Mr Alan Kirkland
Executive Director
Australian Law Reform Commission
GPO BOX 3708
SYDNEY NSW 2001
Dear Mr Kirkland,
I refer to your request of 12 December 2006 for submissions to the Australian Law Reform Commission's Review of Privacy - Credit Reporting Provisions Issue Paper 32.
I am pleased to provide you with a submission to the Issues Paper.
I look forward to discussing our submission with the Commission
Yours sincerely
Karen Curtis
Privacy Commissioner
13 April 2007
1. The Office of the Privacy Commissioner (the Office) is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) (the Privacy Act) has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.
2. The Office welcomes the review of the credit reporting provisions of the Privacy Act as part of the wider review being undertaken by the Australian Law Reform Commission (ALRC) of privacy regulation in Australia.
3. With the advent of the digital age individuals can now access credit in ways and for purposes that had not been contemplated in 1990 when Part IIIA was enacted. For example, individuals can now open a bank account, complete financial transactions, and even apply for credit online. For many young people their first credit transaction may be when they obtain a mobile phone, often while still at school.
4. With what seems to be an increasing ease of access to credit, it could be thought that individuals may have become less concerned about the privacy of their personal credit information than they have been in the past. However, research undertaken by this Office suggests that individuals' concern about protecting their financial information has increased, rather than abated, in recent years1.
5. The Office believes that privacy in this electronic age is about making sure that individuals can take up the advantages available to them through online environments and other technological advances, without unnecessarily sacrificing their ability to choose to whom their information is disclosed and how it is used and protected.
6. The protection of personal credit information remains an important privacy concern for individuals because of the serious consequences that may arise through the mishandling of their credit information. It is therefore crucial that the obligations on industry participants are clearly enunciated; that sufficient information is available to individuals to enable them to understand their rights; and that there is an appropriate framework in place to support these objectives.
7. With these aims in mind, the Office considers that it is timely that the ARLC's review focuses on the important issues of overall reform of the credit reporting system and whether the system should be expanded to allow more comprehensive credit reporting.
8. In general, the Office considers that the credit reporting provisions have worked well to provide privacy protection for individuals in relation to their credit information files. However, the Office suggests that reforming the framework of the credit reporting provisions would improve consistency and reduce complexity, thereby assisting credit providers and credit reporting agencies to understand their obligations and making sure individuals are aware of their rights.
9. In terms of the approaches to reform discussed by the ALRC in Chapter 7 of Issues Paper 32, Review of Privacy - Credit Reporting Conditions (IP 32), the Office considers that Part IIIA of the Privacy Act and associate provisions should be repealed in favour of regulating credit reporting under the National Privacy Principles (NPPs) and a binding code.
10. The Office believes that this approach will provide a regulatory regime that is consistent with the principle based approach of the Privacy Act while at the same time imposing specific and enforceable obligations on credit providers and credit reporting agencies, in relation to their credit reporting activities.
11. In our responses to chapter 4 and 5, the Office has drawn on its experience in applying the provisions of Part IIIA and the Privacy Act. The Office believes that the current provisions could be improved by removing some of the gaps and overlaps that exist and resolving inconsistencies between Part IIIA and other provisions of the Privacy Act, for example, the NPPs and the Credit Reporting Code of Conduct (the Code). The Office has also suggested that the current offence provisions should be reviewed with a view to assessing their effectiveness and analysing whether the Privacy Commissioner should be provided with additional mechanisms for dealing with breaches.
12. The Office intends that the recommendations made in response to chapters 4 and 5 be read in terms of reforming the current provisions and achieving the intended outcomes, regardless of whether Part IIIA is retained in its current format or whether the prescriptive detail ends up in a binding code.
13. In relation to comprehensive credit reporting, the Office believes that to date the available research does not provide consistent evidence to support such a change and that the research has not been validated against the legal, regulatory and industry factors that exist in Australia's credit reporting system.
14. The Office believes that the way to progress the discussion on comprehensive credit reporting is for an independent research study to be conducted to determine how such a scheme would impact on the Australian financial system and Australian consumers.
15. In general this submission follows the structure of IP32. While seven chapters appear in IP32, the Office has no comment to make in relation to the terms of reference for the review as set out in chapter 1. Further, the Office has not commented on the matters discussed by the ALRC in chapters 2 and 3 of IP32. These chapters deal with the development of the credit reporting provisions and the credit reporting framework and do not contain any specific questions.
16. To follow the structure set by IP32, the Office has titled the sections of its submission consistent with chapters 4 to 7 of the Issues Paper.
1. The Office considers that its role as a complaint handling body for credit reporting complaints is important given the serious consequences for individuals if adverse information is inappropriately recorded on their credit files. The Office believes that there are opportunities to improve the current complaint handling process and this chapter makes a number of suggestions which we believe will benefit credit providers, credit reporting agencies and individuals by making the process more transparent and effective.
2. The Office believes it is beneficial to all parties to maintain the existing process whereby individuals are able to negotiate a resolution of their complaint directly with the respondent while still retaining the ability to lodge a complaint with our Office if the matter is not resolved by the credit provider or credit reporting agency. The compliance experience our Office has in relation to investigating credit reporting complaints tell us that most complaints can be satisfactorily conciliated. However, the Office considers that the current penalty provisions could benefit from being reformed to make them a more effective mechanism to manage interferences with the privacy of credit information.
3. Consistent with our response to Chapter 6 the ALRC's Issues Paper 31, Review of Privacy (IP31), the Office considers that there are grounds for introducing additional mechanisms into the Privacy Act for dealing with systemic issues, including those that relate to the handling of personal credit information. Our response and the suggestions made in this chapter reflect those made in IP31.
4. The Office intends that the recommendations in this chapter should be read in terms of the objective of reforming the credit reporting provisions regardless of whether Part IIIA is retained in its current format or whether the prescriptive detail ends up in a binding Code as outlined in our response to Chapter 7.
5. Section 28A(1)(g) of the Privacy Act provides that the Privacy Commissioner may audit credit providers and credit reporting agencies for compliance with the requirements of Part IIIA of the Privacy Act.
6. Since the credit reporting provisions were introduced in 1990, the Privacy Commissioner has conducted 144 credit related audits. However, since the 2002/03 financial year the Privacy Commissioner has concentrated the Office's compliance resources on its complaint handling area to deal with the increased number of complaints received by the Office following the introduction of the private sector provisions in the Privacy Act. The Privacy Commissioner has not undertaken any credit reporting audits since this time.
7. Given the serious consequences for individuals if adverse information is inappropriately recorded on their credit files, the Office considers that there remains a strong argument for the retention of the Office's credit reporting audit functions. In support of this, the Office notes that audits not only provide an opportunity to determine the extent of compliance with the Act and to address possible systemic issues but also serve an educative function and allow the Office to promote best privacy practice solutions for an organisation's specific business practices.
8. The Office anticipates that, due to additional budget funding announced in 2006/2007, it will be able to direct more resources to its audit functions in the future and recommence its program for auditing credit providers and credit reporting agencies.
9. In response to IP31, the Office recommended that private sector organisations be encouraged to undertake self-auditing (Recommendation 6-9(i)). Similarly Recommendation 39 of the Office's Privacy Sector Review states that:
The Office will consider promoting privacy audits by private sector organisations, including by providing information on the value of auditing as evidence of compliance in the event of complaints and by developing and providing privacy audit training for organisations.
10. The Office considers that this activity could be extended to include promotion of self-auditing in the credit reporting industry to complement the Office's audit activities.
11. Credit reporting essentially involves the handling of personal information in credit related transactions. The credit reporting provisions of the Privacy Act protect the personal credit information of individuals. For this reason the Office considers that credit reporting complaints should be handled as privacy complaints under the Privacy Act.
12. The Office considers that the complaint handling framework has been largely effective in handling individuals' privacy complaints about credit reporting agencies. In the five year period from 1 January 2002 - 31 December 2006, 17% of complaints received by the Office concerned credit reporting issues. Of the credit cases received in the period, 87% had been closed as at 7 February 2007.
13. Of those closed cases, approximately one third were closed following conciliation or where the credit provider had already taken steps to adequately deal with the matter. Resolutions in these cases commonly included the amending of records and, on occasion, also included the payment of compensation. Another third of the cases were closed on the basis that the respondent had not breached the Act.
14. The Office has also had some success with the handling of systemic privacy issues using its own motion investigation (OMI) powers under s 40(2) of the Privacy Act and/or by meeting with organisations or agencies to discuss issues of concern. For example, in August 2004, approximately 65,000 customer default listings relating to One.Tel (then in liquidation) were removed from credit records after the Office found that the failed telecommunications company did not have systems in place to update customer credit default listings once a debt had been paid.2 In July 2003, following discussions with the Office, Alliance Factoring (a debt purchase organisation) agreed to change its debt collection practices to provide individuals with more time to resolve, query or dispute a debt before a default listing was made.3 4
15. However, the Office considers that there are grounds for introducing additional mechanisms into the Privacy Act for the handling of systemic issues. The Office's position on this issue is addressed in its response to Chapter 6 of IP31. The Office considers that this position is equally relevant to the handling of serious and systemic credit reporting issues.
16. The Office acknowledges that the complaints process in relation to credit reporting complaints may sometimes be confusing for complainants. In particular, individuals will often complain to the credit reporting agency to dispute an adverse listing when the primary respondent, being the source of the listing information, is the credit provider. Further, if the matter is referred to the Office, in accordance with the Act the Office will require the complainant to first complain to the credit provider, before it will consider whether to conduct an investigation.
17. While this is sometimes frustrating for complainants, the Office supports the retention of a general requirement that individuals complain to the respondent in the first instance before making a complaint to the Privacy Commissioner as required under s40(1A). The Office considers that where a complaint can be resolved between the complainant and respondent without the involvement of the Privacy Commissioner, this is the preferred method of resolving the matter. Further, this process provides respondents with an opportunity to take greater control and ownership of their handling of complaints and provides an incentive for respondents to actively deal with matters before they are raised with the Privacy Commissioner.
18. The Office considers that individuals could be better informed about where to direct an initial complaint in relation to a disputed default listing or adverse notation by the CRA such as details about a linked file. One way to achieve this could be to introduce an obligation on credit providers and CRAs to provide better notice to individuals regarding how and where to make complaints if they wish to dispute a default listing or information about linked files. This is consistent with our responses to Chapters 5 and 6 of IP32 where we suggest that consideration is given to amending the notice provision under s18E to provide additional information to individuals at the time their information is collected.
19. The Office submits that the complaint handling process could be improved by amending the credit reporting provisions to include:
20. The Office notes that there are currently a number of industry dispute resolution schemes that handle complaints related to credit reporting to some degree, specifically the Telecommunications Industry Ombudsman (TIO) and the Banking and Financial Services Industry Ombudsman (BFSO). The Office acknowledges that such schemes can serve an important role in assisting the resolution of complaints and promoting good practice within an industry.
21. The Office has recommended in its response to IP31 a number of strategies to formalise the relationship between the Office and industry dispute resolution schemes that deal with related complaints. These strategies include amendment of the Commissioner's decline powers to allow the Office to decline a complaint where the matter was being or had been adequately dealt with by a recognised industry dispute resolution scheme and to refer a matter where it would be more suitably handled by a recognised industry body.
22. Given the impact that adverse credit listings can have on an individual and the issues that arise in the credit reporting context from having three parties involved in most complaints (the credit provider, the credit reporting agency and the complainant), there may be benefits in the development of a credit reporting dispute resolution scheme. However, the Office would suggest that any such scheme should still provide that individuals have the option of escalating their complaint to the Privacy Commissioner if they considered that it had not been satisfactorily dealt with through such a scheme.
23. Importantly, however, there is a risk that the complaint handling mechanisms available to consumers could become confused or be further complicated by the introduction of a credit reporting complaint handling scheme if this is additional to the credit reporting complaint handling offered by the Office of the Privacy Commissioner and other existing industry dispute resolutions schemes such as the TIO and BFSO.
24. The Privacy Commissioner's Credit Reporting Code of Conduct (Code of Conduct) currently imposes a range of complaint handling requirements on credit providers and credit reporting agencies (see Part 3 of the Code of Conduct). The Office recognises that ideally the adequacy of these requirements and the Code of Conduct in general should be reviewed.
25. However, the Office will determine the proper timing of this task once the ALRC has decided on its approach in relation to the credit reporting provisions in the Privacy Act, recognising that if significant amendments are proposed this may supersede any changes that might be made to the Code of Conduct in the interim.
26. It appears from our experience that breaches of the credit reporting provisions can be placed into three categories: those that are inadvertent and unintentional breaches; those that are wilful or intended misuse of the credit reporting system; and inadvertent or unintentional breaches that are systematic in nature.
27. In general, the Office supports the retention of offence provisions for credit reporting offences. However, the Office believes the current offences could be reformed to reflect that, in our experience, the best outcome is achieved for individuals when inadvertent or unintentional breaches are conciliated either directly with the respondent, through an alternate dispute resolution scheme, or through the Office.
28. Where wilful or intentional misuse of the credit reporting system has occurred or the act is considered to be systemic in nature, the Office recommends that the penalties should be reflective of the serious nature of these offences and that the Privacy Commissioner should have additional powers to deal with such matters.
29. Further, the Office notes that the penalty provisions in Part IIIA need to be read in conjunction with Chapter 2, s3A of the Criminal Code. It is understood that these provisions provide that proceedings for an offence under Part IIIA must be made within 12 months of the offence occurring.
30. In many cases, Part IIIA offences may not be detected until an individual is refused credit or obtains access to their credit information file and discovers an unauthorised entry on that file. This may not occur until some time (possibly years) after the unauthorised entry was originally made. This situation may undermine the deterrence effect of the penalty provisions and could be remedied by amending the relevant legislation as required to reflect that proceedings for an offence under Part IIIA may be brought up to 3 years from the date that the offence is discovered, rather than 12 months from the date when the alleged offence occurred.
31. The Office has some concerns with the proposal raised in IP32, that the offence provision at s 18R be amended to "impose strict liability civil penalties on a credit reporting agency or credit provider that give to any other person a credit report containing false or misleading information (whether intentionally or otherwise)".
32. The main concern for the Office is that the introduction of strict liability provisions may undermine its conciliation role in relation to cases where an organisation may have inadvertently recorded an erroneous listing on an individual's consumer credit information file.
33. The Office is not convinced that it would be beneficial to the affected individual in such cases for the Office to seek to impose a civil penalty against an organisation rather than attempt to conciliate an outcome (which could include compensation). The Office would, however, be interested in further exploring options that may provide for the application of civil penalties without preventing the Office from conciliating cases.
34. There are a number of existing offence provisions in Part IIIA of the Privacy Act which reflect the seriousness of wilful or intended misuse of the credit reporting system. However, the Office notes that the current penalties have not been changed since 1990. The Office suggests that where penalties are imposed for serious misuse of the credit reporting system that the penalty amount imposed should be sufficient to act as a deterrent.
35. As noted in response to Chapter 6 of IP 31, the Office considers that a cautious approach should be taken to the introduction of further offence provisions in the Privacy Act. The Office also considers that the test for an offence should be higher than the test for a breach of the Privacy Act in all cases, for example, by the inclusion of a concept of intent into the offence provision, and should address a sufficiently serious level of misconduct.
36. Notwithstanding this, the Office notes that there have been no convictions in relation to the existing credit reporting offences under the Privacy Act since the introduction of the credit reporting provisions. During this time, the Privacy Commissioner has referred a range of matters to the Australian Federal Police (AFP) under s.49 where the Commissioner has formed the opinion that an offence may have been committed. In the Office's experience, few matters referred to the AFP under s.49 as possible credit reporting offences are subsequently prioritised for investigation by the AFP.
37. Given this, the Office considers that it may be appropriate for the ALRC to review the effectiveness of the current offence provisions and if the intention of these provisions is not being met, to consider other options for dealing with serious misuse of the credit reporting system. Such options could include the introduction of a range of enforceable remedies for own motion investigations (such as enforceable compliance notices) providing the Commissioner with the capacity to better pursue serious and systemic credit reporting issues if they arise. The Office has made recommendations to this effect in response to Chapter 6 of IP31.
1. The Office welcomes the opportunity to comment on and make suggestions regarding the operation of the current credit reporting provisions and how they could be improved.
2. The Office understands that as the ALRC is investigating approaches to reforming the credit reporting provisions, Part IIIA of the Privacy Act may not be retained in its current form. For this reason, the Office submits that the comments and suggestions in this chapter should be read in terms of the intended outcome of each suggestion, regardless of whether Part IIIA is retained in its current format. In responding to Chapter 7 of IP32 the Office has made recommendations about an approach to the reform of the credit reporting provisions.5
3. The Office intends that the recommendations in this chapter could be carried across as model provisions for a binding Code in terms of our response to Chapter 7.
4. The framework of Part IIIA of the Privacy Act was created before the National Privacy Principles (NPPs) were enacted. In comparison to the NPPs, and the Information Privacy Principles, Part IIIA tends to a prescriptive rather than a principles regulatory approach. The Office considers that credit reporting does require a certain of level of prescription to ensure that credit providers, credit reporting agencies and individuals understand their obligations and rights. Adverse personal credit listings can have a significant impact on the life and opportunities of an individual.
5. While many of the provisions in Part IIIA are consistent with privacy principles that relate to the giving of notice (by the credit provider), the use and disclosure of personal information, data quality and data security obligations, and access and correction issues, the approach is fragmented and incomplete.
6. In general the Office considers that the current framework is complex and makes it difficult for credit providers, credit reporting agencies and individuals to understand what their obligations and rights are. For example, the obligations of credit providers and credit reporting agencies are spread throughout Part IIIA and require reference to the Credit Reporting Code of Conduct to ensure compliance with certain provisions. Further, the definitions of 'credit information file' and 'credit report' are complex because of the differing and sometimes overlapping obligations placed on a credit reporting agency or credit provider.
7. The Office believes that compliance with the credit reporting provisions would improve if the obligations of credit providers and credit reporting agencies were clearly set out in a structured way and any overlapping or inconsistent definitions of key terms were resolved.
8. There are a number of areas where there appear to be unintentional privacy gaps in the regulation of personal credit information by Part IIIA. To some extent these are resolved by invoking provisions under the NPPs (or the Credit Reporting Code of Conduct). For example, there is no specific obligation in relation to the collection of personal information in Part IIIA which means that the NPPs will apply by default but only if the credit provider is an organisation within the meaning of s.6C of the Privacy Act. Other examples are the lack of clear regulation relating to the use of personal information in credit information files by credit reporting agencies and the regulation of a number of aspects of publicly available information of individuals.
9. The Office believes that these gaps make compliance unnecessarily complex for credit providers and credit reporting agencies and may create confusion for individuals and hinder understanding of their rights. These issues are discussed in more detail in our response and recommendations to various questions in this chapter.
10. In addition, there are some fundamental definitional differences between credit reporting terms set out in the Privacy Act and Part IIIA and those set out in other related legislation. For example, the term 'credit' has a different meaning in s.6(1) of the Privacy Act to that stated in the Uniform Consumer Credit Code.6
11. In the answer to Question 5-11 below, the overlap between Part IIIA with Part 13 of the Telecommunications Act 1997 is discussed. A number of provisions in Part 13 allow telecommunications businesses which are also credit providers to use or disclose personal information of individuals not generally permitted by other credit providers under Part IIIA. The Office believes that this inconsistency may lessen privacy protection.
12. Inconsistent regulation of credit reporting has the potential to increase compliance costs for all industry participants and limit the rights of individuals to have complaints resolved. The responses and recommendations that follow have been framed from the objective of reducing the current complexity and fragmentation of the credit reporting provisions.
13. The provisions do not differentiate between adverse listings for minor sums and large sums. This means that in some cases even if the monetary amount in question is quite small the consequences for the individual in attracting an adverse credit listing could be serious as such a listing will persist for 5 or 7 years. The Office considers that there is merit in the ALRC considering whether time limits for adverse listings should be on the basis of set monetary amounts on a graduated scale. For example, consistent with our response to Question 5-24 regarding children and young people, the Office suggests that the ALRC could consider whether periods of between 2 to 4 years could be considered for minor monetary amounts.
14. Credit reporting agencies generally provide access to credit information via subscriber arrangements with credit providers. The Office understands the services are usually provided online.
15. Section 18E(1)(b) of the Privacy Act states in part that a permitted content of a credit information file includes both a record of a credit provider having sought a credit report together with the amount of credit sought by an individual. If the credit provider lists the amount sought, the information then recorded will be an accurate snapshot at the time the application for credit is made.
16. In addition, s.18E(1)(b)(v) of the Privacy Act permits a lender to list itself as a current credit provider on the individual's credit information file. This procedure has the effect of alerting a potential lender that there is a current credit facility with another lender, thus assisting a potential lender to assess risk. However, it is understood that the provision is little used possibly because of the compliance obligation to inform the credit reporting agency when the credit provider ceases to be a current credit provider.7
17. The Office agrees with the view expressed in Paragraph 5.9 of IP32 that the statutory provision in s.18E(1)(b)(i) of the Privacy Act which requires the recording of inquiry information on a credit information file is a privacy safeguard. The provision helps to ensure transparency so that the individual is aware of, from reading their credit file, the name of the entity which accessed his or her credit information file on a particular date and the purpose of the access.
18. It may also act as a deterrent to inappropriate access. Although the individual may not be aware of who is accessing their information at the time the access occurs, the record assists the individual to see this information when they obtain their credit file at a later stage. It also facilitates the individual's ability to exercise their rights, including, by lodging a complaint if necessary.
19. However, IP32 notes that there may be some disadvantages to individuals as a result of the inquiries information on their credit files. Paragraph 5.6 of IP32 refers to the Consumer Credit Legal Centre (NSW) Inc's (CCLC) view that in its experience it is increasingly the case that an individual's application for credit is rejected solely on the basis of the number of inquiries on the person's credit report, despite the absence of default listings.
20. In the Office's experience, the number of inquiries recorded on an individual's credit information file may be a factor in lending decisions, particularly for smaller credit providers. Further, some lenders use internally or externally generated confidential risk scorecards for individuals. The Office understands that a number of variables and weightings are used in generating a scorecard including, but not limited to, the number of times an individual has applied for credit in a given period.
21. The Office is aware that where an individual approaches a finance broker in an effort to obtain the most competitive credit, an electronic footprint of accesses and the amount of the credit application is recorded on the individual's credit information file by a number of potential lenders and the broker itself even though only one loan is being sought.
22. The Office recognises the importance of consumers being able to 'shop around' for credit without the concern that the net effect of this may be a negative scorecard due to multiple inquiries listed on their credit file. The Office believes that there may be an issue for some consumers who have applied to a number of credit providers for the same credit amount. A provision for credit providers to note, on a voluntary basis, that they made an offer of credit, without specifying the amount, to an individual in relation to a specific inquiry could go some way to addressing the possible misleading nature of multiple inquires from credit providers over a short time period. The Office believes that consideration should be given to introducing such a provision in the Privacy Act.
23. Although, currently, some credit reporting agencies specify a minimum listing amount of $100 on an individual's credit information file, Part IIIA does not specify any minimum listing amount.
24. The adverse impact on an individual's ability to secure credit by the practice of listing small debts may be disproportionate to the potential financial risks encountered by credit providers assessing a loan application.
25. The Office is of the opinion that there should be a statutory minimum amount below which listings should not be a permitted content of a credit file under s.18E of the Privacy Act.
26. CCLC has suggested that such an amount could be $500 and the Office believes there is merit in the ALRC exploring this proposal particularly if it receives broad support. Any changes to this provision will not affect the credit provider's existing rights under the general law to obtain judgment against the individual for an unpaid loan.
27. The Office is of the view that dishonoured cheques of not less than $100 should be removed as a permitted content of a credit information file. It is understood that few if any such listings are made and the Office agrees with the view expressed in Paragraph 5.14 of IP32 which casts doubt on whether a dishonoured cheque constitutes credit as defined in the Privacy Act.
28. The Insolvency and Trustee Service Australia (ITSA), maintains the National Personal Insolvency Index (NPII) which is a register of bankrupts. This register is publicly available; however the Office understands that the NPII is not the primary source of information on bankrupts for most credit providers. Credit providers would generally rely on the information obtained from credit reporting agencies. The Office considers that an individual's status as a bankrupt is a significant factor in the credit provider assessing the individual's eligibility for credit.
29. At present, Part IIIA of the Privacy Act allows 'bankruptcy orders made against the individual' to be listed on a credit information file but does not allow an 'act of bankruptcy', whether this results from a sequestration order by the Federal Court or debtor's petition by the Official Receiver, as permitted content of a credit information file.8 The Office notes that the term 'bankruptcy order' is not used in the Bankruptcy Act 1966, while the term 'act of bankruptcy' is used.
30. The Office suggests that the term 'bankruptcy orders' should be removed and replaced with the term 'act of bankruptcy' as a permitted content of a credit information file in s.18E of the Privacy Act.
31. Debt agreements under Part IX and personal insolvency agreements under Part X of the Bankruptcy Act do not constitute bankruptcy orders and, for this reason, are not permitted contents of a credit information file. Part IX and Part X agreements by individuals are publicly available information under the Bankruptcy Act. One credit reporting agency lists Part IX and Part X agreements in a separate record as publicly available information, which means they are not subject to the requirements of Part IIIA of the Privacy Act.
32. To promote consistency and reduce complexity the Office suggests that consideration be given to whether debt agreements under Part IX and personal insolvency agreements under Part X should be made permitted contents of a credit information file. If Part IX and Part X debt agreements are made permitted contents of a credit information file, then the Office supports the deletion of the information after 5 years from the individual's credit information file, rather than 7 years as is the case with bankruptcy orders.
33. Further discussion regarding the regulation of the publicly available personal information of individuals appears under Question 5-26.
34. A 'serious credit infringement' is defined in s.6(1) of the Privacy Act and is a permitted content of an individual's credit information file under s.18E(1)(b)(x).
35. As pointed out in Paragraph 5.23 of IP32, a credit provider can list a serious credit infringement at any time; there is no waiting period as with other listings.
36. However, the listing requirements are quite complex and include:
37. The Office recommends that the ALRC consider simplifying the definition of serious credit infringement and the circumstances when such a listing should be made. It also agrees with the view in Paragraphs 5.22-5.24 of IP32 that the Privacy Act should define serious credit infringement with greater precision rather than leaving this to the interpretation of individual credit providers as is currently the case. The Office believes that such changes will not affect the credit provider's existing rights under the general law to obtain judgment against the individual for an unpaid loan.
38. In the answer to Question 5-25 below the Office suggests that ALRC may wish to consider whether the commercial credit information of an individual should be covered by Part IIIA of the Privacy Act. An individual's commercial credit information may include personal information and credit reporting agencies currently make this information available to credit providers to assess an individual's credit eligibility with the consent of the individual.
39. If this proposal proceeds the permitted content of a credit information file in s.18E could be amended to include commercial credit taken out by individuals.
40. The Office recommends that that the definition of a 'credit reporting business' in s.6(1) of the Privacy Act should be amended to remove the exclusion in the phrase 'other records in which the only personal information relating to individuals is publicly available information'. This will have the effect of regulating publicly available personal information, such as commercial credit information, including defaults, directorships, judgments and proprietorship information that is collected by a credit reporting agency for the purpose of assessing an individual's eligibility for credit.
41. If this proposal proceeds the permitted content of a credit information file in s.18E should be amended to include publicly available information.
42. The Office supports the current list of prohibited content of a credit information file in s.18E(2) of the Privacy Act, including the publicly available information on that list, given the highly sensitive nature of the information and the lack of relevancy of the information to an individual's credit worthiness. The prohibited content of a credit information file currently comprises:
43. However, to improve consistency the ALRC may wish to consider aligning the definition of prohibited content with the definition of sensitive information in s.6(1) of the Privacy Act which applies to the NPPs. This aspect is also discussed in the answer to Question 5-26.
44. The Office does not support compulsory reporting by credit providers to credit reporting agencies. The Office considers that the personal information compulsorily reported to credit reporting agencies could become a rich source of data with the attendant risk that over time other entities may wish to source the information for purposes unrelated to the provision of credit.
45. To address some of the privacy concerns, should such a proposal be adopted, the Office believes that the current use and disclosure provisions should be reviewed so that stronger protections are introduced to prohibit the use or disclosure of permitted content for non-credit related purposes.
46. The Office is not in a position to say whether compulsory credit reporting would add to the compliance costs of medium and small credit providers. However, the Office is concerned that expanding the volume of information reported to credit reporting agencies has the potential to increase the level of inaccuracy.
47. The notice provision in s.18E(8)(c) of the Privacy Act is important as it promotes transparency between the individuals, credit providers and to some extent credit reporting agencies. However as currently drafted, this provision generates a number of complaints particularly in relation to assigned loans. Such complaints typically occur because notice may be given by a credit provider a long time before a listing is made. Problems may also occur with assigned loans because the assignee may assume notice has been provided by the original credit provider and not provide notice at time of listing . The Office believes that s.18E(8)(c) would benefit from being re-drafted to align the notice requirements with those under NPP1.3.
48. To address these issues, the Office believes that organisations collecting personal information for credit reporting purposes should give separate notice to the individual regarding the handling of their personal information. The Office also believes that this notice should not be bundled with other information about credit terms and conditions and could set out information such as the possible uses and discloses that could occur during the credit relationship in accordance with Part IIIA and how the individual could contact a credit reporting agency to discuss the handling of their personal information or obtain access to their information. These comments are also made in our response to Question 6.4(a).
49. The Office also considers that there is value in requiring credit providers to give individuals notice when certain events occur, such as default listing or a debt assignment, which could result in an adverse listing being placed on their credit information file. The Office notes that these events sometimes occur well after the credit was initially granted. As credit providers, or assignees are likely to be in contact with individuals about these matters, reminding individuals that a listing may be made on their credit information file would involve only a marginal additional compliance cost. The Office suggests that this notice could be incorporated into the letter of demand or debt assignment notice that the credit provider issues, as is currently done by some credit providers.
50. Part IIIA of the Privacy Act interacts with state-based statutes of limitation through certain provisions in the Credit Reporting Code of Conduct. Clause 2.8 of the Credit Reporting Code of Conduct provides that 'a credit provider must not give to a credit reporting agency information about an individual being overdue in making a payment where recovery of the debt by the credit provider is barred by the statue of limitations'. In this way the statutes of limitation temporally limit the listing of debts, which may otherwise be listed under the Credit Reporting provisions of the Act.
51. Part IIIA provides that where a loan is statute barred because of provisions in statutes of limitation, the debtor cannot be considered to be 'overdue in making a payment' or to have committed a serious credit infringement 'indicating an intention ... no longer to comply with the ... person's obligations in relation to credit' within the meaning of those terms in the Privacy Act. Statutes of limitation are a state matter and so to apply this provision accurately, credit providers and credit reporting agencies may need to refer to a number of pieces of legislation.
52. The Office supports the consolidation of provisions in the Credit Reporting Code of Conduct (Paragraph 2.8) and s.18E(1)(ba)(i) in the Privacy Act preventing statute barred loans both in relation to debtors and guarantors from being listed on an individual's credit information file.
53. With the exception of statute barred debts, the current credit reporting provisions of the Privacy Act do not specify a time limit within which a credit provider must report a payment default or serious credit infringement to a credit reporting agency. Specifying a maximum period of time by which listing must occur may assist affected debtors but could add to business compliance costs. The ALRC may wish to consider this matter further. The Office also notes that some credit reporting agencies have imposed a 12 month limit within which credit providers must report defaults or serious infringements. The Office agrees that this is an appropriate time-frame.
54. The Office understands multiple listings may occur when a credit provider lists a payment default (or serious credit infringement) and later makes another adverse listing for the same default or serious infringement. This has the effect of extending the period that the listing remains on an individual's credit information file, for example from the usual 5 years to 10 years and is likely to adversely affect an individual's ability to secure credit for an extended period. This practice appears to significantly penalise an individual and may not reflect their current credit worthiness.
55. The Office has taken the view that multiple listings for the same default are not permitted by Part IIIA based on the interaction between s. 18E and s.18F. The Office supports a specific provision to prohibit multiple listings in relation to the same default so that this protection is clearer. The Office suggests that such a provision, or a separate provision, could allow a credit provider to update the amount of the default on an individual's credit information file without an additional listing being made.
56. In relation to schemes of arrangement12 and default listings the Office agrees it should review its Credit Advice Summaries in relation to payments that becomes overdue under the new arrangement but that have already been listed.
57. The Office considers that the terms 'credit information file' and 'credit report' used, respectively, within Part IIIA of the Privacy Act and the Credit Reporting Code of Conduct need to be reviewed to eliminate inconsistencies in their definitions. Other issues related to the inconsistent use of terms are discussed in the response to Question 5-16 below.
58. Sections 18G (a) and 18J(1) in the Privacy Act and several paragraphs in the Credit Reporting Code of Conduct13 regulate the accuracy of credit information files and credit reports.
59. Section 18G(a) states in part that a credit reporting agency and a credit provider 'must take reasonable steps to ensure that personal information contained in the (credit information) file or (credit) report is accurate, up-to-date, complete and not misleading'.
60. Section 18J(1) is couched in similar terms, requiring a credit reporting agency to take 'reasonable steps' to make appropriate corrections, deletions and additions, to ensure the personal information in the credit information file or credit report is accurate, up-to-date, complete and not misleading.
61. The Commissioner's advisory Note 7 to the Credit Reporting Code of Conduct states, in relation to s.18G, that 'where there is doubt as to a credit reporting agency's ability to comply with these standards of accuracy, currency, and completeness in respect of any item of information, such items must be removed from the credit information file'. The Explanatory Memorandum to Part IIIA of the Privacy Act at Paragraph 76 says:
Incorrect credit information may have a profound effect on the lives of individuals. Section 18G provides that a credit reporting agency and a credit provider will be required to take steps to ensure that the personal information contained in a credit report [or credit information file] is accurate, up to date and not misleading (Paragraph 18G(a)) ... Where there are disagreements between an individual and a credit reporting agency or credit provider as to the accuracy of a credit record, the individual will be able to request the record-holder to include a statement or note in the credit file or report; see new s.18J.
62. It could be argued that as s.18G is a provision independent of s.18J(1), it imposes an obligation on a credit reporting agency (and credit providers14) to maintain the accuracy of a credit information file or credit report by taking reasonable and proactive steps to do so. As the requirements in s.18G include credit reporting agencies, it is the Office's view that credit reporting agencies cannot rely solely on credit providers to maintain the accuracy of the information held on the credit reporting system. For example, credit reporting agencies could take reasonable steps to maintain the accuracy of their reports by taking a representative sample of records to check for accuracy on a regular basis. The Office believes there may also be other steps that credit reporting agencies could take.
63. To clarify the requirements regarding accuracy the Office supports the inclusion of obligations similar to those outlined in the New Zealand Credit Reporting Privacy Code 2004 and outlined in Paragraph 5.55 of IP32 which requires credit reporting agencies to:
64. It is understood that credit reporting agencies will link the credit information file of an individual to other credit files which are thought to refer to that same individual when, for example, someone is suspected of using an assumed name or a different combination of their first names or first and surnames. In practical terms this means that when an affected individual makes a credit application and the credit provider makes a credit report inquiry, all the linked files can be accessed.
65. It does not appear that individuals are notified when their credit information file has been linked and so they are unlikely to become aware of the linkage until they are refused credit because of the content of their credit file and then make inquiries. The Office appreciates that there may be practical privacy difficulties that a credit reporting agency would face in providing information to an individual about the details of such a linkage. However, it is notable that usually a credit information file will not state that there has been a link to another file, why it was made or where the information came from. The collated and linked information is contained in credit files but the credit providers and individuals are not advised as to the reasons for the linkage.
66. Under s.18(G)(a) credit reporting agencies have obligations to ensure the accuracy of information held on credit information files. In terms of linked credit files, we understand that credit reporting agencies rely on the fact that credit providers have obligations regarding the accuracy of information they use and disclose, rather than making any separate investigation or decision before linking credit files. The Office has received several complaints about this issue. The practice of linking files in this way appears to be a gap in the privacy protections in Part IIIA. The Office also understands that credit reporting agencies may link personal information in credit files based on information supplied by third parties. However, these third-parties do not appear to have any obligations under Part IIIA of the Privacy Act to ensure the accuracy of the information that they supply to a credit reporting agency.
67. The Office suggests that the ALRC should consider whether these practices should be regulated.
68. Section 18E(1)(b)(vi) of the Privacy Act provides in part that a payment that is overdue by at least 60 days may be included in a credit information file. Some credit providers have