Chapter 3
General issues
Introduction
3.1
The reforms proposed under the Exposure Draft will provide for a more comprehensive
credit reporting regime while at the same time protecting the extensive credit
information about individuals that will be collected, used and disclosed. This
is a significant change to the credit regime contained in the Privacy Act
1988 (Privacy Act). As Credit Ombudsman Services commented:
...these reforms will mark the introduction of a
fundamentally different approach to credit reporting in Australia. The reforms
will begin a process that will transform the entire credit reporting system,
and every part of the credit reporting process is likely to change in some way.[1]
3.2
It was generally agreed by submitters that a more comprehensive credit
reporting regime will enhance transparency and result in improved credit
decision making and protect consumer interests.[2]
The Australian Bankers' Association (ABA), for example, commented that it:
...welcomes the introduction of a more comprehensive system
of credit reporting as a tool to better inform credit risk decisions that our
members and other credit providers make in accordance with both prudential and
consumer credit regulatory responsibilities. This will be a valuable addition
to what is currently seen as an outdated and largely inadequate system of
negative reporting in Part IIIA.[3]
3.3
Credit reporting agency Dun & Bradstreet similarly supported the
introduction of a comprehensive credit reporting regime. Mr Damian Karmelich,
Director, Dun & Bradstreet, pointed to significant benefits arising from
comprehensive credit reporting:
Our support for comprehensive or positive credit reporting is
premised on the belief that such a system in Australia has the capacity to
reduce default rates, increase lending to poorly served sections of the
community, improve pricing for risk, improve outcomes for small business and
promote competition within the banking sector. These benefits have accrued to
consumers, lenders and the broader economy in many countries where positive
credit reporting is in existence.[4]
3.4
However, consumer groups and privacy commentators noted that the
availability of additional information required strict control as the
mishandling of credit information may have serious consequences for consumers. The
Australian Privacy Foundation (APF) went further and stated that the credit
reporting system is a 'statutorily authorised intrusion into individuals'
privacy and in effect a "licenced" exception to the normal operation
of the National Privacy Principles in the Privacy Act'. The APF went on to
comment:
Any suggestion that lenders and utility companies have a
'right' to centrally held credit reporting information should therefore be
dismissed–the credit reporting system is a privilege, and it is incumbent on
industry to justify any extension, and appropriate for the system to be very
tightly regulated.[5]
3.5
The Privacy Commissioner NSW also expressed concern about the risks to
individuals arising from increased access to credit information and stated:
While it is arguable that the collection of positive credit
information may improve due diligence regarding the decision to provide credit
to an individual, I am not convinced that the further and better particulars
about such matters as an individual's credit repayment history would make the
provision or the reporting of the provision of credit any more responsible. In
my view the benefits to credit providers in terms of responsible lending are
outweighed by the risks to the individual from the significantly extensive and
intrusive collection of information about that individual.[6]
3.6
The Office of the Australian Information Commissioner (OAIC) observed that
it is crucial that the credit reporting regulatory framework proposed in the Exposure
Draft protects information appropriately and clearly sets out individual rights
and industry obligations.[7]
Mr Timothy Pilgrim, Australian Privacy Commissioner, stated:
In the credit context, it is appropriate that credit
information is available to the credit industry for the purpose of assessing
creditworthiness. However, this must be balanced with the need to provide
appropriate privacy protection of that information for individuals.
Importantly, the protection of financial information remains a key concern for
individuals, most commonly due to the potentially serious consequences that may
arise through the mishandling of credit information. For these reasons we understand
that it is important to have a regulatory regime that sets out clearly the
rights and obligations of credit reporting agencies, credit providers and
individuals, one that strikes an appropriate balance between their different
interests.[8]
3.7
In its response to the Australian Law Reform Commission's (ALRC)
recommendations, the Government also recognised the need for more user-friendly
and less complex and prescriptive regulation of credit reporting than is
presently contained in Part IIIA of the Privacy Act.[9]
3.8
However, as with the Exposure Draft on the Australian Privacy Principles
(APPs), the committee received a range of comments about the structure and
complexity of the credit reporting Exposure Draft which, it was argued, may
undermine the goal of an efficient and effective regulatory regime. In
addition, the prescriptive nature of some of its provisions was seen as having
the potential to affect the flexibility of the system to respond to future
challenges as well as imposing a greater compliance burden. The following
discussion addresses these concerns.
Structure
3.9
The ALRC recommended (Recommendation 54–1) that credit reporting be
regulated under the general provisions of the Privacy Act and that regulations
under the Privacy Act impose obligations on credit reporting agencies and
credit providers with respect to the handling of credit reporting information.[10]
In addition, the ALRC also recommended that a credit reporting code, developed
by industry with input from consumer groups and regulators, provide detailed
guidance within the framework provided by the Privacy Act (Recommendation
54–9).
3.10
ALRC Recommendation 54–1 was not accepted by the Government which stated
that it did not agree that it is appropriate to have a general regulation-making
power that would allow modification of the Privacy Principles. Rather, the
Government considered that credit reporting information should continue to be
regulated primarily under the Privacy Act, with provision for specific regulations
to be made where necessary.[11]
3.11
In its submission to the committee, the ALRC noted that the inclusion of
the credit reporting provisions in the Privacy Act is one of two significant
respects where the Exposure Draft differs from the approach recommended by the
ALRC. In its report, the ALRC commented on its preferred option of the use of
regulations and stated that this was consistent with the ALRC's overall
approach to reform of the Privacy Act, that is, a hybrid model. The ALRC
stated:
The model draws significantly on principles-based regulation
as its foundation, but allows for a reversion to more traditional rules-based
regulation where appropriate. Subordinate legislation can be introduced to
provide greater specificity and certainty in regulating privacy in relation to
particular activities—including credit reporting.[12]
3.12
The ALRC went on to state that regulations would be more detailed and specific
than the Unified Privacy Principles (UPPs) and 'derogate from the requirements
in the privacy principles, by providing different (that is, more or less
stringent) requirements than are provided for in the principles'.[13]
3.13
The ALRC also commented that the current inclusion of the credit
reporting provisions within the Privacy Act is 'to some extent historical in that
the credit reporting industry was made subject to privacy regulation before the
rest of the private sector'. As a consequence, the handling of personal
information by the credit industry is the only instance of an industry or
business sector that is covered by provisions within the Privacy Act. The ALRC
therefore recommended that Part IIIA be repealed and that credit reporting be
addressed through regulations that would supplement the Privacy Principles and
other general provisions of the Privacy Act.
3.14
The ALRC indicated that it supported the implementation of the credit
reporting provisions through subordinate legislation as:
- the credit reporting provisions are an unjustified anomaly within
the Privacy Act;
- the Act would be significantly simplified by the repeal of Part
IIIA;
- the repeal of Part IIIA is consistent with the development of one
set of Privacy Principles regulating both the public and private sectors (as
with the proposed new Australian Privacy Principles); and
- an equivalent level of privacy protection can be provided to
individuals under the Privacy Principles and subordinate legislation.[14]
3.15
The ALRC further commented that:
...the Privacy Act could be drafted to contain a
regulation-making power specific to the handling of credit reporting information.
This would recognise that credit reporting presents a suite of privacy issues
that are uniquely deserving of specific treatment, and requires regulation that
both strengthens and derogates from the protection afforded by general privacy
principles.[15]
3.16
Rather than the credit reporting provisions being contained in
regulations, the OAIC supported shifting the provisions to a schedule to the
Privacy Act. The OAIC stated that this would simplify the Privacy Act's
structure and clearly distinguish the role of the APPs and credit provisions.[16]
Mr Pilgrim also commented that as the credit reporting provisions are focussed:
...purely on one area of business activity, it should sit
separately to the act, perhaps as a schedule. And we believe that this would
not make it easier just for us as an organisation regulating, but also for
industry when they are looking at a discrete piece of legislation, so that they
do not need to work through pages and pages and reams. It sounds like it might
be a minor issue, but all of us understand what it is like when we have to
start wading through pieces of legislation to find different provisions.[17]
3.17
The OAIC concluded that the Privacy Act should enable individuals,
organisations and agencies to easily understand their rights and obligations. As
currently drafted, the provisions may be difficult for individuals to use and
understand.[18]
3.18
The APF also commented more generally on the use of regulations. The APF
argued that key provisions should be 'locked in' in the legislation itself rather
than provided for under regulations or a code of conduct to be approved by the
Information Commissioner. The APF stated:
However widely the Information Commissioner consults in the
preparation of a Code, there is a clear 'democratic deficit' in this process.
Experience with the similar role of the Privacy Commissioner under Part IIIA is
that industry pressure can lead to Code provisions which undermine the effect
of the Act. An example is the Privacy Commissioner's interpretation of the permissible
timing of notice of default listings. While we accept the role of a Code in
fleshing out some of the operational details, we do not believe it is the place
for any significant threshold provisions.[19]
Committee comment
3.19
The committee notes the advice of the Senate Standing Committee on
Regulations and Ordinances that '[i]t is a breach of parliamentary propriety
for delegated legislation to deal with matters more appropriately included in a
Bill'. These matters include legislation that fundamentally changes the law,
being intended to alter and redefine rights, obligations and liabilities, or
which significantly alters pre-existing legal, social or financial concepts.[20]
The committee considers that the credit reporting provisions fall within the
categories of matters that are more appropriately included in primary
legislation. The credit reporting provisions contain significant regulatory
obligations to ensure that the credit information pertaining to individuals is
collected, used and disclosed in an appropriate way. The provisions also
contain offences for which the penalty is 200 penalty units. The committee
notes that it is Commonwealth criminal law policy that in general the penalty
attached to offences in regulations should not exceed 50 penalty units.[21]
The committee therefore does not consider that it is appropriate that these
provisions are contained in regulations.
3.20
However, the committee is mindful of concerns put forward by the OAIC
and considers, on balance, that to ensure the new Privacy Act is not overly complex,
that the credit reporting provisions are easily accessible for consumers and
the credit industry, and that the prominence of the APPs is not diminished,
consideration should be given to locating the credit reporting provisions in a
schedule to the Privacy Act. On this point, the committee notes that schedules
are taken to form part of the Act, and therefore have the same force and effect
as the main provisions of the Act.[22]
The committee is therefore of the view that there is merit in considering whether
the complexity of the consumer credit provisions can be reduced, and the
provisions can be more readily accessible and understood, if the provisions
were contained in a schedule to the Privacy Act.
Recommendation 1
3.21 The committee recommends that consideration be given to locating the
credit reporting provisions in a schedule to the Privacy Act.
Level of prescription and complexity
3.22
Submitters noted that the current credit reporting provisions in Part
IIIA of the Privacy Act are very complex and cumbersome. The OAIC welcomed the
Government's efforts to simplify these provisions in the Exposure Draft. The OAIC
also stated that it was particularly useful that the provisions have been
reordered to systematically set out the obligations on different recipients of
credit information and that the ordering of obligations better reflects the
stages of personal information flows consistent with the draft APPs.[23]
3.23
However, generally the Exposure Draft was seen as not improving clarity or
providing greater simplicity. Submitters commented that the Exposure Draft is overly
long and complex and therefore does not clearly set out the protections
provided to consumers and the obligations of industry. The APF stated that 'it
is quite difficult to comprehend the detailed changes and effect of the
proposed new regime from the draft clauses, and the short Companion Guide
offers only limited assistance'.[24]
3.24
In particular, concerns were raised about the definitions used and the
level of prescription in detailing how some matters will be regulated. This was
seen as neither being in step with the principles-based approach supported by
the Government, nor assisting in the understanding or use of the provisions and
thus not improving privacy protections.[25]
Experian, for example, stated that:
...these shortcomings in the drafting and structure of the
Exposure Draft detract from the 'clear and simple' objectives of the Exposure
Draft provisions. This is of particular concern given that the focus of the
provisions is upon enhancing the protection of consumers from misuse of their
personal information. Consumers and non-lawyers are unlikely to understand or
engage with such a lengthy and complex document and this diminishes its potential
usefulness and effectiveness in educating consumers about their rights under
the credit reporting regime, and encouraging them to engage with and
periodically check the information on their credit files.[26]
3.25
The Law Institute Victoria (LIV) also commented that the focus of the
Exposure Draft is on business practices in the credit reporting sector 'with
little thought or provision for the rights and interests of individuals and
fundamental principles of privacy'. The LIV further stated:
There are minimal protections of individual people's privacy
in the Exposure Draft. These minimal protections are likely to be underused or
unenforced while they are embedded in such a technical and complex framework,
and while they are so severely compromised by burdensome and costly
requirements (eg requirements to opt out, instead of opt in (eg cl 110(5));
requirement to renew banning period every 14 days (cl 113), and 'not
excessive' charges for access (cl 120(6))).[27]
3.26
Although the LIV recommended amendments to the Exposure Draft, it
remained concerned that it would 'still be inaccessible to the individuals
whose interests are greatly impacted by its provisions and, in implementation,
it would represent a missed opportunity to engage people and give them more
genuine control over their information'.[28]
3.27
Other submitters, including the Australian Institute of Credit
Management (AICM), supported a principles-based approach as such an approach
would assist to reduce the level of complexity and prescription of the Exposure
Draft.[29]
In addition, it was argued that a principles-based approach would assist in
keeping the Privacy Act relevant, support innovation and provide sufficient
flexibility to deal with unforeseen situations.[30]
Mr David Fodor, Chief Credit Officer, National Australia Bank (NAB), commented:
Following a review of the credit-reporting exposure draft,
NAB is concerned that some provisions may be overly prescriptive and complex,
particularly regarding the way it is proposed to regulate some aspects of data
usage. The legislation as drafted includes a high focus on how outcomes are to
be achieved, which may run the risk that the acts may become quickly outdated,
hampering innovation and being insufficiently flexible to deal with unforeseen
circumstances. NAB acknowledges the need to strike a balance between the protection
of privacy, the benefits available to consumers from more responsible lending
decisions, and the commercial practicalities of enablement.[31]
3.28
The NAB also stated that by using principles to drive outcomes,
'adequate controls can be implemented with a greatly reduced risk of creating
"practicality" issues from prescribing how those outcomes are to be
achieved'.[32]
However, the Exposure Draft is seen as being prescriptive. Veda Advantage, for
example, commented:
As drafted, there are instances where the proposed
legislation sets out a policy objective and then prescribes very detailed steps
CRAs must take to achieve the outcome.[33]
3.29
The Australian Finance Conference (AFC) also submitted that the Exposure
Draft, unlike recently implemented regulation such as the anti-money laundering
and consumer credit regimes, is a 'reversion to a more-prescriptive method of
regulation, which in our view, detracts from achievement of the underlying
objectives of improved clarity and understanding'.[34]
3.30
Submitters argued that regulations and/or a code of practice would be
the more appropriate place to contain the detailed measures regarding the
implementation and on-going management of the new credit reporting regime.[35]
3.31
The Australasian Retail Credit Association (ARCA) also commented that the
complexity of the Exposure Draft would require further training of staff to
ensure that they understand the credit reporting regime and thus comply with the
legislation. ARCA commented that the complexity of the legislation 'is likely
to result in potentially large numbers of unintentional human error breaches,
and it could be exceptionally difficult for staff to know clearly what they are
and are not allowed to do with a specific element of information'. ARCA saw
potential for staff choosing to be cautious and, as a consequence, not providing
information to consumers that they may be permitted to provide. ARCA argued
that this may result in consumers becoming frustrated, and the benefits
associated with the introduction of more comprehensive credit reporting may not
be fully realised.[36]
Definitions
3.32
The Exposure Draft contains 60 new definitions compared with seven key credit
reporting definitions contained in the current Privacy Act. The need for these
new definitions was seen by the AFC as being a result of the prescriptive
nature of the Exposure Draft as extensive and complex definitions are required
to support the central provisions of the proposed credit reporting regime. The
AFC went on to state that 'it is therefore critical that the definitions are
clear, easily understood and reflect Government policy'.[37]
3.33
However, many submitters commented that the definitions are complex and
difficult to understand and therefore credit reporting provisions will be less
accessible than they should be.[38]
Veda Advantage commented that the definitions create a 'web of complexity'.[39]
Ms Helen Gordon, AFC, stated:
In looking at the definitions, you see that each definition
effectively builds on another definition. So you spend your time working your
way through—it is a circular, tortuous route—to find that you are back to
square one and perhaps still a little unclear as to exactly what is regulated
and exactly how it is regulated. It is the definitions that go into that: who
is regulated, how it is regulated and what you can do in relation to it. Our
point is that, if we do not understand what we are talking about because the
definitions are so complex, it is very hard to then overlay the actual
functional provisions and know how they are meant to work.[40]
3.34
Other submitters pointed to a range of similar concerns:
- some definitions build on and overlap a number of other
definitions;[41]
- the Exposure Draft relies on definitions contained in other
legislation;[42]
- the Exposure Draft does not include key definitions, for example,
there is no definition of 'credit manager', or 'derived' for credit derived
information;[43]
- some definitions are unnecessary as they define terms that are
well understood;[44]
- the parameters of the concepts defined appear to extend beyond
what was intended to be regulated (for example the definition of 'credit
reporting business'); and
- definitions are not consistent with definitions in other
regulations, for example, the definition of 'consumer credit' is different from
that contained in the National Credit Code.[45]
3.35
The NAB and AFC pointed to the definition of 'credit eligibility
information' as an example of a complex definition. The NAB stated that this
definition 'leads to unnecessary complications and duplication and makes
comprehension difficult'.[46]
The AFC noted that the definition of credit eligibility information is pivotal
to the compliance framework for information handling by a credit provider.
Thus, it is critical for a credit provider to be able to identify what
information it handles that meets this definition as this will dictate the
parameters of compliance with the draft credit reporting provisions. However, the
AFC commented that the definition of credit eligibility information builds on a
significant number of other definitions, all of which need to be considered by
the credit provider to determine which of the information it handles needs to meet the
compliance framework in the draft provisions. The AFC concluded that this
approach 'challenges understanding'.[47]
3.36
The AFC also pointed to the variation between terms used and defined in
the Exposure Draft and other laws, for example, 'credit' is defined in the Australian
Securities and Investments Commission Act. The AFC commented that these
variations have occurred 'where either it would appear the terms were intended
to have the same meaning or they should have the same meaning to assist understanding
and compliance with consumer credit regulation generally'. The AFC went on to
state that:
...even a slight variation in definition of a term from one
Act to another potentially creates a need for each regulated entity to consider
the compliance outcomes of the variation. Where the variation is for reasons of
format rather than substance, we submit it should not occur to avoid this
eventuality.[48]
3.37
Veda Advantage submitted that the Exposure Draft should only include a
single definition for regulated information – 'credit reporting information' –
applying to credit providers and credit reporting agencies. Veda Advantage
argued that this would allow simplification or deletion of various use and
disclosure provisions throughout the Exposure Draft.[49]
Veda Advantage also proposed that the Government undertake a roundtable process
to agree the terms of simplification of the Exposure Draft.
3.38
The Department of the Prime Minister and Cabinet (the Department) noted
that Veda's proposals for significant and comprehensive change to the
definitions used in the Exposure Draft have been analysed by a barrister to
determine the implications of the proposals for consumers. The barrister commented
that the proposed changes would need to be carefully considered to ensure that
underlying policy positions are not changed. The Department considered that:
...the proposal for the complete redrafting of the credit
reporting provisions and the definitions would be a significant and time
consuming exercise which would also need to ensure that all the Government's
policy directions were implemented. The Department's view is that the exposure
draft accurately implements the Government's policy on the regulation of credit
reporting as set out in the Government's first stage response to the Australian
Law Reform Commission (ALRC) report.[50]
3.39
The NAB suggested that readability could be improved if all definitions
were located in a single dictionary or if the more specific definitions
applicable to credit reporting agencies and credit providers were relocated
to the relevant divisions to which they primarily relate.[51]
Credit Reporting Code of Conduct
3.40
A number of submitters suggested that moving some matters into the
Credit Reporting Code of Conduct (the Code) would assist in reducing the
complexity of the Exposure Draft. For example, Mr Chris Gration, Veda Advantage,
commented that the Code should have the capacity to deal with some of the
operational complexity of the Exposure Draft.[52]
Ms Nerida Caesar, Chief Executive Officer, Veda Advantage also commented that
'operational detail is typically best left to regulation or code of conduct'.
Ms Caesar further stated:
Prescribing operational matters—for example, detailing each
step required to implement a ban or a freeze on a credit report—is, we believe,
unnecessary and counterproductive.[53]
3.41
Veda Advantage also submitted that having certain matters in the Code
allowed for flexibility to respond to changing circumstances, for example,
matters emerging in relation to identity fraud can be responded to in the Code.[54]
Optus was also of the view that some matters in the Exposure Draft could be
moved into the Code. This would allow sufficient flexibility for different
sectoral requirements and take into account existing obligations, whilst still
maintaining minimum and consistent standards of consumer protection for credit
reporting information.[55]
3.42
Discussion on the development of the Code is provided below, see paragraphs
3.70–3.89.
Other suggestions for simplification and clarification
3.43
Submitters also provided other suggestions to aid with simplification
and clarification of the Exposure Draft.
3.44
Veda Advantage suggested that permitted disclosures and uses between
credit reporting agencies and credit providers be aligned and provided in a
single table. It stated that this will allow for further simplification,
including merging of a range of sections in the Exposure Draft (sections 108, 109,
135 and 136).[56]
3.45
The AFC and the OAIC noted that the word 'agency' is used throughout Division
2 (credit reporting agencies) as a short-form term for credit reporting agency.
However, the word agency is defined as a government sector entity in section 16
of the Australian Privacy Principles Exposure Draft. The AFC also noted that
the Government has indicated that Commonwealth agencies that carry on a credit
reporting business will be regulated as credit reporting agencies. The AFC
therefore submitted that in order to avoid confusion and assist with
understanding, a word or term other than 'agency' should be used as the
short-form reference for credit reporting agency in Division 2.[57]
The OAIC recommended use of the full term or using 'CRA' after the provision
refers to 'credit reporting agency'.[58]
3.46
The OAIC also noted that a range of new concepts have been introduced
into the credit reporting regime. The OAIC stated that 'to ensure a smooth
transition to the new regime, it is important that new concepts and terminology
are clearly defined, well explained and understood'. The OAIC provided comment
on two terms used in the Exposure Draft:
- 'pre-screening determination': this term should be replaced by
'pre-screening assessment' as this would avoid confusion with other uses of the
term 'determination' and better reflect the nature of the decision being made
by a credit reporting agency. Further, if this term is adopted, its meaning
should be made clear and consistent including that it is not included in the
term 'credit reporting information'; and
- complaints determination: 'determination' in relation to the
conclusion reached by a credit reporting agency or a credit provider following
investigation of a complaint should be replaced with the term 'decision'.[59]
3.47
The committee received a range of comments regarding provisions relating
to notification which contained the requirement that the notification be
provided within a 'reasonable period'. Submitters commented that a specified
timeframe would be preferable in most circumstances. These provisions include:
- subsection 122(2) – notice of correction by a credit reporting
agency. The Consumer Credit Legal Centre (NSW) (CCLC) suggested that this
period be set as a maximum of 14 days;[60]
- section 142 – notification of a refusal of an application for
consumer credit by a credit provider. The Telecommunications Industry Ombudsman
(TIO) suggested a seven day period as timely notification of a refusal of
credit is important, particularly as it is often related to a house purchase
and the applicant may only become aware of a default listing when an
application for finance is rejected;[61] and
- section 150 – notice of correction etc must be given. CCLC stated
that this period should be set as a maximum of 14 days.[62]
Committee comment
3.48
The committee considers that many of the concerns regarding complexity
and lack of clarity may have been overcome if the Exposure Draft had been
accompanied by a detailed explanatory document. The Companion Guide offers only
limited assistance in understanding the Exposure Draft. Indeed, the committee
notes that the Companion Guide is short and relies heavily on the Government
Response. The committee does not consider that the Companion Guide provides
sufficient detail or assistance in interpreting the provisions of the Exposure
Draft, many of which are detailed and complex. In addition, the committee notes
that some issues will be addressed through guidance from the OAIC or through
the Code of Conduct, for example, the interpretation of 'reasonableness'
regarding notification periods.
3.49
As with the Exposure Draft of the Australian Privacy Principles, the
task of drafting the credit reporting provisions to achieve the Government's
aims has been complex and difficult. The move to a more comprehensive credit
reporting regime, and the addition of five new data sets, has required the
implementation of a significant regulatory framework. The committee acknowledges
that the Credit Reporting Exposure Draft has sought to impose this regime
through the regulation of the flow of information in the credit reporting
sector. The Exposure Draft assumes what is being undertaken at each stage of
the process and systematically sets out the obligations on different recipients
of credit information at each stage. It recognises that both credit reporting
agencies and credit providers value add to the information that they receive.
Given the complexity of the information flows for credit reporting, and the
need to ensure adequate information protection, it is understandable that the
Exposure Draft is long and detailed.
3.50
However, the committee is concerned that the adoption of this approach may
have undermined the goal of simplifying and clarifying the credit reporting
regime and therefore lead to uncertainty as to obligations and rights. In
particular, the committee is concerned that the many complex provisions contained
in the Exposure Draft may not assist individuals to understand their rights and
may hinder consumers, for example, in enforcing their rights if a complaint or
dispute arises. For organisations, it is crucial that they understand their
obligations in order to comply with the legislation and ensure that consumers
can be confident that the greater amount of their personal information that is
being kept is adequately protected. A complex legislative regime does not
assist with this goal.
3.51
One of the particular areas of concern for submitters was the increase
in the number, and complexity, of definitions used: some 60 new definitions are
included in the Exposure Draft. In relation to definitions, the committee notes
that the Companion Guide states that:
The exposure draft uses a number of core definitions to
better identify information flows in the credit reporting system, rather than
basing the regulatory framework on the single definition of 'credit reporting
information'.
The creation of a number of definitions is intended to
improve the clarity and operation of the provisions.[63]
3.52
The committee acknowledges again that the new definitions are required
as the regulatory regime is based on the information flows in the credit
reporting system. However, it appears to the committee that the result has been
a very complex and detailed Exposure Draft. Veda Advantage put the suggestion that
a single definition of 'credit reporting information' should be used to
simplify the credit reporting system. The committee does not support this
suggestion as it would involve major re-drafting of the Exposure Draft and does
not reflect the complexity of the current business model of the credit
reporting sector.
3.53
The committee has also considered suggestions that 'operational' matters
be moved to the proposed Credit Reporting Code of Conduct. While this would
lead to a simplification of the Exposure Draft, such a move would have to be
weighed against the benefit of having the major provisions of the credit
reporting regime in one place. The committee considers, on balance, that no
matters currently contained in the Exposure Draft should be moved into the
Code.
3.54
However, the committee considers that there is room for further
refinement of the Exposure Draft to improve clarity and simplicity. The
committee therefore recommends that the Exposure Draft be reviewed in light of
the comments received during the inquiry. These suggestions include clarity in
the use of the terms 'agency', 'pre-screening determination' and complaints
'determination'.
Recommendation 2
3.55 The committee recommends that the Exposure Draft be reviewed to ensure
that the provisions are clear and concise.
Recommendation 3
3.56 The committee recommends that the definitions be reviewed to ensure
consistency across the Privacy Act and, to the extent possible, that definitions
are standalone provisions.
Interaction between the credit reporting provisions and the Australian Privacy Principles
3.57
The interaction between the APPs and credit reporting provisions differs
depending on the entity involved and the information being regulated. The
credit reporting agency provisions in the Exposure Draft incorporate all the
relevant general requirements of the APPs and replace the APPs for credit
reporting. Section 104 provides that if a credit reporting agency is an APP
entity, the APPs do not apply to the agency in relation to credit information,
CRA derived information and CP derived information. The APPs apply to the
credit reporting agency in relation to other kinds of personal information. In
relation to separate credit reporting provisions, the Companion Guide states:
This will ensure that more onerous privacy obligations will
apply to the types of defined information collected, used and disclosed by
credit reporting agencies.[64]
3.58
For credit providers that are not small business operators, pursuant to
section 130, the Exposure Draft provisions 'may apply' to a credit provider 'in
addition to, or instead of,' the APPs. If the credit provider is a small
business operator only the credit reporting provisions apply. The Companion
Guide states:
This will ensure that the APPs continue to apply to certain
types of personal information (eg identification information) while more
onerous privacy obligations will apply to other types of personal information
collected, used and disclosed by credit providers in the credit reporting
system.[65]
3.59
The Exposure Draft reflects ALRC Recommendation 54–2 that the credit
reporting provisions should be drafted to contain only those requirements that
are different or more specific than provided for in the Unified Privacy
Principles (now the APPs). The ALRC commented in its report that credit
reporting agencies and credit providers should have to comply with both the
model UPPs (APPs) and the credit reporting requirements and noted that 'this approach
is consistent with the existing relationship between the credit reporting provisions
and general privacy principles contained in the Privacy Act, and with the approach
to be taken to the new Privacy (Health Information) Regulations'. The credit
reporting provisions should contain only those requirements that are different
or more specific than provided for in the UPPs. The ALRC commented that any
problems of inconsistency would be limited because conduct that complies with
the credit reporting provisions would be 'required or authorised by law' under the model
UPPs.[66]
3.60
The Government accepted this recommendation and stated that:
...to the extent possible, the Privacy Principles should set
out the foundation for protecting credit reporting information. Regulation of
credit reporting information in the Privacy Act will only set out further
requirements where it is necessary for different or more specific protections
to apply.
Relevant organisations will have to comply with both the Privacy
Principles and the proposed credit reporting provisions. However, as the credit
reporting provisions will only apply where it is necessary to have either
greater or lesser privacy protection, it is intended that these provisions
would set the new privacy standard for credit reporting. If there is
inconsistency between the protections in the principles and the credit
reporting provisions, organisations would be expected to comply with the more
specific or different standards in the credit reporting provisions.[67]
3.61
The OAIC submitted that it did not support the approach taken in the
Exposure Draft. The OAIC commented that this approach to the interaction
between the APPs and credit reporting provisions 'may create challenges for
individuals, organisations, dispute resolution bodies and the OAIC as regulator'
as the obligations for credit reporting agencies and credit providers are not
easily ascertained nor clearly stated. The OAIC suggested that clarity would be
improved if the credit reporting provisions were a self-contained and complete
set of provisions. That is, in place of the APPs, the credit reporting
provisions should incorporate all of the relevant requirements of the APPs, in
addition to the more specific or different requirements for credit reporting.[68]
3.62
The OAIC noted that the Exposure Draft already adopts this preferred
approach for credit reporting agencies, but not for credit providers. The OAIC
went on to comment that 'it is not apparent why a different approach has been
followed for credit providers'. However, the OAIC saw several benefits arising
from the incorporation of all of the relevant APP requirements into the
Exposure Draft for credit providers:
- clarifying whether the APPs or the credit reporting provisions apply
to credit providers' credit reporting activities
  - for example, currently under the Exposure Draft, a credit
provider may be required to correct 'identification information' under either
the provisions in the Exposure Draft or APP 13 (if the APPs apply to them). As
these processes are not identical, this introduces avoidable complexity and
confusion;
- self-contained provisions are easier to use and understand because
obligations and rights can be determined without reference to multiple parts of
the Privacy Act;
- providing consistent obligations for all credit providers
(regardless of size) in relation to credit reporting, and consistent privacy
protections for individuals' credit-related information
  - this may better reflect the intent of the Government Response,
which indicated that credit providers that are small business operators would
be subject to the additional obligations imposed by the APPs in relation to
credit reporting;
- reducing complexity and increasing efficiency in the OAIC's
investigations and enforcement of the provisions, since all credit providers
would be subject to identical obligations.[69]
3.63
However, if this approach was not adopted, the OAIC recommended two
complementary measures to reduce the complexity of the current provisions. First,
the Exposure Draft could clarify which APPs apply to credit providers by
positively identifying, in a single provision, the APPs that do and do not
apply to credit reporting. At present, provisions throughout the Exposure Draft
identify only those APPs that do not apply to credit providers in relation to
credit reporting.
3.64
Secondly, the Exposure Draft should be amended to ensure that the APPs, which
apply to credit providers' credit reporting activities (in addition to the
Exposure Draft), apply to all credit providers, including small business
operators. At present, credit providers' obligations will vary depending on
whether they are subject to the APPs, or are small business operators. The OAIC
was of the view that the protection afforded to individuals' credit-related
information should apply regardless of the size of the credit provider (as in
the preferred option above), as the same serious consequences may arise if
information is mishandled.[70]
3.65
The AFC also commented on the need to clarify the interaction between
the APPs and the credit reporting provisions. In particular, the AFC recommended
that an additional paragraph be considered for inclusion in section 130 (application
of the Division to credit providers) to reflect the Government's intention that
if there is inconsistency between the draft credit reporting provisions and the
APPs, a credit provider must comply with the more specific or different
standards in the credit reporting provision.[71]
Committee comment
3.66
The committee considers that the interaction between the Australian
Privacy Principles and the credit reporting provisions should be further
clarified in the Exposure Draft. The committee has reviewed the options
proposed by the Office of the Australian Information Commissioner and considers
that it is desirable for the credit reporting provisions to incorporate all of
the relevant requirements of the APPs, in addition to the more specific or
different requirements for credit reporting. The committee further considers
that this would be a crucial requirement should the credit reporting provisions
be moved to a schedule of the Privacy Act.
Recommendation 4
3.67 The committee recommends that the Exposure Draft be amended to
incorporate all of the relevant requirements of the Australian Privacy Principles
for both credit reporting agencies and credit providers, in addition to the
more specific or different requirements for credit reporting.
Other components of the reform framework
3.68
The credit reporting Exposure Draft is one part of the new credit
reporting framework. Submitters noted that significant components of the
framework are yet to be released by the Government: the regulations dealing
with issues such as permitted uses and disclosures, detail on the repayment
history and consumer liability information; the Credit Reporting Code which
will cover a range of operational matters; the powers and functions of the
Australian Information Commission in relation to codes; and transitional
arrangements.[72]
3.69
There was concern that the Exposure Draft was being reviewed without the
other components of the regulatory framework. Consumer Action Law Centre (Consumer
Action), for example, stated that 'without access to the regulations, it is
impossible to gain a proper understanding of the operation of these amendments
or their impact on consumers'.[73]
The APF also noted that regulations are proposed for some 'very significant
determinants of the scope and effect of the regulatory regime' including
additional credit reporting agency use and disclosure criteria (paragraphs
108(2)(c) and (3)(f)); definitions of credit provider and credit reporting
business and additional requirements for uses and disclosures for credit
eligibility information by credit providers (paragraphs 135(2)(e) and (3)(g)).
The APF commented that without the regulations, it is difficult to assess the
overall regulatory package.[74]
Credit Reporting Code of Conduct
3.70
The Credit Reporting Code of Conduct will play a significant role in the
credit reporting regime. The Exposure Draft contains only references to the
proposed new Credit Reporting Code of Conduct and the Government has indicated
that the Code will be developed by industry and key stakeholders. The
Government's response to the ALRC's Recommendation 54–9 will provide the basis
for its development.[75]
The Government Response stated that:
The Government notes that it is necessary to have a clear and
transparent code of practice, which is agreed to across the credit reporting
industry, about how the credit reporting provisions and related issues will
operate in practice. The code will ensure consistency across the industry in
relation to matters such as access to information, data accuracy and complaint
handling.[76]
3.71
The Government also stated that it considered that the Code should be
developed 'subject to satisfactory consultation requirements between the credit
reporting industry, advocates and the Privacy Commissioner'. Any Code that is
developed is to be approved by the Privacy Commissioner. The Government
Response also stated that:
Any organisation or agency (including credit providers and
credit reporting agencies) that wants to participate in the credit reporting
system will be required to be a member of this binding code. This will ensure
consistency across the sector.
A breach of the code will be deemed to be a breach of the
Privacy Act to the extent that the code provision is interpreting the
application of a credit reporting provision in the Act.[77]
3.72
The Code will operate in addition to the credit reporting provisions and
not override or apply lesser standards than are outlined in the Privacy Act. The
Government stated that the Code would set out how credit reporting agencies and
credit providers can practically apply the credit reporting provisions.[78]
The Companion Guide notes that the Exposure Draft expressly envisages some matters
to be dealt with in the Code. These include:
- the implementation of practices, procedures and systems relating
to the credit reporting business of a credit reporting agency that will,
amongst other things, ensure that it complies with the Code;
- requirements set out in the Code relating to the disclosure of
direct marketing;
- the means of access given by a credit reporting agency to an
access seeker relating to credit reporting information;
- matters to be notified to an individual at, or before, the time a
credit provider collects personal information about that individual that the
provider is likely to disclose to a credit reporting agency; and
- matters specified in the Code to be notified to an individual by a
credit provider when an application for consumer credit is refused.[79]
3.73
The Government Response also stated that:
The Government will consult further with industry and
advocates in drafting the appropriate provisions to the power to make a binding
industry code in the Privacy Act.[80]
3.74
The development of the Code was supported by submitters. Optus, for
example, commented that the Department of the Prime Minister and Cabinet has given
the advice that the Code could allow for different obligations on different sectors,
to take into account the existing legal and regulatory obligations that apply
to those sectors. In addition, a code was seen as more easily future-proofed
than legislation, and can be quickly and easily amended over time when needed.[81]
3.75
The ABA and ARCA supported a single, mandatory and binding code and
stated that this would ensure competitive neutrality and certainty for
consumers. In addition, a code would be consistent with the ALRC's approach to the
objective of consolidating privacy regulation as much as feasible. ARCA and the
ABA noted that references in the Exposure Draft to the Code are limited. ARCA
was of the view that the Code should be mandated by the Act.[82]
3.76
The ABA noted that the references in the Exposure Draft do not define
the Code's scope but provide for certain aspects, some of which must be included
in the Code and others that are optional. The Code must cover at least:
- compliance with complaints handling;
- a credit reporting agency's manner of giving access; and
- a credit provider's manner of giving access.[83]
3.77
The ABA proposed a comprehensive Code be developed that was not confined
only to the matters referred to in the primary legislation and regulations. Rather,
the Code should incorporate all relevant operational aspects of the credit
reporting regime including the on-going commitment to data quality.
3.78
ARCA also noted that data quality is essential to ensure an effective
and accessible credit reporting system. ARCA submitted that in order to ensure
data quality, the Code should have 'specifically built-in arrangements to
facilitate an ongoing commitment to data quality'.[84]
Mr Carlo Cataldo, Chairman, ARCA, commented:
To ensure that data quality is at the heart of credit
reporting, ARCA proposes that the update to the credit reporting code of
conduct has specifically built-in arrangements to facilitate an ongoing
commitment to data quality. ARCA proposes that data quality be addressed in the
code via a three-pillar approach consisting of a single data standard for
credit reporting, the requirement of reciprocity, and an effective and
adequately resourced means of independent oversight. A single data standard
will ensure transparency through the credit reporting system and will give a
clear understanding of what data is there in credit reports. Consumers will
understand exactly what the information on their personal credit report means
irrespective of the credit bureau, which credit provider provided it and what
the information is that they are receiving.[85]
3.79
The ABA indicated its support for ARCA's proposals.[86]
3.80
ARCA also proposed that an independent committee be established to
'drive compliance with the Code'. Such a committee would comprise
representation from both industry and consumer advocates. ARCA concluded:
While we would expect to finalise arrangements in consultation
with industry and the regulator, ARCA proposes that this committee would
support the work of the regulator, maintain industry focus on compliance with
the Code, and to undertake compliance tasks associated with the Code.[87]
3.81
ARCA informed the committee that it was working with other stakeholders
to develop the Code. An independent reviewer has been employed to review not
only the process of development but also the update of the Code. ARCA indicated
that it had consulted widely, and will continue to do so, as the current credit
reporting system is used substantially beyond financial services. Consumers are
included in the development process and Mr Cataldo concluded:
Our intent is to build a code that all stakeholders are very
involved with and that has strong compliance so that it is absolutely delivered
and can move Australia, particularly in data quality, up to global practice
more than is often occurring.[88]
3.82
Legal Aid Queensland (LAQ) argued that 'it is not in consumers' best
interests for industry to drive the development of a credit reporting code
which is not purely directed to intra industry issues unless there are adequate
consumer safeguards' and supported the establishment of a mechanism to ensure
compliance with the Code. The LAQ submitted that codes do not offer adequate
consumer protection and noted that in some sectors with existing codes there
are consistently large numbers of complaints and/or widespread non-compliance
with the code. In order to ensure compliance with the Code, the LAQ stated that
an independent code monitoring and compliance body, funded by industry members
that have access to credit reporting information, needs to be established.[89]
3.83
In response to suggestions that the telecommunications industry should
develop its own code, the LAQ stated:
We strongly reject any proposal to have more than one credit
reporting code. We have particular concerns about any suggestion that the
telecommunications industry could develop its own code, or rely on the current
telecommunication codes. Consumer experience suggests that telecommunications
industry codes have been ineffectual in delivering an appropriate 'baseline' in
consumer protection and compliance culture.[90]
3.84
The LAQ also noted that telecommunications codes have taken significant
time and resources to develop, and even when finalised have very few
signatories, for example, the Telecommunications Consumer Protection Code (TCP
Code) has only two signatories while other codes have no signatories.[91]
In addition, the TCP Code places no obligation on the industry body, the Communications
Alliance, to monitor complaints, monitor compliance, undertake routine
compliance with signatories or identify systemic code issues and breaches. While
the TCP Code requires the Communications Alliance to handle complaints about
code signatories in accordance with the Communications Alliance Code Administration
and Compliance Scheme and to report on the Scheme, the LAQ commented that the Communications
Alliance has not reported publicly on compliance with the TCP Code. This is despite
the scheme being in existence for more than 10 years.
3.85
The LAQ concluded that the inability of the telecommunications industry
to develop adequate consumer safeguards is reflected in the level of
complaints: the Telecommunications Industry Ombudsman reported receiving 87,264
new complaints in the last six months of 2010. This represents an increase of 9
per cent on the previous six months. This included 19,000 issues relating to
the failure of companies to follow through with promises they had already made
to resolve complaints.[92]
Committee comment
3.86
The Credit Reporting Code of Conduct is a significant component of the
credit reporting regime. The committee has noted that the development of the Code
is underway and that industry has engaged with stakeholders and employed an
independent reviewer to assist the development process. However, the committee
is mindful of the concerns raised by consumer and advocacy groups about an
industry led development process.
3.87
In its response to the ALRC recommendations, the Government acknowledged
that the credit reporting industry will be the main driver behind the Code. The
Privacy Commissioner will have final approval of the Code. The committee
considers that this is an appropriate mechanism for approval and, as the
Government stated, will balance the needs of industry to have efficient and
effective credit reporting with the privacy needs of individuals.
3.88
The requirement for entities that wish to participate in the credit
reporting system to be members of the binding Code is a further safeguard.
Breaches of the Code will be deemed breaches of the Privacy Act 'to the extent
that the Code provision is interpreting the application of a credit reporting
provision in the Act'.[93]
3.89
The committee considers that the suggestion from the Australasian Credit
Retail Association that an independent committee be established to drive
compliance with the Code has merit. With a membership representing both
industry and consumer advocates, the committee considers that such a committee
would greatly assist in ensuring that the Code balanced the interests of
industry and consumers. It would also assist in ensuring a timely response to
emerging issues. The committee also considers that such a committee may provide
valuable support to the Australian Information Commissioner in the
Commissioner's role as regulator and provide timely access to a dedicated forum
which monitors developments in the credit reporting system.
Transitional arrangements
3.90
While not dealt with in the Exposure Draft, the need for transitional
arrangements was raised by submitters. Westpac commented that it was important
for transitional arrangements to be put in place to allow for, and encourage
industry to, transition to the new credit reporting regime in a timely manner while
maintaining appropriate consumer safeguards. Westpac suggested a 12 month
transition period.[94]
3.91
Experian also submitted that, from its experience in other
jurisdictions, careful management of transitional arrangements will be required
to ensure that no tightening in credit practices occurs that can have an
adverse impact on the economy. Experian pointed to three main issues:
- positive data sets will need to be made available to credit
reporting agencies in advance of the expected commencement date of the new
provisions, to enable sufficient lead time for the agencies to conduct
meaningful data testing and to properly manage and implement changes to
internal systems, controls and procedures;
- credit providers need to be permitted to provide initial data
loads of two year repayment histories to credit reporting agencies immediately
upon the commencement date of the new provisions. This will ensure that the
credit reporting system can benefit from the availability of the new positive
data sets as soon as possible after commencement; and
- it would be appropriate for the Australian Information
Commissioner to temporarily adopt a more relaxed approach to inadvertent
non-compliance by entities that are genuinely making efforts to modify their
systems and controls to comply with the new requirements, both during the
transitional period and for an appropriate period following commencement of the
new regime.[95]
3.92
In addition, the committee received evidence that consumers will need to
be informed of the new credit reporting system. Mr Timothy Pilgrim, OAIC, noted
that this will be a difficult task and that a number of approaches may be
needed. Mr Pilgrim stated:
The approaches will have to come from government, obviously,
in advising people on what these changes are. Clearly, our office has a role in
education and educating the community, but in doing that we would want to be
working very closely with industry, because industry at the end of the day do
have the immediate contact with the community, with the people who are
utilising the system, and whose credit information they are collecting as part
of those processes. So we would see the need to work closely with industry and
hope that we would get assistance from them to provide relevant and timely
information out to people who are accessing credit through the particular
organisations.[96]
3.93
Veda Advantage also noted that education of consumers will be very
important. Ms Nerida Caesar, Veda, commented that industry should fund an
education campaign:
...we do believe there should be an education campaign funded
by the broad industry, they being the lenders and credit reference
associations. We do believe that is [a] very important aspect.[97]
3.94
Telecommunications providers also commented that some matters, for
example, the need to provide the type of credit account opened (consumer credit
liability information), will require changes to IT systems, retraining staff or
amending internal processes. The Communications Alliance submitted that IT
systems changes may take some years to implement as businesses need to seek
funding, identify and build the needed changes and retrain users of the
systems.[98]
Committee comment
3.95
The committee considers that adequate transitional arrangements will be
required to ensure that the changes to the credit reporting system are
implemented in an efficient manner. The committee considers that the Department
of the Prime Minister and Cabinet should undertake consultations to ensure that
the concerns of industry are addressed during the lead up to the implementation
of the new credit reporting regime. However, the committee does not support
making data sets available before the expected commencement date of the new
provisions as only once the legislation is passed will full rights and
obligations be in place.
3.96
In addition, the committee considers that consumer education will be an
important factor in ensuring that the new credit reporting system is understood
by consumers, particularly the way in which the new data sets are used and
disclosed and consumer rights in relation to access and complaints.
Recommendation 5
3.97 The committee recommends that the Department of the Prime Minister and
Cabinet undertake consultations to ensure that the needs of industry and
consumers are addressed during the lead up to the implementation of the new
credit reporting regime.
Recommendation 6
3.98 The committee recommends that the Office of the Australian Information
Commissioner consult with industry and consumer advocates to provide guidance
on any consumer education campaigns in relation to the new credit reporting
system.
Section 101 – cross border disclosure
3.99
The Government accepted the ALRC's recommendation to exclude the
reporting of personal information about foreign credit and the disclosure of
credit reporting information to foreign credit providers. The Government stated
that:
This restriction is necessary as any benefit that would be
obtained in creating greater transparency about an individual's credit risk
would be outweighed by the inability of the Privacy Commissioner to enforce
effectively the credit reporting provisions against foreign entities.[99]
3.100
This restriction was welcomed by the Consumer Credit Legal Service (WA) (CCLSWA)
which noted that 'this restriction on cross border data flow reduces the prospect
of privacy breaches'. CCLSWA also stated that cross border data flow contains
inherent risks of compromised data integrity and security, for example, where
disputes occur, it is very difficult to resolve when dealing with another
country. However, CCLSWA noted that the Government is still to release
provisions dealing with cross border disclosures of credit reporting
information or a proposed exception to allow credit reporting information to be
shared with New Zealand.
3.101
CCLSWA commented that sharing credit reporting information with New Zealand
seems to be contrary to section 101 of the Exposure Draft and it is unclear what
benefit this would be to Australian consumers. The Legal Service further
commented that information sharing may increase the risk of data inaccuracies
and cause problems for Australian and New Zealand consumers residing in
Australia who dispute content from a listing originating in New Zealand. It
concluded:
It is unclear on what basis the Australian Government thinks
it would be beneficial to share this information with New Zealand. At the very
least, it would be desirable for there to be dispute resolution mechanisms
within Australia for disputes relating to credit reporting by New Zealand
institutions.[100]
3.102
The APF stated that the explanation provided on page 10 of the Companion
Guide regarding cross border disclosure is unclear and unsatisfactory. If the
intention is to prohibit overseas transfer of credit reporting information
(subject to future exceptions for New Zealand), then this prohibition needs to
be in the legislation.[101]
3.103
The committee only received one other comment in relation to cross
border disclosure. The AFC commented that there may be difficulties of
interpretation for Australian residents temporarily overseas that apply for
credit. If the application is mailed from overseas, the AFC questioned whether
this would be regarded as having been applied for in Australia. The AFC
argued that a better approach may be to expand the provision to cover an application
that is made or received in Australia.[102]
Committee comment
3.104
In relation to cross border disclosure with New Zealand, the committee
notes that the ALRC recommended (Recommendation 54–7) that the Privacy
Commissioner approve cross border disclosure in defined circumstances. The ALRC
indicated that the main motivation for making this recommendation was to allow
recognition of the close relationship between the Australian and New Zealand
credit reporting market. The Government did not accept this recommendation and considered
that the recommendation should be tailored to allow trans-Tasman use and
disclosure of credit reporting information, where necessary and appropriate.
These provisions have not been included in the Exposure Draft but will be
drafted following further inter-governmental negotiations with the relevant New
Zealand authorities.[103]
The Government also indicated that any further exceptions to the prohibition in
Recommendation 54–5 should be adopted by legislative amendments rather than by
a determination of the Privacy Commissioner. Further exceptions to the
prohibition to allow sharing of credit reporting information with other foreign
jurisdictions would only be considered where a clear need arises.
3.105
The committee acknowledges concerns with cross border disclosure of an
individual's credit information and the need for adequate protections for consumers
in these circumstances. However, the close relationship between the Australian
and New Zealand credit reporting markets must be recognised. The Government has
indicated that it will be working with New Zealand authorities so that adequate
protections can be put in place to ensure that there is no inappropriate
secondary use of the information outside the jurisdiction where the information
was originally held. In addition, effective enforcement mechanisms will be
needed to ensure that misuse can be appropriately rectified.
3.106
In relation to the AFC's concerns about an Australian resident
temporarily overseas applying for credit, the committee considers that the question
as to whether this was credit applied for in Australia should be addressed by
guidance from the Australian Information Commissioner.
Powers of the Australian Information Commissioner
3.107
The Privacy Commissioner NSW and Ms Katherine Lane, CCLC, expressed
concern about access to the additional credit information provided for under
the proposed credit reporting regime and the risks to the individual's privacy.
Ms Lane commented that accuracy of information will be important and that the
OAIC needs to have reasonable powers and exercise them to make sure that the
accuracy is maintained.[104]
The Privacy Commissioner NSW was of the view that the inclusion of extra data
sets should be accompanied by an increase in the level of scrutiny by the
Office of the Australian Information Commissioner.
3.108
The Privacy Commissioner NSW noted that section 28A of the Privacy Act currently
allows the Federal Privacy Commissioner to 'conduct audits of credit
information files and credit reports', to 'monitor the security and accuracy of
personal information contained in credit files' and to 'examine the records of
credit reporting agencies and credit providers'. The Privacy Commissioner NSW
went on to state that the Federal Privacy Commissioner's website indicates that
there have been no audits of credit providers or credit reporting agencies to
date. Evidently, 'oversight of the conduct of credit providers and credit
reporting agencies in terms of their obligations under the Privacy Act appears
to have been limited to the investigation of complaints'.[105]
3.109
The Privacy Commissioner NSW concluded that:
Comprehensive credit reporting will involve a vast increase
in the amount and type of information which may be collected. This
significantly heightens the risk that credit information (positive and
negative) may be improperly collected, not stored securely or misused. To meet
this risk I suggest that Parliament should consider including a provision which
requires that Privacy Commissioner conduct one regular (at least yearly) audit
of a randomly selected credit reporting agency and a credit provider in
Australia. This will serve as a conscious-raising exercise for credit providers
and credit reporting agencies, and it will go some way to balancing the
potentially invasive effect of comprehensive credit reporting by increasing
accountability, transparency and, hopefully compliance with the credit
reporting provisions.[106]
3.110
Dun & Bradstreet noted that sections 116 and 118 require that a
regular audit be conducted for data quality and security by an independent
auditor. Dun & Bradstreet recommended that the audits be conducted by the
Office of the Australian Information Commissioner. This would reflect the
provisions of the current Privacy Act.[107]
Committee comment
3.111
The committee agrees with the Privacy Commissioner NSW that with access
to greatly expanded credit data, the collection, use and disclosure of that
information will require appropriate levels of oversight and scrutiny. The
committee considers that a requirement for the Office of the Australian
Information Commissioner to conduct a regular audit of a randomly selected
credit reporting agency and a credit provider in Australia is worthy of further
consideration. However, the committee is mindful that additional resources may
be required by the Information Commissioner to meet such a requirement.
Recommendation 7
3.112 The committee recommends that consideration be given to including a requirement
in the provisions for the powers and functions of the Australian Information
Commissioner that a regular audit of a randomly selected credit reporting
agency and a credit provider in Australia be conducted by the Australian
Information Commissioner.