CHAPTER 4
Regulation of credit reporting
4.1
Proposed new Part IIIA, which inserts the new credit reporting
provisions into the Privacy Act 1988 (Privacy Act), is included in item
72 of Schedule 2 of the Bill. This chapter will examine some of the proposed credit
reporting provisions referred to in submissions and evidence, including
provisions that deal with:
- permitted disclosures of credit information by credit reporting
bodies;
- use or disclosure of credit reporting information by credit
reporting bodies for the purposes of direct marketing;
- use or disclosure of credit reporting information that is
de-identified;
- correction of personal information by credit reporting bodies and
credit providers;
- complaints procedures; and
- commencement of the credit reporting provisions.
Permitted disclosures by credit reporting bodies
4.2
Proposed new subsection 20E(1) of the Privacy Act prohibits a 'credit
reporting body' which holds 'credit reporting information' about an individual
from using or disclosing that information. The proposed section allows for some
exceptions; however, the exceptions do not apply to 'credit reporting
information' which is, or was, derived from 'repayment history information',
unless the recipient of the information is a 'credit provider' who is the
holder of an Australian Credit Licence under the National Consumer Credit
Protection Act 2009 (Cth) (National Consumer Credit Protection Act).[1]
4.3
According to the Explanatory Memorandum (EM):
[I]t is considered appropriate that credit providers who
cannot access repayment history information should not be able to indirectly
obtain the benefit of that information through the possibility that credit
reporting bodies could provide credit reporting information that incorporates
repayment history information in another form.[2]
'Repayment history information'
4.4
Some submitters argued, however, that the restriction will adversely
affect their businesses. For example, Diners Club International (Diners Club)
noted that, under regulation 62(1) of the National Consumer Credit
Protection Regulations 2010, four expressly named charge card providers (including
Diners Club) are exempt from the licensing requirements of the National Consumer
Credit Protection Act:
Diners Club would therefore be excluded from receiving or
providing repayment history information either from or to a credit reporting
agency; or from or to other credit providers, including its related bodies
corporate. The current definition of the term "licensee" and its use
in the revised Part IIIA means that Diners Club is at a competitive
disadvantage against its major competitor in the charge card market, American
Express Australia Limited (Amex Australia). As an issuer of credit
cards and therefore a licensee, Amex Australia is able to obtain repayment
history information about charge card applicants.[3]
4.5
Diners Club considered that it would be illogical to 'exclude charge
card providers from the benefits of enhanced reporting' and suggested that
charge card providers who are not licensees should have access to 'repayment
history information'.[4]
4.6
The Communications Alliance recommended similarly that
telecommunications providers, which are also not required to be licensed, should
have the ability to opt into the regime:
This way they would be able to provide a lead indicator to
other financial service providers and it would also give the [telecommunications
providers] a better understanding of a customer's capacity to pay before
finalising the sale products and services to them.[5]
4.7
The Insurance Council of Australia (ICA) expressed concern that lenders mortgage
insurers (LMIs) are not able to access 'repayment history information' directly
from 'credit reporting bodies':
As LMI providers take on the same risk as the lender,
impeding their ability to assess this risk by denying direct access to the full
range of credit information is likely to significantly affect the LMI
providers' ability to actually provide LMI. This will impact on the
availability and accessibility of borrowers (particularly first home buyers)...[D]irect
access to all available credit information on a borrower is fundamental to the
business model of a LMI provider.[6]
4.8
The ICA contrasted the proposed restriction in new subsection 20E(4)
with its ability to obtain 'repayment history information via a lender without
being subject to a responsible lending obligation'.[7]
Its submission called for consistency, recommending that proposed new
subsection 20E(4) should be amended to read:
(4) However, if the credit reporting information is, or was
derived from, repayment history information about the individual, the credit
reporting body must not disclose the information under paragraph (3)(a) or (f)
unless the recipient of the information is a credit provider who is a licensee or
a mortgage insurer.[8]
4.9
Min-it Software, the Consumer Credit Legal Service (WA) (CCLSWA) and the
Consumer Credit Legal Centre (NSW) (CCLCNSW) opposed the inclusion of 'repayment
history information' in the credit reporting provisions. CCLCNSW, for example, recommended
that this information be removed from the Bill for a number of reasons,
including:
- It won't always lead to more responsible lending decisions.
- It has the potential to entrench hardship.
- Credit providers have alternative methods of accessing
repayment history information, and there is no evidence to suggest that the
absence of repayment history is causing significant problems in the market,
therefore its inclusion is not justified from the privacy perspective.
- It will lead to more risk-based pricing, which will entrench
disadvantage.[9]
4.10
At the first public hearing, Ms Katherine Lane from the CCLCNSW explained
further:
The main reason that the credit providers need this
information is so that they can deal with managing risk and pricing risk, and
that does not necessarily get a positive outcome for consumers. Pricing risk is
about interest rates. I think the main outcome is going to be that you will
have some little dots or marks on your report and then they will charge you extra
interest...It is also an intrusion on [an individual's] privacy for something
that is going to be to their detriment overall.[10]
4.11
Min-it Software argued that the inclusion of 'repayment history
information' in the Bill conflicts with proposed Australian Privacy Principle 3
(Collection of solicited personal information):
[T]he reporting of such information to a credit reporting
business is not a necessary function nor one reasonably necessary for the
credit provider to perform its responsible lending or other credit activities.
It is also not reasonably necessary, though it might be convenient from a
commercial practice perspective, for another credit provider to see such
history where that credit provider uses or is provided with a scoring mechanism
supplied by the credit reporting business.[11]
More comprehensive credit reporting – general comments
4.12
'Repayment history information' is one of five new data sets being
introduced into the credit reporting system as a move toward more
comprehensive, or positive, credit reporting, as recommended by the Australian
Law Reform Commission (ALRC).[12]
The other four data sets are: the date on which a credit account was opened;
the date on which a credit account was closed; the type of credit account
opened; and the current limit of each open credit account.[13]
4.13
According to the Explanatory Memorandum (EM):
Comprehensive credit reporting will give credit providers
access to additional personal information to assist them in establishing an
individual's credit worthiness. The additional personal information will allow
credit providers to make a more robust assessment of credit risk and assist
credit providers to meet their responsible lending obligations. It is expected
that this will lead to decreased levels of over-indebtedness and lower credit
default rates. More comprehensive credit reporting is also expected to improve
competition and efficiency in the credit market, which may result in reductions
to the cost of credit for individuals.[14]
4.14
Some submitters and witnesses commented generally in relation to this
reform. Veda, Dun & Bradstreet and Experian, among others, supported the
introduction of positive credit reporting to facilitate risk assessment and
compliance with responsible lending obligations.[15]
Veda particularly noted the preliminary findings of its current Comprehensive
Reporting Pilot Study[16]
and, in evidence, Mr Steven Brown from Dun & Bradstreet argued that
the Bill should go further:
[W]e support the model that has been put forward. It does provide
much more balance...[H]owever,...we feel we have stopped a little short of the
opportunity here—that is, somebody who has a default on their file yet is
meeting payments to utility companies and telecommunications companies will not
have that information recorded on their file or will not have the option to
have that data recorded on their file by those organisations... There are
scenarios today where individuals are not able to establish a track record of
payment to a financial services provider but may well have those facilities
being kept in good order. The ability to include that information on the credit
file would indeed allow those individuals to have that good payment performance
reflect on their file, notwithstanding that they may have one negative incident
on their file. So that is really the issue of fairness that I am referring to,
trying to get more balance into the system.[17]
4.15
However, some submitters – such as the CCLSWA and the Australian Privacy
Foundation (Privacy Foundation) – contended that positive credit reporting will
not advantage consumers. The CCLSWA, for example, rejected the argument that
the inclusion of the five additional data sets in the credit reporting system
will improve the system's efficiency, decrease over-indebtedness and open up
competition:
On the contrary, studies have indicated that there is no
correlation between positive credit reporting and reduced levels of
indebtedness. Nor is there necessarily a correlation between positive reporting
and responsible lending practices....It seems more likely that the reliance on
repayment history information will lead to a rise in the number of consumers
being unfairly refused credit where there are no adverse file listings, and
their loan applications would otherwise be approved.[18]
4.16
The Privacy Foundation argued:
We welcome the imposition of responsible lending conditions
for participation in the credit reporting provisions, which protects consumers
against the more blatant irresponsible lending practices, but this does not
mean that consumer vulnerabilities will not be exploited to provide credit
which is not in the consumer's best interests.[19]
Departmental response
4.17
In response, the Attorney-General's Department (Department) referred to
the Regulation Impact Statement (RIS) accompanying the Bill, which identifies the
potential risks and benefits of including 'repayment history information' as a
fifth data set in the credit reporting system. The RIS concludes, on balance, that
'repayment history information' should be included in the credit reporting
system.[20]
4.18
The Department noted that the consumer protections recommended by the
ALRC have been incorporated into the Bill:
The Department does not consider that any additional
legislative measures in the Privacy Amendment Bill would resolve the
disagreement between stakeholders on the possible implications of including
repayment history information in the credit reporting system.[21]
Use or disclosure of credit reporting information by credit reporting
bodies for the purposes of direct marketing
4.19
According to the EM:
Pre-screening is a direct marketing process by which direct
marketing credit offers to individuals are screened against limited categories
of credit information about those individuals to remove individuals from
the direct marketing credit offer, based on criteria established by the credit
provider making the offer, before the offers are sent. Generally, the process
for pre-screening a direct marketing credit offer works as follows. The credit provider
making the credit offer establishes the eligibility requirements for the direct
marketing credit offer and provides the list of individuals about whom the
pre-screening assessment will be made; the credit reporting body undertakes the
pre-screening assessment and determines whether an individual is eligible
consistent with those criteria; the credit reporting body discloses the
pre-screening assessment to a mailing house which conducts the direct marketing
consistent with the pre-screening assessment, and then the pre-screening
assessment is destroyed by the credit reporting body and the mailing house.[22]
General prohibition
4.20
Proposed new subsection 20G(1) of the Privacy Act prohibits a 'credit
reporting body' which holds 'credit reporting information' about an individual
from using or disclosing the information for direct marketing purposes. The
prohibition does not apply to the use by the 'credit reporting body' of 'credit
information' about an individual for direct marketing purposes by, or on behalf
of, a credit provider (pre‑screening), subject to certain conditions
(proposed new subsection 20G(2) of the Privacy Act).
4.21
Some submitters supported the proposed prohibition, with a few
submissions recommending amendments to enhance the operation of the provision.[23]
The CCLCNSW, for example, submitted that the permitted use for
pre-screening should be removed from the Bill:
[T]he use of credit reporting information to facilitate
pre-screening is an unnecessary breach of privacy. It is abhorrent to use the credit
reporting system for marketing...[D]irect marketing and pre-screening should be
prohibited...[T]he utility of pre-screening should be reviewed in light of the
recent amendments to the National Consumer Credit Protection Act on unsolicited
offers of credit. The Act now specifically prohibits unsolicited offers of
credit unless the consumer has opted in. It is our understanding that many
consumers have not chosen to opt-in. In these circumstances, the need for
pre-screening advocated by industry is now considerably less.[24]
4.22
In 2008, the ALRC recommended that the new Privacy (Credit Reporting
Information) Regulations should prohibit the use or disclosure of 'credit
reporting information' for direct marketing purposes, including the pre-screening
of direct marketing lists.[25]
However, the Australian Government responded:
...the use or disclosure of credit reporting information for
the purposes of pre-screening should be expressly permitted, but only for the
purpose of excluding adverse credit risks from marketing lists.[26]
Opt-out mechanism
4.23
Proposed new subsection 20G(5) provides an 'opt-out' mechanism, allowing
an individual to request a 'credit reporting body' that holds 'credit
information' about the individual not to use that information for pre-screening
purposes. The Privacy Foundation questioned the practicality of this
provision given the lack of a direct relationship between the individual and a
'credit reporting body' (CRB):
[I]t is unrealistic to rely on individuals 'finding' a CRB to
opt-out – they must be given the opportunity via their direct relationship with
a Credit Provider.[27]
4.24
The Law Council of Australia added that the Bill does not explain the
consequences of an 'opt-out' request:
A more practical measure may be for a credit reporting agency
(or perhaps all credit reporting agencies) to establish a separate database of
pre‑screening opt-out individuals. All customer lists for which pre‑screening
had been requested would initially be "washed" against this opt-out
list and the opted-out persons removed from the prospects list, before any use
was made of credit information referred to in clause 20G(2). It should be
expressed in proposed section 20G that an opted out person would not receive
the credit offer proposed to be offered to persons who are successfully
screened.[28]
4.25
The Australian Bankers' Association (ABA) and the Australasian Retail
Credit Association (ARCA) referred to one of the conditions giving rise to a
permitted use: the information cannot be 'consumer credit liability information'
or 'repayment history information' about an individual.[29]
These submitters recommended that the condition be clarified to expressly cover
both direct and indirect use of information in a pre-screening process. As
highlighted in the ABA's submission:
Indirect use means using the new data sets as model inputs to
derive an outcome. For example, a credit reporting agency may blend the data
sets into a model to derive a credit propensity score that predicts a customer's
likelihood to be receptive to an offer of credit. This predictor could then be
used for pre-screening or direct marketing.[30]
Use or disclosure of credit reporting information that is de-identified
4.26
Proposed new subsection 20M(1) of the Privacy Act prohibits a 'credit
reporting body' which holds de-identified 'credit reporting information' (de-identified
information) from using or disclosing that information. The general prohibition
does not apply if the use or disclosure is for the purposes of conducting research
in relation to the assessment of the credit worthiness of individuals and the 'credit
reporting body' complies with any rules made by the Australian Information Commissioner
(Commissioner) (proposed new subsection 20M(2) of the Privacy Act).
4.27
The EM states that the purpose of regulating de-identified information
is to clarify that such information can be used or disclosed in specific
circumstances:
[I]nformation from the credit reporting system has in the
past been used for the purpose of conducting research (including statistical
modelling and data analysis) relating to the assessment or management of
credit. This research, where it is in the public interest, should be expressly
permitted. Conducting research with de-identified personal information enhances
privacy protection and appears to be consistent with existing industry
practices. In addition, research is not a primary purpose of the credit
reporting system and it is not appropriate to allow credit reporting
information that identifies individuals to be used for research purposes.[31]
4.28
The EM notes, however:
[T]here can be concerns about the effectiveness of methods
used to de‑identify personal information and the risks of that
information subsequently being linked again to individuals in a way that allows
them to be identified.[32]
Suggestions to remove proposed new section 20M
4.29
Some submitters questioned the appropriateness of regulating
de-identified information. These submitters argued that once 'credit reporting
information' has been de‑identified, it is no longer personal information
about an individual within the scope of the Privacy Act. These submitters
suggested that proposed new section 20M of the Privacy Act should be removed
from the Bill.[33]
For example, ARCA recommended:
[T]he Government remove [proposed new section] 20M from the
Bill entirely, and refer the question of the economic value of depersonalised
data to the Productivity Commission for inquiry. Such an inquiry is likely to
provide a range of reforms for the Government to consider in relation to the
regulation of this important economic tool.[34]
4.30
Veda also objected strenuously to the regulation of de-identified data
in the Privacy Act and supported retaining the purpose for which de-identified
data may be used without prescribing rules (including those which might be made
by the Commissioner).[35]
4.31
Submitters and witnesses from the finance and credit industries
indicated that they could not understand the rationale behind proposed new
section 20M of the Privacy Act. In detailed submissions, these stakeholders
described the fundamental role of de-identified information in the information
economy.[36]
For example, Dun & Bradstreet, Experian and Veda jointly
submitted:
The information economy revolves around research using
de-personalised information. Before parliament decides to restrict one part of
the information economy from using de-personalise[d] data, industry believes it
appropriate to consider the value and role that research brings.[37]
4.32
In evidence, Professor Les McCrimmon distinguished credit-reporting
information from the re-identification of health information for the purposes
of research and statistical data sets:
[I]t is a live issue in relation to health research, because
in health research there is often the master key and the need to re-identify to
check the research and the research findings. That does not arise in a
credit-reporting context and...there has not been an occasion in the 40 years
that it has been operating for the requirement to re-identify.
...
To go back to basic principles, the Privacy Act is primarily
concerned with protecting personal privacy, namely personal information, as
part of implementing Australia's obligations under the International Covenant
on Civil and Political Rights. When the information is no longer personal
information, the work of the Privacy Act should end. To extend the work of the
Privacy Act beyond personal information to de-identified information, which by
definition is not personal information, has a couple of problems. One is that
it puts an obligation on the Office of the Information Commissioner to come up
with rules to regulate what in the past has never been regulated and, across
privacy regimes in all [Organisation for Economic Co-operation and Development]
countries, is not regulated for a good reason: it is not personal information;
it does not impact on the human right—namely the protection of privacy. So that
is the first problem.[38]
4.33
Professor McCrimmon did not consider the re-identification of data to be
a problem in the credit reporting context;[39]
nor did Ms Kim Jenkins from Experian, who argued:
There is no purpose behind re-identification in the credit
industry. De‑identified information is for the purpose of scorecards, and
that has to be done on a depersonalised, anonymous basis in order for the
underlying statistical modelling to be valid and robust, and then there is no
purpose in repersonalising that, because that scorecard goes into production.
There is no benefit in relinking it to individuals.[40]
4.34
ARCA suggested that the better legislative approach would be to prohibit
the re-identification of data,[41]
a view with which the three main credit reporting agencies (to be renamed
'credit reporting bodies' by the Bill) agreed.[42]
Veda suggested further that the Bill should appropriately penalise the re‑personalisation
of data:
[I]t is prudent to recommend the inclusion in the legislation
of substantial penalties for subsequent re-personalisation with substantial
penalty provisions as apply elsewhere in the Bill.[43]
4.35
Professor McCrimmon agreed that 'the better policy way to deal with
[this issue] is to penalise re-identification rather than put a blanket ban on
the use of de‑identified data'.[44]
History of proposed new section 20M
4.36
In 2008, the ALRC examined the issue of the use and disclosure of
'credit reporting information' for secondary purposes (such as research). The
ALRC concluded:
The new Privacy (Credit Reporting Information) Regulations
should provide that a credit reporting agency or credit provider may use or disclose
credit reporting information for a secondary purpose related to the assessment of
an application for credit or the management of an existing credit account,
where the individual concerned would reasonably expect such use or disclosure.[45]
4.37
The Australian Government did not accept this recommendation 'as it
would allow credit reporting information to be used and disclosed for a number
of unknown purposes'. The government acknowledged:
[A] key concern for both credit reporting agencies and credit
providers in supporting recommendation 57-2 was that it would provide an
ability to conduct research (including statistical modelling and data analysis)
in relation to credit reporting information where it related to the assessment
or management of credit and was for the benefit of the public.
[T]he Government will...allow for credit providers or credit
reporting agencies to use and disclose de-identified credit reporting
information for research purposes that are deemed to be in the public interest
and have a sufficient connection to the credit reporting system. Research would
also be required to be conducted in accordance with rules developed by the Privacy Commissioner.[46]
4.38
In 2010-2011, the Senate Finance and Public Administration Legislation
Committee (F&PA committee) reported on the Exposure Drafts of the Bill,
including the pre‑cursor to proposed new section 20M.[47]
The F&PA committee noted, among other things, a suggestion from the Office
of the Australian Information Commissioner (OAIC) that the provision did
not permit the disclosure of de-identified information and was not clear in
relation to whether the related rules to be issued by the OAIC must be in place
before any research is permitted.[48]
The F&PA committee recommended that these issues be addressed.[49]
The Australian Government accepted and implemented the recommendations of the
F&PA committee,[50]
particularly in proposed new paragraph 20M(2)(b) of the Privacy Act to provide
that a 'credit reporting body' must comply with rules made by the
Commissioner under proposed new subsection 20M(3).[51]
Departmental response
4.39
In evidence to the current inquiry, an officer from the Department reiterated
the government's view expressed in the EM regarding the potential
re-identification of data, as well as the issue of 'what is discernible from
the characteristics of the data that is de-identified that can lead one to
identification'.[52]
Further:
The credit reporting scheme is set up...on the basis that
basically everything is prohibited and then there are a series of exceptions to
say, 'This is how entities may deal with this type of data.' So the rules
around the de-identified data is to say that we need to put some rules around
this type of secondary use, which is to de-identify and then to do research
with the data.[53]
4.40
In additional information provided to the committee, the Department
clearly advised:
The purpose of clause 20M is to ensure that the Information
Commissioner has the power to issue appropriate guidelines to deal with how an
individual's personal financial information may be used for research.[54]
Correction of personal information by credit reporting bodies and credit
providers
4.41
Proposed new sections 20T and 21V of the Privacy Act respectively enable
an individual to request a 'credit reporting body' or 'credit provider' to
correct certain types of personal information about the individual.
4.42
The EM states:
Importantly, individuals are able to request the correction
of their personal information that may not be held by the credit reporting
body, requiring the credit reporting body to consult with the appropriate
credit reporting body or credit provider. This imposes a specific obligation on
bodies and credit providers to assist individuals to correct their personal
information, no matter whom it is held by in the credit reporting system. This
means that the credit reporting body or credit provider to which the individual
first makes a correction request must deal with that request and assist the
individual to have their personal information corrected.[55]
Third party application
4.43
Some submitters expressed concern with the potential need for an entity
which receives a complaint to consult with another entity. For example, ARCA submitted:
[T]he Bill suggests that the first party contacted (the
respondent) must undertake (presumably themselves) to notify 'everyone' who has
received the disputed information, collate the necessary information to respond
to the complaint, and then respond on behalf of all relevant parties. What
seems to be a simple requirement under the Bill becomes complex because of the
degree of prescription of how an operational process must work, rather than
simple articulation of the outcome that it seeks to deliver.
To manage consumer complaints effectively, it is essential
for relevant parties to manage and resolve the complaint wherever possible.
However, the first point of contact may not always be best placed to manage a
complaint. It may be more appropriate to refer the consumer to the most
appropriate respondent.[56]
4.44
The OAIC was similarly concerned with how an individual is able to
correct personal information not held by the party who is first contacted. The
OAIC's submission emphasised the need for clear, appropriate and comprehensive correction
and notification obligations:
[I]t is important that the Bill clearly sets out:
- the obligation on the entity that received the correction
request to take reasonable steps to have the information corrected
- the obligation on the entity that holds the information to
correct that information
- the obligation on the entity that received the correction
request to notify the individual about the outcome of their correction request.
There is uncertainty as to whether the provisions in the Bill
achieve this...The OAIC...recommends that the Bill be amended to ensure that the
correction provisions are clear, and operate effectively.[57]
Breadth of request to correct
4.45
Other submitters focussed on specific issues, including: the types of
personal information captured by the proposed provisions; the time allowed for
the correction of personal information; and incorrect or unfair listings.
4.46
The types of personal information in respect of which an individual can
request a correction are:
- 'credit information' about the individual;
- 'CRB derived information' about the individual; and
- 'CP derived information' about the individual.
4.47
The ANZ Banking Group Limited (ANZ), for example, submitted that 'CRB derived
information' and 'CP derived information' are assessments of an individual's
credit worthiness. In its view, individuals should not be entitled to amend such
an assessment.[58]
The Australian Finance Conference (AFC) argued similarly that evaluative
information generated by an APP entity in a commercially sensitive decision‑making
process should not be correctable:
The omission potentially invites opening a credit provider to
risk of fraud or customer manipulation of credit application data should the
credit provider be obliged to reveal commercially sensitive components of its
lending decisioning process.[59]
Time to correct and substantiation
4.48
Proposed new subsections 20T(2) and 21V(2) of the Privacy Act require a
'credit reporting body' or 'credit provider', if satisfied that the personal information
is inaccurate, out‑of-date, incomplete, irrelevant or misleading, to take
reasonable steps to correct the information within 30 days or a longer period
agreed to in writing by an individual.
4.49
The Energy & Water Ombudsman NSW (EWON) described the 30‑day
timeframe allowed for the correction of personal information as 'excessive':
If there is a valid reason for the delay, we suggest that the
credit reporting agency makes an annotation to the file to note that a
correction is pending.[60]
4.50
The Telecommunications Industry Ombudsman agreed that the timely removal
of incorrect information is critical:
In our view, a period of 30 days to correct information on a
credit file is too long when it may have the potential to compound difficulties
experienced by consumers, particularly where they need to apply for finance and
where incorrect information on their credit file is impeding them from doing
so. The Telecommunications Consumer Protection (TCP) Code requires that where a
telephone or internet company becomes aware that their customer has been
default listed in error, they must inform the ['credit reporting body'] within
one (1) working day.[61]
4.51
Conversely, the Australian Privacy Commissioner, Mr Timothy Pilgrim, told
the committee that when listings are disputed 'it requires on a number of
occasions a bit more time than [30 days] to be able to get the facts together
to support whether there has been a default or not'.[62]
4.52
The Privacy Foundation contended that the 30‑day timeframe
specified in proposed new subsection 20T(2) is 'weaker' than the ALRC Recommendation
59-8.[63]
The ALRC's recommendation was for the new Privacy (Credit Reporting
Information) Regulations to:
...provide that, within 30 days, evidence to substantiate
disputed credit reporting information must be provided to the individual, or
the matter referred to an external dispute resolution scheme recognised by the
Privacy Commissioner. If these requirements are not met, the credit
reporting agency must delete or correct the information on the request of the
individual concerned.[64]
4.53
In relation to substantiation, CCLCNSW argued that it is essential for a
'credit provider' to be able to produce evidence verifying the accuracy of
a listing:
The credit reporting system operates on an "honour basis",
that is, credit providers are trusted and there are no checks on reported
information. To balance this, consumers must be able to reasonably insist
that this information be verified.[65]
4.54
Consistent with ALRC Recommendation 59-8, but with reference to the
Privacy Act (and not the regulations), CCLCNSW recommended that proposed new section
20T should be amended to require a 'credit reporting body' to request evidence of
a disputed listing from a 'credit provider' and, if not provided within 30 days
of the request, the 'credit reporting body' must remove the disputed listing.[66]
Departmental response
4.55
In evidence, a departmental officer agreed that the Australian
Government had accepted ALRC Recommendation 59-8, but explained that the way in
which that recommendation has been implemented in the Bill is slightly
different from the way in which the government response was framed:
Essentially, if there is a request to correct and that
request is denied, the credit provider has to substantiate the reason for doing
so, so they have to provide you with the evidence. There is no express
provision saying that if they cannot substantiate they must change, because the
general obligation to keep accurate records will apply anyway. So if they
cannot provide an individual with the evidence to show why the listing is there
then there is no evidence for the listing. Therefore the general obligation to
keep accurate, up-to-date records would apply, and they should be updating
their records.[67]
Concept of fairness
4.56
CCLCNSW submitted that another major problem for consumers is default
listings, or repayment history listings, in circumstances where a reasonable
person would consider the listing to be unfair:
There are a number of circumstances where the consumer is
unable to pay because of matters arising that are completely out of their
control. Some examples are:
1. Natural disasters
2. Bank error in processing a direct debit or Bpay
3. Fraud
4. Illness and hospitalisation
5. Mail theft
It is essential that consumers have access to a mechanism to
challenge a listing on the grounds of fairness.[68]
4.57
The CCLCNSW recommended that proposed new section 21V should be amended
to enable consumers to request correction of a listing on the grounds that it
would be unfair and misleading in the circumstances for the listing to remain
uncorrected.[69]
Departmental response
4.58
In evidence, a representative from the Department emphasised that the
inability to contact an individual can give rise to a 'serious credit infringement',
but was not certain that this was likely to happen in the circumstances described by
the CCLCNSW (due to the enhanced contact requirement).[70]
4.59
In any event:
The Department is not able to express a view on whether a
credit provider should list a serious credit infringement in circumstances
where an individual has suffered the consequences of a natural disaster.
However, the Department notes that the definition of serious credit
infringement requires the credit provider to be satisfied that a reasonable
person would consider the individual's act (for example, of missing one or more
payments because of a natural disaster) indicates an intention to no longer
comply with the individual's obligations.[71]
External dispute resolution schemes
4.60
Proposed new section 21W of the Privacy Act requires a 'credit provider'
to give an individual written notice, within a reasonable period, of the
outcome of their request for the correction of personal information under
proposed new section 21V. In particular, if the personal information has
not been corrected, the written notice must state that the correction has not
been made; set out the reasons for the 'credit provider' not correcting the information
(including evidence substantiating the correctness of the information); and:
(c) state that, if the individual is not satisfied with the
response to the request, the individual may:
(i) access a recognised external
dispute resolution scheme of which the provider is a member; or
(ii) make a complaint to the
Commissioner under Part V.
4.61
Proposed new section 21W is one example of a provision in the Bill which
enables an individual to progress an unresolved dispute through either a
recognised external dispute resolution (EDR) scheme or the Commissioner. The
proposed complaints provisions – such as proposed new paragraph 23B(4)(b) – contain
a similar mechanism.
4.62
Min-it Software expressed concern with these provisions which, it
argued, considerably enhance the existing EDR providers' involvement in privacy
complaints:
We do not believe that it is appropriate to give the two
private companies (which are not statutory authorities) engaged in providing
EDR for credit even greater power than they currently have, particularly at the
expense of direct contact with the Privacy Commission[er].[72]
4.63
In relation to the recognition of EDR schemes for the purposes of the
Privacy Act, Mr Pilgrim advised that he has not yet made any assessments
but will begin to consider the matter once the Bill has been enacted.[73]
However:
[T]here is a range of criteria that I would need to take into
account before approving a scheme to operate as an EDR scheme under the [A]ct.
A number of those areas go into some fairly obvious ones, but one of them is
the independence of the scheme and its ability to operate independently.
I would have to be satisfied before approving an EDR scheme to participate
that it met that criterion.[74]
4.64
One other concern – expressed in the Energy & Water Ombudsman NSW's (EWON)
submission regarding proposed new sub-paragraph 21W(3)(c)(i) – was that the EDR
provisions could inadvertently result in customer referral to the wrong EDR
scheme for a particular issue:
For example, a customer may contact their financial
institution to dispute their credit listing and the credit listing may be for
an old energy debt. If after investigation the financial institution is unable
to assist the customer[,] 21W(3)(c)(i) suggests that they must be referred to
the 'external dispute resolution scheme of which the provider is a member', so
the referral would be to the Financial Ombudsman Service, of which the provider
is a member. However, as the customer is disputing a listing related to an
energy debt the most appropriate external dispute resolution scheme would be
EWON.[75]
Complaints procedures
4.65
Division 5 of new Part IIIA of the Privacy Act sets out provisions in
relation to complaints. Proposed new section 23A gives individuals the right to
complain to 'credit reporting bodies' or 'credit providers' about acts or
practices that might be a breach of the credit reporting provisions or the
registered credit reporting code (to be created by Schedule 3 of the Bill).
4.66
Proposed new section 23B sets out how 'credit reporting bodies' and 'credit providers'
are to deal with those complaints. For example, proposed new subsection 23B(1) provides
that the respondent to a complaint:
(a) must, within 7 days after the complaint is made, give the
individual a written notice that:
(i) acknowledges the making of the complaint; and
(ii) sets out how the respondent will deal with the
complaint; and
(b) must investigate the complaint.
Notification provisions
4.67
Several submissions addressed proposed new section 23B of the Privacy
Act, with some questioning the notification requirements in proposed new paragraph 23B(1)(a).
For example, the Australasian Retail Credit Association submitted that the
majority of complaints are resolved within 48 hours and compliance with that
provision would be 'unnecessary, wasteful and irritating for the consumer'.
Further:
[I]t should be acceptable for other methods of communication
to be allowed on the basis that a formal record is retained, such as a file
note made in a customer relationship/complaints management system, or tape
recording of voice communications.[76]
4.68
The Communications Alliance agreed with the need for a less prescriptive
form of communication, submitting that most telecommunications customers prefer
to deal with their telecommunications providers via telephone or email, and
increasingly via social media – such as on Twitter or Facebook.[77]
Optus commented similarly:
[W]e are concerned that the prescriptive complaint handling
requirements set out in the Bill (such as the requirement for written
acknowledgement of complaints and then written confirmation of the outcomes of
complaints) are very rigid and reflect an out-dated method of interacting with
customers. Such restrictive practices do not take into account the multitude of
ways in which customers are able to contact their providers in the digital
environment.[78]
Third party issues
4.69
Some submitters were also concerned by proposed new subsection 23B(2), which
will require the respondent to the complaint to consult another 'credit
reporting body' or 'credit provider' about the complaint, if the respondent considers
that consultation to be necessary. As with the correction of personal
information, third party issues concerned some submitters – for example, the Financial
Ombudsman Service (FOS), the Consumer Action Law Centre (CALC), and ARCA.
4.70
The FOS considered that the regime will prove impractical as many
complaints will relate to a financial services provider ('Bank A') holding
incorrect personal information which it may have obtained from another body (for
example, 'Energy Provider B'):
Bank A enquires as to the accuracy of that information from
Energy Provider B and is told that the information is correct. The complainant
is unhappy with the response and takes the matter to Bank A's EDR scheme.
Energy Provider B is not a member of that EDR Scheme. In those circumstances
the EDR Scheme will not be able to properly investigate the dispute as it will
be unable to access the relevant information which is held by Energy Provider
B, and by its member Bank A. All Bank A's EDR scheme will be able to do is
consider if Bank A has followed an appropriate process in dealing with the request,
but it will not be able to solve the consumer's main problem, which is
correcting any wrong information at its source.[79]
4.71
For this reason, FOS, EWON and the Telecommunications Industry Ombudsman
supported redrafting proposed new section 23B to allow a consumer to be
referred to the appropriate EDR scheme by the first respondent to the complaint.[80]
4.72
ARCA submitted that the complaints‑handling processes in the Bill:
...will require a complex system to be developed between the
multitude of Credit Providers and CRBs who use the credit reporting system to
manage the finalisation of consumer complaints. Such a system would increase
the risk of inadvertent disclosure, remove the ability of the consumer to deal
directly with the cause of the complaint, and is against industry practice and
good business practice regarding customer service.[81]
4.73
ARCA's Chief Executive Officer, Mr Damian Paull, noted further:
The complexity of the proposed arrangements will inevitably
lead to delay and unnecessary escalation to alternative dispute arrangements,
creating further financial burden on credit providers through EDR scheme fees;
increased resourcing requirements for the OAIC, the regulator; and, most
importantly, delayed consumer outcomes.[82]
4.74
ARCA and Experian recommended that the Bill should allow the respondent
to the complaint to be able to refer a consumer to the entity which is most
able to resolve the complaint, backed by oversight from the regulator.[83]
4.75
The Consumer Action Law Centre (CALC) supported proposed new
section 23B of the Privacy Act:
[I]t aims to prevent credit providers and credit reporting
agencies buck-passing complaints between themselves (which has been a big
problem to date) and limits the risk of consumers dropping out of the
complaints process because they do not know where to complain.[84]
4.76
Despite this, the CALC considered that the provision might be too broad
and could capture third parties who are reluctant to assist in the resolution
of a complaint:
[T]he obligation to resolve a complaint should lie with the first
party to be contacted by the consumer which is actually involved in the subject
of the complaint. This would usually be the relevant credit reporting agency,
or the credit provider which made the listing. However, to ensure that
consumers don't 'fall through the cracks', a credit provider or credit
reporting agency which did not have any role in the subject of the complaint,
should have an obligation to advise the consumer of the parties which could
deal with the dispute.[85]
4.77
In evidence, a departmental officer told the committee that the
corrections and complaints processes have been re-designed to make them
simpler:
In the correction process, the approach taken is that, if a
person requests a correction, they make the request once to a credit provider or
a credit reporting body, and they have the obligation of consulting with other
industry members to resolve the issue. So you are not bounced around... That is
the intention in relation to the correction process. The recipient of a
complaint can refuse the complaint if it is not about them...If I am making a
complaint—if I say to them, 'You've disclosed information in the wrong
way'—then that is about their act or practice in relation to the information,
so I have to complain to the right person who did the wrong thing, essentially.
So they can transfer my complaint to someone else but they cannot transfer my
correction request.[86]
Industry regimes
4.78
Submitters were also concerned with jurisdictional issues raised by proposed
new section 23B of the Privacy Act. The Communications Alliance, for example, submitted
that the Bill does not recognise long-established credit-related regulations in
several industries,[87]
including: the Communications Alliance Telecommunications Consumer Protections
Industry Code and Telecommunications Industry Ombudsman Scheme (in relation to
the communications industry);[88]
Regulatory Guide 165: Licensing: Internal and external dispute resolution (RG
165) (in relation to licensees under the National Consumer Credit
Protection Act);[89]
and AS ISO 10002-2006.[90]
4.79
The Communications Alliance argued that the Bill imposes new obligations,
which conflict with standard practices in those industries, potentially leading
to consumer confusion and inconsistent approaches.[91]
One such conflict, noted in submissions from ARCA and ANZ, arises from the
prescriptive timeframes in proposed new subsections 23B(4) and 23B(5) of the
Privacy Act.
4.80
Proposed new subsections 23B(4) and 23B(5) of the Privacy Act require
the respondent to a complaint, after investigation and within 30 days, to make
a decision about the complaint and give the individual who made the complaint
written notice of the respondent's decision.
4.81
ANZ submitted:
For a licensed credit provider, a complaint under section 23A
is likely to also be a complaint for the purposes of RG 165. It will be
difficult for licensed credit providers to comply with both sets of
requirements. For example, subsection 23B(5) provides for a maximum timeframe
of 30 days for resolution, or longer if the complainant agrees in writing. RG
165.94 provides for a maximum timeframe of 45 days with no possibility of
extension.[92]
4.82
ARCA made the following suggestion:
AS ISO 10002-2006 is widely recognised as best practice for
managing consumer complaints, and it is widely applied across sectors and
scalable to suit a range of organisations in Australia. ARCA strongly
recommends aligning the timeframes in the Bill with existing obligations for
complaints handling and sees no tangible benefit for the misalignment.[93]
4.83
More generally, a few submitters suggested ways in which the existing
industry regulations could be accommodated within the Bill. The Australian
Finance Conference, for example, recommended:
...an approach in the provisions dealing with complaint
handling that provides an option of alternate compliance to the procedure
outlined in the Bill, to compliance with an equivalent standard recognised by
the Information Commissioner. This would then facilitate a seamless compliance
process for consumer credit providers that, as part of their licensing
obligations, were required to implement complaint-handling processes set down
by ASIC (eg in its Regulatory Guide 165). A similar approach could also be
adopted for broader participants in the industry that are credit providers for
the purposes of Part IIIA including the telecommunications industry.[94]
4.84
The Privacy Foundation and the Communications Alliance called for
further consideration of the status of existing
complaints-handling regulatory regimes under the Bill,[95]
with the Communications Alliance making the following suggestion:
[T]he complaint handling obligations for credit providers [should]
be removed from the Bill and instead be dealt with via the industry Credit
Reporting Code which is to be developed, to allow different industries to manage
such complaints within their existing regulatory frameworks.[96]
4.85
Optus, and others, remarked also on the creation of dual
complaint-handling processes:
Whilst we support the consistency of approach that the Bill
is attempting to achieve, its unintended consequence is the creation of
inconsistencies in other areas. For all regulated industries, this will
institute dual complaint handling processes – one to be followed for credit
complaints and another process for all other types of complaints. Given the telecommunications
industry already has comprehensive and detailed complaint handling requirements...imposing
new and different obligations just for credit complaints will create an
administrative burden for telecommunications providers, and confusion for telecommunications
customers, who should be able to have a consistent experience with their
telecommunications provider regardless of the nature of their complaint.[97]
Departmental response
4.86
The Department advised the committee that it is the government's position
that there should be 'a single corrections and complaints process for personal
information in the credit reporting system, rather than different processes
depending on the industry'.[98]
In answer to a question on notice, the Department emphasised the targeted scope
and application of the proposed regulatory regime:
It is only when [a] correction request relates to personal
information in the credit reporting system that the corrections request
procedures in the Bill would apply. Similarly, the complaint provisions set out
in Division 5 of Part IIIA in the Bill only apply where [a] complaint relates
to an act or practice that breaches the Privacy Act.[99]
4.87
The Department acknowledged that industry codes may also deal with other
credit-related matters – for example, notification processes for consumer
credit defaults or serious credit infringements. In such circumstances:
The Government has imposed specific obligations in relation
to these matters and expects that industry codes would be consistent with these
obligations.[100]
Commencement of the credit reporting provisions
4.88
Schedule 2 of the Bill will commence nine months after receiving
Royal Assent.[101]
Some stakeholders did not regard nine months as sufficient lead time for
industry to implement the necessary changes.
4.89
A few submitters noted that passage of the Bill is only the first step
in a lengthy process to reform the legislative framework for privacy laws in
Australia.[102]
These submitters contended that the regulations and the industry-developed
credit reporting code will need to be finalised before stakeholders can commit
resources to implementation.[103]
ARCA, for example, submitted:
While some organisations are well advanced in their
preparation to these reforms, others have noted that they have been unable to
design and build the solutions, as they have not known the final shape of the
reforms and the impact on their business. Limited available skills, combined
with complex business processes, and highly regulated and defined scheduled
opportunities to make institution-wide technology changes means that many ARCA
Members may find it extremely difficult to implement the required system,
training, documentation, and process changes in the proposed timeframe.
The reality of the process attached to the reforms to credit
reporting means that there is very little time available for industry to see
the final legislative and regulatory detail before the regime is due to start.
Given that credit reporting is an integral part of the way more than $1.1
trillion dollars of consumer credit is granted and managed in Australia, it is
critical that adequate time be provided to undertake this reform in a
controlled and structured manner.[104]
4.90
Abacus-Australian Mutuals (AAM), the Australian Bankers' Association (ABA)
and the Australian Finance Conference (AFC) suggested timeframes that, in their
view, would be adequate lead time for industry:
- AAM submitted that the commencement date should be 'at least 12
months' from registration of the credit reporting code;[105]
- the ABA proposed 15 to 18 months from the date of Royal Assent;[106]
and
- the AFC considered that a reasonable implementation period would
be 12 to 18 months after the detail of the reforms has been settled.[107]
4.91
However, the AFC submitted:
Rather than adopt a fixed date or date tied to date of
assent, the AFC recommends an approach that enables a commencement date to be
determined by the Minister (akin to the process adopted for the Personal
Property Securities Reform) may be the best means of balancing the imperatives
for early enactment against inadequate lead-times for implementation.[108]
4.92
ARCA considered that the various components of the reform should
commence at the same time and proposed a four-step commencement process, which,
it argued, would provide certainty and a practical amount of time to finalise
the reform and adequately prepare for compliance. ARCA's suggested process was:
- establish a set time once the Bill and regulations have been
finalised for the credit reporting code to be developed;
- require the Commissioner to either approve the credit reporting code
or make a determination that the Commissioner will draft the credit reporting code
within a specified time period;
- if the Commissioner is to draft the credit reporting code, set a
time period for such drafting; and
- from the point at which there is a registered credit reporting code
set a commencement date for the new privacy regime.[109]
4.93
ARCA anticipated that the regulations would be finalised 'in early 2013
at the earliest' and that the industry-developed credit reporting code (which
cannot be completed until after finalisation of the Bill and the regulations) would
be presented to the regulator in mid-2013.[110]
Officers from the Department confirmed to the committee that draft regulations
were released for public comment on 17 August 2012, with submissions due
to close on 28 September 2012.[111]
4.94
The CCLCNSW recommended that the Bill should not be passed until the
regulations and the credit reporting code have been drafted and considered:
[R]eviewing just one part of the regulatory framework will
mean that it is inevitable there will be matters not covered due to oversight
or an expectation that the matter will be covered in another part of the
regulation. A particular risk is an expectation that a range of matters will be
covered by the Credit Reporting Code of Conduct when this may not be
appropriate or even reasonable.[112]
Departmental response
4.95
The Department informed the committee that the standard three-month
period between Royal Assent and commencement of the Bill was previously extended
(to the current nine-month commencement date) in line with advice received from
the OAIC, and to allow sufficient time to register the credit reporting code.
In addition:
[T]he commencement period should provide...certainty by setting
out a defined time in the legislation for commencement, and should see all
elements of the Privacy Amendment Bill commence at the same time (that is, no
staged implementation).[113]
4.96
Further:
The Department does not consider that commencement should be
at the discretion of the Attorney-General, nor does the Department consider
that commencement should be contingent on the registration of the [credit
reporting] Code as this does not ensure certainty. The Department will be
considering stakeholder views on extending the current proposed [nine] month
commencement period in proposing options for the Attorney-General's
consideration.[114]