CHAPTER 6
Committee views and recommendations
6.1
This inquiry was one of several reviews into Australia's privacy
legislation which have taken place over the past seven years. In particular,
the committee notes the extensive review conducted by the Australian Law Reform
Commission (ALRC), which reported in August 2008, and to which the Australian
Government partially responded in October 2009.
6.2
The Bill gives effect to that response, and the committee understands that
a further response will be considered in separate legislation after the Bill's
passage and implementation. The second stage response will relate primarily to
health services and research provisions, as well as the ALRC recommendations
not addressed in the government's first stage response.[1]
6.3
According to the Attorney-General, the Bill aims to bring Australia's
privacy protection framework into the modern era.[2]
The committee commends such a reform, noting that Australia's privacy laws have
not kept pace with the considerable social changes that have occurred since the
Privacy Act was first enacted over 20 years ago.[3]
6.4
The reforms introduced in the Bill cover 197 of the 295 policy
recommendations made by the ALRC and focus on four key objectives.[4]
In this report, the committee has focussed on three key areas:
- the creation of the Australian Privacy Principles (APPs);
- the introduction of more comprehensive credit reporting; and
- the proposed clarification and enhancement of the functions and
powers of the Australian Information Commissioner (Commissioner).
6.5
The committee notes that many issues in relation to these proposed amendments
have previously been considered by both the ALRC and the Senate Finance
and Public Administration Legislation Committee (F&PA committee) in its
comprehensive examination of Exposure Drafts of the Bill in 2010-2011.[5]
The committee acknowledges that certain issues continue to concern
stakeholders but, in instances where the Australian Government has made and
communicated clear policy decisions, the committee will not be revisiting those
concerns in recommendations in this report.
Australian Privacy Principles
6.6
The creation of the APPs represents an important milestone in the reform
of Australia's privacy laws. The committee welcomes the creation of a single
set of privacy principles applicable to both Commonwealth agencies and private
sector organisations (item 82 of Schedule 1 of the Bill).
6.7
Throughout the inquiry, stakeholders commented on both the APPs and
their supporting provisions in Schedule 1 of the Bill. Based on the evidence
received, the committee considers that individual privacy protections could be
enhanced with some further legislative amendments in relation to key
definitions and specific aspects of APP 2, APP 7 and APP 8.
Complexity of the APPs
6.8
The committee notes that, in 2011, the F&PA committee recommended
that the draft APPs should be reconsidered with a view to improving their clarity
and avoiding repetition.[6]
In the current inquiry, the Attorney-General's Department (Department)
confirmed that the APPs have been restructured to reduce length and repetition,
particularly through the use of a table in proposed new section 16A (item 82
of Schedule 1).[7]
6.9
The committee notes that there remain concerns regarding the complexity
of the APPs[8]
but accepts the Department's view that ALRC Recommendation 5-2, which called
for the Privacy Act to be redrafted to achieve greater logical consistency,
simplicity and clarity, has been implemented effectively.[9]
The Department advised the committee that it considers that the drafting style
adopted in the Bill reflects current best drafting practice.[10]
6.10
Nonetheless, the committee considers that the introduction of the APPs must
be complemented by educational resources and guidance material for individuals,
government agencies and private sector organisations. A number of targeted
recommendations in relation to education and guidance on specific APPs were made
by the F&PA committee during the course of its inquiry, and those
recommendations were endorsed by the Australian Government. However, the
need for public awareness and education campaigns on the APPs generally, as
well as APP-related guidance material for agencies and organisations, does not
appear to have been considered in the F&PA committee's recommendations.
Australian Privacy Principle 2
6.11
The committee supports the introduction of APP 2, which gives an
individual the right not to identify him or herself, or to use a pseudonym,
when dealing with an APP entity in relation to a particular matter. The
committee notes that this right is not absolute, including where it is
'impracticable' for an APP entity to deal with individuals who have not
identified themselves (APP 2.2(b)).
6.12
Facebook, Google, IAB and Yahoo!7 suggested that the EM to the Bill
should provide examples of impracticability, and that APP 2.2(b) should be
extended to include individuals who have used a pseudonym.[11]
The committee notes that the Australian Government is 'considering options to
enhance clarity around the application of this exception'.[12]
In that circumstance, the committee suggests that the government give
consideration to amending APP 2.2(b) to refer to 'individuals who have not
identified themselves or who have used a pseudonym'.
Recommendation 1
6.13
The committee recommends that the application of the exception in
proposed APP 2.2(b) in item 104 of Schedule 1 be clarified to make it clear
that APP 2.1 does not apply where it is impracticable for the APP entity to
deal with 'individuals who have not identified themselves or who have used a
pseudonym'.
Australian Privacy Principle 3
6.14
APP 3 prohibits an APP entity from collecting personal information
(other than sensitive information) unless the information is 'reasonably
necessary' for one or more of the entity's functions or activities. In the case
of an agency, the information can also be 'directly related to' one or more of
the entity's functions or activities.
6.15
The committee acknowledges the concerns of some stakeholders regarding
the breadth of APP 3, and notes that the two components which are the cause of
concern are the terms 'reasonably necessary' and 'directly related to'.
6.16
In response to the F&PA committee's 2010-2011 inquiry, the
Australian Government stated its support for the use of the 'reasonably
necessary' test in APP 3 on the grounds that this objective element 'is
intended to reduce instances of inappropriate collection of personal
information'.[13]
The Department confirmed this policy position in evidence to the current
inquiry.[14]
6.17
In relation to the 'directly related to' test in APP 3, the Australian
Government accepted the F&PA committee's recommendation to limit this test
to Commonwealth agencies only.[15]
Submitters – such as the Law Council of Australia and the NSW Privacy
Commissioner – argued that all APP entities, including private sector
organisations, should be subject to the same obligations regarding the
collection of personal information,[16]
and that the 'directly related to' test for Commonwealth agencies should be
removed from the Bill.
6.18
The government has previously considered the application of the
'directly related to' test. The committee accepts the Department's position
that this test imports a defined element for Commonwealth agencies which are
required to collect personal information to effectively carry out specific
functions and activities, but which might not meet an objective 'reasonably
necessary' test. In this context, Commonwealth agencies are also subject to
stricter oversight and accountability mechanisms through the parliament, the
executive and the Commonwealth Ombudsman.[17]
6.19
The committee also received evidence from some stakeholders regarding
the current definition of 'consent' in subsection 6(1) of the Privacy Act and its
application to APP 3.3. In 2008, the ALRC considered that the application of
this term to the privacy principles should be guided by the Commissioner.[18]
The Australian Government accepted this recommendation[19]
and, in 2011, the F&PA committee supported its expeditious implementation.[20]
The committee considers that the matter now rests with the Commissioner but
notes that, in some instances, there may be strong arguments in favour of
specific requirements for express consent – for example, in the collection of
'sensitive information'.[21]
Australian Privacy Principle 5
6.20
The committee supports the inclusion of a notification requirement in
the APPs in relation to the collection of personal information. As noted by the
Office of the Victorian Privacy Commissioner, APP 5 promotes transparency and
ensures individuals are aware of their rights in relation to the collection of
personal information by an APP entity.[22]
6.21
The committee notes stakeholders' concerns regarding the practical
operation of the notification requirement in APP 5.1, and considers that the educational
resources and guidance material to be developed and published by the
Commissioner should help to address these concerns. In this context, the committee
also observes that implementation issues are a particular matter for the APP
codes and credit reporting codes to be developed in accordance with Schedule 3
of the Bill at a later time.
Australian Privacy Principle 6
6.22
APP 6 deals with the use or disclosure of personal information. The OAIC
did not consider APP 6.3 to be a necessary provision.[23]
APP 6.3 allows non-law enforcement agencies to disclose biometric information
or biometric templates to 'enforcement bodies', subject to rules made by the
Commissioner.
6.23
The Department advised the committee:
The policy intention of APP 6.3 is to enable non-law
enforcement agencies to disclose biometric information and templates for a
secondary purpose to enforcement bodies where an APP 6 exception, including the
enforcement related activity exception, is not applicable. This may occur where
the disclosure is for purposes such as identity/nationality verification or
general traveller risk assessment, in circumstances where there is a legitimate
basis for the disclosure but no criminal enforcement action is on foot...The
policy rationale in APP 6.3 recognises that non-law enforcement agencies have
current, and will have future, legitimate reasons to disclose biometric
information and templates to enforcement bodies, but that this should occur
within a framework that protects against improper disclosure.[24]
6.24
The committee accepts this position. In particular, the committee notes
that the disclosure will be subject to oversight by the Commissioner and
additional safeguards throughout the Privacy Act (due to the classification of biometric
information and biometric templates as 'sensitive information').[25]
The committee considers that these safeguards will curb any potential abuse of
the provision.
Australian Privacy Principle 7
6.25
The committee notes that APP 7, dealing with direct marketing, has been
significantly revised to improve its structure and clarity following a
recommendation from the F&PA committee.[26]
The committee agrees that the provision is much improved, and is consistent
with the drafting style used in respect of other APPs which prohibit and
then allow certain activities. The committee understands that this is a common approach:
[C]asting the principle as a 'prohibition' against certain
activity followed by exceptions is a drafting approach used in principles-based
privacy regulation to clearly identify the information-handling activity that
breaches privacy, followed by any exceptions to this general rule that would
permit an entity to undertake the activity.[27]
6.26
The committee accepts this rationale, but acknowledges the concerns
raised by the Australian Direct Marketing Association, and others, regarding
the heading to APP 7.1 ('Prohibition on direct marketing').[28]
The committee does not perceive any particular justification for this heading,
which is unique among the APPs. The committee agrees with stakeholders that it
is likely to cause considerable confusion.
Recommendation 2
6.27
The committee recommends that, to avoid confusion, the subheading to proposed
APP 7.1 in item 104 of Schedule 1 of the Bill be amended to read 'Use or disclosure'
or 'Direct marketing', rather than 'Prohibition on direct marketing'.
6.28
In 2010-2011, the F&PA committee recommended that consideration be
given to restructuring the exceptions to the general prohibition on direct
marketing contained in APP 7.1.[29]
The committee notes that these provisions – APP 7.2 and APP 7.3 – have not
been substantively amended. In the current inquiry, the issue of most concern
to stakeholders was the opt-out notification requirement in APP 7.3(d).
6.29
The committee heard stakeholders' concerns regarding the clarity and
implementation of the requirement, particularly in relation to social media
technologies. However, the committee is persuaded that the requirement is
flexible and feasible, while requiring organisations to adapt to new direct
marketing rules which enhance the privacy protections of consumers.[30]
6.30
The Australian Privacy Foundation argued that the opt-out mechanisms in
APP 7.2 and APP 7.6 could be strengthened with the inclusion of similar
notification requirements.[31]
The committee notes that the distinction between these two provisions and APP
7.3 is the element of reasonable expectation: APP 7.2 provides for situations
where an individual would reasonably expect a private sector organisation to
use or disclose personal information for direct marketing purposes (APP 7.2(b)),
whereas APP 7.3 applies to situations where there is no such expectation. The
committee agrees, however, that regardless of expectation, individuals might
wish to opt out of direct marketing communications at any time.
Recommendation 3
6.31
The committee recommends that proposed APP 7.2 and APP 7.6 in item 104
of Schedule 1 of the Bill be amended to ensure consistency with the
notification requirement in APP 7.3, and enable individuals the opportunity to
opt-out of direct marketing communications at any time.
Australian Privacy Principle 8
6.32
The committee received considerable evidence in relation to the
cross-border disclosure of personal information, and recognises that this is a particularly
complex legal and policy issue. The complexity arises from the creation of two
regimes within the Bill,[32]
conflict of laws issues and the competing interests of various stakeholders. In
this regard, a balance must be struck between protecting the privacy of
individuals and facilitating the free flow of information across national borders.
6.33
In general, most stakeholders supported the intent of APP 8 but
expressed concerns regarding the accountability mechanism in proposed new
section 16C of the Privacy Act. The committee notes concerns that an APP entity
could be held liable for privacy breaches committed by an 'overseas recipient'
even though the entity has taken all reasonable steps to prevent that breach.[33]
6.34
In evidence, departmental officers acknowledged the difficulties which
could arise in a conflict of laws situation and for which there is no current
solution.[34]
In relation to inadvertent breaches – caused, for example, by hacking, fraud or
an 'overseas recipient's' recklessness or negligence – the Department
emphasised the need for privacy protection and for individuals to have a means of
redress.[35]
The committee accepts this position, noting that the circumstances of each case
can be considered by the Commissioner investigating a complaint under Part V of
the Privacy Act.
6.35
The committee also notes the Australian Government's stated policy
position:
The exceptions in APP 8.2 have been carefully considered and
the Government considers that they are justified. The Government considers that
these exceptions provide appropriate and reasonable grounds for the transfer of
accountability to an overseas recipient. In all other situations, the
Australian entity should continue to remain accountable for the protection of
personal information.[36]
6.36
APP 8.2(b) provides an exception to APP 8.1 where an APP entity expressly
informs an individual that consent to the disclosure of the information renders
APP 8.1 inapplicable, and the individual then gives an informed consent to
the cross‑border disclosure of their personal information. The OAIC
expressed concern regarding the potential 'displacement' of the accountability
mechanism,[37]
and the committee agrees with the NSW Privacy Commissioner that APP 8.2(b)
should better explain the practical effect and potential consequences of this
displacement.[38]
Recommendation 4
6.37
The committee recommends that proposed APP 8.2(b) in item 104 of Schedule
1 of the Bill be amended to require an entity to inform an individual of the practical
effect and potential consequences of any informed consent by the individual to APP
8.1 not applying to the disclosure of the individual's personal information to
an 'overseas recipient'.
Recommendation 5
6.38
The committee recommends that the Explanatory Memorandum to the Bill be
revised to clearly explain that an entity will be required to inform an
individual of the practical effect and potential consequences of any informed
consent by the individual to APP 8.1 not applying to the disclosure of the
individual's personal information to an 'overseas recipient'.
'Enforcement body' and 'enforcement related activity'
6.39
The committee notes that item 17 of Schedule 1 of the Bill, defining the
'Immigration Department' (currently the Department of Immigration and
Citizenship) as an 'enforcement body', was a matter of concern for the Office
of the Australian Information Commissioner (OAIC) because the Immigration Department's
usual activities are 'not of an enforcement related nature'.[39]
The committee also notes that this aspect of the definition was not included in
the Exposure Draft of the Bill. While the Explanatory Memorandum (EM) contains
a brief statement regarding the appropriateness of this provision,[40]
the committee considers that further details should be provided to give
examples of the types of enforcement-related functions and activities which
will be covered by the exception.
6.40
The committee also acknowledges the concerns of Liberty Victoria and the
Australian Privacy Foundation regarding the addition of surveillance
activities, intelligence‑gathering activities and other monitoring
activities to the definition of 'enforcement related activity' (item 20 of
Schedule 1 of the Bill). The EM justifies this amendment on the basis of
accuracy and modernisation:
These types of activities have been included to update and
more accurately reflect the range of activities that law enforcement agencies
currently undertake in performing their legitimate and lawful functions of
accuracy and modernisation.[41]
6.41
The committee suggests, however, that this explanation should be
expanded to provide further guidance on what will constitute lawful use of an
individual's personal information by 'enforcement bodies'.
Recommendation 6
6.42
The committee recommends that the Attorney-General's Department revise
and reissue the Explanatory Memorandum to the Bill to clearly explain the
enforcement‑related functions and activities of the Department of
Immigration and Citizenship, as justification for the classification of the
'Immigration Department' as an 'enforcement body' in item 17 of Schedule 1 of
the Bill.
Recommendation 7
6.43
The committee recommends that the Attorney-General's Department revise
and reissue the Explanatory Memorandum to the Bill to clearly explain the scope
and intended application of the terms 'surveillance activities', 'intelligence
gathering activities', and 'monitoring activities' in item 20 of Schedule 1 of
the Bill.
'Permitted general situation'
6.44
Some stakeholders commented on proposed new section 16A of the
Privacy Act (item 82 of Schedule 1 of the Bill), which consolidates and
separates an exception repeated throughout various APPs in the Exposure Drafts
of the Bill examined by the F&PA committee. In particular, the Law Council
of Australia pointed out that it might be difficult to read and interpret the
legislation due to the separation of the exception from its substantive
provisions.[42]
6.45
The committee agrees that, in this regard, the legislation could be more
'user‑friendly', and considers that a relevant note at the end of each
APP should be inserted where necessary. This applies equally to proposed new
section 16B of the Privacy Act, which defines the 'permitted health situation'
exception.
6.46
One exception contained in the definition of 'permitted general
situation' relates to 'diplomatic or consular functions or activities' (item 6
in the table to proposed new subsection 16A(1) of the Privacy Act). The OAIC submitted
that the scope of this exception is not clear.[43]
The committee agrees that a clear explanation of the meaning of the phrase
'diplomatic and consular functions' would help identify the range of activities
which are to be exempted from the application of the APPs.
Recommendation 8
6.47
The committee recommends that the provisions contained in item 82 of
Schedule 1 of the Bill and for each Australian Privacy Principle which contains
a 'permitted general situation' or 'permitted health situation' exception, a
note should be added at the end of the relevant principle to cross‑reference
proposed new section 16A of the Privacy Act 1988 and/or proposed new
section 16B of the Privacy Act 1988, as appropriate.
Recommendation 9
6.48
The committee recommends that the Attorney-General's Department revise
and reissue the Explanatory Memorandum to the Bill to explain the intended
scope and application of the 'diplomatic or consular functions or activities' exception
set out in item 6 in the table to proposed new subsection 16A(1) of the
Privacy Act in item 82 of Schedule 1 of the Bill.
Credit reporting definitions
6.49
The committee notes the numerous comments regarding amendments to the
general definitions in subsection 6(1) of the Privacy Act and key definitions
relating to credit reporting in proposed new Division 2 of Part II (Interpretation)
of the Privacy Act (item 69 of Schedule 2 of the Bill). The committee will
not comment on each proposed definition but focuses its attention instead on
those definitions which appear to be most contentious or significant.
'Australian link'
6.50
The committee heard that the 'Australian link' requirement in proposed
new paragraph 21G(3)(b) of the Privacy Act will significantly affect a number
of stakeholders' business operations. Departmental representatives assured the
committee that such an effect is not intended and a solution is currently being
considered.[44]
The committee is therefore confident that this concern will be addressed in due
course.
6.51
The Bill proposes two new regimes for the cross-border disclosure of
personal information: the 'Australian link' requirement, which is used
throughout proposed new Part IIIA of the Privacy Act (credit reporting
provisions); and the general obligations set out in APP 8, supported by an
accountability mechanism in proposed new section 16C of the Privacy Act (item
82 of Schedule 1 of the Bill).
6.52
In relation to proposed new section 21G, the committee understands that
the 'Australian link' requirement creates a special rule for the cross-border
disclosure of 'credit eligibility information'[45]
and is entirely separate from the APP 8 regime. While some finance and credit
industry stakeholders questioned the need for the two regimes, the committee
accepts that the Australian Government has carefully considered the structural
approach adopted in the Bill.[46]
Key definitions
6.53
The committee appreciates that the proposed key definitions relating to
credit reporting are numerous and, in some instances, circuitous. In this
regard, the committee notes the stated need for specific terms which correlate
with information flows in the credit reporting system, as well as the APPs in
Schedule 1 of the Bill.[47]
The committee also notes the Commissioner's new guidance‑related function
(item 54 of Schedule 4 of the Bill), which includes promoting an understanding
and acceptance of the credit reporting provisions, and the Australian
Government's previous commitment to educate and inform stakeholders in the
transition phase of the Bill.[48]
'Default information'
6.54
The committee acknowledges concerns regarding proposed new
subsection 6Q(1) of the Privacy Act (item 69 in Schedule 2 of the Bill)
(key definition of 'default information'). With respect to notification and
listing processes, the committee agrees with the Consumer Credit Legal Centre
(NSW) that, after receiving written notification of a default, consumers should
have a period of time in which to rectify that default before a listing can be
made.
6.55
The Australian Communications Consumer Action Network suggested that a
'credit provider' should be required to notify an individual of the intention
to make a default listing. The committee does not consider this notification to
be necessary but agrees that consumers should be aware of the potential outcome
of a failure to rectify a default.
6.56
The committee agrees with the threshold amount in proposed new
subparagraph 6Q(1)(d)(i) (item 69 of Schedule 2) being increased to avoid the
capture of relatively small debts as a consumer credit default, particularly
those related to telecommunications and utility debts. Noting that a $300
minimum attracted the most support, the committee suggests that the Australian
Government actively consider increasing the threshold to at least this amount.
6.57
The committee understands that there are a number of industry views
regarding the time in which a listing should be made. The committee agrees that
there should be some certainty in the process, particularly to avoid the
potentially adverse effects identified by the Energy & Water Ombudsman NSW
– for example, considerably delayed default listings.[49]
The Australian Government has previously supported clarification on this
issue,[50]
and the committee endorses the view that appropriate guidance should be
provided in the industry‑developed credit reporting code.
6.58
The committee agrees with the Financial Ombudsman Service that
individuals experiencing financial hardship should not be discouraged from
approaching their 'credit provider' in order to negotiate a hardship
arrangement under the National Consumer Credit Protection Act 2009 (National
Consumer Credit Protection Act).[51]
The committee is concerned to hear that individuals are increasingly being
default‑listed while negotiating such arrangements, and therefore
supports better alignment between the National Consumer Credit Protection Act
and the Privacy Act.
Recommendation 10
6.59
The committee recommends that proposed new subsection 6Q(1) in
item 69 of Schedule 2 of the Bill be amended to require an appropriate
amount of time, such as 14 days, to have elapsed from the date of a written notice
before a default listing can occur.
Recommendation 11
6.60
The committee recommends that the written notification in proposed new
subsection 6Q(1) in item 69 of Schedule 2 of the Bill be amended to
include a warning about the potential for a default listing by a 'credit
provider' in the event that an overdue amount is not paid within a set period
of time.
Recommendation 12
6.61
The committee recommends that proposed new subparagraph 6Q(1)(d)(i) in
item 69 of Schedule 2 of the Bill be amended to reflect $300, or such higher
amount as the Australian Government considers appropriate, as the minimum
amount for which a consumer credit default listing can be made.
Recommendation 13
6.62
The committee recommends that the Office of the Australian Information
Commissioner, in formulating guidelines under proposed new section 26V in
item 29 of Schedule 3 of the Bill, include as a criterion the timeframe
within which an individual's 'default information' can be listed by a 'credit
provider'.
Recommendation 14
6.63
The committee recommends that the Office of the Australian Information
Commissioner, in formulating guidelines under proposed new section 26V in
item 72 of Schedule 2 of the Bill, include a requirement for credit
providers to fully consider an application for financial difficulty assistance
under the National Consumer Credit Protection Act 2009 before an
individual's 'default information' can be listed.
'Serious credit information'
6.64
Submitters and witnesses also raised specific concerns regarding the
proposed new definition of 'serious credit infringement' in subsection 6(1) of
the Privacy Act (item 63 of Schedule 2 of the Bill).
6.65
The committee recognises the significance and potential consequences of
listing a 'serious credit infringement' as part of a consumer's 'credit
information'. The committee considers it appropriate for a 'credit
provider' to be required to take such steps as are reasonable in the
circumstances (proposed new paragraph (c)(ii)) for at least six months
(proposed new paragraph (c)(iii)) in an effort to contact a debtor.
6.66
The committee does not accept that the proposed definition of 'serious
credit infringement' should be removed from the Bill, as suggested by the Consumer
Action Law Centre. Instead, the committee agrees with the view expressed by the
Australian Law Reform Commission in its 2008 report that 'credit providers' have
a legitimate interest in sharing information about the conduct of individuals
that falls short of fraud.[52]
The committee endorses the approach adopted in the Bill, an approach which the
committee considers does not diminish the serious nature of fraud.
'New arrangement information'
6.67
The committee notes that pre-default hardship arrangements are governed
by provisions in the National Consumer Credit Protection Act, whereas
post-default hardship arrangements are to be dealt with as 'new arrangement
information' under the Privacy Act.
6.68
The committee is concerned to have heard that the non-alignment of these
two regimes could operate to the detriment of individuals who are complying
with a hardship arrangement. The ANZ Banking Group Limited suggested that the
credit reporting system could note this compliance and avoid adversely
affecting an individual's credit file and future ability to obtain credit.[53]
However, the committee received evidence from Ms Katherine Lane of the Consumer
Credit Legal Centre (NSW) that any such notation could discourage consumers
from requesting hardship variations under section 72 of the National Consumer
Credit Protection Act.[54]
6.69
The committee therefore notes and agrees with the Department:
Hardship variations cannot be listed as part of an individual's
credit reporting information. The Government is concerned that permitting the listing
of hardship variations may act as a deterrent to individuals seeking hardship variations
in appropriate circumstances (including following a natural disaster) and this would
be contrary to the intention of providing the right to request a hardship
variation.[55]
Regulation of credit reporting
6.70
In relation to proposed new Part IIIA of the Privacy Act (item 72 of
Schedule 2 of the Bill), the committee comments on various provisions as
follows.
Permitted disclosures by credit reporting bodies and repayment history information
6.71
In her second reading speech, the Attorney-General noted that direct
provision of 'repayment history information' will be restricted to 'credit
providers' who are subject to responsible lending obligations under the National
Consumer Credit Protection Act.[56]
Proposed new section 20E of the Privacy Act (Use or disclosure of credit
reporting information) gives effect to this policy proposal in relation to the
disclosure of 'credit reporting information' by 'credit reporting bodies'.
6.72
The committee acknowledges the concerns of industry stakeholders which
are not 'licensees' under the National Consumer Credit Protection Act. However,
the committee notes:
The purpose of the credit reporting system is to balance an
individual's interests in protecting their personal information with the need
to ensure sufficient personal information is available to assist a credit
provider to determine an individual's eligibility for credit following an
application for credit by an individual, and for related matters.[57]
6.73
The committee also notes the proposed Objects clause of the Privacy Act (item 1
of Schedule 4 of the Bill) and, in particular, the first objective of promoting
the privacy of individuals. In view of these objectives, the committee
considers that it is appropriate to curtail the dissemination of individuals'
'repayment history information' even though its availability might be
considered beneficial to, or more desirable for, certain sectors of the finance
and credit industries.
6.74
On a separate matter, the committee acknowledges evidence provided by
the Consumer Credit Legal Centre (NSW) indicating that the inclusion of
'repayment history information' in the credit reporting provisions of the Bill could
be used to increase interest rates charged under a consumer credit contract.
According to Ms Katherine Lane, this outcome would be detrimental to
the most vulnerable of consumers in circumstances where they may have incurred only
minor credit defaults.[58]
Use or disclosure of de-identified
credit reporting information
6.75
Proposed new section 20M of the Privacy Act, preventing the use and
disclosure of de‑identified 'credit reporting information', also concerned
several industry stakeholders. The committee heard arguments concerning the
appropriateness of this provision and the value of de-identified data in the
information economy.
6.76
A representative from the Department highlighted that the Bill has been
drafted to prohibit all uses, disclosures and collections of personal
information with permitted exceptions, including in relation to the secondary
use of 'credit reporting information'. Further, the committee notes the
Australian Government's express recognition of, and allowance for, 'research
purposes that are deemed to be in the public interest and have a sufficient
connection to the credit reporting system', subject to existing rules developed
by the Office of the Australian Information Commissioner.[59]
6.77
The committee considers that it is appropriate for secondary uses of 'credit
reporting information' to be regulated, particularly when it might be possible
to re‑identify the information.[60]
The committee is not persuaded that proposed new section 20M will prevent
industry from conducting relevant research activities and is of the view that
there might also be merit in prohibiting the re‑identification of de‑identified
'credit reporting information'[61]
as an additional precautionary measure for the protection of individuals'
personal information.
Recommendation 15
6.78
The committee recommends that the Australian Government consider
prohibiting the re-identification of 'credit reporting information' which has
been de-identified for research purposes in accordance with proposed new subsection 20M(2)
in item 72 of Schedule 2 of the Bill, and whether a proportionate civil penalty
should apply to any breach of that prohibition.
Correction of personal information
and third party application
6.79
Proposed new subsections 20T(1) and 21V(1) (item 72 of Schedule 2) of
the Privacy Act enable an individual to request the correction of certain
personal information held by 'credit reporting bodies' and 'credit providers'.
The committee notes that the entity concerned need not hold the disputed
information, but will be required to deal with the correction request and
assist the individual to have their personal information corrected.[62]
6.80
As noted by the Australasian Retail Credit Association, this requirement
might be complex because of its focus on an operational process rather than an
outcome.[63]
The committee agrees that it might be more expedient for the recipient of a
complaint to be able to refer a complainant to a more appropriate respondent;
however, the committee is not persuaded that the Bill's proposed corrections
process is unworkable. As suggested by the Office of the Australian Information
Commissioner,[64]
the process should be improved to strengthen its consumer protections.
Recommendation 16
6.81
The committee recommends that proposed new sections 20T and 21V in item
72 of Schedule 2 of the Bill be amended to:
- create an obligation for the recipient of a request to take
reasonable steps to have the information corrected by the entity which holds
the disputed information;
- create an obligation for the entity which holds the disputed
information to correct the information within 30 days, if satisfied that the
information is inaccurate, out-of-date, incomplete, irrelevant or misleading;
and
- create an obligation for the recipient of a request to notify the
individual about the outcome of their request if that request has been
determined by another entity which holds the disputed information.
Correction of personal information and
time to correct
6.82
The committee acknowledges the views of the Energy & Water Ombudsman
NSW and the Telecommunications Industry Ombudsman, which argued that
corrections to personal information should be made expeditiously.[65]
The committee also notes the evidence of: the Australian Privacy Commissioner,
Mr Timothy Pilgrim, who argued that where information is in dispute,
the investigation leading to correction could well require more than the 30
days stipulated in proposed new subsections 20T(2) and 21V(2) (item 72 of
Schedule 2) of the Privacy Act;[66]
and consumer advocates, such as the Consumer Credit Legal Centre (NSW), which
argued that, consistent with ALRC Recommendation 59-8, 'credit reporting
bodies' and 'credit providers' should substantiate disputed listings within
30 days.[67]
6.83
In the circumstances, the committee considers that the 30‑day
timeframe is appropriate but an additional consumer protection would serve to
prevent any possible prejudice to an individual while a corrections request is
being investigated.[68]
Recommendation 17
6.84
The committee recommends that the regulations made pursuant to section
100 of the Privacy Act 1988 provide a mechanism for 'credit reporting
bodies' and 'credit providers' who have received a request for the correction
of an individual's personal information to note on the individual's credit file
that a correction is under investigation, with the notation to be removed upon
completion of that investigation.
Correction of personal information
and the concept of fairness
6.85
The Consumer Credit Legal Centre (NSW) highlighted that proposed new
section 21V, and presumably also proposed new section 20T (both in item 72 of
Schedule 2), does not allow for listings to be corrected in circumstances where
a reasonable person would consider the listing to be unfair.[69]
The committee believes that exceptional circumstances – such as natural
disasters, bank error, fraud, medical incapacity, and mail theft – warrant such
an allowance.
Recommendation 18
6.86
The committee recommends that the Bill be amended to enable a 'credit reporting
body' or 'credit provider' to correct an individual's personal information in
exceptional circumstances, such as in the case of natural disasters, bank
error, fraud, medical incapacity, and mail theft.
Complaints procedures and third
party issues
6.87
The committee notes the various concerns in relation to the complaints
procedures in proposed new Division 5 of the credit reporting provisions: for example,
the argument that the regime will prove impractical given the possibility of
one entity needing to consult another entity about the complaint (proposed new
subsection 23B(2); item 72 of Schedule 2).[70]
Several stakeholders suggested that, to be effective, the Bill should allow the
recipient of a complaint to refer a consumer to the entity which is the subject
of the complaint.
6.88
The committee accepts the Department's evidence that the recipient of a
complaint can refuse a complaint if it does not involve them,[71]
and observes that the legislative provisions do not preclude the recipient of
the complaint from referring a consumer to the appropriate entity.
Commencement
6.89
The committee received evidence from the finance and credit industries
regarding the adequacy of lead time should the credit reporting reforms
commence nine months after receiving Royal Assent. Submitters and witnesses
expressed a range of views on alternative commencement dates, with suggestions
ranging from 12‑18 months calculated from specific points in the
reform process to a date to be determined by the Attorney-General.
6.90
The committee notes that the Australian Government has engaged, and
continues to engage, in extensive consultations with industry stakeholders
regarding the reforms to Australia's privacy legislation. In the current
inquiry, it was apparent that the number of contentious issues has been
significantly reduced and the outstanding issues now under examination are
quite specific.
6.91
In relation to the commencement date, the committee accepts the need for
certainty in what has been a very lengthy and complex reform process. Noting
the 2010-11 inquiries into the Exposure Drafts of the Bill by the Senate
Finance and Public Administration Legislation Committee (F&PA committee),
and the current public consultation in relation to the draft regulations, the
committee considers that the proposed reforms are sufficiently advanced for
industry to be well aware of the extent and nature of implementation measures
required by the Bill.
6.92
The committee therefore accepts the Department's view that a commencement
date of nine months is certain and appropriate.[72]
The committee commends the Department for its acknowledgement of stakeholders'
ongoing concerns;[73]
however, the committee is of the view that, in the interests of certainty for
all stakeholders, the commencement date should remain at nine months after
Royal Assent.
Recommendation 19
6.93
The committee recommends that the commencement date for the Bill remain
at nine months after the Bill receives Royal Assent in order to provide
certainty for all relevant stakeholders.
6.94
As a final note, the committee observes that the Australian Government
previously accepted the F&PA committee's recommendation to consult industry
and consumers during the transitional phase of implementation.[74]
The government's response also stated:
The development of effective education and information
resources by stakeholders and for stakeholders will be undertaken during the
transition to the new regime. The Government anticipates that both industry and
the Office of the Australian Information Commissioner...will play a significant
role in providing education and assistance.[75]
6.95
The committee endorses this approach to raising public awareness and
educating consumers about the impending privacy reforms.
Recommendation 20
6.96
The committee recommends that, before the Bill's commencement date, the
Office of the Australian Information Commissioner – in consultation with the
Attorney-General's Department, as appropriate – develop and publish material
informing consumers of the key changes to privacy legislation as proposed by
the Bill, and providing guidance to Commonwealth agencies and private sector
organisations to ensure compliance with the new legislative requirements.
6.97
In conclusion, the committee commends the reform of Australia's privacy
protection framework. The Bill represents one component of this reform and,
while some specific amendments have been proposed by the committee, overall the
committee supports the Bill and recommends its passage.
Recommendation 21
6.98
Subject to the preceding recommendations, the committee recommends that
the Senate pass the Bill.
Senator Trish Crossin
Chair