Credit reporting information

54.70 The provisions of Part IIIA apply variously to personal information in ‘credit information files’, ‘credit reports’ and ‘reports’. As discussed in Chapter 53, each term is defined differently. Briefly:

  • a ‘credit information file’ is information kept by a credit reporting agency in the course of carrying on a credit reporting business;[86]

  • a ‘credit report’ is information prepared by a credit reporting agency that is used (by a credit provider) in establishing an individual’s eligibility for credit;[87] and

  • a ‘report’ is a credit report or any other information that has any bearing on an individual’s credit worthiness.[88]

54.71 Stakeholders questioned the need to retain these separate terms, especially in view of commercial practice and technology.[89] Veda Advantage noted that the terms are ‘out of step with commercial practice, technology and market demand’ given that the use of ‘data streams within the credit environment has meant that the traditional concept of a physical credit report no longer exists’.[90]

Discussion Paper proposal

54.72 In DP 72, the ALRC proposed that the Privacy (Credit Reporting Information) Regulations should apply only to the handling by credit reporting agencies and credit providers of personal information maintained by credit reporting agencies and used by credit providers in assessing an individual’s credit worthiness. This category of personal information should be defined as ‘credit reporting information’. The existing definitions of ‘credit information files’, ‘credit reports’ and ‘reports’ would not need to be reproduced in the new regulations.

54.73 The ALRC did not favour incorporating a broader definition of credit information based on the definition of ‘report’ in s 18N(9), as suggested by some stakeholders.[91] Section 18N applies to information contained in ‘reports relating to credit worthiness’. A ‘report’ is defined, for the purposes of the section, as

(a) a credit report; or

(b) … any other record or information, whether in a written, oral or other form, that has any bearing on an individual’s credit worthiness, credit standing, credit history or credit capacity;

but does not include a credit report or any other record or information in which the only personal information relating to individuals is publicly available information.[92]

54.74 A ‘credit report’ is defined as

any record or information, whether in a written, oral or other form, that:

(a) is being or has been prepared by a credit reporting agency; and

(b) has any bearing on an individual’s:

(i) eligibility to be provided with credit; or

(ii) history in relation to credit; or

(iii) capacity to repay credit; and

(c) is used, has been used or has the capacity to be used for the purpose of serving as a factor in establishing an individual’s eligibility for credit.[93]

54.75 Rather, the ALRC’s view was that the proposed definition of credit reporting information should combine elements of the current definitions of ‘credit information file’ and ‘credit report’. The ALRC suggested the following illustrative definition:

credit reporting information, means any record that contains personal information about an individual and is:

(a) maintained by a credit reporting agency in the course of carrying on a credit reporting business; or

(b) held by a credit provider and:

(i) is being or has been prepared by a credit reporting agency; and

(ii) has any bearing on an individual’s eligibility to be provided with credit, history in relation to credit, or capacity to repay credit; and

(iii) is used, has been used or has the capacity to be used for the purpose of serving as a factor in establishing an individual’s eligibility for credit.[94]

Submissions and consultations

54.76 There was broad agreement, at least in principle, with the ALRC’s proposal that the Privacy (Credit Reporting Information) Regulations should apply to a new category of personal information, to be defined as ‘credit reporting information’.[95] Stakeholders expressed a range of concerns, however, about the potential breadth of the proposed definition.

54.77 ARCA stated that the definition of credit reporting information should only encompass information about credit worthiness. ARCA noted that

organisations that operate credit reporting businesses use and disclose some types of personal information (especially that drawn from public registers) for multiple purposes, only one of which is credit reporting …[96]

54.78 ARCA stated that, unless the definition is focused on ‘credit worthiness’, additional costs would be imposed on credit reporting agencies ‘as they would need to maintain multiple copies of data bases to ensure that these categories of information could be used in non-credit circumstances’.[97] Similarly, Veda Advantage suggested that credit reporting information should cover only ‘a record containing personal information related to an individual’s credit worthiness’ that is either: held and maintained by a credit reporting business; or prepared by a credit reporting business and held by a credit provider and used to assess eligibility for credit.[98]

54.79 More generally, industry stakeholders expressed concern that the definition of credit reporting information should ensure that the regulations cover only consumer, as opposed to commercial, credit reporting information and do not cover publicly available information.[99]

54.80 Other stakeholders considered that the new Privacy (Credit Reporting Information) Regulations should also apply to a broad category of information similar to that covered by existing s 18N of the Privacy Act—that is, information with any bearing on an individual’s credit worthiness regardless of its source.[100] Section 18N is discussed in Chapter 57.

ALRC’s view

54.81 A workable definition of credit reporting information is critical to the coverage of the new Privacy (Credit Reporting Information) Regulations and the formulation of the ALRC’s recommendations. The ALRC’s recommendations are based on the assumption that ‘credit reporting information’ comprises a subset of ‘personal information’, as the latter term is defined in the Privacy Act; and that the Privacy (Credit Reporting Information) Regulations apply only to credit reporting information.

54.82 The desirable content of the definition was canvassed in many different contexts. The ALRC understands industry concerns about the need to ensure the definition of credit reporting is not inappropriately broad. On the other hand, limiting the coverage of the regulations to personal information that is ‘about credit worthiness’, however defined, risks providing incomplete privacy protection for consumers.

54.83 This is because some personal information used in credit assessment processes cannot be said to be ‘about credit worthiness’ in any real respect. As discussed in Ch 52, when credit providers assess an individual’s eligibility for credit, credit scoring is often used. Credit scoring involves the use of mathematical algorithms or statistical programs that assign a credit score to an individual based on information derived from a number of sources. That information may be obtained from credit reports, the credit application or the credit provider’s own records. In Australia, credit scoring systems used by individual credit providers are often referred to as ‘scorecards’.

54.84 Credit scorecards used by Australian credit providers incorporate a range of information that is considered predictive of credit risk. Data items such as age; state of residence; possession of a driver’s licence; category of employment and time at current employment; residential status (renting, subject to mortgage, ownership etc); and time at current and previous addresses is commonly incorporated into scorecards. The possession of a driver’s licence, for example, is considered a positive factor in assessing eligibility for credit. It is difficult, however, to interpret this information as being information ‘about’ credit worthiness. Rather, there is a statistical relationship between this characteristic and credit worthiness in the models developed by credit providers.

54.85 The ALRC is concerned that, if the definition of credit reporting information is too closely linked to credit worthiness, some items of personal information disclosed by credit reporting agencies to credit providers would not receive the additional protection of the Privacy (Credit Reporting Information) Regulations in relation to, for example, access, correction and dispute resolution. In the ALRC’s view, the point is to regulate the handling of information that is maintained by credit reporting agencies and used by credit providers to establish an individual’s eligibility for credit.

54.86 The ALRC recommends that the definition of ‘credit reporting information’ should include only personal information that is maintained or prepared by a credit reporting agency or, having been prepared by an agency, is held by a credit provider and is used, or is capable of being used, for the purpose of establishing an individual’s eligibility for credit. The following definition is an appropriate starting point:

credit reporting information, means any record that contains personal information about an individual and is:

(a) maintained by a credit reporting agency in the course of carrying on a credit reporting business; or

(b) held by a credit provider and:

(i) has been prepared by a credit reporting agency; and

(ii) is used, has been used or has the capacity to be used for the purpose of serving as a factor in establishing an individual’s eligibility for credit.

Recommendation 54-3 The new Privacy (Credit Reporting Information) Regulations should apply only to ‘credit reporting information’, defined for the purposes of the newregulationsas personal information that is:

(a) maintained by a credit reporting agency in the course of carrying on a credit reporting business; or

(b) held by a credit provider; and

(i) has been prepared by a credit reporting agency; and

(ii) is used, has been used or has the capacity to be used in establishing an individual’s eligibility for credit.

[86]Privacy Act 1988 (Cth) s 6(1).

[87] Ibid s 6(1).

[88] Ibid s 18N(9).

[89] Australian Finance Conference, Submission PR 294, 18 May 2007; Office of the Privacy Commissioner, Submission PR 281, 13 April 2007; N Waters—Cyberspace Law and Policy Centre UNSW, Submission PR 277, 3 April 2007; Australian Privacy Foundation, Submission PR 275, 2 April 2007; Veda Advantage, Submission PR 272, 29 March 2007.

[90] Veda Advantage, Submission PR 272, 29 March 2007.

[91]N Waters—Cyberspace Law and Policy Centre UNSW, Submission PR 277, 3 April 2007; Australian Privacy Foundation, Submission PR 275, 2 April 2007.

[92]Privacy Act 1988 (Cth) s 18N(9).

[93] Ibid s 6(1).

[94]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [50.87].

[95]GE Money Australia, Submission PR 537, 21 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[96]Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[97]Ibid. Especially given ARCA’s recommendation that ‘credit reporting information’ be subject to a regulated primary purpose: See Ch 57.

[98]Veda Advantage, Submission PR 498, 20 December 2007.

[99]Australian Finance Conference, Submission PR 398, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007. Telstra considered that the definition should be ‘more clearly and strictly confined to credit information files held by credit reporting agencies, and credit reports that they provide’: Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[100]Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.