CHAPTER 4

Regulation of credit reporting

4.1        Proposed new Part IIIA, which inserts the new credit reporting provisions into the Privacy Act 1988 (Privacy Act), is included in item 72 of Schedule 2 of the Bill. This chapter will examine some of the proposed credit reporting provisions referred to in submissions and evidence, including provisions that deal with:

Permitted disclosures by credit reporting bodies

4.2        Proposed new subsection 20E(1) of the Privacy Act prohibits a 'credit reporting body' which holds 'credit reporting information' about an individual from using or disclosing that information. The proposed section allows for some exceptions; however, the exceptions do not apply to 'credit reporting information' which is, or was, derived from 'repayment history information', unless the recipient of the information is a 'credit provider' who is the holder of an Australian Credit Licence under the National Consumer Credit Protection Act 2009 (Cth) (National Consumer Credit Protection Act).[1]

4.3        According to the Explanatory Memorandum (EM):

[I]t is considered appropriate that credit providers who cannot access repayment history information should not be able to indirectly obtain the benefit of that information through the possibility that credit reporting bodies could provide credit reporting information that incorporates repayment history information in another form.[2]

'Repayment history information'

4.4        Some submitters argued, however, that the restriction will adversely affect their businesses. For example, Diners Club International (Diners Club) noted that, under regulation 62(1) of the National Consumer Credit Protection Regulations 2010, four expressly named charge card providers (including Diners Club) are exempt from the licensing requirements of the National Consumer Credit Protection Act:

Diners Club would therefore be excluded from receiving or providing repayment history information either from or to a credit reporting agency; or from or to other credit providers, including its related bodies corporate. The current definition of the term "licensee" and its use in the revised Part IIIA means that Diners Club is at a competitive disadvantage against its major competitor in the charge card market, American Express Australia Limited (Amex Australia). As an issuer of credit cards and therefore a licensee, Amex Australia is able to obtain repayment history information about charge card applicants.[3]

4.5        Diners Club considered that it would be illogical to 'exclude charge card providers from the benefits of enhanced reporting' and suggested that charge card providers who are not licensees should have access to 'repayment history information'.[4]

4.6        The Communications Alliance recommended similarly that telecommunications providers, which are also not required to be licensed, should have the ability to opt into the regime:

This way they would be able to provide a lead indicator to other financial service providers and it would also give the [telecommunications providers] a better understanding of a customer's capacity to pay before finalising the sale products and services to them.[5]

4.7        The Insurance Council of Australia (ICA) expressed concern that lenders mortgage insurers (LMIs) are not able to access 'repayment history information' directly from 'credit reporting bodies':

As LMI providers take on the same risk as the lender, impeding their ability to assess this risk by denying direct access to the full range of credit information is likely to significantly affect the LMI providers' ability to actually provide LMI. This will impact on the availability and accessibility of borrowers (particularly first home buyers)...[D]irect access to all available credit information on a borrower is fundamental to the business model of a LMI provider.[6]

4.8        The ICA contrasted the proposed restriction in new subsection 20E(4) with its ability to obtain 'repayment history information via a lender without being subject to a responsible lending obligation'.[7] Its submission called for consistency, recommending that proposed new subsection 20E(4) should be amended to read:

(4) However, if the credit reporting information is, or was derived from, repayment history information about the individual, the credit reporting body must not disclose the information under paragraph (3)(a) or (f) unless the recipient of the information is a credit provider who is a licensee or a mortgage insurer.[8]

4.9        Min-it Software, the Consumer Credit Legal Service (WA) (CCLSWA) and the Consumer Credit Legal Centre (NSW) (CCLCNSW) opposed the inclusion of 'repayment history information' in the credit reporting provisions. CCLCNSW, for example, recommended that this information be removed from the Bill for a number of reasons, including:

It won't always lead to more responsible lending decisions.

It has the potential to entrench hardship.

Credit providers have alternative methods of accessing repayment history information, and there is no evidence to suggest that the absence of repayment history is causing significant problems in the market, therefore its inclusion is not justified from the privacy perspective.

It will lead to more risk-based pricing, which will entrench disadvantage.[9]

4.10      At the first public hearing, Ms Katherine Lane from the CCLCNSW explained further:

The main reason that the credit providers need this information is so that they can deal with managing risk and pricing risk, and that does not necessarily get a positive outcome for consumers. Pricing risk is about interest rates. I think the main outcome is going to be that you will have some little dots or marks on your report and then they will charge you extra interest...It is also an intrusion on [an individual's] privacy for something that is going to be to their detriment overall.[10]

4.11      Min-it Software argued that the inclusion of 'repayment history information' in the Bill conflicts with proposed Australian Privacy Principle 3 (Collection of solicited personal information):

[T]he reporting of such information to a credit reporting business is not a necessary function nor one reasonably necessary for the credit provider to perform its responsible lending or other credit activities. It is also not reasonably necessary, though it might be convenient from a commercial practice perspective, for another credit provider to see such history where that credit provider uses or is provided with a scoring mechanism supplied by the credit reporting business.[11]

More comprehensive credit reporting – general comments

4.12      'Repayment history information' is one of five new data sets being introduced into the credit reporting system as a move toward more comprehensive, or positive, credit reporting, as recommended by the Australian Law Reform Commission (ALRC).[12] The other four data sets are: the date on which a credit account was opened; the date on which a credit account was closed; the type of credit account opened; and the current limit of each open credit account.[13]

4.13      According to the Explanatory Memorandum (EM):

Comprehensive credit reporting will give credit providers access to additional personal information to assist them in establishing an individual's credit worthiness. The additional personal information will allow credit providers to make a more robust assessment of credit risk and assist credit providers to meet their responsible lending obligations. It is expected that this will lead to decreased levels of over-indebtedness and lower credit default rates. More comprehensive credit reporting is also expected to improve competition and efficiency in the credit market, which may result in reductions to the cost of credit for individuals.[14]

4.14      Some submitters and witnesses commented generally in relation to this reform. Veda, Dun & Bradstreet and Experian, among others, supported the introduction of positive credit reporting to facilitate risk assessment and compliance with responsible lending obligations.[15] Veda particularly noted the preliminary findings of its current Comprehensive Reporting Pilot Study[16] and, in evidence, Mr Steven Brown from Dun & Bradstreet argued that the Bill should go further:

[W]e support the model that has been put forward. It does provide much more balance...[H]owever,...we feel we have stopped a little short of the opportunity here—that is, somebody who has a default on their file yet is meeting payments to utility companies and telecommunications companies will not have that information recorded on their file or will not have the option to have that data recorded on their file by those organisations... There are scenarios today where individuals are not able to establish a track record of payment to a financial services provider but may well have those facilities being kept in good order. The ability to include that information on the credit file would indeed allow those individuals to have that good payment performance reflect on their file, notwithstanding that they may have one negative incident on their file. So that is really the issue of fairness that I am referring to, trying to get more balance into the system.[17]

4.15      However, some submitters – such as the CCLSWA and the Australian Privacy Foundation (Privacy Foundation) – contended that positive credit reporting will not advantage consumers. The CCLSWA, for example, rejected the argument that the inclusion of the five additional data sets in the credit reporting system will improve the system's efficiency, decrease over-indebtedness and open up competition:

On the contrary, studies have indicated that there is no correlation between positive credit reporting and reduced levels of indebtedness. Nor is there necessarily a correlation between positive reporting and responsible lending practices....It seems more likely that the reliance on repayment history information will lead to a rise in the number of consumers being unfairly refused credit where there are no adverse file listings, and their loan applications would otherwise be approved.[18]

4.16      The Privacy Foundation argued:

We welcome the imposition of responsible lending conditions for participation in the credit reporting provisions, which protects consumers against the more blatant irresponsible lending practices, but this does not mean that consumer vulnerabilities will not be exploited to provide credit which is not in the consumer's best interests.[19]

Departmental response

4.17      In response, the Attorney-General's Department (Department) referred to the Regulation Impact Statement (RIS) accompanying the Bill, which identifies the potential risks and benefits of including 'repayment history information' as a fifth data set in the credit reporting system. The RIS concludes, on balance, that 'repayment history information' should be included in the credit reporting system.[20]

4.18      The Department noted that the consumer protections recommended by the ALRC have been incorporated into the Bill:

The Department does not consider that any additional legislative measures in the Privacy Amendment Bill would resolve the disagreement between stakeholders on the possible implications of including repayment history information in the credit reporting system.[21]

Use or disclosure of credit reporting information by credit reporting bodies for the purposes of direct marketing

4.19      According to the EM:

Pre-screening is a direct marketing process by which direct marketing credit offers to individuals are screened against limited categories of credit information about those individuals to remove individuals from the direct marketing credit offer, based on criteria established by the credit provider making the offer, before the offers are sent. Generally, the process for pre-screening a direct marketing credit offer works as follows. The credit provider making the credit offer establishes the eligibility requirements for the direct marketing credit offer and provides the list of individuals about whom the pre-screening assessment will be made; the credit reporting body undertakes the pre-screening assessment and determines whether an individual is eligible consistent with those criteria; the credit reporting body discloses the pre-screening assessment to a mailing house which conducts the direct marketing consistent with the pre-screening assessment, and then the pre-screening assessment is destroyed by the credit reporting body and the mailing house.[22]

General prohibition

4.20      Proposed new subsection 20G(1) of the Privacy Act prohibits a 'credit reporting body' which holds 'credit reporting information' about an individual from using or disclosing the information for direct marketing purposes. The prohibition does not apply to the use by the 'credit reporting body' of 'credit information' about an individual for direct marketing purposes by, or on behalf of, a credit provider (pre‑screening), subject to certain conditions (proposed new subsection 20G(2) of the Privacy Act).

4.21      Some submitters supported the proposed prohibition, with a few submissions recommending amendments to enhance the operation of the provision.[23] The CCLCNSW, for example, submitted that the permitted use for pre-screening should be removed from the Bill:

[T]he use of credit reporting information to facilitate pre-screening is an unnecessary breach of privacy. It is abhorrent to use the credit reporting system for marketing...[D]irect marketing and pre-screening should be prohibited...[T]he utility of pre-screening should be reviewed in light of the recent amendments to the National Consumer Credit Protection Act on unsolicited offers of credit. The Act now specifically prohibits unsolicited offers of credit unless the consumer has opted in. It is our understanding that many consumers have not chosen to opt-in. In these circumstances, the need for pre-screening advocated by industry is now considerably less.[24]

4.22      In 2008, the ALRC recommended that the new Privacy (Credit Reporting Information) Regulations should prohibit the use or disclosure of 'credit reporting information' for direct marketing purposes, including the pre-screening of direct marketing lists.[25] However, the Australian Government responded:

...the use or disclosure of credit reporting information for the purposes of pre-screening should be expressly permitted, but only for the purpose of excluding adverse credit risks from marketing lists.[26]

Opt-out mechanism

4.23      Proposed new subsection 20G(5) provides an 'opt-out' mechanism, allowing an individual to request a 'credit reporting body' that holds 'credit information' about the individual not to use that information for pre-screening purposes. The Privacy Foundation questioned the practicality of this provision given the lack of a direct relationship between the individual and a 'credit reporting body' (CRB):

[I]t is unrealistic to rely on individuals 'finding' a CRB to opt-out – they must be given the opportunity via their direct relationship with a Credit Provider.[27]

4.24      The Law Council of Australia added that the Bill does not explain the consequences of an 'opt-out' request:

A more practical measure may be for a credit reporting agency (or perhaps all credit reporting agencies) to establish a separate database of pre‑screening opt-out individuals. All customer lists for which pre‑screening had been requested would initially be "washed" against this opt-out list and the opted-out persons removed from the prospects list, before any use was made of credit information referred to in clause 20G(2). It should be expressed in proposed section 20G that an opted out person would not receive the credit offer proposed to be offered to persons who are successfully screened.[28]

4.25      The Australian Bankers' Association (ABA) and the Australasian Retail Credit Association (ARCA) referred to one of the conditions giving rise to a permitted use: the information cannot be 'consumer credit liability information' or 'repayment history information' about an individual.[29] These submitters recommended that the condition be clarified to expressly cover both direct and indirect use of information in a pre-screening process. As highlighted in the ABA's submission:

Indirect use means using the new data sets as model inputs to derive an outcome. For example, a credit reporting agency may blend the data sets into a model to derive a credit propensity score that predicts a customer's likelihood to be receptive to an offer of credit. This predictor could then be used for pre-screening or direct marketing.[30]

Use or disclosure of credit reporting information that is de-identified

4.26      Proposed new subsection 20M(1) of the Privacy Act prohibits a 'credit reporting body' which holds de-identified 'credit reporting information' (de-identified information) from using or disclosing that information. The general prohibition does not apply if the use or disclosure is for the purposes of conducting research in relation to the assessment of the credit worthiness of individuals and the 'credit reporting body' complies with any rules made by the Australian Information Commissioner (Commissioner) (proposed new subsection 20M(2) of the Privacy Act).

4.27      The EM states that the purpose of regulating de-identified information is to clarify that such information can be used or disclosed in specific circumstances:

[I]nformation from the credit reporting system has in the past been used for the purpose of conducting research (including statistical modelling and data analysis) relating to the assessment or management of credit. This research, where it is in the public interest, should be expressly permitted. Conducting research with de-identified personal information enhances privacy protection and appears to be consistent with existing industry practices. In addition, research is not a primary purpose of the credit reporting system and it is not appropriate to allow credit reporting information that identifies individuals to be used for research purposes.[31]

4.28      The EM notes, however:

[T]here can be concerns about the effectiveness of methods used to de‑identify personal information and the risks of that information subsequently being linked again to individuals in a way that allows them to be identified.[32]

Suggestions to remove proposed new section 20M

4.29      Some submitters questioned the appropriateness of regulating de-identified information. These submitters argued that once 'credit reporting information' has been de‑identified, it is no longer personal information about an individual within the scope of the Privacy Act. These submitters suggested that proposed new section 20M of the Privacy Act should be removed from the Bill.[33] For example, ARCA recommended:

[T]he Government remove [proposed new section] 20M from the Bill entirely, and refer the question of the economic value of depersonalised data to the Productivity Commission for inquiry. Such an inquiry is likely to provide a range of reforms for the Government to consider in relation to the regulation of this important economic tool.[34]

4.30      Veda also objected strenuously to the regulation of de-identified data in the Privacy Act and supported retaining the purpose for which de-identified data may be used without prescribing rules (including those which might be made by the Commissioner).[35]

4.31      Submitters and witnesses from the finance and credit industries indicated that they could not understand the rationale behind proposed new section 20M of the Privacy Act. In detailed submissions, these stakeholders described the fundamental role of de-identified information in the information economy.[36] For example, Dun & Bradstreet, Experian and Veda jointly submitted:

The information economy revolves around research using de-personalised information. Before parliament decides to restrict one part of the information economy from using de-personalise[d] data, industry believes it appropriate to consider the value and role that research brings.[37]

4.32      In evidence, Professor Les McCrimmon distinguished credit-reporting information from the re-identification of health information for the purposes of research and statistical data sets:

[I]t is a live issue in relation to health research, because in health research there is often the master key and the need to re-identify to check the research and the research findings. That does not arise in a credit-reporting context and...there has not been an occasion in the 40 years that it has been operating for the requirement to re-identify.

...

To go back to basic principles, the Privacy Act is primarily concerned with protecting personal privacy, namely personal information, as part of implementing Australia's obligations under the International Covenant on Civil and Political Rights. When the information is no longer personal information, the work of the Privacy Act should end. To extend the work of the Privacy Act beyond personal information to de-identified information, which by definition is not personal information, has a couple of problems. One is that it puts an obligation on the Office of the Information Commissioner to come up with rules to regulate what in the past has never been regulated and, across privacy regimes in all [Organisation for Economic Co-operation and Development] countries, is not regulated for a good reason: it is not personal information; it does not impact on the human right—namely the protection of privacy. So that is the first problem.[38]

4.33      Professor McCrimmon did not consider the re-identification of data to be a problem in the credit reporting context;[39] nor did Ms Kim Jenkins from Experian, who argued:

There is no purpose behind re-identification in the credit industry. De‑identified information is for the purpose of scorecards, and that has to be done on a depersonalised, anonymous basis in order for the underlying statistical modelling to be valid and robust, and then there is no purpose in repersonalising that, because that scorecard goes into production. There is no benefit in relinking it to individuals.[40]

4.34      ARCA suggested that the better legislative approach would be to prohibit the re-identification of data,[41] a view with which the three main credit reporting agencies (to be renamed 'credit reporting bodies' by the Bill) agreed.[42] Veda suggested further that the Bill should appropriately penalise the re‑personalisation of data:

[I]t is prudent to recommend the inclusion in the legislation of substantial penalties for subsequent re-personalisation with substantial penalty provisions as apply elsewhere in the Bill.[43]

4.35      Professor McCrimmon agreed that 'the better policy way to deal with [this issue] is to penalise re-identification rather than put a blanket ban on the use of de‑identified data'.[44]

History of proposed new section 20M

4.36      In 2008, the ALRC examined the issue of the use and disclosure of 'credit reporting information' for secondary purposes (such as research). The ALRC concluded:

The new Privacy (Credit Reporting Information) Regulations should provide that a credit reporting agency or credit provider may use or disclose credit reporting information for a secondary purpose related to the assessment of an application for credit or the management of an existing credit account, where the individual concerned would reasonably expect such use or disclosure.[45]

4.37      The Australian Government did not accept this recommendation 'as it would allow credit reporting information to be used and disclosed for a number of unknown purposes'. The government acknowledged:

[A] key concern for both credit reporting agencies and credit providers in supporting recommendation 57-2 was that it would provide an ability to conduct research (including statistical modelling and data analysis) in relation to credit reporting information where it related to the assessment or management of credit and was for the benefit of the public.

[T]he Government will...allow for credit providers or credit reporting agencies to use and disclose de-identified credit reporting information for research purposes that are deemed to be in the public interest and have a sufficient connection to the credit reporting system. Research would also be required to be conducted in accordance with rules developed by the Privacy Commissioner.[46]

4.38      In 2010-2011, the Senate Finance and Public Administration Legislation Committee (F&PA committee) reported on the Exposure Drafts of the Bill, including the pre‑cursor to proposed new section 20M.[47] The F&PA committee noted, among other things, a suggestion from the Office of the Australian Information Commissioner (OAIC) that the provision did not permit the disclosure of de-identified information and was not clear in relation to whether the related rules to be issued by the OAIC must be in place before any research is permitted.[48] The F&PA committee recommended that these issues be addressed.[49] The Australian Government accepted and implemented the recommendations of the F&PA committee,[50] particularly in proposed new paragraph 20M(2)(b) of the Privacy Act to provide that a 'credit reporting body' must comply with rules made by the Commissioner under proposed new subsection 20M(3).[51]

Departmental response

4.39      In evidence to the current inquiry, an officer from the Department reiterated the government's view expressed in the EM regarding the potential re-identification of data, as well as the issue of 'what is discernible from the characteristics of the data that is de-identified that can lead one to identification'.[52] Further:

The credit reporting scheme is set up...on the basis that basically everything is prohibited and then there are a series of exceptions to say, 'This is how entities may deal with this type of data.' So the rules around the de-identified data is to say that we need to put some rules around this type of secondary use, which is to de-identify and then to do research with the data.[53]

4.40      In additional information provided to the committee, the Department clearly advised:

The purpose of clause 20M is to ensure that the Information Commissioner has the power to issue appropriate guidelines to deal with how an individual's personal financial information may be used for research.[54] 

Correction of personal information by credit reporting bodies and credit providers

4.41      Proposed new sections 20T and 21V of the Privacy Act respectively enable an individual to request a 'credit reporting body' or 'credit provider' to correct certain types of personal information about the individual.

4.42      The EM states:

Importantly, individuals are able to request the correction of their personal information that may not be held by the credit reporting body, requiring the credit reporting body to consult with the appropriate credit reporting body or credit provider. This imposes a specific obligation on bodies and credit providers to assist individuals to correct their personal information, no matter whom it is held by in the credit reporting system. This means that the credit reporting body or credit provider to which the individual first makes a correction request must deal with that request and assist the individual to have their personal information corrected.[55]

Third party application

4.43      Some submitters expressed concern with the potential need for an entity which receives a complaint to consult with another entity. For example, ARCA submitted:

[T]he Bill suggests that the first party contacted (the respondent) must undertake (presumably themselves) to notify 'everyone' who has received the disputed information, collate the necessary information to respond to the complaint, and then respond on behalf of all relevant parties. What seems to be a simple requirement under the Bill becomes complex because of the degree of prescription of how an operational process must work, rather than simple articulation of the outcome that it seeks to deliver.

To manage consumer complaints effectively, it is essential for relevant parties to manage and resolve the complaint wherever possible. However, the first point of contact may not always be best placed to manage a complaint. It may be more appropriate to refer the consumer to the most appropriate respondent.[56]

4.44      The OAIC was similarly concerned with how an individual is able to correct personal information not held by the party who is first contacted. The OAIC's submission emphasised the need for clear, appropriate and comprehensive correction and notification obligations:

[I]t is important that the Bill clearly sets out:

- the obligation on the entity that received the correction request to take reasonable steps to have the information corrected

- the obligation on the entity that holds the information to correct that information

- the obligation on the entity that received the correction request to notify the individual about the outcome of their correction request.

There is uncertainty as to whether the provisions in the Bill achieve this...The OAIC...recommends that the Bill be amended to ensure that the correction provisions are clear, and operate effectively.[57]

Breadth of request to correct

4.45      Other submitters focussed on specific issues, including: the types of personal information captured by the proposed provisions; the time allowed for the correction of personal information; and incorrect or unfair listings.

4.46      The types of personal information in respect of which an individual can request a correction are:

4.47      The ANZ Banking Group Limited (ANZ), for example, submitted that 'CRB derived information' and 'CP derived information' are assessments of an individual's credit worthiness. In its view, individuals should not be entitled to amend such an assessment.[58] The Australian Finance Conference (AFC) argued similarly that evaluative information generated by an APP entity in a commercially sensitive decision‑making process should not be correctable:

The omission potentially invites opening a credit provider to risk of fraud or customer manipulation of credit application data should the credit provider be obliged to reveal commercially sensitive components of its lending decisioning process.[59]

Time to correct and substantiation

4.48      Proposed new subsections 20T(2) and 21V(2) of the Privacy Act require a 'credit reporting body' or 'credit provider', if satisfied that the personal information is inaccurate, out‑of-date, incomplete, irrelevant or misleading, to take reasonable steps to correct the information within 30 days or a longer period agreed to in writing by an individual.

4.49      The Energy & Water Ombudsman NSW (EWON) described the 30‑day timeframe allowed for the correction of personal information as 'excessive':

If there is a valid reason for the delay, we suggest that the credit reporting agency makes an annotation to the file to note that a correction is pending.[60]

4.50      The Telecommunications Industry Ombudsman agreed that the timely removal of incorrect information is critical:

In our view, a period of 30 days to correct information on a credit file is too long when it may have the potential to compound difficulties experienced by consumers, particularly where they need to apply for finance and where incorrect information on their credit file is impeding them from doing so. The Telecommunications Consumer Protection (TCP) Code requires that where a telephone or internet company becomes aware that their customer has been default listed in error, they must inform the ['credit reporting body'] within one (1) working day.[61]

4.51      Conversely, the Australian Privacy Commissioner, Mr Timothy Pilgrim, told the committee that when listings are disputed 'it requires on a number of occasions a bit more time than [30 days] to be able to get the facts together to support whether there has been a default or not'.[62]

4.52      The Privacy Foundation contended that the 30‑day timeframe specified in proposed new subsection 20T(2) is 'weaker' than the ALRC Recommendation 59-8.[63] The ALRC's recommendation was for the new Privacy (Credit Reporting Information) Regulations to:

...provide that, within 30 days, evidence to substantiate disputed credit reporting information must be provided to the individual, or the matter referred to an external dispute resolution scheme recognised by the Privacy Commissioner. If these requirements are not met, the credit reporting agency must delete or correct the information on the request of the individual concerned.[64]

4.53      In relation to substantiation, CCLCNSW argued that it is essential for a 'credit provider' to be able to produce evidence verifying the accuracy of a listing:

The credit reporting system operates on an "honour basis", that is, credit providers are trusted and there are no checks on reported information. To balance this, consumers must be able to reasonably insist that this information be verified.[65]

4.54      Consistent with ALRC Recommendation 59-8, but with reference to the Privacy Act (and not the regulations), CCLCNSW recommended that proposed new section 20T should be amended to require a 'credit reporting body' to request evidence of a disputed listing from a 'credit provider' and, if not provided within 30 days of the request, the 'credit reporting body' must remove the disputed listing.[66]

Departmental response

4.55      In evidence, a departmental officer agreed that the Australian Government had accepted ALRC Recommendation 59-8, but explained that the way in which that recommendation has been implemented in the Bill is slightly different from the way in which the government response was framed:

Essentially, if there is a request to correct and that request is denied, the credit provider has to substantiate the reason for doing so, so they have to provide you with the evidence. There is no express provision saying that if they cannot substantiate they must change, because the general obligation to keep accurate records will apply anyway. So if they cannot provide an individual with the evidence to show why the listing is there then there is no evidence for the listing. Therefore the general obligation to keep accurate, up-to-date records would apply, and they should be updating their records.[67]

Concept of fairness

4.56      CCLCNSW submitted that another major problem for consumers is default listings, or repayment history listings, in circumstances where a reasonable person would consider the listing to be unfair:

There are a number of circumstances where the consumer is unable to pay because of matters arising that are completely out of their control. Some examples are:

1. Natural disasters

2. Bank error in processing a direct debit or Bpay

3. Fraud

4. Illness and hospitalisation

5. Mail theft

It is essential that consumers have access to a mechanism to challenge a listing on the grounds of fairness.[68]

4.57      The CCLCNSW recommended that proposed new section 21V should be amended to enable consumers to request correction of a listing on the grounds that it would be unfair and misleading in the circumstances for the listing to remain uncorrected.[69]

Departmental response

4.58      In evidence, a representative from the Department emphasised that the inability to contact an individual can give rise to 'serious credit infringements', but was not certain that this was likely to happen in the circumstances described by the CCLCNSW (due to the enhanced contact requirement).[70]

4.59      In any event:

The Department is not able to express a view on whether a credit provider should list a serious credit infringement in circumstances where an individual has suffered the consequences of a natural disaster. However, the Department notes that the definition of serious credit infringement requires the credit provider to be satisfied that a reasonable person would consider the individual's act (for example, of missing one or more payments because of a natural disaster) indicates an intention to no longer comply with the individual's obligations.[71]

External dispute resolution schemes

4.60      Proposed new section 21W of the Privacy Act requires a 'credit provider' to give an individual written notice, within a reasonable period, of the outcome of their request for the correction of personal information under proposed new section 21V. In particular, if the personal information has not been corrected, the written notice must state that the correction has not been made; set out the reasons for the 'credit provider' not correcting the information (including evidence substantiating the correctness of the information); and:

(c) state that, if the individual is not satisfied with the response to the request, the individual may:

(i) access a recognised external dispute resolution scheme of which the provider is a member; or

(ii) make a complaint to the Commissioner under Part V.

4.61      Proposed new section 21W is one example of a provision in the Bill which enables an individual to progress an unresolved dispute through either a recognised external dispute resolution (EDR) scheme or the Commissioner. The proposed complaints provisions – such as proposed new paragraph 23B(4)(b) – contain a similar mechanism.

4.62      Min-it Software expressed concern with these provisions which, it argued, considerably enhance the existing EDR providers' involvement in privacy complaints:

We do not believe that it is appropriate to give the two private companies (which are not statutory authorities) engaged in providing EDR for credit even greater power than they currently have, particularly at the expense of direct contact with the Privacy Commission[er].[72]

4.63      In relation to the recognition of EDR schemes for the purposes of the Privacy Act, Mr Pilgrim advised that he has not yet made any assessments but will begin to consider the matter once the Bill has been enacted.[73] However:

[T]here is a range of criteria that I would need to take into account before approving a scheme to operate as an EDR scheme under the [A]ct. A number of those areas go into some fairly obvious ones, but one of them is the independence of the scheme and its ability to operate independently. I would have to be satisfied before approving an EDR scheme to participate that it met that criterion.[74]

4.64      One other concern – expressed in the Energy & Water Ombudsman NSW's (EWON) submission regarding proposed new sub-paragraph 21W(3)(c)(i) – was that the EDR provisions could inadvertently result in customer referral to the wrong EDR scheme for a particular issue:

For example, a customer may contact their financial institution to dispute their credit listing and the credit listing may be for an old energy debt. If after investigation the financial institution is unable to assist the customer[,] 21W(3)(c)(i) suggests that they must be referred to the 'external dispute resolution scheme of which the provider is a member', so the referral would be to the Financial Ombudsman Service, of which the provider is a member. However, as the customer is disputing a listing related to an energy debt the most appropriate external dispute resolution scheme would be EWON.[75]

Complaints procedures

4.65      Division 5 of new Part IIIA of the Privacy Act sets out provisions in relation to complaints. Proposed new section 23A gives individuals the right to complain to 'credit reporting bodies' or 'credit providers' about acts or practices that might be a breach of the credit reporting provisions or the registered credit reporting code (to be created by Schedule 3 of the Bill).

4.66      Proposed new section 23B sets out how 'credit reporting bodies' and 'credit providers' are to deal with those complaints. For example, proposed new subsection 23B(1) provides that the respondent to a complaint:

(a) must, within 7 days after the complaint is made, give the individual a written notice that:

(i) acknowledges the making of the complaint; and

(ii) sets out how the respondent will deal with the complaint; and

(b) must investigate the complaint.

Notification provisions

4.67      Several submissions addressed proposed new section 23B of the Privacy Act, with some questioning the notification requirements in proposed new paragraph 23B(1)(a). For example, the Australasian Retail Credit Association submitted that the majority of complaints are resolved within 48 hours and compliance with that provision would be 'unnecessary, wasteful and irritating for the consumer'. Further:

[I]t should be acceptable for other methods of communication to be allowed on the basis that a formal record is retained, such as a file note made in a customer relationship/complaints management system, or tape recording of voice communications.[76]

4.68      The Communications Alliance agreed with the need for a less prescriptive form of communication, submitting that most telecommunications customers prefer to deal with their telecommunications providers via telephone or email, and increasingly via social media – such as on Twitter or Facebook.[77] Optus commented similarly:

[W]e are concerned that the prescriptive complaint handling requirements set out in the Bill (such as the requirement for written acknowledgement of complaints and then written confirmation of the outcomes of complaints) are very rigid and reflect an out-dated method of interacting with customers. Such restrictive practices do not take into account the multitude of ways in which customers are able to contact their providers in the digital environment.[78]

Third party issues

4.69      Some submitters were also concerned by proposed new subsection 23B(2), which will require the respondent to the complaint to consult another 'credit reporting body' or 'credit provider' about the complaint, if the respondent considers that consultation to be necessary. As with the correction of personal information, third party issues concerned some submitters – for example, the Financial Ombudsman Service (FOS), the Consumer Action Law Centre (CALC), and ARCA.

4.70      The FOS considered that the regime will prove impractical as many complaints will relate to a financial services provider ('Bank A') holding incorrect personal information which it may have obtained from another body (for example, 'Energy Provider B'):

Bank A enquires as to the accuracy of that information from Energy Provider B and is told that the information is correct. The complainant is unhappy with the response and takes the matter to Bank A's EDR scheme. Energy Provider B is not a member of that EDR Scheme. In those circumstances the EDR Scheme will not be able to properly investigate the dispute as it will be unable to access the relevant information which is held by Energy Provider B, and by its member Bank A. All Bank A's EDR scheme will be able to do is consider if Bank A has followed an appropriate process in dealing with the request, but it will not be able to solve the consumer's main problem, which is correcting any wrong information at its source.[79]

4.71      For this reason, FOS, EWON and the Telecommunications Industry Ombudsman supported redrafting proposed new section 23B to allow a consumer to be referred to the appropriate EDR scheme by the first respondent to the complaint.[80]

4.72      ARCA submitted that the complaints‑handling processes in the Bill:

...will require a complex system to be developed between the multitude of Credit Providers and CRBs who use the credit reporting system to manage the finalisation of consumer complaints. Such a system would increase the risk of inadvertent disclosure, remove the ability of the consumer to deal directly with the cause of the complaint, and is against industry practice and good business practice regarding customer service.[81]

4.73      ARCA's Chief Executive Officer, Mr Damian Paull, noted further:

The complexity of the proposed arrangements will inevitably lead to delay and unnecessary escalation to alternative dispute arrangements, creating further financial burden on credit providers through EDR scheme fees; increased resourcing requirements for the OAIC, the regulator; and, most importantly, delayed consumer outcomes.[82]

4.74      ARCA and Experian recommended that the Bill should allow the respondent to the complaint to be able to refer a consumer to the entity which is most able to resolve the complaint, backed by oversight from the regulator.[83]

4.75      The Consumer Action Law Centre (CALC) supported proposed new section 23B of the Privacy Act:

[I]t aims to prevent credit providers and credit reporting agencies buck-passing complaints between themselves (which has been a big problem to date) and limits the risk of consumers dropping out of the complaints process because they do not know where to complain.[84]

4.76      Despite this, the CALC considered that the provision might be too broad and could capture third parties who are reluctant to assist in the resolution of a complaint:

[T]he obligation to resolve a complaint should lie with the first party to be contacted by the consumer which is actually involved in the subject of the complaint. This would usually be the relevant credit reporting agency, or the credit provider which made the listing. However, to ensure that consumers don't 'fall through the cracks', a credit provider or credit reporting agency which did not have any role in the subject of the complaint, should have an obligation to advise the consumer of the parties which could deal with the dispute.[85]

4.77      In evidence, a departmental officer told the committee that the corrections and complaints processes have been re-designed to make them simpler:

In the correction process, the approach taken is that, if a person requests a correction, they make the request once to a credit provider or a credit reporting body, and they have the obligation of consulting with other industry members to resolve the issue. So you are not bounced around... That is the intention in relation to the correction process. The recipient of a complaint can refuse the complaint if it is not about them...If I am making a complaint—if I say to them, 'You've disclosed information in the wrong way'—then that is about their act or practice in relation to the information, so I have to complain to the right person who did the wrong thing, essentially. So they can transfer my complaint to someone else but they cannot transfer my correction request.[86]

Industry regimes

4.78      Submitters were also concerned with jurisdictional issues raised by proposed new section 23B of the Privacy Act. The Communications Alliance, for example, submitted that the Bill does not recognise long-established credit-related regulations in several industries,[87] including: the Communications Alliance Telecommunications Consumer Protections Industry Code and Telecommunications Industry Ombudsman Scheme (in relation to the communications industry);[88] Regulatory Guide 165: Licensing: Internal and external dispute resolution (RG 165) (in relation to licensees under the National Consumer Credit Protection Act);[89] and AS ISO 10002-2006.[90]

4.79      The Communications Alliance argued that the Bill imposes new obligations, which conflict with standard practices in those industries, potentially leading to consumer confusion and inconsistent approaches.[91] One such conflict, noted in submissions from ARCA and ANZ, arises from the prescriptive timeframes in proposed new subsections 23B(4) and 23B(5) of the Privacy Act.

4.80      Proposed new subsections 23B(4) and 23B(5) of the Privacy Act require the respondent to a complaint, after investigation and within 30 days, to make a decision about the complaint and give the individual who made the complaint written notice of the respondent's decision.

4.81      ANZ submitted:

For a licensed credit provider, a complaint under section 23A is likely to also be a complaint for the purposes of RG 165. It will be difficult for licensed credit providers to comply with both sets of requirements. For example, subsection 23B(5) provides for a maximum timeframe of 30 days for resolution, or longer if the complainant agrees in writing. RG 165.94 provides for a maximum timeframe of 45 days with no possibility of extension.[92]

4.82      ARCA made the following suggestion:

AS ISO 10002-2006 is widely recognised as best practice for managing consumer complaints, and it is widely applied across sectors and scalable to suit a range of organisations in Australia. ARCA strongly recommends aligning the timeframes in the Bill with existing obligations for complaints handling and sees no tangible benefit for the misalignment.[93]

4.83      More generally, a few submitters suggested ways in which the existing industry regulations could be accommodated within the Bill. The Australian Finance Conference, for example, recommended:

...an approach in the provisions dealing with complaint handling that provides an option of alternate compliance to the procedure outlined in the Bill, to compliance with an equivalent standard recognised by the Information Commissioner. This would then facilitate a seamless compliance process for consumer credit providers that, as part of their licensing obligations, were required to implement complaint-handling processes set down by ASIC (eg in its Regulatory Guide 165). A similar approach could also be adopted for broader participants in the industry that are credit providers for the purposes of Part IIIA including the telecommunications industry.[94]

4.84      The Privacy Foundation and the Communications Alliance called for further consideration of the status of existing complaints-handling regulatory regimes under the Bill,[95] with the Communications Alliance making the following suggestion:

[T]he complaint handling obligations for credit providers [should] be removed from the Bill and instead be dealt with via the industry Credit Reporting Code which is to be developed, to allow different industries to manage such complaints within their existing regulatory frameworks.[96]

4.85        Optus, and others, remarked also on the creation of dual complaint-handling processes:

Whilst we support the consistency of approach that the Bill is attempting to achieve, its unintended consequence is the creation of inconsistencies in other areas. For all regulated industries, this will institute dual complaint handling processes – one to be followed for credit complaints and another process for all other types of complaints. Given the telecommunications industry already has comprehensive and detailed complaint handling requirements...imposing new and different obligations just for credit complaints will create an administrative burden for telecommunications providers, and confusion for telecommunications customers, who should be able to have a consistent experience with their telecommunications provider regardless of the nature of their complaint.[97]

Departmental response

4.86      The Department advised the committee that it is the government's position that there should be 'a single corrections and complaints process for personal information in the credit reporting system, rather than different processes depending on the industry'.[98] In answer to a question on notice, the Department emphasised the targeted scope and application of the proposed regulatory regime:

It is only when [a] correction request relates to personal information in the credit reporting system that the corrections request procedures in the Bill would apply. Similarly, the complaint provisions set out in Division 5 of Part IIIA in the Bill only apply where [a] complaint relates to an act or practice that breaches the Privacy Act.[99] 

4.87      The Department acknowledged that industry codes may also deal with other credit-related matters – for example, notification processes for consumer credit defaults or serious credit infringements. In such circumstances:

The Government has imposed specific obligations in relation to these matters and expects that industry codes would be consistent with these obligations.[100]

Commencement of the credit reporting provisions

4.88      Schedule 2 of the Bill will commence nine months after receiving Royal Assent.[101] Some stakeholders did not regard nine months as sufficient lead time for industry to implement the necessary changes.

4.89      A few submitters noted that passage of the Bill is only the first step in a lengthy process to reform the legislative framework for privacy laws in Australia.[102] These submitters contended that the regulations and the industry-developed credit reporting code will need to be finalised before stakeholders can commit resources to implementation.[103] ARCA, for example, submitted:

While some organisations are well advanced in their preparation to these reforms, others have noted that they have been unable to design and build the solutions, as they have not known the final shape of the reforms and the impact on their business. Limited available skills, combined with complex business processes, and highly regulated and defined scheduled opportunities to make institution-wide technology changes means that many ARCA Members may find it extremely difficult to implement the required system, training, documentation, and process changes in the proposed timeframe.

The reality of the process attached to the reforms to credit reporting means that there is very little time available for industry to see the final legislative and regulatory detail before the regime is due to start. Given that credit reporting is an integral part of the way more than $1.1 trillion dollars of consumer credit is granted and managed in Australia, it is critical that adequate time be provided to undertake this reform in a controlled and structured manner.[104]

4.90      Abacus-Australian Mutuals (AAM), the Australian Bankers' Association (ABA) and the Australian Finance Conference (AFC) suggested timeframes that, in their view, would be adequate lead time for industry:

4.91      However, the AFC submitted:

Rather than adopt a fixed date or date tied to date of assent, the AFC recommends an approach that enables a commencement date to be determined by the Minister (akin to the process adopted for the Personal Property Securities Reform) may be the best means of balancing the imperatives for early enactment against inadequate lead-times for implementation.[108]

4.92      ARCA considered that the various components of the reform should commence at the same time and proposed a four-step commencement process, which, it argued, would provide certainty and a practical amount of time to finalise the reform and adequately prepare for compliance. ARCA's suggested process was:

4.93      ARCA anticipated that the regulations would be finalised 'in early 2013 at the earliest' and that the industry-developed credit reporting code (which cannot be completed until after finalisation of the Bill and the regulations) would be presented to the regulator in mid-2013.[110] Officers from the Department confirmed to the committee that draft regulations were released for public comment on 17 August 2012, with submissions due to close on 28 September 2012.[111]

4.94      The CCLCNSW recommended that the Bill should not be passed until the regulations and the credit reporting code have been drafted and considered:

[R]eviewing just one part of the regulatory framework will mean that it is inevitable there will be matters not covered due to oversight or an expectation that the matter will be covered in another part of the regulation. A particular risk is an expectation that a range of matters will be covered by the Credit Reporting Code of Conduct when this may not be appropriate or even reasonable.[112]

Departmental response

4.95      The Department informed the committee that the standard three-month period between Royal Assent and commencement of the Bill was previously extended (to the current nine-month commencement date) in line with advice received from the OAIC, and to allow sufficient time to register the credit reporting code. In addition:

[T]he commencement period should provide...certainty by setting out a defined time in the legislation for commencement, and should see all elements of the Privacy Amendment Bill commence at the same time (that is, no staged implementation).[113]

4.96      Further:

The Department does not consider that commencement should be at the discretion of the Attorney-General, nor does the Department consider that commencement should be contingent on the registration of the [credit reporting] Code as this does not ensure certainty. The Department will be considering stakeholder views on extending the current proposed [nine] month commencement period in proposing options for the Attorney-General's consideration.[114]
