Use and disclosure of credit reporting information

57.10 In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC observed that Part IIIA prescribes more than fifty different circumstances in which the use or disclosure of personal information is authorised.[5] As the categories of permitted use and disclosure are exhaustive, all other uses or disclosures of personal information are prohibited. Additional complexity arises because, in some instances, the provisions also limit the kinds of personal information that may be disclosed.[6]

57.11 Despite the extensive nature of these provisions, there may also be some gaps in their coverage. Notably, while the permitted content of credit information files held by credit reporting agencies and the disclosure of personal information contained in those files are regulated in detail by ss 18E and 18L respectively, Part IIIA does not limit expressly the use of credit information files by credit reporting agencies.

Discussion Paper proposal

57.12 In DP 72, the ALRC proposed that the new Privacy (Credit Reporting Information) Regulations provide a simplified list of circumstances in which a credit reporting agency or credit provider may use or disclose credit reporting information, based on those uses and disclosures currently permitted under ss 18K, 18L and 18N of the Privacy Act.[7] It was proposed that the regulations provide that, in addition, a credit reporting agency or credit provider may use or disclose credit reporting information for related secondary purposes, as permitted by the ‘Use and Disclosure’ principle.[8]

Submissions and consultations

57.13 The Cyberspace Law and Policy Centre noted that divergent views on how privacy principles should apply to credit reporting information demonstrate the need for ‘a more prescriptive regulatory regime for the use and disclosure of credit information’, and that ‘it would clearly be unsatisfactory to rely solely on generic privacy principles’.[9]

57.14 Stakeholders supported the general proposition that a simplified list of the circumstances in which use and disclosure of credit reporting information is permitted should be set out in the new Privacy (Credit Reporting Information) Regulations.[10] Stakeholders approaching the issue from different perspectives recognised, however, that the ‘devil would be in the detail’. The Consumer Action Law Centre, for example, stated:

We would be concerned about any extension of circumstances that allowed access at times other than when the consumer made an application, apart from limited uses in relation to debt collection by the credit provider.[11]

57.15 The Mortgage and Finance Association of Australia stated that, while simplification of the use and disclosure provisions was supported,

current provisions regarding disclosure to all entities in the distribution chain and the various outsourced service providers are unclear. There should be free exchange of information throughout the distribution chain but only between those entities dealing with a specific borrower and a specific credit.[12]

57.16 The OPC agreed in principle that the regulations should provide a simplified list of circumstances in which a credit reporting agency or credit provider may use or disclose credit reporting information, based on those uses and disclosures currently permitted.[13]

57.17 The OPC highlighted the need to consider privacy protection for credit reporting information disclosed by credit reporting agencies and credit providers to specified third parties as permitted by the credit reporting regime—particularly if, as recommended by the ALRC, the regulations are to apply only to personal information maintained by credit reporting agencies or used by credit providers in assessing an individual’s credit worthiness.[14] The OPC submitted that the regulations should:

Apply to the handling of credit reporting information disclosed by credit reporting agencies and credit providers to specified third parties and prohibit the secondary use and disclosure of information held by them.[15]

57.18 In the OPC’s view, for example, where a credit provider discloses credit reporting information to a mercantile agent engaged in debt collection, as permitted by s 18N(1)(c), the mercantile agent should be prohibited from using or disclosing that information for secondary purposes.

57.19 The OPC also identified a number of other matters that should be considered as part of the ALRC’s review of the existing use and disclosure provisions. It submitted that the ALRC should:

  • consider whether the provisions of s 18K ensure an appropriate balance between the needs of law enforcement bodies and the provision of transparency to individuals regarding access by such bodies to their credit reporting information;[16]

  • ensure that the use and disclosure of credit reporting information in relation to speech to speech relay services is permitted; and

  • determine whether there are other circumstances in which credit providers disclose credit reporting information that should specifically be provided for in the regulations.[17]

Secondary purposes

57.20 Some stakeholders rejected expressly the ALRC’s proposal that the new Privacy (Credit Reporting Information) Regulations permit use or disclosure of credit reporting information for related secondary purposes on the basis that this would be too permissive.[18] The Australian Privacy Foundation, for example, was of the view that allowing use or disclosure for a related secondary purpose ‘defeats the object of more prescriptive credit reporting Rules’.[19]

57.21 The OPC opposed the proposal, submitting that it was a significant departure from the existing position under Part IIIA without any sound policy justification. The OPC stated that its key concern with the proposal was that

by design, it would broaden the permitted purposes for which credit information may be used or disclosed beyond what is currently prescribed, to an unknown number of secondary purposes. This would appear to be a significant weakening of existing protections, without clear justification being provided.

Over time, it seems likely that such a mechanism would encourage credit providers and credit reporting agencies to make greater use of credit information for purposes other than the assessment of credit worthiness.[20]

57.22 The OPC submitted that the regulations should, at most, provide that a credit reporting agency or credit provider may use or disclose credit reporting information only for ‘directly related secondary purposes (instead of the broader requirement of being a related secondary purpose), to reflect the particular privacy concerns relating to personal credit information’. It also submitted that it should provide guidance on the application of the terms ‘directly related’ and ‘reasonable expectations’ in the context of credit reporting.[21]

57.23 Galexia submitted that there should be an express provision prohibiting the collection of credit reporting information from an individual by employers, insurers and government agencies. Galexia added:

It is also important to note that the economic/public benefit arguments used to justify the special treatment of credit reporting are based on lending dynamics—not employment or other potential applications. If other systems develop that seek access to this type of information they should be consent based and covered by the UPPs.[22]

57.24 Galexia argued that access to credit reporting information should be restricted by a provision in the Privacy Act to ‘credit providers and organisations that require access to credit reporting information for the management of credit’. This, it was said, would effectively establish a ‘tight’ primary purpose for collection of credit reporting information.[23]

57.25 The Australian Finance Conference (AFC) considered that the use or disclosure of credit reporting information for secondary purposes should be permitted in accordance with the ‘Use and Disclosure’ principle. In the AFC’s view,

the secondary use permission contained in UPP 5 is sufficient and a specific regulation is not required. Should a related secondary purpose be identified as a risk to consumer credit privacy, then prohibition of use for this purpose should be contained in a Regulation/the Code (eg prohibition against direct marketing).[24]

Credit industry proposal

57.26 The Australasian Retail Credit Association (ARCA) put forward a detailed proposal for reform of the use and disclosure provisions of Part IIIA.[25] This proposal, which was expressly supported by a number of other stakeholders,[26] would significantly liberalise the existing constraints on the handling of credit reporting information.

57.27 ARCA proposed that credit reporting regulations provide for a primary purpose of credit reporting information, and authorise specified secondary use and disclosure of the information. It was suggested that the primary purpose, in relation to the disclosure of credit reporting information to a credit provider, be defined as disclosure:

for the purpose of making a credit decision affecting an individual and directly related purposes, including the ongoing management and administration of credit and prevention of over commitment, bad debt and identity crime and such other purposes of the credit provider as are specified under the Code.[27]

57.28 ARCA submitted that, in addition to disclosure to credit providers, credit reporting agencies should specifically be authorised to disclose credit reporting information:

  • to another credit reporting agency;

  • to dispute resolution bodies, where the credit reporting information is relevant to a dispute;

  • to a mortgage insurer;

  • to a trade insurer;

  • to a government body tasked with assisting individuals with credit;

  • to a potential assignee of an individual’s debt;

  • to a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth); and

  • as otherwise required by law.[28]

57.29 ARCA and Veda Advantage considered that, in addition, credit reporting agencies and credit providers should be able to rely on a new secondary use provision, measured against the prescribed primary purpose. Veda Advantage suggested that regulation should ‘provide for a secondary use mechanism that allows use or disclosure of data that meets the following tests’:

  • the use is in the reasonable expectation of the consumer

  • explicit notice is provided

  • a consumer would have consented if consent is possible

  • there is benefit for the individual consumer

  • there is overall public benefit (including economic efficiency).[29]

ALRC’s view

57.30 As noted above, Part IIIA prescribes more than 50 different circumstances in which the use or disclosure of personal information is authorised; and the categories of permitted use and disclosure are exhaustive. It is hard to justify this level of prescription, which risks being overtaken by changes in credit industry practices.

57.31 There is room to simplify and consolidate the use and disclosure provisions of Part IIIA, for example, in relation to use and disclosure by credit reporting agencies and credit providers for the purposes of credit risk assessment;[30] securitisation;[31] or credit assessment of a guarantor.[32]

57.32 A process of consolidation will be necessary, in any case, as a result of the ALRC’s recommendation that there should be no equivalent in the new Privacy (Credit Reporting Information) Regulations of s 18N of the Privacy Act.[33] Some of the circumstances in which the disclosure of information by credit providers is expressly authorised by s 18N may need to be preserved in the regulations, but with application to a more circumscribed category of information.[34]

57.33 The new regulations should provide a simplified list of circumstances in which a credit reporting agency or credit provider may use or disclose credit reporting information. This list should be based on the existing provisions of Part IIIA of the Privacy Act, subject to the ALRC’s other recommendations concerning use and disclosure for specified purposes such as direct marketing and identity verification, discussed below.

57.34 The use and disclosure of credit reporting information is potentially useful for a wide range of secondary purposes. Detailed views on specific use or disclosure of credit reporting information were set out in submissions, including, for example, in relation to mortgage and trade insurance, debt collection, direct marketing and identity verification. These views are discussed in more detail below.

57.35 In DP 72, the ALRC proposed that there be an additional category of permitted use and disclosure of credit reporting information incorporating, expressly or by reference, the secondary use provision in the ‘Use and Disclosure’ principle in the model UPPs.

57.36 In the light of stakeholder comments and after further consideration, the ALRC considers that the proposal made in DP 72 to permit use and disclosure of credit reporting information for any related secondary purpose within the reasonable expectations of the individual concerned is unjustifiably broad.

57.37 The ALRC’s view remains, however, that an additional general category of permitted use and disclosure of credit reporting information should be incorporated into the regulations. Use and disclosure of credit information should be permitted for directly related secondary purposes where the individual concerned would reasonably expect such use or disclosure. The ALRC recommends that, as suggested by a number of stakeholders, this provision refer to the primary purpose of the collection of credit reporting information. This primary purpose should be expressed as ‘the assessment of an application for credit or the management of an existing credit account’.

Recommendation 57-1 The new Privacy (Credit Reporting Information) Regulations should provide a simplified list of circumstances in which a credit reporting agency or credit provider may use or disclose credit reporting information. This list should be based on the provisions of Part IIIA of the Privacy Act, which currently authorise the use and disclosure by credit reporting agencies and credit providers of personal information contained in credit information files, credit reports and reports relating to credit worthiness (ss 18L, 18K and 18N).

Recommendation 57-2 The new Privacy (Credit Reporting Information) Regulations should provide that a credit reporting agency or credit provider may use or disclose credit reporting information for a secondary purpose related to the assessment of an application for credit or the management of an existing credit account, where the individual concerned would reasonably expect such use or disclosure.

[5] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [53.5].

[6] For example, s 18N(1)(be) permits the disclosure of personal information to a person or body supplying goods or services to an individual who intends to pay by credit card or electronic funds transfer. The information that may be disclosed is limited to information reasonably necessary to identify the individual, and to determine whether the individual has access to funds sufficient to meet the payment concerned.

[7] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 53–1.

[8] Ibid, Proposal 53–2.

[9] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[10] Consumer Action Law Centre, Submission PR 510, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; HBOS Australia, Submission PR 475, 14 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; Financial Counsellors Association of Queensland, Submission PR 371, 30 November 2007; Mortgage and Finance Association of Australia, Submission PR 344, 19 November 2007.

[11] Consumer Action Law Centre, Submission PR 510, 21 December 2007.

[12] Mortgage and Finance Association of Australia, Submission PR 344, 19 November 2007.

[13] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[14] See Ch 54, Rec 54–3.

[15] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[16] Privacy Act 1988 (Cth) s 18K(1)(m)–(n).

[17] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[18] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Financial Counsellors Association of Queensland, Submission PR 371, 30 November 2007.

[19] Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[20] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[21] Ibid.

[22] Galexia Pty Ltd, Submission PR 465, 13 December 2007.

[23] Ibid.

[24] Australian Finance Conference, Submission PR 398, 7 December 2007.

[25] Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[26] GE Money Australia, Submission PR 537, 21 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007.

[27] Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[28] Ibid.

[29] Veda Advantage, Submission PR 498, 20 December 2007.

[30] See, Privacy Act 1988 (Cth) ss 18K(1)(a), 18L(1).

[31] See, Ibid ss 18K(1)(ac), 18L(1)(aa)–(ab).

[32] See, Ibid ss 18K(1)(c), 18L(1)(b).

[33] See Rec 57–6.

[34] That is, credit reporting information, rather than personal information related to credit worthiness as defined by s 18N(9)(b).