57.63 Direct marketing involves the promotion and sale of goods and services directly to consumers. Credit reporting information is a possible source of personal information from which to generate lists of individuals to whom goods and services may be marketed.
57.64 NPP 2 allows organisations to use personal information for direct marketing with consent or, where it is impracticable for an organisation to seek an individual’s consent, if the organisation complies with a number of requirements set out in the principle.
57.65 In contrast, Part IIIA does not permit the use or disclosure of personal information for the purpose of direct marketing. Section 18K places limits on the disclosure by a credit reporting agency of personal information contained in an individual’s credit information file. The purposes for which such information may be disclosed are set out exhaustively—and disclosure for direct marketing purposes is not among the permitted purposes.
57.66 In DP 72, the ALRC proposed that the new Privacy (Credit Reporting Information) Regulations prohibit the use or disclosure of credit reporting information for the purposes of direct marketing.
Submissions and consultations
57.67 There was broad agreement that credit reporting regulation should ensure that credit reporting information is not permitted to be used for direct marketing. ARCA submitted that credit reporting information should ‘be precluded from use as a source of direct marketing prospects’. It stated that
credit providers should be precluded from supplying criteria to a credit reporting agency for the purposes of extracting customer records fitting any particular profile to then solicit business. In addition the credit reporting agencies should be precluded from undertaking such activity, and there should be heavy penalties for any breach of such a rule.
57.68 Those opposed to more comprehensive credit reporting have highlighted concerns that ‘such comprehensive, centralised databases may be mined for data by credit providers and other reporting agencies for marketing purposes’. Proponents of more comprehensive credit reporting also emphasised the need to maintain restrictions on the use or disclosure of credit reporting information for direct marketing, at least in relation to ‘positive’ data.
57.69 The Australian Bankers’ Association stated that its support for more comprehensive credit reporting was ‘strongly predicated on there being effective and enforceable legislative controls on the use of a credit reporting data base for marketing purposes … and severe sanctions for breach’. GE Money Australia, another proponent of more comprehensive reporting, noted that the perceived risk of smaller credit providers or new entrants to the credit market ‘cherry picking’ good customers directly from credit reporting agency lists was one reason for an initial lack of support for more comprehensive reporting in the United Kingdom.
57.70 The Uniform Consumer Credit Code Committee noted that a prohibition on using credit reporting information for direct marketing would be ‘consistent with concerns that government fair trading agencies have about unsolicited credit card offers, especially in relation to credit cards and store cards’.
57.71 The use or disclosure of credit reporting information for the purposes of direct marketing appears inconsistent with the existing provisions of Part IIIA of the Privacy Act, which restrict the use and disclosure of such information by reference to an exhaustive list of permitted purposes. Stakeholders expressed strong support for an express prohibition on using credit reporting information for direct marketing.
57.72 Section 18K of the Privacy Act does not permit the disclosure of mailing lists derived from credit information files by credit reporting agencies. This position should be maintained under the new Privacy (Credit Reporting Information) Regulations. To avoid doubt, the regulations should prohibit expressly the use or disclosure of credit reporting information for direct marketing.
57.73 One model for such a provision is in Hong Kong’s Code of Practice on Consumer Credit Data (Hong Kong Code). The Hong Kong Code sets out the purposes for which a credit provider may access consumer credit data held by a credit reference agency. It states that:
For the avoidance of doubt … a credit provider is prohibited from accessing the consumer credit data of an individual held by a [credit reference agency] for the purpose of offering or advertising the availability of goods, facilities or services to such individual.
The application of privacy principles to direct marketing is discussed in more detail in Ch 26.
Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 53–3.
 Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; GE Money Australia, Submission PR 537, 21 December 2007; Uniform Consumer Credit Code Management Committee, Submission PR 520, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; HBOS Australia, Submission PR 475, 14 December 2007; ANZ, Submission PR 467, 13 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; Financial Counsellors Association of Queensland, Submission PR 371, 30 November 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007; Mortgage and Finance Association of Australia, Submission PR 344, 19 November 2007; Confidential, Submission PR 297, 1 June 2007; American Express, Submission PR 257, 16 March 2007; MasterCard Worldwide, Submission PR 237, 13 March 2007; GE Money Australia, Submission PR 233, 12 March 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 232, 9 March 2007. Telstra disagreed, stating that, in this context, ‘the need to treat credit information differently from other personal information is unclear’: Telstra Corporation Limited, Submission PR 459, 11 December 2007.
Australasian Retail Credit Association, Submission PR 352, 29 November 2007.
Westpac, Submission PR 256, 16 March 2007.
Confidential, Submission PR 297, 1 June 2007; American Express, Submission PR 257, 16 March 2007; MasterCard Worldwide, Submission PR 237, 13 March 2007; GE Money Australia, Submission PR 233, 12 March 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 232, 9 March 2007.
GE Money Australia, Submission PR 233, 12 March 2007.
Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.
GE Money Australia, Submission PR 233, 12 March 2007. For this reason, GE Money favoured a prohibition on the use of ‘positive’ data in marketing.
Uniform Consumer Credit Code Management Committee, Submission PR 520, 21 December 2007.
Office of the Privacy Commissioner for Personal Data Hong Kong, Code of Practice on Consumer Credit Data (1998).
Ibid, cl 2.12. The Hong Kong Code does not appear to distinguish between direct marketing generally and the pre-screening of direct marketing lists.