Submission - Credit Reporting Regulatory Framework: Submission to ALRC Privacy Inquiry (December 2007)

2.11. Use of credit reporting information

Current regulation restricts access to credit reporting information to a limited set of credit providers. However, some credit reporting agencies offer additional services and applications that require them to also collect, use and disclose non-credit reporting information. For example, personal information that forms part of credit reporting information may also be useful in verifying evidence of identity claims. This is a growing area of business following the passage of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).[32]

Some industry submissions to the ALRC have argued for consistent regulation across all of their activities. This could be achieved by broadening the definition of credit reporting information to include information used for other purposes.

It is likely that there will be some sympathy for organisations who find themselves subject to two separate, inconsistent privacy regulations (the UPPs and the Privacy (Credit Reporting Information) Regulations). However, use of personal information outside of the credit reporting environment will ultimately fail the specific credit-related public benefit test that has been used to justify the ‘special’ regulation of credit reporting information. The application of the Privacy (Credit Reporting Information) Regulations should remain as tight as possible, and credit reporting agencies will have to comply with the UPPs for all their other activities. They can draw some comfort from the simplification of the proposed UPPs compared to earlier privacy requirements.

The OPC has made some useful recommendations on this issue:

The Office suggests that consideration be given to the inclusion of an express provision in Part IIIA prohibiting the collection of an individual’s credit information file by employers, insurers and government agencies... As a general principle, the Office submits that only credit providers should be able to access information from credit information files unless there are cogent public interest reasons why other persons should.[33]

It is important to keep credit reporting regulation as simple as possible. It is already a complex area requiring specific regulation and possibly an industry Code. This regulation will be made more complex if access to credit reporting information is extended beyond credit providers.

It is also important to note that the economic/public benefit arguments used to justify the special treatment of credit reporting are based on lending dynamics – not employment or other potential applications. If other systems develop that seek access to this type of information they should be consent based and covered by the UPPs.

It may be necessary to include this restriction in the Privacy Act 1988 itself rather than in the proposed Privacy (Credit Reporting Information) Regulations. This would help to avoid future industry efforts to lobby for access to credit reporting information for specific issues or one-off incidents. The Act will need to contain a provision setting out the broad role of the regulations, so this section may provide a useful location for this restriction. 

[32] Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), <$file/AntiMoneyLaundCountTerrFin2006.pdf>.

[33] Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission’s Review of Privacy – Issues Paper 32 Credit Reporting Provisions, 13 April 2007, pages 51, 58,