Submission - Credit Reporting Regulatory Framework: Submission to ALRC Privacy Inquiry (December 2007)

2.2. General privacy issues – notice and consent

This section discusses generic privacy concerns that apply to all personal information, usually resulting in basic privacy protections such as requirements for notice and consent regarding the use and disclosure of personal information.

Consumer harm may arise where personal information is used or disclosed without adequate notice and/or consent or where personal information is used in applications that are outside the expectation of the consumer. The nature of the harm itself may vary – sometimes the harm will be a breach of a fundamental human right to privacy, whether or not it leads to any other consequences (such as embarrassment, financial loss, increased risk of harm etc.).

In DP72, the ALRC proposes a streamlined set of Unified Privacy Principles (UPPs) to replace the existing Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) in the Privacy Act 1988.[2] The proposed UPPs are a significant improvement and simplification of existing law, and businesses should find it easier to comply with the UPPs. The UPPs provide generic notice and consent requirements.

In the credit reporting environment there is strong support for applying notice and consent requirements to credit reporting information. However, there are practical impediments to applying the specific consent provisions contained in the proposed UPPs to credit reporting information. Consent is difficult to obtain in the credit reporting environment – as information is collected from third parties, rather than directly from the consumer.

Removing or restricting the role of consent as a privacy protection can be justified by reference to the public benefit delivered by an effective credit reporting regime. This position is now broadly accepted and there is wide support for the ALRC’s proposal to reduce reliance on consent and to instead regulate credit reporting through specific Privacy (Credit Reporting Information) Regulations.

There is debate over whether the generic notice requirements in the UPPs are adequate for the credit reporting environment. Also, the current PART IIIA provisions only require credit providers to give notice (not other parties) and only at very limited times (time of application and time of refusal).

The notice requirements may need to be strengthened to re-balance privacy protection following the loss of consent requirements. This could be achieved by adding specific notice requirements to the proposed Privacy (Credit Reporting Information) Regulations. For example, the Office of the Privacy Commissioner (OPC) Submission to the ALRC Issues Paper 32 (IP32)[3] stated:

There is value in requiring credit providers to give individuals notice when certain events occur, such as default listing or a debt assignment, which could result in an adverse listing being placed on their credit information file.[4]

The Banking and Financial Services Ombudsman (BFSO) Submission argues for a more explicit regulatory requirement (in either the Act or the recommended credit reporting industry Code[5]) requiring a credit provider to notify a consumer as part of the debt collection process:

Ideally, the credit reporting agency would notify the individual each time a default or serious credit infringement listing is made or altered, including when any publicly available information such as a court order or bankruptcy is added to the credit information file.[6]

The Nigel Waters Submission argues that the law could be clearer about the timing of notice:

[T]here should be a requirement to notify at or prior to any significant event including the initial collection, listing a default, assigning a debt, or commencing debt collection, in addition to the existing requirement to notify refusal of credit on the basis of an adverse credit report.[7]

There are similar suggestions in other non-industry submissions to the ALRC.

Overall, this Report concludes that if consent is removed as a protection, the other general privacy requirements need to be strengthened in order to re-balance generic privacy protections. Notice is the key remaining protection, and notice can be strengthened by making it clearer and more timely. Such an approach is canvassed by the ALRC in their Proposal 52-10 in DP72 – although few details are provided.

In particular, notice should be provided at a time when the consumer has a chance to take action regarding any inaccuracies in the data. The key stages are set out in the table below:


Current Regulation

Future Regulation

Application for credit

Section 18E(8)(c), Part IIIA, Privacy Act 1988

Privacy (Credit Reporting Information) Regulations

Refusal of credit following use of credit reporting information

Section 18M, Part IIIA, Privacy Act 1988

Privacy (Credit Reporting Information) Regulations

Listing of a default

Notice at the time of listing a default is not subject to specific regulation, although it appears to be common practice with mainstream lenders.

Privacy (Credit Reporting Information) Regulations

Assignment of a debt

Privacy (Credit Reporting Information) Regulations

Commencement of debt collection activities

Privacy (Credit Reporting Information) Regulations

Notice requirements


[2] Privacy Act 1988 (Cth), <>.

[3] Australian Law Reform Commission, Review of Privacy – Credit Reporting Provisions, Issues Paper 32, December 2006, <>.

[4] Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission’s Review of Privacy – Issues Paper 32 Credit Reporting Provisions, 13 April 2007, page 34, <>.

[5] Proposal 50-11, DP72.

[6] Banking and Financial Services Ombudsman, Review of Privacy – Credit Reporting Provisions: Issues Paper 32 – Submission by Banking and Financial Services Ombudsman Limited, March 2007, page 16, <>.

[7] Waters N, Implementing privacy principles in Credit Reporting Submission to the Australian Law Reform Commission on the Review of Privacy Issues Paper 32: Credit Reporting Provisions, Cyberspace Law and Policy Centre, 31 March 2007, page 12, <>.