ALTA Law Research Series
Last Updated: 19 July 2010
Reform of Credit Reporting Privacy Law
Response to the Australian Law Reform Commission (ALRC) Privacy Report 108 Pt G
Submission to the Australian Government
Nigel Waters
31 January 2009
Nigel Waters
Principal Researcher, Interpreting Privacy Principles Project
Research Assistance by Abi Paramaguru, Research Assistant
Research for this submission is part of the Interpreting Privacy Principles Project, an Australian Research Council Discovery Project
http://www.cyberlawcentre.org/ipp
CLPC Submission on credit reporting privacy p.1 31 January 2009
This submission takes into account discussions with other NGOs, the Department of Prime Minister and Cabinet's consultation meeting on 9 December 2008, and the submission by Veda Advantage dated 8 January.
This submission complements three other submissions by the Centre – on the UPPs, on Health and Research Privacy, and on the remaining ALRC recommendations.
Acronyms used in this submission:
CR | Credit Reporting
CRB | Credit Reporting Business
CRI | Credit Reporting Information
CRP | Credit Reporting Purpose
CP | Credit Provider
OPC | Office of the Privacy Commissioner
PC | Privacy Commissioner
PI | Personal Information
PAI | Publicly Available Information
PII | Personal Identifying Information

ALRC Report 108 | CLPC submission

Part G—Credit Reporting Provisions

54. Approach to Reform

Topic: more prescriptive than UPPs?
CLPC submission: Rules for credit reporting that are more prescriptive than the UPPs can be justified on the basis that a centralised credit reporting system necessarily involves a departure from privacy norms and reasonable expectations.

Topic: repeal and new regulations
ALRC Report 108: Recommendation 54–1 The credit reporting provisions of the Privacy Act should be repealed and credit reporting regulated under the general provisions of the Privacy Act, the model Unified Privacy Principles, and regulations under the Privacy Act—the new Privacy (Credit Reporting Information) Regulations—which impose obligations on credit reporting agencies and credit providers with respect to the handling of credit reporting information.
CLPC submission: Regulations are too easy to change if left to normal processes.
Key aspects of the CR regime should remain in the Act (a pared-back Part IIIA).
Other aspects can be left to Regs provided there are statutory consultative processes including public hearings.
Any CR provisions in the Act or Regs should follow the sequence of the UPPs.

Topic: only requirements different or more specific than UPPs
ALRC Report 108: Recommendation 54–2 The new Privacy (Credit Reporting Information) Regulations should be drafted to contain only those requirements that are different to or more specific than provided for in the model Unified Privacy Principles.
CLPC submission: Agree

Topic: ‘credit reporting information’
ALRC Report 108: Recommendation 54–3 The new Privacy (Credit Reporting Information) Regulations should apply only to ‘credit reporting information’, defined for the purposes of the new regulations as personal information that is:
(a) maintained by a credit reporting agency in the course of carrying on a credit reporting business; or
(b) held by a credit provider; and
(i) has been prepared by a credit reporting agency; and
(ii) is used, has been used or has the capacity to be used in establishing an individual’s eligibility for credit.
CLPC submission: Any variation from ALRC recommendation would need careful consideration.
Veda suggests exclusion of 'personal identifying information' (PII) from the definition of 'credit reporting information' (CRI) but we submit that this is not acceptable as it would mean that CRI was no longer personal information (PI). Controls over the type of PII that can be used in CR (including PC discretion to vary) should remain.
The change suggested by Veda might also allow PI collected by CRBs to become a more openly accessible ID system, outside the boundaries of the credit reporting system, which we believe would be an unintended and undesirable consequence. We agree with Veda that the regulatory loop should be closed – preventing CRBs and/or CPs from using the same information (as is CRI) for other purposes. We are not convinced that relying on the concepts of CRB, CRP and CRI alone can achieve this closure. See our response to Veda's suggestion at the first item under Chapter 57 – Use & Disclosure, below.
Further discussion is required.

ALRC Report 108: (deliberately out of sequence) Recommendation 56–1 The new Privacy (Credit Reporting Information) Regulations should prescribe an exhaustive list of the categories of personal information that are permitted to be included in credit reporting information. This list should be based on the provisions of s18E of the Privacy Act, subject to the changes set out in Recommendations 55–1, 55–2, 56–2 to 56–4, 56–6, 56–8 and 56–9.
CLPC submission: Veda suggests an exhaustive list of positive and negative CRI data elements in a Schedule. This may be helpful – particularly in the context of differential control of marketing and pre-screening (subject to our comments on that below).
This is acceptable, but any PC discretion to vary the list should be via generic PID processes (Part VI) with their requirement for public consultation.

Topic: 'Credit reporting business'
ALRC Report 108: Paragraph 54.95 – no effective change to definition in s6
CLPC submission: Should avoid 'dominant purpose' test – this is too dependent on corporate structures – CR should be the regulated activity irrespective of whether it is a large or small component of the overall activity of any particular enterprise.

Topic: 'credit reporting purpose'
ALRC Report 108: Paragraph 57.37 and Recommendation 57-1 are relevant
CLPC submission: Veda suggests a new definition to distinguish primary (direct) from secondary (indirect) purpose, in the specific context of CR.
We submit that while a new definition may be helpful, the terms 'primary' and 'secondary' should be retained as they are consistent both with the UPPs and with international privacy instruments.
If 'Credit reporting purpose' is to be defined it should expressly include building of statistical models (to avoid problems to date). It could also include some other credit related uses and disclosures currently authorised separately in s18K, L, N, NA, P & Q but should not include 'required or authorised by law' which should remain a secondary purpose exception (for consistency with the UPPs).
The need for the definition to distinguish between consumer and commercial credit would need further consideration – see immediately below.

Topic: definition of ‘credit provider’
ALRC Report 108: Recommendation 54–4 The new Privacy (Credit Reporting Information) Regulations should include a simplified definition of ‘credit provider’ under which those agencies and organisations that are currently credit providers for the purposes of the Privacy Act (whether by operation of s 11B or pursuant to determinations of the Privacy Commissioner) should generally continue to be credit providers for the purposes of the regulations.
CLPC submission: The classes of organisation that can and cannot be a 'credit provider' (CP) should be listed in a Schedule to the Act.
If the PC is to be allowed to amend the Schedule it should be through generic PID processes (Pt VI) with their requirements for public consultation.
The Schedule should expressly exclude 'credit repair' businesses.
We suggest that a 'one-size fits all' approach is not appropriate – different classes of credit provider may need to be treated differently both for input (listing) and output (access).
Consideration should be given to differentiating utilities and essential services (including telcos) as classes of credit provider to which differential obligations should apply, given the significance for individuals of any restrictions on their access to such services.
See also our comments in relation to Recommendation 56-2 regarding differential thresholds of loan amount to be listed in CRI, for different classes of CP.

Topic: definition of credit (general)
CLPC submission: Veda suggests the use of the Uniform Consumer Credit Code definition of 'credit'.
Given our preference for amendments to be conditional on responsible lending obligations in the UCCC, we support consistency of definitions.
Any desirable limitation on the application of the CR regime should be effected through the definition of 'credit provider' rather than by a different definition of 'credit'.

Topic: definition of credit (limited to ‘domestic, family or household’ purposes)
ALRC Report 108: Paragraph 54.177 – no change to this limitation on coverage is recommended (contrary to Proposal 50-10 in DP72)
CLPC submission: Protection should apply to provision of credit to individuals irrespective of purpose – to prevent deliberate evasion of regulation by presenting loans to individuals as for a commercial purpose when they are in fact for private consumption.

Topic: Regulations: exclude foreign credit reporting
ALRC Report 108: Recommendation 54–5 The new Privacy (Credit Reporting Information) Regulations should, subject to Recommendation 54–7, exclude the reporting of personal information about foreign credit and the disclosure of credit reporting information to foreign credit providers.
CLPC submission: Agree

Topic: Regulations: PC approve foreign credit reporting
ALRC Report 108: Recommendation 54–7 The new Privacy (Credit Reporting Information) Regulations should empower the Privacy Commissioner to approve the reporting of personal information about foreign credit, and the disclosure of credit reporting information to foreign credit providers, in defined circumstances. The regulations should set out criteria for approval, including the availability of effective enforcement and complaint handling in the foreign jurisdiction.
CLPC submission: This power is not in our view necessary, and its use would undermine the prohibition on foreign credit reporting. If there was to be a PC discretion, it should be through generic public interest determination (Pt VI) processes, with their requirement for public consultation.

Topic: Memo with NZ
ALRC Report 108: Recommendation 54–6 The Australian Government should include credit reporting regulation in the list of areas identified as possible issues for coordination pursuant to the Memorandum of Understanding Between the Government of New Zealand and the Government of Australia on Coordination of Business Law (2000).
CLPC submission: Agree, but the merits of any special arrangements for sharing of credit reporting information between Australia and New Zealand should be subject to public consultation.

Topic: review
ALRC Report 108: Recommendation 54–8 The Australian Government should, in five years from the commencement of the new Privacy (Credit Reporting Information) Regulations, initiate a review of the regulations.
CLPC submission: Agree – but this commitment should be in the Act itself.

Topic: credit reporting code
ALRC Report 108: Recommendation 54–9 Credit reporting agencies and credit providers, in consultation with consumer groups and regulators, including the Office of the Privacy Commissioner, should develop a credit reporting code providing detailed guidance within the framework provided by the Privacy Act and the new Privacy (Credit Reporting Information) Regulations. The credit reporting code should deal with a range of operational matters relevant to compliance.
CLPC submission: A Code is a suitable instrument for some detailed requirements, but its development and compliance with it should be made mandatory in the Act – compliance with the Code should be a condition of provision of/access to CRI - not just left to contract.
Governance arrangements for the Code need to be specified in the Act or Regulations – including provisions for review and compliance monitoring (see existing models in financial services, copyright?).
Veda suggests that the Code not be made under the Privacy Act. If this is to accommodate content which is related more closely to lending obligations (see below) than to privacy protection then it may be acceptable provided there is a requirement for not only the Privacy Commissioner, but also other stakeholders including relevant NGOs, to be consulted through an open public process.

55. More Comprehensive Credit Reporting

Topic: categories; ‘closed’
ALRC Report 108: Recommendation 55–1 The new Privacy (Credit Reporting Information) Regulations should permit credit reporting information to include the following categories of personal information, in addition to those currently permitted in credit information files under the Privacy Act:
(a) the type of each credit account opened (for example, mortgage, personal loan, credit card);
(b) the date on which each credit account was opened;
(c) the current limit of each open credit account; and
(d) the date on which each credit account was closed.
CLPC submission: Item (b) and arguably item (a) are already possible under the provision for 'current credit provider status' which is rarely used.
These additional items of information are acceptable on condition that there is simultaneous enactment of binding responsible lending obligations (including assessment of capacity to repay and 'appropriate product' requirements) - see below re Rec 55-3.
Specialist NGOs should be asked to specify more clearly what is needed as this will be in credit legislation not privacy.
The Code should include criteria for when an account is considered to be 'closed'.

Topic: repayment performance history
ALRC Report 108: Recommendation 55–2 Subject to Recommendation 55–3, the new Privacy (Credit Reporting Information) Regulations should also permit credit reporting information to include an individual’s repayment performance history, comprised of information indicating:
(a) whether, over the prior two years, the individual was meeting his or her repayment obligations as at each point of the relevant repayment cycle for a credit account; and, if not,
(b) the number of repayment cycles the individual was in arrears.
CLPC submission: Inclusion in CRI of this limited subset of repayment history is acceptable subject to effective implementation of Rec 55-3 (see below).
It should be made clear that item (a) would allow only yes/no information about repayments – not any detail of amounts.

Topic: reciprocity
ALRC Report 108: No recommendation
CLPC submission: We submit that the question of reciprocity; i.e. whether input of information should be a condition of access (output) is largely a commercial matter which should not be regulated by privacy law.

Topic: responsible lending
ALRC Report 108: Recommendation 55–3 The Australian Government should implement Recommendation 55–2 only after it is satisfied that there is an adequate framework imposing responsible lending obligations in Commonwealth, state and territory legislation.
CLPC submission: This is an essential precondition for any increase in the type and amount of information to be allowed in CRI.
Appropriate amendments to credit legislation should be 'locked in' on an integrated timetable. Relevant changes to the Privacy Act should not commence until these requirements are in place and operating.

Topic: repayment performance history - procedures
ALRC Report 108: Recommendation 55–4 The credit reporting code should set out procedures for reporting repayment performance history, within the parameters prescribed by the new Privacy (Credit Reporting Information) Regulations.
CLPC submission: Agree in principle – see other comments on content of Regs

Topic: deletion
ALRC Report 108: Recommendation 55–5 The new Privacy (Credit Reporting Information) Regulations should provide for the deletion of the information referred to in Recommendation 55–1 two years after the date on which a credit account is closed.
CLPC submission: Agree

Topic: Transitional arrangements for more comprehensive reporting
ALRC Report 108: Not expressly considered
CLPC submission: The sudden availability of extra CRI could dramatically affect status of individual consumers – and there is a need for safeguards.
Veda suggests a 3 year transition period, with obligations on CRBs and CPs to have agreements in place about a phased provision of the extra CRI, linked to a public announcement of the changes.
This suggestion relates to the conditional passage of responsible lending obligations. Further consultation is desirable about how changes to credit law and privacy law will be co-ordinated.
Veda's suggestions seem unobjectionable provided there are specific obligations on CPs and CRBs to notify individuals of the new regime well in advance of its commencement.

Topic: Preparation for more comprehensive reporting
ALRC Report 108: Reference to constraints on data studies
CLPC submission: Veda and the credit industry understandably want to analyse existing data to help design Code provisions and safeguards, but OPC interpretation of Part IIIA has prevented use of existing CRI for analysis.
The OPC interpretation seems very inflexible. We support action, including amendments if necessary, to facilitate analysis of CRI for these purposes. It may be that relevant analysis can be performed on de-identified data, with appropriate transparency, independent governance and audit of the analysis project (see also our response to Rec 58-5).

56. Collection and Permitted Content of Credit Reporting Information

CLPC submission: Veda has suggested express authority for CRBs to collect indirectly from CPs – relieving them of the need to justify non-compliance with UPP 2.3.
We support this suggestion.

Topic: identity theft
ALRC Report 108: [ no recommendation? ]
CLPC submission: See comments on Rec 57-5

Topic: exhaustive list of categories of CRI
ALRC Report 108: Recommendation 56–1
CLPC submission: See comments on this under Chpt 54 above

Topic: overdue payments of less than a prescribed amount
ALRC Report 108: Recommendation 56–2 The new Privacy (Credit Reporting Information) Regulations should provide that credit reporting agencies are not permitted to list overdue payments of less than a prescribed amount.
CLPC submission: We support the setting of a threshold or thresholds in the Act or Regulations. The thresholds must apply to any new repayment history information as well as to default information, and should be automatically index linked.
We submit that it may be appropriate to have different thresholds for different classes of credit provider (e.g. utilities) given the nature of the loan type and the differential consequences of default information.
The minimum threshold for any class of credit provider should be $200.

Topic: presented and dishonoured cheques
ALRC Report 108: Recommendation 56–3 The new Privacy (Credit Reporting Information) Regulations should not permit credit reporting information to include information about presented and dishonoured cheques.
CLPC submission: Agree

Topic: personal insolvency
ALRC Report 108: Recommendation 56–4 The new Privacy (Credit Reporting Information) Regulations should permit credit reporting information to include personal insolvency information recorded on the National Personal Insolvency Index administered under the Bankruptcy Regulations 1966 (Cth).
CLPC submission: Agree

Topic: adequately differentiate forms of administration
ALRC Report 108: Recommendation 56–5 Credit reporting agencies should ensure that credit reports adequately differentiate the forms of administration identified on the National Personal Insolvency Index (NPII); and accurately reflect the relevant information recorded on the NPII, as updated from time to time.
CLPC submission: Agree - this requirement should be in Regs not Code

Topic: ‘serious credit infringement’
ALRC Report 108: Recommendation 56–6 The new Privacy (Credit Reporting Information) Regulations should allow for the listing of a ‘serious credit infringement’ based on the definition currently set out in s18E(1)(b)(x) of the Privacy Act, amended so that the credit provider is required to have taken reasonable steps to contact the individual before reporting a serious credit infringement under s 18E(1)(b)(x)(c).
CLPC submission: Agree – guidance on reasonable steps can be left to Code, provided proposed requirements for EDR are made mandatory.

Topic: GLs: criteria for serious credit infringement
ALRC Report 108: Recommendation 56–7 The Office of the Privacy Commissioner should develop and publish guidance on the criteria that need to be satisfied before a serious credit infringement may be listed, including:
(a) how to interpret ‘serious’ (for example, in terms of the individual’s conduct, and the period and amount of overdue payments);
(b) how to establish whether reasonable steps to contact the individual have been taken;
(c) whether a serious credit infringement should be listed where there is a dispute between the parties that is subject to dispute resolution; and
(d) the obligations on credit providers and individuals in proving or disproving that a serious credit infringement has occurred.
CLPC submission: Code should cover these matters – parties involved will have more expertise than the OPC alone (subject to general comments on status and process for Code).
We favour strong provisions for EDR schemes to be able to issue 'take down' notices on SCI listings found to be inappropriate.

Topic: Publicly available information
ALRC Report 108: No recommendation
CLPC submission: Where CRI includes publicly available information (PAI) that information should be regulated by the credit reporting provisions of the legislation. Where PAI is held separately but is brought together with other CRI for the purposes of a credit report, it will form part of the CRI at that point and should be regulated by the CR provisions.
Care needs to be taken in drafting to ensure the intent of the legislation cannot be evaded by separate storage of PAI, only bringing it together with other CRI momentarily in response to enquiries.

Topic: ‘sensitive information’ and ‘lifestyle, character or reputation’ info
ALRC Report 108: Recommendation 56–8 The new Privacy (Credit Reporting Information) Regulations should prohibit the collection in credit reporting information of ‘sensitive information’, as defined in the Privacy Act.
CLPC submission: Agree but prohibition should also cover information about an individual’s ‘lifestyle, character or reputation’.

Topic: under the age of 18
ALRC Report 108: Recommendation 56–9 The new Privacy (Credit Reporting Information) Regulations should prohibit the collection of credit reporting information about individuals who the credit provider or credit reporting agency knows, or reasonably should know, to be under the age of 18.
CLPC submission: Agree – guidance on 'reasonable to know' in Code

Topic: Notification / ‘ensure individual is aware’
ALRC Report 108: Recommendation 56–10 The new Privacy (Credit Reporting Information) Regulations should provide, in addition to the other provisions of the ‘Notification’ principle, that at or before the time personal information to be disclosed to a credit reporting agency is collected about an individual, a credit provider must take such steps as are reasonable, if any, to of the:
(a) identity and contact details of the credit reporting agency;
(b) rights of access to, and correction of, credit reporting information provided by the regulations; and
(c) actual or types of organisations, agencies, entities or persons to whom the credit reporting agency usually discloses credit reporting information.
CLPC submission: Agree but needs to expressly rule out PC's discretion to interpret as allowing notification much later than time of collection (current PC position).
Also needs to expressly provide for notice of any new items of information to be allowed in credit information files (4+1, as recommended by the ALRC in 55-1 and 55-2).
Also needs to require notice of EDR processes.

Topic: content and timing of notices
ALRC Report 108: Recommendation 56–11 The new Privacy (Credit Reporting Information) Regulations should provide that a credit provider, before disclosing overdue payment information to a credit reporting agency, must have taken reasonable steps to ensure that the individual concerned is aware of the intention to report the information.
Overdue payment information, for these purposes, means the information currently referred to in s18E(b)(1)(vi) of the Privacy Act.
CLPC submission: Agree

Topic: Bundled and true consent
ALRC Report 108: No recommendation either for credit reporting or more generally
CLPC submission: Where the CR provisions incorporate 'consent' a review is required to assess whether free and revocable consent is possible in the circumstances. Where it is not, the consent requirement should be replaced with notification requirements; i.e. notice that certain uses and disclosures are a condition of the loan transaction (consent in these circumstances is spurious and misleading).

57. Use and Disclosure of Credit Reporting Information

CLPC submission: Veda has suggested a new provision – that credit reporting businesses must not disclose personal information for a CR purpose unless that personal information is derived from CRI, or publicly available information, or is PII.
This new provision, intended to prevent abuse, would be helpful subject to our previous submission that PAI and PII should be part of CRI where it is used in association with other CRI for CR purposes. The new provision need therefore only say 'derived from CRI'.

Topic: list of circumstances / permitted uses
ALRC Report 108: Recommendation 57–1 The new Privacy (Credit Reporting Information) Regulations should provide a simplified list of circumstances in which a credit reporting agency or credit provider may use or disclose credit reporting information.
This list should be based on the provisions of Part IIIA of the Privacy Act, which currently authorise the use and disclosure by credit reporting agencies and credit providers of personal information contained in credit information files, credit reports and reports relating to credit worthiness (ss 18L, 18K and 18N).
CLPC submission: Veda suggest an express authorisation for CRBs and CPs to use CRI for a primary (they suggest 'direct') credit reporting purpose (see suggested definition under Chpt 54 above), together with a discretion for the PC to declare a purpose not consistent, and therefore prohibited.
Provided the PC discretion is only to limit and not to permit further purposes, then this is acceptable, if subject to the Pt VI PID process safeguards.
The Veda proposal is for a simplification through a newly defined primary purpose for both CRBs and CPs which includes some directly related uses and disclosures. If this route is taken, we see no reason for this authority not to be in the Act itself rather than in the Regulations. Additional uses or disclosures within the primary purpose could then only be added by amendment of the Act.

Topic: secondary purpose
ALRC Report 108: Recommendation 57–2 The new Privacy (Credit Reporting Information) Regulations should provide that a credit reporting agency or credit provider may use or disclose credit reporting information for a secondary purpose related to the assessment of an application for credit or the management of an existing credit account, where the individual concerned would reasonably expect such use or disclosure.
CLPC submission: Under Veda's proposal, some of the credit related secondary purposes currently authorised (by s18K, L, N, NA, P & Q) would now be authorised instead by the provision for a defined primary purpose of credit reporting.
Veda's suggested principle avoids use of the term 'management of the account' (see below) but is otherwise too permissive, and overly reliant on subjective judgements by CRBs and CPs about individual needs and public benefit.
Great care would be needed in drafting either the definition of 'credit reporting purpose' or the secondary use exceptions to ensure that 'management of account' or other wording does not allow otherwise strictly prohibited purposes such as direct marketing or pre-screening.
Particular attention is needed to potential uses of the additional items of CRI (4+1) which could be 'passed off' as for 'account management' or similar purposes.
There is also a risk that CPs could access the new fuller CRI at any time – not just when triggered by an application or other defined event. What is required is a table (now common in legislation) showing which classes of CRB and CP are authorised to use CRI for the different secondary purposes (this table would also accommodate the different monetary thresholds suggested above in response to Rec 56-2).

Topic: mortgage or trade insurer
ALRC Report 108: No recommendation
CLPC submission: We support a provision allowing indirect access to credit reporting information to a mortgage or trade insurer, via the credit provider. This could be either incorporated in the primary purpose definition or remain a secondary purpose exception.

Topic: debt collection
ALRC Report 108: Paragraphs 57.57–57.62 – No recommendation for change to existing limitations – direct access only where assignees, otherwise via credit provider
CLPC submission: The existing limitations on direct access to CRI by debt collection businesses, except where they are assignees for the loan, should remain.

Topic: direct marketing
ALRC Report 108: Recommendation 57–3 The new Privacy (Credit Reporting Information) Regulations should prohibit the use or disclosure of credit reporting information for the purposes of direct marketing, including the pre-screening of direct marketing lists.
CLPC submission: Veda suggest allowing use of only negative CRI for pre-screening, defined as removing individuals with a poor credit history from marketing lists.
If drafting can be devised to ensure that this concession could not be used to target those screened out of one list for another different marketing approach, then this would be acceptable, but it is difficult to see how this could be ensured. Unless it can be, and adequate audit trails to verify compliance established, then use of CRI for pre-screening should be prohibited.
Concern about pre-screening could be alleviated with adequate responsible lending requirements in consumer credit law, and by better implementation of 'opt-out' facilities.
Strongly support prohibition of use of CRI for direct marketing, but will require a clear definition of direct marketing to ensure that it doesn't get back in the guise of 'account management' or another permitted purpose.
Some of these matters are under consideration by ARCA which is currently developing a Code. While this may be a useful vehicle for progressing discussions, the Code proposed as part of the new regime will not be the appropriate location for controls over direct marketing and/or pre-screening – these need to be in the Act or Regulations.

AML/CTF
ALRC Report 108: Recommendation 57–4 The use and disclosure of credit reporting information for electronic identity verification purposes to satisfy obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) should be authorised expressly under the AML/CTF Act.
CLPC submission: This recommendation is premature – the issue should be addressed in wider identity management context and through amendment of AML-CTF Act first, if justified.
|
individual right to prohibit
ALRC Report 108: Recommendation 57–5 The new Privacy (Credit Reporting Information) Regulations should provide individuals with a right to prohibit for a specified period the disclosure by a credit reporting agency of credit reporting information about them without their express authorisation.
CLPC submission: A consumer option to freeze access is desirable but need to consider all variations – in some ID crime circumstances individuals may prefer a flag/warning to a freeze?
Veda suggests a 'reasonableness' test for acting on requests, to avoid abuse. This is acceptable in principle, but the threshold should not be as high as court issued certificates, as suggested by Veda.
Any 'freeze' option would need to be accompanied by an obligation on CRBs to explain the reason for the freeze to users, to avoid adverse inferences, and a corresponding obligation on
|
use and disclosure limitations apply only to ‘credit reporting information’ no 18N
ALRC Report 108: Recommendation 57–6 There should be no equivalent in the new Privacy (Credit Reporting Information) Regulations of s18N of the Privacy Act, which limits the disclosure by credit providers of personal information in ‘reports’ related to credit worthiness. The use and disclosure limitations should apply only to ‘credit reporting information’ as defined for the purposes of the new regulations.
CLPC submission: Whether applied through the Act or Regulations, this change would mean that the scope of the CR privacy regime will be more limited than it currently is (potentially) under Part IIIA. We note that the wider scope was not accidental, but acknowledge that, in practice, there has been no enforcement and probably little compliance with the CR provisions in this wider context. We therefore pragmatically accept that the scope should be limited.
|
58. Data Quality and Security
|
unrecoverable debts
ALRC Report 108: Recommendation 58–1 The new Privacy (Credit Reporting Information) Regulations should prohibit expressly the listing of any overdue payment where the credit provider is prevented under any law of the Commonwealth, a state or a territory from bringing proceedings against the individual to recover the amount of the overdue payment; or where any relevant statutory limitation period has expired.
CLPC submission: Agree – Code could give further guidance
|
new arrangements
ALRC Report 108: Recommendation 58–2 The new Privacy (Credit Reporting Information) Regulations should provide that where the individual has entered into a new arrangement with a credit provider to repay an existing debt—such as by entering into a scheme of arrangement with the credit provider—an overdue payment under the new arrangement may be listed and remain part of the individual’s credit reporting information for the full five-year period permissible under the regulations.
CLPC submission: Agree
|
data quality procedures
ALRC Report 108: Recommendation 58–3 The credit reporting code should promote data quality by setting out procedures to ensure consistency and accuracy of credit reporting information. These procedures should deal with matters including:
(a) the timeliness of the reporting of credit reporting information;
(b) the calculation of overdue payments for credit reporting purposes;
(c) obligations to prevent the multiple listing of the same debt;
(d) the updating of credit reporting information; and
(e) the linking of credit reporting information relating to individuals who may or may not be the same individual.
CLPC submission: Agree – suitable matters for Code
Code must also expressly cover definitions of 'overdue', 'default', and provide guidance on reasonable steps in relation to various matters where these are required by the Act or Regs.
|
data quality and audit
ALRC Report 108: Recommendation 58–4 The new Privacy (Credit Reporting Information) Regulations should provide that credit reporting agencies must:
(a) enter into agreements with credit providers that contain obligations to ensure the quality and security of credit reporting information;
(b) establish and maintain controls to ensure that only credit reporting information that is accurate, complete and up-to-date is used or disclosed;
(c) monitor data quality and audit compliance with the agreements and controls; and
(d) identify and investigate possible breaches of the agreements and controls.
CLPC submission: Agree, but Regs should also require that access to CRI be conditional on joining and following the Code (i.e. don't just leave requirement to follow Code to contract/CRA terms and conditions)
Veda suggests a qualified requirement to take 'reasonable steps to ensure'. This is acceptable
An active monitoring role for CRAs is important, and the Act should give CRBs the necessary powers to perform this role.
|
retention periods 18F
ALRC Report 108: Recommendation 58–5 The new Privacy (Credit Reporting Information) Regulations should provide for the deletion by credit reporting agencies of different categories of credit reporting information after the expiry of maximum permissible periods, based on those currently set out in s18F of the Privacy Act.
CLPC submission: Agree
Veda suggests express provision for retention of information for audit and statistical modelling, but these should not require extended retention of personally identifiable records.
The Regulations are the appropriate vehicle for detailed retention periods which can take account of audit and modelling needs, provided there are adequate public consultation requirements for any changes to Regulations.
|
deletion of voluntary arrangements
ALRC Report 108: Recommendation 58–6 The new Privacy (Credit Reporting Information) Regulations should provide for the deletion by credit reporting agencies of information about voluntary arrangements
|
the arrangement as recorded on the National Personal Insolvency Index.
CLPC submission: Agree – see our submission on Rec 56-4 above
|
security of CRI 18G(b)
ALRC Report 108: No recommendation for separate security requirements – UPP should apply as default
CLPC submission: Agree
|
59. Access and Correction, Complaint Handling and Penalties
|
ALRC Report 108: Recommendation 59–1 The new Privacy (Credit Reporting Information) Regulations should provide individuals with a right to obtain access to credit reporting information based on the provisions currently set out in s 18H of the Privacy Act.
CLPC submission: Agree – given that the industry has made no argument for the exceptions in UPP 9.1
|
one free copy
ALRC Report 108: Recommendation 59–2 The new Privacy (Credit Reporting Information) Regulations should provide that credit reporting agencies must provide individuals, on request, with one free copy of their credit reporting information annually.
CLPC submission: Agree with this important variation on UPP 9, provided there is also an express right to a free copy after any dispute/correction.
The Regulations should include time limits – the current 10 days is too long – CRB systems allow much quicker response.
|
ALRC Report 108: Recommendation 59–3 The new Privacy (Credit Reporting Information) Regulations should provide an equivalent of s18H(3) of the Privacy Act, so that an individual’s rights of access to credit reporting information may be exercised for a credit-related purpose by a person authorised in writing.
CLPC submission: Agree but would like to see some way of preventing abuse by 'forced access' for third party purposes, and by shonky operators e.g. in debt repair. This is a generic issue for the access principle in the UPPs as well.
|
ALRC Report 108: Recommendation 59–4 The new Privacy (Credit Reporting Information) Regulations should provide that, where a credit provider refuses an application for credit based wholly or partly on credit reporting information, it must notify an individual of that fact. These notification requirements should be based on the provisions currently set out in s18M of the Privacy Act.
CLPC submission: Agree, but this requirement should be in the Act rather than Regulations. The Code could provide further guidance
|
rights of access to credit reporting information
ALRC Report 108: Contrary to Proposal 55-3 in DP72, the ALRC concludes that a right of access to detailed credit scoring information is not practicable in Australia. Provision of general explanations about credit scoring could be covered in the Code (Report 108, paragraphs 59.84-59.88)
CLPC submission: The ALRC's reasons for departing from its earlier proposal are not convincing. If an individual’s application for credit is refused based wholly or partly on credit reporting information, there should be an obligation on the CPs to provide any credit score or ranking used by the credit provider, together with explanatory material on scoring systems, to allow individuals to understand how the risk of the credit application was assessed
|
complaints
ALRC Report 108: Recommendation 59–5 The new Privacy (Credit Reporting Information) Regulations should provide that:
(a) credit reporting agencies and credit providers must establish procedures to deal with a request by an individual for resolution of a credit reporting complaint in a fair, efficient and timely manner;
(b) a credit reporting agency should refer to a credit provider for resolution complaints about the content of credit reporting information provided to the agency by that credit provider; and
(c) where a credit reporting agency or credit provider establishes that it is unable to resolve a complaint, it must inform the individual concerned that it is unable to resolve the complaint and that the individual may complain to an external dispute resolution scheme or to the Privacy Commissioner.
CLPC submission: Agree generally but not with automatic referral by CRB to CP – CRBs should be able to centrally manage complaints where appropriate, to avoid a 'merry go round'.
The Act or Regs should impose obligations on CRBs to try to resolve individuals' complaints and on CPs to provide CRBs with such information as they reasonably require to facilitate resolution.
Further consultation is desirable about the dispute resolution provisions, particularly to make best use of the various EDR schemes. (see response below to Rec 59-7)
|
avenues of complaint available
ALRC Report 108: Recommendation 59–6 The new Privacy (Credit Reporting Information) Regulations should provide that the information to be given, if an individual’s application for credit is refused based wholly or partly on credit reporting information, should include the avenues of complaint available to the individual if he or she has a complaint about the content of his or her credit reporting information.
CLPC submission: Agree but obligation should be on both the CRB and CP to inform the consumer of EDR options.
|
external dispute resolution scheme
ALRC Report 108: Recommendation 59–7 The new Privacy (Credit Reporting Information) Regulations should provide that credit providers only may list overdue payment or repayment performance history where the credit provider is a member of an external dispute resolution scheme recognised by the Privacy Commissioner.
CLPC submission: This should also be a condition of access to CRI as well as for input (can't assume will always be reciprocity)
Any external dispute resolution schemes should meet national benchmarks as well as being recognised by the Privacy Commissioner
See Benchmarks for Industry-Based Customer Dispute Resolution Schemes: http://www.anzoa.com.au/docs/National%20Benchmarks.pdf.
ASIC approval may also be a desirable criterion.
|
evidence to substantiate dispute
ALRC Report 108: Recommendation 59–8 The new Privacy (Credit Reporting Information) Regulations should provide that, within 30 days, evidence to substantiate disputed credit reporting information must be provided to the individual, or the matter referred to an external dispute resolution scheme recognised by the Privacy Commissioner. If these requirements are not met, the credit reporting agency must delete or correct the information on the request of the individual concerned.
CLPC submission: Agree
|
ALRC Report 108: Recommendation 59–9 The Privacy Act should be amended to remove the credit reporting offences and allow a civil penalty to be imposed as provided for by Recommendation 50–2.
CLPC submission: Agree
|
URL: http://www.austlii.edu.au/au/journals/ALRS/2009/21.html