17.08.2010
52.23 There is an almost universal view that the practice of credit reporting should be regulated. There are many reasons for this. One is that it vindicates an individual’s right to privacy—as Professor Solove puts it, ‘[p]eople expect certain limits on what is known about them and on what others will find out’.[17] Another justification is that a credit report, which contains aggregated personal information, can be used to make decisions that ‘profoundly affect a person’s life’.[18] As such, there is special urgency in ensuring that such information is accurate and not misused.
State legislation
52.24 The first Australian legislation regulating aspects of credit reporting was enacted in 1971. In Queensland, Part III Division I of the Invasion of Privacy Act 1971 (Qld) established a licensing scheme for credit reporting agents. The Act included statutory provisions dealing with the:
permitted purposes of credit reports;
information to be furnished to consumers and credit reporting agencies when credit is refused on the basis of a credit report;
information to be disclosed by credit reporting agencies on request by consumers; and
obligations on credit reporting agencies to investigate and correct inaccurate information and delete old information.[19]
52.25 The Invasion of Privacy Act contained offences in relation to: obtaining information falsely from a credit reporting agency; unauthorised disclosure of credit reporting information; supplying false credit reporting information; and demanding payment by making threats in relation to credit-related information.[20] The credit reporting provisions of the Act were repealed in 2002.[21]
52.26 In 1975, South Australia enacted the Fair Credit Reports Act 1975 (SA), which provided individuals with rights of access to, and correction of, information in consumer reports; required credit reporting agencies to adopt procedures to ensure the accuracy and fairness of consumer reports; and required traders to inform individuals of their use of adverse information in such reports.[22] The Act was repealed in 1987.[23]
52.27 In Victoria, the Credit Reporting Act 1978 (Vic) provides consumers with rights of access to copies of files held in relation to them by a credit reporting agency and provides a mechanism to dispute details and request the amendment of incorrect information. Credit reporting regulations were made in 1978 to prescribe procedures and time limitations to be followed by consumers seeking to amend personal credit reports held by credit agents.[24] The Victorian Consumer Credit Review noted that:
With the commencement of the [federal] Privacy Act, however, it appears that the continuing relevance of the Victorian Act declined because the Privacy Act was binding on the industry and more comprehensive for consumers.[25]
52.28 Australia’s first privacy regulator, the New South Wales Privacy Committee, identified credit reporting as an important privacy issue.[26] In 1976, concerns about the privacy of credit reporting information led the Privacy Committee and the CRAA to enter a so-called ‘Voluntary Agreement’ under which the CRAA would provide individuals with access to the information it held about them.[27]
52.29 Despite the Voluntary Agreement, few incentives existed to encourage CRAA’s credit provider subscribers to comply with the Voluntary Agreement, notify individuals about adverse reports and rights of access, or to ensure that information they provided to the CRAA was accurate and complete.[28] Some observers expressed serious doubts about the willingness and ability of the CRAA to discipline its member credit providers.
Few clients appear to have ever been suspended, had their memberships cancelled, or had specific employees suspended, for breach of CRAA rules. In 1985, when the Secretary of a Hibernian Credit Union was found to have made an enquiry for purposes other than credit granting (and in the process invented an application for a $50,000 mortgage loan), CRAA failed to discipline either its client or the client’s employee (NSW Privacy Committee Annual Report, 1985, 92–98). Even a Report to Parliament, the NSW Privacy Committee’s ultimate sanction, had no effect.[29]
52.30 During 1983, the New South Wales Privacy Committee reviewed its experience with the Voluntary Agreement and concluded that self-regulation of the credit reporting industry was ineffective. The Committee made proposals that it hoped would be the basis of fair credit reporting legislation or a code of practice under consumer protection legislation.[30] The Committee stated that this position was in line with its view that the ‘time is now ripe for information privacy legislation’.[31]
52.31 In 1989, one commentator on privacy issues stated:
Judging by the last decade’s complaints and enquiries to the country’s only long-standing privacy ‘watchdog’, the NSW Privacy Committee, the public regards consumer credit reporting as the largest single information privacy issue.[32]
New regulatory momentum
52.32 The momentum for regulation of credit reporting intensified in the late 1980s. In large part this was in response to proposals by the CRAA to implement a new system of credit reporting. This system was referred to by the CRAA as the Payment Performance System (PPS) and was described by the CRAA and others as a form of ‘positive’ reporting.[33]
52.33 In the 1980s, credit reporting in Australia did not involve the collection or disclosure in credit reports of so-called ‘positive’ information about an individual’s credit position. Apart from publicly available information about bankruptcies and court judgments, credit information was restricted to default reports made by CRAA members—that is, ‘negative’ information.
52.34 During the latter part of 1988, CRAA publicised an intention to augment its collection of credit reporting information by including information about individuals’ current credit commitments. The nature of the proposal was summarised by Clarke as follows:
Under PPS, credit providers would supply CRAA with tapes containing their customers’ credit accounts. This data would be merged with previously recorded data every 30 to 60 days. Reports would then contain a complete listing of all known credit accounts, balances owing (at some recent point in time), and the consumer’s payment performance on every account during the previous 24 payment periods … Payments 120 days or more overdue would result in a default report being generated automatically.[34]
52.35 The CRAA’s proposals intensified concern about its operations. In 1989, the New South Wales Privacy Committee concluded that the CRAA proposals represented a ‘new and significant threat to privacy’ and again recommended regulation of credit reporting.[35] In April 1989, CRAA announced that it would postpone the introduction of the PPS until January 1990, at the request of the Commonwealth Minister for Consumer Affairs, the Hon Senator Nick Bolkus.
52.36 On 19 April 1989, a ‘Summit’ was sponsored by the Australian Privacy Foundation. The meeting was attended by federal parliamentarians, CRAA representatives, state government agencies, credit providers, consumer and civil liberties groups and the Australian Computer Society.[36] At the conclusion of the Summit, the Minister for Consumer Affairs announced that the Australian Government intended to extend the Privacy Act to cover consumer credit reporting. Credit reporting would therefore become subject to national legislation for the first time.
[17] D Solove, ‘A Taxonomy of Privacy’ (2006) 154(3) University of Pennsylvania Law Review 477, 508.
[18] Ibid, 508.
[19]Invasion of Privacy Act 1971 (Qld) ss 16, 17, 18, 24.
[20] Ibid ss 19, 20, 21, 22, 25.
[21]Tourism, Racing and Fair Trading (Miscellaneous Provisions) Act 2002 (Qld) s 45.
[22]Fair Credit Reports Act 1975 (SA) pt II.
[23]Statutes Amendment (Fair Trading) Act 1987 (SA) s 16.
[24] Consumer Affairs Victoria, The Report of the Consumer Credit Review (2006), 266.
[25] Ibid, 266.
[26] Established under the Privacy Committee Act 1975 (NSW).
[27] R Clarke, Consumer Credit Reporting and Information Privacy Regulation (1989) Australian Computer Society, 4.
[28] Ibid, 4–5.
[29] Ibid, 5.
[30] New South Wales Government Privacy Committee, Annual Report 1984 (1984), 30.
[31] Ibid, 31.
[32] R Clarke, Consumer Credit Reporting and Information Privacy Regulation (1989) Australian Computer Society, 2.
[33] As discussed in Ch 55, the ALRC is of the view that such systems are better described as ‘comprehensive’ or ‘more comprehensive’ credit reporting.
[34] R Clarke, Consumer Credit Reporting and Information Privacy Regulation (1989) Australian Computer Society, 6.
[35] New South Wales Government Privacy Committee, Annual Report (1989), 23.
[36] R Clarke, Consumer Credit Reporting and Information Privacy Regulation (1989) Australian Computer Society, 6.