Division 4 and penalty provisions
This chapter discusses issues raised in relation to Division 4 and penalty
provisions contained in the Exposure Draft.
Division 4 – Other recipients of information
Division 4 sets out the rules for certain recipients of information that
has been disclosed by credit reporting agencies or credit providers. The
recipients to which these provisions apply are mortgage insurers and trade
insurers, a related body corporate, credit managers, and advisers etc. The
rules apply to recipients that are APP entities, instead of any relevant
Australian Privacy Principles.
Section 154 regulates the use and disclosure of information by credit
managers. The Australasian Retail Credit Association (ARCA) commented that the
term 'credit manager' is 'materially significant' in the context of this
provision but noted that no definition is provided.
The National Australia Bank (NAB) and the ANZ Bank also noted that the term 'credit
manager' was not defined. The NAB submitted that therefore it 'could not
determine the potential impacts of this section' while the ANZ Bank commented
that it is unclear which entities in the credit industry the section is
intended to capture.
It was recommended that a definition be provided.
ARCA also commented that, pursuant to paragraph 154(2)(a), a permitted
use of information is 'managing credit provided by the credit provider'. The
term 'managing credit' is defined in section 180 as excluding acts relating to
the collection of overdue payments in relation to credit but does not indicate
what it does include. ARCA noted that the term is used in paragraph 154(2)(a)
to create an exception to the general prohibition on use of credit eligibility
information by a 'person' with 'person' also not being defined. ARCA commented
that the provision suggests that this information can't be used by a person in
activities that relate to the collection of overdue accounts. ARCA went on to
comment that 'given the breadth of the definition of credit eligibility information,
this could make it very difficult to collect on an overdue account'. ARCA recommended
definitions be included for the terms used in section 154.
The committee agrees that the addition of a definition of 'credit
manager' would assist with the understanding of section 154.
8.6 The committee recommends that a definition of the term 'credit manager'
Both the Office of the Australian Information Commissioner (OAIC) and
the Australian Privacy Foundation (APF) noted that although the Division sets
out rules for certain recipients, these recipients do not include debt
The APF stated that the 'use of credit reporting information by debt collectors
has been a major issue under Part IIIA and we submit that strict controls are
The OAIC also argued that the exclusion of debt collectors means that:
- the APPs will regulate the use and disclosure of that information
by debt collectors, other than small business operators. The APPs permit the
use and disclosure of information for secondary purposes in certain
- the use and disclosure of credit eligibility information by debt
collectors that are small business operators is unregulated. 
The OAIC went on to comment that disclosure of financial information to
third parties by debt collectors may have serious consequences for an
individual. Mr Timothy Pilgrim, OAIC, expanded on the OAIC's view:
...our concern is whether in fact the activities of debt
collectors will be sufficiently picked up. From our understanding, they may not
be in every circumstance. One example of that is that if they are not covered
in terms of the provisions for some of their activities, that is one aspect.
They may be covered for receiving some of the information but they may not be
covered for how they can use it for secondary purposes. The other issue we
raise relates to the small business exemption, which is that if they are a
small business operator then there may be no coverage of the information they
hold once they have received it, because the Australian privacy principles that
are proposed will not apply to them either.
The OAIC recommended that all debt collectors (regardless of size) should
be prohibited from using and disclosing credit eligibility information, other
than for the primary purpose for which it is collected. This would be
consistent with the obligations for other recipients in Division 4.
The Australian Law Reform Commission (ALRC) considered concerns in
relation to debt collection, particularly where debt collection is outsourced
from the original credit provider to debt collection businesses, which may also
be assignees of the debt. The ALRC noted that where debt collectors are not
assignees, under the current Privacy Act they can only access credit reporting
information through the credit provider. The ALRC saw no compelling reasons for
changes to the rules governing access to credit reporting information.
The Exposure Draft reflects this view with section 140 providing for the
disclosure of credit eligibility information to debt collectors. Subsection
140(2) prescribes the information about the individual that is permitted to be
disclosed including identification information, court proceeding information,
personal insolvency information and default information in certain
The committee considers that a provision regarding CP disclosures to debt
collectors is therefore not required as they do not have the same access to
credit information. However, the committee is concerned that there may be
inadequate protection of credit information that is provided to debt collectors
which are small business operators. As noted by the OAIC, small business
operators are currently not captured by the Privacy Act. The committee
therefore believes that further consideration is required to ensure that credit
eligibility information provided to debt collectors that are small business
operators is adequately protected.
8.13 The committee recommends that further consideration be given to the
regulation of credit eligibility information provided by credit providers to
debt collectors that are small business operators.
The Credit Reporting Exposure Draft provides for both civil and criminal
penalties. The penalties relating to offences by credit reporting agencies and
credit providers are contained in the relevant Divisions. Division 6 provides
for offences by entities. An offence is committed if an entity obtains credit
eligibility information from a credit reporting agency or a credit provider
which is not a permitted disclosure or the entity is not an access seeker; or
the entity obtains the information by false pretence. Division 7 regulates
contraventions of the civil penalties provisions. The following discussion also
incorporates comments relating to specific penalty provisions in various
sections of the legislation.
A civil penalty provision is defined in section 162 as a subsection of
the Act where the word 'civil penalty' and one or more amounts are set out in
penalty units following the subsection. The penalties for contravening a civil
penalty provision and the various forms of civil penalty orders are outlined in
The ALRC recommended that the Privacy Act be amended to 'allow
the Privacy Commissioner to seek a civil penalty in the Federal Court or
Federal Magistrates Court where there is a serious or repeated interference
with the privacy of an individual' (Recommendation 50–2). Part IIIA of the
current Privacy Act includes a number of credit reporting offences. The ALRC
recommended that these offences be removed so that a general 'civil penalties
regime' could be implemented (Recommendation 59–9).
The Government's response to the ALRC review accepted the recommendation
to have the credit reporting offences removed with the inclusion of a general
'civil penalties regime'. The Government stated that it 'agrees that civil
offences are more appropriate for the breach of any provisions in relation to
The imposition of civil penalties was supported with ARCA commenting
that it 'supported a strong regulatory environment, supported by a robust
compliance framework to ensure consumers receive the full benefits associated
with the introduction of more comprehensive credit reporting'.
We believe that there must be strong protections for
applicants and customers specifically in relation to the collection and
subsequent use of information relating to them. To that end, we support harsh penalties
for any organisation that breaches provisions related to marketing and misuse
of the available data.
The APF welcomed the introduction of civil penalties for breaches, as it
was of the view that they are a potentially more effective sanction and
deterrent than the current criminal penalties in Part IIIA.
However, the APF was concerned that the operation of the civil penalty
provisions 'rely entirely' on action by the OAIC. The APF stated that in the
past, the OAIC has not actively enforced the current credit reporting penalties
...whether the civil penalty regime will be effective depends
partly on the willingness of the Information Commissioner to exercise their
powers – experience since 1991 to date has been that the Privacy Commissioner
has not effectively enforced the credit reporting (or the more general) provisions
of the Act, and we submit that this must change. We invite the Committee to
seek assurances from the Information Commissioner that they will address the
many criticisms of complaint handling and enforcement under the Privacy Act – financial counselling NGOs can provide numerous examples of these failings in
relation to Part IIIA and the Credit Reporting Code.
The APF acknowledged that it is intended that the powers and functions
of the OAIC will be strengthened in the new Privacy Act and stated that it
hoped future Information Commissioners will be 'more proactive, and more
responsive to complaints, including representative complaints and evidence of
systemic failures by CRAs and CPs'.
The APF also stated that alternative routes to obtaining civil penalty
orders should be available for individuals to be able to directly apply to the
Federal Magistrates Court and/or to a recognised external dispute resolution (EDR)
The Consumer Credit Legal Centre (NSW) (CCLC) stated on the same matter:
The role of EDR and civil penalties and compensation should
be clarified. As most cases go to EDR, there needs to be a mechanism in place
for EDR to refer matters to the Information Commissioner for civil penalty
In addition, CCLC recommended that the legislation include a compensation
regime for affected consumers that can be awarded by EDR.
Ms Katherine Lane, CCLC, commented that there are already some provisions
for compensation in place and the Privacy Commissioner and the Financial
Ombudsman Service have made decisions on compensation in relation to credit
reports previously. Ms Lane went on to state:
I just think there needs to be a balance for consumers. I
think everybody keeps forgetting that this is our credit history and our credit
reports—us as people of Australia—and people are putting that stuff on our
credit reports; it needs to be accurate. If it is not, there needs to be a
penalty system or a compensation system to compensate you for what is really
serious—basically it is saying inaccurate things about you in public, and that
is accessible to certain people. In law we have lots of things that account for
that: we have libel and defamation and things like that. It is not OK to have
inaccuracies on credit reports, so there needs to be a balance...
I think we need to make sure that there is a system of
accountability—and this is also to drive accuracy. If there is no penalty for
being inaccurate and no compensation that is going to flow, what is the
motivation for accuracy? ...I think it is really important that this
legislation drive credit providers to be extremely careful and accurate in their
listings, and I think that is an outcome that can be achieved by making sure
that there is something to drive that compliance.
Experian raised the issue of the effects of the civil penalty provisions
on credit reporting agencies and the extent to which credit reporting agencies
are dependent on the actions of other industry participants, in particular,
credit providers. Experian stated that:
...if a credit provider (or other regulated entity) is
transacting with a CRA in a manner that is knowingly or recklessly in
contravention of the entity's own obligations under the Exposure Draft
provisions, this places the agency at risk of incurring penalties in relation
to inadvertent 'flow-on' contraventions.
Experian recommended that appropriate thresholds be placed around the
penalties imposed on credit reporting agencies, focussing on:
...whether the contravention was caused by the wrongful
actions of other third parties that are outside the control of the agency, or
whether the agency had in place reasonable and appropriately robust systems and
controls designed to minimise the occurrence of such contraventions.
Experian went on to comment that if civil penalties were imposed on the
agency due to either of these situations, unnecessary harm could be caused to the
agency's reputation and relationships with regulators. Experian recommended that
many of the civil penalty provisions applicable to credit reporting agencies
'should incorporate a prerequisite of fault or wrongdoing by the agency'; that
is, a requirement that contraventions have been committed knowingly or
recklessly, or that they have resulted from inadequacies in the agency's
systems, policies and procedures for ensuring compliance with the relevant
Veda Advantage and Dun & Bradstreet provided similar comments.
Specifically in relation to section 117 (false or misleading credit reporting
information), Veda commented that the penalties fail to 'reflect the fact that
in data sharing arrangements one does not always have control over the conduct
of others and their processes. These matters are, by their nature, internal to
each organisation. It is feasible for data supplied to be incorrect even though
the systems and processes that one has in place are world class'. Veda recommended
the inclusion of the defence of 'reasonable mistake of fact' as strict
liability offences are not appropriate for credit reporting legislation.
This is important because despite taking appropriate care, it
will always be possible that a record happens to be false in a material
particular, in circumstances where the credit reporting agency has no way of
The NAB and ARCA also commented on this matter, stating that the civil
penalty provisions do not consider the issue of intent.
The legislation 'could impose significant penalties on an otherwise compliant
institution based on the activities of a single rogue employee'.
ARCA supported the severity of the penalties but commented that as there are differing
levels of reporting, an 'incomplete' credit report within this context should
not result in it being deemed misleading, and this should be reflected in the
drafting of the provisions.
The ANZ Bank and Westpac also voiced concern that there is no element of
knowledge, intent or recklessness required for a credit reporting agency to
contravene the civil penalty provisions. Thus, a credit provider could contravene
the civil penalty provision simply by using information provided by a credit
reporting agency which the credit provider believes to be true. The credit
provider may only become aware of the false or misleading information until
after the victim starts receiving statements. Furthermore, the credit provider
is unable to verify the information without first disclosing it and therefore
contravene the civil penalty provision. Both the ANZ Bank and Westpac argued
that the penalty sections should be amended to include an element of knowledge,
intent or recklessness on the part of the credit reporting agency and credit provider.
In addition, ARCA noted the requirements of section 167 in relation to
multiple contraventions. ARCA stated that if an unintended breach occurred, for
example, a processing error, the penalty could be equal to the number of instances
of contravention, which could be huge. Similar to the argument from Experian
above, ARCA stated that where 'activities...are not wilful and deliberate
[they] should be approached with a lesser set of penalties, and that actions on
the part of a data sharer should be able to mitigate penalties in appropriate
circumstances'. ARCA noted that this is similar to provisions in the
In relation to the application of penalty units, Veda Advantage argued
that the Exposure Draft does not appear to provide a consistent approach
comparable to the nature of the conduct and seriousness or possible harm caused
by the relevant contravention. Veda explained:
For instance, a CRA that collected information falling
outside section 106 attracts a $1.1 million penalty. Similarly, a CRA that
adopted a Government number as a consumer identifier – a much more harmful
offence – would also attract a penalty of $1.1 million.
In addition, Veda commented that some of the significant civil penalties
relate to provisions where there is 'great complexity'. For example, a $550,000
penalty applies under subsection 113(4), a provision which requires two
separate assessments on 'reasonable grounds' by the credit reporting agency. Veda
also argued that subsection 164(5) does not provide a court with adequate
guidance on how to determine an appropriate penalty. Further, Veda stated that there
is no express provision in the legislation for account to be taken of any compliance
measures to prevent contraventions.
Experian recommended that the Australian Information Commissioner
prepare and publish guidelines on how the Office will pursue civil penalty
orders under Division 7 of the legislation.
Some provisions provide for both criminal and civil penalty: sections
117, 144, 160 and 161. The Australian Finance Conference (AFC) and APF
commented that it understood that the Government intended that criminal offence
provisions be removed in favour of civil penalty provisions and questioned why
provisions provided for a criminal offence.
Ms Helen Gordon, AFC, stated:
I understand the Law Reform Commission undertook consultation
in relation to [criminal offence provisions] and made a decision that criminal
offences probably were not appropriate in the credit reporting context because
it is not something familiar in the rest of the Privacy Act. I do not believe
there are criminal offences for breaching other provisions in the act. So I
understood it was a reflection of, again, modernising the law, looking at what
would be an appropriate way to control behaviour or misbehaviour, and they
certainly recommended against continuing criminal offence provisions in these
The reforms to the credit reporting legislation will provide access to
much greater amounts of personal information. Inaccurate information and the
inappropriate use of information may have consequences for consumers which can
range from minor inconvenience to significant detriment, for example, the inability
to access a mortgage for a home. The committee therefore agrees that
appropriate penalties are an important mechanism in ensuring the integrity of
the credit reporting system.
The committee notes that the ALRC considered that 'a civil penalty
regime is a more appropriate enforcement mechanism for breaches of credit
reporting regulation than the suite of criminal offences currently provided for
in the Act'.
Submitters pointed to the Government's agreement in relation to the ALRC's
recommendation regarding civil penalties but commented that the Exposure Draft still
contains some criminal offences. However, the committee notes that the National
Consumer Credit Protection Act 2009 (NCCP Act) contains both civil and
criminal penalties. The Minister, in the second reading speech for the National
Consumer Credit Protection Bill 2009, commented that the 'relevant provisions
are consistent with the Corporations Act 2001 and other Commonwealth
consumer protection laws' and that the NCCP Act provides for a tiered approach
to the sanctions regime.
The committee understands that the penalty provisions in the Exposure Draft
reflect those of the NCCP Act. The committee considers that, like the NCCP Act,
the tiered approach enables a targeting of the most appropriate sanctions.
Further, it is appropriate for the consistent application of penalty provisions
across all aspects of consumer credit regulation including criminal penalties,
when the offence suggests that this is warranted or the offence is analogous to
similar provisions in the Corporations Act. The committee therefore supports
the penalty provisions contained in the Exposure Draft.
In relation to the APF's suggestion that individuals should be able to
directly apply to the Federal Magistrates Court and/or to a recognised external
dispute resolution (EDR) scheme, the committee notes that, as a general rule in
Commonwealth law, there are strict limitations on who may apply for a civil
penalty order. For example, only the Regulator may apply for a civil penalty
order under the Renewable Energy (Electricity) Act 2000 and the AUSTRAC
Chief Executive Officer under the Anti-Money Laundering and
Counter-Terrorism Financing Act 2006. In addition, under the NCCP Act only
the Australian Security and Investment Commission may apply to a court for a
declaration that a person has contravened a civil penalty provision. As
outlined above, the provisions of the Exposure Draft are consistent with those
of the NCCP Act. The committee also notes that it is Commonwealth policy that
civil penalty proceedings be brought by the Commonwealth, or regulators or
officials authorised by the Commonwealth, rather than individuals. The
committee therefore does not support the AFP's suggestion of individuals
applying directly to the Federal Magistrates Court.
However, the committee is mindful that the effective regulation of
credit reporting will require efficient investigation of breaches and where
appropriate, the timely imposition of sanctions. The committee therefore considers
that the Office of the Australian Information Commissioner may require further
resources to enable it to conduct regular audits under the credit reporting
8.39 The committee recommends that consideration be given to provide increased
funding for the Office of the Australian Information Commissioner to
effectively and efficiently investigate breaches of the credit reporting
The CCLC suggested that the credit reporting regime include compensation
for consumers adversely affected by contraventions of the credit reporting
provisions. The committee notes that the NCCP Act provides for consumer
remedies in two ways:
- through a specific order for a compensation amount for loss and
damage (section 178); or
- through a general order to compensate loss or damage or prevent
or reduce the loss or damage suffered or is likely to suffer, through a broader
range of remedies (section 179).
The Explanatory Memorandum for the NCCP Bill stated that:
Consumer remedies are an important element of the enforcement
package as it enables consumers to take direct action against a licensee who
breaches the law and causes them loss or damage. These actions can provide
sufficient deterrent against breaches of the law. Private suits are considered
a useful way of influencing and curbing market behaviour.
8.42 The committee considers that consideration should be given to including
similar compensation provisions in the credit reporting system.
8.43 The committee recommends that consideration be given to the inclusion of
consumer remedies, similar to those that exist in the National Consumer Credit Protection
Act such as compensation, for consumers adversely affected by contraventions of
the credit reporting provisions.
Credit reporting agencies Experian and Veda Advantage commented on the
lack of a defence of 'reasonable mistake of fact' or lack of intent. However,
the committee notes that subsection 164(5) provides that in determining the
pecuniary penalty, the court must take into account all relevant matters,
nature and extent of the contravention; and
nature and extent of any loss or damage suffered because of the contravention;
circumstances in which the contravention took place; and
the entity has previously been found by a court in proceedings under this Act to
have engaged in any similar conduct.
The committee therefore considers that there is no requirement for the Exposure
Draft to be amended to provide for a defence of a 'reasonable mistake of fact'
or lack of intent.
Navigation: Previous Page | Contents | Next Page