Chapter 6

Credit reporting agency provisions


6.1        This chapter looks at comments relating to Division 2 of the Exposure Draft which regulates credit reporting agencies. The matters regulated include handling of credit reporting information, de-identified information and access to, and correction of, information.

6.2        Credit reporting agencies are defined in section 180 as an organisation or a small business operator or an agency prescribed by regulation that carries on a credit reporting business. The meaning of credit reporting business is provided for in section 194 of the Exposure Draft and means a business carried on in Australia that involves the collection, holding, using or disclosing of personal information about individuals for the purpose of, or for purposes including the purpose of, providing an entity with information about the credit worthiness of an individual. Comments received in relation to the definition of credit reporting agency are discussed in chapter 9.

6.3        If a credit reporting agency is an entity to which the Australian Privacy Principles (APPs) apply, the APPs do not apply to credit information, credit reporting agency derived information or credit provider derived information. The APPs will apply to all other information held by a credit reporting agency.

6.4        The following discussion focuses on the major matters raised in relation to Division 2. Other issues raised in relation to specific provisions are listed in appendix 3.

Subdivision B – Consideration of information privacy

6.5        Pursuant to Subdivision B, credit reporting agencies must ensure that they manage credit reporting information in an open and transparent way. The subdivision requires credit reporting agencies to take such steps, as are reasonable in the circumstances, to implement practices, procedures and systems relating to the credit reporting business of the agency that will:

6.6        In addition, credit reporting agencies must have a clearly expressed and up-to-date policy about the management of credit reporting information by the agency. These provisions are the equivalent of APP 1 although, as noted by the Australian Privacy Foundation (APF), there is no equivalent to APP 1(4)(f) and (g), and no equivalent at all to APP 8, both concerning overseas transfers.[1] The committee has discussed cross border disclosure in chapter 3 of this report.

6.7        Experian submitted that the Subdivision places a number of excessively onerous standards on credit reporting agencies, for example, the obligation in subsection 105(2) for the agency to have in place policies, procedures and systems that 'will ensure' that the agency complies with Division 2 of the Exposure Draft and the Credit Reporting Code. Experian commented that 'this drafting suggests that if there were an isolated incident of non-compliance with either Division 2 or the Code, there may be an argument that the agency's entire systems have not met this standard, given that these systems did not ensure such compliance in relation to the isolated incident'. Experian submitted that a credit reporting agency should be obliged to maintain policies, procedures and systems that 'are designed/intended to ensure' compliance with Division 2 and the Code.[2]

6.8        Subsections 105(3) and (4) provide for the policy about the management of credit reporting information held by a credit reporting agency. The AFC stated that the prescriptive approach taken to mandating the contents of a privacy policy under subsection 105(4) appears to be at odds with the objective of high-level principles. The AFC recommended that subsection 105(4) be omitted and that the Australian Information Commissioner provide guidance on the content of privacy policies.[3]

Committee comment

6.9        In relation to Experian's comments that onerous standards are being placed on credit reporting agencies, the committee considers that this is not the case. The obligations to ensure that credit reporting information is managed appropriately must reflect the wider range of information being collected, used and disclosed and the potential damage to individuals that may be caused through mismanagement of that information. The committee notes the concerns with subsection 105(2) in regard to the obligation that the agency have in place policies, procedures and systems that 'will ensure' that it complies with Division 2. This provision reflects the 'will ensure' formula in APP 1. In its first report on the Exposure Draft of Australian Privacy Amendment Legislation, the committee noted the comments of the Department of the Prime Minister and Cabinet (the department) which stated, in relation to APP 1, that:

It was the Government's intention for the compliance standards on agencies and organisations to be sufficiently high to enhance privacy protections. The 'will ensure' obligation was included so that privacy protections are built into the design of an entity's system and not 'bolted on' afterwards.[4]

6.10      The committee supports this approach.

6.11      The committee received comments during the first part of its inquiry into the Exposure Draft of Australian Privacy Amendment Legislation regarding the prescriptive approach taken regarding privacy policies in APP 1.[5] The committee concluded that the benefits to transparency and overall compliance with the privacy principles outweighed concerns about compromising the aim of high-level principles. The committee maintains this view and supports the inclusion of matters to be addressed by privacy policies regarding credit reporting information in the new Privacy Act.

Subdivision C – Collection of credit information

6.12      Subdivision C prohibits credit reporting agencies from collecting credit reporting information about an individual except in certain circumstances including that the information is collected from a credit provider which is permitted by the Act to disclose the information or is collected from an entity other than a credit provider in the course of carrying on a credit reporting business and the information relates to an individual who is at least 18 years old. The subdivision also implements obligations in dealing with unsolicited credit information.

6.13      The provisions of paragraphs 106(4)(c) and (d) concern persons under 18 years of age, that is, collection is prohibited unless:

6.14      The Law Institute Victoria (LIV) submitted that subsection 106(6) relating to the exception for credit liability information attained prior to an individual turning 18 years of age, should be clarified so that it is apparent whether this concerns only details of contracts or if it extends also to defaults or payments prior to turning 18.[6]

6.15      Experian commented on the requirement in subsection 106(7) that credit reporting agencies only collect credit information 'by lawful and fair means'. Experian commented that it is not clear what the addition of a standard of fairness is intended to achieve in this context, or how the means of collecting information by a credit agency would be assessed as fair or unfair. As credit reporting agencies generally collect credit information from credit providers and do not have relationships with the individuals to whom the data relates, 'it is unclear whether the standard of fairness under section 106(7) should be measured as between the agency and the credit provider, or as between the agency and individual data subjects'. Experian went on to state that in relation to credit providers, it is difficult to see why the contractual arrangements between commercial parties (many of whom are large and sophisticated) would need to be subject to a legislative standard of fairness. In relation to individual consumers, Experian considered that the existing consumer access, correction and dispute resolution rights under the Exposure Draft provisions achieve a fair outcome for consumers in relation to how credit reporting agencies handle, use and disclose their credit information. Experian concluded:

...that no additional policy objectives would be served by the additional imposition of a vague legislative standard of fairness relating to data collection.[7]

Committee comment

6.16      In relation to comments about subsection 106(7) that credit reporting agencies only collect credit information 'by lawful and fair means', the committee notes that this provision directly reflects APP 3(4). The 'by lawful and fair means' provisions are included in both Information Privacy Principle 1 and National Privacy Principle 1. The Privacy Commissioner has provided guidance in relation to this obligation and the committee would expect that similar guidance will be provided in relation to the credit reporting provisions.

Subdivision D – Dealing with credit reporting information etc

6.17      Subdivision D provides for permitted uses and disclosures of credit reporting information. The use or disclosure of credit reporting information for direct marketing is expressly prohibited except for pre-screening in certain circumstances. The subdivision also provides for:

Section 108 – Use and disclosure of credit reporting information

6.18      Section 108 provides for the permitted uses and disclosures of credit reporting information held by a credit reporting agency. It expressly prohibits use or disclosure of credit reporting information for direct marketing.

6.19      The APF supported the additional restrictions on disclosure contained in subsections 108(3) to (5), compared to the equivalent APP 8, as these are justified for the 'privileged' credit reporting regime. However, the APF noted that paragraphs 108(2)(c) and (3)(f) provide for additional uses and disclosures if prescribed by the regulations. The APF questioned why these two provisions have been included as the necessary uses and disclosures have been thoroughly canvassed during the ALRC and subsequent consultation processes and it should be possible for the legislation to contain a definitive list.[8] In addition, the APF noted that paragraph 108(3)(d) provides for the right to disclose information to an enforcement body if that body believes that the individual has committed a serious credit infringement. The APF commented that this 'illustrates the problem...of merging the lender's opinion in relation to fraud with an opinion about the borrower's intentions based on failure to respond to correspondence etc'. The APF stated that paragraph 108(3)(d)(ii) should refer to the enforcement body being satisfied that the individual has committed 'fraud'.[9]

6.20      Subsection 108(5) requires that the credit reporting agency make a written note of a disclosure made under section 108. Subsection 110(7) provides for the same requirement in relation to use of credit reporting information for pre-screening. The APF submitted that it is unclear as to how this would be implemented in electronic records and/or automated systems and questioned the value of such a requirement as it is unclear who will access the notes. However, the APF considered that these notes/records should be included in an individual's credit report so that the individual can access them, and if necessary challenge them. The APF saw this as being particularly important in relation to disclosure for pre-screening.[10]

6.21      The LIV also commented on the use of written notes and stated that credit reporting agencies should be required to notify the individual when a written note is made of a disclosure under subsections 108(5) and 110(7) as:

6.22      Experian submitted that an additional use and disclosure of credit reporting information should be allowed. Experian stated that the Combating the Financing of People Smuggling and Other Measures Bill 2011 had been introduced to reform anti-money laundering and privacy legislation. The reforms will allow businesses regulated under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the AML/CTF Act) to more effectively and efficiently verify the identity of their customers. The reforms enable reporting entities under the AML/CTF Act to use credit reporting data to verify the identity of their customers, and introduces a number of privacy safeguards to ensure information is only used for the purpose of verifying identity.

6.23      Experian noted that the Legal and Constitutional Affairs Legislation Committee in its report on the Bill recommended that the Bill be passed subject to further investigation of options for introducing 'an appropriate oversight mechanism to monitor the handling of credit information for the electronic verification of identity pursuant to the Bill'.[12] Experian stated that it is supportive of the principle that credit reporting agencies should be allowed to use and disclose credit reporting information for the purposes of identity verification under the AML/CTF Act and awaits the introduction of this legislation.[13]

Section 109 – Permitted CRA disclosures in relation to individuals

6.24      Section 109 lists permitted credit reporting agency disclosures with related conditions. Section 136 similarly provides for permitted credit provider uses in relation to individuals.

6.25      The AFC commented that the intention of these two sections is to permit a credit provider to request disclosure, or a credit reporting agency to disclose credit reporting information to a credit provider, for internal management purposes of the credit provider that are directly related to the provision or management of consumer credit by the credit report. However, the disclosure by the credit reporting agency is on the basis of assessing an application for consumer credit – as covered by the first limb of the definition of consumer credit related purpose. The AFC submitted that it was concerned that 'these two components do not align given the first, namely the management of account, could occur at any time including after an application has been assessed and before the consumer credit is terminated yet the permitted disclosure arguably is limited to the initial assessment process'. The AFC commented that this may reflect a similar anomaly in the current Privacy Act credit reporting provisions and suggested that the revision may provide an appropriate opportunity to resolve this anomaly.[14]

6.26      The Consumer Credit Law Centre NSW (CCLC) commented on Item 5 of the permitted CRA disclosures which provides for credit reporting agencies to give any current credit providers default and payment information they have held for at least 30 days. The CCLC submitted that this information should not be disclosed at all as the potential harm that could arise from this disclosure outweighs the potential benefit. While section 136, Item 5 limits credit providers to using the information for 'the purpose of assisting the individual to avoid defaulting on his or her obligations in relation to consumer credit provided by the provider to the individual', the CCLC submitted that 'this could be interpreted very broadly, and once the disclosure is permitted, then its use may be difficult to monitor in practice'. The CCLC concluded:

As a general rule, a person who is not in default on a contract should be permitted to continue with that contract until such time as it is paid, or they initiate an application for a hardship variation or otherwise seek to vary the contract. While some CPs have attempted to identify consumers at risk of hardship and take pro-active steps to work with those consumers, such measures should be offered and accepted on a voluntary basis. CCLC submits that default information should not be available to existing creditors unless it is for the purpose of credit assessment as a result of an application to increase the limit on an existing facility, or open additional facility with the same CP (in other words as already covered under item 1 of the Table in Section 109).[15]

Sections 110, 111, 112 – Credit reporting information for direct marketing including pre-screening

6.27      The ALRC recommended that the use or disclosure of credit reporting information for the purpose of direct marketing, including the pre-screening of direct marketing lists, should be prohibited (Recommendation 57–3). The Government did not accept the recommendation in full and indicated that the use or disclosure of credit reporting information for the purposes of pre-screening should be expressly permitted, but only for the purpose of excluding adverse credit risks from marketing lists.[16]

6.28      The ALRC noted that this was one of two significant aspects in which the Exposure Draft differed from the approach recommended in its review. The ALRC commented that while encouraging responsible lending may be one rationale for permitting pre-screening, there was a risk that pre-screening may be used as a 'half-measure' in assessing capacity to pay rather than a fuller inquiry. The ALRC also noted the concerns of consumer groups that pre-screening, by facilitating direct marketing of credit to individuals who have not applied for or expressed an interest in obtaining credit, will result in the granting of excessive amounts of credit. It was suggested, for example, that pre-screening may encourage the offering of 'pre-approved' loans or increased credit limits.[17]

6.29      The ALRC was of the view that pre-screening has the potential to facilitate more aggressive marketing of credit and, as it is a tool that may be used by credit providers in different ways, it will not automatically result in more responsible lending practices. The ALRC added that 'to ensure that pre-screening does promote responsible lending would require the enforcement of detailed rules relating to the criteria on which pre-screening may take place'.

6.30      The ALRC also pointed to the views of stakeholders that using credit reporting information in direct marketing more generally should be prohibited and commented that it is artificial to distinguish between 'selecting in' direct marketing prospects (that is, by using credit reporting information to generate a list) and 'selecting out' (that is, by pre-screening an existing list, in the way anticipated by the Exposure Draft). The ALRC concluded:

...that while pre-screening provides clear commercial advantages for credit providers through the better targeting of marketing, such commercial advantages do not outweigh the privacy and consumer protection concerns raised by pre-screening, and it should not be permitted.[18]

6.31      Consumer advocates did not support the inclusion of pre-screening in the credit reporting system. The LIV commented that credit reporting allows entities the use of credit information they would not otherwise have access to. Credit providers could 'pool' the information they collect through a credit reporting agency and use this to help identify potential customers. The LIV did not consider that the pool information should be used by credit reporting agencies for profit: information for one legitimate purpose should not then be sold and used for purposes which are beneficial to companies without the consent of individuals.[19]

6.32      The Consumer Action Law Centre (Consumer Action) was also of the view that pre-screening has no benefit, 'except that it allows credit providers to market their products more aggressively'.[20] Consumer Action commented:

We understand why industry wants to use credit reporting information to pre-screen marketing offers. With direct marketing costing billions of dollars each year, all types of businesses would like to be able to better target their direct marketing campaigns to consumers who are more likely to take up the offers and be profitable to the business. In most cases the Government doesn't allow access to otherwise protected personal information for this purpose.

However, the credit industry has argued that pre-screening is an aid to responsible lending, but the argument is nonsense...

We don't accept that sending marketing material to some individuals who may later be rejected for credit is a risk to responsible lending – although we accept that it may reduce the effectiveness of a marketing campaign.

In fact, we believe that being able to better target consumers for direct marketing (where there is a greater chance that applicants will be approved) can enable credit providers to be more aggressive with their marketing message.[21]

6.33      Ms Karen Cox, Consumer Credit Legal Centre NSW (CCLC), also did not support the inclusion of pre-screening and stated:

We would rather that they did not do pre-screening at all. The reason for that is simply that it makes them feel safer about using that as a marketing strategy, whereas we would rather that people applied for credit than having been selectively marketed to. Therefore we oppose any tool that allows them to better direct that marketing, because we do not think it is an appropriate way of approaching people. We think that people are well aware of the availability of credit, that most credit providers have a lot of general marketing out there and that you do not need the personalised marketing that that sort of tool [facilitates]. We have seen a lot of people over the years who have been lured into borrowing far more than they can through that type of personalised marketing.[22]

6.34      While Consumer Action recommended that pre-screening be prohibited, in the event that this did not occur, Consumer Action sought tighter restrictions on pre-screening so that credit providers cannot choose information to profile the customers to be used in each specific marketing campaign. Consumer Action recommended that pre-screening be limited to only exclude consumers where their credit file contains bankruptcy, court judgments, serious credit infringements and/or defaults. In addition, Consumer Action recommended that:

6.35      The APF described section 110 as 'oddly constructed' and commented that it needed to be carefully reviewed to ensure that it did not allow too wide a use. The APF went on to state that pre-screening could easily be 'reverse engineered' to have the practical effect of targeted marketing of credit, which was not supported by the Government. The APF commented:

As worded, s.110(2) actually confirms that pre-screening is a form of direct marketing – the opposite of the policy intention. We note that pre-screening can't use repayment history or liability information. We assume that identifying information – gender, date of birth, prior addresses – can be accessed for pre-screening in order to identify the individuals to be removed from the list. However, it should be clear that this information can't be used for the pre-screening process itself.[24]

6.36      The APF went on to state that given the limited amount of data that can be used in pre-screening, it appears that in allowing credit providers to determine the eligibility requirements, some credit providers may only choose to exclude people with no defaults; more than one default etc. The APF stated that if pre-screening is to allow offers to be made to consumers who have defaults, it questioned the benefits (if any) of pre-screening in contributing to responsible lending.[25]

6.37      CCLC also commented on the information to be used for pre-screening purposes and submitted that rather than the legislation excluding the types of information that can be used, it would be preferable for the legislation to carefully define the pieces of information that can be used for pre-screening. That information should be limited to default information, court proceedings information and personal insolvency information.[26] The CCLC concluded that identifying information should be used only for the purpose of identifying the person, not for setting pre-screening criteria. CCLC also stated that pre-screening should only be permitted for screening people out as some fringe players target those with negative indicators 'with a view to extracting exorbitant fees and charges from borrowers in desperate situations'.[27]

6.38      Finance industry stakeholders supported the inclusion of the pre-screening provisions to exclude credit risks from marketing lists. The Australian Finance Conference (AFC) stated that 'the formal acknowledgement of this process should provide compliance comfort. The ability to utilise the process will continue to enhance the responsible lending practices of our Members.'[28] Experian also supported the inclusion of this provision as it argued that it will allow credit providers to 'reduce the volume of their direct marketing campaigns and reduce the likelihood that persons to whom additional credit should not be extended will not be targeted with further offers of credit'.[29]

6.39      Mr Carlo Cataldo, ARCA, noted that ARCA members supported pre-screening and stated:

There is one area that pretty much all stakeholders agree on, including ARCA members and others, and that is that this information is not to be used for marketing purposes, and only for credit-related purposes, whether that be fraud or responsible lending or avoiding over-commitment. We would refer to the UK example, where there is no direct marketing allowed, but in the circumstances where credit providers would be accessing marketing lists, they would have the ability to wash that, or ensure that consumers who would not meet their credit, or not be likely meet their credit obligations, that is passed by the bureau. That is commonly known as 'pre-screening', and as part of our submission we would certainly support pre-screening to be part of the allowable uses going forward.[30]

Opt out provisions

6.40      Subsection 110(5) provides an option for individuals to opt out of pre-screening activities. The ABA commented that this provision was inconsistent with proposed credit card reforms which provide for an express opt in to receive credit limit increase invitations as defined in the National Consumer Credit Protection (Home Loans and Credit Cards) Act 2011. The ABA went on to comment that:

From best practice regulation and compliance systems perspectives it is undesirable to have a different approach and compliance practice for one form of credit product (i.e. credit cards) with respect to direct marketing and another for other credit products. A customer might opt out of the pre-screening process but opt in to receive credit limit increase invitations only to be disregarded in a credit card marketing exercise on the very aspect the customer has sought to be included. This could include a customer with a questionable credit history seeing an opportunity to stay on a credit marketing list and avoid a pre-screening process by opting out of pre-screening but opting in to receive credit card limit increase invitations.

Of course, by the consumer not opting out of pre-screening it would be necessary for the customer to opt in to receive credit limit increase invitations.[31]

6.41      The ABA concluded that it would be better, in the interests of consistency in the law and customer experience, for the customer who has not opted out of pre-screening to be treated as willing to receive credit card limit increase invitations (as ultimately defined in the National Consumer Credit Protection (Home Loans and Credit Cards) Act).[32]

6.42      The APF also commented on the opt out provision and stated that it will not work well as there is no direct relationship/contact between the individual and a credit reporting agency. The APF argued that it is 'unrealistic' to rely on individuals 'finding' a credit reporting agency to opt out. Rather, individuals must be given the opportunity via their direct relationship with a credit provider. The APF submitted that as subsection 110(2) purports to regulate pre-screening by a credit reporting agency on behalf of a credit provider, an obligation to offer an opt out from pre-screening should therefore be included in Part A Division 3 (Credit providers).[33]

6.43      The LIV commented that, while it did not support the pre-screening provisions, if they were retained it should reflect the APPs by requiring credit reporting agencies to provide a 'simple means' by which an individual can request to opt out. The LIV suggested that when a 'pre-approval' letter is sent under the branding of a credit provider, it should clearly identify the credit reporting agency to which a request not to use the information should be sent and explain the process for making such a request.[34]

6.44      ARCA noted that section 112 provides for the destruction of pre-screening determinations while pursuant to section 111(3) a credit reporting agency must make a written note of any disclosure of a pre-screening determination. This requires keeping a record of pre-screening determinations. ARCA recommended that to avoid contradiction, and in order to facilitate auditing of the pre-screening process, the records should be kept for at least some period of time, even if they are legally deemed no longer useable for any other purpose.[35]

Section 115 – Use and disclosure of de-identified information

6.45      A number of submitters raised concerns with the provisions relating to de-identified information. Section 115 of the Exposure Draft prohibits the use of de-identified information possessed or controlled by a credit reporting agency except if the use is for research purposes in relation to the assessment of the credit worthiness of individuals and the credit reporting agency complies with any Australian Privacy Rules made by the Australian Information Commissioner. Subsection 115(4) lists some of the specific matters the rules may relate to including:

6.46      Section 180 defines de-identified information as 'credit information that is no longer personal information'.

6.47      The APF considered that there is too much discretion in the wording of this section as the Information Commissioner 'may make' Rules and suggested that there should be an obligation on the Information Commissioner.[36]

6.48      The LIV considered that credit reporting agencies should not be able to charge for de-identified information. While allowing information to be used for the purpose of research provides a public benefit, credit reporting agencies should not use information for their financial benefit.[37]

6.49      However, industry submitters did not support the regulation of de-identified information.[38] ARCA, for example, commented:

The approach taken to the regulation of de-identified data is an example of this attempt to so prescriptively regulate one aspect of Australia's information economy, without considering the principles for which it is being regulated. Restricting the uses of de-identified data through the Privacy Act is an unusual approach to information management, particularly as this data is no longer 'private' information.[39]

6.50      The ANZ Bank similarly stated that 'if the information is not about an individual there is no apparent role for the Privacy Act as there is no possibility of the information being used to the detriment of an individual'.[40]

6.51      Submitters also considered that restrictions on de-identified information would restrict research and development of innovative, new risk assessment tools, as any use of such data to develop these new tools would need to be approved in advance by the regulator on the basis of the research being in the public good.[41] The NAB argued that this requirement would impose 'a challenge to build the case before the analysis is actually undertaken'.[42]

6.52      The NAB and ARCA concluded that the inclusion of these provisions would place new, complex obligations on credit reporting agencies and involve significant administrative costs. The NAB also commented that there would be no discernable consumer benefit and opportunities for product innovation and better and more targeted risk assessment to promote responsible lending would be lost. The NAB and ARCA called for these provisions to be removed.[43]

6.53      The ANZ Bank noted that credit providers currently use de-identified information to develop and maintain credit scorecards. The ANZ Bank stated that scorecards are vital tools in assessing credit applications, identifying high risk credit exposures and helping ensure that a credit provider lends responsibly. Thus limiting use of de-identified information will result in credit providers being unable to refine and improve their credit risk assessments.[44]

6.54      Experian was also of the view that de-identified information should not be regulated under the Privacy Act, and did not consider that any consumer protection policies would be served by the imposition of the restrictions proposed under section 115. Experian went on to state that the 'imposition of such restrictions would potentially impair the ability of CRAs and credit providers to undertake appropriate statistical analysis in order to develop better credit information services and better risk assessment tools that enhance responsible lending practices'.[45]

6.55      Dun & Bradstreet commented that section 115 appears to allow the use of data for research related purposes 'but is ambiguous about the permissible outcome or purpose of that research'. Dun & Bradstreet were therefore concerned that there may be some uncertainty about the lawfulness of what is regular practice by credit reporting agencies. Dun & Bradstreet concluded:

Given the centrality of CRAs to the removal of information asymmetries in the credit assessment and management process any ambiguity about the lawfulness of such practices should be removed. Accordingly, Dun & Bradstreet believes section 115 should be removed from the Exposure Draft Bill.[46]

6.56      The OAIC noted that 'this approach is the first time that the Privacy Act would regulate the use of de-identified information' as such information ordinarily falls outside the Privacy Act's coverage. The OAIC went on to note that, generally, using de-identified information for research is potentially less privacy-invasive than using identified information provided that it is adequately protected from being used to re-identify individuals and that individuals are informed, when practicable, that their information may be de-identified and used for research purposes.

6.57      The OAIC pointed to a number of matters in relation to section 115:

Committee comment

6.58      The Government accepted in part the ALRC's recommendation in relation to direct marketing. The Government stated that pre-screening should be allowed:

The Government acknowledges the ALRC's views on the use or disclosure of credit reporting information for the purpose of pre-screening direct marketing lists. However, the Government considers that, on balance, the use or disclosure of credit reporting information for the purposes of pre-screening should be expressly permitted, but only for the purpose of excluding adverse credit risks from marketing lists.[48]

6.59      The Government Response indicated that specific requirements would be put in place for pre-screening and that adequate evidence must be maintained to show compliance with the requirements.[49]

6.60      The committee has considered the comments provided by consumer advocates and acknowledges their concerns about the use of pre-screening. The committee considers that some of these concerns will be addressed through the Credit Reporting Code of Conduct or by guidance from the Information Commissioner. However, the committee considers that consideration should be given to opt in provisions rather than opt out provisions in relation to pre-screening activities. In this regard, the committee has noted the comments of the ABA concerning consistency with the National Consumer Credit Protection (Home Loans and Credit Cards) Act 2011. The committee considers that the opt out should be reviewed to ensure consistency of approach across the credit regulatory regime.

Recommendation 15

6.61      The committee recommends that the opt out provisions in section 110 be reviewed to ensure consistency with other consumer credit regulatory regimes.

6.62      In relation to de-identified information, the committee considers that it is appropriate that this information is regulated. The ALRC noted that credit information is used by credit reporting agencies for research purposes.[50] The use of this information for research or other purposes is a secondary use of the credit reporting information. The ALRC also recommended (Recommendation 57–2) that there should be a general provision permitting secondary uses of credit reporting information. The Government did not accept this recommendation. The Government's view was that permitted secondary uses should be expressly prescribed in the legislation, and no other secondary uses should be permitted. The Government stated:

The Government does not support the ALRC's recommendation as it would allow credit reporting information to be used and disclosed for a number of unknown purposes. This in turn would significantly reduce the value of the credit reporting provisions to promote transparency and consistency for individuals concerning appropriate uses and disclosures of credit reporting information. In effect, the ALRC’s recommendation would be contrary to the requirement to have defined uses and disclosures as outlined in recommendation 57–1 and would undermine the purpose of having specific provisions which operate in addition to the general 'use and disclosure' principle. While the ALRC proposed to limit the discretion in relation to secondary uses and disclosures by specifically defining the primary purpose, the Government is not convinced that greater use or disclosure of credit reporting information should be subject to a broad discretion exercised by credit providers or credit reporting agencies.[51]

6.63      However, the Government recognised that research was a legitimate secondary use. It was further considered that research should only be conducted on de-identified information.

6.64      While some submissions have argued that the de-identified information is no longer personal information and so should not be regulated, the committee does not support this view. The committee considers that it is appropriate that secondary uses of credit reporting information should be identified and regulated, not left to a general test. However, the committee has noted the comments of the OAIC and considers that these two matters should be addressed.

Recommendation 16

6.65      The committee recommends that section 115 be reviewed in light of the Office of the Australian Information Commissioner's comments relating to disclosure of de-identified information and the rules to be issued.

Subdivision E – Integrity of credit reporting information

6.66      Subdivision E provides that credit reporting agencies must take such steps as are reasonable in the circumstances to ensure that the credit information they collect, use and disclose is accurate, up-to-date and complete as well as relevant when used or disclosed. Credit reporting agencies must also take steps to ensure the security of credit reporting information.

Section 116 – Quality of credit reporting information

6.67      Section 116 provides, in part, for credit reporting agencies to enter into agreements with credit providers that require the provider to ensure that information disclosed is accurate, up-to-date and complete. Section 118 similarly provides for security of information. Dun & Bradstreet noted that data quality is integral to the operations of a credit reporting agency and they 'have a direct commercial interest in maintaining the highest levels of data quality and therefore are an appropriate entity to ensure the required standards are understood and adhered to through its contractual agreements with customers'. Thus the provisions requiring credit reporting agencies to ensure data quality will enhance the capacity of credit reporting agencies to ensure credit providers maintain high standards of quality and security.[52]

6.68      Westpac, however, did not support the requirements of sections 116 and 118 and commented:

We think it is very unusual for legislation to prescribe the specific steps that an entity must take to ensure compliance with such a broad obligation.[53]

6.69      Westpac went on to state that paragraphs 116(3)(a) and 118(2)(a) require higher standards than APP 10. In relation to paragraph 116(3)(a), the contract between credit reporting agencies and credit providers must 'ensure credit information is...' rather than reflecting APP 10 ('take such steps (if any) as are reasonable in the circumstances to ensure the personal information is...'). Similarly, paragraph 118(2)(a) requires the contract to 'protect credit reporting information' rather than reflecting APP 10 ('take such steps as are reasonable in the circumstances to protect the information'). Westpac argued that:

A credit provider should only be required to meet the standards set out in the APPs. It is unable to warrant to third parties that all information is accurate, up-to-date, and complete as it can only make best endeavours to ensure this is the case. Furthermore to audit the agreements an independent person would need access to the credit reporting agency information. For completeness this should be captured as a 'Permitted CRA disclosure'.[54]

6.70      ARCA commented that it did not consider that sections 116 and 118 'alone are adequate to properly ensure compliance with quality and security requirements desired for credit information'. ARCA argued that data quality and data security are fundamental components of the credit reporting system but that compliance is placed within the context of a contractual matter between credit reporting agencies and credit providers. ARCA was of the view that this required credit reporting agencies to police their own customers, and considered that it was not in the interests of either credit reporting agencies or credit providers for credit reporting agencies to be held solely responsible for this compliance function. Rather, ARCA recommended that:

Compliance with data quality and data security measures be included in the proposed Code of Conduct, rather than solely relying on contracts between CRAs and Credit Providers.[55]

6.71      Veda Advantage submitted that it would be desirable, for compliance purposes, to expressly state (as part of section 116) that a credit reporting business is responsible for compliance with the applicable data standards and must have systems or arrangements in place to facilitate such compliance. Express obligations are provided for credit providers in respect of accuracy of credit eligibility information (sections 143 and 144); however, Veda noted that there are no corresponding credit provider obligations in respect of credit information. Veda submitted that it would be desirable to mirror these obligations that would potentially apply to similar types of personal information and thus avoid confusion, assist with compliance and align the responsibilities as proposed in section 116. Veda concluded that:

6.72      Dun & Bradstreet also submitted that independent audits and reviews are appropriate as access to large volumes of personal information imposes a higher standard of responsibility upon commercial entities than may normally be the case. Dun & Bradstreet noted that under the current Privacy Act audits are to be conducted by the Office of the Privacy Commissioner. Dun & Bradstreet suggested that this should remain with the Office of the Australian Information Commissioner under both paragraphs 116(3)(b) and 118(2)(b) of the new Privacy Act.[57]

6.73      However, Experian submitted that the imposition of specific obligations on credit reporting agencies to obtain regular audits of agreements would be an excessive and costly compliance burden on credit reporting agencies. In addition, there are obligations already embodied in a non-prescriptive form in the general obligation imposed under subsection 116(1), which requires credit reporting agencies to take reasonable steps to ensure that the information collected is 'accurate, up-to-date and complete'.

6.74      Experian suggested that it was not appropriate for particular controls to be prescribed in the provisions. Rather, credit reporting agencies should only be required to have reasonable systems and controls in place, and to undertake reasonable monitoring and audit of those systems in a manner that is consistent with their general obligations under section 116(1). Guidance notes issued by the Australian Information Commissioner could outline specific regulatory expectations regarding the auditing of these systems.[58]

6.75      If subsection 116(3) were to be retained, Experian submitted that the formulation of these obligations requires further clarification:

Committee comment

6.76      The committee considers the requirement for credit reporting agencies to enter into agreements to be an appropriate mechanism to ensure quality and security of credit reporting information. Given the access to five new data sets, the committee considers that a higher standard should be provided for in the credit reporting regime. In relation to independent audits of agreements, the committee considers that the responsibility and cost should be borne by the industry as industry reaps the benefit of quality data and should ensure appropriate security of data. Matters where clarity is required, such as the meaning of 'regular', should be addressed either by the OAIC or in the Credit Reporting Code of Conduct.

Subdivision F – Access to, and correction of, information

6.77      Subdivision F provides for access to, and correction of, credit reporting information. The subdivision provides for the manner of dealing with requests, means of access, charges for access and refusals to give access. A credit reporting agency is obliged to correct information if the agency is satisfied that it is not accurate, up-to-date, complete and relevant. Individuals may request corrections to certain types of information held by a credit reporting agency.

Section 119 – Access to credit reporting information

6.78      Section 119 provides for access to credit reporting information. Subsection 119(1) introduces the new concept of 'access seeker'. The APF commented that this is a valuable new concept. The APF also noted that there are very limited exceptions (subsection 119(2)), compared to APP 12. This, the APF stated, is appropriate in a credit reporting context.[60]

6.79      The joint submission from privacy and consumer organisations commented on the importance of ensuring that consumers have access to their credit reports as more information will be collected, including repayment histories. Subsection 119(5) proposes that an access seeker be provided with credit reporting information with no charge once every 12 months. A credit provider may charge for all other instances of access, but the charge must not be excessive (subsection 119(6)). Submitters argued that only one free request per year is too restrictive, particularly in the case when requests are associated with dispute resolution etc.[61] The NAB also commented that the provision appears to reduce an individual's access rights as under the current Privacy Act an individual can pay to receive a copy of their credit report within 24 hours. However, subsection 119(3) only refers to a reasonable period, but not longer than 10 days.[62]

6.80      The joint submission went further and stated that:

The starting point should be that consumers have the right to access one free copy of their credit report at least once a year, with a 24 hour turnaround or when involved in a dispute. Consumers should be able to apply for such a report online, by mail or fax.[63]

6.81      Dun & Bradstreet considered that the provisions make it more difficult and cumbersome for a consumer to obtain a copy of their credit report, particularly if more than one copy is sought per year. Dun & Bradstreet noted that the current provisions allow for multiple requests during a twelve month period without a fee if that request is fulfilled within a ten day period. Dun & Bradstreet concluded:

The new provisions would limit an individual's access to their personal credit report without incurring a fee to just one occasion per year. Such an outcome is likely to limit consumers' ongoing interaction with their personal credit report and would seem contrary to efforts to improve consumer literacy about credit reports and their role in the credit process.[64]

6.82      The joint submission noted that while the current Privacy Act provides for free access to credit reports, credit reporting agencies are currently charging fees for fast turnaround copies and do not provide consumers with the same level of information about accessing free reports. In the case of Veda Advantage, information about free reports is provided 'in the fine print at the bottom of the web page' and applications must be made by mail. The submission stated that the processes for Dun & Bradstreet are more straightforward for consumers who want to get a free report. The joint submission concluded:

In short, neither the current legislative framework [nor] that proposed in the Exposure Draft Bill builds in an incentive for credit reporting agencies to reduce barriers to consumers accessing free copy of their credit report. Instead there are incentives to make it both difficult to find out about the free report and then difficult to apply for it.[65]

6.83      The joint submission also recommended that the Exposure Draft include an obligation to promote the right of access to a free credit report (at least at the same level as any service incurring a fee) and impose an obligation to make the process as simple as possible for consumers.[66]

6.84      The joint submission submitted that, rather than the term 'not excessive', credit providers should only be able to charge a 'reasonable fee'. The joint submission noted that the fees currently charged for fast turnaround reports were $41.95 (Veda Advantage) and $30 (Dun & Bradstreet). The joint submission viewed these as excessive 'for what appears to be an electronic process'. It was noted that as a third credit reporting agency has entered the market, if a consumer needs a report urgently, they may have to pay a fee to all three.[67]

6.85      Other submitters suggested that the charge be levelled at no more than the actual cost incurred by the credit reporting agency in providing the information.[68] The LIV went further and stated that charging for access should be prohibited. The LIV noted that credit reporting agencies rely on individuals' credit information for their business. As the ultimate 'suppliers' of that information, individuals should have access to that information whenever they want without charge. Further, greater access by consumers is one way of ensuring compliance with the requirements on credit reporting agencies under the credit reporting system.[69]

Committee comment

6.86      The committee notes that the Exposure Draft now provides for a clear right for individuals to access one free credit report per year. While the Exposure Draft provides for only one free credit report, the committee considers that this is a minimum requirement. If credit reporting agencies decided to provide more than one free credit report per year, the committee considers this is a business decision for the agency to make. However, the committee is concerned that the same level of information is not provided for accessing free reports and those reports that attract a charge. The committee considers that the same level of information and prominence should apply to both.

Recommendation 17

6.87      The committee recommends that the Credit Reporting Code of Conduct include requirements in relation to the standard of information provided to a consumer in relation to accessing free credit reports and those for which there is a charge.

Section 120 – Correction of credit reporting information

6.88      Section 120 provides for the correction of credit reporting information. Veda Advantage commented that if information is corrected, the credit reporting agency must then notify any previous recipients in writing of the correction when it is made. No subsequent obligations exist for the recipients. Veda noted that corrections, of varying significance, can occur for credit information up to five years old. Veda submitted that the provision as drafted would create a substantial compliance regime for credit reporting agencies with no clear benefit for consumers. Veda supported a requirement for credit reporting agencies to notify, as requested by the consumer, credit providers who have been recipients of the information.[70]

Section 121 – Individual may request the correction of credit information etc

6.89      The Energy & Water Ombudsman NSW (EWON) commented on the 30 day requirement for a credit reporting agency to make a correction. EWON stated that if inaccurate information is listed, 'it is fair and reasonable to the customer who has been adversely affected by this, that the incorrect credit information is corrected as soon as possible'. Thus EWON saw the 30 day period as 'excessive in these circumstances, particularly if this is 30 business days (ie equivalent to six weeks)'. If there is a valid reason for the delay, it was suggested that the credit reporting agency make an annotation to the file to note that a correction is pending. EWON also noted that this is not a penalty section and there appears to be no incentive for this correction to be carried out in a timely manner. EWON suggested that if the issue is not addressed in the Act, it should be addressed in the Credit Reporting Code.[71]

6.90      The TIO commented that the Exposure Draft confers a general responsibility on credit reporting agencies to correct information they find to be incorrect but no specific timeframe in which the correction is to be made. The TIO pointed to the Telecommunications Consumer Protection (TCP) Code which requires that where a telephone or internet company becomes aware that a customer has been default listed in error, they must inform the credit reporting agency within one working day. The TIO was of the view that the one day requirement in the TCP Code appears to recognise the significant detriment that can be caused by incorrect information on a person's credit file.[72]

6.91      Veda Advantage also commented on the fees charged by 'credit repair' organisations including fees to consumers for services such as obtaining a copy of their credit file. Veda Advantage submitted that fees are often substantial and a success fee, up to $1,000, may be imposed for each piece of derogatory information that a credit reporting agency investigates and removes from a credit report. As a consequence, vulnerable consumers may pay substantial fees for 'normal, regulated, credit reporting activities that would otherwise be free'. Veda Advantage went on to state:

Typically, the consumer would be exercising their legal rights of access and correction as provided for under the Act. It is unfair to charge the consumer for the mere exercise of their rights and detracts from the quality of legal protections that the Act specifically provides for.[73]

6.92      Veda Advantage recommended that only credit reporting agencies be permitted to impose a fee on provision of credit reports (in addition to the obligation to provide free reports) and that no entity be permitted to charge for investigation or amendment of a credit report. However, if third party organisations were permitted to provide such services, Veda Advantage recommended that rules prescribe fee disclosure to consumers by those organisations and expressly require such organisations to disclose to the consumer that access to, and correction of, credit information, when conducted by a credit reporting agency, is conducted for no fee to the consumer.[74]

Committee comment

6.93      The committee has discussed the timeframes for correction as part of its examination of complaints handling. See chapter 5 for the committee's conclusion and recommendation.

6.94      In relation to the matter raised by Veda Advantage, although the committee supports mechanisms to protect vulnerable consumers, the charging of fees by credit repair organisations is outside the scope of the Privacy Act and would more rightly be addressed through the National Consumer Credit Protection Act.

Section 122 – Notification of correction etc must be given

6.95      Section 122 provides for notification of corrections and when a correction is not made. The APF suggested that in instances where a notification is made not to correct information (subsection 122(3)), the credit reporting agency should have to notify rights and external dispute resolution scheme contact details with any notice of decision. In addition, the APF argued that subsection 122(4) provides too great a discretion for notice not to be given on grounds of impracticability, and there is no provision for an associated statement if a correction request is disputed.[75]

6.96      Experian commented on the requirement that notification of the correction must be provided to previous recipients of the information. Although subsection 122(4) provides an exception on the grounds of the impracticality of notifying previous recipients, Experian considered that a further exception should apply based on the 'likely relevance' of the corrected information to previous recipients. For example, if a significant period of time has elapsed since the receipt of the original information, the corrected information will have little relevance to the recipient unless it needs to specifically reconsider the individual's credit arrangements, in which case an updated credit report would be sought. Experian therefore submitted that the obligation provide for an express time limit, for example, three to six months. An alternative approach would be to notify previous recipients of the corrected information only at the request of the individual, based on their views as to which previous recipients are relevant. Experian suggested that the imposition of limits based on relevance is consistent with the Government's response to the ALRC Recommendation 59–5.[76]

Committee comment

6.97      The committee considers that the provisions of subsection 122(4), that notice is not required to be provided to recipients 'if it is impracticable' for the credit reporting agency to do so, provide flexibility to agencies in complying with the notification obligation. The introduction of a further exception based on 'likely relevance' would introduce a subjective element to the obligation which the committee considers is not desirable.

Subdivision G – Dealing with credit reporting information after the retention period ends etc

6.98      Subdivision G provides for the destruction of credit reporting information after certain retention periods. Credit reporting information can also be destroyed in cases of fraud. In such an event, credit reporting agencies must notify third parties which had received that information.

6.99      Section 123 provides for the destruction of credit reporting information after the retention period ends. Submitters' comments related to the provisions of subsection 123(3) which requires a credit reporting agency not to destroy credit reporting information nor ensure that the information is no longer personal information if, immediately before the retention period ends, there is a pending correction request or a pending dispute. Dun & Bradstreet, for example, commented that this requirement seems unnecessary and potentially onerous from a systems development perspective in light of the fact that the information would otherwise qualify for destruction and no longer impact the consumer's credit profile. Accordingly, Dun & Bradstreet recommended that this subsection should be removed from the Exposure Draft.[77] Veda Advantage commented that it is unclear how this provision will benefit consumers 'who presumably would rather see disputed/incorrect information drop off the credit file sooner as scheduled'.[78]

6.100         Section 124 provides for the retention period for credit information except for personal insolvency information. The retention periods of two, five and seven years are provided for depending on the type of information retained by the credit reporting agency. Comments in relation to retention periods were received from Experian which stated that the two year retention period for positive data is very short by international standards. Experian considered that an extended retention period of five to seven years would be more appropriate and consistent with international standards. Experian concluded that:

...a retention period of five to seven years strikes an appropriate balance between the value and usefulness of the data for risk assessment purposes, whilst also ensuring that CRA credit reporting databases only contain data of appropriate quality and predictive value. Extending the retention period for positive data would also allow for robust modelling by CRAs.[79]

6.101         Dun & Bradstreet's comments went to the retention period of default information. The retention period of five years for default information starts on the day on which the credit reporting agency collects the information. However, Dun & Bradstreet stated that the day on which the credit reporting agency collects the default information is unlikely to be the day on which the default occurs. Dun & Bradstreet considered that the five year period should begin from the date of default, thus ensuring fairer outcomes for consumers.[80] ARCA provided similar comments and suggested that the provision could represent 'unfair' treatment of consumers and a lack of consistency in the underlying meaning of an item of data. ARCA recommended that retention periods commence within a specified period of the default actually occurring.[81]

6.102         The ABA also commented on the maximum permissible retention periods for credit information in relation to disputes. It was noted that consumers may lodge disputes with the Financial Ombudsman Service (FOS) up to six years after the disputant became, or ought to have become, aware of the incurring of a loss or within two years after an independent dispute resolution final response by the financial institution. Thus, retention periods of two and five years are insufficient and it would be preferable for the FOS periods to be aligned with the Exposure Draft from a privacy perspective.[82] The NAB and ARCA also raised a similar concern in relation to section 164 which allows the Information Commissioner to apply to the Court for an order within six years of an entity contravening a civil penalty provision.[83]

6.103         Section 126 requires the destruction of credit reporting information in cases of fraud. This provision was not supported by Veda Advantage which argued that destroying such information prevents credit reporting agencies from gaining insight into patterns of fraud behaviours. Veda supported the removal of the information from the credit report.[84]

6.104         Paragraph 126(4)(c) allows an individual to request the credit reporting agency to notify third parties to which the fraudulent information was disclosed that it has been destroyed. ARCA argued that this imposes impractical notification requirements as more than one credit reporting agency may be involved and consumers may not remember which credit reporting agencies a credit provider shares data with, even if they have been told when they applied for the credit. ARCA recommended that an alternative would be to allow the credit reporting agency to 'assign' responsibility to the credit provider who provided the credit to the fraudster to notify all of the credit reporting agencies they have shared the data with. The credit reporting agencies would then be required to report back to the credit provider that they have done so. The legislation could specify a time frame in which this should occur and then the credit provider could confirm to the consumer that the destruction has taken place.[85]

6.105         The NAB was of a different view, and suggested the credit reporting agency's obligation to notify a recipient that information has been destroyed should be automatic, not just when an individual requests the credit reporting agency to do so.[86]

Committee comment

6.106         The ALRC canvassed issues relating to retention periods and came to the view that the retention periods prescribed in the current Privacy Act 'provide an important protection for consumers'. The ALRC did not see any compelling case for changing the existing retention periods. The ALRC's recommendation (Recommendation 58–5) was accepted by the Government and the committee supports the retention provisions in the Exposure Draft.

6.107         The committee has noted the comments concerning the provisions for the destruction of credit reporting information in cases of fraud. The committee does not support the retention of this information for research purposes as it may undermine consumer protections. In relation to the notification requirements, the committee does not consider these to be impractical or onerous. There are only four credit reporting agencies in Australia and the notification requirements reflect the serious consequences to consumers in cases of fraud. However, the committee has noted the views of the NAB in relation to the automatic notification of recipients of the destruction of credit reporting information in cases of fraud. The committee also notes that a requirement to notify recipients of a correction of personal information is contained in subsection 122(2). The committee considers that, given the serious consequences of fraud, automatic notification of destruction of information may have merit.

Recommendation 18

6.108         The committee recommends that consideration be given to providing in subsection 126(4) a general requirement for notification of destruction of credit reporting information to all recipients of credit reporting information in cases of fraud and not only limited to when an individual makes such a request.
