Regulating data quality

58.5 The ‘Data Quality’ principle in the model UPPs and the data quality obligations in Part IIIA[4] are similar. The ‘Data Quality’ principle, therefore, may be considered adequate to cover credit reporting information without the need for separate provisions in the new Privacy (Credit Reporting Information) Regulations.

58.6 There are, however, some important differences between the obligations in the UPPs and in Part IIIA. These are that:

  • section 18G(a) provides an additional requirement that personal information be ‘not misleading’; and

  • the ‘Data Quality’ principle provides an additional requirement that personal information be ‘relevant’.[5]

Discussion Paper proposal

58.7 In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC expressed the view that the existing formulation of the data quality obligation set out in s 18G(a) should be retained for the purposes of credit reporting regulation. It proposed that the new Privacy (Credit Reporting Information) Regulations provide that credit providers and credit reporting agencies have an obligation to take reasonable steps to ensure that credit reporting information is accurate, up-to-date, complete and not misleading.[6]

Submissions and consultations

58.8 Stakeholders generally supported the imposition of data quality obligations in the new regulations, as proposed by the ALRC.[7] The Office of the Privacy Commissioner (OPC) submitted, however, that the relevance requirement in the ‘Data Quality’ principle should be ‘retained and strengthened’ in relation to credit reporting.[8] The Cyberspace Law and Policy Centre and the Australian Privacy Foundation also stated that the regulations should include the relevance requirement, to be as consistent as possible with the ‘Data Quality’ principle.[9] Conversely, Veda Advantage submitted that the requirement of relevance is not within the control of credit reporting agencies and, therefore, should not be part of credit reporting data quality obligations.[10]

58.9 The OPC suggested that it provide guidance for credit providers and credit reporting agencies about what measures are considered to be ‘reasonable steps’ to promote and maintain the accuracy of credit reporting information.[11]

ALRC’s view

58.10 The major discrepancy between the criteria set out in the ‘Data Quality’ principle and in s 18G(a) is the additional requirement in s 18G(a) that information be ‘not misleading’. In DP 72, the ALRC stated that, in the credit reporting context, information may be ‘accurate’ but misleading in relation to the credit worthiness of an individual. This may be, for example, due to circumstances surrounding a default listing, such as a billing failure on the part of the credit provider.[12] On the other hand, in most situations where information fails to meet the requirement of ‘not misleading’, it also will not meet the requirements that it must be ‘accurate’, ‘complete’ or ‘up-to-date’.

58.11 The ‘Access and Correction’ principle, unlike the ‘Data Quality’ principle, refers to information being ‘not misleading’.[13] It is sufficient that the ‘not misleading’ requirement only be contained in the ‘Access and Correction’ principle.[14] It is difficult for credit providers or credit reporting agencies to determine whether personal information is ‘not misleading’—for example, because of surrounding circumstances of which they may not be aware—when collecting personal information or maintaining databases. When rights of correction are exercised, however, views may be formed more easily on whether credit reporting information, in a specific context, is or is not misleading.

58.12 The new Privacy (Credit Reporting Information) Regulations will prescribe the permissible content of credit reporting information. Information that is specifically permitted to be collected by the regulations can be assumed to be ‘relevant’ for the purposes of the recommended ‘Data Quality’ principle. Consequently, the relevance requirement will not place any additional obligations on credit providers or credit reporting agencies.

58.13 The ALRC is of the view that general data quality obligations need not be incorporated in the new Privacy (Credit Reporting Information) Regulations. The ALRC’s approach to reform of the credit reporting provisions is that the new regulations should be drafted to contain only those requirements that are different or more specific than those provided for in the model UPPs.[15] The data quality provision in the new regulations proposed in DP 72 would largely duplicate the provisions of the ‘Data Quality’ principle in the model UPPs[16] and is, therefore, unnecessary.

[4] Ibid s 18G(a).

[5] The reasons for the formulation preferred in the model UPPs are set out in Ch 27.

[6] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 54–4.

[7] Australian Privacy Foundation, Submission PR 553, 2 January 2008; GE Money Australia, Submission PR 537, 21 December 2007; Consumer Action Law Centre, Submission PR 510, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007; Mortgage and Finance Association of Australia, Submission PR 344, 19 November 2007.

[8] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[9] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[10] Veda Advantage, Submission PR 498, 20 December 2007.

[11] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[12] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [54.71].

[13] See Ch 29.

[14] In Ch 59, the ALRC concludes that the correction provisions of s 18J of the Privacy Act need not be incorporated in the new regulations because this would largely duplicate provisions of the ‘Access and Correction’ principle.

[15] See Rec 54–2.

[16] See Ch 27.