Credit providers

54.101 In general, credit reporting agencies may disclose personal information contained in credit information files (for example, a credit report) only to those persons who are ‘credit providers’ as that term is defined in the Act.[113] An entity is a credit provider under s 11B if the entity is, among other things, a

  • bank;

  • corporation, a substantial part of whose business or undertaking is the provision of loans;

  • corporation that carries on a retail business in the course of which it issues credit cards; or

  • corporation that provides loans and is included in a class of corporations determined by the Privacy Commissioner to be credit providers for the purposes of the Privacy Act.[114]

54.102 A loan is defined to include a hire‑purchase agreement or an agreement for the hiring, leasing or renting of goods or services under which full payment is not made or a full deposit is paid for the return of goods.[115]

Credit provider determinations

54.103 The Privacy Commissioner has made two determinations of general application[116] in relation to the definition of credit provider under s 11B. These determinations were renewed from August 2006 and are effective to 31 August 2011.

54.104 Under the Privacy Commissioner’s Credit Provider Determination No. 2006–4 (Classes of Credit Provider) (Classes of Credit Provider Determination)—first made in substantially similar form in 1991—corporations are to be regarded as credit providers if they:

  • make loans in respect of the provision of goods or services on terms that allow the deferral of payment, in full or in part, for at least seven days; or

  • engage in the hiring, leasing or renting of goods, where no amount, or an amount less than the value of the goods, is paid as deposit for return of the goods, and the relevant arrangement is one of at least seven days duration.[117]

54.105 Under the Privacy Commissioner’s Credit Provider Determination No. 2006–3 (Assignees) (Assignees Determination)—first made in substantially similar form in 1995—corporations are to be regarded as credit providers for the purposes of the Privacy Act if they acquire the rights of a credit provider with respect to the repayment of a loan (whether by assignment, subrogation or other means). A corporation deemed to be a credit provider by virtue of the Assignees Determination is regarded as the credit provider to whom the loan application was submitted, or who provided the loan.[118]

Participation in the credit reporting system

54.106 The definition of credit provider raises broad issues about who should be permitted to participate in the credit reporting system; and what standards participants should have to comply with, in relation to credit reporting and more generally.

54.107 There have been suggestions, for example, that credit providers should have to comply with the Consumer Credit Code in order to participate in the credit reporting system.[119] The Consumer Credit Code, which has been adopted by all state and territory governments, governs many aspects of credit transactions and provides a range of important protections for consumers. These protections include, for example, notice requirements that must be met before a credit provider may begin enforcement proceedings, prescribed periods within which a default may be remedied by the consumer,[120] and the power of a court to reopen an unjust transaction.[121]

54.108 Some organisations, which are recognised as credit providers for the purposes of the credit reporting provisions of the Privacy Act, are not required to comply with the Consumer Credit Code, which applies to ‘credit providers’ defined more narrowly.[122] Importantly, the Consumer Credit Code ‘does not recognise services provided with payment in arrears terms as credit’.[123]

Discussion Paper proposal

54.109 In DP 72, the ALRC proposed that the Privacy (Credit Reporting Information) Regulations should include a simplified definition of ‘credit provider’ under which those individuals or organisations who are currently credit providers for the purposes of Part IIIA of the Privacy Act should generally continue to be credit providers for the purposes of the regulations.[124]

54.110 The ALRC also asked whether the new definition of credit provider could be tightened at the margins and, in particular, whether organisations should be regarded as credit providers if they make loans in respect of the provision of goods or services on terms that allow the deferral of payment, in full or in part, for at least 30 days—as compared to seven days, as is currently the case under the Classes of Credit Provider Determination.[125] This would bring the definition into line with common trade terms relating to payment for invoiced goods or services.

54.111 Finally, the ALRC asked whether the definition of ‘credit provider’ under the NZ Code should be adopted as the definition of ‘credit provider’ under the new Privacy (Credit Reporting Information) Regulations.[126] Under the NZ Code, a credit provider is defined as an entity ‘that carries on a business involving the provision of credit to an individual’. The term ‘credit’ means ‘property or services acquired before payment, and money on loan’.[127] This option, in contrast to the preceding suggestion, would loosen the definition of credit provider.

Submissions and consultations

54.112 The proliferation of entities that have access to the credit reporting system—due primarily to the breadth of the definition of credit provider under the Privacy Commissioner’s determinations—was highlighted in submissions.[128] The Privacy Commissioner’s credit provider determinations have extended access to the credit reporting system ‘beyond traditional lenders such as banks to a wide range of retailers and service providers’ including, for example, video store operators, and legal services and healthcare providers.[129]

54.113 Some stakeholders maintained that, in reaching these determinations, the Commissioner had failed ‘to strike the correct balance’ between commercial interests and protecting the privacy of credit reporting information.[130] Legal Aid Queensland observed:

In 16 years of making determinations in respect of the categories of credit providers who can access credit reporting, the privacy commissioner has facilitated the astronomical expansion of potential entities who can access credit reporting. We note that when the credit reporting provisions of the Privacy Act commenced in 1991, there was an expectation that the restrictive nature of the legislation would mean that there would be less than 500 members. Veda Advantage now claim more than 5000 corporate members.[131]

Telecommunications and utilities

54.114 One focus of concern has been on access to the credit reporting system by telecommunications and utilities companies.[132] Telecommunications and utilities companies use the credit reporting system to assess the credit worthiness of applicants for accounts and to assist in debt collection. These companies also may report overdue payments (defaults). For the purposes of credit reporting regulation, ‘credit’ advanced by telecommunications companies involves, for example, ‘post-paid services’. These are where services are provided without requiring immediate payment by the customer, such as (in the case of Telstra) ‘fixed home phone connection and call charges, post-paid mobile call charges and BigPond usage charges for dial-up, ISDN and broadband’.[133]

54.115 Telecommunications and utilities companies are credit providers for the purposes of Part IIIA of the Privacy Act by virtue of the Classes of Credit Provider Determination. These companies are not generally bound to comply with the provisions of the Consumer Credit Code. A number of stakeholders submitted that compliance with the Consumer Credit Code should be a condition of access to the credit reporting system.[134] The Banking and Financial Services Ombudsman (BFSO), for example, submitted that access should not be allowed unless the credit that has been provided is regulated credit, as defined in the Consumer Credit Code.[135]

54.116 Some stakeholders suggested that telecommunications companies are inadequately regulated as credit providers.[136] In response, telecommunications and utilities companies emphasised their need for credit reporting information and the fact that credit management in telecommunications is subject to an industry credit management code released by the Australian Communications Industry Forum.[137]

54.117 Optus noted that, without access to credit reporting information, it would be ‘forced to undertake more intrusive information collection in order to assess the level of risk of providing that customer with a service’.[138] EnergyAustralia stated that it would be ‘unfair to allow one particular class of credit provider access to information that enables them to make judgements about credit worthiness and deny this to another class of credit providers’.[139]

Access to credit reporting information

54.118 While most concern centred on the provisions of the Classes of Credit Provider Determination, discussed above, some stakeholders argued that, in some respects, the definition of credit provider is too restrictive and excludes some businesses that have legitimate claims to have access to credit reporting information.

54.119 The AFC, for example, stated that the definition should be ‘broadened to cover any business that supplies goods or services other than on an up-front cash basis’ and the definition should not rely on any limit based on a fixed number of days for which payment is deferred.[140]

54.120 There are some classes of organisation that do not meet the current criteria for participation in the credit reporting system but consider that they should be permitted to obtain personal information contained in credit information files. Mercantile agents and others engaged in debt collection, investigation and related activities comprise one such group. Real estate agents and landlords comprise another.[141]

54.121 There are concerns, however, about access to credit reporting by ‘non-traditional lenders’ on the basis that the information obtained is primarily used in debt collection, rather than risk assessment, and by businesses that are more likely not to have appropriate dispute resolution or data quality processes in place.[142] The Assignees Determination was criticised in this context. National Legal Aid, for example, stated that assignees ‘are typically debt collection agencies, which are thus given access to an information resource which was originally intended to exclude them from direct access to credit information files’.[143]

Definition of credit provider

54.122 There was support for the incorporation of a simplified definition of credit provider[144] in the Privacy (Credit Reporting Information) Regulations, but stakeholders had different perspectives on the desirable content of such a definition. Industry stakeholders, understandably, favoured a formulation that would maintain access to the credit reporting system for those organisations that currently have access.[145]

54.123 The OPC agreed that the definition should permit those individuals and organisations that are currently credit providers for the purposes of the Privacy Act to continue to be credit providers under the new regulations.[146] The Uniform Consumer Credit Code Management Committee specifically supported continued access to credit reporting information by telecommunications providers in order to allow those companies ‘to screen out customers’.[147]

54.124 The Cyberspace Law and Policy Centre supported a narrower definition of credit provider than is currently provided under the Act and the Privacy Commissioner’s credit provider determinations.

Given the potential effect on individuals of adverse conclusions being drawn from credit reports, it is essential that access is limited to genuine lenders who can justify the need for credit reporting information. Businesses such as car hire firms and real estate agents, and employers, who seek to use credit reporting information for other purposes, must continue to be denied access, as must merchants accepting credit card payments who do not bear the risk of defaults.[148]

54.125 The Cyberspace Law and Policy Centre suggested that any simplified definition of credit provider ‘should not be significantly broader than the current definition’ and ‘the justification for the classes included by Determination should be revisited’.[149] Other stakeholders also submitted that current credit providers should not necessarily retain access to the credit reporting system[150]—particularly if more comprehensive reporting is to be introduced.[151]

54.126 There was some support for increasing the required deferred payment period to 30 days.[152] It was said that such a reform would be ‘likely to capture most of the problematic small credit providers who currently can potentially access credit reporting including video companies, car hire companies and most tradespeople’.[153] The idea was specifically opposed by other stakeholders, on the grounds that organisations with a legitimate need for credit reporting information would be excluded, including telecommunications providers.[154]

54.127 Views were similarly mixed on the appropriateness of the broad definition of credit provider found in the NZ Code. Some industry stakeholders submitted that such a definition would form an appropriate starting point for the definition of credit provider under Australian credit reporting regulation.[155] Others opposed the idea.[156] Legal Aid Queensland, for example, stated:

Such a definition would provide access to credit reporting to employers, car hire companies, insurers, debt collectors, real estate agents, corner stores (particularly in aboriginal communities where ‘bookup’ is a significant issue), newsagents (who provide daily deliveries but charge for service, on a periodical basis in arrears), doctors, dentists, lawyers and plumbers leaving very few entities that could not potentially access credit reporting.[157]

54.128 ARCA suggested that the new regulations should define a ‘credit provider’ as ‘an organisation that carries on a business involving the provision of credit to an individual’ and ‘credit’ as ‘property or services acquired before payment and money on loan’—the formulation used in the NZ Code.[158] This position was also favoured by other industry stakeholders.[159] Some stakeholders went further. The Australian Credit Forum, for example, suggested that the definition also should include any business that accepts cheques.[160]

54.129 Other stakeholders expressed concerns about an overly broad definition of credit provider, such as that in the NZ Code, whether or not qualified by a deferred payment period. The Consumer Action Law Centre stated:

Our view is that the number of days allowed for payment is not the key issue, but the amount of risk being taken by the business. For example, allowing 60 days to pay a small account may present little risk, while allowing 5 days to pay for, say, a vehicle that has already been delivered would be a significant risk.[161]

54.130 It was also suggested that the Privacy (Credit Reporting Information) Regulations should provide a power for the OPC to determine that an organisation is, or is not, a credit provider for the purpose of the Act and regulations—that is, a power similar to the existing OPC power under s 11B(1)(b)(v)(B).[162] The OPC submitted that:

The Privacy Commissioner should retain the power to deem businesses as credit providers by making determinations. Businesses that are currently deemed to be credit providers by determination should not be incorporated into the statutory definition of credit provider but be covered by a determination.[163]

54.131 The OPC provided a number of detailed comments on the definition of credit provider and related matters.[164] The OPC submitted that the related definition of ‘loan’ should be amended so that, where a ‘loan’ concerns the hire, lease, or rental of goods, a payment is defined as either a deposit or a payment in advance and the value of the goods is assessed by an objective standard.[165] The OPC also suggested that the meaning of ‘substantial’, which forms part of the definition of ‘credit provider’ in s 11B(1)(b)(iii) of the Privacy Act, could be improved; and state and territory government agencies that make loans to individuals should have the same opportunity as Australian government agencies to apply for a credit provider determination.[166]

ALRC’s view

54.132 The ALRC is not convinced that there is a sufficiently compelling case to tighten the definition of credit provider for the purpose of new credit reporting regulation. The credit provider determinations have been in place since 1991 and commercial practices have developed in reliance on continued access to credit reporting information.

54.133 The determinations were reviewed and renewed without substantive amendment by the OPC in 2006. The OPC concluded that, while there were recurring issues that required attention, these issues had not prevented the Classes of Credit Provider Determination from operating satisfactorily.[167] The OPC undertook to develop information sheets and education strategies targeted at businesses covered by the Classes of Credit Provider Determination and those operating in the telecommunications sector; and to consider, as resources became available, the development of a credit reporting audit program focusing on non-traditional credit providers.[168]

54.134 Opponents of access by credit providers covered by the credit provider determinations did not deny that some of these businesses have an operational need for access to credit reporting information to assess the credit worthiness of potential customers. Objections to such access were based in large part on the use of default listing as a debt collection tool and on the quality of data reported by these credit providers. Even some critics of the existing definition of a credit provider accept, however, that there are difficulties in developing viable alternatives that do not exclude organisations with a legitimate need for credit reporting information.

54.135 Many of the concerns about the breadth of the definition of credit provider may be addressed effectively by the ALRC’s recommendations intended to improve credit reporting data quality (see Chapter 58) and complaint-handling procedures (Chapter 59). In particular, the ALRC recommends that the Privacy (Credit Reporting Information) Regulations should provide that credit providers may only list overdue payment information where the credit provider is a member of an external dispute resolution (EDR) scheme approved by the OPC. This recommendation is aimed at improving complaint-handling processes, but may have the secondary effect of removing ‘fringe’ players from the credit reporting system who are unwilling to join an EDR scheme.

54.136 As proposed in DP 72, the ALRC recommends that the Privacy (Credit Reporting Information) Regulations include a simplified definition of ‘credit provider’ under which those individuals or organisations who are currently credit providers for the purposes of Part IIIA of the Privacy Act should generally continue to be credit providers for the purposes of the new regulations. In the ALRC’s view, no compelling case has been made out for organisations to be regarded as credit providers if they provide goods or services on terms that allow the deferral of payment for at least 30 days, as discussed in DP 72.[169]

54.137 Beyond this, the ALRC does not have a firm view on exactly how the definition should be drafted. As discussed above, a range of issues concerning the drafting of the definition were raised in DP 72, and put forward in submissions. The definition will inevitably be broad, to avoid arbitrary distinctions between organisations that face credit risks. The finer detail of the drafting is, however, best left to the Australian Government to resolve, with the assistance of the Office of Parliamentary Counsel.

Recommendation 54-4 The new Privacy (Credit Reporting Information) Regulations should include a simplified definition of ‘credit provider’ under which those agencies and organisations that are currently credit providers for the purposes of the Privacy Act (whether by operation of s 11B or pursuant to determinations of the Privacy Commissioner) should generally continue to be credit providers for the purposes of the regulations.

[113] These provisions are summarised in more detail in Ch 53.

[114]Privacy Act 1988 (Cth) s 11B(1)(b)(v)(B).

[115] Ibid s 6(1), definition of ‘loan’.

[116] A third credit provider determination relates to a particular Australian Government agency and is not discussed here: Privacy Commissioner, Credit Provider Determination No 2006–5 (Indigenous Business Australia), 25 October 2006.

[117] Privacy Commissioner, Credit Provider Determination No. 2006–4 (Classes of Credit Providers), 21 August 2006.

[118] Privacy Commissioner, Credit Provider Determination No. 2006–3 (Assignees), 21 August 2006.

[119] Office of the Privacy Commissioner, Report on the Review of the Credit Provider Determinations (Assignees and Classes of Credit Providers) (2006), 15.

[120]Consumer Credit Code ss 80–81.

[121] In determining whether a transaction is unjust, the court may have regard to, among other things, whether ‘the credit provider knew, or could have ascertained by reasonable inquiry of the debtor at the time, that the debtor could not pay’: Ibid s 70(2)(l).

[122] Under the Consumer Credit Code, a ‘credit provider’ is defined to mean a person who provides ‘credit’: Ibid s 3(1), Sch 1. For the purposes of the Code, credit is provided if, under a contract, ‘payment of a debt … is deferred’ or a person ‘incurs a deferred debt to another’: Consumer Credit Code s 4(1). The Consumer Credit Code applies only to the provision of credit where a charge is or may be made for providing the credit: Consumer Credit Code s 5(1).

[123] Consumer Action Law Centre, Submission PR 274, 2 April 2007.

[124] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 50–7.

[125] Ibid, Question 50–1.

[126] Ibid, Question 50–2.

[127] Credit Reporting Privacy Code 2004 (NZ) cl 5.

[128] For example, Queensland Law Society, Submission PR 286, 20 April 2007; N Waters—Cyberspace Law and Policy Centre UNSW, Submission PR 277, 3 April 2007; Australian Privacy Foundation, Submission PR 275, 2 April 2007; Consumer Action Law Centre, Submission PR 274, 2 April 2007; National Legal Aid, Submission PR 265, 23 March 2007; Min-it Software, Submission PR 236, 13 March 2007.

[129] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [5.15]. In this context, Tasmanian Collection Service observed that organisations which ‘typically provide small value credit’ include veterinary surgeons, medical specialists, florists, schools and newsagents: Tasmanian Collection Service, Submission PR 375, 5 December 2007.

[130] N Waters—Cyberspace Law and Policy Centre UNSW, Submission PR 277, 3 April 2007; Australian Privacy Foundation, Submission PR 275, 2 April 2007.

[131] Legal Aid Queensland, Submission PR 489, 19 December 2007.

[132] Australian Privacy Foundation, Submission PR 275, 2 April 2007; National Legal Aid, Submission PR 265, 23 March 2007; Telecommunications Industry Ombudsman, Submission PR 221, 8 March 2007.

[133] Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[134] N Waters—Cyberspace Law and Policy Centre UNSW, Submission PR 277, 3 April 2007; Australian Privacy Foundation, Submission PR 275, 2 April 2007; Banking and Financial Services Ombudsman Ltd, Submission PR 263, 21 March 2007. The OPC supported the ‘alignment’ of the definition of ‘credit’ in the Privacy Act with the definition in the Consumer Credit Code: Office of the Privacy Commissioner, Submission PR 281, 13 April 2007.

[135] Banking and Financial Services Ombudsman, Submission PR 471, 14 December 2007; Banking and Financial Services Ombudsman Ltd, Submission PR 263, 21 March 2007.

[136] Australian Privacy Foundation, Submission PR 275, 2 April 2007; Consumer Credit Legal Centre (NSW) Inc, Submission PR 255, 16 March 2007; Telecommunications Industry Ombudsman, Submission PR 221, 8 March 2007; Consumer Credit Legal Centre (NSW) Inc, Credit Reporting Research Report (2007), rec 24.

[137] Australian Communications Industry Forum, Industry Code—Credit Management, ACIF C541 (2006). The credit management code was registered by the Australian Communications and Media Authority on 13 April 2006 and binds telecommunications carriers and carriage service providers. The code deals with, among other things: the steps undertaken to enable a consumer to gain and maintain access to services (including credit assessment and credit control); the minimum steps (including acceptable minimum timeframes for advising consumers) that a supplier must take before suspending, restricting or disconnecting a consumer’s services; the processes that follow disconnection of services, including the collection of debts; and the disclosure of consumer personal information to a third party that may take place as a consequence of credit management action: Australian Communications Industry Forum, Industry Code—Credit Management, ACIF C541 (2006), i.

[138] Optus, Submission PR 258, 16 March 2007.

[139] EnergyAustralia, Submission PR 229, 9 March 2007.

[140] Australian Finance Conference, Submission PR 294, 18 May 2007.

[141] The NZ Code specifically permits a credit reporter to disclose credit information (where authorised by the individual) to a prospective landlord for the purpose of assessing the credit worthiness of the individual as a tenant: Credit Reporting Privacy Code 2004 (NZ) r 11(2)(b)(ii).

[142] Consumer Action Law Centre, Submission PR 274, 2 April 2007.

[143] The assignment or factoring of debts, including debts that are not overdue is, however, a common commercial practice: Institute of Mercantile Agents, Submission PR 270, 28 March 2007.

[144] GE Money Australia, Submission PR 537, 21 December 2007; Optus, Submission PR 532, 21 December 2007; First Data International, Submission PR 503, 20 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[145] GE Money Australia, Submission PR 537, 21 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[146] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[147] Uniform Consumer Credit Code Management Committee, Submission PR 520, 21 December 2007.

[148] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[149] Ibid.

[150] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Legal Aid Queensland, Submission PR 489, 19 December 2007.

[151] National Legal Aid, Submission PR 521, 21 December 2007.

[152] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007.

[153] Legal Aid Queensland, Submission PR 489, 19 December 2007.

[154] Optus, Submission PR 532, 21 December 2007; First Data International, Submission PR 503, 20 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[155] GE Money Australia, Submission PR 537, 21 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[156] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007.

[157] Legal Aid Queensland, Submission PR 489, 19 December 2007.

[158] Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[159] Veda Advantage, Submission PR 498, 20 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007. The AFC favoured a similar broad definition of ‘credit provider’: Australian Finance Conference, Submission PR 398, 7 December 2007.

[160] Australian Credit Forum, Submission PR 492, 19 December 2007.

[161] Consumer Action Law Centre, Submission PR 510, 21 December 2007.

[162] Veda Advantage, Submission PR 498, 20 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[163] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[164] Ibid.

[165] The existing definition of ‘loan’ in Privacy Act 1988 (Cth) s 6(1) excludes a contract for hire, lease or rent of goods under which an amount greater than or equal to the value of the goods is paid as deposit for the return of the goods.

[166] See Ibid s 11B(1)(d).

[167] Office of the Privacy Commissioner, Report on the Review of the Credit Provider Determinations (Assignees and Classes of Credit Providers) (2006), 20.

[168] Ibid, 22. The OPC also concluded that the Assignees Determination was operating satisfactorily and recommended that education programs should be developed and audit programs considered: Office of the Privacy Commissioner, Report on the Review of the Credit Provider Determinations (Assignees and Classes of Credit Providers) (2006), 20, 22.

[169] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Question 50–1.