Repeal and new regulation under the Act

54.11 There are three main approaches available for reform of the credit reporting provisions:

  • Credit reporting could continue to be regulated under Part IIIA of the Privacy Act 1988 (Cth) and its related provisions.

  • Part IIIA and its related provisions could be repealed, and credit reporting regulated under the general provisions of the Privacy Act.

  • Credit reporting could be regulated by new sectoral legislation dealing specifically with the privacy of credit reporting information.

54.12 There was little support in submissions for the retention of Part IIIA in its present form. As discussed in this chapter, even those who value the privacy protections provided by Part IIIA generally agreed that the provisions should be simplified, while retaining the basic rules.

54.13 The ALRC has concluded that the credit reporting provisions of the Privacy Act should be repealed and credit reporting governed by the general provisions of the Act and the model UPPs, supplemented by subordinate legislation. The reasons for this view include that the credit reporting provisions are an unjustified anomaly within the Privacy Act; the Act would be significantly simplified by the repeal of Part IIIA; the repeal of Part IIIA is consistent with the ALRC’s recommendation that one set of privacy principles regulating both the public and private sectors be developed; and an equivalent level of privacy protection can be provided to individuals under the model UPPs and subordinate legislation.

The anomalous nature of Part IIIA

54.14 The credit reporting provisions are the only provisions in the Privacy Act that deal in detail with the handling of personal information within a particular industry or business sector. One credit reporting agency has observed that Part IIIA of the Privacy Act is a ‘significantly more prescriptive legislative regime than applies to other arguably more sensitive sectors of the private sector’.[14] While it may be argued that credit reporting presents a suite of privacy issues that are uniquely deserving of specific regulation, the reasons for this anomaly are to some extent historical in that the credit reporting industry was made subject to privacy regulation before the rest of the private sector.

54.15 In 1990, when the credit reporting provisions were inserted into the Privacy Act, the Act had very limited application to the private sector.[15] While further privacy regulation was anticipated,[16] comprehensive coverage of the private sector was not implemented until 2000, with the enactment of the Privacy Amendment (Private Sector) Act 2000 (Cth). The Privacy Amendment (Private Sector) Act, which came into effect on 21 December 2001, established the NPPs, which apply to the handling of personal information in the private sector.

54.16 The history of credit reporting regulation in Australia may be contrasted with that in New Zealand where credit reporting regulation, under a legally binding code, followed the enactment of the Privacy Act 1993 (NZ)—which applied information privacy principles across the public and private sectors.

54.17 As discussed in Chapter 18, the ALRC recommends that the IPPs and NPPs should be replaced by a single set of privacy principles regulating both the public and private sectors (the model UPPs). The repeal of Part IIIA is consistent with the development of one set of legislative privacy principles[17] and with the approach taken to the privacy protection of health information.[18]

The need for specific credit reporting regulation

54.18 The credit reporting provisions of the Privacy Act are complex and prescriptive. While some of this complexity and prescriptiveness may be unnecessary, effective regulation of credit reporting needs to incorporate at least some of this detail and, more generally, to tailor broad privacy principles to the specific conditions of the credit reporting industry.

54.19 Incorporating the credit reporting provisions into regulations or a code under the Privacy Act, rather than leaving them in the primary legislation, makes it easier for rules to be amended to take into account the changing nature of the credit sector in Australia and developments in the role and potential uses of the credit reporting system.

54.20 One approach might be to incorporate the credit reporting provisions into a legally binding code issued by the Privacy Commissioner. Models of credit reporting privacy codes include those in New Zealand[19] and Hong Kong.[20] In New Zealand, credit reporting is regulated under a legally binding code issued by the Privacy Commissioner under the Act.[21] Many basic elements of the Credit Reporting Privacy Code 2004 (NZ) are similar, in effect, to regulation in Australia.

Sectoral credit reporting legislation

54.21 An alternative approach to reform of the credit reporting provisions of the Privacy Act would be to repeal those provisions and enact new sectoral legislation dealing with the privacy of credit reporting information.[22] Sectoral credit reporting legislation might deal with related consumer protection issues and be designed to operate consistently with the Consumer Credit Code,[23] or incorporated into the Code. One advantage of such an approach would be to consolidate a link between regulation of credit reporting and the responsible lending and related obligations of credit providers.[24]

54.22 The possible disadvantages include the following:

  • Banks, finance companies, other credit providers and consumers would have to deal with two statutory privacy regimes—that is, specific rules in relation to credit reporting, and the model UPPs in relation to other aspects of handling personal information.

  • Specific credit reporting legislation may add to problems caused by inconsistency and fragmentation in privacy law, including complexity of privacy regulation, varying levels of privacy protection, and regulatory gaps.

54.23 If credit reporting regulation were to be located outside the Act, questions may arise about whether the Privacy Commissioner remains the appropriate regulator.[25] For example, credit reporting conceivably could be regulated as a financial services consumer protection law by the Australian Securities and Investments Commission (ASIC).

54.24 Overseas jurisdictions take differing approaches to the location of credit reporting legislation and the nature of the regulator. Most commonly, however, credit reporting is regulated within privacy law regimes, except where regulation of credit reporting preceded the enactment of privacy laws, or where there is no comprehensive privacy or data protection legislation.[26]

54.25 In the United States, credit reporting is regulated under the Fair Credit Reporting Act 1970 (US) by the Federal Trade Commission.[27] In the United Kingdom, the activities of credit reference agencies are regulated by both the Consumer Credit Act 1974 (UK) and under privacy legislation.[28] New Zealand and Canada more closely follow the Australian model. Credit reporting is regulated by these jurisdictions’ privacy commissioners under the Privacy Act 1993 (NZ) and the Personal Information Protection and Electronic Documents Act 2000 (Canada) respectively.

Discussion Paper proposals

54.26 In the Discussion Paper Review of Australian Privacy Law (DP 72), the ALRC stated that the repeal of Part IIIA need not result in any lessening of privacy protection in relation to credit reporting. It would not be sufficient, however, to leave credit reporting to be regulated by the model UPPs alone, or by the UPPs supported by a binding code issued by the Privacy Commissioner. The reasons included that:

  • credit reporting regulation needs to be able to impose more or less stringent obligations on credit reporting agencies and credit providers than are provided for in the UPPs;[29]

  • credit reporting requires a level of prescription, beyond the principles-based approach of the UPPs, to ensure that credit reporting agencies, credit providers and individuals understand their obligations and rights; and

  • derogation from the UPPs would not be permitted under the ALRC’s proposed approach to codes under the Privacy Act.[30]

54.27 Accordingly, in DP 72, the ALRC proposed that:

  • the credit reporting provisions of the Privacy Act should be repealed and credit reporting regulated under the general provisions of the Act and the model UPPs;[31] and

  • privacy rules, which impose obligations on credit reporting agencies and credit providers with respect to the handling of credit reporting information, should be promulgated in regulations.[32]

54.28 The ALRC also proposed that the:

  • obligations imposed on credit reporting agencies and credit providers by the proposed Privacy (Credit Reporting Information) Regulations should be in addition to those imposed by the proposed UPPs;[33] and

  • regulations should be drafted to contain only those requirements that are different or more specific than are provided for in the proposed UPPs.[34]

Submissions and consultations

54.29 Support for the review and reform of credit reporting regulation was expressed throughout the course of the Inquiry, by consumer and industry groups. These views are discussed below.

Repeal of Part IIIA

54.30 There was substantial support for the repeal of Part IIIA.[35] The credit reporting provisions were criticised for being overly complex and prescriptive. Part IIIA was characterised as being ‘inflexible, difficult to work with and poorly suited to both consumer protection and efficient business objectives’.[36]

54.31 While some stakeholders appeared to support the retention of Part IIIA,[37] some of these stakeholders also favoured substantial modification of the current regulatory scheme—for example, by consolidating Part IIIA, the Credit Reporting Code of Conduct and the Privacy Commissioner’s credit provider determinations[38] into one body of provisions.[39]

54.32 There was little support for new credit reporting legislation enacted outside the Privacy Act. The OPC noted that regulating credit reporting as an industry rather than regulating the handling of personal information used in credit reporting would create ‘further inconsistency and fragmentation in Australian privacy law’.[40] Other stakeholders also expressed concern about fragmentation in privacy law.

54.33 The Australasian Retail Credit Association (ARCA), for example, stated that maintaining the OPC as the sole regulator in relation to credit reporting would ‘help ensure the consistency of policy decision making and reduced complexity’—especially given that the credit industry is a ‘highly regulated sector with compliance to multiple regulations requiring careful consideration to limit duplication and management confusion’.[41] Conversely, some stakeholders suggested that ASIC might be a more effective credit reporting regulator.[42] The reasons for this view included the close connections between credit reporting regulation and the way credit is provided and debts pursued,[43] and more general concerns about the effectiveness of the OPC as a regulator.[44]

Regulations or code

54.34 Stakeholders generally accepted that privacy protection in credit reporting should not rely on general privacy principles alone, but needs to be supported by regulations or a legally binding code (or both).[45] There were some exceptions. Telstra, for example, objected to the imposition of obligations beyond those provided by the UPPs. Telstra encouraged the ALRC to ‘consider whether the new, comprehensive UPPs could be broad enough in scope to cover all aspects of privacy (including credit related issues), which would eliminate the need for separate regulations’.[46]

54.35 For most stakeholders, however, the key concerns revolved around the appropriate location of credit reporting regulation. Some industry stakeholders continued to express a preference for implementing new credit reporting rules through a code,[47] developed by industry and approved by the OPC, rather than by regulations, made by the Governor-General in Council on the recommendation of the responsible Minister.

54.36 The Australian Finance Conference (AFC), for example, stated that, while it supported the overall approach to reform proposed by the ALRC in DP 72, a code should be used rather than regulations. The code should be ‘developed collaboratively with industry, consumer representatives and government’ and cover ‘both matters of policy and operational issues’.[48] The OPC favoured setting out credit reporting privacy rules ‘in a binding credit code issued by the Privacy Commissioner as a legislative instrument’. The OPC accepted, nevertheless, that regulations would be a viable alternative approach.[49]

54.37 ARCA accepted that regulations may be desirable to ‘facilitate actions that may be otherwise broader than contemplated by the UPPs’ and to ‘provide a framework for credit reporting outcomes and impose specific obligations and constraints on credit providers and CRAs’. ARCA was concerned, however, that the regulations, while supplementing the UPPs:

should not contain a level of detail that would result in rigid and prescriptive rules that rapidly date and impede innovation. It is proposed that the rules underpinning the regulations have flexibility to support an industry operating in a climate of evolving technology and that would be supported by a code of conduct approach.[50]

54.38 ARCA suggested that, in general, the content of the regulations should be limited to those matters that are ‘unlikely to change with market conditions’ and should be outcome-based rather than prescribe how outcomes are to be achieved. In its submission, ARCA nevertheless accepted the idea that privacy rules for credit reporting should be promulgated in regulations under the Privacy Act.[51]

54.39 ARCA’s position was explicitly supported in other submissions[52] and other stakeholders also favoured regulations.[53] ARCA recommended a three-tiered regulatory structure, broadly consistent with that proposed by the ALRC in DP 72, and comprising:

  • the privacy principles contained in the Privacy Act;

  • regulations to provide a framework for regulating credit reporting under the Act, modify the privacy principles where necessary and set out the additional obligations of credit providers and credit reporting agencies; and

  • a code of conduct that provides detailed policies and procedures for credit reporting.

54.40 Galexia recommended a similar regulatory framework for credit reporting, comprising general principles, detailed regulations, and industry operating rules.[54] This basic framework was also supported, with some qualifications about the content and location of various provisions, by some other stakeholders.[55]

54.41 Concerns were expressed, however, that current privacy protections should not be downgraded by the repeal of Part IIIA and its replacement with the Privacy (Credit Reporting Information) Regulations. The Cyberspace Law and Policy Centre suggested, for example, that the starting point for any review of the credit reporting provisions should be ‘an acknowledgement that the current centralised credit reporting systems represent a privileged state-sanctioned exception from normal expectations of privacy’.

From this starting point, it is only to be expected that there should be strict controls, limits and additional safeguards, and the onus should be on the community of lenders to justify any weakening of controls; derogations from obligations, or extension of the privilege in the form of more comprehensive credit reporting.[56]

Relationship between the UPPs and the regulations

54.42 By proposing that the obligations imposed by the new Privacy (Credit Reporting Information) Regulations should be ‘in addition to’ those imposed by the UPPs,[57] the ALRC intended to indicate that a credit provider or credit reporting agency would need to comply with both the model UPPs and the regulations, which would modify the operation of the UPPs in particular contexts. This overall approach met with broad agreement from stakeholders.[58]

54.43 An alternative approach is taken in New Zealand under the Credit Reporting Privacy Code 2004 (NZ) (NZ Code).[59] The Privacy Act 1993 (NZ) provides that the doing of any action that would otherwise be a breach of an information privacy principle[60] is deemed not to be a breach if the action is done in compliance with the NZ Code.[61] General requirements of the information privacy principles are incorporated into the credit reporting rules set out in the NZ Code, along with those that are different or more specific than provided for in the principles.

54.44 Stakeholders did not call for such an approach in Australia. Rather, it was suggested that credit reporting regulations should not duplicate the obligations set out in general privacy principles.[62]

Approaches to drafting the regulations

54.45 Stakeholders referred to the need to simplify credit reporting regulation.[63] The Consumer Credit Legal Centre (NSW) (CCLC), for example, stated:

The drafting of the current Part IIIA is complex, rigid and often difficult to comprehend and apply. It also arguably undermines the thrust of the privacy principles. Credit providers, consumers and decision-makers alike become mired in the detailed requirements of the Act and can easily lose sight of the principles those sections were meant to uphold.[64]

54.46 National Legal Aid suggested that while some of the complexity of Part IIIA would have been difficult to avoid,[65] ‘there is now an opportunity to prune back some of this complexity, given the broader application of the Privacy Act, changes in the way credit is provided and the enhanced capacity of computerised information systems’.[66]

54.47 Industry stakeholders made similar comments. AAPT, for example, stated that the credit reporting provisions ‘need to be re-written in plain English and in a simple style’ and that the provisions are ‘currently difficult to read and consumer protection must therefore be eroded’.[67] Telstra stated that any ‘new credit specific rules require careful drafting to avoid the interpretative difficulties and lack of clarity now existing in complying with Part IIIA’.[68]

ALRC’s view

54.48 A degree of consensus emerged around the overall approach that should be taken to the future regulation of credit reporting, based on that proposed by the ALRC in DP 72. The starting point is that Part IIIA should be repealed and credit reporting governed by the general provisions of the Act and the model UPPs, supplemented by subordinate legislation or a code.

54.49 This approach is consistent with the ALRC’s overall approach to reform of the Privacy Act. As discussed in detail in Chapter 4, the ALRC does not recommend the adoption of a pure form of principles-based regulation. Rather, the ALRC takes a pragmatic approach, adopting what could be described as a hybrid model. The model draws significantly on principles-based regulation as its foundation, but allows for a reversion to more traditional rules-based regulation where appropriate. Subordinate legislation can be introduced to provide greater specificity and certainty in regulating privacy in relation to particular activities—including credit reporting.

Regulations or code

54.50 On the issue of regulations or a code, the ALRC recommends that the primary source of privacy rules imposing obligations on credit reporting agencies and credit providers with respect to the handling of credit reporting information should be regulations promulgated under the Privacy Act.

54.51 Consistently with the ALRC’s overall approach to reform of the Privacy Act, the Privacy (Credit Reporting Information) Regulations would be more detailed and specific than the UPPs and derogate from the requirements in the privacy principles, by providing different (that is, more or less stringent) requirements than are provided for in the principles.[69]

54.52 This approach is dictated, in part, by the ALRC’s recommendations in relation to the development and issuing of codes of conduct under Part IIIAA of the Privacy Act.[70] In this context, the ALRC recommends that privacy codes approved under Part IIIAA should not replace the obligations provided by the UPPs and must impose obligations that are at least equivalent to those under the Act.[71]

54.53 Some industry stakeholders favoured a code rather than regulations as the regulatory mechanism, although they did not always specify the desired legal status of such a code.[72] To provide effective regulation of credit reporting, a statutory basis for a code (whether issued by the OPC or some other body) would be required to ensure its obligations are binding on all participants in the credit reporting industry. The reasons for preferring a code included: perceptions that the process for developing codes would be more ‘industry-driven’; and that codes are more easily amended, for example, to take account of changes in industry practices or technology.

54.54 A statutory code-making power could be drafted to allow the OPC to issue codes that derogate from the model UPPs, in the way permissible under the ALRC’s recommended regulation-making power.[73] The ALRC considers, however, that even if the same result, in terms of privacy protection, might be achieved through a code issued by the OPC, it is more appropriate to recommend the promulgation of regulations by the responsible Minister.

54.55 As discussed in Chapter 4, this approach better conforms with the principles of responsible government and parliamentary supremacy, by clearly vesting in Parliament the power to control the rules that apply to privacy. Proceeding by way of regulations also is consistent with the ALRC’s approach to the privacy of health information.

Relationship between the UPPs and the regulations

54.56 As discussed above, the content of the Privacy (Credit Reporting Information) Regulations will include provisions that can be seen as both strengthening and lessening the privacy protection afforded to personal information by the model UPPs. For example, the Privacy (Credit Reporting Information) Regulations will continue to limit the permitted content of credit reporting information held by credit reporting agencies and will mandate the indirect collection of personal information.

54.57 The relationship between the model UPPs and the new Privacy (Credit Reporting Information) Regulations requires consideration in light of the potential inconsistencies. Two broad approaches appear available.

  • The relationship between the UPPs and the Privacy (Credit Reporting Information) Regulations could mirror the existing relationship between the NPPs and Part IIIA of the Privacy Act. Credit reporting agencies and credit providers would have to comply with both regimes.

  • Alternatively, the requirements of the UPPs could be incorporated into the regulations, along with those that are different or more specific than provided for in the UPPs. A breach of the UPPs would be deemed not to be a breach if done in compliance with the credit reporting regulations.[74]

54.58 Credit reporting agencies and credit providers should have to comply with both the model UPPs and the Privacy (Credit Reporting Information) Regulations. This approach is consistent with the existing relationship between the credit reporting provisions and general privacy principles contained in the Privacy Act, and with the approach to be taken to the new Privacy (Health Information) Regulations.[75]

54.59 The regulations should be drafted to contain only those requirements that are different or more specific than provided for in the UPPs. Any problems of inconsistency would be limited because conduct that complies with the Privacy (Credit Reporting Information) Regulations is ‘required or authorised by law’ under the model UPPs.

Approaches to drafting the regulations

54.60 The existing credit reporting provisions contained in Part IIIA and associated provisions should be recast as regulations under the Privacy Act, incorporating content that reflects the policy recommendations resulting from the current Inquiry. Such is the complexity of the provisions, and the definitions in particular, that there would be good reason for redrafting them, even if the substance of regulation were to remain largely unchanged.

54.61 In drafting the Privacy (Credit Reporting Information) Regulations, the existing provisions of Part IIIA of the Privacy Act remain an appropriate starting point. Despite the criticisms made of the existing credit reporting provisions, Part IIIA of the Act provides comprehensive privacy protection. Further, the current practices of credit reporting agencies and credit providers have been developed to comply with these obligations:

Significant resources have been expended to ensure documentation, procedures and training meet the requirements of Part IIIA and related provisions on an on-going basis … Any change would potentially impact and bring with it significant cost which may be borne by customers in the pricing of credit products.[76]

54.62 In the interests of maintaining privacy protection and minimising the transition costs to industry of new credit reporting regulations, significant departures from the policy framework of Part IIIA need to be justified.

54.63 There is potential for the Privacy (Credit Reporting Information) Regulations to simplify significantly the privacy rules relating to credit reporting. A number of approaches could be pursued. There is room, for example, to simplify the overall regulatory framework by consolidating the provisions of Part IIIA, the Privacy Commissioner determinations and the Credit Reporting Code of Conduct[77]—notably in relation to the definition of credit provider (discussed below).

54.64 In addition, some of the drafting approaches taken in the NZ Code may have the potential to simplify credit reporting regulation in Australia. The NZ Code was significantly influenced by the existing Australian credit reporting provisions and intended to bring about ‘greater trans-Tasman regulatory alignment’.[78] The New Zealand Assistant Privacy Commissioner has summarised the NZ Code as taking a similar approach to Part IIIA on some broad issues[79] and in some specific matters,[80] while being less complex and prescriptive.[81] There are, however, notable differences in some areas, including in relation to limits on the disclosure of credit information, which are less restrictive in New Zealand.[82]

54.65 The relative simplicity of the NZ Code can be illustrated by the differing approaches to the drafting of the provisions dealing with the use and disclosure of credit information.[83] The NZ Code is able to deal succinctly with limits on use and disclosure of credit information by credit reporters in Rules 10 and 11 respectively, while Part IIIA of the Privacy Act relies on the extensive provisions of ss 18K, 18L, 18N, 18P and 18Q.[84]

54.66 More generally, the drafting and layout of the credit reporting provisions could be improved to assist credit providers, credit reporting agencies and consumers to understand their obligations and rights.[85] ARCA agreed, for example, that there is ‘value in leveraging’ aspects of the NZ Code and the existing provisions of Part IIIA. Many of the recommendations made in this and subsequent chapters should contribute to a less complex form of credit reporting regulation.

54.67 It must be stressed, however, that it is not the ALRC’s practice to draft regulations. As discussed in Chapter 1, this is partly because drafting is a specialised function better left to the legislative drafting experts and partly a recognition that the ALRC’s time and resources are better directed towards determining the policy that will shape any resulting legislation.

Recommendation 54-1 The credit reporting provisions of the Privacy Act should be repealed and credit reporting regulated under the general provisions of the Privacy Act, the model Unified Privacy Principles, and regulations under the Privacy Act—the new Privacy (Credit Reporting Information) Regulations—which impose obligations on credit reporting agencies and credit providers with respect to the handling of credit reporting information.

Recommendation 54-2 The new Privacy (Credit Reporting Information) Regulations should be drafted to contain only those requirements that are different or more specific than provided for in the model Unified Privacy Principles.

[14] Baycorp Advantage, Submission to the Senate Legal and Constitutional References Committee Inquiry into the Privacy Act 1988, 16 March 2005.

[15] The Privacy Act provided guidelines for the collection, handling and use of individual tax file number information in the private, as well as public, sector: Taxation Laws Amendment (Tax File Numbers) Act 1988 (Cth).

[16] For example, the second reading speech stated that the credit reporting provisions were ‘the next step’ in the Government’s program to introduce comprehensive privacy protection: Commonwealth, Parliamentary Debates, Senate, 16 June 1989, 4216 (G Richardson).

[17] See Ch 4.

[18] See Part H.

[19] Credit Reporting Privacy Code 2004 (NZ).

[20] Office of the Privacy Commissioner for Personal Data Hong Kong, Code of Practice on Consumer Credit Data (1998).

[21] Credit Reporting Privacy Code 2004 (NZ) under Privacy Act 1993 (NZ) s 46.

[22] In this Report, the term ‘credit reporting information’ is used to describe all personal information recommended to be covered by the Privacy (Credit Reporting Information) Regulations.

[23] The Consumer Credit Code is set out in the Consumer Credit (Queensland) Act 1994 (Qld) and is adopted by legislation in other states and territories.

[24] The concept of responsible lending and its relationship with credit reporting is discussed in Ch 55.

[25] The OPC already has some functions under legislation other than the Privacy Act including the Data-matching Program (Assistance and Tax) Act 1990 (Cth); National Health Act 1953 (Cth); Telecommunications Act 1997 (Cth); and Crimes Act 1914 (Cth): see Australian Law Reform Commission, Review of Privacy, IP 31 (2006).

[26] Veda Advantage, Submission PR 272, 29 March 2007.

[27] The United States does not have a federal information privacy commissioner.

[28] The United Kingdom Information Commissioner (the equivalent of the OPC) deals with credit reporting complaints, and credit reference agencies are bound by the Data Protection Act 1998 (UK).

[29] As discussed above, Part IIIA currently imposes obligations on credit reporting agencies and credit providers that are both more and less stringent than those provided by the NPPs.

[30] The ALRC proposed that binding privacy codes should provide guidance or standards that contain obligations that are at least equivalent to those under the Act: Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 44–9.

[31] Ibid, Proposal 50–1.

[32] Ibid, Proposal 50–2.

[33] Ibid, Proposal 50–3.

[34] Ibid, Proposal 50–4.

[35] Australian Privacy Foundation, Submission PR 553, 2 January 2008; GE Money Australia, Submission PR 537, 21 December 2007; National Legal Aid, Submission PR 521, 21 December 2007; Uniform Consumer Credit Code Management Committee, Submission PR 520, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Abacus–Australian Mutuals, Submission PR 456, 11 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007; Australian Finance Conference, Submission PR 294, 18 May 2007; Office of the Privacy Commissioner, Submission PR 281, 13 April 2007; Institute of Mercantile Agents, Submission PR 270, 28 March 2007; GE Money Australia, Submission PR 233, 12 March 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 232, 9 March 2007; Australian Institute of Credit Management, Submission PR 224, 9 March 2007.

[36] Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[37] Australian Privacy Foundation, Submission PR 275, 2 April 2007; Consumer Action Law Centre, Submission PR 274, 2 April 2007; National Legal Aid, Submission PR 265, 23 March 2007; Optus, Submission PR 258, 16 March 2007.

[38] Under Privacy Act 1988 (Cth) s 11B.

[39] Australian Privacy Foundation, Submission PR 275, 2 April 2007; Consumer Action Law Centre, Submission PR 274, 2 April 2007.

[40] Office of the Privacy Commissioner, Submission PR 281, 13 April 2007.

[41] Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[42] Consumer Action Law Centre, Submission PR 510, 21 December 2007; National Legal Aid, Submission PR 265, 23 March 2007.

[43] National Legal Aid, Submission PR 265, 23 March 2007.

[44] Consumer Action Law Centre, Submission PR 510, 21 December 2007.

[45] Australian Privacy Foundation, Submission PR 553, 2 January 2008; GE Money Australia, Submission PR 537, 21 December 2007; National Legal Aid, Submission PR 521, 21 December 2007; Uniform Consumer Credit Code Management Committee, Submission PR 520, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Banking and Financial Services Ombudsman, Submission PR 471, 14 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007; Office of the Privacy Commissioner, Submission PR 281, 13 April 2007; Veda Advantage, Submission PR 272, 29 March 2007; GE Money Australia, Submission PR 233, 12 March 2007.

[46] Telstra Corporation Limited, Submission PR 459, 11 December 2007. Telstra added, however, that any ‘credit specific obligations, and only to the extent that they are absolutely necessary, should be imposed by legislation’.

[47] Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007.

[48] Australian Finance Conference, Submission PR 398, 7 December 2007.

[49] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[50] Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[51] Ibid.

[52] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; GE Money Australia, Submission PR 537, 21 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Westpac, Submission PR 472, 14 December 2007; Abacus–Australian Mutuals, Submission PR 456, 11 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007.

[53] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Banking and Financial Services Ombudsman, Submission PR 471, 14 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007.

[54] Galexia Pty Ltd, Submission PR 465, 13 December 2007.

[55] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Consumer Action Law Centre, Submission PR 510, 21 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[56] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[57] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 50–3.

[58] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[59] Credit Reporting Privacy Code 2004 (NZ). The NZ Code is a binding code issued by the Privacy Commissioner pursuant to the Privacy Act 1993 (NZ).

[60] The information privacy principles are the NZ equivalent of the NPPs and IPPs.

[61] Privacy Act 1993 (NZ) s 53(a). On the other hand, failure to comply with the Code, even though that failure is not otherwise a breach of any information privacy principle, is deemed to be a breach of an information privacy principle: s 53(b).

[62] Telstra Corporation Limited, Submission PR 459, 11 December 2007; N Waters—Cyberspace Law and Policy Centre UNSW, Submission PR 277, 3 April 2007; Australian Privacy Foundation, Submission PR 275, 2 April 2007.

[63] See, eg, N Waters—Cyberspace Law and Policy Centre UNSW, Submission PR 277, 3 April 2007; Australian Privacy Foundation, Submission PR 275, 2 April 2007; National Legal Aid, Submission PR 265, 23 March 2007; Optus, Submission PR 258, 16 March 2007; Consumer Credit Legal Centre (NSW) Inc, Submission PR 255, 16 March 2007; Mortgage and Finance Association of Australia, Submission PR 231, 9 March 2007; AAPT Ltd, Submission PR 87, 15 January 2007.

[64] Consumer Credit Legal Centre (NSW) Inc, Credit Reporting Research Report (2007), 67.

[65] Given the need, among other things, to establish a firm constitutional basis for regulating consumer credit and avoid unforeseen consequences to the finance industry of restricting access to credit reporting information: National Legal Aid, Submission PR 265, 23 March 2007.

[66] Ibid.

[67] AAPT Ltd, Submission PR 87, 15 January 2007.

[68] Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[69] The ALRC recommends, in Ch 5, that the regulation-making power in the Privacy Act provide expressly that regulations may modify the operation of the UPPs to impose more or less stringent requirements: See Rec 5–1.

[70] The code-making power under Part IIIAA of the Privacy Act is discussed in detail in Ch 48.

[71] Rec 48–1.

[72] See, eg, Australian Finance Conference, Submission PR 398, 7 December 2007.

[73] Rec 5–1.

[74] That is, following the model provided by the NZ Code.

[75] See Part H.

[76] Australian Finance Conference, Submission PR 294, 18 May 2007.

[77] N Waters—Cyberspace Law and Policy Centre UNSW, Submission PR 277, 3 April 2007; Australian Privacy Foundation, Submission PR 275, 2 April 2007; Consumer Credit Legal Centre (NSW) Inc, Submission PR 255, 16 March 2007.

[78] New Zealand Government Privacy Commissioner, Credit Reporting Privacy Code: Frequently Asked Questions (2006) <www.privacy.org.nz/privacy-act/frequently-asked-questions> at 5 May 2008.

[79] For example, in relation to the information a credit reporting agency is permitted to collect.

[80] For example, the definition of ‘serious credit infringement’.

[81] B Stewart, ‘Credit Reporting Privacy Code 2004’ (Paper presented at New Zealand Credit & Finance Institute, Auckland, 21 February 2005).

[82] For example, a credit reporter may disclose credit information to a prospective landlord or employer: Credit Reporting Privacy Code 2004 (NZ), Rule 11(2).

[83] Some of this simplicity results from the fact that, in New Zealand, the credit reporting activities of credit providers are regulated indirectly through obligations imposed under contract. Under the NZ Code, a credit reporter must ensure that a complying subscriber agreement is in place before disclosing any credit information to a credit provider: see Ibid, Rules 5(2)(d); 8(3)(a); 11(2) and sch 3. The handling of credit information disclosed to a credit provider by a credit reporter is covered by the general information privacy principles of the Privacy Act 1993 (NZ), as it would be if the information was obtained by the credit provider from its own clients directly. There was no call for such an approach in Australia.

[84] The NZ Code deals with the use and disclosure of credit information in less than 1,000 words, as compared to the 6,000 relevant words of Part IIIA (leaving aside related definitions).

[85] Office of the Privacy Commissioner, Submission PR 281, 13 April 2007.