Submission - Credit Reporting Regulatory Framework: Submission to ALRC Privacy Inquiry (December 2007)
3.2. Privacy Regulation
- 3.2.1. General principles
- 3.2.2. Detailed regulations
- 3.2.3. Industry operating rules and best practice
3.2.1. General principles
General principles for privacy regulation of credit reporting will need to be different from the proposed UPPs in the Privacy Act 1988. The UPPs rely heavily on consent as the major privacy protection, and consent is not available as a practical tool in the credit reporting environment. It would be dangerous to try to amend the UPPs to allow for the specific requirements of the credit reporting environment, as this might weaken the overall protection offered by the UPPs for all types of information. Ultimately a different set of principles will need to be applied to credit reporting.
It is possible that these principles could be located in the Privacy Act 1988, as a separate section on credit reporting. Alternatively, the Privacy Act 1988 could just be used as the legislative ‘hook’ for Regulations that contain both the general principles and the detailed regulations (see below).
Also, the UPPs will be almost impossible to change quickly, so it is risky for credit reporting issues to be covered by the UPPs alone when we know that the industry is entering a period where there may be dynamic changes in the environment, leading to a need for some regulatory flexibility.
Stakeholders noted that there were good reasons for developing a regulatory response to credit reporting that goes further than the UPPs. The Office of the Privacy Commissioner stated: ‘the Office considers that credit reporting does require a certain level of prescription to ensure that credit providers, credit reporting agencies and individuals understand their obligations and rights’. The Consumer Action Law Centre stated: ‘we are strongly opposed to a reliance on the NPPs alone or to a self-regulatory system.’
The Principles used in this Report for determining when an element should be included in the Privacy Act 1988 are:
- The issue must, in substance, be a privacy issue rather than a consumer protection issue;
- The issue requires certainty, rather than flexibility;
- The issue relates to fundamental privacy rights, rather than minor consumer concerns or basic operational matters.
This Report recommends that the Privacy Act 1988 should contain a brief section on credit reporting that includes four key elements:
- A definition of credit reporting and credit reporting information;
- A requirement that credit reporting and credit reporting information are to be regulated by the proposed Privacy (Credit Reporting Information) Regulations;
- A broad principle limiting the extent of access to credit reporting information to credit providers and organisations that require access to credit reporting information for the management of credit (e.g. debt collectors); and
- A broad principle that complaints can be made to the Office of the Privacy Commissioner in relation to credit reporting in accordance with both the Act and Regulations.
All other credit reporting privacy regulation would be included in the proposed Privacy (Credit Reporting Information) Regulations or in a potential industry Code.
One contentious area in the approach suggested in this Report is that we argue that access to credit reporting information should be restricted in a provision in the Act to “credit providers and organisations that require access to credit reporting information for the management of credit”. This effectively establishes a ‘tight’ primary purpose for credit reporting information that should prove useful in the application of use and disclosure principles.
This is a much narrower scope than some other jurisdictions where access is granted to employers, real estate agents and other parties that do not play a role in the management of credit.
In Australia, industry is not seeking broad access to credit reporting. However, there are some calls to allow access to credit reporting information for specific secondary purposes. The most notable example is efforts to use credit reporting information for verifying evidence of identity claims. This is a growing area of business following the passage of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
We propose that secondary purposes should be strictly limited in order to avoid potential function creep. The use and disclosure of personal information for a secondary purpose cannot be managed by consent in the credit reporting environment, so other methods may need to be adopted to manage and limit secondary use in credit reporting. The current method for restricting secondary use is to rely on a list of permitted uses in the legislation (e.g. Section 18K and Section 18L of Part IIIA of the Privacy Act 1988).
At this stage identity verification is not listed as an allowable use. The direct inclusion of identity verification in this list (without further tests) may be difficult, as Parliament has had several opportunities to include identity verification and has chosen not to do so.
In relation to secondary use, the ALRC Discussion Paper 72 makes the following Recommendation:
Proposal 53-2: The proposed Privacy (Credit Reporting Information) Regulations should provide that, in addition, a credit reporting agency or credit provider may use or disclose credit reporting information for related secondary purposes, as permitted by the proposed ‘Use and Disclosure’ principle.
The secondary use provisions in UPP 5. Use and Disclosure would not allow identity verification to proceed, as it is simply not related to the primary purpose of collection of credit reporting information. None of the other exceptions in UPP 5 would appear to apply, especially as consent is unavailable.
However, an alternative method for limiting secondary purposes and function creep would be to include a detailed test for an ‘allowable’ secondary purpose in the Act. This may require further consideration, but an initial test might require any secondary purpose to satisfy all of the following conditions:
- The secondary purpose must primarily be for the benefit of the individual;
- The secondary purpose must be for a purpose that the individual would be likely to consent to (if effective consent were practicable);
- The secondary purpose must be for a general public benefit or community economic benefit rather than merely for private economic gain; and
- The secondary purpose must not result in an increased overall risk of privacy harm through either the secondary purpose itself or its contribution to ‘function creep’.
It is possible, although not certain, that the application of these tests might result in identity verification being included as an allowable secondary purpose for the use and disclosure of credit reporting information.
3.2.2. Detailed regulations
The ALRC suggests in DP72 that the proposed Privacy (Credit Reporting Information) Regulations will form the core privacy regulation for credit reporting. The regulations will include both general privacy principles that are relevant for the credit reporting environment and detailed regulations for the credit reporting agencies and organisations that access credit reporting information.
This is an approach that is supported in this Report.
It is important to note that these will be regulations made under the Privacy Act 1988 so they can only provide coverage of issues that are privacy specific – they will not be able to cover general consumer protection issues. The Regulations must be aligned with the objectives of the Privacy Act 1988 – these are likely to change as per the following ALRC recommendation:
Proposal 3-4: The Privacy Act should be amended to include an objects clause. The objects of the Act should be to:
(a) implement Australia’s obligations at international law in relation to privacy;
(b) promote the protection of individual privacy;
(c) recognise that the right to privacy is not absolute and to provide a framework within which to balance the public interest in protecting the privacy of individuals with other public interests;
(d) establish a cause of action to protect the interests that individuals have in the personal sphere free from interference from others;
(e) promote the responsible and transparent handling of personal information by agencies and organisations;
(f) facilitate the growth and development of electronic commerce, nationally and internationally, while ensuring respect for the right to privacy; and
(g) provide the basis for nationally consistent regulation of privacy.
The Regulations would also need to be consistent with the relevant credit reporting provision in the Act (as described above). This provision would contain the definition of credit reporting (thus restricting the scope of the regulations to matters covered by the definition) and a broad principle limiting the extent of access to credit reporting information.
Interestingly, the Regulations do not need to be stronger than or equivalent to the UPPs (this is a rule that only applies to registered or prescribed codes). Also, they may not necessarily need to be ‘balanced’. For example, there is no specific legal requirement that the provisions in the Regulation need to be strengthened in order to ‘balance’ the loss of consent that occurs in the credit reporting environment (although this Report expresses the view that the Regulations should be strengthened in this way).
Within these broad settings, there is great flexibility in developing Regulations. They could be very prescriptive or very broad; lengthy or short; expansive or limited; and strong or weak.
This Report therefore adopts the following tests for the content of the proposed Privacy (Credit Reporting Information) Regulations:
- The issue must, in substance, be a privacy issue rather than a consumer protection issue;
- The issue requires a degree of flexibility – the Regulations can be amended more quickly than the Privacy Act 1988 itself;
- The issue relates to fundamental privacy rights, rather than minor consumer concerns or basic operational matters.
On this last point, this Report has identified key privacy rights in the credit reporting environment to include Notice, Accuracy, Access and Complaints rights:
- Notice: this is a key privacy right once consent is removed as a privacy protection, and requirements for timely and effective notice need to be in the regulations in order to balance the removal of consent.
- Accuracy: data accuracy is a key privacy right in credit reporting as the consequences for consumers of inadequate data are so severe.
- Access: access is a key privacy right in credit reporting as the consumer is in the best position to assess the accuracy of data that is being used and must be able to review and correct this data.
- Complaints: complaints play a significant role in credit reporting and consumers must be guaranteed access to simple, fast and affordable dispute resolution processes.
3.2.3. Industry operating rules and best practice
Where an issue is operational in nature and requires a high degree of flexibility it can potentially be included in an industry Code or best practice guide. The Code might also be an appropriate location for some non-privacy issues to be addressed. Industry benefits of a Code include ownership, branding, flexibility and innovation.
This Report therefore adopts the following tests for the content of a potential industry Code:
- The issue might be a privacy issue or a consumer protection issue (or both);
- The issue requires significant flexibility – the industry Code may potentially be quick to amend;
- The issue does not relate to fundamental privacy rights;
- The issue relates to minor consumer concerns or basic operational matters; or
- The issue regards industry branding or cooperation.
It is important to determine the exact nature of a potential industry Code. At the outset it should be made clear that the industry Code is not a substitute for the proposed Privacy (Credit Reporting Information) Regulations – it is an additional regulatory initiative.
It is desirable that the Code is registered as a Code under the Privacy Act 1988. This is a complex process that requires detailed stakeholder consultation, but it does ensure that the Code is aligned with privacy legislation. Indeed, the content of registered Codes must be equivalent to or stronger than the UPPs. (In this case we assume that the test will be whether the Code is equivalent to or stronger than the proposed Privacy (Credit Reporting Information) Regulations.)
In order for the Code to be registered under the Privacy Act 1988 it could be developed and submitted by an industry body – ARCA has indicated it will be the body to develop such a Code. Alternatively, the Code could be prescribed by the OPC – although this is unlikely in an environment where the industry is willing to submit a Code (it is presumed that the prescribed codes power is for circumstances where the industry is not cooperating).
There is also the question of whether such a Code will be a disallowable instrument. Currently, codes (registered under S18BB) are not disallowable instruments. However, a specific credit reporting code of conduct is a disallowable instrument (S18A). DP72 appears to say that a Code developed by the industry and subsequently approved by the OPC is not a disallowable instrument but a Code prescribed by the OPC (under the new proposed power to prescribe binding codes) is a disallowable instrument. So if the credit reporting industry proposes a Code (to supplement the Regulations on certain industry issues) and it is registered by the OPC, it is unlikely that it will be a disallowable instrument. However, this point requires final clarification from the ALRC.
This Report recommends that only prescribed Codes should be disallowable instruments.
Finally, any industry Code raises potential competition law issues. It is likely that an industry Code in the credit reporting sector will also require authorisation by the ACCC to avoid breaching the Trade Practices Act 1974. Authorisation by the ACCC is subject to a very limited test and it is important to clarify that authorisation does not equate with ‘approval’. Indeed, the test is simply whether or not the public benefit outweighs any potential lessening of competition that results from the Code.
The ACCC authorisation process has caused considerable concern in the past where an industry chose to have a privacy Code authorised by the ACCC without having it registered by the OPC. This must be avoided, as the ACCC test is very weak compared to the OPC test. The ideal approach for a potential industry Code in the credit reporting sector is to have the Code first registered by the OPC (this ensures that the content of the Code is equivalent to or stronger than privacy legislation) and then authorised by the ACCC. In these circumstances the ACCC could be asked to only amend provisions that would not alter the content registered by the OPC. For example, the ACCC could ask that sanction provisions be strengthened or weakened to meet their authorisation test, without changing the substantive provisions that have been approved by the OPC.
The worst outcome would be that the industry Code is not subject to any testing by the OPC and moves straight to ACCC authorisation. In these circumstances the Code is likely to be of little worth as the bar set by the ACCC is so low.
Overall, the industry must also decide whether the benefits of a Code outweigh the hassle and expense of developing and managing a Code. The alternative is to comply with the Regulations alone – which may not be as difficult as industry believes. In many other industries, organisations have come to accept general privacy legislation, and have abandoned attempts to develop a Code. Indeed, some registered Codes have subsequently been withdrawn or continue to have very low membership.
At this stage, there is strong momentum behind the development of a Code by ARCA.
An issue that could be included in the Code is the issue of reciprocity. This is the term used to describe the requirement for any organisation accessing credit reporting information to also contribute its own credit reporting information.
The ALRC has recommended that industry develop a Code to help manage the reciprocity issue (Proposal 51-2). Their reasons include:
Some matters raised in the Inquiry, however, are not addressed most appropriately through legislation. For example, credit providers generally support the principle of reciprocity in credit reporting and obligations to report information consistently. Arguably, credit providers themselves and their industry associations should take responsibility for such matters, within the framework provided by legislation.
Data quality standards are also an issue that the industry would like to include in a Code – although this should more correctly be described as data consistency (data quality remains a key privacy right that will be addressed in the proposed Privacy (Credit Reporting Information) Regulations).
Data consistency standards may be different to the data quality standards required in privacy law, but the Code must be either equivalent to or stronger than privacy law. The ALRC specifically proposes that the Code should be used for improving data consistency (Proposal 54-5). Their reasons include:
Privacy principles should ensure that credit reporting agencies and credit providers are obliged to take reasonable steps to ensure the data quality of credit reporting information. The complexity of data quality issues in credit reporting means that more prescriptive regulation is generally undesirable. Prescriptive requirements may unnecessarily increase the cost of compliance with the Privacy Act 1988 and transaction costs in the finance industry generally, without any significant benefit in terms of data quality. Rather, with some exceptions—as in the case of the listing of statute barred debts—it is considered more appropriate to leave detailed data quality requirements to be dealt with in the proposed credit reporting industry code, developed with input from consumer groups and regulators. If the proposed review indicates that industry self-regulation is not successful in addressing data quality problems such as those discussed in this chapter, however, further regulation should be considered.
This Report accepts that there is strong industry interest in developing a Code and that the ALRC has recommended that reciprocity and data consistency should both be dealt with in a Code rather than in legislation. (It is difficult to list other issues that should be subject to the Code.) However, we note that the development of a Code is a time-consuming and complex process and the benefits of a Code are often over-estimated by industry. We would not be surprised if the industry chose at some point in the future to abandon the Code and simply comply with the Regulations. For this reason, some further consideration should be given to including reciprocity and data consistency in the Regulations.
This would result in all of the privacy requirements for credit reporting being contained in one regulatory instrument.
Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission’s Review of Privacy – Issues Paper 32 Credit Reporting Provisions, 13 April 2007, page 34, <http://www.privacy.gov.au/publications/submissions/sub-alrc-ip32-credit-reporting-200704.pdf>.
Consumer Action Law Centre, Review of Privacy – Credit Reporting Provisions: Submission in response to Issues Paper 32, 30 March 2007, page 20, <http://www.consumeraction.org.au/downloads/ConsumerActionSubmissiontoIssuesPaper32.pdf>.
Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), <http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/893B6CC0392995E0CA257376001EE4C4/$file/AntiMoneyLaundCountTerrFin2006.pdf>.