitments is adequate.

17. In relation to assertions that a comprehensive credit reporting system would reduce the average levels of indebtedness, in the past consumer groups, such as Consumer Federation of Australia, have argued that 'research being used by the industry itself makes it clear that the most likely outcome is more lending, rather than reduced defaults'.37

Office View

18. On balance, at this stage the Office does not believe that there is a strong argument to support the introduction of comprehensive credit reporting as the available research does not provide conclusive, consistent evidence to support such a change. The Office also suggests that overseas studies and experience regarding comprehensive credit reporting are only valid to the extent that in these other jurisdictions the operating environments, including their credit system, regulations, legal framework and participants are very similar to Australia.

19. For example, the study undertaken by ACIL Tasman concluded that comprehensive credit reporting could deliver additional economic benefits to the Australian economy of $5.3 billion and that a balanced credit reporting scorecard could enable more accurate risk assessment and consequently lead to competitively fairer pricing.

20. However, Consumer Affairs Victoria noted that these conclusions were based on some broad assumptions including the premise that efficiencies in credit markets would have positive implications for all other sectors of the economy.38 It is also relevant to note that this study did not conclude what model of comprehensive credit reporting was preferred, although IP32 suggests that the report implicitly drew its comparative conclusions from the US model.39 In any event, the Office would suggest that it may be unwise to accept the economic benefits as proven without making some adjustment for local 'conditions'.

21. The Office believes that due to the inconsistent information which exists about the effects of comprehensive credit reporting,40 it is premature to make a recommendation for its introduction.

The Office considers the way to progress the discussion is for an independent research study into comprehensive credit reporting to determine how the various international models would impact the Australian financial system and Australian consumers, with a view to making recommendations about:

  1. Whether comprehensive credit reporting should be introduced in Australia; and
  2. If comprehensive credit reporting were to be introduced:
    • what model should be adopted;
    • which industry participants should be included in the expanded system; and
    • what compliance framework should be imposed.

Question 6-1

Office Position:

  1. The Office recommends that independent research be conducted on the impact that comprehensive credit reporting would have on the Australian financial system and Australian consumers.
  2. The Office suggests that independent research should provide recommendations about:
    1. Whether comprehensive credit reporting should be introduced in Australia; and
    2. If comprehensive credit reporting were to be introduced:
      • what model should be adopted;
      • which industry participants should be included in the expanded system; and
      • what compliance framework should be imposed.

6-2 What would be the economic and social impact of introducing a system of more comprehensive credit reporting in Australia?

23. Proponents of comprehensive credit reporting claim that the introduction of comprehensive credit reporting would translate into economic benefits for the Australian economy of up to $5.3 billion over the next decade.41

24. Those previously opposed to the introduction of comprehensive credit reporting are concerned that there would be greater availability of access to credit for Australians in lower socio-economic groups, which may trap those who can least afford it in cycles of debt.42

25. It is also the case that individuals can be excluded from access to credit due to the inaccuracy of a credit listing and that this can lead to significant financial hardship. As stated earlier, it is the Office's view that expanding the credit reporting system through the introduction of comprehensive credit reporting may risk magnifying this negative effect.

26. In regard to the question of the broader economic and social impact, the Office is not in a position to provide expert opinion on either of these areas. However, the Office does note that the evidence for positive impacts in these areas does not appear to be conclusive.43

Question 6-2

Office Position:

  1. The Office is not in a position to provide expert opinion on the broader economic and social impact that comprehensive credit reporting may have in Australia but suggests that this be included in the independent research suggested in the recommendations for Question 6-1.

6-3 Should Australian law be amended to expand the categories of personal information that may be collected and used in credit reporting? If so, what categories of personal information should be permitted?

27. The current credit reporting system in Australia is often considered a negative system because credit reports contain information that relates to the fact that an individual may have defaulted on a loan.

28. However, the Office would argue that the credit reporting provisions of the Privacy Act allow other personal credit information to be included in an individual's credit report relating to the credit that an individual holds and for which they are not in arrears.44 For example, the provisions allow for a credit report to contain a record of a prospective credit provider having sought a credit report on an individual in relation to a credit application and the amount of the application. The provisions also allow a credit provider to place a record in an individual's credit report that identifies them as a credit provider to the individual. See paragraph 9 above for further discussion about this issue.

29. In addition to these two categories of information, the Office believes consideration should be given to including provisions which allow:

  • a credit provider to note on an individual's credit information file on a voluntary basis that an offer of credit was accepted without specifying the actual amount;
  • the inclusion of bankruptcy as permitted content; and
  • the inclusion of debt agreements and personal insolvency agreements as permitted content.

30. These issues are addressed in detail in the Office's response to Question 5-1.

31. In relation to permitted content in credit files, the Office has particular concerns regarding the use and disclosure of publicly available information in relation to credit reporting. In essence, it is the Office's view that any publicly available information, except for prohibited information, that is used to determine an individual's credit worthiness, should be included in that individual's credit file and subject to the same information handling provisions as other credit information. This issue is explored in detail in the Office's response to question 5-26.

32. Beyond the currently permitted content and the additional categories suggested by the Office in paragraphs 27-28 above, the Office believes that adding further categories of information to the permitted content of credit reporting files moves the credit reporting system towards a more comprehensive model. Based on international models, the scope of information that could be made available under a comprehensive credit reporting model is considerably wider than that currently available in Australia and possibly not within the reasonable expectations of Australian consumers.

Question 6-3

Office Position:

  1. See the Office position stated at questions 5-1 and 5-26.

6-4 If Australian law is amended to permit more comprehensive credit reporting:

(a) What changes, if any, should be made to the way in which personal information is collected and disseminated for the purposes of credit reporting?

33. In the Office's experience, individuals are often not aware of what will happen to their personal information after it is collected. Further comments regarding collection and disclosure of personal credit information are set out in response to questions 5-3, 5-20 and 5-21.

34. As a general measure, regardless of whether more comprehensive credit reporting is adopted or not, the Office suggests that when collection occurs, separate notice is provided to the individual regarding the handling of their personal credit information. The Office suggests that this notice should not be bundled with other information about credit terms and conditions and that consideration could be given to aligning the notice requirements with those that currently exist under NPP1.3.

35. The Office also suggests that it would assist individuals if the notice set out the possible uses and disclosures that could occur during the credit relationship in accordance with Part IIIA and how individuals could contact the credit reporting agency if they wanted to discuss its information handling practices or to obtain access to their personal credit information. These comments are also made in our response to question 5-3.

(b) Should changes be made to the way in which credit reporting is regulated? For example, should the Privacy Commissioner remain the primary regulator in this area? Would powers and penalties need to increase?

36. In responding to the question in Chapter 7 of IP32, the Office has argued that credit reporting regulations should be retained in the Privacy Act. The Office discusses the preferred model of repealing Part IIIA of the Privacy Act and associated credit reporting provisions and regulating credit reporting under the Privacy Act, NPPs and a binding code. The Office has discussed the inclusion of code making powers in its response to Chapter 6 of IP 31.

37. In responding to Chapter 4 of IP 32 the Office has suggested that the effectiveness of the current offence penalties be reviewed and consideration be given to providing additional mechanisms to the Privacy Commissioner such as the introduction of enforceable remedies for own motion investigations.

(c) Would it be desirable to make personal credit information available to a broader or narrower spectrum of individuals and organisations than may currently access such information? Should any additional safeguards be introduced to protect the privacy of personal information?

38. The Office does not consider that making personal credit information available to a broader spectrum of individuals and organisations would be desirable or necessary and any such proposal should be subject to public consultation.

39. The Commissioner currently has the power under s.11B of the Privacy Act to determine that certain organisations or agencies may be included as credit providers for the purposes of the Privacy Act. The Commissioner has made several such determinations and undertaken reviews of these determinations.45 In each case, the determinations have been made after a process of public consultation has been undertaken and the operation of existing determinations has been analysed and reviewed.

40. The Office is concerned about the opening up of the credit reporting system for purposes unrelated to its original intent, which is the assessment of the credit worthiness of individuals. The personal credit information of an individual should be used and disclosed only for the purpose for which it is legally collected, unless the individual has given consent or the use is authorised or required by law. It would be of concern to the Office if credit reporting organisations considered using the personal information they hold about individuals for other purposes as this would be inconsistent with the original intent of the credit reporting provisions. The Office has discussed the issue of identification verification in responding to Chapter 11 of IP31.46

41. The expansion into activities such as identification verification by credit reporting agencies would appear to be a type of 'function-creep'.47 The Attorney General at the time the credit reporting provisions were introduced into the Privacy Act48 highlighted the need to limit what information is allowed to be held under the credit reporting provisions. The rejection of comprehensive credit reporting by the Attorney General at the time was seen as a way of avoiding 'function-creep' arising.

42. Independently of this particular question, the Office supports the notion of public reporting or notification of security breaches, in certain circumstances, whether it is in relation to personal credit information or personal information in general.

43. As indicated in comments made by the Commissioner,49 as well as the view expressed in Chapter 11 of the Office's submission to IP31, the Office believes that it would be good privacy practice for organisations to tell affected individuals in a timely manner when a security breach has occurred. Further comments about the notification of security breaches are made in the response to Chapter 5.

(d) Should there be differential levels of access to personal information that is collected under such a system?

44. If there were to be a change to the personal information permitted to be used in credit reports under a more comprehensive credit reporting system, the Office does not believe that this in itself implies or necessitates any change to who may access this information. Any system regulating credit reporting should limit the use and disclosure of personal credit information to that required to fulfil the purpose for which it was legally collected, unless the individual has given consent to further or alternate use of their personal credit information, or a use or disclosure is authorised or required by law.

45. The Office believes that the use/disclosure should be limited to the purposes for which the original provisions were enacted, namely to assess the credit worthiness of an individual, with corresponding rights of access restricted as per Part IIIA of the Privacy Act.

Question 6-4

Office Position:

  1. The Office suggests that when collection occurs, separate notice is provided to the individual regarding the handling of their personal credit information.
  2. Consistent with recommendation 11.3 (xiii), at page 444 of IP31, the Office suggests that the Privacy Act be amended to add a provision requiring agencies and organisations to advise affected individuals of a breach to their personal credit information in certain circumstances.

CHAPTER 7

THE APPROACH TO REFORM

Introduction

1. The Office welcomes the opportunity to discuss options for reform of the credit reporting provisions in the Privacy Act. In responding to the questions in Chapter 7 of IP32, the Office has framed its answers around optimising consistency and avoiding unnecessary fragmentation of privacy law and providing a clear and sound structure for the provisions underpinned by the principle-based approach of the NPPs and the Privacy Act in general.

Retaining credit reporting provisions in the Privacy Act

2. The Office supports the credit reporting provisions being retained as part of the Privacy Act. The Office suggests that this approach:

  • prevents further fragmentation and inconsistency of privacy laws in Australia;
  • ensures that the importance of protecting the personal information of individuals remains paramount in the regulation of credit reporting activities as intended when the provisions were initially introduced; and
  • retains the Privacy Act and NPPs as the basis from which the credit provisions are developed and draw their character.

3. However, the Office believes that the current provisions of Part IIIA of the Privacy Act and the Code of Conduct should be repealed and replaced by an enforceable code to regulate credit reporting developed under the Act. More details about this approach are provided in paragraphs 18 - 20.

Preventing fragmentation and inconsistency of privacy laws in Australia

4. The Office believes that retaining credit reporting provisions in the Act will assist in preventing further inconsistency through the fragmentation of privacy law in Australia. The issues of inconsistency and fragmentation have recently been addressed in detail by the Office in Chapter 7 of the Office's response to IP31. In that response, the Office said that ensuring consistency between the Privacy Act and other regulations, as well as internal consistency of the Privacy Act itself, will have positive impacts on:

  • individuals, in determining what their rights are and how to enforce them;
  • agencies and organisations, in understanding their obligations and being able to effectively and efficiently comply with them, and
  • regulators, including the Office, in managing the possible overlap of functions in some areas.

5. The Office believes that these areas are of particular importance in relation to credit reporting and the protection of personal information because of the complex nature of credit reporting and the serious consequences that related issues can have on individuals.

Protecting the personal credit information of individuals

6. The protection of the personal credit information of individuals has always been viewed as warranting special protection. At the time the Privacy Amendment Bill 1989 introduced the credit provisions, in the second reading speech it was stated:

'The Privacy Bill is the next step in the Government's program to introduce comprehensive privacy protection for the Australian community... There are inadequate controls on consumer credit reporting agencies to prevent them from using their databases for non consumer credit purposes.50'

7. Personal credit information has been treated as a special subset of personal information requiring extra privacy protection. Likewise, other subsets of personal information are considered to be sensitive and have been afforded extra protection under the Privacy Act.51 In the case of personal credit information, this has been due to the significant effect that personal credit listings can have on the life and opportunities of an individual.

Using the Privacy Act as a benchmark

8. In his second reading speech on the Privacy Amendment Bill 199052, The Hon M.J. Duffy pointed out that the credit reporting provisions would have the statutory backing of the Privacy Act and would adopt the principles that the Privacy Act was based on to provide privacy protection to individuals in relation to their personal information held by credit reporters.

9. While not all the principles have been reflected in Part IIIA, generally, the credit reporting provisions were formulated using the Privacy Act and IPPs (as the NPPs were not at that time in existence) as a benchmark. For example, the credit reporting provisions:

  • provide the right to access and correction;
  • include the requirement for notice and consent (as appropriate) before disclosure; and
  • limit the collection of information through application of permitted content.

10. The Office argues that the fundamental function of the credit reporting provisions is to protect the privacy of personal information in relation to credit reporting. For this reason, and because the provisions were developed with the general principles underpinning the Privacy Act in mind, the Office further argues that the provisions draw their fundamental character from the Privacy Act and will remain at their most effective while retained as part of the Privacy Act.

Undertaking reform

11. In terms of the approach to reform of the credit reporting provisions that may eventually be undertaken, the Office has provided some high-level suggestions for consideration by the ALRC. In addition, the Office has recognised the need for some amendment to the Act, as outlined in the Office's response to Chapter 5 of IP32. These amendments are required to address specific issues and to ensure that the provisions retain their appropriateness and have a clear application in the future customer credit industry setting.

12. It is the Office's view that approaches to structural reform of the credit reporting provisions should focus on improved consistency and ease of application and regulation. It is the Office's experience that regulators, businesses, consumer bodies, business associations and individuals all find the credit reporting regulations overly complex and, at times, difficult to negotiate. The Office has provided suggestions for reform in response to question 7-1 below.

13. The Office believes that to have a beneficial impact on the operation of the credit reporting provisions, a considerable amount of work will need to be undertaken. Given the complex nature of the credit reporting provisions, undertaking a comprehensive reform would be more appropriate than a piece-meal approach or an approach that only addressed certain aspects of reform. In the Office's view, the latter approach may exacerbate the existing issues of complexity and inconsistency. This in turn could lead to more confusion within industry and for individuals, resulting in less consistency of application, more latitude for misunderstanding and an increase in complaints.

7-1 Should Part IIIA and related provisions of the Privacy Act dealing specifically with credit reporting: (a) continue to regulate credit reporting, with appropriate amendment; (b) be repealed, and credit reporting regulated under the Privacy Act, National Privacy Principles and a privacy code; (c) be repealed, and credit reporting regulated under new sectoral legislation outside the Privacy Act; or (d) be repealed, and credit reporting regulated by a self-regulatory scheme?

Retaining the credit reporting provisions in the Privacy Act with appropriate amendment

14. In the event that the credit reporting provisions are retained in the Privacy Act in their current format, the Office would strongly recommend that amendments are undertaken to address the specific issues identified and discussed in the Office's response to Chapter 5 of IP32. If the current provisions are repealed and an enforceable code developed, these amendments, or at least the intended effects of them, should also be considered and included in such a code.

15. The main advantage that the Office sees in an approach that retains Part IIIA and related provisions of the Privacy Act in their current form with appropriate amendments is that the provisions would be retained in the Privacy Act, thus avoiding fragmentation. Other possible advantages may include that:

  • retaining the current structure may lessen requirements to amend supporting documentation and legislation, regulations or codes that refer to the credit provisions; and
  • the known, specific issues that require attention can be addressed without the risk of compounding them or creating new issues through development of new provisions.

16. In the Office's view, the obvious disadvantage in retaining Part IIIA and related provisions of the Privacy Act in their current form with appropriate amendments is that the difficulties with the structure of Part IIIA and the level of inconsistency with the rest of the Privacy Act would not be addressed.

17. With the current opportunity to review and undertake reforms of the Privacy Act, the Office would strongly encourage the Australian Government to consider the advantages of undertaking structural reform of the credit reporting provisions while retaining them in the Privacy Act.

Regulating credit reporting under the Privacy Act, National Privacy Principles and a privacy code

18. As discussed in paragraphs 2 - 4, the Office believes that the current provisions of Part IIIA of the Privacy Act and the Code of Conduct should be repealed and replaced by an enforceable code to regulate credit reporting which is developed under the Privacy Act.

19. IP32 discusses the prospect of credit reporting being regulated solely under the general provisions of the Privacy Act and the NPPs, with no other special provisions. As pointed out by the ALRC,53 this could be seen as a downgrading of the protections provided to personal information held by credit reporting agencies and credit providers. The Office believes that the current protections should not be downgraded by any approach to reform that may be taken and thus credit reporting should not be regulated solely under the general provisions of the Privacy Act and the NPPs.

20. As such, it would seem both practical and necessary for any structural reform of the credit reporting provisions to result in additional provisions to the NPPs for the regulation of personal information held for the purposes of credit reporting. As stated earlier, the Office believes that the most appropriate approach is for these provisions to reside in an enforceable code created under the Privacy Act.

21. The Office believes that the main advantage of this approach is that the credit reporting provisions are retained in the Privacy Act with the positive effects that flow from this as discussed in paragraphs 2 - 10. This approach also provides an opportunity to address specific issues in the current provisions through the drafting process.

22. The Office suggests that this approach to reform also presents an opportunity to address the current structural issues in the credit reporting provisions. Importantly, it provides the opportunity to remove unnecessary complexity from the credit reporting provisions and to address internal consistency and the interaction between the credit reporting provisions and the other provisions of the Privacy Act for regulating the handling of personal information by private sector organisations.

23. As discussed in paragraphs 6 and 7 above, the Office believes that the significant effects that credit reporting may have on the lives of individuals require equally that additional provisions be included in the Privacy Act to protect the use of personal information for credit reporting purposes. It may also be the case that, in future, circumstances may necessitate the development of special provisions to regulate the handling of other types of personal information, such as health information, because of the significant impact it can have on the lives of individuals. The development of an enforceable code for credit reporting could also provide a model for the future development of codes in other specific areas.

24. The issue of the Privacy Commissioner's code making power is discussed at length in the Office's response to Chapter 654 of ALRC IP31 and also in the Office's Private Sector Review55.

Repealing current provisions and regulating credit reporting under new sectoral legislation outside the Privacy Act

25. The Office has discussed the benefits of retaining the credit reporting provisions in the Privacy Act in paragraphs 2 - 10 above. In examining the issue of whether credit reporting should be regulated under sectoral legislation outside the Privacy Act, the Office believes it is necessary to consider the importance of protecting personal credit information and the initial policy drivers for the credit reporting provisions.

26. In his second reading speech of the Privacy Amendment Bill 1989, The Hon M.J. Duffy said that in developing privacy regulation for the credit reporting industry the fundamental right to privacy of individuals must be paramount while balancing the needs of business. This objective would seem to make the Privacy Act, rather than sectoral legislation, which may not hold the privacy interests of individuals as highly, the ideal place for the regulations. The personal information of individuals can be protected by the regulations in a way that does not preclude businesses in any particular sector from continuing to operate in a commercially effective way.

Consistency and fragmentation

27. Generally, the Privacy Act and the credit reporting provisions within the Act have been designed to set limits on types of behaviours and practices associated with the handling of personal information, rather than to set limits on certain groups. If credit reporting were not regulated under the Privacy Act, this general approach would change as sectoral legislation, by definition, would target particular industry sectors.

28. The Office notes also that there could be considerable difficulty determining in which sector or sectors new credit reporting legislation should be made. The current credit reporting provisions relate to traditional credit providers, credit providers covered by the credit provider determinations, and credit reporting agencies. Organisations covered by the credit reporting provisions may belong to a wide variety of industry sectors, with varying degrees of experience in handling personal information. If sectoral legislation was to be introduced, it may, likewise, be required for a wide variety of industry sectors.

29. The Office also believes that significant dangers exist for creating further inconsistency and fragmentation in Australian privacy law through the implementation of sectoral legislation. This danger would increase with the number of different industry sectors in which credit reporting legislation was introduced.

30. If this were to occur, the Office would suggest that some businesses may find that they are regulated by more than one set of credit reporting provisions, or that different functions they undertake are subject to different regulations, causing increased regulatory burden.

Self-regulation schemes for credit reporting

31. The Office does not support self-regulation of credit reporting by credit reporters and credit reporting agencies as a preferred model. Historically, self-regulation of credit reporting has not proven successful in Australia (see below). The Office believes that the wide variety of organisations covered by the provisions, the complex and sensitive nature of credit reporting, and consumer wariness in relation to credit-related personal information are reasons to avoid such an approach.

32. As illustrated by the ALRC's discussion of the development of the current credit reporting provisions,56 previous attempts at self-regulation of the credit reporting industry have proven unsuccessful. In the discussion, the ALRC points to the 1983 report by the New South Wales Privacy Committee (Australia's first privacy regulating body), which comments on the voluntary agreement in place with the Credit Reporting Association of Australia for regulating some aspects of credit reporting, such as providing access for individuals to their credit files. The report concluded that self-regulation of credit reporting was ineffective57.

33. The requirement for legislation to regulate credit reporting has been recognised by Australian states and territories since the 1970s. This is evident in that Queensland, South Australian, Victorian and New South Wales governments have all, at various points since that time, implemented legislation to regulate different aspects of the handling of personal information in relation to credit reporting.

34. As stated by The Hon M.J. Duffy,58 before the introduction of the current credit reporting provisions, there were 'inadequate controls on customer credit reporting agencies to prevent them from using their databases for non-consumer credit purposes'. The credit reporting legislation introduced by the Privacy Amendment Act 1990 was considered necessary for this, amongst other reasons, and also timely because of the emergence of new industry practices such as credit profiling of customers. The credit reporting provisions were also considered timely in that they prevented such developments as comprehensive credit reporting, which had been suggested by the credit reporting industry, but was seen as undesirable by the Australian Government at that time59.

35. In considering the question of self-regulation, the Office believes that community attitudes to the privacy of personal information, particularly credit related information, should be taken into account. In 1983, the ALRC issued a report60 which found that members of the public saw credit reporting agencies as posing a threat to their privacy. The Office argues that individuals remain concerned about the privacy of their personal financial information. Responses to research undertaken by the Office61 in 2001 and 2004 show that members of the community were more reluctant to divulge details about their finances than any other type of information.

36. This long-standing public concern about the privacy of personal information in relation to credit and the history of legislative development indicate the importance of this issue for both the Australian public and Australian governments. Considering this, the Office believes that maintaining credit reporting legislation in some form, preferably in the Privacy Act, is the most appropriate response to the need for regulation of credit reporting.

Question 7-1

Office position:

  1. The Office recommends that the Australian Government repeal Part IIIA of the Privacy Act and associated provisions and regulate credit reporting under the Privacy Act, National Privacy Principles and a binding credit code.
  2. The Office reiterates recommendation 7 from the Private Sector Review that the Australian Government should consider amending the Privacy Act to provide a power to make binding codes.

7-2 Should the credit reporting provisions of the Privacy Act be amended to take account of the following (and if so, how): a) developments in technology; (b) changes in credit reporting practices; or (c) any other considerations?

Developments in technology

37. It is the Office's view that the Privacy Act should remain technology neutral and be amended to reflect this where necessary. The Office has discussed the issue of technology in detail in response to Chapter 1162 of IP 31. The Office notes, however, that there are some specific areas of technology, such as internet technologies, which have had a significant effect on the way that CRAs operate and thus have implications for the credit reporting provisions of the Privacy Act. Also of concern for the Office is the impact that advances in data matching and data mining technologies may have on the credit reporting industry.

On-line access to credit reporting databases

38. When the credit reporting provisions were introduced into the Privacy Act the internet was a relatively new phenomenon. However, the availability of on-line access to CRA databases via the internet has developed since that time. The Office understands that subscriber access to the CRA database is covered by contractual agreement. However, in reality a subscriber can access any part of the database, even if they do not have a credit relationship with the individual whose credit report they gain access to. The only inhibitor to illegal access, it would seem, is the application of an electronic footprint to files as they are accessed. It is not clear to the Office if such indicators of access to files are permanent, or if they can be deleted or cleared from a credit file.

39. Contracts between CRAs and their subscribers place obligations on the subscriber not to access the CRA database unless for a lawful purpose. The Office believes that rather than rely on such contracts and an 'honour system' to fulfil their security obligations under s.18G(b) and (c) of the Privacy Act, CRAs should investigate ways to use technology to ensure the security of the personal information they hold in their database. The Office believes this is an important issue as currently the onus is on an individual to make enquiries if he/she suspects improper access to their credit file. Under this system, however, individuals may not be aware if their credit file has been accessed unlawfully.

40. The Office suggests that, further to this, CRAs could utilise internet technology to make it easier for individuals to access their own credit file, a step which could be developed in parallel to security measures to help individuals to maintain control over their personal information.

Transborder data flows

41. The Office believes that information technology and the internet have also created concerns for the potential transborder flow of individuals' credit information. This concern has developed because some CRAs that operate in Australia are multinational organisations with electronic databases and IT systems that provide the ability for the sharing of credit file databases with their overseas offices. This raises questions for determining whether the disclosure of personal information occurs in the country from which it was accessed, or in the country where the information was collected and where the files are considered to be held.

42. This issue is particularly problematic because Part IIIA of the Privacy Act does not operate extra-territorially. This issue is discussed further in the response to question 5-27 in Chapter 5.

Data-matching and data mining

43. Technological advances in the area of data-mining and data-matching have enhanced the capacity for the analysis and synthesis of large amounts of information. This technology increases the ability to link separate sources of personal information to profile individuals, and the ability to link pieces of anonymous information to identify an individual.

44. These practices pose particular risks to privacy as they can take pieces of information out of their original context and link them in a way that may potentially create inaccurate information about an individual. Data matching and mining may also reduce the ability of individuals to maintain different legitimate identities in different contexts, for example, separate professional and personal identities. The Office has discussed data-matching and data-mining in detail in responding to Chapter 11 of IP31.

45. In relation to credit reporting, the Office is aware that CRAs could implement technological advances in the areas of data-mining and data-matching and use their databases for identity verification and anti-fraud purposes. The Office believes that of particular concern is that Part IIIA of the Privacy Act regulates the disclosure of credit files but not the use of credit files by CRAs. The Office is concerned about the use of information collected for the purpose of credit reporting to provide identity verification and anti-fraud services. This issue is discussed further in the Office's response to question 5-22 in Chapter 5.

Changes in credit reporting practices

46. In reporting63 on the 2006 review of the credit provider determinations64 (Classes Determination and Assignees Determination), the Office discussed the issue that some non-traditional credit providers covered by the Classes Determination seem to be unaware of, or unclear about, their obligations under the Privacy Act.

47. This issue was also raised in submissions to the review by some consumer advocacy groups who suggested that non-traditional credit providers and assignees did not provide proper notification to individuals before listing defaults on credit reports and did not undertake proper record keeping. These groups suggested that poor record keeping was often linked to the listing of statute-barred debts and double listings by the assignees. These issues are also discussed in the Office's responses to questions 5-10 and 5-11 in Chapter 5.

Question 7-2

Office position:

  1. The Office reiterates recommendation 70 from the Private Sector Review that the Australian Government should consider initiating discussions through appropriate international forums about how to deal with the major international jurisdictional issues arising from the global reach of technologies such as Voice over Internet Protocol (VoIP).
  2. The Office believes that the Privacy Act should provide for the Commissioner to make binding codes that go to certain acts or practices or certain technologies. (See response and recommendation iii to question 11-4 of IP31.)

Endnotes

1 Office of the Privacy Commissioner survey results: 2004 Community attitudes towards privacy in Australia. Available on the OPC website at http://www.privacy.gov.au/materials#R

2 For the Office's media release on this case, see: http://www.privacy.gov.au/materials/types/media/view/6185

3 For the Office's media release on this case, see: http://www.privacy.gov.au/materials/types/media/view/6171

4 Alliance Factoring also entered into a court enforceable undertaking on 18 August 2005 to address, amongst other issues, inappropriately listing debts. The undertaking can be found on the ACCC website at http://www.accc.gov.au/content/index.phtml/itemId/705071/fromItemId/620258. The Office of the Privacy Commissioner is also looking into other issues raised by consumer groups in relation to this.

5 See our response to Chapter 7 "Approach of Reform" IP32

6 Section 6(1)(b) Consumer Credit Code (Qld). The states and territories have adopted this Queensland legislation to operate in their jurisdictions as the Uniform Consumer Credit Code.

7 Section 18F(5) Privacy Act.

8 Section 18E(1)(b)(ix) Privacy Act.

9 Section 18E(1)(b)(x) Privacy Act.

10 See sub-paragraph (c) of the definition of 'serious credit infringement' in section 6(1). However, it appears that the alternate sub-paragraphs (a) and (b) of the definition apply a subjective test whether a serious credit infringement has occurred.

11 Section 18E(8)(b) Privacy Act.

12 Office of the Privacy Commissioner: Credit Reporting Code of Conduct, Clause 2.10.

13 See 1.2-1.4, 2.2, 2.4-2.6 of the Credit Reporting Code of Conduct.

14 In practical terms the obligation on credit providers to keep the information in a credit information file or credit report accurate is not considered to be problematic. This is because it is the credit reporting agency which supplies the credit information file or credit report to the credit provider.

15 'A sensitive issue', The Sydney Morning Herald, Tuesday 13 March 2007, p 25.

16 The research was conducted by the IT Policy Compliance Group and an excerpt of the research is located at http://www.itpolicycompliance.com/... .

17 See our response to Question 11.3(d) of IP 31, pp 440-443.

18 State of California Dept of Consumer Affairs, 'Recommended Practices on Notice of Security Breach Involving Personal Information', April 2006, p7 available at http://www.privacyprotection.ca.gov/recommendations/secbreach.pdf

19 Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper, 9 January 2007, available at http://www.cippic.ca/en/bulletin/BreachNotification_9jan07-print.pdf . Commission of the European Communities, Review of the EU Regulatory Framework for electronic communications networks and services, June 2006, p30, available at http://europa.eu.int/...

20 See s.18N(9)(b) Privacy Act which defines credit worthiness information.

21 Defined in s.6D of the Privacy Act.

22 Section 13(3) Acts Interpretation Act 1901.

23 See http://www.privacy.gov.au/materials/types/reports/view/6031 .

24 ACMA website, Frequently Asked Question sheet, 'Consumer Information', available at http://www.acma.gov.au/ACMAINTER.852114:STANDARD::pc=PC_1790#20.

25 The Office's response to the ALRC's Review of Privacy Issues Paper 31 is located at http://www.privacy.gov.au/materials/types/submissions/view/6757.

26 Recommendation 4.2, Getting in on the Act: Review of the Private Sector Provisions of the Privacy Act (2005) located on the Office's website at http://www.privacy.gov.au/materials/types/reports/view/6049

27 Debt collection guideline: for collectors and creditors, October 2005, located at http://www.accc.gov.au/... .

28 Section 6(1)(b) Consumer Credit Code (Qld).

29 IP32 6.28 pg118

30 Ss18(E)(1)(b)(v), 18N(1)(b) and 18N(1)(be) Part IIIA, Privacy Act 1988

31 Barron and Staten, The Value of Comprehensive Credit Reports: Lessons from the U.S. Experience, http://www.privacyalliance.org/...

32 ACIL Tasman, Comprehensive Credit Reporting: Main Report of an Analysis of its Economic Benefits for Australia [Prepared for MasterCard International] (2004).

33 Helen Shield, Personal Finance Editor, in article 'MasterCard pushes new credit plan', The Age, 24 April 2004: http://www.theage.com.au/...

34 ACIL Tasman, Comprehensive Credit Reporting: Main Report of an Analysis of its Economic Benefits for Australia [Prepared for MasterCard International] (2004).

35 Riestra, A. 'Credit Bureaus in Today's Credit Markets', European Credit Research Institute, Brussels, 2002, pg2.

36 The Consumer Credit Legal Service (CCLC) (NSW) submission to Senate Legal and Constitutional Committee Inquiry into the Privacy Act 1988, February 2005, http://www.aph.gov.au/... - pg 13.

37 http://www.consumersfederation.com/documents/PositionPaperFeb05.doc - accessed 29 September 2006

38 ACIL Tasman, Comprehensive Credit Reporting: Main Report of an Analysis of its Economic Benefits for Australia [Prepared for MasterCard International] (2004). http://www.consumer.vic.gov.au/... pg254

39 IP32 Chapter 6, p 6.75 pp 130 -131

40 Ibid.

41 ACIL Tasman, Comprehensive Credit Reporting: Main Report of an Analysis of its Economic Benefits for Australia [Prepared for MasterCard International] (2004).

42 http://www.consumersfederation.com/documents/PositionPaperFeb05.doc P. 3.

43 Riestra, A. 'Credit Bureaus in Today's Credit Markets', European Credit Research Institute, Brussels, 2002, pg 2.

44 ss 18E(1)(b)(i), 18E(1)(b)(v), 18N(1)(b), 18N(1)(be), - Part IIIA - Privacy Act 1988 (Cth)

45 Credit provider determinations can be accessed at http://www.privacy.gov.au/law/act/credit/#cpd

46 The Office's response to Chapter 11 of ALRC IP 31 can be found at http://www.privacy.gov.au/publications/submissions/alrc/c11.html

47 In this context 'function creep' refers to information collected for one purpose being used or disclosed for other purposes increasingly unrelated to the reason for which it was initially collected.

48 http://parlinfoweb.aph.gov.au/...

49 Interview with Commissioner Karen Curtis and Nick Miller of Sydney Morning Herald - www.smh.com.au - 8 August 2006.

50 Commonwealth, Parliamentary Debates, Senate, 16 June 1989, 4216 (G Richardson).

51 The collection of sensitive information is limited by NPP 10.

52 Commonwealth, Parliamentary Debates, Hansard, 4 December 1990, p 4343.

53 ALRC IP 32 p 138

54 The Office's response to Chapter 6 of ALRC IP 31 is available at http://www.privacy.gov.au/publications/submissions/alrc/c6.html

55 Office's Private Sector review, p46

56 ALRC IP 32 p 27.

57 Ibid

58 Privacy Amendment Bill 1990, Second Reading Speech - Parliament of the Commonwealth of Australia: Hansard, 4 December 1990, p 4343.

59 Commonwealth, Parliamentary Debates, Senate, 16 June 1989, 4216 (G. Richardson).

60 ALRC Report 22 Privacy. Available at http://www.austlii.edu.au/au/other/alrc/publications/reports/22/

61 Office of the Privacy Commissioner survey results: 2004 Community attitudes towards privacy in Australia. Available on the OPC website at http://www.privacy.gov.au/materials#R

62 The Office's response to Chapter 11 of ALRC IP 31 is available at http://www.privacy.gov.au/publications/submissions/alrc/c11.html

63 Office of the Privacy Commissioner: Report on the Review of the Credit Provider Determinations (Assignees and Classes of Credit Providers), 2006. Available on the OPC website at http://www.privacy.gov.au/materials#C

64 Office of the Privacy Commissioner: Credit Provider Determination No. 2006 - 4 Classes of Credit Providers (the Classes Determination) and Credit Provider Determination No. 2006 - 3 Assignees (the Assignees Determination). Available on the OPC website at http://www.privacy.gov.au/materials#C