Chapter 3 Credit Reporting Provisions
3.1
The credit reporting provisions are contained in Schedule 2 of the
Privacy Amendment Bill and will replace the current credit reporting system in
Part IIIA of the Privacy Act 1988 (Cth). The provisions regulate the handling
and maintenance of certain kinds of personal information concerning consumer
credit that is intended to be used wholly or primarily for domestic, family or
household purposes.
The Australian link requirement
3.2
The Privacy Amendment Bill contains a specific rule to govern the cross‑border
disclosure of credit reporting information. A credit provider is restricted
from disclosing credit eligibility information to overseas recipients that do
not have an Australian link.[1] This requirement was not
included in the 2011 exposure draft of the credit reporting provisions.
3.3
The Explanatory Memorandum states that ‘the term “Australian link” is
used to define the entities that are subject to the operation of the Act’.[2]
3.4
The Australian link requirement aims to ensure Australian credit
information does not leave the Australian credit information system and that
foreign credit information does not enter the Australian credit information
system.[3]
3.5
The Committee received a significant number of submissions voicing
concerns about the Australian link requirement in the credit reporting
provisions.[4] Many organisations are
concerned that the Australian link restriction will inhibit legitimate business
practices as information may not be able to be disclosed to an off-shore agent
or related entity for legitimate business purposes.[5]
3.6
The Law Council of Australia (LCA) explains that:
…some authorised
deposit taking institutions have established outsourcing operations with
entities based in foreign countries as a means of providing financial services
more economically and contributing to lower overall prices. These services may
comprise ‘cloud’ based technologies for data storage and backup, which may
utilise storage in a variety of locations for the purposes of effective
disaster recovery. In other cases, business processes (that may include
automated credit decisioning or first line call centre support) may be hosted
offshore by contracted service providers.
The off-shore entities may be wholly-owned but foreign
incorporated subsidiaries, or may be unrelated bodies subject to strict service
agreements which require information to be used and dealt with solely for the
purposes of the principal with high levels of security.[6]
3.7
It appears that Australian organisations with such arrangements will be
affected by the Australian link requirement.
3.8
Optus notes that the provisions will adversely affect companies that
have off-shore call centres or data processing facilities.[7]
3.9
The Australia and New Zealand Banking Group Limited (ANZ) expresses
concern that the provisions will mean an Australian-based organisation will not
be able to transfer information to a wholly owned off-shore entity, even where
the organisation takes steps to ensure the entity is subject to similar
standards as the APPs.[8]
3.10
General Electric Capital notes that for companies that hold credit
eligibility information and personal information, these will have to be
segregated and managed under different disclosure regimes.[9]
3.11
The LCA suggests the Australian link requirement is artificial because
if an Australian organisation has a 100 per cent held subsidiary performing
outsourced services, the control that organisation holds over the information
is the same, regardless of where the subsidiary is incorporated.[10]
3.12
The LCA suggests where the credit provider is an authorised
deposit-taking institution for the purposes of the Banking Act 1959 (Cth)
and the manner in which the off-shore provider is being used is consistent with
APRA’s standards and is subject to APRA’s supervision, the Australian link
requirement should not apply.[11]
3.13
Some submissions suggest that instead of the Australian link
requirement, APP 8 should apply to credit eligibility information in the same
way it applies to personal information[12] as there is no policy
basis for restricting the disclosure of credit eligibility information to a
greater degree than personal information.[13]
3.14
Alternatively, ANZ suggests that an exception to the Australian link
requirement be developed for instances in which information is being disclosed
for legitimate business purposes.[14]
3.15
In contrast, Communications Alliance suggests that Australian link
requirement should be removed altogether.[15]
3.16
The Committee notes Mr Glenn from the Attorney-General’s Department’s
comments at the Senate hearing, which acknowledged the issues and the ongoing
discussions as to how the cross-border flow of credit information might best
operate:
Certainly the Bill needs some improvements around the
Australian link idea. We have heard from stakeholders that the proposed solution
to deal with cross-border data flows in the credit context does not work with
existing business models. So we are having some discussions with banking and
finance stakeholder as to how to adjust that.[16]
3.17
The Attorney-General’s Department notes that the Government accepted Australian
Law Reform Commission (ALRC) recommendation 54-5 to exclude Australian
reporting of personal information about foreign credit, and the disclosure of
credit reporting information to foreign credit providers. The Department suggests
that the off-shore processing of credit reporting information does not appear
to have been considered by the ALRC.[17]
3.18
The Department’s submission clarifies that there is no policy intention
to prohibit the existing practices of credit providers in relation to their off‑shore
processing systems for credit reporting information.[18]
3.19
The Department explains that the insertion of the term ‘Australian link’
in section 5B of the Privacy Act 1988 (Cth) (which includes a foreign
organisation that holds information in Australia), combined with the permission
for credit providers to disclose to a related body corporate, would allow
off-shore processing of credit reporting data.[19] However, it acknowledges
that credit provider stakeholders suggest that this arrangement will not allow
them to continue to undertake off-shore processing of that information.[20]
3.20
The Department notes that:
On examining the exposure draft of the credit reporting
provisions in the development of the Privacy Amendment Bill, it became clear
that permitting broad cross-border disclosure of personal information from the
credit reporting system under APP 8 would undermine the government’s policy to
exclude the reporting of personal information about foreign credit and the
disclosure of credit reporting information to foreign credit providers.[21]
3.21
On this basis, the Department advises that it is currently considering
options to address this issue. It notes that the preferred approach is to
identify options that allow a specifically targeted disclosure to deal with
off-shore process which would most likely impose obligations based on proposed
APP 8.1 and proposed section 16C. This would ensure that the Australian credit
provider remains accountable for the personal information sent to the overseas
recipient. The Department advises that initial discussions suggest this
approach may be acceptable to credit provider stakeholders. [22]
3.22
The Committee was advised that the Department ‘will continue to work
with stakeholders to refine an approach that can be put to the Attorney‑General
for consideration.’[23]
Repayment history data provisions
3.23
The Privacy Amendment Bill will allow personal information grouped under
five new data sets to be collected and included on credit reports. The fifth
new data set is repayment history data.
3.24
Some submissions outline their support for the inclusion of repayment
history data as one of the new data sets.[24]
3.25
However, some organisations have strong concerns about consumers’
interests and the effect of the inclusion of repayment history data in the
credit reporting system.[25]
3.26
Notably, while the ALRC recommended that limited repayment history
information should be included in the credit reporting system, it also
recommends that this be accompanied by responsible lending obligations and
other safeguards.[26]
3.27
The Explanatory Memorandum suggests that the repayment history data will
lead to decreased levels of over indebtedness and lower credit default rates.[27]
Other submissions also suggest that collection of repayment history data will
improve the quality of consumer credit.[28]
3.28
According to the Attorney-General’s Department submission, the
Government considers that more comprehensive credit reporting will allow a more
robust assessment of credit risk. This could lead to lower credit default rates
and is likely to improve competition in the credit market, eventually resulting
in benefits to both individuals and the credit industry.[29]
3.29
The Consumer Credit Legal Centre, New South Wales (CCLC) disputes this
and claims there is no evidence to suggest that the inclusion of repayment
history data will lead to these positive changes[30]
and suggests that including repayment history data will not, in itself, lead to
responsible lending.[31]
3.30
Instead, CCLC claims that the reverse may occur and there is the
potential to justify the refusal of credit due to poor repayment history where
the borrower otherwise has capacity to pay, or to allow credit to be granted
where it wouldn’t have been in other circumstances because of a good repayment
history, or to offer differential pricing based on repayment history
(risk-based pricing).[32] These possible scenarios
are unlikely to provide positive outcomes for consumers.[33]
3.31
However, as noted in some submissions, lenders are already subject to various
responsible lending obligations under the National Consumer Credit
Protection Act 2009 (Cth).[34]
3.32
In addition, the Bill includes a number of consumer protections around
repayment history information, such as a restrictive definition of ‘repayment
information’ and strong restrictions on the collection, use and disclosure of
repayment history information.[35]
3.33
The Committee also notes that the Government response to the ALRC
recommendation 54-8 included an agreement that a review of the credit reporting
provisions would be conducted within five years from the commencement of the
Bill.[36]
3.34
Most submissions to this inquiry raised concerns of industry regarding
the effects of the Bill, however there were some additional issues raised by
consumer advocates. These include the perceived reluctance of the Privacy
Commissioner to make determinations, pre-screening for direct marketing purpose
and the difficulty of removal of unfair/incorrect credit listings.
3.35
The Committee notes that many of these consumer advocate issues were
interrogated in some detail at the Senate hearings and, consequently, the
Committee has chosen note to examine further these issues.[37]
Addresses stored on file
3.36
Veda’s submission outlines its concern about the restriction on the
number of addresses that can be held on a credit report. It suggest that the
limit of an individual’s current or last known address and two previous
addresses, combined with changes which add restrictions on the internal use of
that information, may result in many individuals becoming untraceable. This
could potentially affect 2.4 million files.[38] As internal use is
unregulated under the current regime, the additional information is used for
data matching purposes.[39] Veda suggests that these
restrictive changes will create potential for ‘a highly mobile, highly
transient segment of the population’ to become untraceable.[40]
3.37
Veda suggests that to remedy this problem the Bill should be amended to
allow credit reports to include, for the purpose of record management, either
the current plus two previous addresses or all addresses over the previous five
years, whichever is the greater.[41]
3.38
The Attorney-General’s Department gave evidence that it does not
consider that credit reporting bodies will lose trace of an individual if the
individual moves more than twice in a five year period because the proposed
definition of ‘identification information’ includes a range of other types of
personal information.[42]
3.39
The Attorney-General’s Department notes that it:
…considers that the
various types of personal information included in the definition of
‘identification information’ in conjunction with the permitted address
information should be sufficient to identify individuals.[43]
Committee Comment
Australian link requirement
3.40
The Committee received a significant number of submissions on this issue
and notes the difficulty in striking an appropriate balance between the
protection of credit reporting information and the ability for industry to
function reasonably. The Committee emphasises that this is critical issue.
3.41
The Committee notes that the Attorney-General’s Department has already
undertaken significant consultation with various organisations across many
industries.
3.42
The Committee is pleased to note that the Attorney-General’s Department
intends to continue consultation with stakeholders. The Committee anticipates
this process will lead to some resolution of the issues around the Australian
link requirement.
3.43
At this point, the Committee is satisfied with the provisions as
proposed in the Bill, particularly in light of continued consultation with industry
which may refine aspects of the Bill’s practical operation. However, given the
complexity and seriousness of the issues, for both individuals and industry,
the Committee acknowledges the critical importance of reviewing these
provisions to assess their implementation and any unintended consequences. The
Committee recommends that the cross border disclosure of credit reporting
information is assessed in a review of the operation of the new privacy laws.
This review should be conducted twelve months after the Act commences.
Repayment history provisions
3.44
The Committee notes concerns raised regarding the effect of the
inclusion of repayment history provisions. However, responsible lending
obligations already exist and, as per the recommendation of ALRC, consumer
protections are included in the Bill.
3.45
The Committee supports the Government’s commitment to review the credit
reporting provisions within five years of commencement.
3.46
The Committee is satisfied that the provisions as currently drafted are
reasonable and balanced, and an appropriate review of their operations has
already been agreed to.
Addresses stored on file
3.47
The Committee notes the concern raised regarding this issue but is not
convinced that it will result in many individuals becoming untraceable as a
consequence. Other types of personal information may still be stored and the
Committee does not consider the changes to be overly restrictive or detrimental
to industry.