57.2 Under the ‘Use and Disclosure’ principle in the model UPPs, an agency or organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:
(a) both of the following apply:
(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection; and
(ii) the individual would reasonably expect the agency or organisation to use or disclose the information for the secondary purpose; or
(b) the individual has consented to the use or disclosure …
57.3 The relative simplicity of the general principle set out in clause (a), which permits use or disclosure for related secondary purposes within the reasonable expectation of the individual concerned, may be contrasted with the complexity of the use and disclosure provisions of Part IIIA.
57.4 Sections 18K, 18L, 18N, 18P and 18Q all deal with aspects of the use or disclosure of personal information (or both). These provisions place various limits on the use and disclosure of personal information based on the identity of the person or organisation to whom information is disclosed; the source and nature of the information; and the purpose for which the information is to be used. Briefly, the use and disclosure provisions of Part IIIA deal with the following:
s 18K places limits on the disclosure by credit reporting agencies of personal information contained in credit information files;
s 18L places limits on the use by credit providers of personal information contained in credit reports;
s 18N places limits on the disclosure by credit providers of personal information in ‘reports relating to credit worthiness’;
s 18P places limits on the use or disclosure by mortgage insurers or trade insurers of personal information contained in credit reports; and
s 18Q places limits on the use of personal information obtained from credit providers by: a corporation that is related to the credit provider; a corporation that proposes to use the information in connection with an assignment or purchase of debt; or a person who manages loans made by the credit provider.
Comparing Part IIIA and the NPPs
57.5 The Part IIIA provisions may operate to make use and disclosure of credit reporting information more or less restrictive than is the case under general privacy principles. The extent to which any particular category of use or disclosure permitted by Part IIIA also would be permitted by the National Privacy Principles (NPPs) or the model UPPs, however, is difficult to determine. The determination depends primarily on whether the specific circumstances in which use or disclosure is authorised by Part IIIA are related secondary purposes within the reasonable expectations of the individual.
57.6 How broadly an organisation can describe the primary purpose needs to be determined on a case-by-case basis and depends on the circumstances. The Office of the Privacy Commissioner’s (OPC) Guidelines to the National Privacy Principles state that when an individual provides, and an organisation collects, personal information, they almost always do so for a particular purpose. This is ‘the primary purpose of collection even if the organisation has some additional purposes in mind’.
57.7 Even on a broad conception of the term ‘primary purpose’, it is hard to argue that the disclosure of information by a credit provider to a credit reporting agency is for the primary purpose of collection. Disclosure does not directly serve purposes connected with the provision of finance by a credit provider to an individual. Rather, the information is disclosed so that it may be used in the future, including by other credit providers in assessing other loan applications. This conclusion has not been contested.
57.8 In the ALRC’s view, for the same reasons, disclosure to a credit reporting agency is unlikely to be considered a related secondary purpose for the purposes of NPP 2.1(a) or the ‘Use and Disclosure’ principle in the model UPPs. This conclusion, however, has been contested. In a submission to the Inquiry, Nigel Waters of the Cyberspace Law and Policy Centre stated:
It is suggested that it may be necessary for credit providers to obtain consent for disclosures involved in the credit reporting system because they would not fit within the alternative exception for secondary purposes … I submit that it is at least arguable that within the context of the well established operation of the credit market, disclosure to [credit reporting agencies] and other [credit providers] is both a related purpose and within reasonable expectations …
57.9 These comments serve to highlight the fact that different conclusions can be reached even on the most basic questions about how NPP 2 applies to credit reporting information. In this context, the provisions of Part IIIA can be seen as providing some certainty for existing finance industry practices. The provisions remove the need to determine whether, for example, the disclosure by a credit provider of personal information to a credit reporting agency, a mortgage insurer, or the assignee of a debt to the credit provider are within the reasonable expectations of the individual concerned.