Chapter 4 Further issues
A number of additional issues regarding elements of the Privacy
Amendment Bill were raised in submissions. Some of these issues are addressed
in this chapter.
Proposed section 20M(1) of the Privacy Amendment Bill outlines a
prohibition on credit reporting bodies using or disclosing de-identified credit
reporting information. Proposed section 20M(2) then outlines an exception that such
de-identified data may be disclosed for the purpose of conducting research in
relation to the assessment of the credit worthiness of individuals if the
credit reporting body complies with certain rules.
De-identified data was not previously regulated by Australian privacy
laws and the Australian Law Reform Commission (ALRC) report did not recommend
that de-identified data be regulated.
The Committee received evidence that no other modern economy regulates
de-identified data. This is likely because,
once de-identified, the information is no longer personal information and
therefore does not fall within the remit of privacy laws.
De-identified credit reporting data is used to compile studies around
credit risk and economic hardship in Australia. It is also used for internal
credit modelling and portfolio management, which Australia and New Zealand
Banking Group Ltd suggests assists in the assessment of credit applications and
helps banks to lend responsibly.
Veda notes that de-identified data is:
…critical for creating
data series, accurate statistical modelling and developing insights into
historic trends. It helps ensure the accuracy of credit risk models and the
insights it can contribute are also provided to key financial pillars such as
the Reserve Bank.
Several submissions suggest the restrictions on the use of de-identified
data in this Bill are unnecessary and may lead to unjustified restrictions on
the research and development work undertaken with this data.
Some submissions recommend that section 20M be removed from the Bill in
its entirety or that the majority of
the section be deleted. Some also suggest that a
better approach would be to create a penalty for anyone found to have re-identified
data. In addition, it is
suggested that if data is re-identified, then it would then be personal
information and any misuse of that information would be regulated by the
Australian Privacy Principles (APPs). This should ensure sufficient protection.
The Explanatory Memorandum states that the purpose of regulating de‑identified
credit reporting information is to ‘clarify that such information can be used
or disclosed in specified circumstances’ but notes concern ‘about
the effectiveness of methods used to de-identify personal information and the
risks of that information subsequently being linked again to individuals in a
way that allows them to be identified.’
The Australian Privacy Foundation’s submission echoes this concern. It draws
the Committee’s attention to the ‘increasingly contentious’ issue of whether
the de‑identification of data can really be guaranteed,
and notes that re‑identification technologies are growing rapidly.
Veda submits that these risks relate to health data and not credit
reporting data, and that
re-identification is a problem that has taken place in the United States where
more comprehensive, large-scale, public data sources are readily available.
Proposed section 20M’s purpose is to ensure that the Privacy
Commissioner has the power to issue appropriate guidelines to deal with the way
de-identified data is used.
The Attorney-General’s Department noted that their advice from credit
reporting agencies is that those agencies de-identify information prior to
using it in studies. However the Attorney-General’s Department states that it
is unclear how this is done. Given the uncertainty
around this, the Government’s view when drafting the Bill was that the proposed
approach to de-identified data is the optimal one.
Several submissions suggest that the Privacy Amendment Bill’s proposed
nine month period between Royal Assent and commencement date is unreasonably
The Australian Bankers Association (ABA) notes:
The credit reporting reforms will require individual banks to
develop their own internal compliance arrangements together with ensuring that
their IT systems can interface with external credit reporting bureaux systems.
Further, credit reporting bureaux will have to implement their own compliance
The Australian Retail Credit Association (ARCA) suggests a four step
process ensuring the Credit Reporting code (CR code) is finalised before the
commencement date is set down because some of ARCA’s
members will only be able to undertake the full implementation process once the
Office of the Australian Information Commissioner (OAIC) has approved the CR
The ABA suggests a commencement period of 15 to 18 months would be
The Australian Finance Conference suggested that rather than adopting a
fixed date for commencement, an approach that enables a date to be determined
by the Minister should be included in the Bill.
The Attorney-General’s Department notes that the standard three month commencement
period has already been extended to nine months. This was decided on the
understanding that this would be a sufficient period leading to registration of
the CR code, on advice from the OAIC and relying on precedent in terms of
commencement periods of other regulatory changes.
The Department notes:
The commencement period should provide sufficient time for
the development, approval and registration of the CR code, provide certainty by
setting out a defined time in the legislation for commencement, and should see
all elements of the Privacy Amendment Bill commence at the same time (that is,
no staged implementation).
The Department does not consider that commencement should be
at the discretion of the Attorney-General, nor does the Department consider
that the commencement should be contingent on the registration of the CR code
as this does not ensure certainty.
The Department has stated that it will be considering stakeholder views
on extending the proposed nine month commencement period in proposing options
for consideration by the Attorney-General.
The Committee received many submissions suggesting that various parts of
the Privacy Amendment Bill are complex and confusing
which may make the new privacy regime difficult to use and apply.
The ALRC noted the complexity of the privacy regime in its report and make
a multitude of recommendations that the Privacy Commissioner publish guidance
and educational materials on a variety of topics.
There have been further suggestions that educational materials should be
developed to render this complex legislation more accessible to the public.
The Attorney-General’s Department states that it is not considering any
comprehensive redrafting or restructuring of the Bill and that it expects that
the structure of some of the reforms that may not be currently discernible will
become apparent when the amendments are incorporated and the Privacy Act is a
The Department also notes that in relation to the credit reporting
provisions, increased complexity may be the result of the significant increase
in complexity and scale since the credit reporting system’s introduction twenty
The Department acknowledges the recommendations the ALRC directed to the
OAIC on the provision of guidance and educational materials and notes that the Government
accepted those recommendations in principle. The Department supports
the development of educational materials in relation to the new privacy regime
but suggests that it is a matter for the OAIC.
The Committee acknowledges industry’s concern that important studies may
be obstructed through the regulation of de-identified data. In addition, the
Committee appreciates concerns about the risk of re‑identification of
The Committee has not formed a view as to whether the risk of re‑identification
of data is so severe that the regulation of de-identified data is justified,
given lack of precedent in other modern economies.
The Committee acknowledges the importance of the studies undertaken with
such data and while it suggests the Bill proceed in its current form, it
suggests that the operation of section 20M be evaluated in a review to be conducted
twelve months after commencement of the Act.
The Committee is concerned by the issues raised in relation to the
commencement date. The Committee has not formed a specific view as to the
length of time industry genuinely requires to implement internal systems
required to comply with the new credit reporting system. However, the Committee
considers that the CR code should be developed and approved by the Privacy
Commissioner as soon as possible, to allow industry the greatest time possible
to implement required systems.
The Committee notes the Attorney-General’s Department continue to
consult stakeholders and propose options to the Attorney-General. Consequently,
the Committee anticipates that the issue may be resolved to a large degree through
this consultative process.
The Committee appreciates that updating Australia’s privacy laws is a
complex task that requires detailed provisions. It acknowledges that these
reforms were informed by a comprehensive ALRC inquiry and significant scrutiny
and time have gone into their development. In addition, the Committee notes
that one of the aims of the reforms was to reduce complexity.
Accordingly, the Committee is concerned by the number of submissions that
suggest significant confusion around the new provisions. The Committee is
concerned whether the public will be able to easily comprehend new privacy
rights and whether industry will comprehend the obligations placed on them.
The Committee notes that the Government has accepted in principle the
recommendation of the ALRC to develop educational materials. The Committee considers
this is essential given the complexity and seriousness of these provisions.
The Committee notes that no agency has indicated to the Committee that
they are developing such material, or that they consider themselves responsible
for the development of such material. This is of grave concern to the Committee
and the Committee recommends that the Attorney General ensure that
comprehensive material setting out new privacy obligations and protection is
available prior to the commencement of the Act.
Given the seriousness of privacy concerns and that Australian privacy
laws have not been updated for twenty years, the Committee recognises the
importance of the enhanced privacy protections proposed in this Bill.
In examining the Bill, the Committee has looked to ensure that an
appropriate balance between privacy protection and the convenient flow of data
has been achieved. Given the complexity of issues and the global nature of business,
there are many elements to the privacy regime proposed and there remain many
areas of concern to industry and consumer advocates.
The Committee recognises that considerable consultation has gone on
prior to the introduction of this Bill to the House, and that many of the provisions
proposed are the enactment of recommendations made in the ALRC review. In
addition, the Committee notes that the Attorney‑General’s Department is
continuing to consult with stakeholders to resolve a number of the
implementation details around this Bill and to discuss further possible
consequences of the Bill.
However, given the degree of concerns and that Departmental consultations
are continuing with the purpose of potentially advising the Attorney-General of
options, the Committee expresses its disappointment that the House and indeed
this Committee is asked to consider the Bill at this stage.
On balance the Committee has determined to recommend that the Privacy
Amendment Bill be passed by the House of Representatives. The Committee adopts
this position because it considers that there is a critical need to increase
consumer privacy protections.
||The Committee recommends that the House of Representatives
pass the Privacy Amendment (Enhancing Privacy Protections) Bill 2012.
While recommending that this Bill should be passed (subject to the
outcome of continuing consultations with stakeholders), the Committee further
recommends that the Attorney-General conduct a review of the functioning of the
new privacy regime twelve months after the Bill commences. This review should
address a number of issues that have been raised in this inquiry.
The Committee recommends that the Attorney-General agree to
conduct a review of the Privacy Amendment (Enhancing Privacy Protections)
Bill 2012 twelve months after the commencement of the Act, addressing the
to contravention of APP 8
marketing and opt out provisions for direct marketing
system regulating/preventing credit reporting information overseas (the
Australian link requirement), and
effect of the repayment history provisions on addresses stored on file.
The Committee is concerned that suitable educational and explanatory
material will need to be developed prior to the commencement of the Act to
ensure that individuals understand their new privacy rights, and that industry
are fully aware of their obligations.
During the inquiry, it was not clear that any agency was to assume
responsibility for the development and distribution of such material. Failure
to ensure all parties are aware of and fully understand their obligations and
protections would be a grave oversight in the implementation of this new
Accordingly, the Committee recommends that the Attorney-General ensure
that suitable educational material is developed and distributed prior to the
commencement of the Act.
||The Committee recommends that the Attorney-General ensure
that comprehensive educational material on the new privacy protections and
obligations is available prior to commencement of the Act.