Chapter 2
Background
Introduction
2.1
Currently, provisions relating to consumer credit reporting are
contained in Part IIIA and associated provisions of the Privacy Act 1988 (the
Privacy Act). The credit reporting provisions regulate the collection, use and
disclosure of personal information concerning credit that is intended to be
used wholly or primarily for domestic, family or household purposes. Commercial
credit information is only incidentally regulated by the Privacy Act.
2.2
Credit reporting involves providing information about an individual's
credit worthiness to banks, finance companies and other credit providers, such
as retail businesses that issue credit cards or allow individuals to have goods
or services on credit. Credit reporting is generally conducted by specialised
credit reporting agencies that collect and disclose information about potential
borrowers, usually in order to assist credit providers to assess applications.[1]
2.3
Credit reporting agencies gather information from credit providers and
publicly available information. This information is stored in central databases
and is used to generate credit reporting information for credit providers.
Credit providers use the information provided by credit reporting agencies as
well as information from the individual's application form and the credit
provider's own records to assess credit applications. In addition, credit
reporting agencies provide information processing services that assist credit
providers to assess credit applications. Credit reporting agencies also use
their databases in credit scoring systems.
2.4
There are three credit reporting agencies in Australia: Veda Advantage;
Dun & Bradstreet; and the Tasmanian Collection Service. A fourth credit
reporting agency, Experian Australia Credit Services entered the market in
August 2011.
2.5
The following discussion provides an overview of the context of the
current inquiry, a synopsis of the Australian Law Reform Commission's (ALRC) review
of credit reporting and privacy requirements and ensuing recommendations, and a
summary of the Government's response to the ALRC recommendations.[2]
Context of the current inquiry
2.6
On 30 January 2006, the Government requested that the ALRC undertake a
comprehensive review of the Privacy Act. The ALRC provided its report on
the review to the Government in May 2008.[3]
2.7
In October 2009, the Government provided a 'First Stage Response' to the
ALRC's recommendations. The focus of the first stage response was 'to establish
the foundations for an enhanced privacy framework'.[4]
The Government's response to the ALRC review addressed four areas of reform of
the Privacy Act: the Privacy Principles; Office of the Privacy Commissioner;[5]
credit reporting provisions; and health services and research.
2.8
The first of these four areas of proposed reform of the privacy regime –
the Privacy Principles – was addressed by the Government with the release of the
Australian Privacy Principles Exposure Draft provisions in June 2010. These
provisions were referred to the committee on 24 June 2010. The committee tabled
its report, Exposure Drafts of Australian Privacy Amendment Legislation:
Part 1 Australian Privacy Principles in June 2011.[6]
The report provided background to the Privacy Act and reviews of the Privacy
Act, examined the 13 draft Australian Privacy Principles (APPs)
and made 29 recommendations. The recommendations included redrafting of the
principles to improve clarity, the provision of guidance on definitions and
explanatory material, the inclusion of agency specific provisions, and that the
Office of the Australian Information Commissioner undertake a review of agency
voluntary data matching guidelines with a view to an extension of APP 9 to
agencies.[7]
2.9
The Exposure Draft for the second of the four areas of proposed reform,
credit reporting, was received by the President of the Senate on 1 February
2011 and was tabled in the Senate on 9 February 2011.
2.10
While the ALRC was undertaking its review of the Privacy Act, the
Council of Australian Governments (COAG) agreed, in 2008, that the Commonwealth
take responsibility from the states for regulating the credit industry.[8]
The National Consumer Credit Protection Act 2009 and the National
Consumer Credit Protection Act Amendment (Home Loans and Credit Cards) Act 2011
were passed pursuant to this agreement.
The ALRC's review of credit reporting and privacy requirements
Current credit reporting provisions
2.11
The Privacy Amendment Act 1990 extended coverage of the Privacy
Act to consumer credit reporting and introduced privacy protections in relation
to consumer credit records. A number of further amendments have since been made
to the credit reporting provisions of the Privacy Act.[9]
The Privacy Act also empowers the Privacy Commissioner to issue a binding Code
of Conduct. A Credit Reporting Code of Conduct (the Code) came into
effect on 24 September 1991.[10]
Over the years a variety of amendments to the Code have been made; some of
these reflect amendments to the credit reporting provisions of the Privacy Act.[11]
2.12
The main provisions relating to credit reporting provide for:[12]
-
information covered by the provisions: the Privacy Act
defines 'personal information', 'credit information file' and 'credit report'.
'Personal information' is information or an opinion, whether true or not, and
whether recorded in a material form or not, about an individual whose identity
is apparent, or can reasonably be ascertained, from the information or opinion.
A 'credit information file' means any record that contains information about a
person and is kept by a credit reporting agency in the course of carrying on a
credit reporting business. A 'credit report' may be created from a credit
information file and passed from the credit reporting agency to a credit
provider;
- persons within the ambit of the provisions: the provisions
apply to individuals whose personal information is contained in a credit
information file; credit reporting agencies; credit providers which include
banks, corporations or entities providing loans or issuing credit cards; and
persons providing third-party personal information to credit reporting
agencies;
- content of credit information files: a credit information
file can contain information that is 'reasonably necessary' to identify the
individual.[13]
The Privacy Act stipulates an exhaustive list of information that may be
included in a credit information file as well as a list of information that
must not be included. There is no requirement for verification of information
prior to it being included in a credit information file;
- accuracy and security of personal information: the
provisions require credit reporting agencies and credit providers to take
reasonable steps to ensure that personal information is 'accurate, up-to-date,
complete and not misleading', to protect against misuse, to prevent
unauthorised use or disclosure of personal information in a file or report.
Credit reporting agencies and credit providers are prohibited from disclosing
false or misleading credit reports;
- disclosure of personal information: disclosure of personal
information in credit information files and credit reports by credit reporting
agencies, credit providers and others is regulated, as well as unauthorised
access to that information or obtaining that information by a false pretence;[14]
- use of personal information: restrictions are placed on the
use of an individual's credit report (or personal information derived from that
report) by credit providers, mortgage and trade insurers, and other users;[15]
- consent and credit reporting: provided that notification
has been given, agreement to the use or disclosure of credit reporting
information about individuals is generally not required. Exceptions apply in
relation to assessing applications for commercial credit, acceptance of guarantors,
or collecting payments overdue in respect of commercial credit. Exceptions also
apply to trade insurers for the purpose of assessing insurance risks in
relation to commercial credit;
-
individuals must also specifically agree to the use of their
information in certain circumstances: these circumstances include where a
credit provider assesses an application for consumer credit. Consent from an
individual for the disclosure of information by a credit provider to a credit
reporting agency is not required but consent is required in limited
circumstances such as if the National Privacy Principles or common law duties
of confidence require disclosure, or in some circumstances where a bank owes a
duty of confidence under the Australian Bankers' Association's Code of Banking
Practice;
- rights of access, correction and notification: credit
reporting agencies and credit providers must take reasonable steps to allow
individuals access to information held on them and ensure personal information
on a file is accurate, up-to-date, complete and not misleading. Obligations for
notification are provided for when a credit report is used to refuse an
application for credit, and certain obligations to guarantors and other applicants
on joint applications; and
- responsibilities of the Office of the Privacy Commissioner
(OPC): provisions give the OPC a range of responsibilities and powers
including issuing a code of conduct relating to credit information files and
credit reports, making certain determinations under the credit reporting
provisions of the Privacy Act, auditing credit information files
and credit reports held by credit reporting agencies and credit providers, and
investigating, and making determinations on credit reporting infringements.
The ALRC recommendations and the Government
Response
2.13
The ALRC made a total of 46 recommendations relating to the credit
reporting. These recommendations addressed approaches to reform, more comprehensive
credit reporting, collection and permitted content of credit reporting
information, use and disclosure of credit reporting information, data quality
and security, access to and correction of information, complaint handling and
penalties.
Approach to reform
2.14
The ALRC report recommended (Recommendation 54–1) that the credit
reporting provisions (Part IIIA) of the Privacy Act be repealed. The ALRC recommended
that, instead, credit reporting should be regulated under the general
provisions of the Privacy Act, the model Unified Privacy Principles (UPPs)[16]
and new regulations under the Privacy Act. It was anticipated that the
regulations would 'impose obligations on credit reporting agencies and credit
providers with respect to the handling of credit reporting information'. The
ALRC was of the view that the new regulations should only address requirements
that are different or more specific than those provided for in the model UPPs[17]
(Recommendation 54–2).[18]
2.15
'Credit reporting information' was defined in Recommendation 54–3 and a
simplified definition of 'credit provider' was also recommended (Recommendation
54–4).[19]
2.16
The ALRC recommended that the reporting of personal information about
foreign credit and the disclosure of credit reporting information to foreign
credit providers be excluded (Recommendation 54–5), subject to the Privacy
Commissioner being empowered to approve reporting of personal information about
foreign credit, and the disclosure of credit reporting information to foreign
credit providers in defined circumstances (Recommendation 54–7).[20]
2.17
The ALRC report also recommended 'that a credit reporting code providing
detailed guidance within the framework provided by the Act and the regulations
be developed by credit reporting agencies and credit providers, in consultation
with consumer groups and regulators, including the OPC' (Recommendation 54–9).[21]
2.18
The Government accepted ALRC Recommendations 54–2, 54–3, 54–4 and 54–5.
Recommendation 54–9 was accepted with amendment while Recommendations 54–6 and
54–8 were accepted in principle. Recommendation 54–1 and 54–7 were not
accepted.
2.19
In relation to Recommendation 54–1, the Government was of the view that
regulation of credit reporting should primarily continue under the Privacy Act,
rather than in regulations. The Government recognised the need to address the
complexities of Part IIIA of the Privacy Act through redrafting.[22]
The Government did not accept the ALRC's recommendation that, in defined
circumstances, the Privacy Commissioner should be able to approve the reporting
of personal information about foreign credit, believing that any exceptions
should be adopted by legislative amendment (Recommendation 54–7). In addition,
the Government signalled its intention to define circumstances, under the
Privacy Act, in which credit information could be shared with New Zealand.[23]
2.20
The Government accepted, with amendment, the ALRC recommendation to
develop a credit reporting code (Recommendation 54–9). The Government added
that the Privacy Act will outline the matters to be addressed by the code, that
the code will replace the current Credit Reporting Code of Conduct, that the
code will not override or have lesser provisions than the Privacy Act, that the
code will be binding on any organisation or agency wishing to be involved in
credit reporting, and that the code will be approved by the Privacy
Commissioner.[24]
More comprehensive credit reporting
2.21
The current Privacy Act restricts the kinds of information that can be
collected and disclosed in the course of credit reporting.[25]
Principally, although not exclusively, this information is restricted to that which
detracts from an individual's credit worthiness, such as defaulting on a loan.
2.22
The ALRC gave consideration to extending the kinds of personal
information that may be collected and disclosed under the Privacy Act, in
particular an individual's current credit commitments and/or repayment
performance. Although many people use the terms 'negative' and 'positive'
credit reporting to distinguish between the current system and an expanded
collecting provision, the ALRC eschewed these terms as being too confusing. The
ALRC argued that the terms wrongly imply that one system would advantage, and
one would disadvantage, a creditor when this is not necessarily the case. The
ALRC opted the term 'more comprehensive' credit reporting as it more accurately
conveys two matters: that the expanded information will not necessarily assist,
or hamper, an individual's application for credit; and that the information is
not exhaustive but merely 'more comprehensive'.[26]
2.23
The ALRC made it clear that 'more comprehensive' credit reporting must
be considered at the same time as other regulatory issues including 'data
quality of credit reporting information, dispute resolution and penalties for
the unauthorised use or disclosure of such information'.[27]
2.24
The ALRC consulted extensively with stakeholders, received advice from a
Credit Reporting Advisory Sub-committee and examined a variety of models of
more comprehensive credit reporting.[28]
Those consulted argued that a number of benefits may accrue from a more
comprehensive credit reporting regime, including improved risk assessment,
increased competition and efficiency in credit markets, decreased levels of over-indebtedness
and default, and more responsible lending. Some organisations consulted by the ALRC
challenged some of these claimed benefits, arguing that the benefits that may
accrue as a result of more comprehensive credit reporting would be outweighed
by information privacy and security concerns.[29]
2.25
The ALRC concluded that there should be an extension of the types of
personal information that may be collected for credit reporting purposes. It
was anticipated that this would be regulated under new Privacy (Credit
Reporting Information) Regulations (the regulations).[30]
Five related recommendations were made by the ALRC on this issue. In summary,
these included:
- an extension of currently permitted categories of personal
information to include the type of each credit account opened, the date on
which each credit account was opened, the current limit of each open credit
account, and the date on which each credit account was closed (Recommendation
55–1);
- provision in the regulations for the deletion of this information
two years after an account is closed (Recommendation 55–5);
- permitting credit reporting information to include an
individual's repayment performance history indicating whether over the prior
two years the individual was meeting their repayment obligations for each
repayment cycle, or if not the number of repayment cycles the individual was in
arrears (Recommendation 55–2). This recommendation was made subject to the
Australian Government satisfying itself that there is an adequate framework
imposing responsible lending obligations in Commonwealth, state and territory
legislation (Recommendation 55–3); and
- that the credit reporting code should set out procedures for
reporting payment performance history, within parameters set by the regulations
(Recommendation 55–4).[31]
2.26
The Government accepted all the ALRC's recommendations except
Recommendation 55–4 which was accepted in principle. The Government noted that
it should be clearly set out in the Privacy Act when a 'missed repayment' will
be deemed to occur. The Government indicated that it would seek further views
from stakeholders about the preferred approach to be taken in relation to when
a repayment is 'missed'. In addition, 'given the significance that will be
attributed to how repayment history is listed and the accompanying notices
provided with this listing', the Government indicated that these matters will
be set out in the regulations rather than in the binding industry code.[32]
Collection and permitted content of
credit reporting information
2.27
The ALRC noted that the current provisions of the Privacy Act in relation
to the collection, and notification of collection, of information in credit
information files and credit reports are at odds with the 'collection' and
'notification' principles of the model UPPs.[33]
The ALRC recommended that 'the new Privacy (Credit Reporting Information)
Regulations should prescribe an exhaustive list of the categories of
personal information that are permitted to be included in credit reporting
information'. It was recommended that these should be based on the existing
provisions of the Privacy Act, subject to specific changes (Recommendation
56–1).[34]
In summary, these recommended changes include:
- an extension of currently permitted information related to the
type of each credit account opened, the date on which each credit account was
opened, the current limit of each open credit account and the date on which
each credit account was closed, as detailed above (based on Recommendation 55–1);[35]
- permitting of credit reporting information to include an
individual's repayment performance history, as detailed above (based on Recommendation
55–2);[36]
- prohibiting credit reporting agencies from listing overdue
payments of less than a prescribed amount (Recommendation 56–2), or including
information about presented and dishonoured cheques (Recommendation 56–3); or
collecting 'sensitive information', as defined in the Privacy Act (Recommendation
56–8);[37]
- permitting credit reporting information including personal
insolvency information recorded on the National Personal Insolvency Index
(NPII) administered under the Bankruptcy Regulations 1966 (Recommendation 56-4);[38]
- permitting the listing of a 'serious credit infringement' based
on the definition in the Privacy Act, amended so that the credit provider is
required to have taken reasonable steps to contact the individual before
reporting a serious credit infringement (Recommendation 56–6);[39]
and
- prohibiting the collection in credit reporting information of
information about individuals who the credit provider or credit reporting
agency knows, or reasonably should know, to be under the age of 18 (Recommendation
56–9).[40]
2.28
Additionally, the ALRC recommended:
- credit reporting agencies should ensure that credit reports
adequately differentiate the forms of administration identified on the NPII,
and accurately reflect the relevant information recorded on the NPII, as
updated from time to time (Recommendation 56–5);[41]
and
- the Office of the Privacy Commissioner should develop and publish
guidance on the criteria that need to be satisfied before a serious credit
infringement can be listed (Recommendation 56–7) including interpretations of
'serious', establishing whether reasonable steps to contact an individual have
been taken, whether serious credit infringements should be listed if they are
the subject of either a dispute or dispute resolution, and obligations on
credit providers and individuals in proving or disproving serious credit
infringements.[42]
2.29
The ALRC examined the 'notification' principle in the UPPs and in Part
IIIA of the Privacy Act and arrived at the view that provisions dealing with
notification should be incorporated in the proposed regulations, albeit in
a form that is more prescriptive regarding the timing of notification than
existing provisions.
2.30
The ALRC recommended (Recommendation 56–10) that notification should
occur 'at or before the time personal information to be disclosed to a credit
reporting agency is collected about an individual' with an onus on credit
providers to take steps to ensure the individual is aware of the:
- identity and contact details of the credit reporting agency;
- rights of access to, and correction of, credit reporting
information provided by the regulations; and
- actual or types of organisations, agencies, entities or persons
to whom the credit reporting agency usually discloses credit reporting
information.[43]
2.31
Similarly, in relation to notification of disclosure of overdue payment
information, it was recommended (Recommendation 56–11) that:
...a credit provider, before disclosing overdue payment
information to a credit reporting agency, must have taken reasonable steps to
ensure that the individual concerned is aware of the intention to report the
information.[44]
2.32
The Government accepted Recommendations 56–1, 56–2, 56–3, 56–5, 56–6, 56–8,
56–9, 56–10), accepted in principle Recommendations 56–4 and 56–7 and accepted Recommendation
56–11 with amendment.
2.33
The Government accepted in principle the ALRC recommendation
(Recommendation 56–4) that credit reporting information be permitted to include
personal insolvency information recorded on the NPII, further specifying four
categories of allowable information. The Government noted that there is a need
to clarify what can currently be listed as credit reporting information from
the NPII. It agreed that proposals to include information about debt agreement
proposals may be included in credit reporting information, but that this should
be removed if the proposal is unsuccessful.[45]
2.34
In relation to serious credit infringements, the Government accepted
that these can be reported, providing reasonable steps to contact the
individual are taken beforehand (Recommendation 56–6). However, rather than
accepting the ALRC recommendation that the Privacy Commissioner develop and
publish guidance to be satisfied prior to listing (Recommendation 56–7), the
Government was of the view that this should regulated by the binding industry
code.[46]
2.35
The Government accepted, with amendment, the ALRC recommendation that
credit reporting agencies take reasonable steps, prior to disclosing overdue
payments, to ensure an individual is aware of the intention to report the
information (Recommendation 56–11). However,
the Government was of the view, subject to further consultation with
stakeholders, that the notification obligation should also be extended to 'missed'
payments.[47]
Use and disclosure of credit
reporting information
2.36
The ALRC observed that Part IIIA of the Privacy Act exhaustively
prescribes more than 50 different circumstances in which the use or disclosure
of personal information is authorised. The ALRC was of the view that this could
be significantly simplified and consolidated in the new regulations. The ALRC
recommended (Recommendation 57–1) that the new regulations 'provide a
simplified list of circumstances in which a credit reporting agency or credit
provider may use or disclose credit reporting information'.[48]
2.37
The ALRC noted that 'the use and disclosure of credit reporting
information is potentially useful for a wide range of secondary purposes'.
However, they were of the view that a general allowance of use and disclosure
of credit reporting information for secondary purposes was overly broad. The
ALRC recommended (Recommendation 57–2) that such use or disclosure should be:
...for a secondary purpose related to the assessment of an
application for credit or the management of an existing credit account, where
the individual concerned would reasonably expect such use or disclosure.[49]
2.38
The ALRC considered whether 'pre-screening' of credit reports by credit
providers for the purpose of excluding individuals from direct marketing offers
(such as an offer to increase credit limits) contravenes a prohibition in the Privacy
Act against direct marketing.[50]
The ALRC noted that the current legal position under the Privacy Act was
complex and that whereas pre-screening could be used to assist responsible
lending practices it could also be used to market credit more aggressively. The
ALRC recommended (Recommendation 57–3) that the new regulations 'should
prohibit the use or disclosure of credit reporting information for the purposes
of direct marketing, including the pre-screening of direct marketing lists'.[51]
2.39
The ALRC deliberated whether statutory obligations imposed upon credit
providers and others to verify customer identity, including under the Anti-Money
Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), could or
should be fulfilled through credit reporting information held by credit
reporting agencies.[52]
The Privacy Act places detailed limits on the disclosure of personal
information by credit reporting agencies and the use of personal information by
credit providers, and there is no express provision for identity verification. The
ALRC recommended (Recommendation 57–4) that rather than introducing unnecessary
complexity into the new regulations, the issue could be dealt with by express
authorisation under the AML/CTF Act.[53]
2.40
The ALRC examined whether credit reporting regulation should address the
increasingly prevalent problem of identity theft, and what kind of action would
provide most effective protection for an individual who claimed they had experienced
theft of their identity. They recommended (Recommendation 57–5) that the new
regulations 'should provide individuals with a right to prohibit for a
specified period the disclosure by a credit reporting agency of credit
reporting information about them without their express authorisation'.[54]
2.41
The Government accepted Recommendation 57–1 but did not accept Recommendation
57–2 regarding the use or disclosure of information for a secondary purpose.
The Government was of the view that this recommendation would 'significantly
reduce the value of the credit reporting provisions to promote transparency and
consistency', and would be contrary to the requirement to have defined uses and
disclosures as outlined in ALRC recommendation 57–1. However, additional uses
and disclosures will be permitted in the public interest, for the benefit of
the individuals concerned, or for research in the public interest using
de-identified information under rules developed by the Privacy Commissioner.[55]
2.42
The Government accepted in part the ALRC's recommendation prohibiting
the use or disclosure of credit reporting information for direct marketing (Recommendation
57–3). The Government did not agree with the prohibition on pre-screening of
direct marketing lists; rather, the Government was of the view that
pre-screening should be expressly permitted, but only for the purpose of
excluding adverse credit risks from marketing lists, and subject to a list of
specific requirements.[56]
2.43
The Government accepted in principle Recommendation 57–4 that credit
reporting agencies be allowed to use and disclose credit reporting information
for electronic identity verification under the AML/CTF Act. However, the
Government stipulated this should be subject to adequate privacy protections
being put in place.[57]
2.44
The Government did not accept Recommendation 57–6 that there should be
no provision limiting disclosure of personal information in 'reports' related
to credit worthiness. The Government stated that this provision should be
maintained in order that credit providers should continue to be restricted from
disclosing 'credit worthiness' information. The Government, however,
acknowledged that the current definition of a 'report' about an individual's
credit worthiness is too broad and will be 'revised to only apply to
information that is similar to information maintained about a credit
reporting agency...or information that is about an individual's credit
accounts'.[58]
Data quality and security
2.45
The ALRC was of the view that there was no necessity to include general
data quality obligations in the new regulations as this is adequately addressed
by the 'Data Quality' principle in the model UPPs. In the case of specific,
serious and well-defined data quality concerns the ALRC argued that there may
be a case for inclusion of obligations in the new regulations or in the credit
reporting code.[59]
2.46
In relation to overdue payments, the ALRC recommended that in the case
of expiry of a relevant statutory limitation period, or where a credit provider
is prevented by law from bringing proceedings for recovery of an overdue
payment, there should be an express prohibition on listing any overdue payment.[60]
However, the ALRC recommended (Recommendation 58–2) that where an individual
has entered into a new arrangement with a credit provider to repay an existing
debt that this may be listed and remain part of the individual's credit reporting
information for the full five years permissible under the regulations.[61]
2.47
The ALRC was of the view that, in general, detailed data quality
requirements are better dealt with under the recommended credit reporting code
than by regulation. The ALRC recommended (Recommendation 58–3) that the credit
reporting code should promote data quality through procedures dealing with
timeliness and calculation of overdue payments for credit reporting purposes,
obligations to prevent multiple listings of the same debt, updating of credit
reporting information and the linking of credit reporting information relating
to individuals who may or may not be the same individual.[62]
2.48
The ALRC considered the issue of data quality obligations of credit
reporting agencies, concluding that the agencies 'should take more
responsibility for ensuring data quality'. The report noted that:
Consumer groups have expressed concerns that there are no
adequate incentives for credit reporting agencies or credit providers to
correct systemic flaws in the credit reporting system, in part because the cost
of dealing with a small number of complaints is less than the cost of ensuring
the data is accurate in the first place.[63]
2.49
The ALRC recommended (Recommendation 58–4) that the new regulations
'impose obligations on credit reporting agencies to monitor the data quality of
information provided to them by credit providers, including through audit' and
'that credit reporting agencies must enter into agreements with credit
providers that contain obligations to ensure the security of credit reporting
information', as well as that possible breaches of the agreements and controls
should be identified and investigated.[64]
2.50
The ALRC also recommended that the new regulations should provide for
the deletion by credit reporting agencies of certain information after
specified periods of time: different categories of credit reporting information
after the expiry of 'maximum permissible periods', based on those currently
provided for in the Privacy Act (Recommendation 58–5); and, certain information
about voluntary arrangements with creditors under provisions of the Bankruptcy
Act 1966 five years from the date of the arrangement as recorded on the
NPII (Recommendation 58–6).[65]
2.51
The Government accepted all recommendations except Recommendation 58-6.
While the Government agreed that a five year retention period for information
about voluntary arrangements was sufficient, it was of the mind that all
bankruptcy information should be treated equally, and therefore proposed that
all bankruptcy information be listed for the same period of five years, even
where a bankruptcy order is longer. Additionally, if an individual completes a
voluntary arrangement early they should be able to request a note to the
listing of the arrangement to that effect.[66]
Access and correction, complaint
handling and penalties
2.52
The ALRC was of the view that 'individuals should have unfettered rights
of access to their credit reporting information'. They were also keen to ensure
that in the future the current situation where major credit reporting agencies
provide credit reporting information free of charge to the individuals
concerned was guaranteed. Consequently they recommended (Recommendation 59–1)
that the new regulations should provide individuals with the right to access
their credit reporting information, based upon current provisions in the Privacy
Act, and 'that credit reporting agencies must provide individuals, on
request, with one free copy of their credit reporting information annually'
(Recommendation 59–2).[67]
2.53
The ALRC also recommended (Recommendation 59–3) that an individual's
rights of access to credit reporting information may be exercised for a
credit-related purpose by a person authorised in writing.[68]
2.54
The ALRC recommended (Recommendation 59–4) that where a credit provider
refuses an application for credit based wholly or partly on credit reporting,
it must notify the individual,[69]
and that in these circumstances information must be provided on the avenues of
complaint available to the individual if they have a complaint about the
content of their credit reporting information (Recommendation 59–6). Further,
the ALRC recommended (Recommendation 59–5) that credit reporting agencies and
credit providers establish procedures to deal with credit reporting complaints,
and where unable to resolve complaints inform the individual of that fact and
that the individual may complain to an external dispute resolution scheme or
the Privacy Commissioner.[70]
2.55
The ALRC also recommended (Recommendation 59–8) that within 30 days,
evidence to substantiate disputed credit reporting information must be provided
to the individual, or the matter referred to a Privacy Commissioner-recognised
external dispute resolution scheme. If these requirements are not met, the
credit reporting agency must delete or correct the information on request of
the individual.[71]
Further, the ALRC recommended (Recommendation 59–7) that only credit providers
who were members of a Privacy Commissioner-recognised external dispute
resolution be able to list overdue payments or repayment performance history.[72]
2.56
The Government accepted Recommendations 59–1, 59–3, 59–4, 59–6, 59–8,
and 59–9. While the Government accepted in principle Recommendation 59–2 regarding
the provision of one free copy of an individual's credit reporting information
annually, it stated that details on timeframes and the form of access should be
addressed by the binding industry code.[73]
2.57
The Government accepted, in part, Recommendation 59–5 and stated that
the Privacy Act should outline the overarching requirements and be supported by
the binding industry code for details of procedures required between credit
reporting agencies and credit providers. The onus to resolve a dispute should
be on the first contacted party in order for there to be clear
responsibilities, and to avoid the complainant having to go back and forth
between parties. The first contacted party would have the responsibility to
liaise with all other parties.[74]
2.58
Recommendation 59–7 was accepted with amendment. The Government noted
that there was significant justification to extend the requirement to be a
member of such a scheme to all credit reporting agencies and credit providers.[75]
Navigation: Previous Page | Contents | Next Page