Federal Cabinet Secretary Senator John Faulkner recently gave further details of the Federal Government’s intended approach to privacy reform. In a speech to the Cyberspace Law and Policy Centre Symposium on ‘Meeting Privacy Challenges—the ALRC and NSWLRC Reviews’1, Senator Faulkner outlined how the Federal Government intends to meet its objective to legislate within 12–18 months on selected aspects (including credit reporting) of the 2,700-page Australian Law Reform Commission (ALRC or commission) report, ‘For Your Information: Australian Privacy Law and Practice’ (report).
Senator Faulkner announced that the Federal Government has initiated consultations with government agencies and state and territory Attorneys-General. The government also intends to shortly announce a series of half-day meetings to be held in Canberra for interested parties to raise any issues they have with the ALRC’s recommendations. Meetings in relation to the Unified Privacy Principles2 (UPPs) and credit reporting will be held later this year, with a meeting on health to follow in early 2009.
In anticipation of the meeting on credit reporting, this article takes a closer look at the ALRC’s proposals to reform Australia’s consumer credit reporting system. For more about the report generally, see our overview3 published in August.
A new regulatory framework
Currently the law in this area centres around Part IIIA of the Privacy Act 1988 (Cth) (Privacy Act) and the related Credit Reporting Code of Conduct. However, many credit providers and credit reporting agencies are also subject to the National Privacy Principles in the Privacy Act, which overlap in some respects with the specific credit reporting obligations.
Central among its general recommendations is the ALRC’s proposal that the Privacy Act be amended to include the new UPPs to apply nationally across all sectors, including credit. They then recommend supplementing the UPPs with the Privacy (Credit Reporting Information) Regulations (regulations) which would contain only requirements that are different or more specific than those set out in the UPPs.
The ALRC sees the UPPs and the regulations as the central sources of credit reporting obligations, and have in fact suggested that some provisions of the current Credit Reporting Code of Conduct be moved to the regulations. Nevertheless, they do see a role for a new credit reporting code to deal with operational issues, but do not insist that it be binding as the current code is. The ALRC proposes that the new code be developed by the industry in consultation with consumer groups and regulators.
More limited definition of credit reporting information
Parts of the current regime apply broadly to any information that has any bearing on an individual’s credit worthiness. However, the ALRC now recommends restricting the application of the regulations to ‘credit reporting information’ prepared or maintained by credit reporting agencies. Most other personal information will only be regulated by the UPPs.
Opening the door to Trans-Tasman credit reporting
Citing concerns about enforcement and complaint handling, the ALRC has recommended that the regulations should exclude the reporting of personal information about foreign credit and the disclosure of credit reporting information to foreign credit providers. However, the commission has recommended that the regulations empower the Privacy Commissioner to approve such activities in defined circumstances, according to specified approval criteria.
These recommendations are likely to be of greatest relevance in relation to New Zealand, given that both major credit reporting agencies and many major credit providers operate in both Australia and New Zealand. An additional recommendation proposes coordination between both governments in regulating this area.
More comprehensive credit reporting
Australia’s current credit reporting system is known as a ‘negative’ credit reporting system as credit reports focus on negative events such as defaults, and are not allowed to record details of positive information such as accounts opened or repayments met.
The ALRC’s recommendations include some steps in the direction of a ‘positive’ credit reporting system—in the style of the United States or the United Kingdom—although the commission prefers the term ‘more comprehensive’ credit reporting. The ALRC suggests expanding the permitted contents of credit reports to include the dates and types of credit accounts opened and closed and their limits.
They also propose allowing an individual’s repayment history to be recorded, but only once the government is satisfied that adequate responsible lending obligations are in place. This is already on the government’s agenda, since the states and territories agreed in a recent Council of Australian Government (COAG) meeting to give the Federal Government all responsibility for regulation of consumer credit.
Veda Advantage, one of the two major credit reporting agencies in Australia, claims that the current credit reporting system only gives credit providers 11 per cent of the information required to assess credit risk. They say that the first round of changes proposed will add 22 per cent, but that the elements which have been put on hold, account status and payment history, would contribute 64 per cent. In defending its decision to not move further in the direction of comprehensive credit reporting, ALRC President David Weisbrot said that the availability of extensive credit reporting information in countries like the United States had not prevented widespread sub-prime lending.
Even if these reforms take effect, it will still be some time before the credit reporting agencies will have a significant volume of the new categories of information, as it is unlikely that credit providers will submit information relating to existing credit arrangements. Credit providers keen to get a head start in relation to the reforms may wish to consider amending their privacy notices now, so that if the reforms are introduced as anticipated, they will have the ability to disclose the additional information about borrowers who apply in the lead-up to the reforms taking effect.
New restrictions on default listing
The ALRC has recommended that credit providers should only be able to list overdue payments with a credit reporting agency where a minimum dollar threshold is exceeded. They do not recommend an amount, leaving this to be set in drafting the regulations. The report notes that Veda Advantage only currently lists debts of $100 or more. The commission also recommends removing the ability of credit providers to report about dishonoured cheques.
On the topic of statute-barred debts, the ALRC recommends that overdue payments should not be able to be listed where the statutory limitation period has expired or any law prevents the credit provider bringing recovery proceedings.
The ALRC also proposes to settle some existing uncertainty by recommending that where a payment arrangement is made for an existing debt, overdue payments under that arrangement may be treated as new defaults and listed for the full five year period.
The report also recommends that a credit provider wishing to list defaults or repayment history information will have to be a member of an external dispute resolution scheme approved by the Privacy Commissioner.
Guidance on serious credit infringements
The Privacy Act currently permits credit providers to list ‘serious credit infringements’, certain acts involving fraud or the intention to avoid credit obligations. The explanatory notes (that is, the non-binding component) to the current Credit Reporting Code of Conduct suggest that reasonable efforts to contact an individual by a credit provider with no success are relevant to whether there has been a serious credit infringement. The ALRC recommends elevating this to a legal obligation in the regulations, by requiring credit providers take reasonable steps to contact before listing serious credit infringements. The commission also suggests that the Privacy Commissioner develop more detailed guidance about this and other issues relevant to serious credit infringements including:
- what is ‘serious’ (for example, by reference to the individual’s conduct and the period and amount of overdue payments)
- whether to list when there is a current dispute, and
- obligations in relation to proving or disproving that a serious credit infringement has occurred.
No credit reporting about minors
The ALRC recommends prohibiting the collection of credit reporting information about individuals who the credit provider or credit reporting agency know, or should reasonably know, are under 18.
New requirements for privacy notifications
Recommendations in relation to the UPPs and the regulations will have a number of impacts on the required content of privacy notifications. Among the items that may need to be added to existing notifications are details of:
- any collection of personal information which the individual may not be aware of
- individuals’ rights to correct their personal information
- rights of access and correction in relation to credit reporting information
- avenues of complaint
- any laws authorising, not just requiring, the collection of the personal information
- the credit reporting agency’ s identity and contact details, and
- the third parties to whom the credit reporting agency usually discloses credit reporting information.
Among other things, section 18E of the Privacy Act requires credit providers to inform individuals that their payments overdue by more than 60 days may be listed with a credit reporting agency. The report acknowledges the current uncertainty about whether credit providers must provide this notification at the time of application, or merely before submitting the default listing. If the ALRC’s recommendations are followed, the new regime will require credit providers to:
- include in upfront privacy notifications the information about credit reporting agencies referred to in the points above, and
- inform debtors of intended default listing closer to the time it may occur.
Simplifying use and disclosure rules
The ALRC was keen to move away from the current approach in Part IIIA of the Privacy Act, which contains over 50 circumstances in which the use or disclosure of personal information is authorised. They have recommended simplifying and consolidating these provisions, more in form than substance.
The ALRC also recommended adding a general right for credit reporting agencies and credit providers to use and disclose credit reporting information for purposes related to assessing applications and managing credit, within the individual’s reasonable expectations.
Direct marketing and pre-screening prohibition
The ALRC has recommended that the regulations prohibit the use or disclosure of credit reporting information for direct marketing purposes, including ‘pre-screening’, a process which would involve something like the credit reporting agency using a credit provider’s criteria to remove contacts from the credit provider’s draft mailing list and then providing the filtered list to a mailing house.
Electronic identity verification and AML/CTF
Currently, credit providers are not permitted to use credit reporting information for electronic identity verification in order to meet their obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (Act). The ALRC has recommended that this be addressed by including a specific permission in that Act.
New right to freeze disclosure
Partially in response to identity theft concerns, the ALRC has recommended that individuals have the right to prohibit disclosure of their credit reporting information without express authorisation. Credit providers who provide credit to an individual during a ‘freeze’ period like this, must also seek express authorisation before listing any information concerning that credit.
Audits and other measures to improve data quality and security
The ALRC recommends that credit reporting agencies be required to:
- enter into agreements with credit providers imposing data quality and security obligations
- establish and maintain controls to ensure that only accurate, complete and up-to-date credit reporting information is used and disclosed
- monitor data quality and audit the compliance of credit providers, and
- identify and investigate potential breaches by credit providers.
The commission also sees the new credit reporting code (which, as stated above, may or may not be binding) as an appropriate vehicle for setting out procedures to ensure consistency and accuracy of credit reporting information. A number of areas characterised by inconsistent practices at present were identified for inclusion:
- timeliness of reporting
- calculation of overdue payments
- preventing multiple listing of the same debt
- updating information, and
- linking information of two individuals who may not be the same person.
Reallocating responsibility for complaint-handling
While currently primary responsibility for complaint-handling sits with the credit reporting agencies, the ALRC recommends the following changes:
- Credit reporting agencies and credit providers should have procedures for handling credit reporting complaints in a fair, efficient and timely manner.
- Credit providers should take initial responsibility for complaints relating to information they provided to the credit reporting agency.
- Where a credit reporting agency or credit provider cannot resolve a complaint, it must inform the individual of their ability to complain to the Privacy Commissioner or an external dispute resolution scheme.
- Within 30 days, evidence to substantiate disputed credit reporting information must be provided to the individual, or the matter referred for approved external dispute resolution, otherwise the credit reporting agency will be obliged to delete or correct as requested by the individual.
Penalties
One of the ALRC’s general recommendations was that the Privacy Commissioner be empowered to seek civil penalties where serious or repeated breaches occur. Currently the Privacy Act contains a number of offences for credit reporting breaches, for which substantial fines could be imposed. The ALRC recommends that these offences be repealed and that the civil penalty regime apply to credit reporting as well as other privacy breaches.
Further information
Keep an eye on Freehills’ website for guidance on other aspects of the report in the near future.
Endnotes
1. 'Meeting Privacy Challenges—the ALRC and NSWLRC Reviews'
2. Unified Privacy Principles
3. Overview of ALRC report
This article was written by Kaman Tsoi, Senior Associate, Melbourne.
More information
For information regarding possible implications for your business, contact