Data quality obligations of credit reporting agencies

58.73 Much of the credit reporting information provided by credit reporting agencies to their subscribers is supplied to agencies by credit providers. Credit reporting can be described, to some extent, as operating on an ‘honour system’—in that credit reporting agencies do not have the capacity readily to check the accuracy of the information given to them by credit providers.

58.74 While the ‘Data Quality’ principle in the model UPPs requires credit reporting agencies to ‘take reasonable steps’ to ensure the accuracy of information, it has been suggested that, given the high volume of information handled by credit reporting agencies, more detailed obligations are required.[78]

58.75 The New Zealand Credit Reporting Privacy Code 2004 (the NZ Code) provides one model for the imposition of obligations that could be placed on credit reporting agencies to ensure the data quality of credit reporting information, including that supplied to them by credit providers.[79] Under the NZ Code agencies must:

(b) establish and maintain controls to ensure that, as far as reasonably practicable, only information that is accurate, up to date, complete, relevant, and not misleading is used or disclosed;

(c) monitor information quality and conduct regular checks on compliance with the agreements and controls;

(d) identify and investigate possible breaches of the agreements and controls;

(e) take prompt and effective action in respect of any breaches that are identified; and

(f) systematically review the effectiveness of the agreements and controls and promptly remedy any deficiencies.[80]

Discussion Paper proposal

58.76 In DP 72, the ALRC proposed that the new Privacy (Credit Reporting Information) Regulations should provide that credit reporting agencies must:

  • enter into agreements with credit providers that contain obligations to ensure data quality in the information credit providers provide to credit reporting agencies;

  • establish and maintain controls to ensure that only information that is accurate, complete, up-to-date and relevant is used or disclosed;

  • monitor data quality and audit compliance with the agreements and controls; and

  • identify and investigate possible breaches of the agreements and controls.[81]

Submissions and consultations

58.77 The OPC supported the ALRC’s proposal.[82] The OPC also suggested that it produce guidance for credit providers and credit reporting agencies about what constitutes ‘reasonable steps’ to promote and maintain the accuracy of credit reporting information.[83]

58.78 Industry and consumer stakeholders provided considerable, if qualified, support for the ALRC’s proposal.[84] ARCA supported the imposition of new data quality obligations on credit reporting agencies, but submitted that these should be detailed in a code of conduct and not in the regulations.[85] GE Money agreed with the ARCA position, but noted that

reliance on the credit reporting agencies alone to oversee data accuracy and management is problematic. Their willingness to ‘enforce’ may be compromised by the economics of the relationships—a reluctance to ‘bite the hand that feeds’. Only independent oversight and enforcement will be workable.[86]

58.79 The Consumer Action Law Centre supported the ALRC’s proposal but noted that the key to the effectiveness of these provisions will be how the regulations are enforced. The Centre stated:

As well as having an obligation to enter into particular agreements with credit providers, credit reporting agencies should have an obligation to enforce compliance with those agreements.[87]

58.80 Veda Advantage stated that the ALRC’s proposal should include a requirement that credit providers and credit reporting agencies must agree to appropriate deadlines for supplying information when an agency is undertaking an investigation related to data quality.

58.81 Some stakeholders opposed the imposition of new data quality obligations on credit reporting agencies. The AFC questioned why specific provisions are required that ‘effectively restate’ the obligations under the ‘Data Quality’ principle.[88] Telstra objected to the proposal, on the basis that it was ‘an unnecessary, over-prescriptive approach, inconsistent with outcomes-based regulatory principles’.[89]

ALRC’s view

58.82 Consumer groups have expressed concerns that there are no adequate incentives for credit reporting agencies or credit providers to correct systemic flaws in the credit reporting system, in part because the cost of dealing with a small number of complaints is less than the cost of ensuring the data is accurate in the first place.[90]

58.83 Credit reporting agencies should take more responsibility for ensuring data quality. This imperative is recognised by agencies themselves. Veda Advantage stated, for example, that a statutory obligation on the credit reporting agencies to be satisfied that credit providers are able to comply with data quality obligations would ‘help [to] ensure regulatory objectives are met’.[91]

58.84 The ALRC recommends that the new Privacy (Credit Reporting Information) Regulations impose obligations on credit reporting agencies to monitor the data quality of information provided to them by credit providers, including through audit, discussed below. A provision containing similar obligations to those contained in the NZ Code should be included in the new Privacy (Credit Reporting Information) Regulations, to encourage the development of audit and other processes to ensure data quality.

58.85 The new Privacy (Credit Reporting Information) Regulations should also provide that credit reporting agencies must enter into agreements with credit providers that contain obligations to ensure the security of credit reporting information. Data security is discussed later in this chapter.

Recommendation 58-4 The new Privacy (Credit Reporting Information) Regulations should provide that credit reporting agencies must:

(a) enter into agreements with credit providers that contain obligations to ensure the quality and security of credit reporting information;

(b) establish and maintain controls to ensure that only credit reporting information that is accurate, complete and up-to-date is used or disclosed;

(c) monitor data quality and audit compliance with the agreements and controls; and

(d) identify and investigate possible breaches of the agreements and controls.

[78] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [5.11].

[79] The NZ Code requires credit reporting agencies to enter into subscriber agreements that comply with the provisions of a schedule to the Code: Credit Reporting Privacy Code 2004 (NZ), r 8(3)(a), sch 3.

[80] Ibid, r 8(3).

[81] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 54–3.

[82] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[83] Office of the Privacy Commissioner, Submission PR 281, 13 April 2007.

[84] Australian Privacy Foundation, Submission PR 553, 2 January 2008; GE Money Australia, Submission PR 537, 21 December 2007; Consumer Action Law Centre, Submission PR 510, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Financial Counsellors Association of Queensland, Submission PR 371, 30 November 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[85] Australasian Retail Credit Association, Submission PR 352, 29 November 2007. Dun and Bradstreet submitted that such obligations be included in ‘contractual terms’ as well as in the code of conduct: Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007.

[86] GE Money Australia, Submission PR 537, 21 December 2007.

[87] Consumer Action Law Centre, Submission PR 510, 21 December 2007. The Centre also referred, in this context, to the importance of auditing (discussed below).

[88] Australian Finance Conference, Submission PR 398, 7 December 2007. EnergyAustralia stated that it ‘is hard to see how further regulation could ensure greater accuracy on the part of credit providers’: EnergyAustralia, Submission PR 229, 9 March 2007.

[89] Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[90] See, eg, Australian Law Reform Commission, Review of Privacy—Credit Reporting Provisions, IP 32 (2006); Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 135.

[91] Veda Advantage, Submission PR 272, 29 March 2007.