Galexia

Submission - Credit Reporting Regulatory Framework: Submission to ALRC Privacy Inquiry (December 2007)

3.1. Regulatory framework overview

The starting point for developing an effective regulatory framework for credit reporting is to accept that credit reporting is ‘different’ to most other information practices. It raises a complex combination of privacy, consumer and economic issues that may never be adequately addressed in a single regulatory instrument.

From a privacy perspective, credit reporting needs a specific approach because consent, the usual privacy protection, is not available as a practical protection in the credit reporting environment.

From a consumer protection perspective, credit reporting is a small subset of broader consumer issues in the marketing and provision of credit, and is difficult to regulate as a stand-alone function.

In addition, there is a broader debate about the style and structure of effective regulation in Australia:

  • Responsive regulation
    John Braithwaite has developed a theory of ‘responsive regulation’ that has become very popular in Australia. Broadly, this theory argues that the degree of government regulation should depend upon the behaviour of those regulated.[82] In the credit reporting environment this approach would encourage the development of a tiered approach to regulation, with an industry Code containing the majority of requirements, and legislation only coming into play in ‘response’ to specific concerns. In practice, the credit reporting sector already has a long history of problems in areas like data quality that have resulted in regulation being escalated to the legislation layer. Once there, it is difficult for the industry to justify a return to the self-regulatory layer without being able to display significant improvements.
  • Hybrid regulation
    The use of hybrid regulatory systems has significant support in Australia.[83] This approach is particularly concerned with ‘quasi-regulation’, a system of regulation that is not explicitly government regulation (i.e. not all regulation is black-letter law) but with which private sector bodies are encouraged by the government to comply. Hybrid regulation might also involve ‘co-regulation’, where the regulation is created by industry but is underpinned by legislation. The majority of financial services regulation in Australia is a form of hybrid regulation.

The following advice on the development of an efficient regulatory framework for credit reporting is based on a tiered or hybrid regulatory approach.

This broad approach is consistent with the proposals of the ALRC in DP72. Their regulatory framework is summarised as follows:

[T]he ALRC proposes a model for new credit reporting regulation. Under this model, the credit reporting provisions of the Privacy Act would be repealed and credit reporting regulated under the general provisions of the Act and the proposed UPPs. Privacy rules imposing obligations on credit reporting agencies and credit providers specifically would be promulgated in regulations under the Act in the proposed Privacy (Credit Reporting Information) Regulations.[84]

In addition, the ALRC proposes the development of an industry Code:

Proposal 50-11: Credit reporting agencies and credit providers should develop, in consultation with consumer groups and regulators, including the Office of the Privacy Commissioner, an industry code dealing with operational matters such as default reporting obligations and protocols and procedures for the auditing of credit reporting information.

The findings and recommendations in this Report are also based on several key assumptions about credit reporting:

  • Credit reporting is different from most information practices and cannot be effectively regulated by generic privacy law;
  • Credit reporting is difficult to separate from the marketing and provision of credit, so credit reporting regulation needs to be considered together with general credit regulation; and
  • The ALRC review of privacy legislation is an important opportunity to achieve reform of credit reporting regulation, but it is not the only appropriate forum for reform.

The result of applying these assumptions is that the regulatory framework clearly requires multiple elements or layers. This Report finds that the development of an effective regulatory framework for credit reporting requires three broad elements:

  • General principles;
  • Detailed regulations; and
  • Industry operating rules.

However, the exact application and location of these three elements needs to take into consideration the overlap between privacy and consumer protection issues.

Using this structure, the Report makes the following findings:

 

General principles: Privacy Findings

These would normally be the UPPs in the Privacy Act 1988, but in the case of credit reporting the Act may serve only as a place-holder for the proposed Privacy (Credit Reporting Information) Regulations which will contain the general principles for credit reporting.

The principles used in this Report for determining when an element should be included in the Privacy Act 1988 are:

  • The issue must, in substance, be a privacy issue rather than a consumer protection issue;
  • The issue requires certainty, rather than flexibility;
  • The issue relates to fundamental privacy rights, rather than minor consumer concerns or basic operational matters.

General principles: Consumer Protection Findings

The Report finds that one of the criticisms of credit regulation in Australia is that there are no general fairness principles for credit providers, in contrast to the general principles that apply to other financial services providers.

No general principles are in place regarding responsible lending or responsible credit marketing (in stark contrast to other jurisdictions such as the UK and USA).

Detailed regulations: Privacy Findings

The Report finds that the proposed Privacy (Credit Reporting Information) Regulations are likely to form the core of privacy protection in the credit reporting environment. This Report adopts the following tests for the content of the proposed Regulations:

  • The issue must, in substance, be a privacy issue rather than a consumer protection issue;
  • The issue requires a degree of flexibility – Regulations can be amended more quickly than the Privacy Act 1988 itself;
  • The issue relates to fundamental privacy rights, rather than minor consumer concerns or basic operational matters.

Detailed regulations: Consumer Protection Findings

The Report finds that some detailed regulations are currently provided in State and Territory legislation, including the UCCC and the draft Finance Broking Bill.

However, they do not adequately cover responsible lending or responsible credit marketing across the entire credit market.

Industry operating rules and best practice: Privacy Findings

This Report finds that there is support for an industry Code to act as an additional layer of regulation. This Report adopts the following tests for the content of a potential industry Code:

  • The issue might be a privacy issue or a consumer protection issue (or both);
  • The issue requires significant flexibility – the industry Code may potentially be quick to amend;
  • The issue does not relate to fundamental privacy rights;
  • The issue relates to minor consumer concerns or basic operational matters; or
  • The issue regards industry branding or cooperation.

Industry operating rules and best practice: Consumer Protection Findings

The Report finds that some general best practice guidance may be available through industry Codes and also sometimes through regulator guidelines (e.g. ASIC / ACCC Debt Collection Guidelines).

However, at this stage there is no best practice guidance available for responsible lending or responsible credit marketing.

 


[82] Braithwaite J, Rewards and Regulations, Journal of Law and Society, vol 29, no 1, March 2002, pages 12–26, <http://www.anu.edu.au/fellows/jbraithwaite/_documents/Articles/Rewards_Regulation_2002.pdf>.

[83] Commonwealth Inter-Departmental Committee on Quasi-Regulation, Black-Letter Law, December 1997, <http://www.obpr.gov.au/__data/assets/pdf_file/0006/69666/greyletterlaw.pdf>.

[84] Paragraph 50.160, DP72.