Data security

58.97 The ‘Data Security’ principle in the model UPPs provides that an agency or organisation must take reasonable steps to:

  • protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure; and

  • destroy or render non-identifiable personal information if it is no longer needed for any purpose for which it can be used or disclosed under the UPPs and retention is not required or authorised by or under law.

58.98 In Part IIIA, credit providers and credit reporting agencies have an obligation under s 18G(b) to ensure that credit information files or credit reports are ‘protected, by such security safeguards as are reasonable in the circumstances, against loss, against unauthorised access, use, modification or disclosure, and against other misuse’. Section 18G(c) provides that credit providers and credit reporting agencies must also, if it is necessary for credit reporting information to be given to a person ‘in connection with the provision of a service to the credit reporting agency or credit provider’, ensure that ‘everything reasonably within the power of the credit reporting agency or credit provider is done to prevent unauthorised use or disclosure’.

58.99 In addition, Part IIIA contains provisions requiring credit reporting agencies to ensure that credit reporting information is deleted after the expiry of maximum permissible retention periods set out in s 18F. The deletion of credit reporting information is considered separately below.

58.100 A range of concerns about the security of credit reporting information has been identified by the OPC in the conduct of its credit reporting auditing functions. The security issues included: insufficient security of the manner in which passwords and user codes were provided to new subscribers; passwords of former employees not being automatically deactivated; and the poor security of passwords in the online environment, such as the storage of passwords by web browsers.[106] In addition, it was found that some credit providers did not have provisions in their service provider contracts regarding the security and confidentiality of information, even though these contractors can obtain access to personal information held by credit providers.[107]

58.101 In this Inquiry, the ALRC asked about issues raised by regulation dealing with the security of credit information files and credit reports and how these provisions operate in practice.[108] The ALRC received relatively little comment on data security issues in the context of credit reporting specifically.

Discussion Paper proposal

58.102 In DP 72, the ALRC proposed that the new Privacy (Credit Reporting Information) Regulations contain no equivalent to s 18G(b) and (c), dealing with the security of credit reporting information, as these obligations were adequately covered by the ‘Data Security’ principle.[109]

Submissions and consultations

58.103 Industry and consumer stakeholders agreed that the new regulations should contain no equivalent to s 18G(b) and (c) of the Privacy Act.[110]

58.104 Veda Advantage stated that it would not be necessary for the new Privacy (Credit Reporting Information) Regulations to modify the ‘Data Security’ principle. Veda submitted, however, that agreements between credit reporting agencies and credit providers should be required to cover data security, as well as data quality, obligations.

With the potential increase in personal information shared under reform proposals, a significant potential harm arises from data breach. Accordingly the law should require that agreements cover this risk.[111]

ALRC’s view

58.105 The data security obligation in s 18G(b) provides an additional requirement, as compared to the ‘Data Security’ principle in the model UPPs, that personal information be protected from ‘unauthorised use’. The ‘Data Security’ principle does, however, refer to the ‘misuse’ of personal information, which seems broad enough to cover unauthorised use. The data security obligation in s 18G(c) is not required because credit reporting information in the hands of an organisation other than a credit provider or credit reporting agency will be protected adequately by the UPPs.

58.106 The recommended ‘Data Security’ principle adequately covers credit reporting information and no separate provision dealing with data security is needed in the new Privacy (Credit Reporting Information) Regulations. The ALRC recommends, however, that the regulations provide that credit reporting agencies must enter into agreements with credit providers that contain obligations to ensure the security, as well as the quality, of credit reporting information. This recommendation is incorporated into Recommendation 58–4 above.

[106] Office of the Federal Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2003–30 June 2004 (2004), 65–66; Australian Government Attorney-General’s Department, Response to Questions on Notice for Attorney-General’s Portfolio: Senate Legal and Constitutional Legislation Committee Additional Estimates 2003–2004, Questions 38 to 50, undated, Answer to Q 42.

[107] Australian Government Attorney-General’s Department, Response to Questions on Notice for Attorney-General’s Portfolio: Senate Legal and Constitutional Legislation Committee Additional Estimates 2003–2004, Questions 38 to 50, undated, Answer to Q 42.

[108] Australian Law Reform Commission, Review of Privacy—Credit Reporting Provisions, IP 32 (2006), Question 5–6.

[109] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 54–9.

[110] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007; Australian Finance Conference, Submission PR 294, 18 May 2007.

[111] Veda Advantage, Submission PR 498, 20 December 2007.