Auditing credit reporting information

58.86 The audit of credit reporting information may assist in ensuring data quality. Under s 28A(1)(g) of the Privacy Act, the Privacy Commissioner has the function of auditing credit information files and credit reports held by credit reporting agencies and credit providers.

58.87 The OPC review of the private sector provisions of the Privacy Act noted that the priority given by the OPC to its complaint-handling functions has diverted resources from other areas of responsibility, including auditing.[92] No credit reporting audits have been conducted since 2003–04.[93]

Submissions and consultations

58.88 In DP 72, the ALRC noted strong support for the use of the Privacy Commissioner’s powers to audit credit reporting information.[94] For example, the Consumer Action Law Centre advocated that the Australian Government allocate more resources to the OPC to perform its auditing functions.

In the credit reporting regulatory scheme, the OPC is both the complaints handler and the regulator. It is therefore even more important that it identify systemic issues or incidents of non-compliance with the scheme and take action where appropriate. Undertaking audits is the key way in which information about non-compliance may be obtained proactively, with complaints received the key way in which such information is obtained reactively.[95]

58.89 The OPC submitted that the audit power under s 28A(1)(g) should be retained in the new Privacy (Credit Reporting Information) Regulations. Other stakeholders noted the practical barriers to audits by the OPC, given the scale of the credit reporting system, and the complexity of agreements and operating systems.[96] One suggested solution is for third parties to carry out privacy audits on behalf of the OPC.[97]

58.90 Another possibility, suggested by a number of stakeholders, is to place more formal obligations on credit reporting agencies to ensure the data quality of information provided by their subscribers, including through audit processes.[98] The Australian Privacy Foundation submitted that credit reporting agencies should be required to include data quality obligations in subscriber agreements; monitor and conduct regular checks on quality; and investigate any possible breaches.[99] The Consumer Action Law Centre stated:

Some auditing (internal and/or external) by credit reporting agencies, and a requirement to report to the regulator could be an efficient way of monitoring some aspects of compliance by the credit provider, as well as the credit reporting agency.[100]

58.91 Other stakeholders highlighted the possible role of self-auditing by credit providers.[101] The OPC, for example, supported the ‘promotion and implementation of self auditing systems for credit reporting compliance within the credit reporting industry’, and recommended that the credit reporting code include procedures for the self-auditing of credit reporting information.[102]

ALRC’s view

58.92 In Chapter 47, the ALRC discusses the consolidation of the Privacy Commissioner’s audit functions under the Privacy Act. The ALRC recommends that the Act be amended to empower the Privacy Commissioner to conduct ‘Privacy Performance Assessments’ of personal information maintained by an organisation for the purpose of ascertaining whether the records are maintained according to the model UPPs, privacy regulations, rules or any privacy code that binds the organisation.[103] If this recommendation is implemented, it would be unnecessary to retain s 28A(1)(g).

58.93 Auditing is an important mechanism by which to ensure data quality and security. It is an important tool that the OPC should be able to use for a range of compliance purposes, including in credit reporting contexts. In practice, an OPC audit of credit reporting information must be used selectively, as it is complex and resource intensive.

58.94 The ALRC does not recommend the implementation of any general requirement on agencies or organisations to self-audit. Such a requirement would place a demand on the OPC’s resources in monitoring the self-audit process, and a compliance burden on agencies and organisations.[104]

58.95 The audit of credit reporting information by a credit reporting agency or credit provider may be required, in some circumstances, to comply with the obligation to ‘take reasonable steps’ under the ‘Data Quality’ or ‘Data Security’ principles. In addition, the ALRC recommends that the new Privacy (Credit Reporting Information) Regulations impose obligations on credit reporting agencies to ensure the quality of credit reporting information.[105] These include an obligation on agencies to audit compliance by credit providers with agreements and monitor controls relating to data quality.

58.96 Finally, as discussed above, the ALRC recommends that the credit reporting code promote data quality by setting out procedures to ensure consistency and accuracy of credit reporting information. These procedures could include the self-auditing of credit reporting information. There would be no benefit in prescribing by regulation more specific audit obligations.

[92] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 160. While the OPC Review referred to auditing of Commonwealth government agencies specifically, diversion of resources may also have affected credit reporting audits.

[93] See Australian Law Reform Commission, Review of Privacy—Credit Reporting Provisions, IP 32 (2006), [4.20]–[4.21].

[94] Consumer Action Law Centre, Submission PR 274, 2 April 2007; National Legal Aid, Submission PR 265, 23 March 2007; Banking and Financial Services Ombudsman Ltd, Submission PR 263, 21 March 2007; Consumer Credit Legal Centre (NSW) Inc, Submission PR 255, 16 March 2007; Consumer Credit Legal Centre (NSW) Inc, Credit Reporting Research Report (2007) rec 55. See Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [54.44]–[54.55].

[95] Consumer Action Law Centre, Submission PR 274, 2 April 2007.

[96] Experian Asia Pacific, Submission PR 228, 9 March 2007; Confidential, Submission PR 227, 9 March 2007.

[97] The costs of the audit would be borne by the credit providers themselves: Confidential, Submission PR 227, 9 March 2007.

[98] Legal Aid Queensland, Submission PR 292, 11 May 2007; Queensland Law Society, Submission PR 286, 20 April 2007; Australian Privacy Foundation, Submission PR 275, 2 April 2007; Veda Advantage, Submission PR 272, 29 March 2007; Consumer Credit Legal Centre (NSW) Inc, Submission PR 255, 16 March 2007; Consumer Credit Legal Centre (NSW) Inc, Credit Reporting Research Report (2007), rec 41.

[99] Australian Privacy Foundation, Submission PR 275, 2 April 2007.

[100] Consumer Action Law Centre, Submission PR 510, 21 December 2007.

[101] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Legal Aid Queensland, Submission PR 292, 11 May 2007; Queensland Law Society, Submission PR 286, 20 April 2007; Australian Privacy Foundation, Submission PR 275, 2 April 2007; Veda Advantage, Submission PR 272, 29 March 2007.

[102] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[103] Rec 47–6.

[104] See Ch 47.

[105] Rec 58–4.