Credit reporting information and credit worthiness

72.157 Concerns were raised in a number of submissions about whether Part 13 of the Telecommunications Act permitted the use and disclosure of credit information and credit worthiness information that would otherwise not be permitted under the Privacy Act.[140]

72.158 Telstra noted that a number of provisions in the Privacy Act prohibit disclosure of credit information except where disclosure ‘is required or authorised by or under law’.[141] In Telstra’s view, a disclosure that falls within one of the exceptions in Part 13 of the Telecommunications Act will be ‘authorised by law’ under Part IIIA and the NPPs in the Privacy Act.[142]

72.159 The OPC expressed concern that the exceptions under ss 289, 290 and 291 of the Telecommunications Act appear to permit additional use and disclosure in relation to consumer credit.[143] The OPC noted that ACMA has published the following advice on its website:

Sections 289 and 290 may be relevant to authorise the disclosure of affairs or personal particulars of another person when a carrier or CSP does credit card checks with a credit card company … Section 289 may operate to authorise the disclosure of affairs or personal particulars of another person in relation to a debt sold to a debt collection agency.[144]

72.160 The OPC submitted that this interpretation of ss 289 and 290 creates two problems.

First, these exceptions appear to go beyond what a credit provider is permitted to do under the credit reporting provisions in Part IIIA of the Privacy Act. However, because of s 303B of the Telecommunications Act … such uses and disclosures are taken to be authorised by law for the purposes of the Privacy Act, when undertaken by telecommunications businesses covered by Part 13.

Second, sections 289 and 290 appear to create more permissive conditions for use and disclosure of personal information related to consumer credit for those credit providers that operate in the telecommunications sector, compared to those that operate in other industries.[145]

72.161 In DP 72, the ALRC proposed that Part 13 of the Telecommunications Act should be amended to provide that use or disclosure by a person of credit reporting information is to be handled in accordance with the Privacy Act.[146]

Submissions and consultations

72.162 A number of stakeholders supported the proposal.[147] Telstra stated that it supported the proposal, provided it was limited to ‘credit reports’ obtained from credit reporting agencies. Telstra argued that it should not apply to billing or payment information of a carrier’s customers, which should continue to be dealt with under Part 13 of the Telecommunications Act.[148] AAPT and Optus submitted that the proposal was unnecessary.[149]

ALRC’s view

72.163 Part 13 of the Telecommunications Act should be amended to provide that use or disclosure by a person of ‘credit reporting information’ is to be handled in accordance with the Privacy Act. In Chapter 54, the ALRC recommends that ‘credit reporting information’ should be defined for the purpose of the new Privacy (Credit Reporting Information) Regulations as personal information that is:

  • maintained by a credit reporting agency in the course of carrying on a credit reporting business; or

  • held by a credit provider, and has been prepared by a credit reporting agency, and is used, has been used or has the capacity to be used in establishing an individual’s eligibility for credit.

72.164 Adverse personal credit listings can have a significant impact on an individual. As outlined in Part G of this Report, the regulation of credit reporting requires a specific level of detail to ensure that credit providers, credit reporting agencies and individuals understand their obligations and rights. The use and disclosure of credit reporting information should not be permitted under ss 289, 290 and 291 of the Telecommunications Act. There is no reason why organisations in the telecommunications industry should be subject to more permissive credit reporting rules than organisations in other industries.[150]

Recommendation 72-10 Part 13 of the Telecommunications Act 1997 (Cth) should be amended to provide that use or disclosure by a person of credit reporting information is to be handled in accordance with the Privacy Act.

[140] See, eg, Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; I Graham, Submission PR 427, 9 December 2007.

[141] Privacy Act 1988 (Cth) ss 18Q(3), 18Q(5), 18N(1)(g).

[142] Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[143] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[144] Australian Communications and Media Authority, Disclosure of Customer Details under Part 13 of the Telecommunications Act 1997 FAQs <www.acma.gov> at 6 May 2008.

[145] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[146] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 63–6.

[147] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Australian Government Department of Broadband, Communications and the Digital Economy, Submission PR 512, 21 December 2007; Australian Communications and Media Authority, Submission PR 522, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; I Graham, Submission PR 427, 9 December 2007.

[148] Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[149] Optus, Submission PR 532, 21 December 2007; AAPT Ltd, Submission PR 338, 7 November 2007.

[150] See Ch 54 for a discussion of ‘credit reporting information’ and information about the credit worthiness of another person. In that chapter, the ALRC recommends that the new Privacy (Credit Reporting Information) Regulations should apply only to the handling by credit reporting agencies and credit providers of personal information maintained by credit reporting agencies and used by credit providers in assessing an individual’s credit worthiness. This category of personal information should be defined as ‘credit reporting information’.