Part IIIA and the NPPs

54.4 In considering options for reform, it is important to understand the relationship between the credit reporting provisions and the existing National Privacy Principles (NPPs). Part IIIA of the Privacy Act was originally intended to adopt and reflect privacy principles in the specific context of credit reporting.[4] The NPPs were enacted later, in 2000,[5] and established a set of general principles designed to provide privacy protection in respect of personal information in the private (non-government) sector.

54.5 The rules in Part IIIA are designed to achieve broadly the same objectives as the NPPs. The obligations in Part IIIA apply only in respect of credit reporting whereas the NPPs apply to the private sector generally. In substance, the provisions of Part IIIA of the Privacy Act constitute a third major set of privacy rules, in addition to the Information Privacy Principles (IPPs) and the NPPs—albeit more detailed and prescriptive than either of those sets of principles. For example, while NPP 1.1 sets out a general principle that an organisation must not collect personal information unless the information is necessary for one or more of its functions or activities, Part IIIA provides that a credit reporting agency must not include personal information in a credit information file unless the information comprises specified permitted content.[6]

54.6 The obligations in Part IIIA can be seen as both strengthening and derogating from the privacy protection afforded to personal information by the NPPs. A brief comparison of some of the NPPs and the credit reporting provisions illustrates this point.[7]

54.7 In some important respects, the NPPs can be seen as imposing a lower level of privacy protection than the provisions of Part IIIA:

  • Under NPP 1, an organisation must not collect personal information unless the information is necessary for one or more of its functions or activities. This broad test of necessity can be contrasted with the detailed provisions of s 18E, which prescribe the permitted content of credit information files held by credit reporting agencies. Even if other categories of information can be shown to be necessary for credit reporting under NPP 1, collection is prohibited (even if the individual consents) under s 18E.

  • Under NPP 2, an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection unless the secondary purpose is related to the primary purpose or within the reasonable expectations of the individual concerned. In addition, NPP 2.1(c) permits, in some circumstances, the use of information for the secondary purpose of direct marketing—including by related bodies corporate.[8] In contrast, ss 18K and 18N limit the disclosure of personal information by credit reporting agencies and credit providers respectively to an exhaustive list of specific circumstances.

  • Under NPP 3, an organisation must take reasonable steps to ensure that the personal information it collects, uses or discloses is ‘up-to-date’.[9] There is no equivalent of s 18F, however, which provides for the deletion of personal information in credit information files after the end of maximum permissible periods for the keeping of different kinds of information.

  • Under NPP 6, individuals have rights to access personal information about them. Unlike the equivalent rights under s 18H, NPP 6 specifically allows organisations to charge for access and contains an extensive list of exceptions, under which access may be refused in certain circumstances.

54.8 In other respects, the NPPs can be seen as imposing a higher level of privacy protection than the provisions of Part IIIA. Importantly, Part IIIA operates to authorise some information-handling practices that would not be permitted under the NPPs without the consent of the individual concerned:

  • Sections 18K and 18N operate to authorise a range of secondary uses and disclosures of personal information that would not be permitted without consent under NPP 2.1—for example, credit reports may be used by mortgage insurers and those considering entering securitisation arrangements, without the individual’s consent.[10]

  • The credit reporting provisions implicitly permit indirect collection of personal information by credit reporting agencies while NPP 1.4 requires that, if it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.

54.9 In this context, the Cyberspace Law and Policy Centre observed that Part IIIA departs from the usual rules relating to the use and disclosure of personal information (NPP 2), by allowing:

(a) the bundling of use for assessing a credit application with disclosure for the secondary purpose of informing other credit providers via central credit reference databases;

(b) a variation (distortion) of the normal meaning of consent; i.e. in this context it is not freely given with the option of withdrawal—rather it is merely an acknowledgement of a condition; and

(c) the pooling of a multiplicity of bilateral information exchanges into a common centralised system, on economic efficiency grounds.[11]

54.10 A breach of a requirement of Part IIIA, unless the relevant provision states otherwise, has the same effect as a breach of one of the NPPs, and constitutes an ‘interference with the privacy of an individual’.[12] Part IIIA and the NPPs operate independently.[13] Under s 13A(2), an organisation commits an interference with the privacy of an individual if it breaches a NPP, notwithstanding that the organisation is also a credit reporting agency or a credit provider. Section 16A(4) states that conduct that does not breach the NPPs is not lawful for the purposes of Part IIIA merely because it does not breach the NPPs.

[4] Commonwealth, Parliamentary Debates, Senate, 16 June 1989, 4216 (G Richardson).

[5] Privacy Amendment (Private Sector) Act 2000 (Cth). The NPPs are located in Privacy Act 1988 (Cth) sch 3.

[6] Privacy Act 1988 (Cth) s 18E(1).

[7] The model UPPs do not depart significantly from the NPPs in these respects.

[8] Privacy Act 1988 (Cth) s 13B.

[9] A similar obligation applies to information in credit information files and credit reports: Ibid s 18G(a).

[10] Ibid ss 18K(1)(ab), (ac), and (d).

[11] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[12] See Privacy Act 1988 (Cth) s 13(d).

[13] A Tyree, ‘The Privacy (Private Sector) Amendments’ (2000) 11 Journal of Banking and Finance Law and Practice 313, 315.