Credit reporting agencies

54.87 Under the Privacy Act, ‘a person is a credit reporting agency if the person is a corporation that carries on a credit reporting business’.[101] A ‘credit reporting business’ is defined as

a business or undertaking … that involves the preparation or maintenance of records containing personal information relating to individuals (other than records in which the only personal information relating to individuals is publicly available information), for the purpose of, or for purposes that include as the dominant purpose the purpose of, providing to other persons (whether for profit or reward or otherwise) information on an individual’s:

(a) eligibility to be provided with credit; or

(b) history in relation to credit; or

(c) capacity to repay credit;

whether or not the information is provided or intended to be provided for the purposes of assessing applications for credit.[102]

Discussion Paper proposal

54.88 The OPC recommended that the definition of a ‘credit reporting business’ should be amended to remove the exclusion ‘other than records in which the only personal information relating to individuals is publicly available information’. The OPC stated that this would have the effect of regulating publicly available personal information collected by a credit reporting agency for credit assessment purposes under Part IIIA, rather than the NPPs.

The Office believes that all relevant types of personal information should be regulated by Part IIIA if they are made available to banks and financial institutions in assessing an individual’s eligibility to be provided with credit, indicate their credit history or capacity to repay credit. Moreover, a credit provider may have no obligations to comply with the NPPs if they are a small business operator within the meaning of s 6D. The effect will be that the provisions of Part IIIA will regulate this activity not the NPPs.[103]

54.89 Consistently with this view, the ALRC, in DP 72, proposed that the definition of a ‘credit reporting business’, if based on that in s 6(1) of the Privacy Act, should exclude the phrase ‘other than records in which the only personal information relating to individuals is publicly available information’.[104]

Submission and consultations

54.90 ARCA agreed in principle with the ALRC’s proposal.[105] Other stakeholders also supported the proposal, subject to qualifications about the coverage of commercial credit information and publicly available information.[106]

54.91 The ALRC proposal may, however, have been understood in different ways by stakeholders. This is perhaps unsurprising, as the words proposed to be excluded constitute an exception within the definition of a ‘credit reporting business’. This definition is itself a component of the definitions of ‘credit reporting agency’, ‘credit information file’ (and the ALRC’s proposed definition of ‘credit reporting information’).

54.92 ARCA suggested that the regulations should provide a new definition of ‘credit reporting agency’. A credit reporting agency should, in ARCA’s view, be defined as ‘an organisation that carries on a business or undertaking that involves the preparation or maintenance of records containing personal information for the dominant purpose of, providing to other persons information on an individual’s credit worthiness’. ARCA was concerned that publicly available information held by a credit reporting agency not be regulated as credit reporting information simply by virtue of that fact.[107]

54.93 Veda Advantage also expressed concern about the possible extension of credit reporting regulation to publicly available information generally, where held by a credit reporting agency.

Such an extension is inconsistent with the objective of simplifying privacy laws. It imposes additional obligations on the handling of publicly available data that are specific to the credit reporting business—with additional costs—without any proportional benefit to protecting the privacy of individuals. It would mean any public information used at any point by a credit reporting agency—including responding to a public access request—would be credit reporting information. Accordingly, it would be limited by the primary purpose of credit reporting information, meaning it could not be used for any other purpose.[108]

54.94 Veda stated that to have the same data set covered by different rules (depending on the business holding it) would lead to ‘unnecessary confusion, complexity, cost and duplication of effort’ and the need to maintain publicly available information in ‘two quarantined sets—credit reporting and general personal information’.[109]

ALRC’s view

54.95 The ALRC no longer considers that the definition of a ‘credit reporting business’ should be amended, as proposed in DP 72. The proposal alone is not capable of achieving the policy position intended by the OPC—that is, to regulate publicly available personal information collected by a credit reporting agency for credit assessment purposes under Part IIIA (or the new credit reporting regulations) rather than the NPPs (or UPPs).

54.96 The exclusion of the words ‘records in which the only personal information relating to individuals is publicly available information’ (emphasis added) would have limited effect as credit reporting agencies do not often provide publicly available information to credit providers in isolation from other personal information. In any case, the provisions of Part IIIA (and the new credit reporting regulations) apply to the handling of credit information files and credit reports (or credit reporting information in the new regulations), which are permitted to contain only specified categories of personal information.[110]

54.97 One rationale for the proposal was that it was consistent with the ALRC’s proposal that the Privacy (Credit Reporting Information) Regulations permit credit reporting information to include publicly available information.[111] As discussed in Chapter 56, the ALRC has concluded that no case has been made for the inclusion of new categories of publicly available information in credit reporting information.

54.98 The definition of ‘credit reporting information’ (see Recommendation 54–3 above) in the new Privacy (Credit Reporting Information) Regulations should continue to ensure that publicly available information maintained by a credit reporting agency is covered by credit reporting regulation only where the information is maintained ‘in the course of carrying on a credit reporting business’—that is, consumer credit reporting. As is presently the case under Part IIIA of the Privacy Act, a credit reporting agency should be able to conduct other business undertakings, including commercial credit reporting, using publicly available or other personal information that it holds, subject to compliance with the UPPs and other obligations under the Privacy Act.

54.99 As noted above, a ‘credit reporting agency’ is currently defined as a ‘corporation’ that carries on a credit reporting business.[112] Consistent with the ALRC’s overall approach to reform, a credit reporting agency under the new Privacy (Credit Reporting Information) Regulations should be defined as any ‘agency or organisation’—as those terms are defined in the Privacy Act—that engages in a credit reporting business.

54.100 If the small business exemption is not removed from the Privacy Act (as recommended in Chapter 39) regulations should be made under s 6E to ensure credit reporting agencies or credit providers that are small business operators are treated as organisations for the purposes of the Act and the Privacy (Credit Reporting Information) Regulations.

[101] Privacy Act 1988 (Cth) s 11A.

[102] Ibid s 6(1).

[103] Office of the Privacy Commissioner, Submission PR 281, 13 April 2007.

[104] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 50–6.

[105] Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[106] Australian Privacy Foundation, Submission PR 553, 2 January 2008; GE Money Australia, Submission PR 537, 21 December 2007; National Legal Aid, Submission PR 521, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007.

[107] Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[108] Veda Advantage, Submission PR 498, 20 December 2007.

[109] Ibid.

[110] The OPC noted that the permitted contents of a credit information file would need to be expanded to cover additional categories of publicly available information: Office of the Privacy Commissioner, Submission PR 281, 13 April 2007.

[111] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 52–6.

[112] Privacy Act 1988 (Cth) s 11A.