Third party access

59.39 Part IIIA places some specific constraints on direct access to credit reporting information by persons authorised by the individual. Section 18H(3) of the Privacy Act states that an individual’s rights of access under the section

may also be exercised by a person (other than a credit provider, mortgage insurer or trade insurer) authorised, in writing, by the individual to exercise those rights on the individual’s behalf in connection with:

(a) an application, or a proposed application, by the individual for a loan; or

(b) the individual having sought advice in relation to a loan.

59.40 In DP 72, the ALRC asked whether the new regulations should provide an equivalent of s 18H(3), so that an individual’s rights of access to credit reporting information may be exercised by a person authorised in writing and for a credit-related purpose.[40]

59.41 A related issue concerns whether the access rights provided by s 18H may be used as a ‘backdoor’ means of indirect access by entities prohibited from obtaining credit reports.[41] Employers, insurers or government agencies, for example, might request individuals to provide copies of their credit reporting information for employment, insurance, licensing or other purposes unrelated to the provision of credit.[42]

59.42 In DP 72, the ALRC stated that there was no need for any new legislative provision prohibiting the collection of an individual’s credit reporting information by third parties (that is, persons other than the individual, credit reporting agency or a credit provider for credit-related purposes), such as employers, insurers or government agencies, through the individual concerned.[43]

Submissions and consultations

59.43 Some stakeholders agreed that it would be desirable to include an equivalent of s 18H(3) in the regulations.[44] The OPC supported including an equivalent of s 18H(3), and submitted that, in developing such a provision, consideration should be given to:

(a) providing for appropriate exemptions to the requirement that an authorisation be in writing, if necessary for the provision of speech to speech relay services; and

(b) options for restricting the categories of persons or entities that are able to be authorised by the individual.[45]

59.44 Other stakeholders expressed concern that restrictions on access by third parties might create difficulties for credit providers and their customers. The Mortgage and Finance Association of Australia, for example, stated:

It is important that agents for borrowers can obtain the information, without prescribing that those agents need any specific qualifications (ie they do not need to be lawyers, financial planners, finance brokers etc).[46]

59.45 Legal Aid Queensland observed that it is

important that individuals are able to request copies of their reports through advocacy, financial counselling and consumer agencies as well as the consumer’s legal representative and that that access is not unduly restricted.[47]

59.46 The AFC noted that credit providers may need to discuss credit commitments with non-English speaking customers over the telephone through an English speaking intermediary; or with hearing or speech-impaired customers using the National Relay Service (NRS).[48] The AFC stated that:

The current credit reporting provisions prevent the credit provider from discussing the customer’s credit commitments with a third party without the ‘written’ authorisation of the customer. While verbal or implicit consent is permitted in other provisions of the Act, written consent only is permissible in this instance.[49]

59.47 The AFC submitted that authority to access credit reporting information should not need to be in writing, but be based on the implied or express consent of the individual concerned. The AFC also questioned the desirability of restricting access for a ‘credit-related purpose’.

Given access must be with the individual’s authorisation, we see no reason why these third parties should not be able to directly obtain a copy of the report and use for the reason the authorisation was obtained.[50]

59.48 Other stakeholders also considered that there should be less restriction on individuals providing access to their credit reporting information to third parties. The Institute of Mercantile Agents referred to

a growing trend, especially by larger employers such as multi-nationals concerned about the prospects of fraudulent behaviour and seeing the provision of credit histories as a positive identification step. Similarly, insurers may well be keen in the face of a suspicious claim say for a vehicle theft or fire damage of premises to require a claimant to produce his/her personal credit history … If there are legitimate grounds for access, especially when initiated by the individual concerned, then access ought to be granted—with the credit history information recorded, the ability to provide low cost access should not be at all difficult or onerous.[51]

59.49 Some stakeholders supported including an equivalent of s 18H(3) in the new regulations, but submitted that credit reporting regulation, and the Privacy Act generally, should be drafted to prevent ‘forced’ or ‘coerced’ access for the purposes of third parties.[52] The CCLC recommended that an offence should be created under the Privacy Act to prevent persons from ‘requiring an individual to provide a copy of his/her credit report in the course of any business or enterprise’.[53]

59.50 The OPC recommended that it provide guidance on practices that require individuals to provide copies of their credit reports for any purpose unrelated to the provision of credit. It also suggested that review of the new regulations[54] include ‘further consideration of the need for an express provision prohibiting the collection of an individual’s credit information file by employers, insurers and government agencies’.[55]

ALRC’s view

59.51 As discussed in Chapter 70, there is nothing in the Privacy Act that prevents an individual from providing consent for an agency or organisation to disclose information to a third party. While there are concerns that such consensual arrangements are not implemented consistently or recognised by agencies and organisations, there is no requirement that consent be in writing or any limitation placed on the purposes for which information may be disclosed, with consent, to a third party.

59.52 The ALRC does not recommend any change to the Privacy Act with regard to third party access with consent.[56] Rather, the ALRC considers that guidance is the most appropriate way to deal with problems about consensual third party arrangements and recommends that the OPC develop and publish guidance on third party representatives.[57]

59.53 Section 18H(3) requires authorisation in writing and limits the purposes for which an individual’s access rights may be exercised by another person. This may be seen as contrary to the more flexible policy approach adopted by the ALRC in relation to third party access more generally.

59.54 In the ALRC’s view, however, the privacy risks involved with credit reporting information—including, for example, the risk of identity fraud—justify the more stringent approach. The fact that there may be pressure on individuals to consent to third party access—for example, by employers, insurers or government agencies—is another reason to adopt this approach.

59.55 The ALRC is not convinced, however, that there is any need for new legislative provisions prohibiting individuals from being required to provide their credit reporting information for non-credit related purposes. The collection of credit reporting information for non-credit related purposes should be regulated adequately by the ‘Collection’ principle in the model UPPs (that is, collection must be ‘necessary’ for one or more of an organisation’s or agency’s functions or activities).[58]

59.56 An equivalent of s 18H(3) would not prevent third parties—such as the NRS—providing assistance to individuals in communicating with credit providers or credit reporting agencies. A distinction should be made between circumstances in which a third party is assisting the individual to obtain access, and where the third party is seeking to obtain access to information directly from the credit provider or credit reporting agency for their own purposes. In the former case, the third party is not, in terms of s 18H(3), exercising rights of access ‘on the individual’s behalf’, but is assisting the individual to exercise those rights themselves. This is a matter that could be dealt with by OPC guidance.

Recommendation 59-3 The new Privacy (Credit Reporting Information) Regulations should provide an equivalent of s 18H(3) of the Privacy Act, so that an individual’s rights of access to credit reporting information may be exercised for a credit-related purpose by a person authorised in writing.

[40] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Question 55–2.

[41] G Greenleaf, ‘The Most Restrictive Credit Reference Laws in the Western World?’ (1992) 66 Australian Law Journal 672, 674.

[42] Office of the Privacy Commissioner, Submission PR 281, 13 April 2007; Consumer Credit Legal Centre (NSW) Inc, Submission PR 255, 16 March 2007; Consumer Credit Legal Centre (NSW) Inc, Credit Reporting Research Report (2007), rec 36.

[43] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [55.31].

[44] GE Money Australia, Submission PR 537, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Mortgage and Finance Association of Australia, Submission PR 344, 19 November 2007.

[45] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[46] Mortgage and Finance Association of Australia, Submission PR 344, 19 November 2007.

[47] Legal Aid Queensland, Submission PR 489, 19 December 2007.

[48] The NRS is discussed further in Ch 70.

[49] Australian Finance Conference, Submission PR 398, 7 December 2007.

[50] Ibid.

[51] Institute of Mercantile Agents, Submission PR 270, 28 March 2007.

[52] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[53] Consumer Credit Legal Centre (NSW) Inc, Submission PR 255, 16 March 2007; Consumer Credit Legal Centre (NSW) Inc, Credit Reporting Research Report (2007), rec 36.

[54] Rec 54–8.

[55] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[56] The ALRC does recommend, however, that the Privacy Act be amended to provide for nominee arrangements establishing long term recognition of nominated substitute decision makers: Recs 70–1, 70–2.

[57] Rec 70–3.

[58] Rec 21–5.