Disclosure of personal information

53.30 The Privacy Act restricts how, and to whom, personal information in credit information files and credit reports may be disclosed. As explained below, the Act largely focuses on regulating the actions of credit reporting agencies, credit providers and others—setting rules on what these entities may do. Part IIIA, however, also prohibits any other person from obtaining access to a credit information file or credit report, where the Act does not authorise the person to do so, or where the person gains access by a false pretence.[47]

Credit reporting agencies

53.31 Section 18K of the Act contains four general rules on how personal information may be conveyed by credit reporting agencies to people who are permitted to view the information. If a credit reporting agency intentionally contravenes any of the relevant provisions, it is liable for a fine of up to $150,000.[48]

53.32 The general rules are as follows. First, a credit reporting agency is not permitted to make a credit information file directly available to another entity; instead the agency must convey that information in the form of a credit report. Secondly, a credit report only may be given to a credit provider.[49] Thirdly, personal information in a credit report only may be disclosed by a credit reporting agency for one of the purposes specified in the Act—these are summarised below. Fourthly, a credit reporting agency must not disclose personal information if the information does not fall within the permitted categories in s 18E, or if the agency is required to delete the information in question under s 18F.[50] These rules, however, are subject to certain exceptions, which are also set out below.

53.33 The purposes for which an individual’s credit report may be given to a credit provider are set out exhaustively in the section. They relate to the state of mind and activities of the credit provider. The permitted purposes are to:

  • assess the individual’s application for credit;[51]
  • assess the risk in purchasing, or undertaking credit enhancement of, a loan by means of securitisation;[52]
  • assess an application for commercial credit, provided the individual agrees to the disclosure;[53]
  • assess whether to accept the individual as a guarantor of a loan, provided the individual agrees in writing to the disclosure;[54]
  • inform a current credit provider that the individual is at least 60 days overdue in making a payment to a second credit provider and this second credit provider has taken steps to recover some or all of the credit outstanding;[55]
  • assist in collecting overdue payments from the individual;[56] and
  • assist in collecting overdue payments in respect of commercial credit, provided the individual consents or the commercial credit was given prior to 24 September 1991.[57]

53.34 There are some situations in which a credit reporting agency may disclose an individual’s credit report to a person who is not a credit provider, including disclosure to: another credit reporting agency;[58] or a mortgage or trade insurer, where the insurer is assessing matters connected with whether to provide mortgage or trade insurance to a credit provider in respect of the individual.[59]

53.35 The rule prohibiting the direct disclosure of personal information from an individual’s credit information file is subject to a number of exceptions, namely where the:

  • only personal information disclosed is publicly available;[60]
  • disclosure is required or authorised by law;[61] or
  • credit reporting agency is satisfied that a credit provider or law enforcement authority reasonably believes the individual has committed a serious credit infringement and the information is given to a credit provider or law enforcement authority.[62]

Credit providers

53.36 The rules dealing with how a credit provider may disclose personal information in its possession are set out in ss 18N and 18NA of the Act. The general rule is that a credit provider is prohibited from disclosing an individual’s personal information (either from a credit report or other credit worthiness information held by the credit provider and that is not publicly available) unless a stated exception applies. If a credit provider intentionally contravenes this provision, it is liable for a fine of up to $150,000.[63]

53.37 There is a finite list of exceptions to the general rule. In summary, a credit provider is permitted to disclose an individual’s personal information to:

  • a credit reporting agency that is creating or modifying a credit information file;[64]
  • another credit provider for a particular purpose, provided either the individual specifically agrees or it is in connection with an overdue payment;[65]
  • the guarantor of an individual’s loan in connection with enforcing the guarantee;[66]
  • a mortgage insurer for the purpose of risk assessment or as required by the contract between the credit provider and the insurer;[67]
  • a recognised dispute settling body that is assisting in settling a dispute between the credit provider and the individual;[68]
  • a government body with responsibility in this area;[69]
  • a supplier of goods or services for the purpose of determining whether to accept a payment by credit card or funds transfer, provided the personal information disclosed does no more than identify the individual and inform the supplier whether the individual has sufficient funds for the proposed payment;[70]
  • a person considering taking on the individual’s debt, provided the personal information disclosed does no more than identify the individual and inform the person of the amount of the debt;[71]
  • the guarantor, or a proposed guarantor, of a loan, provided the borrower specifically agrees;[72]
  • a debt collector in respect of overdue payments to the credit provider, provided the personal information disclosed does no more than: identify the individual; give specified details relating to the debt; and provide a record of any adverse court judgments or bankruptcy orders;[73]
  • a corporation related to the credit provider that is itself a corporation;[74]
  • a corporation, in connection with its taking on a debt owed to the credit provider;[75]
  • a person who manages loans made by the credit provider;[76]
  • a person, as required or authorised by law;[77]
  • the individual or another person authorised by the individual;[78] and
  • another credit provider or a law enforcement authority, where the credit provider reasonably suspects the individual has committed a serious credit infringement.[79]

53.38 The Privacy Commissioner has a power to determine the manner in which such a report may be disclosed;[80] however, the Commissioner is yet to make such a determination.

Information given by credit providers to credit reporting agencies

53.39 In practice, credit reporting agencies, in compiling credit information files, obtain most of that information from credit providers themselves.[81] This creates a two-way flow of personal information between credit reporting agencies and credit providers.

53.40 In view of this, the Act limits the information that a credit provider may provide to a credit reporting agency. That is, a credit provider must not give to a credit reporting agency personal information relating to an individual in any of the following situations:

  • where the information would not fall within the categories in s 18E(1) summarised above;
  • where the credit provider does not have reasonable grounds for believing the information is correct; or
  • where the credit provider did not, before or at the time of, or before, acquiring the information, inform the individual that the information might be disclosed to a credit reporting agency.[82]

[47] Ibid ss 18S, 18T. The penalty in respect of each offence is a fine not exceeding $30,000.

[48] Ibid s 18K(5).

[49] The terms ‘credit report’ and ‘credit provider’ are discussed earlier in this chapter.

[50]Privacy Act 1988 (Cth) s 18K(2).

[51] Ibid s 18K(1)(a).

[52] Ibid s 18K(1)(ab), (ac).

[53] Ibid s 18K(1)(b). The individual’s agreement must usually be given in writing—see s 18K(1A).

[54] Ibid s 18K(1)(c).

[55] Ibid s 18K(1)(f). The relevant credit reporting agency is permitted to make such a disclosure only where it has received this information at least 30 days before the disclosure.

[56] Ibid s 18K(1)(g).

[57] Ibid s 18K(1)(h).

[58] Ibid s 18K(1)(j).

[59] Ibid s 18K(1)(d), (e). In respect of trade insurance, the disclosure is permitted only if the individual has agreed in writing: s 18K(1)(e).

[60] Ibid s 18K(1)(k).

[61] Ibid s 18K(1)(m).

[62] Ibid s 18K(1)(n).

[63] Ibid s 18N(2).

[64] Ibid s 18N(1)(a).

[65] Ibid s 18N(1)(b), (fa).

[66] Ibid s 18N(1)(ba).

[67] Ibid s 18N(1)(bb).

[68] Ibid s 18N(1)(bc).

[69] Ibid s 18N(1)(bd), (bda).

[70] Ibid s 18N(1)(be).

[71] Ibid s 18N(1)(bf).

[72] Ibid s 18N(1)(bg), (bh). The borrower’s agreement is not necessary if: the guarantee (or security) was provided before 7 December 1992; the information discloses the guarantor’s liability; and the credit provider previously advised the borrower that such disclosures may take place: s 18N(1)(bg)(ii). See also s 18NA in respect of indemnities.

[73] Ibid s 18N(1)(c). If the debt relates to commercial credit, the credit provider is prohibited from disclosing the details of the debt to a debt collector: s 18N(1)(ca).

[74] Ibid s 18N(1)(d).

[75] Ibid s 18N(1)(e).

[76] Ibid s 18N(1)(f).

[77] Ibid s 18N(1)(g).

[78] Ibid s 18N(1)(ga), (gb).

[79] Ibid s 18N(1)(h).

[80] Ibid s 18N(5)–(7).

[81] This is specifically anticipated in Ibid ss 18E(8) and 18N(1)(a).

[82] Ibid s 18E(8).