Disclosure of reports relating to credit worthiness

57.190 Section 18N applies to information contained in ‘reports relating to credit worthiness’.[208] Section 18N(9) provides that a ‘report’ is defined, for the purposes of the section, as:

(a) a credit report; or

(b) … any other record or information, whether in a written, oral or other form, that has any bearing on an individual’s credit worthiness, credit standing, credit history or credit capacity;

but does not include a credit report or any other record or information in which the only personal information relating to individuals is publicly available information.[209]

57.191 Consequently, s 18N(9) protects a broader category of information than other provisions of Part IIIA, which protect information contained in a ‘credit report’ or ‘credit information file’. For example, while the disclosure by a credit provider of this broader category of information is protected,[210] credit providers’ obligations to ensure the accuracy and security of information under s 18G apply only to information in a credit report—that is, information provided by a credit reporting agency.

57.192 In effect, s 18N creates a comprehensive regime with regard to the disclosure by credit providers of personal information that may have no connection with the credit reporting system. The section applies to personal information that has ‘any bearing’ on an individual’s credit worthiness, credit standing, credit history or credit capacity. This category of information seems broad enough to include information about, for example, an individual’s income, expenditure and employment and even his or her family or school connections.

57.193 The reach of s 18N is anomalous within Part IIIA, which otherwise applies only to personal information in ‘credit information files’ or ‘credit reports’ as those terms are defined in s 6(1).[211]

57.194 In DP 72,[212] the ALRC noted that the second reading speech for the Bill that introduced the credit reporting provisions[213] indicated that the purpose of the Bill was to establish a privacy framework for the regulation of the ‘consumer credit reporting industry’.[214] There was no reference to the establishment of a regime regulating the disclosure of all credit worthiness information held by credit providers.[215] This resulted from the insertion of an extended definition of ‘report’ following amendments to the Bill in 1990.

Discussion Paper proposal

57.195 In DP 72, the ALRC proposed that there should be no equivalent of s 18N of the Privacy Act in the new Privacy (Credit Reporting Information) Regulations.[216] The ALRC expressed the preliminary view that the use and disclosure limitations in the regulations should apply only to personal information maintained by credit reporting agencies and used in credit reporting—that is, to ‘credit reporting information’ as defined in the regulations.

Submissions and consultations

57.196 There was significant support from industry stakeholders for the ALRC’s proposal.[217] Telstra, for example, stated that it supported the abolition of the s 18N restrictions

on the basis that the new UPPs should provide adequate protection to the information currently covered by the definition of ‘report’. Telstra does not understand the policy reasons behind section 18N (or any new equivalent) imposing additional restrictions to the NPPs in relation to information other than credit reports.[218]

57.197 Other stakeholders considered that an equivalent of s 18N of the Privacy Act should be included and that the new regulations should apply to the broader category of information encompassed by s 18N(9).[219]

57.198 The Cyberspace Law and Policy Centre stated that, notwithstanding the subsequent enactment of privacy principles applying to personal information held by organisations generally, ‘the arguments for more specific regulation of credit related personal information … apply with equal force to both credit reporting information and credit reports as defined in s 18N’.[220] The Centre also noted that, while the scope of s 18N may not be well-known (or observed) by credit providers,[221] ‘this is an argument for greater education and enforcement activity, not for abandoning the regulation, without a more convincing case’.[222]

57.199 The OPC submitted that a term ‘credit worthiness information’ should be defined separately from ‘credit reporting information’ in the new regulations and that the definition should be based, in part, on the definition of ‘report’ in s 18N(9)(b). Further, it submitted that the new regulations should place limits on the use and disclosure of ‘credit worthiness information’ by credit providers. The OPC suggested that explanatory statements to the new regulations provide guidance on what types of personal information are included within the term ‘credit worthiness information’, and expressed a willingness to provide additional guidance on this question.[223]

ALRC’s view

57.200 The ALRC remains unconvinced that there is any good reason to retain an equivalent of s 18N in the new Privacy (Credit Reporting Information) Regulations. The extended reach of s 18N can be understood as eventuating because Part IIIA was enacted before the NPPs. Section 18N was needed to ensure there was no way to avoid the application of the new credit reporting provisions by, for example, disclosure between credit providers directly, without the intermediary of a credit reporting agency. This rationale no longer applies.

57.201 The breadth of the information covered by s 18N means that there is an enormous overlap with the coverage of the NPPs. Information that ‘has any bearing on an individual’s credit worthiness’ in terms of s 18N(9)(b) could include information about an individual’s attitudes, assets, income or even family connections. The handling of personal information relating to credit worthiness that has no relationship with credit reporting agencies should be regulated by general privacy principles and not by the new Privacy (Credit Reporting Information) Regulations.

57.202 The ALRC is not aware of any other jurisdiction that in this way regulates personal information relating to credit worthiness. In New Zealand, for example, the Credit Reporting Privacy Code 2004 (NZ) regulates the use and disclosure of ‘credit information’ by ‘credit reporters’ and the definition of credit information is limited to the information that credit reporters are permitted to collect.

57.203 In Chapter 54, the ALRC recommends that the new Privacy (Credit Reporting Information) Regulations should apply only to information that is maintained by a credit reporting agency; or held by a credit provider, having been prepared by a credit reporting agency, and used in establishing an individual’s eligibility for credit.[224] Consistently, there should be no equivalent in the Privacy (Credit Reporting Information) Regulations of s 18N of the Privacy Act.

Recommendation 57-6 There should be no equivalent in the new Privacy (Credit Reporting Information) Regulations of s 18N of the Privacy Act, which limits the disclosure by credit providers of personal information in ‘reports’ related to credit worthiness. The use and disclosure limitations should apply only to ‘credit reporting information’ as defined for the purposes of the new regulations.

[208] Section 18N is described in detail in Ch 53.

[209]Privacy Act 1988 (Cth) s 18N(9).

[210] See, eg, F v Credit Provider [2003] PrivCmrA 4, where a store breached s 18N by informing a customer’s former partner that her account with the store was in arrears.

[211] With the exception of Privacy Act 1988 (Cth) s 18Q, which applies to information obtained from credit providers by certain persons.

[212]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [53.92].

[213] Privacy Amendment Bill 1989 (Cth).

[214] See, eg, Commonwealth, Parliamentary Debates, Senate, 16 June 1989, 4216 (G Richardson).

[215] The Cyberspace Law and Policy Centre noted, however, that the Second Reading Speech also stated that the principal purpose of the Bill was to provide privacy protection for individuals in relation to their ‘consumer credit records’: Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[216]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 50–5.

[217] GE Money Australia, Submission PR 537, 21 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[218]Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[219]Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[220]Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[221]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [53.96].

[222]Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[223]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[224] Rec 54–3.