Consent and credit reporting

53.45 While Part IIIA generally does not require the agreement of individuals to the use or disclosure of credit reporting information about them, provided notification has been given, consent is required in some contexts, which are discussed below.

Consent to disclosure of information

53.46 Part IIIA contains provisions that require the agreement of an individual to the disclosure of his or her personal information. Under s 18K, an individual’s agreement, sometimes in writing, is required in relation to the disclosure by a credit reporting agency of information contained in a credit report to a:

  • credit provider for the purpose of assessing an application for commercial credit;[95]

  • credit provider for the purpose of assessing whether to accept an individual as a guarantor;[96]

  • trade insurer for the purpose of assessing insurance risks in relation to commercial credit;[97] and

  • credit provider for the purpose of collecting payments overdue in respect of commercial credit.[98]

53.47 Section 18L(4) requires an individual specifically to have agreed to a credit provider using information concerning commercial credit in assessing an application for consumer credit. Finally, under s 18N, an individual must have ‘specifically agreed’ to the disclosure of a credit report or other credit worthiness information by a credit provider to another credit provider for the particular purpose;[99] to a guarantor for a loan given by the credit provider to the individual concerned;[100] and to a person considering whether to offer to act as a guarantor.[101]

Disclosure to a credit reporting agency

53.48 Part IIIA does not require an individual to consent to disclosure of information by a credit provider to a credit reporting agency.[102] An individual’s consent may be required, however, by the NPPs or by common law duties of confidence owed by some credit providers to their customers.

53.49 Consent to disclosure may be required—at least where the credit provider is a bank[103]—to avoid breaching the duty of confidence owed by banks to their customers. This common law duty was defined in Tournier v National Provincial and Union Bank of England.[104] It is reflected in the Australian Bankers’ Association’s Code of Banking Practice, which provides that, in addition to a bank’s duties under legislation, it has a general duty of confidentiality towards a customer except in the following circumstances: where disclosure is compelled by law; where there is a duty to the public to disclose; where the interests of the bank require disclosure; or where disclosure is made with the express or implied consent of the customer.[105]

53.50 Chapter 19 discusses the role of consent in privacy regulation generally. As noted in Chapter 19, problems arise where an individual’s capacity to give true consent is hampered. This issue is seen most commonly in the context of ‘bundled consent’—the practice of bundling together consent to a wide range of uses and disclosures of personal information without giving individuals the option of selecting to which uses and disclosures they agree.[106]

[95] Ibid s 18K(1)(b).

[96] Ibid s 18K(1)(c).

[97] Ibid s 18K(1)(e).

[98] Ibid s 18K(1)(h).

[99] Ibid s 18N(1)(b).

[100] Ibid s 18N(1)(bg).

[101] Ibid s 18N(1)(bh).

[102] A credit provider, however, must not give personal information to a credit reporting agency unless the individual concerned has been informed that the information might be disclosed to a credit reporting agency: Ibid s 18E(8).

[103] The duty also may apply to building societies, credit unions and other authorised deposit-taking institutions: A Tyree, ‘Does Tournier Apply to Building Societies?’ (1995) 6 Journal of Banking and Finance Law and Practice 206.

[104]Tournier v National Provincial & Union Bank of England [1924] 1 KB 461. The duty extends to disclosure to related bodies corporate: Bank of Tokyo Ltd v Karoon [1987] AC 45, 53–54.

[105] Australian Bankers’ Association, Code of Banking Practice (1993), [12.1].

[106] See also Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [53.99]–[53.117].