Part G—Credit Reporting Provisions

54. Approach to Reform

Recommendation 54–1 The credit reporting provisions of the Privacy Act should be repealed and credit reporting regulated under the general provisions of the Privacy Act, the model Unified Privacy Principles, and regulations under the Privacy Act—the new Privacy (Credit Reporting Information) Regulations—which impose obligations on credit reporting agencies and credit providers with respect to the handling of credit reporting information.

Recommendation 54–2 The new Privacy (Credit Reporting Information) Regulations should be drafted to contain only those requirements that are different or more specific than provided for in the model Unified Privacy Principles.

Recommendation 54–3 The new Privacy (Credit Reporting Information) Regulations should apply only to ‘credit reporting information’, defined for the purposes of the new regulations as personal information that is:

(a) maintained by a credit reporting agency in the course of carrying on a credit reporting business; or

(b) held by a credit provider; and

(i) has been prepared by a credit reporting agency; and

(ii) is used, has been used or has the capacity to be used in establishing an individual’s eligibility for credit.

Recommendation 54–4 The new Privacy (Credit Reporting Information) Regulations should include a simplified definition of ‘credit provider’ under which those agencies and organisations that are currently credit providers for the purposes of the Privacy Act (whether by operation of s 11B or pursuant to determinations of the Privacy Commissioner) should generally continue to be credit providers for the purposes of the regulations.

Recommendation 54–5 The new Privacy (Credit Reporting Information) Regulations should, subject to Recommendation 54–7, exclude the reporting of personal information about foreign credit and the disclosure of credit reporting information to foreign credit providers.

Recommendation 54–6 The Australian Government should include credit reporting regulation in the list of areas identified as possible issues for coordination pursuant to the Memorandum of Understanding Between the Government of New Zealand and the Government of Australia on Coordination of Business Law (2000).

Recommendation 54–7 The new Privacy (Credit Reporting Information) Regulations should empower the Privacy Commissioner to approve the reporting of personal information about foreign credit, and the disclosure of credit reporting information to foreign credit providers, in defined circumstances. The regulations should set out criteria for approval, including the availability of effective enforcement and complaint handling in the foreign jurisdiction.

Recommendation 54–8 The Australian Government should, in five years from the commencement of the new Privacy (Credit Reporting Information) Regulations, initiate a review of the regulations.

Recommendation 54–9 Credit reporting agencies and credit providers, in consultation with consumer groups and regulators, including the Office of the Privacy Commissioner, should develop a credit reporting code providing detailed guidance within the framework provided by the Privacy Act and the new Privacy (Credit Reporting Information) Regulations. The credit reporting code should deal with a range of operational matters relevant to compliance.

55. More Comprehensive Credit Reporting

Recommendation 55–1 The new Privacy (Credit Reporting Information) Regulations should permit credit reporting information to include the following categories of personal information, in addition to those currently permitted in credit information files under the Privacy Act:

(a) the type of each credit account opened (for example, mortgage, personal loan, credit card);

(b) the date on which each credit account was opened;

(c) the current limit of each open credit account; and

(d) the date on which each credit account was closed.

Recommendation 55–2 Subject to Recommendation 55–3, the new Privacy (Credit Reporting Information) Regulations should also permit credit reporting information to include an individual’s repayment performance history, comprised of information indicating:

(a) whether, over the prior two years, the individual was meeting his or her repayment obligations as at each point of the relevant repayment cycle for a credit account; and, if not,

(b) the number of repayment cycles the individual was in arrears.

Recommendation 55–3 The Australian Government should implement Recommendation 55–2 only after it is satisfied that there is an adequate framework imposing responsible lending obligations in Commonwealth, state and territory legislation.

Recommendation 55–4 The credit reporting code should set out procedures for reporting repayment performance history, within the parameters prescribed by the new Privacy (Credit Reporting Information) Regulations.

Recommendation 55–5 The new Privacy (Credit Reporting Information) Regulations should provide for the deletion of the information referred to in Recommendation 55–1 two years after the date on which a credit account is closed.

56. Collection and Permitted Content of Credit Reporting Information

Recommendation 56–1 The new Privacy (Credit Reporting Information) Regulations should prescribe an exhaustive list of the categories of personal information that are permitted to be included in credit reporting information. This list should be based on the provisions of s 18E of the Privacy Act, subject to the changes set out in Recommendations 55–1, 55–2, 56–2 to 56–4, 56–6, 56–8 and 56–9.

Recommendation 56–2 The new Privacy (Credit Reporting Information) Regulations should provide that credit reporting agencies are not permitted to list overdue payments of less than a prescribed amount.

Recommendation 56–3 The new Privacy (Credit Reporting Information) Regulations should not permit credit reporting information to include information about presented and dishonoured cheques.

Recommendation 56–4 The new Privacy (Credit Reporting Information) Regulations should permit credit reporting information to include personal insolvency information recorded on the National Personal Insolvency Index administered under the Bankruptcy Regulations 1966 (Cth).

Recommendation 56–5 Credit reporting agencies should ensure that credit reports adequately differentiate the forms of administration identified on the National Personal Insolvency Index (NPII); and accurately reflect the relevant information recorded on the NPII, as updated from time to time.

Recommendation 56–6 The new Privacy (Credit Reporting Information) Regulations should allow for the listing of a ‘serious credit infringement’ based on the definition currently set out in s 18E(1)(b)(x) of the Privacy Act, amended so that the credit provider is required to have taken reasonable steps to contact the individual before reporting a serious credit infringement under s 18E(1)(b)(x)(c).

Recommendation 56–7 The Office of the Privacy Commissioner should develop and publish guidance on the criteria that need to be satisfied before a serious credit infringement may be listed, including:

(a) how to interpret ‘serious’ (for example, in terms of the individual’s conduct, and the period and amount of overdue payments);

(b) how to establish whether reasonable steps to contact the individual have been taken;

(c) whether a serious credit infringement should be listed where there is a dispute between the parties that is subject to dispute resolution; and

(d) the obligations on credit providers and individuals in proving or disproving that a serious credit infringement has occurred.

Recommendation 56–8 The new Privacy (Credit Reporting Information) Regulations should prohibit the collection in credit reporting information of ‘sensitive information’, as defined in the Privacy Act.

Recommendation 56–9 The new Privacy (Credit Reporting Information) Regulations should prohibit the collection of credit reporting information about individuals who the credit provider or credit reporting agency knows, or reasonably should know, to be under the age of 18.

Recommendation 56–10 The new Privacy (Credit Reporting Information) Regulations should provide, in addition to the other provisions of the ‘Notification’ principle, that at or before the time personal information to be disclosed to a credit reporting agency is collected about an individual, a credit provider must take such steps as are reasonable, if any, to ensure that the individual is aware of the:

(a) identity and contact details of the credit reporting agency;

(b) rights of access to, and correction of, credit reporting information provided by the regulations; and

(c) actual or types of organisations, agencies, entities or persons to whom the credit reporting agency usually discloses credit reporting information.

Recommendation 56–11 The new Privacy (Credit Reporting Information) Regulations should provide that a credit provider, before disclosing overdue payment information to a credit reporting agency, must have taken reasonable steps to ensure that the individual concerned is aware of the intention to report the information. Overdue payment information, for these purposes, means the information currently referred to in s 18E(b)(1)(vi) of the Privacy Act.

57. Use and Disclosure of Credit Reporting Information

Recommendation 57–1 The new Privacy (Credit Reporting Information) Regulations should provide a simplified list of circumstances in which a credit reporting agency or credit provider may use or disclose credit reporting information. This list should be based on the provisions of Part IIIA of the Privacy Act, which currently authorise the use and disclosure by credit reporting agencies and credit providers of personal information contained in credit information files, credit reports and reports relating to credit worthiness (ss 18L, 18K and 18N).

Recommendation 57–2 The new Privacy (Credit Reporting Information) Regulations should provide that a credit reporting agency or credit provider may use or disclose credit reporting information for a secondary purpose related to the assessment of an application for credit or the management of an existing credit account, where the individual concerned would reasonably expect such use or disclosure.

Recommendation 57–3 The new Privacy (Credit Reporting Information) Regulations should prohibit the use or disclosure of credit reporting information for the purposes of direct marketing, including the pre-screening of direct marketing lists.

Recommendation 57–4 The use and disclosure of credit reporting information for electronic identity verification purposes to satisfy obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) should be authorised expressly under the AML/CTF Act.

Recommendation 57–5 The new Privacy (Credit Reporting Information) Regulations should provide individuals with a right to prohibit for a specified period the disclosure by a credit reporting agency of credit reporting information about them without their express authorisation.

Recommendation 57–6 There should be no equivalent in the new Privacy (Credit Reporting Information) Regulations of s 18N of the Privacy Act, which limits the disclosure by credit providers of personal information in ‘reports’ related to credit worthiness. The use and disclosure limitations should apply only to ‘credit reporting information’ as defined for the purposes of the new regulations.

58. Data Quality and Security

Recommendation 58–1 The new Privacy (Credit Reporting Information) Regulations should prohibit expressly the listing of any overdue payment where the credit provider is prevented under any law of the Commonwealth, a state or a territory from bringing proceedings against the individual to recover the amount of the overdue payment; or where any relevant statutory limitation period has expired.

Recommendation 58–2 The new Privacy (Credit Reporting Information) Regulations should provide that where the individual has entered into a new arrangement with a credit provider to repay an existing debt—such as by entering into a scheme of arrangement with the credit provider—an overdue payment under the new arrangement may be listed and remain part of the individual’s credit reporting information for the full five-year period permissible under the regulations.

Recommendation 58–3 The credit reporting code should promote data quality by setting out procedures to ensure consistency and accuracy of credit reporting information. These procedures should deal with matters including:

(a) the timeliness of the reporting of credit reporting information;

(b) the calculation of overdue payments for credit reporting purposes;

(c) obligations to prevent the multiple listing of the same debt;

(d) the updating of credit reporting information; and

(e) the linking of credit reporting information relating to individuals who may or may not be the same individual.

Recommendation 58–4 The new Privacy (Credit Reporting Information) Regulations should provide that credit reporting agencies must:

(a) enter into agreements with credit providers that contain obligations to ensure the quality and security of credit reporting information;

(b) establish and maintain controls to ensure that only credit reporting information that is accurate, complete and up-to-date is used or disclosed;

(c) monitor data quality and audit compliance with the agreements and controls; and

(d) identify and investigate possible breaches of the agreements and controls.

Recommendation 58–5 The new Privacy (Credit Reporting Information) Regulations should provide for the deletion by credit reporting agencies of different categories of credit reporting information after the expiry of maximum permissible periods, based on those currently set out in s 18F of the Privacy Act.

Recommendation 58–6 The new Privacy (Credit Reporting Information) Regulations should provide for the deletion by credit reporting agencies of information about voluntary arrangements with creditors under Parts IX and X of the Bankruptcy Act 1966 (Cth) five years from the date of the arrangement as recorded on the National Personal Insolvency Index.

59. Access and Correction, Complaint Handling and Penalties

Recommendation 59–1 The new Privacy (Credit Reporting Information) Regulations should provide individuals with a right to obtain access to credit reporting information based on the provisions currently set out in s 18H of the Privacy Act.

Recommendation 59–2 The new Privacy (Credit Reporting Information) Regulations should provide that credit reporting agencies must provide individuals, on request, with one free copy of their credit reporting information annually.

Recommendation 59–3 The new Privacy (Credit Reporting Information) Regulations should provide an equivalent of s 18H(3) of the Privacy Act, so that an individual’s rights of access to credit reporting information may be exercised for a credit-related purpose by a person authorised in writing.

Recommendation 59–4 The new Privacy (Credit Reporting Information) Regulations should provide that, where a credit provider refuses an application for credit based wholly or partly on credit reporting information, it must notify an individual of that fact. These notification requirements should be based on the provisions currently set out in s 18M of the Privacy Act.

Recommendation 59–5 The new Privacy (Credit Reporting Information) Regulations should provide that:

(a) credit reporting agencies and credit providers must establish procedures to deal with a request by an individual for resolution of a credit reporting complaint in a fair, efficient and timely manner;

(b) a credit reporting agency should refer to a credit provider for resolution complaints about the content of credit reporting information provided to the agency by that credit provider; and

(c) where a credit reporting agency or credit provider establishes that it is unable to resolve a complaint, it must inform the individual concerned that it is unable to resolve the complaint and that the individual may complain to an external dispute resolution scheme or to the Privacy Commissioner.

Recommendation 59–6 The new Privacy (Credit Reporting Information) Regulations should provide that the information to be given, if an individual’s application for credit is refused based wholly or partly on credit reporting information, should include the avenues of complaint available to the individual if he or she has a complaint about the content of his or her credit reporting information.

Recommendation 59–7 The new Privacy (Credit Reporting Information) Regulations should provide that credit providers only may list overdue payment or repayment performance history where the credit provider is a member of an external dispute resolution scheme recognised by the Privacy Commissioner.

Recommendation 59–8 The new Privacy (Credit Reporting Information) Regulations should provide that, within 30 days, evidence to substantiate disputed credit reporting information must be provided to the individual, or the matter referred to an external dispute resolution scheme recognised by the Privacy Commissioner. If these requirements are not met, the credit reporting agency must delete or correct the information on the request of the individual concerned.

Recommendation 59–9 The Privacy Act should be amended to remove the credit reporting offences and allow a civil penalty to be imposed as provided for by Recommendation 50–2.