Chapter 3

Chapter 3

General issues


3.1        The reforms proposed under the Exposure Draft will provide for a more comprehensive credit reporting regime while at the same time protecting the extensive credit information about individuals that will be collected, used and disclosed. This is a significant change to the credit regime contained in the Privacy Act 1988 (Privacy Act). As Credit Ombudsman Services commented:

...these reforms will mark the introduction of a fundamentally different approach to credit reporting in Australia. The reforms will begin a process that will transform the entire credit reporting system, and every part of the credit reporting process is likely to change in some way.[1]

3.2        It was generally agreed by submitters that a more comprehensive credit reporting regime will enhance transparency and result in improved credit decision making and protect consumer interests.[2] The Australian Bankers' Association (ABA), for example, commented that it:

...welcomes the introduction of a more comprehensive system of credit reporting as a tool to better inform credit risk decisions that our members and other credit providers make in accordance with both prudential and consumer credit regulatory responsibilities. This will be a valuable addition to what is currently seen as an outdated and largely inadequate system of negative reporting in Part 111A.[3]

3.3        Credit reporting agency Dun & Bradstreet similarly supported the introduction of a comprehensive credit reporting regime. Mr Damian Karmelich, Director, Dun & Bradstreet, pointed to significant benefits arising from comprehensive credit reporting:

Our support for comprehensive or positive credit reporting is premised on the belief that such a system in Australia has the capacity to reduce default rates, increase lending to poorly served sections of the community, improve pricing for risk, improve outcomes for small business and promote competition within the banking sector. These benefits have accrued to consumers, lenders and the broader economy in many countries where positive credit reporting is in existence.[4]

3.4        However, consumer groups and privacy commentators noted that the availability of additional information required strict control as the mishandling of credit information may have serious consequences for consumers. The Australian Privacy Foundation (APF) went further and stated that the credit reporting system is a 'statutorily authorised intrusion into individuals' privacy and in effect a "licenced" exception to the normal operation of the National Privacy Principles in the Privacy Act'. The APF went on to comment:

Any suggestion that lenders and utility companies have a 'right' to centrally held credit reporting information should therefore be dismissed–the credit reporting system is a privilege, and it is incumbent on industry to justify any extension, and appropriate for the system to be very tightly regulated.[5]

3.5        The Privacy Commissioner NSW also expressed concern about the risks to individuals arising from increased access to credit information and stated:

While it is arguable that the collection of positive credit information may improve due diligence regarding the decision to provide credit to an individual, I am not convinced that the further and better particulars about such matters as an individual's credit repayment history would make the provision or the reporting of the provision of credit any more responsible. In my view the benefits to credit providers in terms of responsible lending are outweighed by the risks to the individual from the significantly extensive and intrusive collection of information about that individual.[6]

3.6        The Office of the Australian Information Commissioner (OAIC) observed that it is crucial that the credit reporting regulatory framework proposed in the Exposure Draft protects information appropriately and clearly sets out individual rights and industry obligations.[7] Mr Timothy Pilgrim, Australian Privacy Commissioner, stated:

In the credit context, it is appropriate that credit information is available to the credit industry for the purpose of assessing creditworthiness. However, this must be balanced with the need to provide appropriate privacy protection of that information for individuals. Importantly, the protection of financial information remains a key concern for individuals, most commonly due to the potentially serious consequences that may arise through the mishandling of credit information. For these reasons we understand that it is important to have a regulatory regime that sets out clearly the rights and obligations of credit reporting agencies, credit providers and individuals, one that strikes an appropriate balance between their different interests.[8]

3.7        In its response to the Australian Law Reform Commission's (ALRC) recommendations, the Government also recognised the need for more user-friendly and less complex and prescriptive regulation of credit reporting than is presently contained in the Part IIIA of the Privacy Act.[9]

3.8        However, as with the Exposure Draft on the Australian Privacy Principles (APPs), the committee received a range of comments about the structure and complexity of the credit reporting Exposure Draft which, it was argued, may undermine the goal of an efficient and effective regulatory regime. In addition, the prescriptive nature of some of its provisions was seen as having the potential to effect the flexibility of the system to respond to future challenges as well as  imposing a greater compliance burden. The following discussion addresses these concerns.


3.9        The ALRC recommended (Recommendation 54–1) that credit reporting be regulated under the general provisions of the Privacy Act and that regulations under the Privacy Act impose obligations on credit reporting agencies and credit providers with respect to the handling of credit reporting information.[10] In addition, the ALRC also recommended that a credit reporting code, developed by industry with input from consumer groups and regulators, provide detailed guidance within the framework provided by the Privacy Act (Recommendation 54–9).

3.10      ALRC Recommendation 54–1 was not accepted by the Government which stated that it did not agree that it is appropriate to have a general regulation-making power that would allow modification of the Privacy Principles. Rather, the Government considered that credit reporting information should continue to be regulated primarily under the Privacy Act, with provision for specific regulations to be made where necessary.[11]

3.11      In its submission to the committee, the ALRC noted that the inclusion of the credit reporting provisions in the Privacy Act is one of two significant respects where the Exposure Draft differs from the approach recommended by the ALRC. In its report, the ALRC commented on its preferred option of the use of regulations and stated that this was consistent with the ALRC's overall approach to reform of the Privacy Act, that is, a hybrid model. The ALRC stated:

The model draws significantly on principles-based regulation as its foundation, but allows for a reversion to more traditional rules-based regulation where appropriate. Subordinate legislation can be introduced to provide greater specificity and certainty in regulating privacy in relation to particular activities—including credit reporting.[12]

3.12      The ALRC went on to state that regulations would be more detailed and specific than the Unified Privacy Principles (UPPs) and 'derogate from the requirements in the privacy principles, by providing different (that is, more or less stringent) requirements than are provided for in the principles'.[13]

3.13      The ALRC also commented that the current inclusion of the credit reporting provisions within the Privacy Act is 'to some extent historical in that the credit reporting industry was made subject to privacy regulation before the rest of the private sector'. As a consequence, the handling of personal information by the credit industry is the only instance of an industry or business sector that is covered by provisions within the Privacy Act. The ALRC therefore recommended that Part IIIA be repealed and that credit reporting be addressed through regulations that would supplement the Privacy Principles and other general provisions of the Privacy Act.

3.14      The ALRC indicated that it supported the implementation of the credit reporting provisions through subordinate legislation as:

3.15      The ALRC further commented that:

...the Privacy Act could be drafted to contain a regulation-making power specific to the handling of credit reporting information. This would recognise that credit reporting presents a suite of privacy issues that are uniquely deserving of specific treatment, and requires regulation that both strengthens and derogates from the protection afforded by general privacy principles.[15]

3.16      Rather than the credit reporting provisions being contained in regulations, the OAIC supported shifting the provisions to a schedule to the Privacy Act. The OAIC stated that this would simplify the Privacy Act's structure and clearly distinguish the role of the APPs and credit provisions.[16] Mr Pilgrim also commented that as the credit reporting provisions are focussed:

...purely on one area of business activity, it should sit separately to the act, perhaps as a schedule. And we believe that this would not make it easier just for us as an organisation regulating, but also for industry when they are looking at a discrete piece of legislation, so that they do not need to work through pages and pages and reams. It sounds like it might be a minor issue, but all of us understand what it is like when we have to start wading through pieces of legislation to find different provisions.[17]

3.17      The OAIC concluded that the Privacy Act should enable individuals, organisations and agencies to easily understand their rights and obligations. As currently drafted, the provisions may be difficult for individuals to use and understand.[18]

3.18      The APF also commented more generally on the use of regulations. The APF argued that key provisions should be 'locked in' in the legislation itself rather than provided for under regulations or a code of conduct to be approved by the Information Commissioner. The APF stated:

However widely the Information Commissioner consults in the preparation of a Code, there is a clear 'democratic deficit' in this process. Experience with the similar role of the Privacy Commissioner under Part IIIA is that industry pressure can lead to Code provisions which undermine the effect of the Act. An example is the Privacy Commissioner's interpretation of the permissible timing of notice of default listings. While we accept the role of a Code in fleshing out some of the operational details, we do not believe it is the place for any significant threshold provisions.[19]

Committee comment

3.19      The committee notes the advice of the Senate Standing Committee on Regulations and Ordinances that '[i]t is a breach of parliamentary propriety for delegated legislation to deal with matters more appropriately included in a Bill'. These matters include legislation that fundamentally changes the law, being intended to alter and redefine rights, obligations and liabilities, or which significantly alters pre-existing legal, social or financial concepts.[20] The committee considers that the credit reporting provisions fall within the categories of matters that are more appropriately included in primary legislation. The credit reporting provisions contain significant regulatory obligations to ensure that the credit information pertaining to individuals is collected, used and disclosed in an appropriate way. The provisions also contain offences for which the penalty is 200 penalty units. The committee notes that it is Commonwealth criminal law policy that in general the penalty attached to offences in regulations should not exceed 50 penalty units.[21] The committee therefore does not consider that it is appropriate that these provisions are contained in regulations.

3.20      However, the committee is mindful of concerns put forward by the OAIC and considers, on balance, that to ensure the new Privacy Act is not overly complex, that the credit reporting provisions are easily accessible for consumers and the credit industry, and that the prominence of the APPs is not diminished, consideration should be given to locating the credit reporting provisions in a schedule to the Privacy Act. On this point, the committee notes that schedules are taken to form part of the Act, and therefore have the same force and effect as the main provisions of the Act.[22] The committee is therefore of the view that there is merit in considering whether the complexity of the consumer credit provisions can be reduced, and the provisions can be more readily accessible and understood, if the provisions were contained in a schedule to the Privacy Act.

Recommendation 1

3.21      The committee recommends that consideration be given to locating the credit reporting provisions in a schedule to the Privacy Act.

Level of prescription and complexity

3.22      Submitters noted that the current credit reporting provisions in Part IIIA of the Privacy Act are very complex and cumbersome. The OAIC welcomed the Government's efforts to simplify these provisions in the Exposure Draft. The OAIC also stated that is was particularly useful that the provisions have been reordered to systematically set out the obligations on different recipients of credit information and that the ordering of obligations better reflect the stages of personal information flows consistent with the draft APPs.[23]

3.23      However, generally the Exposure Draft was seen as not improving clarity or providing greater simplicity. Submitters commented that the Exposure Draft is overly long and complex and therefore does not clearly set out the protections provided to consumers and the obligations of industry. The APF stated that 'it is quite difficult to comprehend the detailed changes and effect of the proposed new regime from the draft clauses, and the short Companion Guide offers only limited assistance'.[24]

3.24      In particular, concerns were raised about the definitions used and the level of prescription in detailing how some matters will be regulated. This was seen as neither being in step with the principles-based approach supported by the Government, nor assisting in the understanding or use of the provisions and thus not improving privacy protections.[25] Experian for example, stated that:

...these shortcomings in the drafting and structure of the Exposure Draft detract from the 'clear and simple' objectives of the Exposure Draft provisions. This is of particular concern given that the focus of the provisions is upon enhancing the protection of consumers from misuse of their personal information. Consumers and non-lawyers are unlikely to understand or engage with such a lengthy and complex document and this diminishes its potential usefulness and effectiveness in educating consumers about their rights under the credit reporting regime, and encouraging them to engage with and periodically check the information on their credit files.[26]

3.25      The Law Institute Victoria (LIV) also commented that the focus of the Exposure Draft is on business practices in the credit reporting sector 'with little thought or provision for the rights and interests of individuals and fundamental principles of privacy'. The LIV further stated:

There are minimal protections of individual people's privacy in the Exposure Draft. These minimal protections are likely to be underused or unenforced while they are embedded in such a technical and complex framework, and while they are so severely compromised by burdensome and costly requirements (eg requirements to opt out, instead of opt in (eg cl 110(5)); requirement to renew banning period every 14 days (cl 113), and 'not excessive' charges for access (cl 120(6))).[27]

3.26      Although the LIV recommended amendments to the Exposure Draft, it remained concerned that it would 'still be inaccessible to the individuals whose interests are greatly impacted by its provisions and, in implementation, it would represent a missed opportunity to engage people and give them more genuine control over their information'.[28]

3.27      Other submitters, including the Australian Institute of Credit Management (AICM), supported a principles-based approach as such an approach would assist to reduce the level of complexity and prescription of the Exposure Draft.[29] In addition, it was argued that a principles-based approach would assist in keeping the Privacy Act relevant, support innovation and provide sufficient flexibility to deal with unforeseen situations.[30] Mr David Fodor, Chief Credit Officer, National Australia Bank (NAB), commented:

Following a review of the credit-reporting exposure draft, NAB is concerned that some provisions may be overly prescriptive and complex, particularly regarding the way it is proposed to regulate some aspects of data usage. The legislation as drafted includes a high focus on how outcomes are to be achieved, which may run the risk that the acts may become quickly outdated, hampering innovation and being insufficiently flexible to deal with unforeseen circumstances. NAB acknowledges the need to strike a balance between the protection of privacy, the benefits available to consumers from more responsible lending decisions, and the commercial practicalities of enablement.[31]

3.28      The NAB also stated that by using principles to drive outcomes, 'adequate controls can be implemented with a greatly reduced risk of creating "practicality" issues from prescribing how those outcomes are to be achieved'.[32] However, the Exposure Draft is seen as being prescriptive. Veda Advantage, for example, commented:

As drafted, there are instances where the proposed legislation sets out a policy objective and then prescribes very detailed steps CRAs must take to achieve the outcome.[33]

3.29      The Australian Finance Conference (AFC) also submitted that the Exposure Draft, unlike recently implemented regulation such as the anti-money laundering and consumer credit regimes, is a 'reversion to a more-prescriptive method of regulation, which in our view, detracts from achievement of the underlying objectives of improved clarity and understanding'.[34]

3.30      Submitters argued that regulations and/or a code of practice would be the more appropriate place to contain the detailed measures regarding the implementation and on-going management of the new credit reporting regime.[35]

3.31      The Australasian Retail Credit Association (ARCA) also commented that the complexity of the Exposure Draft would require further training of staff to ensure that they understand the credit reporting regime and thus comply with the legislation. ARCA commented that the complexity of the legislation 'is likely to result in potentially large numbers of unintentional human error breaches, and it could be exceptionally difficult for staff to know clearly what they are and are not allowed to do with a specific element of information'. ARCA saw potential for staff choosing to be cautious and, as a consequence, not providing information to consumers that they may be permitted to provide. ARCA argued that this may result in consumers becoming frustrated, and the benefits associated with the introduction of more comprehensive credit reporting may not be fully realised.[36]


3.32      The Exposure Draft contains 60 new definitions compared with seven key credit reporting definitions contained in the current Privacy Act. The need for these new definitions was seen by the AFC as being a result of the prescriptive nature of the Exposure Draft as extensive and complex definitions are required to support the central provisions of the proposed credit reporting regime. The AFC went on to state that 'it is therefore critical that the definitions are clear, easily understood and reflect Government policy'.[37]

3.33      However, many submitters commented that the definitions are complex and difficult to understand and therefore credit reporting provisions will be less accessible than they should be.[38] Veda Advantage commented that the definitions create a 'web of complexity'.[39] Ms Helen Gordon, AFC, stated:

In looking at the definitions, you see that each definition effectively builds on another definition. So you spend your time working your way through—it is a circular, tortuous route—to find that you are back to square one and perhaps still a little unclear as to exactly what is regulated and exactly how it is regulated. It is the definitions that go into that: who is regulated, how it is regulated and what you can do in relation to it. Our point is that, if we do not understand what we are talking about because the definitions are so complex, it is very hard to then overlay the actual functional provisions and know how they are meant to work.[40]

3.34      Other submitters pointed to a range of similar concerns:

3.35      The NAB and AFC pointed to the definition of 'credit eligibility information' as an example of a complex definition. The NAB stated that this definition 'leads to unnecessary complications and duplication and makes comprehension difficult'.[46] The AFC noted that the definition of credit eligibility information is pivotal to the compliance framework for information handling by a credit provider. Thus, it is critical for a credit provider to be able to identify what information it handles that meets this definition as this will dictate the parameters of compliance with the draft credit reporting provisions. However, the AFC commented that the definition of credit eligibility information builds on a significant number of other definitions, all of which need to be considered by the credit provider to determine what information it handles needs to meet the compliance framework in the draft provisions. The AFC concluded that this approach 'challenges understanding'.[47]

3.36      The AFC also pointed to the variation between terms used and defined in the Exposure Draft and other laws, for example, 'credit' is defined in the Australian Securities and Investment Commission Act. The AFC commented that these variations have occurred 'where either it would appear the terms were intended to have the same meaning or they should have the same meaning to assist understanding and compliance with consumer credit regulation generally'. The AFC went on to state that:

...even a slight variation in definition of a term from one Act to another potentially creates a need for each regulated entity to consider the compliance outcomes of the variation. Where the variation is for reasons of format rather than substance, we submit it should not occur to avoid this eventuality.[48]

3.37      Veda Advantage submitted that the Exposure Draft should only include a single definition for regulated information – 'credit reporting information' – applying to credit providers and credit reporting agencies. Veda Advantage argued that this would allow simplification or deletion of various use and disclosure provisions throughout the Exposure Draft.[49] Veda Advantage also proposed that the Government undertake a roundtable process to agree the terms of simplification of the Exposure Draft.

3.38      The Department of the Prime Minister and Cabinet (the Department) noted that Veda's proposals for significant and comprehensive change to the definitions used in the Exposure Draft have been analysed by a barrister to determine the implications of the proposals for consumers. The barrister commented that the proposed changes would need to be carefully considered to ensure that underlying policy positions are not changed. The Department considered that:

...the proposal for the complete redrafting of the credit reporting provisions and the definitions would be a significant and time consuming exercise which would also need to ensure that all the Government's policy directions were implemented. The Department's view is that the exposure draft accurately implements the Government's policy on the regulation of credit reporting as set out in the Government's first stage response to the Australian Law Reform Commission (ALRC) report.[50]

3.39      The NAB suggested that readability could be improved if all definitions were located in a single dictionary or for those more specific definitions applicable to credit reporting agencies and credit providers, to relocate them to the relevant divisions to which they primarily relate.[51]

Credit Reporting Code of Conduct

3.40      A number of submitters suggested that moving some matters into the Credit Reporting Code of Conduct (the Code) would assist in reducing the complexity of the Exposure Draft. For example, Mr Chris Gration, Veda Advantage, commented that the Code should have the capacity to deal with some of the operational complexity of the Exposure Draft.[52] Ms Nerida Caesar, Chief Executive Officer, Veda Advantage also commented that 'operational detail is typically best left to regulation or code of conduct'. Ms Caesar further stated:

Prescribing operational matters—for example, detailing each step required to implement a ban or a freeze on a credit report—is, we believe, unnecessary and counterproductive.[53]

3.41      Veda Advantage also submitted that having certain matters in the Code allowed for flexibility to respond to changing circumstances, for example, matters emerging in relation to identity fraud can be responded to in the Code.[54] Optus was also of the view that some matters in the Exposure Draft could be moved into the Code. This would allow sufficient flexibility for different sectoral requirements and take into account existing obligations, whilst still maintaining minimum and consistent standards of consumer protection for credit reporting information.[55]

3.42      Discussion on the development of the Code is provided below, see paragraphs 3.70–3.89.

Other suggestions for simplification and clarification

3.43      Submitters also provided other suggestions to aid with simplification and clarification of the Exposure Draft.

3.44      Veda Advantage suggested that permitted disclosures and uses between credit reporting agencies and credit providers be aligned and provided in a single table. It stated that this will allow for further simplification, including merging of a range of sections in the Exposure Draft (sections 108, 109, 135 and 136).[56]

3.45      The AFC and the OAIC noted that the word 'agency' is used throughout Division 2 (credit reporting agencies) as a short-form term for credit reporting agency. However, the word agency is defined as a government sector entity in section 16 of the Australian Privacy Principles Exposure Draft. The AFC also noted that the Government has indicated that Commonwealth agencies that carry on a credit reporting business will be regulated as credit reporting agencies. The AFC therefore submitted that in order to avoid confusion and assist with understanding, a word or term other than 'agency' should be used as the short-form reference for credit reporting agency in Division 2.[57] The OAIC recommended use of the full term or using 'CRA' after the provision refers to 'credit reporting agency'.[58]

3.46      The OAIC also noted that a range of new concepts have been introduced into the credit reporting regime. The OAIC stated that 'to ensure a smooth transition to the new regime, it is important that new concepts and terminology are clearly defined, well explained and understood'. The OAIC provided comment on two terms used in the Exposure Draft:

3.47      The committee received a range of comments regarding provisions relating to notification which contained the requirement that the notification be provided within a 'reasonable period'. Submitters commented that a specified timeframe would be preferable in most circumstances. These provisions include:

Committee comment

3.48      The committee considers that many of the concerns regarding complexity and lack of clarity may have been overcome if the Exposure Draft had been accompanied by a detailed explanatory document. The Companion Guide offers only limited assistance in understanding the Exposure Draft. Indeed, the committee notes that the Companion Guide is short and relies heavily on the Government Response. The committee does not consider that the Companion Guide provides sufficient detail or assistance in interpreting the provisions of the Exposure Draft, many of which are detailed and complex. In addition, the committee notes that some issues will be addressed through guidance from the OAIC or through the Code of Conduct, for example, the interpretation of 'reasonableness' regarding notification periods.

3.49      As with the Exposure Draft of the Australian Privacy Principles, the task of drafting the credit reporting provisions to achieve the Government's aims has been complex and difficult. The move to a more comprehensive credit reporting regime, and the addition of five new data sets, has required the implementation of a significant regulatory framework. The committee acknowledges that the Credit Reporting Exposure Draft has sought to impose this regime through the regulation of the flow of information in the credit reporting sector. The Exposure Draft assumes what is being undertaken at each stage of the process and systematically sets out the obligations on different recipients of credit information at each stage. It recognises that both credit reporting agencies and credit providers value add to the information that they receive. Given the complexity of the information flows for credit reporting, and the need to ensure adequate information protection, it is understandable that the Exposure Draft is long and detailed.

3.50      However, the committee is concerned that the adoption of this approach may have undermined the goal of simplifying and clarifying the credit reporting regime and therefore lead to uncertainty as to obligations and rights. In particular, the committee is concerned that the many complex provisions contained in the Exposure Draft may not assist individuals to understand their rights and may hinder consumers, for example, in enforcing their rights if a complaint or dispute arises. For organisations, it is crucial that they understand their obligations in order to comply with the legislation and ensure that consumers can be confident that the greater amount of their personal information that is being kept is adequately protected. A complex legislative regime does not assist with this goal.

3.51      One of the particular areas of concern for submitters was the increase in the number, and complexity, of definitions used: some 60 new definitions are included in the Exposure Draft. In relation to definitions, the committee notes that the Companion Guide states that:

The exposure draft uses a number of core definitions to better identify information flows in the credit reporting system, rather than basing the regulatory framework on the single definition of 'credit reporting information'.

The creation of a number of definitions is intended to improve the clarity and operation of the provisions.[63]

3.52      The committee acknowledges again that the new definitions are required as the regulatory regime is based on the information flows in the credit reporting system. However, it appears to the committee that the result has been a very complex and detailed Exposure Draft. Veda Advantage put the suggestion that a single definition of 'credit reporting information' should be used to simplify the credit reporting system. The committee does not support this suggestion as it would involve major re-drafting of the Exposure Draft and does not reflect the complexity of the current business model of the credit reporting sector.

3.53      The committee has also considered suggestions that 'operational' matters be moved to the proposed Credit Reporting Code of Conduct. While this would lead to a simplification of the Exposure Draft, such a move would have to be weighed against the benefit of having the major provisions of the credit reporting regime in one place. The committee considers, on balance, that no matters currently contained in the Exposure Draft should be moved into the Code.

3.54      However, the committee considers that there is room for further refinement of the Exposure Draft to improve clarity and simplicity. The committee therefore recommends that the Exposure Draft be reviewed in light of the comments received during the inquiry. These suggestions include clarity in the use of the terms 'agency', 'pre-screening determination' and complaints 'determination'.

Recommendation 2

3.55      The committee recommends that the Exposure Draft be reviewed to ensure that the provisions are clear and concise.

Recommendation 3

3.56      The committee recommends that the definitions be reviewed to ensure consistency across the Privacy Act and, to the extent possible, that definitions are standalone provisions.

Interaction between the credit reporting provisions and the Australian Privacy Principles

3.57      The interaction between the APPs and credit reporting provisions differs depending on the entity involved and the information being regulated. The credit reporting agency provisions in the Exposure Draft incorporate all the relevant general requirements of the APPs and replace the APPs for credit reporting. Section 104 provides that if a credit reporting agency is an APP entity, the APPs do not apply to the agency in relation to credit information, CRA derived information and CP derived information. The APPs apply to the credit reporting agency in relation to other kinds of personal information. In relation to separate credit reporting provisions, the Companion Guide states:

This will ensure that more onerous privacy obligations will apply to the types of defined information collected, used and disclosed by credit reporting agencies.[64]

3.58      For credit providers that are not small business operators, pursuant to section 130, the Exposure Draft provisions 'may apply' to a credit provider 'in addition to, or instead of,' the APPs. If the credit provider is a small business operator only the credit reporting provisions apply. The Companion Guide states:

This will ensure that the APPs continue to apply to certain types of personal information (eg identification information) while more onerous privacy obligations will apply to other types of personal information collected, used and disclosed by credit providers in the credit reporting system.[65]

3.59      The Exposure Draft reflects ALRC Recommendation 54–2 that the credit reporting provisions should be drafted to contain only those requirements that are different or more specific than provided for in the Unified Privacy Principles (now the APPs). The ALRC commented in its report that credit reporting agencies and credit providers should have to comply with both the model UPPs (APPs) and the credit reporting requirements and noted that 'this approach is consistent with the existing relationship between the credit reporting provisions and general privacy principles contained in the Privacy Act, and with the approach to be taken to the new 'Privacy (Health Information) Regulations'. The credit reporting provisions should contain only those requirements that are different or more specific than provided for in the UPPs. The ALRC commented that any problems of inconsistency would be limited because conduct that complies with the credit reporting provisions 'required or authorised by law' under the model UPPs.[66]

3.60      The Government accepted this recommendation and stated that: the extent possible, the Privacy Principles should set out the foundation for protecting credit reporting information. Regulation of credit reporting information in the Privacy Act will only set out further requirements where it is necessary for different or more specific protections to apply.

Relevant organisations will have to comply with both the Privacy Principles and the proposed credit reporting provisions. However, as the credit reporting provisions will only apply where it is necessary to have either greater or lesser privacy protection, it is intended that these provisions would set the new privacy standard for credit reporting. If there is inconsistency between the protections in the principles and the credit reporting provisions, organisations would be expected to comply with the more specific or different standards in the credit reporting provisions.[67]

3.61      The OAIC submitted that it did not support the approach taken in the Exposure Draft. The OAIC commented that this approach to the interaction between the APPs and credit reporting provisions 'may create challenges for individuals, organisations, dispute resolution bodies and the OAIC as regulator' as the obligations for credit reporting agencies and credit providers are not easily ascertained nor clearly stated. The OAIC suggested that clarity would be improved if the credit reporting provisions were a self-contained and complete set of provisions. That is, in place of the APPs, the credit reporting provisions should incorporate all of the relevant requirements of the APPs, in addition to the more specific or different requirements for credit reporting.[68]

3.62      The OAIC noted that the Exposure Draft already adopts this preferred approach for credit reporting agencies, but not for credit providers. The OAIC went on to comment that 'it is not apparent why a different approach has been followed for credit providers'. However, the OAIC saw several benefits arising from the incorporation of all of the relevant APP requirements into the Exposure Draft for credit providers:

3.63      However, if this approach was not adopted, the OAIC recommended two complementary measures to reduce the complexity of the current provisions. First, the Exposure Draft could clarify which APPs apply to credit providers by positively identifying, in a single provision, the APPs that do and do not apply to credit reporting. At present, provisions throughout the Exposure Draft identify only those APPs that do not apply to credit providers in relation to credit reporting.

3.64      Secondly, the Exposure Draft should be amended to ensure that the APPs, which apply to credit providers' credit reporting activities (in addition to the Exposure Draft), apply to all credit providers, including small business operators. At present, credit providers' obligations will vary depending on whether they are subject to the APPs, or are small business operators. The OAIC was of the view that the protection afforded to individuals' credit-related information should apply regardless of the size of the credit provider (as in the preferred option above), as the same serious consequences may arise if information is mishandled.[70]

3.65      The AFC also commented on the need to clarify the interaction between the APPs and the credit reporting provisions. In particular, the AFC recommended that an additional paragraph be considered for inclusion in section 130 (application of the Division to credit providers) to reflect the Government's intention that if there is inconsistency between the draft credit reporting provisions and the APPs, that a credit provider must comply with the more specific or different standards in the credit reporting provision.[71]

Committee comment

3.66      The committee considers that the interaction between the Australian Privacy Principles and the credit reporting provisions should be further clarified in the Exposure Draft. The committee has reviewed the options proposed by the Office of the Australian Information Commissioner and considers that it is desirable for the credit reporting provisions to incorporate all of the relevant requirements of the APPs, in addition to the more specific or different requirements for credit reporting. The committee further considers that this would be a crucial requirement should the credit reporting provisions be moved to a schedule of the Privacy Act.

Recommendation 4

3.67      The committee recommends that the Exposure Draft be amended to incorporate all of the relevant requirements of the Australian Privacy Principles for both credit reporting agencies and credit providers, in addition to the more specific or different requirements for credit reporting.

Other components of the reform framework

3.68      The credit reporting Exposure Draft is one part of the new credit reporting framework. Submitters noted that significant components of the framework are yet to be released by the Government: the regulations dealing with issues such as permitted uses and disclosures, detail on the repayment history and consumer liability information; the Credit Reporting Code which will cover a range of operational matters; the powers and functions of the Australian Information Commission in relation to codes; and transitional arrangements.[72]

3.69      There was concern that the Exposure Draft was being reviewed without the other components of the regulatory framework. Consumer Action Law Centre (Consumer Action), for example, stated that 'without access to the regulations, it is impossible to gain a proper understanding of the operation of these amendments or their impact on consumers'.[73] The APF also noted that regulations are proposed for some 'very significant determinants of the scope and effect of the regulatory regime' including additional credit reporting agency use and disclosure criteria (paragraphs 108(2)(c) and (3)(f)); definitions of credit provider and credit reporting business and additional requirements for uses and disclosures for credit eligibility information  by credit providers (paragraphs 135(2)(e) and (3)(g)). The APF commented that without the regulations, it is difficult to assess the overall regulatory package.[74]

Credit Reporting Code of Conduct

3.70      The Credit Reporting Code of Conduct will play a significant role in the credit reporting regime. The Exposure Draft contains only references to the proposed new Credit Reporting Code of Conduct and the Government has indicated that the Code will be developed by industry and key stakeholders. The Government's response to the ALRC's Recommendation 54–9 will provide the basis for its development.[75] The Government Response stated that:

The Government notes that it is necessary to have a clear and transparent code of practice, which is agreed to across the credit reporting industry, about how the credit reporting provisions and related issues will operate in practice. The code will ensure consistency across the industry in relation to matters such as access to information, data accuracy and complaint handling.[76]

3.71      The Government also stated that it considered that the Code should be developed 'subject to satisfactory consultation requirements between the credit reporting industry, advocates and the Privacy Commissioner'. Any Code that is developed is to be approved by the Privacy Commissioner. The Government Response also stated that:

Any organisation or agency (including credit providers and credit reporting agencies) that wants to participate in the credit reporting system will be required to be a member of this binding code. This will ensure consistency across the sector.

A breach of the code will be deemed to be a breach of the Privacy Act to the extent that the code provision is interpreting the application of a credit reporting provision in the Act.[77]

3.72      The Code will operate in addition to the credit reporting provisions and not override or apply lesser standards than are outlined in the Privacy Act. The Government stated that the Code would set out how credit reporting agencies and credit providers can practically apply the credit reporting provisions.[78] The Companion Guide notes that Exposure Draft expressly envisages some matters to be dealt with in the Code. These include:

3.73      The Government Response also stated that:

The Government will consult further with industry and advocates in drafting the appropriate provisions to the power to make a binding industry code in the Privacy Act.[80]

3.74      The development of the Code was supported by submitters. Optus, for example, commented that the Department of the Prime Minister and Cabinet has given the advice that the Code could allow for different obligations on different sectors, to take into account the existing legal and regulatory obligations that apply to those sectors. In addition, a code was seen as more easily future-proofed than legislation, and can be quickly and easily amended over time when needed.[81]

3.75      The ABA and ARCA supported a single, mandatory and binding code and stated that this would ensure competitive neutrality and certainty for consumers. In addition, a code be consistent with the ALRC's approach to the objective of consolidating privacy regulation as much as feasible. ARCA and the ABA noted that references in the Exposure Draft to the Code are limited. ARCA was of the view that the Code should be mandated by the Act.[82]

3.76      The ABA noted that the references in the Exposure Draft do not define the Code's scope but provide for certain aspects, some of which must be included in the Code and others that are optional. The Code must cover at least:

3.77      The ABA proposed a comprehensive Code be developed that was not confined only to the matters referred to in the primary legislation and regulations. Rather, the Code should incorporate all relevant operational aspects of the credit reporting regime including the on-going commitment to data quality.

3.78      ARCA also noted that data quality is essential to ensure an effective and accessible credit reporting system. ARCA submitted that in order to ensure data quality, the Code should have 'specifically built-in arrangements to facilitate an ongoing commitment to data quality'.[84] Mr Carlo Cataldo, Chairman, ARCA, commented:

To ensure that data quality is at the heart of credit reporting, ARCA proposes that the update to the credit reporting code of conduct has specifically built-in arrangements to facilitate an ongoing commitment to data quality. ARCA proposes that data quality be addressed in the code via a three-pillar approach consisting of a single data standard for credit reporting, the requirement of reciprocity, and an effective and adequately resourced means of independent oversight. A single data standard will ensure transparency through the credit reporting system and will give a clear understanding of what data is there in credit reports. Consumers will understand exactly what the information on their personal credit report means irrespective of the credit bureau, which credit provider provided it and what the information is that they are receiving.[85]

3.79      The ABA indicated its support for ARCA's proposals.[86]

3.80      ARCA also proposed that an independent committee be established to 'drive compliance with the Code'. Such a committee would comprise representation from both industry and consumer advocates. ARCA concluded:

While we would expect to finalise arrangements in consultation with industry and the regulator, ARCA proposes that this committee would support the work of the regulator, maintain industry focus on compliance with the Code, and to undertake compliance tasks associated with the Code.[87]

3.81      ARCA informed the committee that it was working with other stakeholders to develop the Code. An independent reviewer has been employed to review not only the process of development but also the update of the Code. ARCA indicated that it had consulted widely, and will continue to do so, as the current credit reporting system is used substantially beyond financial services. Consumers are included in the development process and Mr Cataldo concluded:

Our intent is to build a code that all stakeholders are very involved with and that has strong compliance so that it is absolutely delivered and can move Australia, particularly in data quality, up to global practice more than is often occurring.[88]

3.82      Legal Aid Queensland (LAQ) argued that 'it is not in consumers' best interests for industry to drive the development of a credit reporting code which is not purely directed to intra industry issues unless there are adequate consumer safeguards' and supported the establishment of a mechanism to ensure compliance with the Code. The LAQ submitted that codes do not offer adequate consumer protection and noted that in some sectors with existing codes there are consistently large numbers of complaints and or widespread non-compliance with the code. In order to ensure compliance with the Code, the LAQ stated that an independent code monitoring and compliance body, funded by industry members that have access to credit reporting information, needs to be established.[89]

3.83      In response to suggestions that the telecommunications industry should develop its own code, the LAQ stated:

We strongly reject any proposal to have more than one credit reporting code. We have particular concerns about any suggestion that the telecommunications industry could develop its own code, or rely on the current telecommunication codes. Consumer experience suggests that telecommunications industry codes have been ineffectual in delivering an appropriate 'baseline' in consumer protection and compliance culture.[90]

3.84      The LAQ also noted that telecommunications codes have taken significant time and resources to develop, and even when finalised have very few signatories, for example, the Telecommunications Consumer Protection Code (TCP Code), has only two signatories while other codes have no signatories.[91] In addition, the TCP Code places no obligation on the industry body, the Communications Alliance, to monitor complaints, monitor compliance, undertake routine compliance with signatories or identify systemic code issues and breaches. While the TCP Code requires the Communications Alliance to handle complaints about code signatories in accordance with the Communications Alliance Code Administration and Compliance Scheme and to report on the Scheme, the LAQ commented that the Communications Alliance has not reported publicly on compliance with the TCP Code. This is  despite the scheme being in existence for more than 10 years.

3.85      The LAQ concluded that the inability of the telecommunications industry to develop adequate consumer safeguards is reflected in the level of complaints: the Telecommunications Industry Ombudsman reported receiving 87,264 new complaints in the last six months of 2010. This represents an increase of 9 per cent on the previous six months. This included 19,000 issues relating to the failure of companies to follow through with promises they had already made to resolve complaints.[92]

Committee comment

3.86      The Credit Reporting Code of Conduct is a significant component of the credit reporting regime. The committee has noted that the development of the Code is underway and that industry has engaged with stakeholders and employed an independent reviewer to assist the development process. However, the committee is mindful of the concerns raised by consumer and advocacy groups about an industry led development process.

3.87      In its response to the ALRC recommendations, the Government acknowledged that the credit reporting industry will be the main driver behind the Code. The Privacy Commissioner will have final approval of the Code. The committee considers that this is an appropriate mechanism for approval and, as the Government stated, will balance the needs of industry to have efficient and effective credit reporting with the privacy needs of individuals.

3.88      The requirement for entities that wish to participate in the credit reporting system to be members of the binding Code is a further safeguard. Breaches of the Code will be deemed breaches of the Privacy Act 'to the extent that the Code provision is interpreting the application of a credit reporting provision in the Act'.[93]

3.89      The committee considers that the suggestion from the Australasian Credit Retail Association that an independent committee be established to drive compliance with the Code has merit. With a membership representing both industry and consumer advocates, the committee considers that such a committee would greatly assist in ensuring that the Code balanced the interests of industry and consumers. It would also assist in ensuring a timely response to emerging issues. The committee also considers that the committee may provide valuable support to the Australian Information Commissioner in the Commissioner's role as regulator and provide timely access to a dedicated forum which monitors developments in the credit reporting system.

Transitional arrangements

3.90      While not dealt with in the Exposure Draft, the need for transitional arrangements was raised by submitters. Westpac commented that it was important for transitional arrangements to be put in place to allow for, and encourage industry to, transition to the new credit reporting regime in a timely manner while maintaining appropriate consumer safeguards. Westpac suggested a 12 month transition period.[94]

3.91      Experian also submitted that, from its experience in other jurisdictions, careful management of transitional arrangements will be required to ensure that no tightening in credit practices occurs that can have an adverse impact on the economy. Experian pointed to three main issues:

3.92      In addition, the committee received evidence that consumers will need to be informed of the new credit reporting system. Mr Timothy Pilgrim, OAIC, noted that this will be a difficult task and that a number of approaches may be needed. Mr Pilgrim stated:

The approaches will have to come from government, obviously, in advising people on what these changes are. Clearly, our office has a role in education and educating the community, but in doing that we would want to be working very closely with industry, because industry at the end of the day do have the immediate contact with the community, with the people who are utilising the system, and whose credit information they are collecting as part of those processes. So we would see the need to work closely with industry and hope that we would get assistance from them to provide relevant and timely information out to people who are accessing credit through the particular organisations.[96]

3.93      Veda Advantage also noted that education of consumers will be very important. Ms Nerida Caesar, Veda, commented that industry should fund an education campaign:

...we do believe there should be an education campaign funded by the broad industry, they being the lenders and credit reference associations. We do believe that is [a] very important aspect.[97]

3.94      Telecommunications providers also commented that some matters, for example, the need to provide the type of credit account opened (consumer credit liability information), will require changes to IT systems, retraining staff or amending internal processes. The Communications Alliance submitted that IT systems changes may take some years to implement as businesses need to seek funding, identify and build the needed changes and retrain users of the systems.[98]

Committee comment

3.95      The committee considers that adequate transitional arrangements will be required to ensure that the changes to the credit reporting system are implemented in an efficient manner. The committee considers that the Department of the Prime Minister and Cabinet should undertake consultations to ensure that the concerns of industry are addressed during the lead up to the implementation of the new credit reporting regime. However, the committee does not support making data sets available before the expected commencement date of the new provisions as only once the legislation is passed will full rights and obligations be in place.

3.96      In addition, the committee considers that consumer education will be an important factor in ensuring that the new credit reporting system is understood by consumers, particularly the way in which the new data sets are used and disclosed and consumer rights in relation to access and complaints.

Recommendation 5

3.97      The committee recommends that the Department of the Prime Minister and Cabinet undertake consultations to ensure that the needs of industry and consumers are addressed during the lead up to the implementation of the new credit reporting regime.

Recommendation 6

3.98      The committee recommends that the Office of the Australian Information Commissioner consult with industry and consumer advocates to provide guidance on any consumer education campaigns in relation to the new credit reporting system.

Section 101 – cross border disclosure

3.99      The Government accepted the ALRC's recommendation to exclude the reporting of personal information about foreign credit and the disclosure of credit reporting information to foreign credit providers. The Government stated that:

This restriction is necessary as any benefit that would be obtained in creating greater transparency about an individual's credit risk would be outweighed by the inability of the Privacy Commissioner to enforce effectively the credit reporting provisions against foreign entities.[99]

3.100         This restriction was welcomed by the Consumer Credit Legal Service (WA) (CCLSWA) which noted that 'this restriction on cross border data flow reduces the prospect of privacy breaches'. CCLSWA also stated that cross border data flow contains inherent risks of compromised data integrity and security, for example, where disputes occur, it is very difficult to resolve when dealing with another country. However, CCLSWA) noted that the Government is still to release provisions dealing with cross border disclosures of credit reporting information or a proposed exception to allow credit reporting information to be shared with New Zealand.

3.101         CCLSWA commented that sharing credit reporting information with New Zealand seems to be contrary to section 101 of the Exposure Draft and it is unclear what benefit this would be to Australian consumers. The Legal Service further commented that information sharing may increase the risk of data inaccuracies and cause problems for Australian and New Zealand consumers residing in Australia who dispute content from a listing originating in New Zealand. It concluded:

It is unclear on what basis the Australian Government thinks it would be beneficial to share this information with New Zealand. At the very least, it would be desirable for there to be dispute resolution mechanisms within Australia for disputes relating to credit reporting by New Zealand institutions.[100]

3.102         The APF stated that the explanation provided on page 10 of the Companion Guide regarding cross border disclosure is unclear and unsatisfactory. If the intention is to prohibit overseas transfer of credit reporting information (subject to future exceptions for New Zealand), then this prohibition needs to be in the legislation.[101]

3.103         The committee only received one other comment in relation to cross border disclosure. The AFC commented that there may be difficulties of interpretation for Australian residents temporarily overseas that apply for credit. If the application is mailed from overseas, the AFC questioned whether this would it be regarded as having been applied for in Australia. The AFC argued that better approach may to expand the provision to cover an application that is made or received in Australia.[102]

Committee comment

3.104         In relation to cross border disclosure with New Zealand, the committee notes that the ALRC recommended (Recommendation 54–7) that the Privacy Commissioner approve cross border disclosure in defined circumstances. The ALRC indicated that the main motivation for making this recommendation was to allow recognition of the close relationship between the Australian and New Zealand credit reporting market. The Government did not accept this recommendation and considered that the recommendation should be tailored to allow trans-Tasman use and disclosure of credit reporting information, where necessary and appropriate. These provisions have not been included in the Exposure Draft but will be drafted following further inter-governmental negotiations with the relevant New Zealand authorities.[103] The Government also indicated that any further exceptions to the prohibition in Recommendation 54–5 should be adopted by legislative amendments rather than by a determination of the Privacy Commissioner. Further exceptions to the prohibition to allow sharing of credit reporting information with other foreign jurisdictions would only be considered where a clear need arises.

3.105         The committee acknowledges concerns with cross border disclosure of an individual's credit information and the need for adequate protections for consumers in these circumstances. However, the close relationship between the Australian and New Zealand credit reporting markets must be recognised. The Government has indicated that it will be working with New Zealand authorities so that adequate protections can be put in place to ensure that there is no inappropriate secondary use of the information outside the jurisdiction where the information was originally held. In addition, effective enforcement mechanisms will be needed to ensure that misuse can be appropriately rectified.

3.106         In relation to the AFC's concerns about an Australian resident temporarily overseas applying for credit, the committee considers that the questions as to whether this was credit applied for in Australia should be addressed by guidance from the Australian Information Commissioner.

Powers of the Australian Information Commissioner

3.107         The Privacy Commissioner NSW and Ms Katherine Lane, CCLC, expressed concern about access to the additional credit information provided for under the proposed credit reporting regime and the risks to the individual's privacy. Ms Lane commented that accuracy of information will be important and that the OAIC needs to have reasonable powers and exercise them to make sure that the accuracy is maintained.[104] The Privacy Commissioner NSW was of the view that the inclusion of extra data sets should be accompanied by an increase in the level of scrutiny by the Office of the Australian Information Commissioner.

3.108         The Privacy Commissioner NSW noted that section 28A of the Privacy Act currently allows the Federal Privacy Commissioner to 'conduct audits' of credit information files and credit reports', to 'monitor the security and accuracy of personal information contained in credit files' and to 'examine the records of credit reporting agencies and credit providers'. The Privacy Commissioner NSW went on to state that the Federal Privacy Commissioner's website indicates that there have been no audits of credit providers or credit reporting agencies to date. Evidently, 'oversight of the conduct of credit providers and credit reporting agencies in terms of their obligations under the Privacy Act appears to have been limited to the investigation of complaints'.[105]

3.109         The Privacy Commissioner NSW concluded that:

Comprehensive credit reporting will involve a vast increase in the amount and type of information which may be collected. This significantly heightens the risk that credit information (positive and negative) may be improperly collected, not stored securely or misused. To meet this risk I suggest that Parliament should consider including a provision which requires that Privacy Commissioner conduct one regular (at least yearly) audit of a randomly selected credit reporting agency and a credit provider in Australia. This will serve as a conscious-raising exercise for credit providers and credit reporting agencies, and it will go some way to balancing the potentially invasive effect of comprehensive credit reporting by increasing accountability, transparency and, hopefully compliance with the credit reporting provisions.[106]

3.110         Dun & Bradstreet noted that sections 116 and 118 require that a regular audit be conducted for data quality and security by an independent auditor. Dun & Bradstreet recommended that the audits be conducted by the Office of the Australian Information Commissioner. This would reflect the provisions of the current Privacy Act.[107]

Committee comment

3.111         The committee agrees with the Privacy Commissioner NSW that with access to greatly expanded credit data, the collection, use and disclosure of that information will require appropriate levels of oversight and scrutiny. The committee considers that a requirement for the Office of the Australian Information Commissioner to conduct a regular audit of a randomly selected credit reporting agency and a credit provider in Australia is worthy of further consideration. However, the committee is mindful that additional resources may be required by the Information Commissioner to meet such a requirement.

Recommendation 7

3.112         The committee recommends that consideration be given to including a requirement in the provisions for the powers and functions of the Australian Information Commissioner that a regular audit of a randomly selected credit reporting agency and a credit provider in Australia be conducted by the Australian Information Commissioner.

Navigation: Previous Page | Contents | Next Page