Prohibited content of credit reporting information

56.79 Section 18E(2) provides that certain types of personal information must never be included in an individual’s credit information file. This list is similar to, but differs in some respects from, the general definition of ‘sensitive information’ in s 6(1).

56.80 First, the definition of prohibited content in s 18E(2) includes personal information recording an individual’s ‘lifestyle, character or reputation’, which is not specifically an element of the definition of sensitive information.[89] Secondly, the definition of sensitive information includes ‘health information’, which is not referred to in s 18E(2). In addition, the ALRC recommends that the definition of ‘sensitive information’ in the Privacy Act be amended to include biometric information collected for the purpose of automated biometric verification or identification; and biometric template information.[90]

56.81 The concepts of prohibited content under s 18E(2) and sensitive information under s 6(1) serve quite distinct purposes. The former, in effect, acts to prohibit collection (with or without the consent of the individual); the latter to restrict collection without consent, and limit use or disclosure for secondary purposes.[91]

56.82 In response to the Issues Paper, Review of Privacy (IP 31), the OPC suggested that the ALRC consider whether the prohibited content set out in s 18E(2) should be the same as the ‘sensitive information’ in s 6(1) of the Privacy Act.[92] In DP 72, the ALRC proposed that the Privacy (Credit Reporting Information) Regulations should prohibit the collection in credit reporting information of ‘sensitive information’, as that term is defined in s 6(1) of the Privacy Act.[93] Stakeholders who addressed the issue were unanimous in their support for the proposal.[94]

56.83 If an equivalent of s 18E(2) is to be included in the new regulations, it would make sense to align the provision with the definition of ‘sensitive information’ for the sake of consistency and to simplify the drafting of the regulations.

56.84 The need expressly to prohibit the collection of a defined category of sensitive information in credit reporting remains questionable given that this information would not be permitted content under the new Privacy (Credit Reporting Information) Regulations. There is some possibility, however, that the collection of sensitive information might otherwise be permissible under the new regulations. It is conceivable, for example, that some content permitted under the regulations may constitute health information—for example, a record of an overdue payment owed to a hospital or doctor. On the other hand, credit reporting information would not ordinarily be specific enough to constitute information ‘about’ the individual’s health (as opposed to about the fact an individual owes money to a health service provider).

56.85 It is also possible that biometric template information might be used for identifying individuals in the context of credit application or reporting processes. As noted above, the ALRC recommends that the definition of sensitive information include biometric template information.[95] Expressly prohibiting the collection in credit reporting information of ‘sensitive information’ would mean that biometric template information could not be included as a permitted identifier by a determination of the Privacy Commissioner under existing s 18E(3)—as is theoretically the case now.

Recommendation 56-8 The new Privacy (Credit Reporting Information) Regulations should prohibit the collection in credit reporting information of ‘sensitive information’, as defined in the Privacy Act.

[89] Privacy Act 1988 (Cth) s 18E(2)(f).

[90] Rec 6–4.

[91] In conjunction with NPPs 10 and 2.1.

[92] Office of the Privacy Commissioner, Submission PR 281, 13 April 2007.

[93] Australian Privacy Foundation, Submission PR 553, 2 January 2008; GE Money Australia, Submission PR 537, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; Financial Counsellors Association of Queensland, Submission PR 371, 30 November 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007. The Cyberspace Law and Policy Centre and the Australian Privacy Foundation suggested that the ALRC recommend the Regulations prohibit the inclusion in credit reporting information of ‘sensitive information’ and information about an individual’s ‘lifestyle, character or reputation’.

[94] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 52–7.

[95] Rec 6–4.