Credit reporting code

54.182 In DP 72, the ALRC noted that some matters raised in the Inquiry are not addressed most appropriately through legislation. For example, while credit providers generally support the principle of reciprocity in credit reporting, and obligations to report information consistently, arguably, credit providers themselves and their industry associations should take responsibility for such matters—within the framework provided by legislation.

54.183 The ALRC proposed that credit reporting agencies and credit providers should develop, in consultation with consumer groups and regulators, including the OPC, an industry code dealing with operational matters such as default reporting obligations and protocols and procedures for the auditing of credit reporting information.^[230]

54.184 Stakeholders generally accepted that, in addition to the new Privacy (Credit Reporting Information) Regulations, some form of credit reporting code would be desirable.^[231] There was less consensus on which specific obligations should be located in the regulations and the code respectively; and on the legal nature of the code.

Content of the code

54.185 Veda Advantage commented that, for a three-tiered regulatory structure to be effective, the regulations should be drafted to be ‘inclusive and brief’, with detail left to a binding code.

Many credit reporting operational issues are highly detailed and context specific. It is appropriate that these be contained in an industry code that provides for the ability to update and revise the required provisions as operational issues continue to change.^[232]

54.186 The advantages of a code in providing flexibility was emphasised by industry stakeholders.^[233] Dun and Bradstreet, for example, stated that the code would ‘provide flexibility within a closely governed framework to ensure credit reporting standards and obligations keep pace with industry changes and consumer demands’.^[234]

54.187 Galexia put forward broad criteria on which to determine whether specific obligations should be located in the regulations or code. For example, Galexia suggested that matters to be included in regulations should be restricted to those that relate to ‘fundamental privacy rights, rather than minor consumer concerns or basic operational matters’. The code, on the other hand, should deal with matters that require significant flexibility, relate to minor consumer or basic operational concerns, or deal with ‘industry branding or cooperation’.^[235]

54.188 Telecommunications companies had reservations about the desirability of a new credit reporting code.^[236] AAPT suggested that, for the telecommunications industry, it may be preferable to augment the existing credit management code.^[237] Optus expressed concern about how the proposed code would interact with existing industry codes that deal with the same or similar matters.^[238] Telstra highlighted the need to avoid duplication of obligations.^[239]

54.189 Other stakeholders stated that privacy protection should not be downgraded by locating obligations currently contained in the Privacy Act in an industry code, rather than in legislation.^[240] The BFSO, for example, stated that in developing the code it will be important to ensure that

any matters that are currently the subject of mandatory requirements in Part IIIA or the Credit Reporting Code of Conduct remain obligatory (whether by inclusion in the regulations or ensuring that the new code is mandatory and enforceable) …^[241]

54.190 Similarly, the Australian Privacy Foundation supported an industry code, but expressed concern about the meaning of ‘operational matters’. The Foundation stated that it ‘would see some matters that industry regards as “operational” as more fundamental and would want some of these in Regulations or binding Code/Rules’.^[242] The Cyberspace Law and Policy Centre stated that it supported the concept of some detailed operational matters being left to a code but submitted that the ALRC should ‘more clearly explain its proposed hierarchy of regulation, and ensure that it recommends placement of specific obligations in the different levels to reflect its conclusions about how “binding” those obligations should be’.^[243]

54.191 Throughout the course of the Inquiry, ARCA has been developing a draft code. This code is intended to bind its member organisations in relation to their participation in the credit reporting system. In its submission, ARCA presented detailed proposals on the content of a future code, which it summarised as follows:

the structure of the code of conduct … is recommended to be in two layers so as to manage in the first layer, policy and compliance and in the second layer operational and procedural matters. The prime rationale for the third tier is to facilitate, under appropriate governance, continuous review and improvement but without the burdens to development and implementation that would apply under regulation. ARCA recognises that the structure is one that would need to be developed over time with input from stakeholders.^[244]

Legal status

54.192 In submissions, stakeholders made a number of comments about the desirable legal status of the proposed code. ARCA proposed that a code of conduct for credit reporting should be developed by industry and then become an approved privacy code under Part IIIAA of the Privacy Act, or similar new statutory provision.^[245]

54.193 ARCA has also identified a need for the code, or aspects of the code, to be authorised by the ACCC under the Trade Practices Act 1974 (Cth). It raises potential competition issues, notably in relation to sanctions for non-compliance such as suspension or exclusion from the credit reporting system. ARCA has advised that it is currently pursuing ACCC authorisation for a code of conduct dealing with data standards, and containing sanctions for non-compliance.^[246]

54.194 Other industry stakeholders agreed with the ARCA approach.^[247] Veda Advantage, for example, submitted that the code of conduct should be:

• Binding on all credit reporting industry participants

• Made by the industry under the Privacy Act

• Authorised by the ACCC to ensure that contractual provisions making the Code binding on subscribers of CRAs are lawful.^[248]

54.195 Legal Aid Queensland supported a code approved by the Privacy Commissioner and subject to disallowance by Parliament.^[249] The OPC referred to its support for ‘a voluntary industry code’ dealing with operational matters.^[250] The Cyberspace Law and Policy Centre noted what it identified as ‘considerable uncertainty about the framework proposed by the ALRC—in particular the role of Codes and whether they would be mandatory and/or binding and enforceable’. The Centre favoured the imposition of binding and enforceable subscriber agreements and submitted that the new Privacy (Credit Reporting Information) Regulations should require credit reporting agencies to have a complying subscriber agreement in place before disclosing any credit information to a credit provider.^[251]

54.196 An important issue for industry is that, because a credit reporting industry code or agreement is likely to raise competition law issues, it may require authorisation by the ACCC to avoid breaching the Trade Practices Act. Galexia noted that

Authorisation by the ACCC is subject to a very limited test and it is important to clarify that authorisation does not equate with ‘approval’. Indeed, the test is simply whether or not the public benefit outweighs any potential lessening of competition that results from the Code.^[252]

ALRC’s view

54.197 The ALRC recommends that credit reporting agencies and credit providers develop a credit reporting code providing detailed guidance within the framework provided by the Privacy (Credit Reporting Information) Regulations. In other chapters, the ALRC makes specific recommendations concerning the desirable content of the code. For example:

• In Chapter 55, the ALRC recommends that the credit reporting code should mandate procedures for the reporting of repayment performance history, within the parameters prescribed by the new regulations (see Recommendation 55–4).

• In Chapter 58, the ALRC recommends that the credit reporting code should promote data quality by mandating procedures to ensure consistency and accuracy in the reporting of overdue payments and other personal information by credit providers (see Recommendation 58–3).

54.198 There may be other matters that should be included. It may be appropriate, for example, for the code to deal with operational matters relevant to dispute resolution (see Chapter 59). Ultimately, however, the content of the code should be determined by the credit reporting industry, in consultation with consumer groups and regulators, including the OPC.

54.199 Consistently with the ALRC’s recommendations on codes, the credit reporting code would ‘fill in the gaps’ between the outcome set by a privacy principle—or, in this case, the new Privacy (Credit Reporting Information) Regulations—and the application of, or compliance with, that principle or regulation. In recommending the development of a credit reporting code, the ALRC leaves open the question of the code’s precise legal status and governance structure. Again, these are matters for the industry to resolve.

54.200 One option would be for the credit reporting code to become an approved code under Part IIIAA of the Privacy Act. As discussed in Chapter 48, the ALRC’s recommendations for reform of the Privacy Act retain the ability of organisations and industries to flesh out the requirements of the privacy principles in privacy codes approved by the Privacy Commissioner under Part IIIAA. The ALRC recommends that the code provisions be changed so that: a code applies in addition to the UPPs (or regulations) and does not replace them; and the primary purpose of a code is to prescribe how a principle or regulation is to be applied or complied with.^[253] Privacy codes, under the current provisions and the ALRC’s recommended changes, cannot derogate from the principles, unlike regulations and other subordinate legislation.

54.201 A credit reporting code developed by industry or aspects of such a code, could also, under the ALRC’s recommended reforms, become incorporated into the Privacy (Credit Reporting Information) Regulations, or as a new regulation. Such a regulation could contain provisions that derogate from the privacy principles.

54.202 While it may be desirable, at some future time, for a credit reporting code to be approved under Part IIIAA of the Privacy Act or promulgated under the regulations, reform of the credit reporting provisions should not await the development of an approved code. Pending approval under the Privacy Act, the code could operate as an industry code, be adopted voluntarily by participants in the credit reporting system, or made enforceable by contract as part of subscription agreements with credit reporting agencies.

54.203 The important point is that the new Privacy (Credit Reporting Information) Regulations should be promulgated at the same time that Part IIIA of the Act is repealed. The regulations, in accordance with the recommendations made in this Report, should be capable of providing adequate privacy protection for credit reporting information in the absence of any code. That is, while a code may be desirable, the content of the code should not be essential to the adequate regulation of privacy in credit reporting.