Chapter 8

Chapter 8

Division 4 and penalty provisions


8.1        This chapter discusses issues raised in relation to Division 4 and penalty provisions contained in the Exposure Draft.

Division 4 – Other recipients of information

8.2        Division 4 sets out the rules for certain recipients of information that has been disclosed by credit reporting agencies or credit providers. The recipients to which these provisions apply are mortgage insurers and trade insurers, a related body corporate, credit managers, and advisers etc. The rules apply to recipients that are APP entities, instead of any relevant Australian Privacy Principles.

Credit managers

8.3        Section 154 regulates the use and disclosure of information by credit managers. The Australasian Retail Credit Association (ARCA) commented that the term 'credit manager' is 'materially significant' in the context of this provision but noted that no definition is provided.[1] The National Australia Bank (NAB) and the ANZ Bank also noted that the term 'credit manager' was not defined. The NAB submitted that therefore it 'could not determine the potential impacts of this section' while the ANZ Bank commented that it is unclear which entities in the credit industry the section is intended to capture.[2] It was recommended that a definition be provided.

8.4        ARCA also commented that, pursuant to paragraph 154(2)(a), a permitted use of information is 'managing credit provided by the credit provider'. The term 'managing credit' is defined in section 180 as excluding acts relating to the collection of overdue payments in relation to credit but does not indicate what it does include. ARCA noted that the term is used in paragraph 154(2)(a) to create an exception to the general prohibition on use of credit eligibility information by a 'person' with 'person' also not being defined. ARCA commented that the provision suggests that this information can't be used by a person in activities that relate to the collection of overdue accounts. ARCA went on to comment that 'given the breadth of the definition of credit eligibility information, this could make it very difficult to collect on an overdue account'. ARCA recommended definitions be included for the terms used in section 154.[3]

Committee comment

8.5        The committee agrees that the addition of a definition of 'credit manager' would assist with the understanding of section 154.

Recommendation 21

8.6        The committee recommends that a definition of the term 'credit manager' be provided.

Debt collectors

8.7        Both the Office of the Australian Information Commissioner (OAIC) and the Australian Privacy Foundation (APF) noted that although the Division sets out rules for certain recipients, these recipients do not include debt collectors.[4] The APF stated that the 'use of credit reporting information by debt collectors has been a major issue under Part IIIA and we submit that strict controls are required'.[5] The OAIC also argued that the exclusion of debt collectors means that:

8.8        The OAIC went on to comment that disclosure of financial information to third parties by debt collectors may have serious consequences for an individual. Mr Timothy Pilgrim, OAIC, expanded on the OAIC's view:

...our concern is whether in fact the activities of debt collectors will be sufficiently picked up. From our understanding, they may not be in every circumstance. One example of that is that if they are not covered in terms of the provisions for some of their activities, that is one aspect. They may be covered for receiving some of the information but they may not be covered for how they can use it for secondary purposes. The other issue we raise relates to the small business exemption, which is that if they are a small business operator then there may be no coverage of the information they hold once they have received it, because the Australian privacy principles that are proposed will not apply to them either.[7]

8.9        The OAIC recommended that all debt collectors (regardless of size) should be prohibited from using and disclosing credit eligibility information, other than for the primary purpose for which it is collected. This would be consistent with the obligations for other recipients in Division 4.[8]

Committee comment

8.10      The Australian Law Reform Commission (ALRC) considered concerns in relation to debt collection, particularly where debt collection is outsourced from the original credit provider to debt collection businesses, which may also be assignees of the debt. The ALRC noted that where debt collectors are not assignees, under the current Privacy Act they can only access credit reporting information through the credit provider. The ALRC saw no compelling reasons for changes to the rules governing access to credit reporting information.[9]

8.11      The Exposure Draft reflects this view with section 140 providing for the disclosure of credit eligibility information to debt collectors. Subsection 140(2) prescribes the information about the individual that is permitted to be disclosed including identification information, court proceeding information, personal insolvency information and default information in certain circumstances.

8.12      The committee considers that a provision regarding CP disclosures to debt collectors is therefore not required as they do not have the same access to credit information. However, the committee is concerned that there may be inadequate protection of credit information that is provided to debt collectors which are small business operators. As noted by the OAIC, small business operators are currently not captured by the Privacy Act. The committee therefore believes that further consideration is required to ensure that credit eligibility information provided to debt collectors that are small business operators is adequately protected.

Recommendation 22

8.13      The committee recommends that further consideration be given to the regulation of credit eligibility information provided by credit providers to debt collectors that are small business operators.

Penalty provisions


8.14      The Credit Reporting Exposure Draft provides for both civil and criminal penalties. The penalties relating to offences by credit reporting agencies and credit providers are contained in the relevant Divisions. Division 6 provides for offences by entities. An offence is committed if an entity obtains credit eligibility information from a credit reporting agency or a credit provider which is not a permitted disclosure or the entity is not an access seeker; or the entity obtains the information by false pretence. Division 7 regulates contraventions of the civil penalties provisions. The following discussion also incorporates comments relating to specific penalty provisions in various sections of the legislation.

8.15      A civil penalty provision is defined in section 162 as a subsection of the Act where the word 'civil penalty' and one or more amounts are set out in penalty units following the subsection. The penalties for contravening a civil penalty provision and the various forms of civil penalty orders are outlined in section 164.

8.16      The ALRC recommended that the Privacy Act be amended to 'allow the Privacy Commissioner to seek a civil penalty in the Federal Court or Federal Magistrates Court where there is a serious or repeated interference with the privacy of an individual' (Recommendation 50–2). Part IIIA of the current Privacy Act includes a number of credit reporting offences. The ALRC recommended that these offences be removed so that a general 'civil penalties regime' could be implemented (Recommendation 59–9).[10]

8.17      The Government's response to the ALRC review accepted the recommendation to have the credit reporting offences removed with the inclusion of a general 'civil penalties regime'. The Government stated that it 'agrees that civil offences are more appropriate for the breach of any provisions in relation to credit reporting'.[11]


8.18      The imposition of civil penalties was supported with ARCA commenting that it 'supported a strong regulatory environment, supported by a robust compliance framework to ensure consumers receive the full benefits associated with the introduction of more comprehensive credit reporting'.[12] Mastercard commented:

We believe that there must be strong protections for applicants and customers specifically in relation to the collection and subsequent use of information relating to them. To that end, we support harsh penalties for any organisation that breaches provisions related to marketing and misuse of the available data.[13]

8.19      The APF welcomed the introduction of civil penalties for breaches, as it was of the view that they are a potentially more effective sanction and deterrent than the current criminal penalties in Part IIIA.[14] However, the APF was concerned that the operation of the civil penalty provisions 'rely entirely' on action by the OAIC. The APF stated that in the past, the OAIC has not actively enforced the current credit reporting penalties and commented:

...whether the civil penalty regime will be effective depends partly on the willingness of the Information Commissioner to exercise their powers – experience since 1991 to date has been that the Privacy Commissioner has not effectively enforced the credit reporting (or the more general) provisions of the Act, and we submit that this must change. We invite the Committee to seek assurances from the Information Commissioner that they will address the many criticisms of complaint handling and enforcement under the Privacy Act – financial counselling NGOs can provide numerous examples of these failings in relation to Part IIIA and the Credit Reporting Code.[15]

8.20      The APF acknowledged that it is intended that the powers and functions of the OAIC will be strengthened in the new Privacy Act and stated that it hoped future Information Commissioners will be 'more proactive, and more responsive to complaints, including representative complaints and evidence of systemic failures by CRAs and CPs'.[16]

8.21      The APF also stated that alternative routes to obtaining civil penalty orders should be available for individuals to be able to directly apply to the Federal Magistrates Court and/or to a recognised external dispute resolution (EDR) scheme.[17]

8.22      The Consumer Credit Legal Centre (NSW) (CCLC) stated on the same matter:

The role of EDR and civil penalties and compensation should be clarified. As most cases go to EDR, there needs to be a mechanism in place for EDR to refer matters to the Information Commissioner for civil penalty investigations.[18]

8.23      In addition, CCLC recommended that the legislation include a compensation regime for affected consumers that can be awarded by EDR.[19] Ms Katherine Lane, CCLC, commented that there are already some provisions for compensation in place and the Privacy Commissioner and the Financial Ombudsman Service have made decisions on compensation in relation to credit reports previously. Ms Lane went on to state:

I just think there needs to be a balance for consumers. I think everybody keeps forgetting that this is our credit history and our credit reports—us as people of Australia—and people are putting that stuff on our credit reports; it needs to be accurate. If it is not, there needs to be a penalty system or a compensation system to compensate you for what is really serious—basically it is saying inaccurate things about you in public, and that is accessible to certain people. In law we have lots of things that account for that: we have libel and defamation and things like that. It is not OK to have inaccuracies on credit reports, so there needs to be a balance...

I think we need to make sure that there is a system of accountability—and this is also to drive accuracy. If there is no penalty for being inaccurate and no compensation that is going to flow, what is the motivation for accuracy? ...I think it is really important that this legislation drive credit providers to be extremely careful and accurate in their listings, and I think that is an outcome that can be achieved by making sure that there is something to drive that compliance.[20]

8.24      Experian raised the issue of the effects of the civil penalty provisions on credit reporting agencies and the extent to which credit reporting agencies are dependent on the actions of other industry participants, in particular, credit providers. Experian stated that:

...if a credit provider (or other regulated entity) is transacting with a CRA in a manner that is knowingly or recklessly in contravention of the entity's own obligations under the Exposure Draft provisions, this places the agency at risk of incurring penalties in relation to inadvertent 'flow-on' contraventions.[21]

8.25      Experian recommended that appropriate thresholds be placed around the penalties imposed on credit reporting agencies, focussing on:

...whether the contravention was caused by the wrongful actions of other third parties that are outside the control of the agency, or whether the agency had in place reasonable and appropriately robust systems and controls designed to minimise the occurrence of such contraventions.[22]

8.26      Experian went on to comment that if civil penalties were imposed on the agency due to either of these situations, unnecessary harm could be caused to the agency's reputation and relationships with regulators. Experian recommended that many of the civil penalty provisions applicable to credit reporting agencies 'should incorporate a prerequisite of fault or wrongdoing by the agency'; that is, a requirement that contraventions have been committed knowingly or recklessly, or that they have resulted from inadequacies in the agency's systems, policies and procedures for ensuring compliance with the relevant provisions.[23]

8.27      Veda Advantage and Dun & Bradstreet provided similar comments. Specifically in relation to section 117 (false or misleading credit reporting information), Veda commented that the penalties fail to 'reflect the fact that in data sharing arrangements one does not always have control over the conduct of others and their processes. These matters are, by their nature, internal to each organisation. It is feasible for data supplied to be incorrect even though the systems and processes that one has in place are world class'. Veda recommended the inclusion of the defence of 'reasonable mistake of fact' as strict liability offences are not appropriate for credit reporting legislation.[24] Veda concluded:

This is important because despite taking appropriate care, it will always be possible that a record happens to be false in a material particular, in circumstances where the credit reporting agency has no way of knowing this.[25]

8.28      The NAB and ARCA also commented on this matter, stating that the civil penalty provisions do not consider the issue of intent.[26] The legislation 'could impose significant penalties on an otherwise compliant institution based on the activities of a single rogue employee'.[27] ARCA supported the severity of the penalties but commented that as there are differing levels of reporting, an 'incomplete' credit report within this context should not result in it being deemed misleading, and this should be reflected in the drafting of the provisions.[28]

8.29      The ANZ Bank and Westpac also voiced concern that there is no element of knowledge, intent or recklessness required for a credit reporting agency to contravene the civil penalty provisions. Thus, a credit provider could contravene the civil penalty provision simply by using information provided by a credit reporting agency which the credit provider believes to be true. The credit provider may only become aware of the false or misleading information until after the victim starts receiving statements. Furthermore, the credit provider is unable to verify the information without first disclosing it and therefore contravene the civil penalty provision. Both the ANZ Bank and Westpac argued that the penalty sections should be amended to include an element of knowledge, intent or recklessness on the part of the credit reporting agency and credit provider.[29]

8.30      In addition, ARCA noted the requirements of section 167 in relation to multiple contraventions. ARCA stated that if an unintended breach occurred, for example, a processing error, the penalty could be equal to the number of instances of contravention, which could be huge. Similar to the argument from Experian above, ARCA stated that where 'activities...are not wilful and deliberate [they] should be approached with a lesser set of penalties, and that actions on the part of a data sharer should be able to mitigate penalties in appropriate circumstances'. ARCA noted that this is similar to provisions in the Corporations Act.[30]


8.31      In relation to the application of penalty units, Veda Advantage argued that the Exposure Draft does not appear to provide a consistent approach comparable to the nature of the conduct and seriousness or possible harm caused by the relevant contravention. Veda explained:

For instance, a CRA that collected information falling outside section 106 attracts a $1.1 million penalty. Similarly, a CRA that adopted a Government number as a consumer identifier – a much more harmful offence – would also attract a penalty of $1.1 million.[31]

8.32      In addition, Veda commented that some of the significant civil penalties relate to provisions where there is 'great complexity'. For example, a $550,000 penalty applies under subsection 113(4), a provision which requires two separate assessments on 'reasonable grounds' by the credit reporting agency. Veda also argued that subsection 164(5) does not provide a court with adequate guidance on how to determine an appropriate penalty. Further, Veda stated that there is no express provision in the legislation for account to be taken of any compliance measures to prevent contraventions.[32]

8.33      Experian recommended that the Australian Information Commissioner prepare and publish guidelines on how the Office will pursue civil penalty orders under Division 7 of the legislation.[33]

8.34      Some provisions provide for both criminal and civil penalty: sections 117, 144, 160 and 161. The Australian Finance Conference (AFC) and APF commented that it understood that the Government intended that criminal offence provisions be removed in favour of civil penalty provisions and questioned why provisions provided for a criminal offence.[34] Ms Helen Gordon, AFC, stated:

I understand the Law Reform Commission undertook consultation in relation to [criminal offence provisions] and made a decision that criminal offences probably were not appropriate in the credit reporting context because it is not something familiar in the rest of the Privacy Act. I do not believe there are criminal offences for breaching other provisions in the act. So I understood it was a reflection of, again, modernising the law, looking at what would be an appropriate way to control behaviour or misbehaviour, and they certainly recommended against continuing criminal offence provisions in these new provisions.[35]

Committee comment

8.35      The reforms to the credit reporting legislation will provide access to much greater amounts of personal information. Inaccurate information and the inappropriate use of information may have consequences for consumers which can range from minor inconvenience to significant detriment, for example, the inability to access a mortgage for a home. The committee therefore agrees that appropriate penalties are an important mechanism in ensuring the integrity of the credit reporting system.

8.36      The committee notes that the ALRC considered that 'a civil penalty regime is a more appropriate enforcement mechanism for breaches of credit reporting regulation than the suite of criminal offences currently provided for in the Act'.[36] Submitters pointed to the Government's agreement in relation to the ALRC's recommendation regarding civil penalties but commented that the Exposure Draft still contains some criminal offences. However, the committee notes that the National Consumer Credit Protection Act 2009 (NCCP Act) contains both civil and criminal penalties. The Minister, in the second reading speech for the National Consumer Credit Protection Bill 2009, commented that the 'relevant provisions are consistent with the Corporations Act 2001 and other Commonwealth consumer protection laws' and that the NCCP Act provides for a tiered approach to the sanctions regime.[37] The committee understands that the penalty provisions in the Exposure Draft reflect those of the NCCP Act. The committee considers that, like the NCCP Act, the tiered approach enables a targeting of the most appropriate sanctions. Further, it is appropriate for the consistent application of penalty provisions across all aspects of consumer credit regulation including criminal penalties, when the offence suggests that this is warranted or the offence is analogous to similar provisions in the Corporations Act. The committee therefore supports the penalty provisions contained in the Exposure Draft.

8.37      In relation to the APF's suggestion that individuals should be able to directly apply to the Federal Magistrates Court and/or to a recognised external dispute resolution (EDR) scheme, the committee notes that, as a general rule in Commonwealth law, there are strict limitations on who may apply for a civil penalty order. For example, only the Regulator may apply for a civil penalty order under the Renewable Energy (Electricity) Act 2000 and the AUSTRAC Chief Executive Officer under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006. In addition, under the NCCP Act only the Australian Security and Investment Commission may apply to a court for a declaration that a person has contravened a civil penalty provision. As outlined above, the provisions of the Exposure Draft are consistent with those of the NCCP Act. The committee also notes that it is Commonwealth policy that civil penalty proceedings be brought by the Commonwealth, or regulators or officials authorised by the Commonwealth, rather than individuals.  The committee therefore does not support the AFP's suggestion of individuals applying directly to the Federal Magistrates Court.

8.38      However, the committee is mindful that the effective regulation of credit reporting will require efficient investigation of breaches and where appropriate, the timely imposition of sanctions. The committee therefore considers that the Office of the Australian Information Commissioner may require further resources to enable it to conduct regular audits under the credit reporting system.

Recommendation 23

8.39      The committee recommends that consideration be given to provide increased funding for the Office of the Australian Information Commissioner to effectively and efficiently investigate breaches of the credit reporting provisions.

8.40      The CCLC suggested that the credit reporting regime include compensation for consumers adversely affected by contraventions of the credit reporting provisions. The committee notes that the NCCP Act provides for consumer remedies in two ways:

8.41      The Explanatory Memorandum for the NCCP Bill stated that:

Consumer remedies are an important element of the enforcement package as it enables consumers to take direct action against a licensee who breaches the law and causes them loss or damage. These actions can provide sufficient deterrent against breaches of the law. Private suits are considered a useful way of influencing and curbing market behaviour.[38]

8.42      The committee considers that consideration should be given to including similar compensation provisions in the credit reporting system.

Recommendation 24

8.43      The committee recommends that consideration be given to the inclusion of consumer remedies, similar to those that exist in the National Consumer Credit Protection Act such as compensation, for consumers adversely affected by contraventions of the credit reporting provisions.

8.44      Credit reporting agencies Experian and Veda Advantage commented on the lack of a defence of 'reasonable mistake of fact' or lack of intent. However, the committee notes that subsection 164(5) provides that in determining the pecuniary penalty, the court must take into account all relevant matters, including:

(a)   the nature and extent of the contravention; and

(b)   the nature and extent of any loss or damage suffered because of the contravention; and

(c)   the circumstances in which the contravention took place; and

(d)  whether the entity has previously been found by a court in proceedings under this Act to have engaged in any similar conduct.

8.45      The committee therefore considers that there is no requirement for the Exposure Draft to be amended to provide for a defence of a 'reasonable mistake of fact' or lack of intent.

Navigation: Previous Page | Contents | Next Page