Notification of collection

56.96 The ‘Notification’ principle in the model UPPs provides that, at or before the time an agency or organisation collects personal information about an individual from the individual or from someone other than the individual, it must take such steps, if any, as are reasonable in the circumstances to notify or ensure that the individual is aware of the: fact and circumstances of collection where the individual may not be aware that his or her personal information has been collected; identity and contact details of the agency or organisation; rights of access to, and correction of, personal information provided by these principles; purposes for which the information is collected; main consequences of not providing the information; actual or types of organisations, agencies, entities or persons to whom the agency or organisation usually discloses personal information; fact that the avenues of complaint available to the individual if he or she has a complaint about the collection or handling of his or her personal information are set out in the agency’s or organisation’s Privacy Policy; and fact, where applicable, that the collection is required or authorised by or under law.

56.97 Part IIIA provides indirectly for notification. Under s 18E(8)(c), a credit provider must not give to a credit reporting agency personal information relating to an individual if ‘the credit provider did not, at the time of, or before, acquiring the information, inform the individual that the information might be disclosed to a credit reporting agency’. It has been suggested that the words ‘at the time of, or before, acquiring the information’ may permit the credit provider a choice about when to provide notice to the individual that information may be disclosed. Given that a significant period may elapse between the relevant events, more prescriptive notice provisions may be appropriate.

56.98 The interpretation of s 18E(8)(c) has been the subject of a representative complaint to the OPC, lodged in April 2006 by the Consumer Credit Legal Centre (NSW) and the Consumer Credit Legal Service Inc (Vic) against Baycorp Advantage Business Information Services Ltd and Alliance Factoring Pty Ltd.[106] The complaint relates to the listing of about 600,000 individuals for default or serious credit infringement, lodged by Alliance in relation to Telstra debts.

56.99 The complaint claims a failure to inform individuals that personal information might be disclosed to a credit reporting agency. The complainants submitted that the correct interpretation of s 18E(8)(c) is that an individual should be notified at the time of, or before, the handing over of personal information, and the relevant time is the time of the application for a loan, account or other relevant facility. The opposing argument is that a credit provider may comply with s 18E(8)(c) by notifying an individual that it intends shortly to list a default—and does not need to have notified the individual about this possibility at the time of the initial credit application.

56.100 The Consumer Action Law Centre contested the validity of the latter interpretation, which it considered ‘has been developed to meet the interests of debt purchase firms and [credit reporting agencies] to maximise the listing of utility defaults’.[107] The Centre submitted that

more prescriptive notice provisions may be appropriate, as they would in effect simply clarify the operation of the existing provision, namely that notice should be given at relevant times, for example at initial application stage, if a default is to be listed, if a debt is assigned and so on.[108]

56.101 The OPC noted that the notice provision in s 18E(8)(c) is important as it ‘promotes transparency between the individuals, credit providers and to some extent credit reporting agencies’. The notice provision was said to generate a number of complaints, particularly in relation to assigned loans where, for example, notice may have been given a long time before a listing is made, or an assignee assumes notice has been provided by the original credit provider and does not provide notice at the time of listing.[109] The OPC recommended that s 18E(8)(c) be redrafted to ‘align it more closely with the requirements under NPP 1.3, and to require that notice is given prior to any listing being made or a debt being assigned’.[110]

56.102 Submissions from a range of bodies favoured the imposition of more prescriptive notice requirements.[111] It was suggested that credit providers or credit reporting agencies should be required specifically to notify individuals about default listings and complaint-handling processes.[112] More prescriptive notice requirements were opposed by others.[113]

Discussion Paper proposal

56.103 In DP 72, the ALRC proposed that the Privacy (Credit Reporting Information) Regulations should provide that, at or before the time credit reporting information is collected about an individual, credit providers must take reasonable steps to ensure that the individual is aware of the:

  • fact and circumstances of collection (for example, how and where the information was collected);

  • credit provider’s and credit reporting agency’s identity and contact details;

  • fact that the individual is able to gain access to the information;

  • main consequences of not providing the information;

  • types of people, organisations, agencies or other entities to whom the credit provider and credit reporting agency usually discloses credit reporting information; and

  • avenues of complaint available to the individual if he or she has a complaint about the collection or handling of his or her credit reporting information.[114]

56.104 The ALRC also proposed that the regulations should prescribe the specific circumstances in which a credit provider must inform an individual that personal information might be disclosed to a credit reporting agency, for example, in circumstances where the individual defaults in making payments.[115] It asked:

  • In what specific circumstances should a credit provider be obliged to inform an individual that personal information might be disclosed to a credit reporting agency; and what information should notices contain? Who should give notice when a debt is assigned—the original credit provider, the assignee or both?[116]

  • Should the regulations prescribe specific circumstances in which a credit reporting agency must inform an individual that it has collected personal information?[117]

Submissions and consultations

56.105 Most stakeholders accepted there is some need for specific rules regarding notification in credit reporting contexts.[118] Galexia noted, for example, that notification is a ‘key privacy right once consent is removed as a privacy protection, and requirements for timely and effective notice need to be in the regulations in order to balance the removal of consent’.[119] The Cyberspace Law and Policy Centre submitted that the Privacy (Credit Reporting Information) Regulations should ‘prescribe both the content and timing of notices by all relevant parties’.[120]

56.106 The OPC agreed that the regulations should provide that, at or before the time credit reporting information about an individual is collected, credit providers must take reasonable steps to ensure that the individual is aware of the matters set out in the ALRC’s proposal. The OPC also submitted that a notice regarding the handling of an individual’s credit reporting information could set out: the possible uses and disclosures that could occur during the credit relationship; a brief explanation of the operation of the credit reporting system; and that notice should be provided to the individual separate to other information about credit terms and conditions.[121]

56.107 Some stakeholders did not consider that notification of collection should be dealt with primarily in regulations. ARCA, for example, stated that it agreed with the ‘basic principles of notification regarding collection and use’ but submitted that the ‘details regarding practical implementation’ should be left to the code of conduct.[122]

56.108 Other stakeholders submitted that there should not be any specific rules relating to notification of the collection of credit reporting information.[123] It was argued that the provisions of the general privacy principles, including the ‘Notification’ principle in the model UPPs, would provide adequate regulation.[124] Optus stated, for example, that regulating notification obligations would be

contrary to the approach taken by the Government’s taskforce in reducing the regulatory burden on business, which advocated for more high level regulations (not prescriptive rules which impact on providers’ business processes) … By imposing a prescriptive list of scenarios when credit providers must give specified information to customers, regardless of that customer’s individual circumstances, this will simply add to the information overload already experienced by consumers.[125]

56.109 Telstra considered that ‘requirements relating to the notification of collection should be covered by the new UPPs’ and that credit reporting regulations should simply replicate the current obligations in s 18(8)(c) of the Privacy Act.[126]

56.110 Some stakeholders supported further prescription of the circumstances in which a credit provider should be required to inform an individual that personal information might be disclosed to a credit reporting agency.[127] Other stakeholders opposed further prescription.[128] The Mortgage and Finance Association of Australia stated:

It will be counter-productive to inform consumers of too much information. A general statement that personal and credit information may be provided to a credit reporting agency is sufficient to alert consumers to that matter.[129]

56.111 The AFC stated that, in considering the notification obligations to be incorporated in credit reporting regulations, other consumer credit compliance requirements, including under the Consumer Credit Code,[130] need to be taken into account. The Consumer Credit Code, for example, ‘recognises that the issue of a default notice to a debtor prior to the credit provider taking recovery action is not always necessary’.[131] It argued that ‘an upfront notice warning the debtor that a default may be listed may be sufficient’ and a requirement for notice, prior to default listing, might operate against the public policy of the Consumer Credit Code.[132]

56.112 The timing of notices was also an important concern. Legal Aid Queensland submitted that the timing of notification should be ‘spelt out either in the regulations or in the binding code’ and be a ‘continuing obligation dependant on what information is disclosed to the credit reporting agency and where the information is collected in the Financial Transaction Life Cycle’.[133] Similarly, the Australian Privacy Foundation submitted that, while it generally supported the proposed content of the regulation, ‘it is still too ambiguous as to timing—it doesn’t address contentious interpretation by the OPC which has allowed notice to be given at the time of a default listing by an assignee, even though there has been no initial notice’.[134]

56.113 The Cyberspace Law and Policy Centre also suggested that the new regulations need to be ‘more prescriptive about the timing of notices’ because it is unsatisfactory for individuals to be told about the possibility of a default listing only when they default or when a debt is assigned:

For the notice requirement to have its intended effect, it needs to apply at the time an individual is still in a position to walk away from the transaction ie. at the time of initial application for credit. It should however also apply at key subsequent events such as prior to default listing and on assignment.[135]

56.114 Similarly, the Financial Counsellors Association of Queensland stated that:

As well as the regulations specifying when credit providers should inform consumers regarding a listing to a credit reporting agency, credit providers should be providing that information at time of application for credit by a consumer. It has been our experience that credit providers need to ensure consumers are aware of their rights and obligations at time of credit application.[136]

56.115 Other stakeholders expressed concern about more prescriptive provisions dealing with the timing of notices. Telstra stated, for example, that an obligation to notify ‘at or before’ the time credit reporting information is collected is

often not practical (for example, in the context of telephone contact). In Telstra’s view the existing wording in NPP 1 (allowing the provision of the information ‘as soon as practicable after’) has worked well and means that individuals receive relevant information close to the time of collection.[137]

56.116 The Australian Credit Forum agreed that the circumstances of notification should be prescribed but submitted that this need not be ‘at the time of a default but should instead be allowed to be included at the time of initial granting of credit’ to address ‘the difficulties in skip and fraud situations’.[138]

56.117 A number of consumer and industry stakeholders agreed that, in addition to notice at the first point of collection of credit reporting information (generally, when a credit application is made), individuals should be notified when a default is listed and when debt is assigned.[139]

56.118 The complexities involved in further prescription of notification obligations were highlighted by the views on the issue of notification when debt is assigned. ARCA and others stated that it should be the obligation of the assignee, at the time of the sale, to notify the consumer that the debt has been assigned.[140] Others considered notice should be provided to the individual by the assignor[141] or either (or both) the assignor and assignee.[142] The AFC stated that, in practice, which party gives notice depends on ‘matters of contract, statute and general legal principles’:

For example, the form of the assignment, (ie equitable assignment vs. legal assignment) may impact on whether notice is given to the debtor at all. Where notice is to be given, the contract of assignment may cover whether the obligation to notify rests with the assignor (ie financier) or the assignee (ie debt collector). Therefore, any decision to impose notification obligations on either party, should take this into account. Further, the potential for a conflict of laws or the imposition of a dual notification obligation (eg at state level under the property laws and at the Commonwealth level under privacy laws) should be avoided because of the lack of identified customer protection benefit and attendant compliance costs that may result.[143]

56.119 There was little support for imposing notification obligations on credit reporting agencies. ARCA noted that the collection responsibility is with the credit provider and that

the only circumstances where a [credit reporting agency] should provide notice to consumers that it has collected personal information are those circumstances where the consumer may have no other means of notice—that is, for information collected indirectly other than from credit providers. This category is almost exclusively public information. [Credit reporting agencies] should provide general rather than individual notice to consumers, for example in the form of tiered privacy notices.[144]

56.120 Credit reporting agencies already offer, for a fee, to notify individuals of additions or changes to their credit information files.[145] Veda Advantage has advised that it intends to develop the capacity to manage notification electronically and directly with consumers, where appropriate.[146]

ALRC’s view

56.121 Provisions dealing with aspects of notification of collection should be incorporated in the new Privacy (Credit Reporting Information) Regulations. This approach received significant support. The proposal in DP 72 was, however, criticised by some stakeholders for duplicating the obligations contained in the existing NPP 1.3 and the ‘Notification’ principle in the model UPPs.[147] Duplication would be contrary to the ALRC’s expressed view that the new regulations should be drafted to contain only those requirements that are different or more specific than provided for in the model UPPs.[148]

56.122 There are aspects of the notification obligations in respect to credit reporting that do not duplicate those in the ‘Notification’ principle. It is important, however, that the regulations require credit providers to inform individuals about information handling by credit reporting agencies. For example, while the ‘Notification’ principle obliges an organisation that collects personal information to ensure the individual concerned is aware of the ‘actual or types of organisations, agencies, entities or other persons to whom the agency or organisation usually discloses personal information’, what is required, in the context of credit reporting, is that credit providers also inform individuals about the types of organisations, agencies, entities or other persons to whom the credit reporting agency usually discloses personal information. Insofar as the ‘Notification’ principle applies to indirect collection, the principle does not achieve this end, because it places obligations on the credit reporting agency and not credit providers.

56.123 Another concern about duplication of obligations concerned the provisions of the telecommunications industry credit management code.[149] In the ALRC’s view, however, this does not constitute duplication; rather, the code states that it must be read in conjunction with Part IIIA and that telecommunications suppliers must comply with the provisions of Part IIIA.[150]

56.124 The ‘Notification’ principle refers to notification ‘at or before the time (or, if that is not practicable, as soon as practicable after)’ of collection. Section 18E(8)(c) contains the similar words ‘at the time of, or before, acquiring the information’. Section 18E(8)(c) has been the subject of varying interpretation and lacks clarity in its application. For example, the drafting allows credit providers to argue that the obligation does not require:

  • notification at the time of the initial credit application that a default might be listed in the future; or

  • notification before or at the time a default listing is made, provided that notification (that a default might be listed in the future) was given at the time of the initial credit application.

56.125 The ALRC understands that giving notice immediately before listing a default has been adopted generally as good industry practice.[151] This practice should be mandated by the regulations.

Recommendation 56-10 The new Privacy (Credit Reporting Information) Regulations should provide, in addition to the other provisions of the ‘Notification’ principle, that at or before the time personal information to be disclosed to a credit reporting agency is collected about an individual, a credit provider must take such steps as are reasonable, if any, to ensure that the individual is aware of the:

(a) identity and contact details of the credit reporting agency;

(b) rights of access to, and correction of, credit reporting information provided by the regulations; and

(c) actual or types of organisations, agencies, entities or persons to whom the credit reporting agency usually discloses credit reporting information.

Recommendation 56-11 The new Privacy (Credit Reporting Information) Regulations should provide that a credit provider, before disclosing overdue payment information to a credit reporting agency, must have taken reasonable steps to ensure that the individual concerned is aware of the intention to report the information. Overdue payment information, for these purposes, means the information currently referred to in s 18E(b)(1)(vi) of the Privacy Act.

[106] The Cyberspace Law and Policy Centre advised that the Privacy Commissioner has ‘now formed a final view with which the complainant NGOs disagree, but has declined to make a formal Determination that could be challenged’: Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[107] Consumer Action Law Centre, Submission PR 274, 2 April 2007.

[108] Ibid.

[109] Office of the Privacy Commissioner, Submission PR 281, 13 April 2007.

[110] Ibid.

[111] Queensland Law Society, Submission PR 286, 20 April 2007; Office of the Privacy Commissioner, Submission PR 281, 13 April 2007; N Waters—Cyberspace Law and Policy Centre UNSW, Submission PR 277, 3 April 2007; Australian Privacy Foundation, Submission PR 275, 2 April 2007; Consumer Action Law Centre, Submission PR 274, 2 April 2007; Banking and Financial Services Ombudsman Ltd, Submission PR 263, 21 March 2007; Westpac, Submission PR 256, 16 March 2007; Consumer Credit Legal Centre (NSW) Inc, Submission PR 255, 16 March 2007.

[112] Issues concerning the notification given when an individual’s application for credit is refused on the basis of a credit report under s 18M of the Privacy Act are discussed in Ch 59.

[113] For example, EnergyAustralia, Submission PR 229, 9 March 2007; Min-it Software, Submission PR 236, 13 March 2007.

[114]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 52–9.

[115]Ibid, Proposal 52–10.

[116]Ibid, Question 52–3.

[117]Ibid, Question 52–4.

[118]Galexia Pty Ltd, Submission PR 465, 13 December 2007; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Australian Credit Forum, Submission PR 492, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Mortgage and Finance Association of Australia, Submission PR 344, 19 November 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007;

[119]Galexia Pty Ltd, Submission PR 465, 13 December 2007.

[120]Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[121]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[122]Australasian Retail Credit Association, Submission PR 352, 29 November 2007. See also National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007.

[123]Optus, Submission PR 532, 21 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; HBOS Australia, Submission PR 475, 14 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007.

[124] Veda Advantage, Submission PR 498, 20 December 2007; HBOS Australia, Submission PR 475, 14 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[125]Optus, Submission PR 532, 21 December 2007. Optus noted that an industry code could provide guidance on the provision of notices.

[126]Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[127] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Australian Credit Forum, Submission PR 492, 19 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Banking and Financial Services Ombudsman, Submission PR 471, 14 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Financial Counsellors Association of Queensland, Submission PR 371, 30 November 2007.

[128] Law Society of New South Wales, Submission PR 443, 10 December 2007; Mortgage and Finance Association of Australia, Submission PR 344, 19 November 2007.

[129]Mortgage and Finance Association of Australia, Submission PR 344, 19 November 2007.

[130] The Consumer Credit Code is set out in the Consumer Credit (Queensland) Act 1994 (Qld) and is adopted by legislation in other states and territories.

[131]Consumer Credit Code s 80(4).

[132]Australian Finance Conference, Submission PR 398, 7 December 2007.

[133]Legal Aid Queensland, Submission PR 489, 19 December 2007.

[134]Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[135]Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[136]Financial Counsellors Association of Queensland, Submission PR 371, 30 November 2007.

[137]Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[138]Australian Credit Forum, Submission PR 492, 19 December 2007.

[139] Consumer Action Law Centre, Submission PR 510, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Banking and Financial Services Ombudsman, Submission PR 471, 14 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[140]Australasian Retail Credit Association, Submission PR 352, 29 November 2007. See also GE Money Australia, Submission PR 537, 21 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; National Australia Bank, Submission PR 408, 7 December 2007.

[141]Consumer Action Law Centre, Submission PR 510, 21 December 2007.

[142]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Insurance Council of Australia, Submission PR 485, 18 December 2007.

[143]Australian Finance Conference, Submission PR 398, 7 December 2007.

[144]Australasian Retail Credit Association, Submission PR 352, 29 November 2007. See also GE Money Australia, Submission PR 537, 21 December 2007.

[145] See Ch 59.

[146] Veda Advantage, Submission PR 272, 29 March 2007.

[147] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; HBOS Australia, Submission PR 475, 14 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007.

[148] See Rec 54–2.

[149] AAPT Ltd, Submission PR 338, 7 November 2007; Australian Communications Industry Forum, Industry Code—Credit Management, ACIF C541 (2006).

[150]Australian Communications Industry Forum, Industry Code—Credit Management, ACIF C541 (2006), [1.1.4], App B.

[151] Consumer Action Law Centre, Submission PR 274, 2 April 2007.