Chapter 2

Chapter 2



2.1        Currently, provisions relating to consumer credit reporting are contained in Part IIIA and associated provisions of the Privacy Act 1988 (the Privacy Act). The credit reporting provisions regulate the collection, use and disclosure of personal information concerning credit that is intended to be used wholly or primarily for domestic, family or household purposes. Commercial credit information is only incidentally regulated by the Privacy Act.

2.2        Credit reporting involves providing information about an individual's credit worthiness to banks, finance companies and other credit providers, such as retail businesses that issue credit cards or allow individuals to have goods or services on credit. Credit reporting is generally conducted by specialised credit reporting agencies that collect and disclose information about potential borrowers, usually in order to assist credit providers to assess applications.[1]

2.3        Credit reporting agencies gather information from credit providers and publicly available information. This information is stored in central databases and is used to generate credit reporting information for credit providers. Credit providers use the information provided by credit reporting agencies as well as information from the individual's application form and the credit provider's own records to assess credit applications. In addition, credit reporting agencies provide information processing services that assist credit providers to assess credit applications. Credit reporting agencies also use their databases in credit scoring systems.

2.4        There are three credit reporting agencies in Australia: Veda Advantage; Dun & Bradstreet; and the Tasmanian Collection Service. A fourth credit reporting agency, Experian Australia Credit Services entered the market in August 2011.

2.5        The following discussion provides an overview of the context of the current inquiry, a synopsis of the Australian Law Reform Commission's (ALRC) review of credit reporting and privacy requirements and ensuing recommendations, and a summary of the Government's response to the ALRC recommendations.[2]

Context of the current inquiry

2.6        On 30 January 2006, the Government requested that the ALRC undertake a comprehensive review of the Privacy Act. The ALRC provided its report on the review to the Government in May 2008.[3]

2.7        In October 2009, the Government provided a 'First Stage Response' to the ALRC's recommendations. The focus of the first stage response was 'to establish the foundations for an enhanced privacy framework'.[4] The Government's response to the ALRC review addressed four areas of reform of the Privacy Act: the Privacy Principles; Office of the Privacy Commissioner;[5] credit reporting provisions; and health services and research.

2.8        The first of these four areas of proposed reform of the privacy regime – the Privacy Principles – was addressed by the Government with the release of the Australian Privacy Principles Exposure Draft provisions in June 2010. These provisions were referred to the committee on 24 June 2010. The committee tabled its report, Exposure Drafts of Australian Privacy Amendment Legislation: Part 1 Australian Privacy Principles in June 2011.[6] The report provided background to the Privacy Act and reviews of the Privacy Act, examined the 13 draft Australian Privacy Principles (APPs) and made 29 recommendations. The recommendations included redrafting of the principles to improve clarity, the provision of guidance on definitions and explanatory material, the inclusion of agency specific provisions, and that the Office of the Australian Information Commissioner undertake a review of agency voluntary data matching guidelines with a view to an extension of APP 9 to agencies.[7]

2.9        The Exposure Draft for the second of the four areas of proposed reform, credit reporting, was received by the President of the Senate on 1 February 2011 and was tabled in the Senate on 9 February 2011.

2.10      While the ALRC was undertaking its review of the Privacy Act, the Council of Australian Governments (COAG) agreed, in 2008, that the Commonwealth take responsibility from the states for regulating the credit industry.[8] The National Consumer Credit Protection Act 2009 and the National Consumer Credit Protection Act Amendment (Home Loans and Credit Cards) Act 2011 were passed pursuant to this agreement.

The ALRC's review of credit reporting and privacy requirements

Current credit reporting provisions

2.11      The Privacy Amendment Act 1990 extended coverage of the Privacy Act to consumer credit reporting and introduced privacy protections in relation to consumer credit records. A number of further amendments have since been made to the credit reporting provisions of the Privacy Act.[9] The Privacy Act also empowers the Privacy Commissioner to issue a binding Code of Conduct. A Credit Reporting Code of Conduct (the Code) came into effect on 24 September 1991.[10] Over the years a variety of amendments to the Code have been made; some of these reflect amendments to the credit reporting provisions of the Privacy Act.[11]

2.12      The main provisions relating to credit reporting provide for:[12]

The ALRC recommendations and the Government Response

2.13      The ALRC made a total of 46 recommendations relating to the credit reporting. These recommendations addressed approaches to reform, more comprehensive credit reporting, collection and permitted content of credit reporting information, use and disclosure of credit reporting information, data quality and security, access to and correction of information, complaint handling and penalties.

Approach to reform

2.14      The ALRC report recommended (Recommendation 54–1) that the credit reporting provisions (Part IIIA) of the Privacy Act be repealed. The ALRC recommended that, instead, credit reporting should be regulated under the general provisions of the Privacy Act, the model Unified Privacy Principles (UPPs)[16] and new regulations under the Privacy Act. It was anticipated that the regulations would 'impose obligations on credit reporting agencies and credit providers with respect to the handling of credit reporting information'. The ALRC was of the view that the new regulations should only address requirements that are different or more specific than those provided for in the model UPPs[17] (Recommendation 54–2).[18]

2.15      'Credit reporting information' was defined in Recommendation 54–3 and a simplified definition of 'credit provider' was also recommended (Recommendation 54–4).[19]

2.16      The ALRC recommended that the reporting of personal information about foreign credit and the disclosure of credit reporting information to foreign credit providers be excluded (Recommendation 54–5), subject to the Privacy Commissioner being empowered to approve reporting of personal information about foreign credit, and the disclosure of credit reporting information to foreign credit providers in defined circumstances (Recommendation 54–7).[20]

2.17      The ALRC report also recommended 'that a credit reporting code providing detailed guidance within the framework provided by the Act and the regulations be developed by credit reporting agencies and credit providers, in consultation with consumer groups and regulators, including the OPC' (Recommendation 54–9).[21]

2.18      The Government accepted ALRC Recommendations 54–2, 54–3, 54–4 and 54–5. Recommendation 54–9 was accepted with amendment while Recommendations 54–6 and 54–8 were accepted in principle. Recommendation 54–1 and 54–7 were not accepted.

2.19      In relation to Recommendation 54–1, the Government was of the view that regulation of credit reporting should primarily continue under the Privacy Act, rather than in regulations. The Government recognised the need to address the complexities of Part IIIA of the Privacy Act through redrafting.[22] The Government did not accept the ALRC's recommendation that, in defined circumstances, the Privacy Commissioner should be able to approve the reporting of personal information about foreign credit, believing that any exceptions should be adopted by legislative amendment (Recommendation 54–7). In addition, the Government signalled its intention to define circumstances, under the Privacy Act, in which credit information could be shared with New Zealand.[23]

2.20      The Government accepted, with amendment, the ALRC recommendation to develop a credit reporting code (Recommendation 54–9). The Government added that the Privacy Act will outline the matters to be addressed by the code, that the code will replace the current Credit Reporting Code of Conduct, that the code will not override or have lesser provisions than the Privacy Act, that the code will be binding on any organisation or agency wishing to be involved in credit reporting, and that the code will be approved by the Privacy Commissioner.[24]

More comprehensive credit reporting

2.21      The current Privacy Act restricts the kinds of information that can be collected and disclosed in the course of credit reporting.[25] Principally, although not exclusively, this information is restricted to that which detracts from an individual's credit worthiness, such as defaulting on a loan.

2.22      The ALRC gave consideration to extending the kinds of personal information that may be collected and disclosed under the Privacy Act, in particular an individual's current credit commitments and/or repayment performance. Although many people use the terms 'negative' and 'positive' credit reporting to distinguish between the current system and an expanded collecting provision, the ALRC eschewed these terms as being too confusing. The ALRC argued that the terms wrongly imply that one system would advantage, and one would disadvantage, a creditor when this is not necessarily the case. The ALRC opted the term 'more comprehensive' credit reporting as it more accurately conveys two matters: that the expanded information will not necessarily assist, or hamper, an individual's application for credit; and that the information is not exhaustive but merely 'more comprehensive'.[26]

2.23      The ALRC made it clear that 'more comprehensive' credit reporting must be considered at the same time as other regulatory issues including 'data quality of credit reporting information, dispute resolution and penalties for the unauthorised use or disclosure of such information'.[27]

2.24      The ALRC consulted extensively with stakeholders, received advice from a Credit Reporting Advisory Sub-committee and examined a variety of models of more comprehensive credit reporting.[28] Those consulted argued that a number of benefits may accrue from a more comprehensive credit reporting regime, including improved risk assessment, increased competition and efficiency in credit markets, decreased levels of over-indebtedness and default, and more responsible lending. Some organisations consulted by the ALRC challenged some of these claimed benefits, arguing that the benefits that may accrue as a result of more comprehensive credit reporting would be outweighed by information privacy and security concerns.[29]

2.25      The ALRC concluded that there should be an extension of the types of personal information that may be collected for credit reporting purposes. It was anticipated that this would be regulated under new Privacy (Credit Reporting Information) Regulations (the regulations).[30] Five related recommendations were made by the ALRC on this issue. In summary, these included:

2.26      The Government accepted all the ALRC's recommendations except Recommendation 55–4 which was accepted in principle. The Government noted that it should be clearly set out in the Privacy Act when a 'missed repayment' will be deemed to occur. The Government indicated that it would seek further views from stakeholders about the preferred approach to be taken in relation to when a repayment is 'missed'. In addition, 'given the significance that will be attributed to how repayment history is listed and the accompanying notices provided with this listing', the Government indicated that these matters will be set out in the regulations rather than in the binding industry code.[32]

Collection and permitted content of credit reporting information

2.27      The ALRC noted that the current provisions of the Privacy Act in relation to the collection, and notification of collection, of information in credit information files and credit reports are at odds with the 'collection' and 'notification' principles of the model UPPs.[33] The ALRC recommended that 'the new Privacy (Credit Reporting Information) Regulations should prescribe an exhaustive list of the categories of personal information that are permitted to be included in credit reporting information'. It was recommended that these should be based on the existing provisions of the Privacy Act, subject to specific changes (Recommendation 56–1).[34] In summary, these recommended changes include:

2.28      Additionally, the ALRC recommended:

2.29      The ALRC examined the 'notification' principle in the UPPs and in Part IIIA of the Privacy Act and arrived at the view that provisions dealing with notification should be incorporated in the proposed regulations, albeit in a form that is more prescriptive regarding the timing of notification than existing provisions.

2.30      The ALRC recommended (Recommendation 56–10) that notification should occur 'at or before the time personal information to be disclosed to a credit reporting agency is collected about an individual' with an onus on credit providers to take steps to ensure the individual is aware of the:

2.31      Similarly, in relation to notification of disclosure of overdue payment information, it was recommended (Recommendation 56–11) that:

...a credit provider, before disclosing overdue payment information to a credit reporting agency, must have taken reasonable steps to ensure that the individual concerned is aware of the intention to report the information.[44]

2.32      The Government accepted Recommendations 56–1, 56–2, 56–3, 56–5, 56–6, 56–8, 56–9, 56–10), accepted in principle Recommendations 56–4 and 56–7 and accepted Recommendation 56–11 with amendment.

2.33      The Government accepted in principle the ALRC recommendation (Recommendation 56–4) that credit reporting information be permitted to include personal insolvency information recorded on the NPII, further specifying four categories of allowable information. The Government noted that there is a need to clarify what can currently be listed as credit reporting information from the NPII. It agreed that proposals to include information about debt agreement proposals may be included in credit reporting information, but that this should be removed if the proposal is unsuccessful.[45]

2.34      In relation to serious credit infringements, the Government accepted that these can be reported, providing reasonable steps to contact the individual are taken beforehand (Recommendation 56–6). However, rather than accepting the ALRC recommendation that the Privacy Commissioner develop and publish guidance to be satisfied prior to listing (Recommendation 56–7), the Government was of the view that this should regulated by the binding industry code.[46]

2.35      The Government accepted, with amendment, the ALRC recommendation that credit reporting agencies take reasonable steps, prior to disclosing overdue payments, to ensure an individual is aware of the intention to report the information (Recommendation 56–11). However, the Government was of the view, subject to further consultation with stakeholders, that the notification obligation should also be extended to 'missed' payments.[47]

Use and disclosure of credit reporting information

2.36      The ALRC observed that Part IIIA of the Privacy Act exhaustively prescribes more than 50 different circumstances in which the use or disclosure of personal information is authorised. The ALRC was of the view that this could be significantly simplified and consolidated in the new regulations. The ALRC recommended (Recommendation 57–1) that the new regulations 'provide a simplified list of circumstances in which a credit reporting agency or credit provider may use or disclose credit reporting information'.[48]

2.37      The ALRC noted that 'the use and disclosure of credit reporting information is potentially useful for a wide range of secondary purposes'. However, they were of the view that a general allowance of use and disclosure of credit reporting information for secondary purposes was overly broad. The ALRC recommended (Recommendation 57–2) that such use or disclosure should be:

...for a secondary purpose related to the assessment of an application for credit or the management of an existing credit account, where the individual concerned would reasonably expect such use or disclosure.[49]

2.38      The ALRC considered whether 'pre-screening' of credit reports by credit providers for the purpose of excluding individuals from direct marketing offers (such as an offer to increase credit limits) contravenes a prohibition in the Privacy Act against direct marketing.[50] The ALRC noted that the current legal position under the Privacy Act was complex and that whereas pre-screening could be used to assist responsible lending practices it could also be used to market credit more aggressively. The ALRC recommended (Recommendation 57–3) that the new regulations 'should prohibit the use or disclosure of credit reporting information for the purposes of direct marketing, including the pre-screening of direct marketing lists'.[51]

2.39      The ALRC deliberated whether statutory obligations imposed upon credit providers and others to verify customer identity, including under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), could or should be fulfilled through credit reporting information held by credit reporting agencies.[52] The Privacy Act places detailed limits on the disclosure of personal information by credit reporting agencies and the use of personal information by credit providers, and there is no express provision for identity verification. The ALRC recommended (Recommendation 57–4) that rather than introducing unnecessary complexity into the new regulations, the issue could be dealt with by express authorisation under the AML/CTF Act.[53]

2.40      The ALRC examined whether credit reporting regulation should address the increasingly prevalent problem of identity theft, and what kind of action would provide most effective protection for an individual who claimed they had experienced theft of their identity. They recommended (Recommendation 57–5) that the new regulations 'should provide individuals with a right to prohibit for a specified period the disclosure by a credit reporting agency of credit reporting information about them without their express authorisation'.[54]

2.41      The Government accepted Recommendation 57–1 but did not accept Recommendation 57–2 regarding the use or disclosure of information for a secondary purpose. The Government was of the view that this recommendation would 'significantly reduce the value of the credit reporting provisions to promote transparency and consistency', and would be contrary to the requirement to have defined uses and disclosures as outlined in ALRC recommendation 57–1. However, additional uses and disclosures will be permitted in the public interest, for the benefit of the individuals concerned, or for research in the public interest using de-identified information under rules developed by the Privacy Commissioner.[55]

2.42      The Government accepted in part the ALRC's recommendation prohibiting the use or disclosure of credit reporting information for direct marketing (Recommendation 57–3). The Government did not agree with the prohibition on pre-screening of direct marketing lists; rather, the Government was of the view that pre-screening should be expressly permitted, but only for the purpose of excluding adverse credit risks from marketing lists, and subject to a list of specific requirements.[56]

2.43      The Government accepted in principle Recommendation 57–4 that credit reporting agencies be allowed to use and disclose credit reporting information for electronic identity verification under the AML/CTF Act. However, the Government stipulated this should be subject to adequate privacy protections being put in place.[57]

2.44      The Government did not accept Recommendation 57–6 that there should be no provision limiting disclosure of personal information in 'reports' related to credit worthiness. The Government stated that this provision should be maintained in order that credit providers should continue to be restricted from disclosing 'credit worthiness' information. The Government, however, acknowledged that the current definition of a 'report' about an individual's credit worthiness is too broad and will be 'revised to only apply to information that is similar to information maintained about a credit reporting agency...or information that is about an individual's credit accounts'.[58]

Data quality and security

2.45      The ALRC was of the view that there was no necessity to include general data quality obligations in the new regulations as this is adequately addressed by the 'Data Quality' principle in the model UPPs. In the case of specific, serious and well-defined data quality concerns the ALRC argued that there may be a case for inclusion of obligations in the new regulations or in the credit reporting code.[59]

2.46      In relation to overdue payments, the ALRC recommended that in the case of expiry of a relevant statutory limitation period, or where a credit provider is prevented by law from bringing proceedings for recovery of an overdue payment, there should be an express prohibition on listing any overdue payment.[60] However, the ALRC recommended (Recommendation 58–2) that where an individual has entered into a new arrangement with a credit provider to repay an existing debt that this may be listed and remain part of the individual's credit reporting information for the full five years permissible under the regulations.[61]

2.47      The ALRC was of the view that, in general, detailed data quality requirements are better dealt with under the recommended credit reporting code than by regulation. The ALRC recommended (Recommendation 58–3) that the credit reporting code should promote data quality through procedures dealing with timeliness and calculation of overdue payments for credit reporting purposes, obligations to prevent multiple listings of the same debt, updating of credit reporting information and the linking of credit reporting information relating to individuals who may or may not be the same individual.[62]

2.48      The ALRC considered the issue of data quality obligations of credit reporting agencies, concluding that the agencies 'should take more responsibility for ensuring data quality'. The report noted that:

Consumer groups have expressed concerns that there are no adequate incentives for credit reporting agencies or credit providers to correct systemic flaws in the credit reporting system, in part because the cost of dealing with a small number of complaints is less than the cost of ensuring the data is accurate in the first place.[63]

2.49      The ALRC recommended (Recommendation 58–4) that the new regulations 'impose obligations on credit reporting agencies to monitor the data quality of information provided to them by credit providers, including through audit' and 'that credit reporting agencies must enter into agreements with credit providers that contain obligations to ensure the security of credit reporting information', as well as that possible breaches of the agreements and controls should be identified and investigated.[64]

2.50      The ALRC also recommended that the new regulations should provide for the deletion by credit reporting agencies of certain information after specified periods of time: different categories of credit reporting information after the expiry of 'maximum permissible periods', based on those currently provided for in the Privacy Act (Recommendation 58–5); and, certain information about voluntary arrangements with creditors under provisions of the Bankruptcy Act 1966 five years from the date of the arrangement as recorded on the NPII (Recommendation 58–6).[65]

2.51      The Government accepted all recommendations except Recommendation 58-6. While the Government agreed that a five year retention period for information about voluntary arrangements was sufficient, it was of the mind that all bankruptcy information should be treated equally, and therefore proposed that all bankruptcy information be listed for the same period of five years, even where a bankruptcy order is longer. Additionally, if an individual completes a voluntary arrangement early they should be able to request a note to the listing of the arrangement to that effect.[66]

Access and correction, complaint handling and penalties

2.52      The ALRC was of the view that 'individuals should have unfettered rights of access to their credit reporting information'. They were also keen to ensure that in the future the current situation where major credit reporting agencies provide credit reporting information free of charge to the individuals concerned was guaranteed. Consequently they recommended (Recommendation 59–1) that the new regulations should provide individuals with the right to access their credit reporting information, based upon current provisions in the Privacy Act, and 'that credit reporting agencies must provide individuals, on request, with one free copy of their credit reporting information annually' (Recommendation 59–2).[67]

2.53      The ALRC also recommended (Recommendation 59–3) that an individual's rights of access to credit reporting information may be exercised for a credit-related purpose by a person authorised in writing.[68]

2.54      The ALRC recommended (Recommendation 59–4) that where a credit provider refuses an application for credit based wholly or partly on credit reporting, it must notify the individual,[69] and that in these circumstances information must be provided on the avenues of complaint available to the individual if they have a complaint about the content of their credit reporting information (Recommendation 59–6). Further, the ALRC recommended (Recommendation 59–5) that credit reporting agencies and credit providers establish procedures to deal with credit reporting complaints, and where unable to resolve complaints inform the individual of that fact and that the individual may complain to an external dispute resolution scheme or the Privacy Commissioner.[70]

2.55      The ALRC also recommended (Recommendation 59–8) that within 30 days, evidence to substantiate disputed credit reporting information must be provided to the individual, or the matter referred to a Privacy Commissioner-recognised external dispute resolution scheme. If these requirements are not met, the credit reporting agency must delete or correct the information on request of the individual.[71] Further, the ALRC recommended (Recommendation 59–7) that only credit providers who were members of a Privacy Commissioner-recognised external dispute resolution be able to list overdue payments or repayment performance history.[72]

2.56      The Government accepted Recommendations 59–1, 59–3, 59–4, 59–6, 59–8, and 59–9. While the Government accepted in principle Recommendation 59–2 regarding the provision of one free copy of an individual's credit reporting information annually, it stated that details on timeframes and the form of access should be addressed by the binding industry code.[73]

2.57      The Government accepted, in part, Recommendation 59–5 and stated that the Privacy Act should outline the overarching requirements and be supported by the binding industry code for details of procedures required between credit reporting agencies and credit providers. The onus to resolve a dispute should be on the first contacted party in order for there to be clear responsibilities, and to avoid the complainant having to go back and forth between parties. The first contacted party would have the responsibility to liaise with all other parties.[74]

2.58      Recommendation 59–7 was accepted with amendment. The Government noted that there was significant justification to extend the requirement to be a member of such a scheme to all credit reporting agencies and credit providers.[75]

Navigation: Previous Page | Contents | Next Page