17.08.2010
59.163 Part IIIA of the Privacy Act creates a range of credit reporting offences. These include, for example, offences relating to:
credit providers using or disclosing personal information contained in credit reports other than as permitted;[188]
credit reporting agencies or credit providers intentionally giving out a credit report that contains false or misleading information;[189]
persons intentionally obtaining unauthorised access to credit information files or credit reports;[190] and
persons obtaining access to credit information files or credit reports by false pretences.[191]
59.164 In response to IP 32, stakeholders expressed a range of views about penalties. Some stakeholders considered that the existing penalties are sufficiently broad or opposed any new penalty provisions.[192] Other stakeholders favoured the introduction of new civil or administrative penalties.[193]
Discussion Paper proposals
59.165 In DP 72, the ALRC proposed that the Privacy Act be amended to allow a civil penalty to be imposed where there is a serious or repeated interference with the privacy of an individual. The ALRC also proposed that the OPC develop and publish enforcement guidelines setting out the criteria upon which a decision to pursue a civil penalty is made.[194]
59.166 Finally, the ALRC proposed that the Privacy Act should be amended to remove the credit reporting offences and allow a civil penalty to be imposed where there is a serious or repeated breach of the regulations.[195]
Submissions and consultations
59.167 Stakeholders supported the ALRC’s proposal to repeal the credit reporting offences and replace them with a civil penalties regime.[196]
59.168 ARCA submitted that, in addition to the proposed civil penalties, severe or repeated breach of the new regulations should result in temporary or permanent suspension or exclusion from the credit reporting system, in accordance with processes set out in a code of conduct.[197] Galexia stated that
it may be useful for the industry to have a self-policing role in addition to the sanctions available in the Regulations. For example, the ability to limit access to credit reporting information where organisations are found to have engaged in a systemic breach might also apply to systemic breaches of the potential industry Code. Sanctions could be applied by a Code compliance body, and might include suspension or restricted access to credit reporting information, or requirements for specific performance such as corrective advertising, training, changes to procedures etc.[198]
59.169 The OPC suggested that, in addition to the civil penalty regime, the Privacy Act should specify particular conduct that is considered to be a ‘serious’ breach of credit reporting provisions, based on the existing credit reporting offences under Part IIIA of the Act.[199]
ALRC’s view
59.170 In Chapter 50, the ALRC recommends that the Privacy Act should be amended to allow a civil penalty to be imposed where there is a serious or repeated interference with the privacy of an individual.[200] Part IIIA creates a wide range of credit reporting offences. These offences are unnecessary, in light of the recommended civil penalties regime, and should not be retained.
59.171 The ALRC understands that no prosecutions have ever been launched under the credit reporting offence provisions. At least some of the relevant conduct is covered, in any case, by other offences under Commonwealth legislation. The Criminal Code, for example, creates an offence in respect to unauthorised access to, or modification of, data held in a computer to which access is restricted.[201]
59.172 Since the enactment of the credit reporting provisions, civil penalty regimes have become a more common means to enforce consumer protection laws including, for example, under the financial services civil penalty provisions of the Corporations Act[202] and the uniform Consumer Credit Code.[203] The ALRC considers that a civil penalty regime is a more appropriate enforcement mechanism for breaches of credit reporting regulation than the suite of criminal offences currently provided for in the Act.
59.173 In Chapter 54, the ALRC recommends that credit reporting agencies and credit providers, in consultation with consumer groups and regulators, including the OPC, develop a credit reporting code.[204] It may be desirable for this code to provide for penalties, imposed by contract, for breach of the regulations or the code itself. Sanctions for non-compliance, such as suspension or expulsion from the credit reporting system, may raise competition issues and require authorisation by the Australian Competition and Consumer Commission.
Recommendation 59-9 The Privacy Act should be amended to remove the credit reporting offences and allow a civil penalty to be imposed as provided for by Recommendation 50–2.
[188]Privacy Act 1988 (Cth) ss 18L(2), 18N(2).
[189] Ibid s 18R(2).
[190] Ibid s 18S(3).
[191] Ibid s 18T.
[192] Optus, Submission PR 258, 16 March 2007; National Credit Union Association Inc, Submission PR 226, 9 March 2007.
[193] Queensland Law Society, Submission PR 286, 20 April 2007; N Waters—Cyberspace Law and Policy Centre UNSW, Submission PR 277, 3 April 2007; Australian Privacy Foundation, Submission PR 275, 2 April 2007; Consumer Action Law Centre, Submission PR 274, 2 April 2007.
[194]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 46–2.
[195]Ibid, Proposal 55–8.
[196]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.
[197]Australasian Retail Credit Association, Submission PR 352, 29 November 2007.
[198]Galexia Pty Ltd, Submission PR 465, 13 December 2007.
[199]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[200] Rec 50–2.
[201]Criminal Code Act 1995 (Cth) s 478.1.
[202]Corporations Act 2001 (Cth) ss 1317DA, 1317E(1)(ja)–(jg).
[203]Consumer Credit Code pt 6. The Consumer Credit Code is set out in the Consumer Credit (Queensland) Act 1994 (Qld) and is adopted by legislation in other states and territories.
[204] Rec 54–9.