Chapter 3 Credit Reporting Provisions

3.1                   The credit reporting provisions are contained in Schedule 2 of the Privacy Amendment Bill and will replace the current credit reporting system in Part IIIA of the Privacy Act 1988 (Cth). The provisions regulate the handling and maintenance of certain kinds of personal information concerning consumer credit that is intended to be used wholly or primarily for domestic, family or household purposes.

The Australian link requirement

3.2                   The Privacy Amendment Bill contains a specific rule to govern the cross‑border disclosure of credit reporting information. A credit provider is restricted from disclosing credit eligibility information to overseas recipients that do not have an Australian link.[1] This requirement was not included in the 2011 exposure draft of the credit reporting provisions.

3.3                   The Explanatory Memorandum states that ‘the term “Australian link” is used to define the entities that are subject to the operation of the Act’.[2]

3.4                   The Australian link requirement aims to ensure Australian credit information does not leave the Australian credit information system and that foreign credit information does not enter the Australian credit information system.[3]

3.5                   The Committee received a significant number of submissions voicing concerns about the Australian link requirement in the credit reporting provisions.[4] Many organisations are concerned that the Australian link restriction will inhibit legitimate business practices as information may not be able to be disclosed to an off-shore agent or related entity for legitimate business purposes.[5]

3.6                   The Law Council of Australia (LCA) explains that:

…some authorised deposit taking institutions have established outsourcing operations with entities based in foreign countries as a means of providing financial services more economically and contributing to lower overall prices. These services may comprise ‘cloud’ based technologies for data storage and backup, which may utilise storage in a variety of locations for the purposes of effective disaster recovery. In other cases, business processes (that may include automated credit decisioning or first line call centre support) may be hosted offshore by contracted service providers.

The off-shore entities may be wholly-owned but foreign incorporated subsidiaries, or may be unrelated bodies subject to strict service agreements which require information to be used and dealt with solely for the purposes of the principal with high levels of security.[6]

3.7                   It appears that Australian organisations with such arrangements will be affected by the Australian link requirement.

3.8                   Optus notes that the provisions will adversely affect companies that have off-shore call centres or data processing facilities.[7]

3.9                   The Australia and New Zealand Banking Group Limited (ANZ) expresses concern that the provisions will mean an Australian-based organisation will not be able to transfer information to a wholly owned off-shore entity, even where the organisation takes steps to ensure the entity is subject to similar standards as the APPs.[8]

3.10               General Electric Capital notes that for companies that hold credit eligibility information and personal information, these will have to be segregated and managed under different disclosure regimes.[9]

3.11               The LCA suggests the Australian link requirement is artificial because if an Australian organisation has a 100 per cent held subsidiary performing outsourced services, the control that organisation holds over the information is the same, regardless of where the subsidiary is incorporated.[10]

3.12               The LCA suggests where the credit provider is an authorised deposit-taking institution for the purposes of the Banking Act 1959 (Cth) and the manner in which the off-shore provider is being used is consistent with APRA’s standards and is subject to APRA’s supervision, the Australian link requirement should not apply.[11]

3.13               Some submissions suggest that instead of the Australian link requirement, APP 8 should apply to credit eligibility information in the same way it applies to personal information[12] as there is no policy basis for restricting the disclosure of credit eligibility information to a greater degree than personal information.[13]

3.14               Alternatively, ANZ suggests that an exception to the Australian link requirement be developed for instances in which information is being disclosed for legitimate business purposes.[14]

3.15               In contrast, Communications Alliance suggests that Australian link requirement should be removed altogether.[15]

3.16               The Committee notes Mr Glenn from the Attorney-General’s Department’s comments at the Senate hearing, which acknowledged the issues and the ongoing discussions as to how the cross-border flow of credit information might best operate:

Certainly the Bill needs some improvements around the Australian link idea. We have heard from stakeholders that the proposed solution to deal with cross-border data flows in the credit context does not work with existing business models. So we are having some discussions with banking and finance stakeholder as to how to adjust that.[16]

3.17               The Attorney-General’s Department notes that the Government accepted Australian Law Reform Commission (ALRC) recommendation 54-5 to exclude Australian reporting of personal information about foreign credit, and the disclosure of credit reporting information to foreign credit providers. The Department suggests that the off-shore processing of credit reporting information does not appear to have been considered by the ALRC.[17] 

3.18               The Department’s submission clarifies that there is no policy intention to prohibit the existing practices of credit providers in relation to their off‑shore processing systems for credit reporting information.[18]

3.19               The Department explains that the insertion of the term ‘Australian link’ in section 5B of the Privacy Act 1988 (Cth) (which includes a foreign organisation that holds information in Australia), combined with the permission for credit providers to disclose to a related body corporate, would allow off-shore processing of credit reporting data.[19] However, it acknowledges that credit provider stakeholders suggest that this arrangement will not allow them to continue to undertake off-shore processing of that information.[20]

3.20               The Department notes that:

On examining the exposure draft of the credit reporting provisions in the development of the Privacy Amendment Bill, it became clear that permitting broad cross-border disclosure of personal information from the credit reporting system under APP 8 would undermine the government’s policy to exclude the reporting of personal information about foreign credit and the disclosure of credit reporting information to foreign credit providers.[21]

3.21               On this basis, the Department advises that it is currently considering options to address this issue. It notes that the preferred approach is to identify options that allow a specifically targeted disclosure to deal with off-shore process which would most likely impose obligations based on proposed APP 8.1 and proposed section 16C. This would ensure that the Australian credit provider remains accountable for the personal information sent to the overseas recipient. The Department advises that initial discussions suggest this approach may be acceptable to credit provider stakeholders. [22]

3.22               The Committee was advised that the Department ‘will continue to work with stakeholders to refine an approach that can be put to the Attorney‑General for consideration.’[23]

Repayment history data provisions

3.23               The Privacy Amendment Bill will allow personal information grouped under five new data sets to be collected and included on credit reports. The fifth new data set is repayment history data.

3.24               Some submissions outline their support for the inclusion of repayment history data as one of the new data sets.[24]

3.25               However, some organisations have strong concerns about consumers’ interests and the effect of the inclusion of repayment history data in the credit reporting system.[25]

3.26               Notably, while the ALRC recommended that limited repayment history information should be included in the credit reporting system, it also recommends that this be accompanied by responsible lending obligations and other safeguards.[26]

3.27               The Explanatory Memorandum suggests that the repayment history data will lead to decreased levels of over indebtedness and lower credit default rates.[27] Other submissions also suggest that collection of repayment history data will improve the quality of consumer credit.[28]

3.28               According to the Attorney-General’s Department submission, the Government considers that more comprehensive credit reporting will allow a more robust assessment of credit risk. This could lead to lower credit default rates and is likely to improve competition in the credit market, eventually resulting in benefits to both individuals and the credit industry.[29]

3.29               The Consumer Credit Legal Centre, New South Wales (CCLC) disputes this and claims there is no evidence to suggest that the inclusion of repayment history data will lead to these positive changes[30] and suggests that including repayment history data will not, in itself, lead to responsible lending.[31]

3.30               Instead, CCLC claims that the reverse may occur and there is the potential to justify the refusal of credit due to poor repayment history where the borrower otherwise has capacity to pay, or to allow credit to be granted where it wouldn’t have been in other circumstances because of a good repayment history, or to offer differential pricing based on repayment history (risk-based pricing).[32] These possible scenarios are unlikely to provide positive outcomes for consumers.[33]

3.31               However, as noted in some submissions, lenders are already subject to various responsible lending obligations under the National Consumer Credit Protection Act 2009 (Cth).[34]

3.32               In addition, the Bill includes a number of consumer protections around repayment history information, such as a restrictive definition of ‘repayment information’ and strong restrictions on the collection, use and disclosure of repayment history information.[35]

3.33               The Committee also notes that the Government response to the ALRC recommendation 54-8 included an agreement that a review of the credit reporting provisions would be conducted within five years from the commencement of the Bill.[36]

3.34               Most submissions to this inquiry raised concerns of industry regarding the effects of the Bill, however there were some additional issues raised by consumer advocates. These include the perceived reluctance of the Privacy Commissioner to make determinations, pre-screening for direct marketing purpose and the difficulty of removal of unfair/incorrect credit listings.

3.35               The Committee notes that many of these consumer advocate issues were interrogated in some detail at the Senate hearings and, consequently, the Committee has chosen note to examine further these issues.[37]

Addresses stored on file

3.36               Veda’s submission outlines its concern about the restriction on the number of addresses that can be held on a credit report. It suggest that the limit of an individual’s current or last known address and two previous addresses, combined with changes which add restrictions on the internal use of that information, may result in many individuals becoming untraceable. This could potentially affect 2.4 million files.[38] As internal use is unregulated under the current regime, the additional information is used for data matching purposes.[39] Veda suggests that these restrictive changes will create potential for ‘a highly mobile, highly transient segment of the population’ to become untraceable.[40]

3.37               Veda suggests that to remedy this problem the Bill should be amended to allow credit reports to include, for the purpose of record management, either the current plus two previous addresses or all addresses over the previous five years, whichever is the greater.[41]

3.38               The Attorney-General’s Department gave evidence that it does not consider that credit reporting bodies will lose trace of an individual if the individual moves more than twice in a five year period because the proposed definition of ‘identification information’ includes a range of other types of personal information.[42]

3.39               The Attorney-General’s Department notes that it:

…considers that the various types of personal information included in the definition of ‘identification information’ in conjunction with the permitted address information should be sufficient to identify individuals.[43]

Committee Comment

Australian link requirement

3.40               The Committee received a significant number of submissions on this issue and notes the difficulty in striking an appropriate balance between the protection of credit reporting information and the ability for industry to function reasonably. The Committee emphasises that this is critical issue.

3.41               The Committee notes that the Attorney-General’s Department has already undertaken significant consultation with various organisations across many industries.

3.42               The Committee is pleased to note that the Attorney-General’s Department intends to continue consultation with stakeholders. The Committee anticipates this process will lead to some resolution of the issues around the Australian link requirement.

3.43               At this point, the Committee is satisfied with the provisions as proposed in the Bill, particularly in light of continued consultation with industry which may refine aspects of the Bill’s practical operation. However, given the complexity and seriousness of the issues, for both individuals and industry, the Committee acknowledges the critical importance of reviewing these provisions to assess their implementation and any unintended consequences. The Committee recommends that the cross border disclosure of credit reporting information is assessed in a review of the operation of the new privacy laws. This review should be conducted twelve months after the Act commences.

Repayment history provisions

3.44               The Committee notes concerns raised regarding the effect of the inclusion of repayment history provisions. However, responsible lending obligations already exist and, as per the recommendation of ALRC, consumer protections are included in the Bill.

3.45               The Committee supports the Government’s commitment to review the credit reporting provisions within five years of commencement.

3.46               The Committee is satisfied that the provisions as currently drafted are reasonable and balanced, and an appropriate review of their operations has already been agreed to.

Addresses stored on file

3.47               The Committee notes the concern raised regarding this issue but is not convinced that it will result in many individuals becoming untraceable as a consequence. Other types of personal information may still be stored and the Committee does not consider the changes to be overly restrictive or detrimental to industry.