Review of the regulations

54.178 In DP 72, the ALRC proposed that the new Privacy (Credit Reporting Information) Regulations should be reviewed after five years of operation.[221] The ALRC considered that a requirement to review the regulations was desirable, among other reasons, to assess the impact of more comprehensive credit reporting on privacy and the credit market;[222] and to consider whether further regulation is required to ensure the data quality of credit reporting information.[223]

54.179 A review requirement was supported in submissions[224]—although many stakeholders considered that a review after three years of operation (or even sooner) would be preferable.[225] Galexia submitted:

The ALRC has proposed that the credit reporting regulatory arrangements should be reviewed after 5 years. In an environment where there are significant concerns about complaints handling processes and culture this review will need to be brought forward. [Galexia] proposes bringing the review forward from 5 years to 3 years.[226]

54.180 The OPC also suggested that consideration should be given at the time of introduction of the Privacy (Credit Reporting Information) Regulations to ‘appropriate performance criteria and mechanisms for assisting in the review process’. In this context, the OPC noted that it ‘is not qualified to provide expert opinion on the broader economic and social impact that comprehensive credit reporting may have in Australia’.[227] The OPC submitted:

Given the proposed focus of the review on the impact of more comprehensive credit reporting on credit markets, and potentially other questions of broader economic and social impact, the Office suggests that the ALRC consider what other appropriate agencies could contribute to or conduct the review process. For example, the Office suggests that a review could be conducted by the Productivity Commission or via a tripartite agreement between the credit reporting agencies, the Office and an independent auditor.[228]

54.181 While other aspects of credit reporting regulation will be important, including problems concerning compliance with the data quality and dispute resolution obligations, the operation of more comprehensive credit reporting can be expected to be a major focus of the review. The ALRC notes that, if the ALRC’s recommendations are implemented, it will be some time before the effects of more comprehensive credit reporting can be evaluated. Notably, the model recommended by the ALRC would permit credit reporting agencies to collect an individual’s two-year repayment performance history.[229] It will take up to two years at least, therefore, before the system is operating to its full extent. Review of the regulations after five years of operation is appropriate.

Recommendation 54-8 The Australian Government should, in five years from the commencement of the new Privacy (Credit Reporting Information) Regulations, initiate a review of the regulations.

[221] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 51–3.

[222] Ibid, Proposal 51–3. More comprehensive credit reporting is discussed in Ch 55.

[223] Ibid, Proposal 54–6. Data quality of credit reporting information is discussed in Ch 58.

[224] Australian Privacy Foundation, Submission PR 553, 2 January 2008; GE Money Australia, Submission PR 537, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Australian Credit Forum, Submission PR 492, 19 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; MGIC Australia, Submission PR 479, 17 December 2007; HBOS Australia, Submission PR 475, 14 December 2007; ANZ, Submission PR 467, 13 December 2007; Galexia Pty Ltd, Submission PR 465, 13 December 2007; Citibank Pty Ltd, Submission PR 428, 7 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; Financial Counsellors Association of Queensland, Submission PR 371, 30 November 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[225] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; GE Money Australia, Submission PR 537, 21 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Galexia Pty Ltd, Submission PR 465, 13 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[226] Galexia Pty Ltd, Submission PR 465, 13 December 2007.

[227] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[228] Ibid.

[229] See Ch 55, Rec 55–2.