CHAPTER 6

Committee views and recommendations

6.1        This inquiry was one of several reviews into Australia's privacy legislation which have taken place over the past seven years. In particular, the committee notes the extensive review conducted by the Australian Law Reform Commission (ALRC), which reported in August 2008, and to which the Australian Government partially responded in October 2009.

6.2        The Bill gives effect to that response, and the committee understands that a further response will be considered in separate legislation after the Bill's passage and implementation. The second stage response will relate primarily to health services and research provisions, as well as the ALRC recommendations not addressed in the government's first stage response.[1] 

6.3        According to the Attorney-General, the Bill aims to bring Australia's privacy protection framework into the modern era.[2] The committee commends such a reform, noting that Australia's privacy laws have not kept pace with the considerable social changes that have occurred since the Privacy Act was first enacted over 20 years ago.[3]

6.4        The reforms introduced in the Bill cover 197 of the 295 policy recommendations made by the ALRC and focus on four key objectives.[4] In this report, the committee has focussed on three key areas:

6.5        The committee notes that many issues in relation to these proposed amendments have previously been considered by both the ALRC and the Senate Finance and Public Administration Legislation Committee (F&PA committee) in its comprehensive examination of Exposure Drafts of the Bill in 2010-2011.[5] The committee acknowledges that certain issues continue to concern stakeholders but, in instances where the Australian Government has made and communicated clear policy decisions, the committee will not be revisiting those concerns in recommendations in this report.

Australian Privacy Principles

6.6        The creation of the APPs represents an important milestone in the reform of Australia's privacy laws. The committee welcomes the creation of a single set of privacy principles applicable to both Commonwealth agencies and private sector organisations (item 82 of Schedule 1 of the Bill).

6.7        Throughout the inquiry, stakeholders commented on both the APPs and their supporting provisions in Schedule 1 of the Bill. Based on the evidence received, the committee considers that individual privacy protections could be enhanced with some further legislative amendments in relation to key definitions and specific aspects of APP 2, APP 7 and APP 8.

Complexity of the APPs

6.8        The committee notes that, in 2011, the F&PA committee recommended that the draft APPs should be reconsidered with a view to improving their clarity and avoiding repetition.[6] In the current inquiry, the Attorney-General's Department (Department) confirmed that the APPs have been restructured to reduce length and repetition, particularly through the use of a table in proposed new section 16A (item 82 of Schedule 1).[7]

6.9        The committee notes that there remain concerns regarding the complexity of the APPs[8] but accepts the Department's view that ALRC Recommendation 5-2, which called for the Privacy Act to be redrafted to achieve greater logical consistency, simplicity and clarity, has been implemented effectively.[9] The Department advised the committee that it considers that the drafting style adopted in the Bill reflects current best drafting practice.[10]

6.10      Nonetheless, the committee considers that the introduction of the APPs must be complemented by educational resources and guidance material for individuals, government agencies and private sector organisations. A number of targeted recommendations in relation to education and guidance on specific APPs were made by the F&PA committee during the course of its inquiry, and those recommendations were endorsed by the Australian Government. However, the need for public awareness and education campaigns on the APPs generally, as well as APP-related guidance material for agencies and organisations, does not appear to have been considered in the F&PA committee's recommendations.

Australian Privacy Principle 2

6.11      The committee supports the introduction of APP 2, which gives an individual the right not to identify him or herself, or to use a pseudonym, when dealing with an APP entity in relation to a particular matter. The committee notes that this right is not absolute, including where it is 'impracticable' for an APP entity to deal with individuals who have not identified themselves (APP 2.2(b)).

6.12      Facebook, Google, IAB and Yahoo!7 suggested that the EM to the Bill should provide examples of impracticability, and that APP 2.2(b) should be extended to include individuals who have used a pseudonym.[11] The committee notes that the Australian Government is 'considering options to enhance clarity around the application of this exception'.[12] In that circumstance, the committee suggests that the government give consideration to amending APP 2.2(b) to refer to 'individuals who have not identified themselves or who have used a pseudonym'.

Recommendation 1

6.13      The committee recommends that the application of the exception in proposed APP 2.2(b) in item 104 of Schedule 1 be clarified to make it clear that APP 2.1 does not apply where it is impracticable for the APP entity to deal with 'individuals who have not identified themselves or who have used a pseudonym'.

Australian Privacy Principle 3

6.14      APP 3 prohibits an APP entity from collecting personal information (other than sensitive information) unless the information is 'reasonably necessary' for one or more of the entity's functions or activities. In the case of an agency, the information can also be 'directly related to' one or more of the entity's functions or activities.

6.15      The committee acknowledges the concerns of some stakeholders regarding the breadth of APP 3, and notes that the two components which are the cause of concern are the terms 'reasonably necessary' and 'directly related to'.

6.16      In response to the F&PA committee's 2010-2011 inquiry, the Australian Government stated its support for the use of the 'reasonably necessary' test in APP 3 on the grounds that this objective element 'is intended to reduce instances of inappropriate collection of personal information'.[13] The Department confirmed this policy position in evidence to the current inquiry.[14]

6.17      In relation to the 'directly related to' test in APP 3, the Australian Government accepted the F&PA committee's recommendation to limit this test to Commonwealth agencies only.[15] Submitters – such as the Law Council of Australia and the NSW Privacy Commissioner – argued that all APP entities, including private sector organisations, should be subject to the same obligations regarding the collection of personal information,[16] and that the 'directly related to' test for Commonwealth agencies should be removed from the Bill.

6.18      The government has previously considered the application of the 'directly related to' test. The committee accepts the Department's position that this test imports a defined element for Commonwealth agencies which are required to collect personal information to effectively carry out specific functions and activities, but which might not meet an objective 'reasonably necessary' test. In this context, Commonwealth agencies are also subject to stricter oversight and accountability mechanisms through the parliament, the executive and the Commonwealth Ombudsman.[17]

6.19      The committee also received evidence from some stakeholders regarding the current definition of 'consent' in subsection 6(1) of the Privacy Act and its application to APP 3.3. In 2008, the ALRC considered that the application of this term to the privacy principles should be guided by the Commissioner.[18] The Australian Government accepted this recommendation[19] and, in 2011, the F&PA committee supported its expeditious implementation.[20] The committee considers that the matter now rests with the Commissioner but notes that, in some instances, there may be strong arguments in favour of specific requirements for express consent – for example, in the collection of 'sensitive information'.[21]

Australian Privacy Principle 5

6.20      The committee supports the inclusion of a notification requirement in the APPs in relation to the collection of personal information. As noted by the Office of the Victorian Privacy Commissioner, APP 5 promotes transparency and ensures individuals are aware of their rights in relation to the collection of personal information by an APP entity.[22]

6.21      The committee notes stakeholders' concerns regarding the practical operation of the notification requirement in APP 5.1, and considers that the educational resources and guidance material to be developed and published by the Commissioner should help to address these concerns. In this context, the committee also observes that implementation issues are a particular matter for the APP codes and credit reporting codes to be developed in accordance with Schedule 3 of the Bill at a later time.

Australian Privacy Principle 6

6.22      APP 6 deals with the use or disclosure of personal information. The OAIC did not consider APP 6.3 to be a necessary provision.[23] APP 6.3 allows non-law enforcement agencies to disclose biometric information or biometric templates to 'enforcement bodies', subject to rules made by the Commissioner.

6.23      The Department advised the committee:

The policy intention of APP 6.3 is to enable non-law enforcement agencies to disclose biometric information and templates for a secondary purpose to enforcement bodies where an APP 6 exception, including the enforcement related activity exception, is not applicable. This may occur where the disclosure is for purposes such as identity/nationality verification or general traveller risk assessment, in circumstances where there is a legitimate basis for the disclosure but no criminal enforcement action is on foot...The policy rationale in APP 6.3 recognises that non-law enforcement agencies have current, and will have future, legitimate reasons to disclose biometric information and templates to enforcement bodies, but that this should occur within a framework that protects against improper disclosure.[24]

6.24      The committee accepts this position. In particular, the committee notes that the disclosure will be subject to oversight by the Commissioner and additional safeguards throughout the Privacy Act (due to the classification of biometric information and biometric templates as 'sensitive information').[25] The committee considers that these safeguards will curb any potential abuse of the provision.

Australian Privacy Principle 7

6.25      The committee notes that APP 7, dealing with direct marketing, has been significantly revised to improve its structure and clarity following a recommendation from the F&PA committee.[26] The committee agrees that the provision is much improved, and is consistent with the drafting style used in respect of other APPs which prohibit and then allow certain activities. The committee understands that this is a common approach:

[C]asting the principle as a 'prohibition' against certain activity followed by exceptions is a drafting approach used in principles-based privacy regulation to clearly identify the information-handling activity that breaches privacy, followed by any exceptions to this general rule that would permit an entity to undertake the activity.[27]

6.26      The committee accepts this rationale, but acknowledges the concerns raised by the Australian Direct Marketing Association, and others, regarding the heading to APP 7.1 ('Prohibition on direct marketing').[28] The committee does not perceive any particular justification for this heading, which is unique among the APPs. The committee agrees with stakeholders that it is likely to cause considerable confusion.

Recommendation 2

6.27      The committee recommends that, to avoid confusion, the subheading to proposed APP 7.1 in item 104 of Schedule 1 of the Bill be amended to read 'Use or disclosure' or 'Direct marketing', rather than 'Prohibition on direct marketing'.

6.28      In 2010-2011, the F&PA committee recommended that consideration be given to restructuring the exceptions to the general prohibition on direct marketing contained in APP 7.1.[29] The committee notes that these provisions – APP 7.2 and APP 7.3 – have not been substantively amended. In the current inquiry, the issue of most concern to stakeholders was the opt-out notification requirement in APP 7.3(d).

6.29      The committee heard stakeholders' concerns regarding the clarity and implementation of the requirement, particularly in relation to social media technologies. However, the committee is persuaded that the requirement is flexible and feasible, while requiring organisations to adapt to new direct marketing rules which enhance the privacy protections of consumers.[30]

6.30      The Australian Privacy Foundation argued that the opt-out mechanisms in APP 7.2 and APP 7.6 could be strengthened with the inclusion of similar notification requirements.[31] The committee notes that the distinction between these two provisions and APP 7.3 is the element of reasonable expectation: APP 7.2 provides for situations where an individual would reasonably expect a private sector organisation to use or disclose personal information for direct marketing purposes (APP 7.2(b)), whereas APP 7.3 applies to situations where there is no such expectation. The committee agrees, however, that, regardless of expectation, individuals might wish to opt out of direct marketing communications at any time.

Recommendation 3

6.31      The committee recommends that proposed APP 7.2 and APP 7.6 in item 104 of Schedule 1 of the Bill be amended to ensure consistency with the notification requirement in APP 7.3, and to provide individuals with the opportunity to opt out of direct marketing communications at any time.

Australian Privacy Principle 8

6.32      The committee received considerable evidence in relation to the cross-border disclosure of personal information, and recognises that this is a particularly complex legal and policy issue. The complexity arises from the creation of two regimes within the Bill,[32] conflict of laws issues and the competing interests of various stakeholders. In this regard, a balance must be struck between protecting the privacy of individuals and facilitating the free flow of information across national borders.

6.33      In general, most stakeholders supported the intent of APP 8 but expressed concerns regarding the accountability mechanism in proposed new section 16C of the Privacy Act. The committee notes concerns that an APP entity could be held liable for privacy breaches committed by an 'overseas recipient' even though the entity has taken all reasonable steps to prevent that breach.[33]

6.34      In evidence, departmental officers acknowledged the difficulties which could arise in a conflict of laws situation and for which there is no current solution.[34] In relation to inadvertent breaches – caused, for example, by hacking, fraud or an 'overseas recipient's' recklessness or negligence – the Department emphasised the need for privacy protection and for individuals to have a means of redress.[35] The committee accepts this position, noting that the circumstances of each case can be considered by the Commissioner investigating a complaint under Part V of the Privacy Act.

6.35      The committee also notes the Australian Government's stated policy position:

The exceptions in APP 8.2 have been carefully considered and the Government considers that they are justified. The Government considers that these exceptions provide appropriate and reasonable grounds for the transfer of accountability to an overseas recipient.  In all other situations, the Australian entity should continue to remain accountable for the protection of personal information.[36]

6.36      APP 8.2(b) provides an exception to APP 8.1 where an APP entity expressly informs an individual that consent to the disclosure of the information renders APP 8.1 inapplicable, and the individual then gives an informed consent to the cross‑border disclosure of their personal information. The OAIC expressed concern regarding the potential 'displacement' of the accountability mechanism,[37] and the committee agrees with the NSW Privacy Commissioner that APP 8.2(b) should better explain the practical effect and potential consequences of this displacement.[38]

Recommendation 4

6.37      The committee recommends that proposed APP 8.2(b) in item 104 of Schedule 1 of the Bill be amended to require an entity to inform an individual of the practical effect and potential consequences of any informed consent by the individual to APP 8.1 not applying to the disclosure of the individual's personal information to an 'overseas recipient'.

Recommendation 5

6.38      The committee recommends that the Explanatory Memorandum to the Bill be revised to clearly explain that an entity will be required to inform an individual of the practical effect and potential consequences of any informed consent by the individual to APP 8.1 not applying to the disclosure of the individual's personal information to an 'overseas recipient'.

'Enforcement body' and 'enforcement related activity'

6.39      The committee notes that item 17 of Schedule 1 of the Bill, defining the 'Immigration Department' (currently the Department of Immigration and Citizenship) as an 'enforcement body', was a matter of concern for the Office of the Australian Information Commissioner (OAIC) because the Immigration Department's usual activities are 'not of an enforcement related nature'.[39] The committee also notes that this aspect of the definition was not included in the Exposure Draft of the Bill. While the Explanatory Memorandum (EM) contains a brief statement regarding the appropriateness of this provision,[40] the committee considers that further details should be provided to give examples of the types of enforcement-related functions and activities which will be covered by the exception.

6.40      The committee also acknowledges the concerns of Liberty Victoria and the Australian Privacy Foundation regarding the addition of surveillance activities, intelligence‑gathering activities and other monitoring activities to the definition of 'enforcement related activity' (item 20 of Schedule 1 of the Bill). The EM justifies this amendment on the basis of accuracy and modernisation:

These types of activities have been included to update and more accurately reflect the range of activities that law enforcement agencies currently undertake in performing their legitimate and lawful functions of accuracy and modernisation.[41]

6.41      The committee suggests, however, that this explanation should be expanded to provide further guidance on what will constitute lawful use of an individual's personal information by 'enforcement bodies'.

Recommendation 6

6.42      The committee recommends that the Attorney-General's Department revise and reissue the Explanatory Memorandum to the Bill to clearly explain the enforcement-related functions and activities of the Department of Immigration and Citizenship, as justification for the classification of the 'Immigration Department' as an 'enforcement body' in item 17 of Schedule 1 of the Bill.

Recommendation 7

6.43      The committee recommends that the Attorney-General's Department revise and reissue the Explanatory Memorandum to the Bill to clearly explain the scope and intended application of the terms 'surveillance activities', 'intelligence gathering activities', and 'monitoring activities' in item 20 of Schedule 1 of the Bill.

'Permitted general situation'

6.44      Some stakeholders commented on proposed new section 16A of the Privacy Act (item 82 of Schedule 1 of the Bill), which consolidates and separates an exception repeated throughout various APPs in the Exposure Drafts of the Bill examined by the F&PA committee. In particular, the Law Council of Australia pointed out that it might be difficult to read and interpret the legislation due to the separation of the exception from its substantive provisions.[42]

6.45      The committee agrees that, in this regard, the legislation could be more 'user‑friendly', and considers that a relevant note at the end of each APP should be inserted where necessary. This applies equally to proposed new section 16B of the Privacy Act, which defines the 'permitted health situation' exception.

6.46      One exception contained in the definition of 'permitted general situation' relates to 'diplomatic or consular functions or activities' (item 6 in the table to proposed new subsection 16A(1) of the Privacy Act). The OAIC submitted that the scope of this exception is not clear.[43] The committee agrees that a clear explanation of the meaning of the phrase 'diplomatic and consular functions' would help identify the range of activities which are to be exempted from the application of the APPs.

Recommendation 8

6.47      The committee recommends that the provisions contained in item 82 of Schedule 1 of the Bill and for each Australian Privacy Principle which contains a 'permitted general situation' or 'permitted health situation' exception, a note should be added at the end of the relevant principle to cross‑reference proposed new section 16A of the Privacy Act 1988 and/or proposed new section 16B of the Privacy Act 1988, as appropriate.

Recommendation 9

6.48      The committee recommends that the Attorney-General's Department revise and reissue the Explanatory Memorandum to the Bill to explain the intended scope and application of the 'diplomatic or consular functions or activities' exception set out in item 6 in the table to proposed new subsection 16A(1) of the Privacy Act in item 82 of Schedule 1 of the Bill.

Credit reporting definitions

6.49      The committee notes the numerous comments regarding amendments to the general definitions in subsection 6(1) of the Privacy Act and key definitions relating to credit reporting in proposed new Division 2 of Part II (Interpretation) of the Privacy Act (item 69 of Schedule 2 of the Bill). The committee will not comment on each proposed definition but focuses its attention instead on those definitions which appear to be most contentious or significant.

'Australian link'

6.50      The committee heard that the 'Australian link' requirement in proposed new paragraph 21G(3)(b) of the Privacy Act will significantly affect a number of stakeholders' business operations. Departmental representatives assured the committee that such an effect is not intended and a solution is currently being considered.[44] The committee is therefore confident that this concern will be addressed in due course.

6.51      The Bill proposes two new regimes for the cross-border disclosure of personal information: the 'Australian link' requirement, which is used throughout proposed new Part IIIA of the Privacy Act (credit reporting provisions); and the general obligations set out in APP 8, supported by an accountability mechanism in proposed new section 16C of the Privacy Act (item 82 of Schedule 1 of the Bill).

6.52      In relation to proposed new section 21G, the committee understands that the 'Australian link' requirement creates a special rule for the cross-border disclosure of 'credit eligibility information'[45] and is entirely separate from the APP 8 regime. While some finance and credit industry stakeholders questioned the need for the two regimes, the committee accepts that the Australian Government has carefully considered the structural approach adopted in the Bill.[46]

Key definitions

6.53      The committee appreciates that the proposed key definitions relating to credit reporting are numerous and, in some instances, circuitous. In this regard, the committee notes the stated need for specific terms which correlate with information flows in the credit reporting system, as well as the APPs in Schedule 1 of the Bill.[47] The committee also notes the Commissioner's new guidance‑related function (item 54 of Schedule 4 of the Bill), which includes promoting an understanding and acceptance of the credit reporting provisions, and the Australian Government's previous commitment to educate and inform stakeholders in the transition phase of the Bill.[48]

'Default information'

6.54      The committee acknowledges concerns regarding proposed new subsection 6Q(1) of the Privacy Act (item 69 in Schedule 2 of the Bill) (key definition of 'default information'). With respect to notification and listing processes, the committee agrees with the Consumer Credit Legal Centre (NSW) that, after receiving written notification of a default, consumers should have a period of time in which to rectify that default before a listing can be made.

6.55      The Australian Communications Consumer Action Network suggested that a 'credit provider' should be required to notify an individual of the intention to make a default listing. The committee does not consider this notification to be necessary but agrees that consumers should be aware of the potential outcome of a failure to rectify a default.

6.56      The committee agrees with the threshold amount in proposed new subparagraph 6Q(1)(d)(i) (item 69 of Schedule 2) being increased to avoid the capture of relatively small debts as a consumer credit default, particularly those related to telecommunications and utility debts. Noting that a $300 minimum attracted the most support, the committee suggests that the Australian Government actively consider increasing the threshold to at least this amount.

6.57      The committee understands that there are a number of industry views regarding the time in which a listing should be made. The committee agrees that there should be some certainty in the process, particularly to avoid the potentially adverse effects identified by the Energy & Water Ombudsman NSW – for example, considerably delayed default listings.[49] The Australian Government has previously supported clarification on this issue,[50] and the committee endorses the view that appropriate guidance should be provided in the industry‑developed credit reporting code.

6.58      The committee agrees with the Financial Ombudsman Service that individuals experiencing financial hardship should not be discouraged from approaching their 'credit provider' in order to negotiate a hardship arrangement under the National Consumer Credit Protection Act 2009 (National Consumer Credit Protection Act).[51] The committee is concerned to hear that individuals are increasingly being default‑listed while negotiating such arrangements, and therefore supports better alignment between the National Consumer Credit Protection Act and the Privacy Act.

Recommendation 10

6.59      The committee recommends that proposed new subsection 6Q(1) in item 69 of Schedule 2 of the Bill be amended to require an appropriate amount of time, such as 14 days, to have elapsed from the date of a written notice before a default listing can occur.

Recommendation 11

6.60      The committee recommends that the written notification in proposed new subsection 6Q(1) in item 69 of Schedule 2 of the Bill be amended to include a warning about the potential for a default listing by a 'credit provider' in the event that an overdue amount is not paid within a set period of time.

Recommendation 12

6.61      The committee recommends that proposed new subparagraph 6Q(1)(d)(i) in item 69 of Schedule 2 of the Bill be amended to reflect $300, or such higher amount as the Australian Government considers appropriate, as the minimum amount for which a consumer credit default listing can be made.

Recommendation 13

6.62      The committee recommends that the Office of the Australian Information Commissioner, in formulating guidelines under proposed new section 26V in item 29 of Schedule 3 of the Bill, include as a criterion the timeframe within which an individual's 'default information' can be listed by a 'credit provider'.

Recommendation 14

6.63      The committee recommends that the Office of the Australian Information Commissioner, in formulating guidelines under proposed new section 26V in item 72 of Schedule 2 of the Bill, include a requirement for credit providers to fully consider an application for financial difficulty assistance under the National Consumer Credit Protection Act 2009 before an individual's 'default information' can be listed.

'Serious credit information'

6.64      Submitters and witnesses also raised specific concerns regarding the proposed new definition of 'serious credit infringement' in subsection 6(1) of the Privacy Act (item 63 of Schedule 2 of the Bill).

6.65      The committee recognises the significance and potential consequences of listing a 'serious credit infringement' as part of a consumer's 'credit information'. The committee considers it appropriate for a 'credit provider' to be required to take such steps as are reasonable in the circumstances (proposed new paragraph (c)(ii)) for at least six months (proposed new paragraph (c)(iii)) in an effort to contact a debtor.

6.66      The committee does not accept that the proposed definition of 'serious credit infringement' should be removed from the Bill, as suggested by the Consumer Action Law Centre. Instead, the committee agrees with the view expressed by the Australian Law Reform Commission in its 2008 report that 'credit providers' have a legitimate interest in sharing information about the conduct of individuals that falls short of fraud.[52] The committee endorses the approach adopted in the Bill, an approach which the committee considers does not diminish the serious nature of fraud.

'New arrangement information'

6.67      The committee notes that pre-default hardship arrangements are governed by provisions in the National Consumer Credit Protection Act, whereas post-default hardship arrangements are to be dealt with as 'new arrangement information' under the Privacy Act.

6.68      The committee is concerned to have heard that the non-alignment of these two regimes could operate to the detriment of individuals who are complying with a hardship arrangement. The ANZ Banking Group Limited suggested that the credit reporting system could note this compliance and avoid adversely affecting an individual's credit file and future ability to obtain credit.[53] However, the committee received evidence from Ms Katherine Lane of the Consumer Credit Legal Centre (NSW) that any such notation could discourage consumers from requesting hardship variations under section 72 of the National Consumer Credit Protection Act.[54]

6.69      The committee therefore notes and agrees with the Department:

Hardship variations cannot be listed as part of an individual's credit reporting information. The Government is concerned that permitting the listing of hardship variations may act as a deterrent to individuals seeking hardship variations in appropriate circumstances (including following a natural disaster) and this would be contrary to the intention of providing the right to request a hardship variation.[55]

Regulation of credit reporting

6.70      In relation to proposed new Part IIIA of the Privacy Act (item 72 of Schedule 2 of the Bill), the committee comments on various provisions as follows.

Permitted disclosures by credit reporting bodies and repayment history information

6.71      In her second reading speech, the Attorney-General noted that direct provision of 'repayment history information' will be restricted to 'credit providers' who are subject to responsible lending obligations under the National Consumer Credit Protection Act.[56] Proposed new section 20E of the Privacy Act (Use or disclosure of credit reporting information) gives effect to this policy proposal in relation to the disclosure of 'credit reporting information' by 'credit reporting bodies'.

6.72      The committee acknowledges the concerns of industry stakeholders which are not 'licensees' under the National Consumer Credit Protection Act. However, the committee notes:

The purpose of the credit reporting system is to balance an individual's interests in protecting their personal information with the need to ensure sufficient personal information is available to assist a credit provider to determine an individual's eligibility for credit following an application for credit by an individual, and for related matters.[57]

6.73      The committee also notes the proposed Objects clause of the Privacy Act (item 1 of Schedule 4 of the Bill) and, in particular, the first objective of promoting the privacy of individuals. In view of these objectives, the committee considers that it is appropriate to curtail the dissemination of individuals' 'repayment history information' even though its availability might be considered beneficial to, or more desirable for, certain sectors of the finance and credit industries.

6.74      On a separate matter, the committee acknowledges evidence provided by the Consumer Credit Legal Centre (NSW) indicating that the inclusion of 'repayment history information' in the credit reporting provisions of the Bill could be used to increase interest rates charged under a consumer credit contract. According to Ms Katherine Lane, this outcome would be detrimental to the most vulnerable of consumers in circumstances where they may have incurred only minor credit defaults.[58]

Use or disclosure of de-identified credit reporting information

6.75      Proposed new section 20M of the Privacy Act, preventing the use and disclosure of de‑identified 'credit reporting information', also concerned several industry stakeholders. The committee heard arguments concerning the appropriateness of this provision and the value of de-identified data in the information economy.

6.76      A representative from the Department highlighted that the Bill has been drafted to prohibit all uses, disclosures and collections of personal information with permitted exceptions, including in relation to the secondary use of 'credit reporting information'. Further, the committee notes the Australian Government's express recognition of, and allowance for, 'research purposes that are deemed to be in the public interest and have a sufficient connection to the credit reporting system', subject to existing rules developed by the Office of the Australian Information Commissioner.[59]  

6.77      The committee considers that it is appropriate for secondary uses of 'credit reporting information' to be regulated, particularly when it might be possible to re‑identify the information.[60] The committee is not persuaded that proposed new section 20M will prevent industry from conducting relevant research activities and is of the view that there might also be merit in prohibiting the re‑identification of de‑identified 'credit reporting information'[61] as an additional precautionary measure for the protection of individuals' personal information.

Recommendation 15

6.78      The committee recommends that the Australian Government consider prohibiting the re-identification of 'credit reporting information' which has been de-identified for research purposes in accordance with proposed new subsection 20M(2) in item 72 of Schedule 2 of the Bill, and whether a proportionate civil penalty should apply to any breach of that prohibition.

Correction of personal information and third party application

6.79      Proposed new subsections 20T(1) and 21V(1) (item 72 of Schedule 2) of the Privacy Act enable an individual to request the correction of certain personal information held by 'credit reporting bodies' and 'credit providers'. The committee notes that the entity concerned need not hold the disputed information, but will be required to deal with the correction request and assist the individual to have their personal information corrected.[62] 

6.80      As noted by the Australasian Retail Credit Association, this requirement might be complex because of its focus on an operational process rather than an outcome.[63] The committee agrees that it might be more expedient for the recipient of a complaint to be able to refer a complainant to a more appropriate respondent; however, the committee is not persuaded that the Bill's proposed corrections process is unworkable. As suggested by the Office of the Australian Information Commissioner,[64] the process should be improved to strengthen its consumer protections.

Recommendation 16

6.81      The committee recommends that proposed new sections 20T and 21V in item 72 of Schedule 2 of the Bill be amended to:

Correction of personal information and time to correct

6.82      The committee acknowledges the views of the Energy & Water Ombudsman NSW and the Telecommunications Industry Ombudsman, which argued that corrections to personal information should be made expeditiously.[65] The committee also notes the evidence of: the Australian Privacy Commissioner, Mr Timothy Pilgrim, who argued that where information is in dispute, the investigation leading to correction could well require more than the 30 days stipulated in proposed new subsections 20T(2) and 21V(2) (item 72 of Schedule 2) of the Privacy Act;[66] and consumer advocates, such as the Consumer Credit Legal Centre (NSW), which argued that, consistent with ALRC Recommendation 59-8, 'credit reporting bodies' and 'credit providers' should substantiate disputed listings within 30 days.[67]

6.83      In the circumstances, the committee considers that the 30‑day timeframe is appropriate but an additional consumer protection would serve to prevent any possible prejudice to an individual while a corrections request is being investigated.[68]

Recommendation 17

6.84      The committee recommends that the regulations made pursuant to section 100 of the Privacy Act 1988 provide a mechanism for 'credit reporting bodies' and 'credit providers' who have received a request for the correction of an individual's personal information to note on the individual's credit file that a correction is under investigation, with the notation to be removed upon completion of that investigation.

Correction of personal information and the concept of fairness

6.85      The Consumer Credit Legal Centre (NSW) highlighted that proposed new section 21V, and presumably also proposed new section 20T (both in item 72 of Schedule 2), does not allow for listings to be corrected in circumstances where a reasonable person would consider the listing to be unfair.[69] The committee believes that exceptional circumstances – such as natural disasters, bank error, fraud, medical incapacity, and mail theft – warrant such an allowance.

Recommendation 18

6.86      The committee recommends that the Bill be amended to enable a 'credit reporting body' or 'credit provider' to correct an individual's personal information in exceptional circumstances, such as in the case of natural disasters, bank error, fraud, medical incapacity, and mail theft.

Complaints procedures and third party issues

6.87      The committee notes the various concerns in relation to the complaints procedures in proposed new Division 5 of the credit reporting provisions. One example is the argument that the regime will prove impractical given the possibility of one entity needing to consult another entity about the complaint (proposed new subsection 23B(2); item 72 of Schedule 2).[70] Several stakeholders suggested that, to be effective, the Bill should allow the recipient of a complaint to refer a consumer to the entity which is the subject of the complaint.

6.88      The committee accepts the Department's evidence that the recipient of a complaint can refuse a complaint if it does not involve them,[71] and observes that the legislative provisions do not preclude the recipient of the complaint from referring a consumer to the appropriate entity.

Commencement

6.89      The committee received evidence from the finance and credit industries regarding the adequacy of lead time should the credit reporting reforms commence nine months after receiving Royal Assent. Submitters and witnesses expressed a range of views on alternative commencement dates, with suggestions ranging from 12‑18 months calculated from specific points in the reform process to a date to be determined by the Attorney-General.

6.90      The committee notes that the Australian Government has engaged, and continues to engage, in extensive consultations with industry stakeholders regarding the reforms to Australia's privacy legislation. In the current inquiry, it was apparent that the number of contentious issues has been significantly reduced and the outstanding issues now under examination are quite specific.

6.91      In relation to the commencement date, the committee accepts the need for certainty in what has been a very lengthy and complex reform process. Noting the 2010-11 inquiries into the Exposure Drafts of the Bill by the Senate Finance and Public Administration Legislation Committee (F&PA committee), and the current public consultation in relation to the draft regulations, the committee considers that the proposed reforms are sufficiently advanced for industry to be well aware of the extent and nature of implementation measures required by the Bill.

6.92      The committee therefore accepts the Department's view that a commencement date of nine months is certain and appropriate.[72] The committee commends the Department for its acknowledgement of stakeholders' ongoing concerns;[73] however, the committee is of the view that, in the interests of certainty for all stakeholders, the commencement date should remain at nine months after Royal Assent.

Recommendation 19

6.93      The committee recommends that the commencement date for the Bill remain at nine months after the Bill receives Royal Assent in order to provide certainty for all relevant stakeholders.

6.94      As a final note, the committee observes that the Australian Government previously accepted the F&PA committee's recommendation to consult industry and consumers during the transitional phase of implementation.[74] The government's response also stated:

The development of effective education and information resources by stakeholders and for stakeholders will be undertaken during the transition to the new regime. The Government anticipates that both industry and the Office of the Australian Information Commissioner...will play a significant role in providing education and assistance.[75]

6.95      The committee endorses this approach to raising public awareness and educating consumers about the impending privacy reforms.

Recommendation 20

6.96      The committee recommends that, before the Bill's commencement date, the Office of the Australian Information Commissioner – in consultation with the Attorney-General's Department, as appropriate – develop and publish material informing consumers of the key changes to privacy legislation as proposed by the Bill, and providing guidance to Commonwealth agencies and private sector organisations to ensure compliance with the new legislative requirements.

6.97      In conclusion, the committee commends the reform of Australia's privacy protection framework. The Bill represents one component of this reform and, while some specific amendments have been proposed by the committee, overall the committee supports the Bill and recommends its passage.

Recommendation 21

6.98      Subject to the preceding recommendations, the committee recommends that the Senate pass the Bill.

 

Senator Trish Crossin

Chair
