Chapter 6
Credit reporting agency provisions
Introduction
6.1
This chapter looks at comments relating to Division 2 of the Exposure
Draft which regulates credit reporting agencies. The matters regulated include
handling of credit reporting information, de-identified information and access
to, and correction of, information.
6.2
Credit reporting agencies are defined in section 180 as an organisation
or a small business operator or an agency prescribed by regulation that carries
on a credit reporting business. The meaning of credit reporting business is
provided for in section 194 of the Exposure Draft and means a business
carried on in Australia that involves the collection, holding, using or
disclosing of personal information about individuals for the purpose of, or for
purposes including the purpose of, providing an entity with information about
the credit worthiness of an individual. Comments received in relation to the
definition of credit reporting agency are discussed in chapter 9.
6.3
If a credit reporting agency is an entity to which the Australian Privacy
Principles (APPs) apply, the APPs do not apply to credit information, credit
reporting agency derived information or credit provider derived information.
The APPs will apply to all other information held by a credit reporting agency.
6.4
The following discussion focuses on the major matters raised in relation
to Division 2. Other issues raised in relation to specific provisions are
listed in appendix 3.
Subdivision B – Consideration of information privacy
6.5
Pursuant to Subdivision B, credit reporting agencies must ensure that
they manage credit reporting information in an open and transparent way. The
subdivision requires credit reporting agencies to take such steps, as are
reasonable in the circumstances, to implement practices, procedures and systems
relating to the credit reporting business of the agency that will:
- ensure compliance with the obligations of Division 2 and the
Credit Reporting Code; and
- enable the agency to deal with inquiries or complaints from individuals
about the agency's compliance with Division 2 or the Credit Reporting Code.
6.6
In addition, credit reporting agencies must have a clearly expressed and
up-to-date policy about the management of credit reporting information by the
agency. These provisions are the equivalent to APP 1 although, as noted by
the Australian Privacy Foundation (APF), there is no equivalent to
APP 1(4)(f) and (g), and no equivalent at all to APP 8, both
concerning overseas transfers.[1]
The committee has discussed cross border disclosure in chapter 3 of this
report.
6.7
Experian submitted that the Subdivision places a number of excessively
onerous standards on credit reporting agencies, for example the obligation in subsection
105(2) for the agency to have in place policies, procedures and systems that
'will ensure' that the agency complies with Division 2 of the Exposure Draft
and the Credit Reporting Code. Experian commented that 'this drafting suggests
that if there were an isolated incident of non-compliance with either Division
2 or the Code, there may be an argument that the agency's entire systems have
not met this standard, given that these systems did not ensure such compliance
in relation to the isolated incident'. Experian submitted that a credit
reporting agency should be obliged to maintain policies, procedures and systems
that 'are designed/intended to ensure' compliance with Division 2 and the Code.[2]
6.8
Subsections 105(3) and (4) provide for the policy about the management
of credit reporting information held by a credit reporting agency. The AFC
stated that the prescriptive approach taken to mandating the contents of a
privacy policy under subsection 105(4) appears to be at odds with the objective
of high-level principles. The AFC recommended that subsection 105(4) be omitted
and that the Australian Information Commissioner provide guidance on the
content of privacy policies.[3]
Committee comment
6.9
In relation to Experian's comments that onerous standards are being
placed on credit reporting agencies, the committee considers that this is not
the case. The obligations to ensure that credit reporting information is
managed appropriately must reflect the wider range of information being
collected, used and disclosed and the potential damage to individuals that may be
caused through mismanagement of that information. The committee notes the
concerns with subsection 105(2) in regard to the obligation that the agency
have in place policies, procedures and systems that 'will ensure' that it
complies with Division 2. This provision reflects the 'will ensure' formula in
APP 1. In its first report on the Exposure Draft of Australian Privacy
Amendment Legislation, the committee noted the comments of the Department of
the Prime Minister and Cabinet (the department) which stated, in relation to
APP 1, that:
It was the Government's intention for the compliance
standards on agencies and organisations to be sufficiently high to enhance
privacy protections. The 'will ensure' obligation was included so that privacy
protections are built into the design of an entity's system and not 'bolted on'
afterwards.[4]
6.10
The committee supports this approach.
6.11
The committee received comments during the first part of its inquiry
into the Exposure Draft of Australian Privacy Amendment Legislation regarding the
prescriptive approach taken regarding privacy policies in APP 1.[5]
The committee concluded that the benefits to transparency and overall
compliance with the privacy principles outweighed concerns about compromising
the aim of high-level principles. The committee maintains this view and
supports the inclusion of matters to be addressed by privacy policies regarding
credit reporting information in the new Privacy Act.
Subdivision C – Collection of credit information
6.12
Subdivision C prohibits credit reporting agencies from collecting credit
reporting information about an individual except in certain circumstances
including that the information is collected from a credit provider which is
permitted by the Act to disclose the information or is collected from an entity
other than a credit provider in the course of carrying on a credit reporting
business and the information relates to an individual who is at least 18 years
old. The subdivision also implements obligations in dealing with unsolicited
credit information.
6.13
The provisions of paragraphs 106(4)(c) and (d) concern persons under 18 years
of age, that is, collection is prohibited unless:
- the credit reporting agency knows, or believes on reasonable
grounds, that the individual is at least 18 years of age; and
- the information does not relate to an act, omission, matter or
thing that occurred or existed before the individual turned 18. (See also
subsection 132.)
6.14
The Law Institute Victoria (LIV) submitted that subsection 106(6)
relating to the exception for credit liability information attained prior to an
individual turning 18 years of age, should be clarified so that it is
apparent whether this concerns only details of contracts or if it extends also
to defaults or payments prior to turning 18.[6]
6.15
Experian commented on the requirement in subsection 106(7) that credit
reporting agencies only collect credit information 'by lawful and fair means'. Experian
commented that it is not clear what the addition of a standard of fairness is
intended to achieve in this context, or how the means of collecting information
by a credit agency would be assessed as fair or unfair. As credit reporting
agencies generally collect credit information from credit providers and do not
have relationships with the individuals to whom the data relates, 'it is
unclear whether the standard of fairness under section 106(7) should be
measured as between the agency and the credit provider, or as between the
agency and individual data subjects'. Experian went on to state that in
relation to credit providers, it is difficult to see why the contractual
arrangements between commercial parties (many of whom are large and
sophisticated) would need to be subject to a legislative standard of fairness. In
relation to individual consumers, Experian considered that the existing
consumer access, correction and dispute resolution rights under the Exposure
Draft provisions achieve a fair outcome for consumers in relation to how credit
reporting agencies handle, use and disclose their credit information. Experian
concluded:
...that no additional policy objectives would be served by
the additional imposition of a vague legislative standard of fairness relating
to data collection.[7]
Committee comment
6.16
In relation to comments about subsection 106(7) that credit reporting
agencies only collect credit information 'by lawful and fair means', the
committee notes that this provision directly reflects APP 3(4). The 'by
lawful and fair means' provisions are included in both Information Privacy
Principle 1 and National Privacy Principle 1. The Privacy Commissioner has provided
guidance in relation to this obligation and the committee would expect that
similar guidance will be provided in relation to the credit reporting
provisions.
Subdivision D – Dealing with credit reporting information etc
6.17
Subdivision D provides for permitted uses and disclosures of credit
reporting information. The use or disclosure of credit reporting information
for direct marketing is expressly prohibited except for pre-screening in
certain circumstances. The subdivision also provides for:
- the use, disclosure and destruction of pre-screening
determinations;
- the implementation of a ban on use or disclosure of credit reporting
information where an individual believes on reasonable grounds that they have
been, or are likely to be, a victim of fraud;
- prohibition on the adoption of government identifiers as the
identifier of an individual; and
- the use and disclosure of de-identified information.
Section 108 – Use and disclosure of credit reporting information
6.18
Section 108 provides for the permitted uses and disclosures of credit
reporting information held by a credit reporting agency. It expressly prohibits
use or disclosure of credit reporting information for direct marketing.
6.19
The APF supported the additional restrictions on disclosure contained in
subsections 108(3) to (5), compared to the equivalent APP 8, as these are
justified for the 'privileged' credit reporting regime. However, the APF noted
that paragraphs 108(2)(c) and (3)(f) provide for additional uses and
disclosures if prescribed by the regulations. The APF questioned why these two
provisions have been included as the necessary uses and disclosures have been thoroughly
canvassed during the ALRC and subsequent consultation processes and it should
be possible for the legislation to contain a definitive list.[8]
In addition, the APF noted that paragraph 108(3)(d) provides for the right to
disclose information to an enforcement body if that body believes that the
individual has committed a serious credit infringement. The APF commented that
this 'illustrates the problem...of merging the lender's opinion in relation to
fraud with an opinion about the borrower's intentions based on failure to
respond to correspondence etc'. The APF stated that paragraph 108(3)(d)(ii)
should refer to the enforcement body being satisfied that the individual has
committed 'fraud'.[9]
6.20
Subsection 108(5) requires that the credit reporting agency make a
written note of a disclosure made under section 108. Subsection 110(7) provides
for the same requirement in relation to use of credit reporting information for
pre-screening. The APF submitted that it is unclear as to how this would be
implemented in electronic records and/or automated systems and questioned the
value of such a requirement as it is unclear who will access the notes.
However, the APF considered that these notes/records should be included in an
individual's credit report so that the individual can access them, and if
necessary challenge them. The APF saw this as being particularly important in
relation to disclosure for pre-screening.[10]
6.21
The LIV also commented on the use of written notes and stated that
credit reporting agencies should be required to notify the individual when a
written note is made of a disclosure under subsections 108(5) and 110(7) as:
- the requirement of documenting
uses and disclosures is of little consequence unless the individual knows that
these uses and disclosures are occurring. Individuals should be provided with
more knowledge, and therefore control, over the use and disclosure of their
information
- without knowledge of disclosures,
it would be difficult if not impossible to enforce. For example, the prohibition
on use and disclosure of false or misleading credit reporting information in
clause 117 or the ability to make requests under sub-clause 110(5).[11]
6.22
Experian submitted that an additional use and disclosure of credit
reporting information should be allowed. Experian stated that the Combating the
Financing of People Smuggling and Other Measures Bill 2011 had been introduced
to reform anti-money laundering and privacy legislation. The reforms will allow
businesses regulated under the Anti-Money Laundering and Counter-Terrorism
Financing Act 2006 (the AML/CTF Act) to more effectively and efficiently
verify the identity of their customers. The reforms enable reporting entities under
the AML/CTF Act to use credit reporting data to verify the identity of their
customers, and introduce a number of privacy safeguards to ensure information
is only used for the purpose of verifying identity.
6.23
Experian noted that the Legal and Constitutional Affairs Legislation Committee
in its report on the Bill recommended that the Bill be passed subject to
further investigation of options for introducing 'an appropriate oversight
mechanism to monitor the handling of credit information for the electronic
verification of identity pursuant to the Bill'.[12]
Experian stated that it is supportive of the principle that credit reporting
agencies should be allowed to use and disclose credit reporting information for
the purposes of identity verification under the AML/CTF Act and awaits the
introduction of this legislation.[13]
Section 109 – Permitted CRA disclosures in relation to individuals
6.24
Section 109 lists permitted credit reporting agency disclosures with
related conditions. Section 136 similarly provides for permitted credit
provider uses in relation to individuals.
6.25
The AFC commented that the intention of these two sections is to permit
a credit provider to request disclosure, or a credit reporting agency to
disclose credit reporting information to a credit provider, for internal
management purposes of the credit provider that are directly related to the
provision or management of consumer credit by the credit report. However, the disclosure
by the credit reporting agency is on the basis of assessing an application for consumer
credit – as covered by the first limb of the definition of consumer credit
related purpose. The AFC submitted that it was concerned that 'these two components
do not align given the first, namely the management of account, could occur at
any time including after an application has been assessed and before the
consumer credit is terminated yet the permitted disclosure arguably is limited
to the initial assessment process'. The AFC commented that this may reflect a similar
anomaly in the current Privacy Act credit reporting provisions and suggested
that the revision may provide an appropriate opportunity to resolve this
anomaly.[14]
6.26
The Consumer Credit Law Centre NSW (CCLC) commented on Item 5 of the
permitted CRA disclosures which provides for credit reporting agencies to give any
current credit providers default and payment information they have held for at
least 30 days. The CCLC submitted that this information should not be
disclosed at all as the potential harm that could arise from this disclosure
outweighs the potential benefit. While section 136, Item 5 limits credit
providers to using the information for 'the purpose of assisting the individual
to avoid defaulting on his or her obligations in relation to consumer credit
provided by the provider to the individual', the CCLC submitted that 'this
could be interpreted very broadly, and once the disclosure is permitted, then
its use may be difficult to monitor in practice'. The CCLC concluded:
As a general rule, a person who is not in default on a
contract should be permitted to continue with that contract until such time as
it is paid, or they initiate an application for a hardship variation or
otherwise seek to vary the contract. While some CPs have attempted to identify
consumers at risk of hardship and take pro-active steps to work with those
consumers, such measures should be offered and accepted on a voluntary basis.
CCLC submits that default information should not be available to existing
creditors unless it is for the purpose of credit assessment as a result of an
application to increase the limit on an existing facility, or open additional
facility with the same CP (in other words as already covered under item 1 of
the Table in Section 109).[15]
Sections 110, 111, 112 – Credit reporting information for direct marketing including pre-screening
6.27
The ALRC recommended that the use or disclosure of credit reporting
information for the purpose of direct marketing, including the pre-screening of
direct marketing lists, should be prohibited (Recommendation 57–3). The
Government did not accept the recommendation in full and indicated that the use
or disclosure of credit reporting information for the purposes of pre-screening
should be expressly permitted, but only for the purpose of excluding adverse
credit risks from marketing lists.[16]
6.28
The ALRC noted that this was one of two significant aspects in which the
Exposure Draft differed from the approach recommended in its review. The ALRC
commented that while encouraging responsible lending may be one rationale for
permitting pre-screening, there was a risk that pre-screening may be used as a
'half-measure' in assessing capacity to pay rather than a fuller inquiry. The
ALRC also noted the concerns of consumer groups that pre-screening, by facilitating
direct marketing of credit to individuals who have not applied for or expressed
an interest in obtaining credit, will result in the granting of excessive
amounts of credit. It was suggested, for example, that pre-screening may
encourage the offering of 'pre-approved' loans or increased credit limits.[17]
6.29
The ALRC was of the view that pre-screening has the potential to facilitate
more aggressive marketing of credit and, as it is a tool that may be used by
credit providers in different ways, it will not automatically result in more
responsible lending practices. The ALRC added that 'to ensure that
pre-screening does promote responsible lending would require the enforcement of
detailed rules relating to the criteria on which pre-screening may take place'.
6.30
The ALRC also pointed to the views of stakeholders that using credit
reporting information in direct marketing more generally should be prohibited
and commented that it is artificial to distinguish between 'selecting in' direct
marketing prospects (that is, by using credit reporting information to generate
a list) and 'selecting out' (that is, by pre-screening an existing list, in the
way anticipated by the Exposure Draft). The ALRC concluded:
...that while pre-screening provides clear commercial
advantages for credit providers through the better targeting of marketing, such
commercial advantages do not outweigh the privacy and consumer protection
concerns raised by pre-screening, and it should not be permitted.[18]
6.31
Consumer advocates did not support the inclusion of pre-screening in the
credit reporting system. The LIV commented that credit reporting allows
entities the use of credit information they would not otherwise have access to.
Credit providers could 'pool' the information they collect through a credit
reporting agency and use this to help identify potential customers. The LIV did
not consider that the pool information should be used by credit reporting
agencies for profit: information for one legitimate purpose should not then be
sold and used for purposes which are beneficial to companies without the
consent of individuals.[19]
6.32
The Consumer Action Law Centre (Consumer Action) was also of the view
that pre-screening has no benefit, 'except that it allows credit providers to
market their products more aggressively'.[20]
Consumer Action commented:
We understand why industry wants to use credit reporting
information to pre-screen marketing offers. With direct marketing costing
billions of dollars each year, all types of businesses would like to be able to
better target their direct marketing campaigns to consumers who are more likely
to take up the offers and be profitable to the business. In most cases the
Government doesn't allow access to otherwise protected personal information for
this purpose.
However, the credit industry has argued that pre-screening is
an aid to responsible lending, but the argument is nonsense...
We don't accept that sending marketing material to some
individuals who may later be rejected for credit is a risk to responsible
lending – although we accept that it may reduce the effectiveness of a
marketing campaign.
In fact, we believe that being able to better target
consumers for direct marketing (where there is a greater chance that applicants
will be approved) can enable credit providers to be more aggressive with their
marketing message.[21]
6.33
Ms Karen Cox, Consumer Credit Legal Centre NSW (CCLC), also did not
support the inclusion of pre-screening and stated:
We would rather that they did not do pre-screening at all.
The reason for that is simply that it makes them feel safer about using that as
a marketing strategy, whereas we would rather that people applied for credit
than having been selectively marketed to. Therefore we oppose any tool that
allows them to better direct that marketing, because we do not think it is an
appropriate way of approaching people. We think that people are well aware of
the availability of credit, that most credit providers have a lot of general
marketing out there and that you do not need the personalised marketing that
that sort of tool [facilitates]. We have seen a lot of people over the years
who have been lured into borrowing far more than they can through that type of
personalised marketing.[22]
6.34
While Consumer Action recommended that pre-screening be prohibited, in
the event that this did not occur, Consumer Action sought tighter restrictions
on pre-screening so that credit providers cannot choose information to profile
the customers to be used in each specific marketing campaign. Consumer Action
recommended that pre-screening be limited to only exclude consumers where their
credit file contains bankruptcy, court judgments, serious credit infringements
and/or defaults. In addition, Consumer Action recommended that:
- either subsections 110(2) and 110(3) be amended to prevent
pre-screening being used to select individuals on the basis that those
individuals have defaults; and
- subsection 110(2) be amended to be clear that certain identifying
information cannot be used for the purposes of selecting who will receive
marketing information.[23]
6.35
The APF described section 110 as 'oddly constructed' and commented that
it needed to be carefully reviewed to ensure that it did not allow too wide a
use. The APF went on to state that pre-screening could easily be 'reverse
engineered' to have the practical effect of targeted marketing of credit, which
was not supported by the Government. The APF commented:
As worded, s.110(2) actually confirms that pre-screening is a
form of direct marketing – the opposite of the policy intention. We note that
pre-screening can't use repayment history or liability information. We assume
that identifying information – gender, date of birth, prior addresses – can be
accessed for pre-screening in order to identify the individuals to be removed
from the list. However, it should be clear that this information can't be used
for the pre-screening process itself.[24]
6.36
The APF went on to state that given the limited amount of data that can
be used in pre-screening, it appears that in allowing credit providers to determine
the eligibility requirements, some credit providers may only choose to exclude
people with no defaults; more than one default etc. The APF stated that if
pre-screening is to allow offers to be made to consumers who have defaults, it
questioned the benefits (if any) of pre-screening in contributing to
responsible lending.[25]
6.37
CCLC also commented on the information to be used for pre-screening
purposes and submitted that rather than the legislation excluding the types of
information that can be used, it would be preferable for the legislation to
carefully define the pieces of information that can be used for pre-screening.
That information should be limited to default information, court proceedings
information and personal insolvency information.[26]
The CCLC concluded that identifying information should be used only for the
purpose of identifying the person, not for setting pre-screening criteria. CCLC
also stated that pre-screening should only be permitted for screening people
out as some fringe players target those with negative indicators 'with a view
to extracting exorbitant fees and charges from borrowers in desperate
situations'.[27]
6.38
Finance industry stakeholders supported the inclusion of the
pre-screening provisions to exclude credit risks from marketing lists. The
Australian Finance Conference (AFC) stated that 'the formal acknowledgement of
this process should provide compliance comfort. The ability to utilise the
process will continue to enhance the responsible lending practices of our
Members.'[28]
Experian also supported the inclusion of this provision as it argued that it
will allow credit providers to 'reduce the volume of their direct marketing
campaigns and reduce the likelihood that persons to whom additional credit
should not be extended will not be targeted with further offers of credit'.[29]
6.39
Mr Carlo Cataldo, ARCA, noted that ARCA members supported pre-screening
and stated:
There is one area that pretty much all stakeholders agree on,
including ARCA members and others, and that is that this information is not to
be used for marketing purposes, and only for credit-related purposes, whether
that be fraud or responsible lending or avoiding over-commitment. We would
refer to the UK example, where there is no direct marketing allowed, but in the
circumstances where credit providers would be accessing marketing lists, they
would have the ability to wash that, or ensure that consumers who would not
meet their credit, or not be likely meet their credit obligations, that is
passed by the bureau. That is commonly known as 'pre-screening', and as part of
our submission we would certainly support pre-screening to be part of the
allowable uses going forward.[30]
Opt out provisions
6.40
Subsection 110(5) provides an option for individuals to opt out of
pre-screening activities. The ABA commented that this provision was
inconsistent with proposed credit card reforms which provide for an express opt
in to receive credit limit increase invitations as defined in the National
Consumer Credit Protection (Home Loans and Credit Cards) Act 2011. The ABA
went on to comment that:
From best practice regulation and compliance systems
perspectives it is undesirable to have a different approach and compliance
practice for one form of credit product (i.e. credit cards) with respect to
direct marketing and another for other credit products. A customer might opt
out of the pre-screening process but opt in to receive credit limit increase
invitations only to be disregarded in a credit card marketing exercise on the very
aspect the customer has sought to be included. This could include a customer with
a questionable credit history seeing an opportunity to stay on a credit
marketing list and avoid a pre-screening process by opting out of pre-screening
but opting in to receive credit card limit increase invitations.
Of course, by the consumer not opting out of pre-screening it
would be necessary for the customer to opt in to receive credit limit increase
invitations.[31]
6.41
The ABA concluded that it would be better, in the interests of
consistency in the law and customer experience, for the customer who has not
opted out of pre-screening to be treated as willing to receive credit card
limit increase invitations (as ultimately defined in the National Consumer
Credit Protection (Home Loans and Credit Cards) Act).[32]
6.42
The APF also commented on the opt out provision and stated that it will not
work well as there is no direct relationship/contact between the individual and
a credit reporting agency. The APF argued that it is 'unrealistic' to rely on
individuals 'finding' a credit reporting agency to opt out. Rather, individuals
must be given the opportunity via their direct relationship with a credit provider.
The APF submitted that as subsection 110(2) purports to regulate pre-screening
by a credit reporting agency on behalf of a credit provider, an obligation to
offer an opt out from pre-screening should therefore be included in Part A
Division 3 (Credit providers).[33]
6.43
The LIV commented that, while it did not support the pre-screening
provisions, if they were retained it should reflect the APPs by requiring
credit reporting agencies to provide a 'simple means' by which an individual
can request to opt out. The LIV suggested that when a 'pre-approval' letter is
sent under the branding of a credit provider, it should clearly identify the
credit reporting agency to which a request not to use the information should be
sent and explain the process for making such a request.[34]
6.44
ARCA noted that section 112 provides for the destruction of
pre-screening determinations while pursuant to section 111(3) a credit
reporting agency must make a written note of any disclosure of a pre-screening
determination. This requires keeping a record of pre-screening determinations.
ARCA recommended that to avoid contradiction, and in order to facilitate
auditing of the pre-screening process, the records should be kept for at least
some period of time, even if they are legally deemed no longer useable for any
other purpose.[35]
Section 115 – Use and disclosure of de-identified information
6.45
A number of submitters raised concerns with the provisions relating to
de-identified information. Section 115 of the Exposure Draft prohibits the use
of de-identified information possessed or controlled by a credit reporting
agency except if the use is for research purposes in relation to the assessment
of the credit worthiness of individuals and the credit reporting agency
complies with any Australian Privacy Rules made by the Australian Information
Commissioner. Subsection 115(4) lists some of the specific matters the rules
may relate to including:
- the kinds of de-identified information that may or may not be
used for the purposes of conducting research;
- whether or not the research is research in relation to the
assessment of the credit worthiness of individuals;
- the purposes of conducting the research; and
- how the research is conducted.
6.46
Section 180 defines de-identified information as 'credit information
that is no longer personal information'.
6.47
The APF considered that there is too much discretion in the wording of
this section as the Information Commissioner 'may make' Rules and suggested
that there should be an obligation on the Information Commissioner.[36]
6.48
The LIV considered that credit reporting agencies should not be able to
charge for de-identified information. While allowing information to be used for
the purpose of research provides a public benefit, credit reporting agencies
should not use information for their financial benefit.[37]
6.49
However, industry submitters did not support the regulation of
de-identified information.[38]
ARCA, for example, commented:
The approach taken to the regulation of de-identified data is
an example of this attempt to so prescriptively regulate one aspect of
Australia's information economy, without considering the principles for which
it is being regulated. Restricting the uses of de-identified data through the Privacy
Act is an unusual approach to information management, particularly as this data
is no longer 'private' information.[39]
6.50
The ANZ Bank similarly stated that 'if the information is not about an
individual there is no apparent role for the Privacy Act as there is no
possibility of the information being used to the detriment of an individual'.[40]
6.51
Submitters also considered that restrictions on de-identified
information would restrict research and development of innovative, new risk
assessment tools, as any use of such data to develop these new tools would need
to be approved in advance by the regulator on the basis of the research being
in the public good.[41]
The NAB argued that this requirement would impose 'a challenge to build the
case before the analysis is actually undertaken'.[42]
6.52
The NAB and ARCA concluded that the inclusion of these provisions would
place new, complex obligations on credit reporting agencies and involve significant
administrative costs. The NAB also commented that there would be no discernable
consumer benefit and opportunities for product innovation and better and more
targeted risk assessment to promote responsible lending would be lost. The NAB
and ARCA called for these provisions to be removed.[43]
6.53
The ANZ Bank noted that credit providers currently use de-identified
information to develop and maintain credit scorecards. The ANZ Bank stated that
scorecards are vital tools in assessing credit applications, identifying high
risk credit exposures and helping ensure that a credit provider lends
responsibly. Thus limiting use of de-identified information will result in
credit providers being unable to refine and improve their credit risk
assessments.[44]
6.54
Experian was also of the view that de-identified information should not
be regulated under the Privacy Act or that any consumer protection policies
would be served by the imposition of the restrictions proposed under section
115. Experian went on to state that the 'imposition of such restrictions would
potentially impair the ability of CRAs and credit providers to undertake
appropriate statistical analysis in order to develop better credit information
services and better risk assessment tools that enhance responsible lending
practices'.[45]
6.55
Dun & Bradstreet commented that section 115 appears to allow the use
of data for research related purposes 'but is ambiguous about the permissible
outcome or purpose of that research'. Dun & Bradstreet were therefore
concerned that there may be some uncertainty about the lawfulness of what is
regular practice by credit reporting agencies. Dun & Bradstreet concluded:
Given the centrality of CRAs to the removal of information
asymmetries in the credit assessment and management process any ambiguity about
the lawfulness of such practices should be removed. Accordingly, Dun & Bradstreet believes section 115 should be removed from the Exposure Draft
Bill.[46]
6.56
The OAIC noted that 'this approach is the first time that the Privacy
Act would regulate the use of de-identified information' as such information
ordinarily falls outside the Privacy Act's coverage. The OAIC went on to note
that, generally, using de-identified information for research is potentially
less privacy-invasive than using identified information provided that it is
adequately protected from being used to re-identify individuals and that
individuals are informed, when practicable, that their information may be
de-identified and used for research purposes.
6.57
The OAIC pointed to a number of matters in relation to section 115:
- use of de-identified information is permitted but not disclosure;
this may require credit reporting agencies to conduct research in-house, rather
than using research firms or specialists, and may also prevent disclosing
de-identified information to other parties, such as consumer groups or legal
centres which do their own research or to the OAIC itself; and
- paragraph 115(2)(b) should clarify whether the rules to be issued
by the OAIC must be in place before any research is permitted as the term 'any
Australian Privacy Rules' would not prevent research occurring prior to rules
being developed. The word 'any' is not used in existing research
provisions in the Privacy Act; rather, the formulation that research can proceed
'in accordance with binding' guidelines is used.[47]
Committee comment
6.58
The Government accepted in part the ALRC's recommendation in relation to
direct marketing. The Government stated that pre-screening should be allowed:
The Government acknowledges the ALRC's views on the use or
disclosure of credit reporting information for the purpose of pre-screening
direct marketing lists. However, the Government considers that, on balance, the
use or disclosure of credit reporting information for the purposes of
pre-screening should be expressly permitted, but only for the purpose of
excluding adverse credit risks from marketing lists.[48]
6.59
The Government Response indicated that specific requirements would be
put in place for pre-screening and that adequate evidence must be maintained to
show compliance with the requirements.[49]
6.60
The committee has considered the comments provided by consumer advocates
and acknowledges their concerns about the use of pre-screening. The committee
considers that some of these concerns will be addressed through the Credit
Reporting Code of Conduct or by guidance from the Information Commissioner.
However, the committee considers that consideration should be given to opt in
provisions rather than opt out provisions in relation to pre-screening
activities. In this regard, the committee has noted the comments of the ABA
concerning consistency with the National Consumer Credit Protection (Home
Loans and Credit Cards) Act 2011. The committee considers that the opt out
should be reviewed to ensure consistency of approach across the credit
regulatory regime.
Recommendation 15
6.61 The committee recommends that the opt out provisions in section 110 be
reviewed to ensure consistency with other consumer credit regulatory regimes.
6.62
In relation to de-identified information, the committee considers that
it is appropriate that this information is regulated. The ALRC noted that
credit information is used by credit reporting agencies for research purposes.[50]
The use of this information for research or other purposes is a secondary use
of the credit reporting information. The ALRC also recommended (Recommendation
57–2) that there should be a general provision permitting secondary uses of
credit reporting information. The Government did not accept this
recommendation. The Government's view was that permitted secondary uses should
be expressly prescribed in the legislation, and no other secondary uses should
be permitted. The Government stated:
The Government does not support the ALRC's recommendation as
it would allow credit reporting information to be used and disclosed for a
number of unknown purposes. This in turn would significantly reduce the value
of the credit reporting provisions to promote transparency and consistency for
individuals concerning appropriate uses and disclosures of credit reporting
information. In effect, the ALRC’s recommendation would be contrary to the
requirement to have defined uses and disclosures as outlined in recommendation
57–1 and would undermine the purpose of having specific provisions which operate
in addition to the general 'use and disclosure' principle. While the ALRC
proposed to limit the discretion in relation to secondary uses and disclosures
by specifically defining the primary purpose, the Government is not convinced
that greater use or disclosure of credit reporting information should be
subject to a broad discretion exercised by credit providers or credit reporting
agencies.[51]
6.63
However, the Government recognised that research was a legitimate
secondary use. It was further considered that research should only be conducted
on de-identified information.
6.64
While some submissions have argued that the de-identified information is
no longer personal information and so should not be regulated, the committee
does not support this view. The committee considers that it is appropriate that
secondary uses of credit reporting information should be identified and
regulated, not left to a general test. However, the committee has noted the
comments of the OAIC and considers that these two matters should be addressed.
Recommendation 16
6.65 The committee recommends that section 115 be reviewed in light of the
Office of the Australian Information Commissioner's comments relating to
disclosure of de-identified information and the rules to be issued.
Subdivision E – Integrity of credit reporting information
6.66
Subdivision E provides that credit reporting agencies must take such
steps as are reasonable in the circumstances to ensure that the credit
information it collects, uses and discloses is accurate, up-to-date and
complete as well as relevant when used or disclosed. Credit reporting agencies
must also take steps to ensure the security of credit reporting information.
Section 116 – Quality of credit reporting information
6.67
Section 116 provides, in part, for credit reporting agencies to enter
into agreements with credit providers that require the provider to ensure that information
disclosed is accurate, up-to-date and complete. Section 118 similarly provides
for security of information. Dun & Bradstreet noted that data quality is
integral to the operations of a credit reporting agency and they 'have a direct
commercial interest in maintaining the highest levels of data quality and
therefore are an appropriate entity to ensure the required standards are
understood and adhered to through its contractual agreements with customers'.
Thus the provisions requiring credit reporting agencies to ensure data quality
will enhance the capacity of credit reporting agencies to ensure credit providers
maintain high standards of quality and security.[52]
6.68
Westpac, however, did not support the requirements of sections 116 and 118
and commented:
We think it is very unusual for legislation to prescribe the
specific steps that an entity must take to ensure compliance with such a broad
obligation.[53]
6.69
Westpac went on to state that paragraphs 116(3)(a) and 118(2)(a) require
higher standards than APP 10. In relation to paragraph 116(3)(a), the
contract between credit reporting agencies and credit providers must 'ensure
credit information is...' rather than reflecting APP 10 ('take such steps
(if any) as are reasonable in the circumstances to ensure the personal
information is...'). Similarly, paragraph 118(2)(a) requires the contract to 'protect
credit reporting information' rather than reflecting APP 10 ('take such
steps as are reasonable in the circumstances to protect the information').
Westpac argued that:
A credit provider should only be required to meet the
standards set out in the APPs. It is unable to warrant to third parties that
all information is accurate, up-to-date, and complete as it can only make best
endeavours to ensure this is the case. Furthermore to audit the agreements an
independent person would need access to the credit reporting agency
information. For completeness this should be captured as a 'Permitted CRA
disclosure'.[54]
6.70
ARCA commented that it did not consider that sections 116 and 118 'alone
are adequate to properly ensure compliance with quality and security
requirements desired for credit information'. ARCA argued that data quality and
data security are fundamental components of the credit reporting system but
that compliance is placed within the context of a contractual matter between
credit reporting agencies and credit providers. ARCA was of the view that this
required credit reporting agencies to police their own customers, and considered
that it was not in the interests of either credit reporting agencies or credit
providers for credit reporting agencies to be held solely responsible for this
compliance function. Rather, ARCA recommended that:
Compliance with data quality and data security measures be
included in the proposed Code of Conduct, rather than solely relying on
contracts between CRAs and Credit Providers.[55]
6.71
Veda Advantage submitted that it would be desirable, for compliance
purposes, to expressly state (as part of section 116) that a credit reporting
business is responsible for compliance with the applicable data standards and
must have systems or arrangements in place to facilitate such compliance. Express
obligations are provided for credit providers in respect of accuracy of credit
eligibility information (sections 143 and 144); however, Veda noted that there
are no corresponding credit provider obligations in respect of credit information.
Veda submitted that it would be desirable to mirror these obligations that
would potentially apply to similar types of personal information and thus avoid
confusion, assist with compliance and align the responsibilities as proposed in
section 116. Veda concluded that:
- the scope of section 116 be expanded to include the additional
responsibilities or powers; and
- responsibility for accuracy of credit information and credit
eligibility information is aligned.[56]
6.72
Dun & Bradstreet also submitted that independent audits and reviews
are appropriate as access to large volumes of personal information imposes a
higher standard of responsibility upon commercial entities than may normally be
the case. Dun & Bradstreet noted that under the current Privacy Act audits
are to be conducted by the Office of the Privacy Commissioner. Dun &
Bradstreet suggested that this should remain with the Office of the Australian Information
Commissioner under both paragraphs 116(3)(b) and 118(2)(b) of the new Privacy
Act.[57]
6.73
However, Experian submitted that the imposition of specific obligations
on credit reporting agencies to obtain regular audits of agreements would be an
excessive and costly compliance burden on credit reporting agencies. In
addition, there are obligations already embodied in a non-prescriptive form in
the general obligation imposed under subsection 116(1), which requires credit
reporting agencies to take reasonable steps to ensure that the information collected
is 'accurate, up-to-date and complete'.
6.74
Experian suggested that it was not appropriate for particular controls
to be prescribed in the provisions. Rather, credit reporting agencies should
only be required to have reasonable systems and controls in place, and to
undertake reasonable monitoring and audit of those systems in a manner that is
consistent with their general obligations under section 116(1). Guidance notes
issued by the Australian Information Commissioner could outline specific regulatory
expectations regarding the auditing of these systems.[58]
6.75
If subsection 116(3) were to be retained, Experian submitted that the
formulation of these obligations requires further clarification:
- the meaning of 'regular' independent audits should be made clear;
and
- materiality thresholds should be imposed upon the scope of the
auditor's role and the responsibility of a credit reporting agency to identify
and deal with suspected breaches. For example, the auditor's role should be
confined to considering significant instances of non-compliance or unusual
credit provider activity identified by the credit reporting agency's internal
systems and controls, and whether there is evidence of any material systemic
weaknesses in those controls.[59]
Committee comment
6.76
The committee considers the requirement for credit reporting
agencies to enter into agreements to be an appropriate mechanism to ensure quality
and security of credit reporting information. Given the access to five new data
sets, the committee considers that a higher standard should be provided for in
the credit reporting regime. In relation to independent audits of agreements,
the committee considers that the responsibility and cost should be borne by the
industry as industry reaps the benefit of quality data and should ensure
appropriate security of data. Matters where clarity is required, such as the
meaning of 'regular', should be addressed either by the OAIC or in the Credit
Reporting Code of Conduct.
Subdivision F – Access to, and correction of, information
6.77
Subdivision F provides for access to, and correction of, credit reporting
information. The subdivision provides for the manner of dealing with requests,
means of access, charges for access and refusals to give access. A credit
reporting agency is obliged to correct information if the agency is satisfied
that it is not accurate, up-to-date, complete and relevant. Individuals may
request corrections to certain types of information held by a credit reporting
agency.
Section 119 – Access to credit reporting information
6.78
Section 119 provides for access to credit reporting information.
Subsection 119(1) introduces the new concept of 'access seeker'. The APF
commented that this is a valuable new concept. The APF also noted that there
are very limited exceptions (subsection 119(2)), compared to APP 12. This,
the APF stated, is appropriate in a credit reporting context.[60]
6.79
The joint submission from privacy and consumer organisations commented
on the importance of ensuring that consumers have access to their credit
reports as more information will be collected, including repayment histories. Subsection
119(5) proposes that an access seeker be provided with credit reporting
information with no charge once every 12 months. A credit provider may charge
for all other instances of access, but the charge must not be excessive
(subsection 119(6)). Submitters argued that only one free request per year is
too restrictive, particularly in the case when requests are associated with
dispute resolution etc.[61]
The NAB also commented that the provision appears to reduce an individual's
access rights as under the current Privacy Act an individual can pay to receive
a copy of their credit report within 24 hours. However, subsection 119(3)
only refers to a reasonable period, but not longer than 10 days.[62]
6.80
The joint submission went further and stated that:
The starting point should be that consumers have the right to
access one free copy of their credit report at least once a year, with a 24
hour turnaround or when involved in a dispute. Consumers should be able to
apply for such a report online, by mail or fax.[63]
6.81
Dun & Bradstreet considered that the provisions make it more
difficult and cumbersome for a consumer to obtain a copy of their credit
report, particularly if more than one copy is sought per year. Dun &
Bradstreet noted that the current provisions allow for multiple requests during
a twelve month period without a fee if that request is fulfilled within a ten day
period. Dun & Bradstreet concluded:
The new provisions would limit an individual's access to
their personal credit report without incurring a fee to just one occasion per
year. Such an outcome is likely to limit consumers' ongoing interaction with
their personal credit report and would seem contrary to efforts to improve
consumer literacy about credit reports and their role in the credit process.[64]
6.82
The joint submission noted that while the current Privacy Act provides
for free access to credit reports, credit reporting agencies are currently charging
fees for fast turnaround copies and do not provide consumers with the same
level of information about accessing free reports. In the case of Veda
Advantage, information about free reports is provided 'in the fine print at the
bottom of the web page' and applications must be made by mail. The submission
stated that the processes for Dun & Bradstreet are more straightforward for
consumers who want to get a free report. The joint submission concluded:
In short, neither the current legislative framework [nor]
that proposed in the Exposure Draft Bill builds in an incentive for credit
reporting agencies to reduce barriers to consumers accessing free copy of their
credit report. Instead there are incentives to make it both difficult to find
out about the free report and then difficult to apply for it.[65]
6.83
The joint submission also recommended that the Exposure Draft include an
obligation to promote the right of access to a free credit report (at least at
the same level as any service incurring a fee) and impose an obligation to make
the process as simple as possible for consumers.[66]
6.84
The joint submission submitted that, rather than the term 'not
excessive', credit providers should only be able to charge a 'reasonable fee'. The
joint submission noted that the fees currently charged for fast turnaround
reports were $41.95 (Veda Advantage) and $30 (Dun & Bradstreet). The joint
submission viewed these as excessive 'for what appears to be an electronic
process'. It was noted that as a third credit reporting agency has entered the
market, if a consumer needs a report urgently, they may have to pay a fee to
all three.[67]
6.85
Other submitters suggested that the charge be levelled at no more than
the actual cost incurred by the credit reporting agency in providing the
information.[68]
The LIV went further and stated that charging for access should be prohibited.
The LIV noted that credit reporting agencies rely on individuals' credit
information for their business. As the ultimate 'suppliers' of that
information, individuals should have access to that information whenever they
want without charge. Further, greater access by consumers is one way of
ensuring compliance with the requirements on credit reporting agencies under
the credit reporting system.[69]
Committee comment
6.86
The committee notes that the Exposure Draft now provides for a clear
right for individuals to access one free credit report per year. While the
Exposure Draft provides for only one free credit report, the committee
considers that this is a minimum requirement. If credit reporting agencies
decided to provide more than one free credit report per year, the committee
considers this is a business decision for the agency to make. However, the
committee is concerned that the same level of information is not provided for accessing
free reports and those reports that attract a charge. The committee considers
that the same level of information and prominence should apply to both.
Recommendation 17
6.87 The committee recommends that the Credit Reporting Code of Conduct
include requirements in relation to the standard of information provided to a consumer
in relation to accessing free credit reports and those for which there is a
charge.
Section 120 – Correction of credit reporting information
6.88
Section 120 provides for the correction of credit reporting information.
Veda Advantage commented that if information is corrected, the credit reporting
agency must then notify any previous recipients in writing of the correction
when it is made. No subsequent obligations exist for the recipients. Veda noted
that corrections, of varying significance, can occur for credit information up
to five years old. Veda submitted that the provision as drafted would create a
substantial compliance regime for credit reporting agencies with no clear
benefit for consumers. Veda supported a requirement for credit reporting
agencies to notify, as requested by the consumer, credit providers who have
been recipients of the information.[70]
Section 121 – Individual may request the correction of credit information etc
6.89
The Energy & Water Ombudsman NSW (EWON) commented on the 30 day requirement
for a credit reporting agency to make a correction. EWON stated that if inaccurate
information is listed, 'it is fair and reasonable to the customer who has been
adversely affected by this, that the incorrect credit information is corrected
as soon as possible'. Thus EWON saw the 30 day period as 'excessive in these circumstances,
particularly if this is 30 business days (ie equivalent to six weeks)'. If
there is a valid reason for the delay, it was suggested that the credit
reporting agency make an annotation to the file to note that a correction is
pending. EWON also noted that this is not a penalty section and there appears
to be no incentive for this correction to be carried out in a timely manner. EWON
suggested that if the issue is not addressed in the Act, it should be addressed
in the Credit Reporting Code.[71]
6.90
The TIO commented that the Exposure Draft confers a general
responsibility on credit reporting agencies to correct information they find to
be incorrect but no specific timeframe in which the correction is to be made. The
TIO pointed to the Telecommunications Consumer Protection (TCP) Code which
requires that where a telephone or internet company becomes aware that a
customer has been default listed in error, they must inform the credit
reporting agency within one working day. The TIO was of the view that the one
day requirement in the TCP Code appears to recognise the significant detriment
that can be caused by incorrect information on a person's credit file.[72]
6.91
Veda Advantage also commented on the fees charged by 'credit repair'
organisations including fees to consumers for services such as obtaining a copy
of their credit file. Veda Advantage submitted that fees are often substantial
and a success fee, up to $1,000, may be imposed for each piece of derogatory
information that a credit reporting agency investigates and removes from a
credit report. As a consequence, vulnerable consumers may pay substantial fees
for 'normal, regulated, credit reporting activities that would otherwise be
free'. Veda Advantage went on to state:
Typically, the consumer would be exercising their legal
rights of access and correction as provided for under the Act. It is unfair to
charge the consumer for the mere exercise of their rights and detracts from the
quality of legal protections that the Act specifically provides for.[73]
6.92
Veda Advantage recommended that only credit reporting agencies be
permitted to impose a fee on provision of credit reports (in addition to the
obligation to provide free reports) and that no entity be permitted to charge
for investigation or amendment of a credit report. However, if third party
organisations were permitted to provide such services, Veda Advantage
recommended that rules prescribe fee disclosure to consumers by those
organisations and expressly include that such organisations disclose to the consumer
that access to, and correction of, credit information, when conducted by a
credit reporting agency, is conducted for no fee to the consumer.[74]
Committee comment
6.93
The committee has discussed the timeframes for correction as part of its
examination of complaints handling. See chapter 5 for the committee's
conclusion and recommendation.
6.94
In relation to the matter raised by Veda Advantage, although the
committee supports mechanisms to protect vulnerable consumers, the charging of
fees by credit repair organisations is outside the scope of the Privacy Act and
would more rightly be addressed through the National Consumer Credit Protection
Act.
Section 122 – Notification of correction etc must be given
6.95
Section 122 provides for notification of corrections and when a
correction is not made. The APF suggested that in instances where notification
is given of a decision not to correct information (subsection 122(3)), the credit
reporting agency should have to provide notification of rights and external dispute
resolution scheme contact details with any notice of decision. In addition, the APF argued
that subsection 122(4) provides too great a discretion for notice not to be
given on grounds of impracticability, and there is no provision for an
associated statement if a correction request is disputed.[75]
6.96
Experian commented on the requirement that notification of the
correction must be provided to previous recipients of the information. Although
subsection 122(4) provides an exception on the grounds of the impracticality of
notifying previous recipients, Experian considered that a further exception
should apply based on the 'likely relevance' of the corrected information to
previous recipients. For example, if a significant period of time has elapsed
since the receipt of the original information, the corrected information will
have little relevance to the recipient unless it needs to specifically
reconsider the individual's credit arrangements, in which case an updated
credit report would be sought. Experian therefore submitted that the obligation
provide for an express time limit, for example, three to six months. An
alternative approach would be to notify previous recipients of the corrected
information only at the request of the individual, based on their views as to
which previous recipients are relevant. Experian suggested that the imposition
of limits based on relevance is consistent with the Government's response to
the ALRC Recommendation 59–5.[76]
Committee comment
6.97
The committee considers that the provisions of subsection 122(4), that
notice is not required to be provided to recipients 'if it is impracticable'
for the credit reporting agency to do so, provide flexibility to agencies in
complying with the notification obligation. The introduction of a further
exception based on 'likely relevance' would introduce a subjective element to
the obligation which the committee considers is not desirable.
Subdivision G – Dealing with credit reporting information after the retention period ends etc
6.98
Subdivision G provides for the destruction of credit reporting
information after certain retention periods. Credit reporting information can
also be destroyed in cases of fraud. In such an event, credit reporting agencies
must notify third parties which had received that information.
6.99
Section 123 provides for the destruction of credit reporting information
after the retention period ends. Submitters' comments related to the provisions
of subsection 123(3) which requires a credit reporting agency not to destroy credit
reporting information nor ensure that the information is no longer personal
information if, immediately before the retention period ends, there is a
pending correction request or a pending dispute. Dun & Bradstreet, for
example, commented that this requirement seems unnecessary and potentially
onerous from a systems development perspective in light of the fact that the
information would otherwise qualify for destruction and no longer impact the consumer's
credit profile. Accordingly, Dun & Bradstreet recommended that this
sub-section should be removed from the Exposure Draft.[77]
Veda Advantage commented that it is unclear how this provision will benefit
consumers 'who presumably would rather see disputed/incorrect information drop
off the credit file sooner as scheduled'.[78]
6.100
Section 124 provides for the retention period for credit information
except for personal insolvency information. The retention periods of two, five
and seven years are provided for depending on the type of information retained
by the credit reporting agency. Comments in relation to retention periods were
received from Experian which stated that the two year retention period for
positive data is very short by international standards. Experian considered
that an extended retention period of five to seven years would be more
appropriate and consistent with international standards. Experian concluded
that:
...a retention period of five to seven years strikes an
appropriate balance between the value and usefulness of the data for risk
assessment purposes, whilst also ensuring that CRA credit reporting databases
only contain data of appropriate quality and predictive value. Extending the
retention period for positive data would also allow for robust modelling by
CRAs.[79]
6.101
Dun & Bradstreet's comments went to the retention period of default
information. The retention period of five years for default information starts
on the day on which the credit reporting agency collects the information.
However, Dun & Bradstreet stated that the day on which the credit reporting
agency collects the default information is unlikely to be the day on which the
default occurs. Dun & Bradstreet considered that the five year period
should begin from the date of default, thus ensuring fairer outcomes for consumers.[80]
ARCA provided similar comments and suggested that the provision could represent
'unfair' treatment of consumers and a lack of consistency in the underlying
meaning of an item of data. ARCA recommended that retention periods commence
within a specified period of the default actually occurring.[81]
6.102
The ABA also commented on the maximum permissible retention periods for
credit information in relation to disputes. It was noted that consumers may lodge
disputes with the Financial Ombudsman Service (FOS) up to six years after the
disputant became, or ought to have become, aware of the incurring of a loss or
within two years after an independent dispute resolution final response by the
financial institution. Thus, retention periods of two and five years are
insufficient and it would be preferable for the FOS periods to be aligned with
the Exposure Draft from a privacy perspective.[82]
The NAB and ARCA also raised a similar concern in relation to section 164 which
allows the Information Commissioner to apply to the Court for an order within six
years of an entity contravening a civil penalty provision.[83]
6.103
Section 126 requires the destruction of credit reporting information in
cases of fraud. This provision was not supported by Veda Advantage which argued
that destroying such information prevents credit reporting agencies from
gaining insight into patterns of fraud behaviours. Veda supported the removal
of the information from the credit report.[84]
6.104
Paragraph 126(4)(c) allows an individual to request the credit reporting
agency to notify third parties to which the fraudulent information was
disclosed that it has been destroyed. ARCA argued that this imposes impractical
notification requirements as more than one credit reporting agency may be
involved and consumers may not remember which credit reporting agencies a
credit provider shares data with, even if they have been told when they applied
for the credit. ARCA recommended that an alternative would be to allow the
credit reporting agency to 'assign' responsibility to the credit provider who
provided the credit to the fraudster to notify all of the credit reporting
agencies they have shared the data with. The credit reporting agencies would
then be required to report back to the credit provider that they have done so.
The legislation could specify a time frame in which this should occur and then
the credit provider could confirm to the consumer that the destruction has
taken place.[85]
6.105
The NAB was of a different view, and suggested the credit reporting
agency's obligation to notify a recipient that information has been destroyed
should be automatic, not just when an individual requests the credit reporting
agency to do so.[86]
Committee comment
6.106
The ALRC canvassed issues relating to retention periods and came to the
view that the retention periods prescribed in the current Privacy Act 'provide
an important protection for consumers'. The ALRC did not see any compelling
case for changing the existing retention periods. The ALRC's recommendation
(Recommendation 58–5) was accepted by the Government and the committee supports
the retention provisions in the Exposure Draft.
6.107
The committee has noted the comments concerning the provisions for the
destruction of credit reporting information in cases of fraud. The committee
does not support the retention of this information for research purposes as it
may undermine consumer protections. In relation to the notification
requirements, the committee does not consider these to be impractical or
onerous. There are only four credit reporting agencies in Australia and the
notification requirements reflect the serious consequences to consumers in
cases of fraud. However, the committee has noted the views of the NAB in
relation to the automatic notification of recipients of the destruction of
credit reporting information in cases of fraud. The committee also notes that a
requirement to notify recipients of a correction of personal information is
contained in subsection 122(2). The committee considers that, given the serious
consequences of fraud, automatic notification of destruction of information may
have merit.
Recommendation 18
6.108 The committee recommends that consideration be given to providing in
subsection 126(4) a general requirement for notification of destruction of
credit reporting information to all recipients of credit reporting information
in cases of fraud and not only limited to when an individual makes such a
request.