17.08.2010
58.107 The ‘Data Security’ principle provides that an agency or organisation must take reasonable steps to ‘destroy or render non-identifiable personal information if it is no longer needed for any purpose for which it can be used or disclosed under the UPPs and retention is not required or authorised by or under law’.
58.108 Part IIIA, in contrast, contains detailed provisions requiring credit reporting agencies to ensure that personal information contained in credit information files is deleted after the expiry of maximum permissible retention periods set out in s 18F.[112] For example:
information about overdue payments must be deleted five years after the day on which the credit reporting agency was informed of the overdue payment concerned;[113]
information that, in a credit provider’s opinion, an individual has committed a specific serious credit infringement must be deleted seven years after the information was included in the credit information file;[114] and
a record of a bankruptcy order must be deleted seven years after the order was made.[115]
Discussion Paper proposals
58.109 In DP 72, the ALRC proposed that the new Privacy (Credit Reporting Information) Regulations provide for the deletion by credit reporting agencies of different categories of credit reporting information after the expiry of maximum permissible periods, based on those currently set out in s 18F of the Privacy Act.[116]
58.110 The ALRC also proposed that the regulations provide for the deletion of information about voluntary arrangements with creditors under Part IX and Part X of the Bankruptcy Act 1966 (Cth) five years from the date of the arrangement as recorded on the National Personal Insolvency Index.[117] The need for this proposal arose as a consequence of the ALRC’s proposal to permit the collection of credit reporting information about all the types of personal insolvency administration available under the Bankruptcy Act 1966 (Cth).[118]
Submissions and consultations
58.111 Stakeholders generally agreed that the new regulations should provide for the deletion of information as currently set out in s 18F.[119] Some stakeholders considered, however, that the specific retention periods should be located in the code of conduct, rather than in the regulations.[120]
58.112 Other stakeholders expressed the view that the maximum permissible retention periods currently applicable should be reviewed more closely.[121] The Cyberspace Law and Policy Centre submitted that the periods set out in s 18F need to be reviewed. In particular, the regulations should require the time period within which a default listing must be deleted ‘to commence from the event rather than from the time of listing’.[122]
58.113 The OPC agreed that the maximum permissible retention periods should be based on those in s 18F, but suggested further consideration of whether
time limits for adverse listings should be on the basis of set monetary amounts on a graduated scale, with the maximum permissible retention periods based on those currently set out in s 18F of the Privacy Act applying to credit reporting information that relates to higher monetary amounts and shorter retention periods applying to lower monetary amounts.[123]
58.114 Others also favoured a ‘more graduated’ set of retention periods,[124] including a two year maximum permissible period for the retention of default listings for non-credit services such as telecommunications.[125]
58.115 The AFC suggested that the maximum permissible retention periods should take into account record-keeping obligations under other regulation such as the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).[126] ING Bank was concerned about the impact of the periods prescribed by s 18F on identity verification. Section 18F, it was said,
will potentially exclude customers, who do not represent a money laundering/terrorist financing risk, from being electronically verified if they have not applied for credit in some years.[127]
58.116 Veda Advantage submitted that credit reporting agencies should be able to ‘continue to hold credit reporting information for the building of statistical models’ beyond the retention periods prescribed by the regulations.[128] Veda advised that this is currently done by removing the information from an individual’s ‘credit information file’, as that term is defined in the Act.[129]
58.117 Stakeholders provided support for the proposed five year maximum permissible retention period for information about voluntary arrangements with creditors under Part IX and Part X of the Bankruptcy Act.[130]
58.118 The CCLC expressed concern about the listing of debt agreements under Part IX of the Bankruptcy Act and submitted that such listings, if permitted, should be removed when the debtor has satisfied their obligations under the agreement.[131] Conversely, some industry stakeholders disagreed with the proposal on the basis that the maximum permissible period of retention should be seven years, as is the case for information about bankruptcy orders.[132]
58.119 The OPC also submitted that the new regulations should specify how the data destruction obligations of the ‘Data Security’ principle apply in relation to credit reporting information. As noted above, the ‘Data Security’ principle requires agencies and organisations to ‘destroy or render non-identifiable personal information if it is no longer needed for any purpose for which it can be used or disclosed under the UPPs and retention is not required or authorised by or under law’. The OPC submitted that the application of this principle to credit reporting information would need to reflect that:
The relevant purpose is that permitted by the UPPs as modified by the new Privacy (Credit Reporting Information) Regulations. For example, notwithstanding that information is needed for a purpose permitted by the UPPs, this should not circumvent the requirements to delete the credit reporting information under an equivalent to s 18F.
Credit reporting information should be deleted at the expiry of the relevant maximum retention period, as currently provided under s 18F. To avoid any uncertainty, the option in the ‘Data Security’ principle to render the information ‘non-identifiable’ should not be applicable to credit reporting information.[133]
ALRC’s view
58.120 The retention periods prescribed by s 18F provide an important protection for consumers. The consequences of an adverse listing can be serious. It is important that, after some reasonable period of time, the information should be considered spent, allowing the individual to ‘repair’ their credit record.
58.121 It would not be appropriate, in this context, to rely on the general provisions of the ‘Data Security’ principle, as this would leave credit reporting agencies with too much discretion. One stakeholder noted that the regulation of retention periods is ‘an area in which more rather than less prescription is desirable’.[134]
58.122 There is some concern about the relationship between the maximum permissible periods for the retention of credit reporting information and other records under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). The Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (AML/CTF Rules) requires reporting entities to retain for seven years records of the provision of a designated service and related documents.[135]
58.123 The AML/CTF Rules state that these record-keeping requirements do not override Part IIIA of the Privacy Act.[136] The explanatory memorandum stated that this means that records retained in compliance with the AML/CTF Rules for longer than the maximum period permitted by the Privacy Act should only be used for purposes associated with fulfilling the requirements of the AML/CTF Rules. Credit reporting agencies and credit providers may, it said, retain credit reporting information that is covered by the record-keeping requirements of the AML/CTF Rules, as long as that information is used only for AML/CTF purposes.[137]
58.124 In any case, the use of credit reporting information for electronic identity verification, which the ALRC recommends be authorised expressly under the AML/CTF Act,[138] depends primarily on the availability of name, date of birth and address information. This information is not subject to a maximum permissible period of retention under s 18F.
58.125 The ALRC does not consider that there is any compelling case for change to the existing retention periods. Credit reporting information technology systems are built around these retention periods and changes may involve significant transition costs. The new Privacy (Credit Reporting Information) Regulations should provide for the deletion of different categories of credit reporting information after the expiry of maximum permissible periods, based on those currently set out in s 18F.
58.126 One exception involves personal insolvency information. As discussed in Chapter 56, the ALRC recommends that the new Privacy (Credit Reporting Information) Regulations permit credit reporting information to include all the types of personal insolvency information recorded on the National Personal Insolvency Index administered under the Bankruptcy Regulations 1966 (Cth).[139] These include voluntary arrangements with creditors under Part IX and Part X of the Bankruptcy Act.
58.127 The ALRC considers that information about voluntary arrangements with creditors under Part IX and Part X should be subject to a five year retention period, rather than the seven years applicable to bankruptcy.[140] An individual who has come to a voluntary arrangement with creditors should not be in a worse position than other individuals who have defaulted.
58.128 Finally, there is no need for the new regulations to specify how the ‘Data Security’ principle applies in relation to the deletion of credit reporting information. The new regulations are to provide that credit reporting information should be deleted after the expiry of the relevant maximum permissible retention period. This specific obligation modifies and overrides the provisions of the ‘Data Security’ principle where credit reporting information is concerned.
Recommendation 58-5 The new Privacy (Credit Reporting Information) Regulations should provide for the deletion by credit reporting agencies of different categories of credit reporting information after the expiry of maximum permissible periods, based on those currently set out in s 18F of the Privacy Act.
Recommendation 58-6 The new Privacy (Credit Reporting Information) Regulations should provide for the deletion by credit reporting agencies of information about voluntary arrangements with creditors under Parts IX and X of the Bankruptcy Act 1966 (Cth) five years from the date of the arrangement as recorded on the National Personal Insolvency Index.
[112] These periods are summarised in Ch 53.
[113] Privacy Act 1988 (Cth) s 18F(2)(c).
[114] Ibid s 18F(2)(g). The definition of ‘serious credit infringement’ is discussed in Ch 56.
[115] Ibid s 18F(2)(f).
[116] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 54–7.
[117] Ibid, Proposal 54–8.
[118] Ibid, Proposal 52–4.
[119] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.
[120] Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.
[121] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007.
[122] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007. As suggested by MasterCard Worldwide: MasterCard Worldwide, Submission PR 237, 13 March 2007.
[123] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007. The OPC earlier suggested that the listing period for defaults be reduced from five and seven years to periods of two and four years, respectively, for minor monetary amounts. The OPC also submitted that the ALRC consider shorter credit listing timeframes for minors: Office of the Privacy Commissioner, Submission PR 281, 13 April 2007.
[124] N Waters—Cyberspace Law and Policy Centre UNSW, Submission PR 277, 3 April 2007; Australian Privacy Foundation, Submission PR 275, 2 April 2007.
[125] Consumer Credit Legal Centre (NSW) Inc, Submission PR 255, 16 March 2007; Consumer Credit Legal Centre (NSW) Inc, Credit Reporting Research Report (2007), rec 15.
[126] Australian Finance Conference, Submission PR 398, 7 December 2007.
[127] ING Bank, Submission PR 230, 9 March 2007. See Ch 57 on the use of credit reporting information in electronic identity verification.
[128] Veda Advantage, Submission PR 498, 20 December 2007.
[129] Privacy Act 1988 (Cth) s 6(1).
[130] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Financial Counsellors Association of Queensland, Submission PR 371, 30 November 2007.
[131] Consumer Credit Legal Centre (NSW) Inc, Submission PR 255, 16 March 2007; Consumer Credit Legal Centre (NSW) Inc, Credit Reporting Research Report (2007), rec 34.
[132] GE Money Australia, Submission PR 537, 21 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.
[133] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[134] N Waters—Cyberspace Law and Policy Centre UNSW, Submission PR 277, 3 April 2007. Also Australian Privacy Foundation, Submission PR 275, 2 April 2007.
[135] Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No 1) 2007 (Cth) pt 10.
[136] Ibid r 105.
[137] Replacement Explanatory Memorandum, Anti-money Laundering and Counter-Terrorism Financing Bill 2006 (Cth).
[138] Rec 57–4.
[139] Rec 56–4 and 56–5.
[140] Such a reform was supported by the OPC: Office of the Privacy Commissioner, Submission PR 281, 13 April 2007.