Protecting Information Rights – Advancing Information Policy

Phone iconCONTACT US: 1300 363 992
 
We're now a part of the Office of the Information Commissioner. Go to www.oaic.gov.au to find out more.

Site Changes

Archive

Topic(s): Credit and finance
 

Review of Credit Determinations Consultation Paper No. 1


Consultation Paper No. 1

  • Assignees

  • Classes of Credit Provider

April 2006

The Office of the Privacy Commissioner is currently reviewing Credit Determinations. The Office has prepared this paper to assist individuals and organisations to prepare comments for part of that review. The Determinations discussed in this paper are:

Two Determinations issued under section 11B(1)(b)(v)(B) of the Privacy Act 1988 (Cwlth) and expiring on 31 August 2006:

This consultation paper is available from the Office's web site or on request in hard copy.

Note that Consultation Paper No. 2 discusses Determination 2005 No. 1 Privacy Act 1988, s.11B(1)(d)(ii)- concerning Indigenous Business Australia.

Key date

Due date for comments: 31 May 2006.

Contacts

General information: Hotline Ph: 1300 363 992 TTY: 1800 620 241 Contact Officer: Kara Birch Ph: 02 9284 9790 Email: creditconsultation@privacy.gov.auWebsite: www.privacy.gov.au Postal address: GPO Box 5218, Sydney NSW 2001

How to make comments

There is no specified format for comments. They can be presented in electronic or hardcopy formats or audio submissions using TTY.

Participants should not feel the need to address all the topics. Participants are encouraged to provide data, examples, case studies, or other evidence to support the views presented in their comments.

Privacy collection statement

This Office will use the personal information it collects in the course of this Review only for the purpose of reviewing the Determinations. The Office may put comments received on its website or may list agencies, organisations or individuals who have commented.

If you do not want your comments posted on the website mark them as 'Confidential'. Requests for access to comments marked "Confidential" will be determined in accordance with the Freedom of Information Act 1982 (Cwlth).

Scope of the review

This is a general review of the current determinations concerning assignees, classes of credit providers and Indigenous Business Australia being a credit provider. This paper only deals with the determinations in relation to assignees and classes of credit providers. For the IBA determination refer to Consultation Paper No. 2.

The Office recognises that a review of these Determinations may raise other issues which, whatever their validity, are not directly related to the definition of credit provider. At this stage, this Office's focus is on those matters covered by each of the Determinations. We ask interested parties to keep this in mind when making comments.

We note that the Australian Law Reform Commission is currently conducting an inquiry into the extent to which the Privacy Act and related laws continue to provide an effective framework for the protection of privacy in Australia. More information about that inquiry can be found at: http://www.alrc.gov.au/;

  • A. Legislative overview and background
  • B. Credit Provider Determination No.2006-01 (Assignees)
  • C. Credit Provider Determination No.2006-02 (Classes of credit provider)
  • D: Glossary of key terms
  • ANNEXURE 1
  • ANNEXURE 2
  • ANNEXURE 3
  • Endnotes

      A. Legislative overview and background

      1. Introduction

      The privacy aspects of consumer credit reporting in Australia, in effect since 1990, are regulated through Part IIIA of the Privacy Act 1988 (Cwlth), together with the Credit Reporting Code of Conduct (Code of Conduct) issued under section 18A of the Privacy Act.

      Part IIIA of the Privacy Act provides safeguards for individuals in relation to consumer credit reporting. In particular, Part IIIA governs the handling of credit reports and other credit worthiness information about individuals by credit reporting agencies and credit providers. The Privacy Act ensures that the use of this information is restricted to assessing applications for credit lodged with a credit provider and other appropriate activities involved with giving credit.

      Credit reporting agencies and credit providers may be required to comply with the National Privacy Principles in the Privacy Act in their dealings with commercial credit information. There are also some provisions in Part IIIA that relate to commercial credit information. However, in general, Part IIIA is aimed at consumer credit rather than commercial credit.

      The Key requirements of Part IIIA include:

      • Strict limits on the type of information which can be held on a person's credit information file by a credit reporting agency. There are also limits on how long the information can be held on file.
      • Limits on who can obtain access to your credit file held by a credit reporting agency. Generally only credit providers may obtain access and only for specified purposes.
      • Limits on the purposes for which a credit provider can use a credit report obtained from a credit reporting agency.
      • Prohibition on disclosure by credit providers of credit worthiness information about an individual, including a credit report received from a credit reporting agency, except in specified circumstances.
      • Rights of access and correction for individuals in relation to their own personal information contained in credit reports held by credit reporting agencies and credit providers.

      Under section 18A(1) of the Privacy Act, the Privacy Commissioner is required to issue a Credit Reporting Code of Conduct (Code of Conduct)1 relating to credit information files and credit reports. Section 18B obliges credit reporting agencies and credit providers to comply with the Code of Conduct. Under section 28A the Commissioner has the power to investigate an infringement of the Code of Conduct and conduct audits to ensure that it is being complied with.

      For further information relating to the operation of Part IIIA see: http://www.privacy.gov.au/law/act/credit/.

      2. Provision for Credit Provider Determinations

      Section 11B(1) of the Privacy Act defines "credit providers". The full text of s. 11B(1) is reproduced at Annexure 3. Credit providers that can conduct credit reporting under that section include

      • banks
      • businesses where a substantial part of the business is the provision of loans2 (including credit cards);
      • retail businesses which issue credit cards;
      • businesses that provide loans (including the issue of credit cards) and are determined to by the Commissioner to be credit providers;
      • Australian Government agencies that provide loans and are determined by the Commissioner to be credit providers.

      The authority for the Commissioner to make credit provider determinations in respect of assignees and classes of credit providers rests in sections 11B(1)(b)(v)(B)and 28A(1)(d) of the Privacy Act.

      These provisions do not specify the duration of a credit provider determination. Generally speaking, determinations have been made for a three year period although it is open to the Commissioner to make them for longer or shorter terms.

      B. Credit Provider Determination No.2006-01 (Assignees)

      1. Background

      The effect of the current determination in respect of assignees (the Assignees Determination) is to permit a corporation which acquires the rights of a credit provider in respect of repayment of a loan whether by assignment, subrogation or other means, to undertake credit reporting in respect of the particular loan. The effect of the Assignees Determination extends to businesses that are not corporations, by virtue of s. 11B(1)(c) of the Privacy Act.

      With regard to notices given and consents obtained by the assignor credit provider under the terms of the loan, these are taken to have been given or obtained by an assignee business deemed to be a credit provider by virtue of the Assignees Determination. However, the Assignees Determination does not extend to a business contracted to collect debts on behalf of the credit provider.

      The full text of the current Assignees Determination and the Explanatory Statement is available at Annexure 1.

      A determination concerning assignees was first made in 1995, and substantially similar Determinations were made in 1997, 2002 and 2003 and 2006.

      The initial determination was made following representations from a mortgage insurer taking assignment of a loan upon the default of a borrower. The mortgage insurer wished to be able to conduct credit reporting in relation to such a loan as if it were the original credit provider. Consultation was conducted by the Office before the making of the 1995 determination and subsequently prior to the making of the 1997 determination, at which time peak industry bodies expressed strong support for its renewal. At that time no objections were raised by other interested parties. The Commissioner observed in the "Reasons for Determination" relating to the 2003 determination that there were no problems encountered with the operation of the 1997 and 2002 determinations.

      The Commissioner also observed that the issue of "double listing" by assignees should be further considered upon review of the 2003 determination. "Double listing" occurs when an assignee lists a previous payment default (or serious credit infringement)3 on an individual's credit report where it has already been listed by the original credit provider.

      2. The Office's experience

      The Office's experience shows that complaints about assignees make up around 14% of all "adequately dealt with" credit complaints. Complaints closed as "adequately dealt with" under s. 41(2)(a) of the Privacy Act are those where the respondent was found to be in breach of the Privacy Act and then took adequate steps to resolve the matter, or where the respondent adequately resolved the matter without a formal investigation having commenced. This figure gives an indication of the number of complaints that were substantiated.

      3. Is non-compliance with the credit reporting requirements by some assignees isolated or systemic?

      The assignment of loans can occur in circumstances where over a period of time recovery has proved to be largely unsuccessful and the original credit provider forms the opinion that it is no longer worth pursuing.

      Under clause 2.8 of the Credit Reporting Code of Conduct a credit provider must not list a debt with a credit reporting agency information where recovery of the debt by the credit provider is barred by the statute of limitations. The provisions in State or Territory statutes of limitation vary but the period is usually 6 years.

      Q 1.1 Is there any evidence that there are systemic issues relating to the listing of statue-barred debts by credit providers covered by the Assignees Determination?

      Q 1.2 If there is such evidence, how could the Assignees Determination be changed to reduce this problem?

      The Office foreshadowed that the practice of "double listing" payment defaults or serious credit infringements upon assignment by assignees was an area of concern for review. There are reports that some assignees may be listing payment defaults or serious credit infringements upon assignment. This practice is not permitted by the Privacy Act and can result in an individual having the one default listed in the credit reporting system for longer than the periods allowed by section 18F.

      Q 1.3 Is there any evidence that there are systemic issues relating to unlawful double listings by credit providers covered by the Assignees Determination?

      Q 1.4 If there is such evidence, how could the Assignees Determination be changed to reduce this problem?

      The Office has also been made aware more recently that some borrowers have experienced difficulties accessing relevant information contained in records relating to loans after they have been assigned. For instance, records relating to the loan may be missing, in other cases the records may not have been transferred to the assignee. An example of such a record could consist of a notice given to the borrower at the commencement of the loan under section 18E(8)(c) of the Privacy Act4 in other cases it may be the loan documentation itself. The timely provision of a notice to the individual under section 18E(8)(c) permits credit reporting to be lawfully undertaken. In practical terms this may mean that credit reporting is being undertaken or loans are being recovered even though some of the relevant documentation is incomplete.

      Q 1.5 Is there any evidence that there are systemic issues relating to the record-keeping necessary for compliance with the Privacy Act by credit providers covered by the Assignees Determination?

      Q 1.4 If there is such evidence, how could the Assignees Determination be changed to reduce this problem?

      4. General questions

      Q 1.6 Should the Assignees Determination be renewed?

      Q 1.7 If no, why not?

      Q 1.8 If yes, should it be amended and in what way should it be changed? What evidence can you provide to support your proposed change?

      Q 1.9 How long should any new determination last? Potential durations include 3, 5 or 10 years.

      Q 1.10 What might be the adverse or positive effects of amending the Assignees Determination?

      C. Credit Provider Determination No.2006-02 (Classes of credit provider)

      1. Background

      The effect of the current Determination in respect of classes of credit providers (the Classes Determination) is that a corporation is to be regarded as a credit provider and able to access the consumer credit reporting system in relation to the specific loan that brings them within the class. The effect of the Classes Determination extends to businesses that are not corporations, by virtue of s. 11B(1)(c) of the Privacy Act.

      These classes of corporations are essentially those for which the provision of consumer credit is not a substantial part of their business, but which occasionally offer credit, including the rental or leasing of goods, on terms of at least 7 days.

      The Classes Determination does not affect those businesses that are traditionally considered to be "credit providers" and fall within s. 11B(1)(a) and (b) (iii) and (iv) of the Privacy Act, such as banks, building societies and credit unions. The businesses covered by the Classes Determination include some retail businesses, professional service providers and hire companies.

      The full text of the Classes Determination and the Explanatory Statement concerning classes of credit providers is available at Annexure 2.

      A Determination concerning classes of credit providers was first made in 1991 and substantially similar Determinations were made in 1993, 1996, 2001, 2002, 2003 and 2006.

      Prior to the Commissioner making a three year Determination in 2003, the Office issued a consultation paper to stakeholders and sought comments on the paper.

      The Consultation Paper requested submissions concerning the determination and its operation within the credit reporting system. Areas given detailed consideration included:

      • organisations' access to the credit reporting system
      • claims of non-compliance with Privacy Act requirements involving organisations using the credit reporting system and
      • issues such as, minimum value default listings and the 7-day credit term.

      After considering the submissions that were received, the Commissioner issued a new Determination in 2003 to apply for three years. The background to that Determination stated that the increase in levels of credit activity did not show a corresponding increase in complaints. The Commissioner concluded that the issues raised and considered during that review were not specific to the industries or sectors that gain access to the credit reporting system by virtue of the Classes Determination.

      However the Commissioner noted signs of emerging concerns such as a lack of credit providers' understanding of their credit obligations especially regarding notice provisions, including where listings were not made in accordance with the Code of Conduct. Examples include default listings being made prior to the debt being 60 days overdue or the individual not being advised that the information will be listed with a credit reporting agency.

      The Commissioner analysed the submissions received and concluded the information did not warrant an amendment to the scope of the Determination at that time. The Commissioner noted, however, that he expected that businesses would take steps to raise their awareness of their compliance obligations and that compliance with the requirements of the credit reporting system would be improved over the life of the Determination.

      2. Policy Context

      The policy reasoning discussed below has underpinned all of the Classes Determination issued since 1991 and for this reason is provided here for consideration.

      When the first Credit Provider Determination was issued in 19915 the Commissioner explained that businesses which have a legitimate need for access to the credit referencing system and which genuinely provide credit should have access to it. It was considered that a large number of businesses which have an occasional or minor involvement in the provision of credit can only continue to lawfully participate in the consumer credit reporting system if they are included within a determination. It was felt that this approach recognised the legitimate need for businesses that offered short-term credit such as retailers which don't offer credit cards, small businesses in high-volume/small transaction environments and providers of professional services, to access the credit reporting system.

      In summary, it was felt that, in keeping with the policy intention behind the legislation, the determination should seek to declare as credit providers as wide a range of businesses as was both practicable and permissible whose need to access consumer credit information was similar to that of businesses automatically classed as credit providers under the principal categories of s.11B of the Privacy Act. For reasons of certainty, the class of corporations contained within the determination was defined by objectively assessable criteria based on trading terms practices. This formulation assists to identify whether a particular business is, or is not, within the class for a particular loan.

      It was recognised, however, that the making of the determination did not allow businesses to gain access to the system for purposes unconnected with credit decision making, or to subsequently use or disclose the information obtained except in the strictly defined circumstances laid down by Part IIIA of the Privacy Act. It was considered that the power to investigate individual complaints made including the power to make a Determination under section 52 which could involve the payment of monetary compensation; and the exercise of audit powers both offered ways for any misconduct to be brought to light. In addition significant criminal penalties attach to a wilful breach of the legislation.

      The Office recognises that there is a balance required between protecting individuals' privacy in regards to consumer credit information, and ensuring that businesses, including small businesses, can conduct their business in an efficient way, including by minimising exposure to consumer credit risks. Importantly, non-compliance with the credit reporting provisions, or an inappropriate broadening or narrowing of the definition of "credit provider" in the determination, may have unintended and undesirable consequences for both individuals and for business. The individual consumer may be significantly inconvenienced by lack of access to simple financing arrangements or otherwise hindered in their purchasing. For business, inaccurate credit reporting may result in poor customer relations and incorrectly denying credit to potentially valuable customers.

      3. The Determination's application

      The Office notes indications that some in the telecommunications sector may be of the view that they can only access the credit reporting system by virtue of the Classes Determination.

      For example, the industry code C541:2006 Credit Management produced by the Australian Communications Industry Forum (ACIF) expresses the view that the Classes Determination has the effect of bringing suppliers under Part IIIA of the Privacy Act to the extent that they allow payment for goods/services after 7 days.6

      To date it has not been determined whether a particular telecommunications company is a credit provider by virtue of the Classes Determination, or by virtue of the definition of credit provider in s. 11B(1)(b)(iii).

      To the extent that telecommunications companies may be covered by the Classes Determination, then they are relevant to the current Review.

      4. The Office's experience

      Since the making of the Classes Determination in 2003, the Office's experience is that approximately 7% of all "adequately dealt with" credit complaints involve complaints about industries covered by the Classes Determination other than telecommunications companies (see 3. The Determination's application above).

      Complaints closed as "adequately dealt with" under s. 41(2)(a) of the Privacy Act are those where the respondent was found to be in breach of the Privacy Act and then took adequate steps to resolve the matter, or where the respondent adequately resolved the matter without a formal investigation having commenced. This figure gives an indication of the number of complaints that were substantiated.

      In relation to telecommunications companies the Office's experience is that they make up around 20% of "adequately dealt with" credit complaints.

      During 2004, approximately 65,000 customer default listings were removed from credit records held by a credit reporting agency after the Office found that the failed telecommunications company, One-Tel, did not have systems in place to update customer credit default listings once a debt had been paid.7

      5. Is non-compliance with the credit reporting requirements in certain industries covered by the Classes Determination isolated or systemic?

      The timely provision of a notice to the individual under section 18E(8)(c)8 of the Privacy Act permits credit reporting to be lawfully undertaken. A payment default may not be listed unless 60 days has passed since the default occurred and a letter of demand has been sent to the individual. It has been suggested that failure to provide notice as required by section 18E(8)(c), and failure to meet the 60 day arrears requirement 9 before default listing a debt, are examples of areas where credit providers from some industries fail to meeting their legal obligations.

      Such non-compliance may result in particularly adverse outcomes for the individuals concerned, including denial of access to credit on the basis of the inaccurate information on the individual's credit file.

      Q 2.1 Is there any evidence that there are systemic issues relating to compliance with the Privacy Act by credit providers covered by the Classes Determination?

      Q 2.2 If there is such evidence, how could the Classes Determination be changed to reduce this problem?

      Q 2.3 Has compliance with the requirements of the Privacy Act, by credit providers covered by the Classes Determination, improved over the past three years? What evidence can you produce to support your position?

      6. General questions

      Q 2.4 Should the Classes Determination be renewed?

      Q 2.5 If no, why not?

      Q 2.6 If yes, should it be amended and in what way should it be changed? What evidence can you provide to support your proposed change?

      Q 2.7 How long should a new determination last? Potential durations include 3, 5 or 10 years.

      Q 2.8 What might be the adverse or positive effects of amending the Classes Determination?

      Glossary of key terms

      Credit

      Credit is defined in section 6(1) of the Privacy Act to mean: "...a loan sought or obtained by an individual from a credit provider in the course of the credit provider carrying on a business or undertaking as a credit provider, being a loan that is intended to be used wholly or primarily for domestic, family or household purposes".

      Credit Reporting Code of Conduct

      Under section18A(1) of the Privacy Act, the Privacy Commissioner is required to issue a Credit Reporting Code of Conduct (Code of Conduct) relating to credit information files and credit reports. In developing such a Code of Conduct, the Commissioner must, "...to the extent that it is appropriate and practicable", consult with government, commercial, consumer and other relevant bodies and organisations. Section 18B obliges credit reporting agencies and credit providers in mandatory terms to comply with the Code of Conduct. Under section 28A the Commissioner has the power to investigate an infringement of the Code of Conduct and conduct audits to ensure it is being complied with. The Code of Conduct is available at http://www.privacy.gov.au/materials/types/codesofconduct/view/6787 .

      Credit information file

      A credit information file is defined in section 6(1) of the Privacy Act: "...in relation to an individual, means any record that contains information relating to the individual and is kept by a credit reporting agency in the course of carrying on a credit reporting business (whether or not the record is a copy of the whole or part of, or was prepared using, a record kept by another credit reporting agency or any other person)".

      Credit report

      A credit report is defined in section 6(1) of the Privacy Act as any record or information, whether in a written, oral or other form, that:

      1. is being or has been prepared by a credit reporting agency; and
      2. has any bearing on an individual's:
        1. eligibility to be provided with credit; or
        2. history in relation to credit; or
        3. capacity to repay credit; and
      3. is used, has been used or has the capacity to be used for the purpose of serving as a factor in establishing an individual's eligibility for credit.

      Credit reporting agency

      A credit reporting agency is defined in section 11A of the Privacy Act: "For the purposes of this Act, a person is a credit reporting agency if the person is a corporation that carries on a credit reporting business".

      Credit reporting business

      A credit reporting business is defined in section 6(1) of the Privacy Act: "Credit reporting business means a business or undertaking (other than a business or undertaking of a kind in respect of which regulations made for the purposes of subsection (5C) are in force) that involves the preparation or maintenance of records containing personal information relating to individuals (other than records in which the only personal information relating to individuals is publicly available information), for the purpose of, or for purposes that include as the dominant purpose the purpose of, providing to other persons (whether for profit or reward or otherwise) information on an individual's:

      1. eligibility to be provided with credit; or
      2. history in relation to credit; or
      3. capacity to repay credit;

      whether or not the information is provided or intended to be provided for the purposes of assessing applications for credit".

      Loan

      Loan is defined in section 6(1) of the Privacy Act as: "Loan means a contract, arrangement or understanding under which a person is permitted to defer payment of a debt, or to incur a debt and defer its payment, and includes:

      1. a hire-purchase agreement; and
      2. such a contract, arrangement or understanding for the hire, lease or renting of goods or services, other than a contract, arrangement or understanding under which:
        1. full payment is made before, or at the same time as, the goods or services are provided; and
        2. in the case of a hiring, leasing or renting of goods-an amount greater than or equal to the value of the goods is paid as a deposit for the return of the goods".

      ANNEXURE 1

      Credit Provider Determination No. 2006-1 (Assignees)

      Privacy Act 1988

      Under s.11B(1)(b)(v)(B) of the Privacy Act 1988 , I, Karen Curtis, Privacy Commissioner, determine that:

      1. A corporation which acquires the rights of a credit provider with respect to the repayment of a loan (whether by assignment, subrogation or other means) shall, in relation to that loan, be regarded as the credit provider for the purposes of the Privacy Act.
      2. A corporation deemed to be a credit provider by virtue of paragraph 1, above, shall, for the purposes of the Privacy Act, be regarded as the credit provider to whom the loan application was submitted, or who provided the loan.
      3. This Determination relates to those corporations which are not already credit providers by virtue of paragraphs (a) or (b)(iii) to (iv) of s. 11B(1) of the Privacy Act.
      4. This Determination continues the effect of Determination 2003 No.2 which expires on 24 February 2006.
      5. This Determination is effective from 25 February 2006 to 31 August 2006 (inclusive).

      The background to, and reasons for, making this determination are set out in the explanatory statement lodged for registration, together with this determination, on the Federal Register of Legislative Instruments.

      Karen Curtis Privacy Commissioner

      22 February 2006

      Explanatory Statement

      Credit Provider Determination No. 2006-1 (Assignees)

      This Explanatory Statement has been drafted for the purpose of fulfilling the Office of the Privacy Commissioner's obligations under section 26(1) of the Legislative Instruments Act 2003.

      1. PURPOSE

      The purpose of Credit Provider Determination No. 2006-1 (Assignees) (this Determination) is to determine that a corporation which acquires the rights of a credit provider with respect to the repayment of a loan (whether by assignment, subrogation or other means) shall, in relation to that loan, be regarded as the credit provider for the purposes of the Privacy Act 1988 (the Privacy Act). A corporation deemed to be a credit provider by virtue of the Determination is regarded as the credit provider to whom the loan application was submitted, or who provided the loan.

      This Determination affects those businesses which are not already credit providers by virtue of paragraphs (a) or (b)(iii) to (iv) of s. 11B(1) of the Privacy Act.

      Section 11B(1)(c) extends the operation of this Determination to assignees that are not a corporation and deems such persons credit providers.

      This Determination continues the effect of Determination 2003 No.2 Privacy Act 1988, s.11B(1)(b)(v)(B) - concerning assignees dated 14 February 2003 which lapses on 24 February 2006. The new Determination is substantively the same as all of the previous four Determinations issued over the past 11 years.

      By being granted credit provider status the assignee is able to conduct credit reporting, but only in relation to the assigned loan. In particular, it will be able to directly access an individual's credit report, held by a credit reporting agency in some circumstances. If it needs to, an assignee will be permitted to directly access a credit report held by a credit reporting agency in accordance with Part IIIA of the Privacy Act and the Credit Reporting Code of Conduct, for such purposes as: collecting a payment on the loan that is overdue; listing either an overdue payment or a serious credit infringement in relation to the loan; updating as paid an existing default listing in relation to the loan; and making corrections to information it, or the assignor, has previously reported in relation to that loan.

      1.1 Provisions for Credit Provider Determinations

      Section 11B of the Privacy Act defines "credit providers". Credit providers that can conduct credit reporting include banks and certain other private sector organisations. Section 11B(1)(b)(v)(B) also allows the Privacy Commissioner to determine that a corporation that carries on a business or undertaking involving the provision of loans, (including the provision of loans by issuing credit cards), is a credit provider if it is included in a class of corporations.

      "Credit" is defined in section 6(1) to mean a loan sought or obtained by an individual from a credit provider in the course of the credit provider carrying on a business or undertaking as a credit provider, being a loan that is intended wholly or primarily for domestic, family or household purposes.

      1.2 Authority for making this Determination

      Determination 2005 No.1 is made under s.11B(1)(b)(v) (B) of the Privacy Act. Section 11B(1) states:

      1.  For the purposes of this Act ... a person is a credit provider if the person is:
        1. a corporation (other than an agency)

          (v) that

          1. carries on a business or undertaking that involves the provision of loans (including the provision of loans by issuing credit cards); and
          2. is included in a class of corporations determined by the Commissioner to be credit providers for the purposes of this Act.

      Section 28A(1)(d) states that the Commissioner has the following function in respect of credit reporting:

      1. to make such Determinations as the Commissioner is empowered to make under section 11B or Part IIIA.

      1.3 Document incorporated by reference

      The following document is incorporated by reference in this Determination and is attached as an appendix to this statement.

      • Determination 2003 No.2 Privacy Act 1988, s.11B(1)(b)(v)(B) - concerning assignees dated 14 February 2003 which lapses on 24 February 2006 (Attachment A).

      2. REASONS FOR MAKING THE DETERMINATION

      2.1 Background to Determination

      The term of the new Determination is limited to approximately six months in order that the Privacy Commissioner may undertake consultation with stakeholders affected by this Determination, including individual credit consumers and their representatives, privacy advocates, businesses which sell, purchase or otherwise assign debts incurred by individuals, and credit reporting agencies. The purpose of the consultation is to ascertain stakeholders' views regarding the operation of current and related previous Determinations, and the terms upon which any new Determination should be cast.

      A Determination concerning assignees was first made in 1995, then re-issued without substantive amendment in 1997, 2002 and 2003. The Determination issued in 2003 was made for three years until 24 February 2006.

      The initial Determination was made following representations from a mortgage insurer taking assignment of a loan upon the default of a borrower. The mortgage insurer was concerned that as an assignee it would be able to conduct credit reporting in relation to such a loan as if it were the original credit provider. Consultation was conducted by the Office at the initial stage and subsequently prior to the making of the Determination in 1997 at which time peak industry bodies expressed strong support for its renewal. At that time no objections were raised by the Credit Reporting Consultative Group or other interested parties. The then Commissioner observed prior to the making of the 2003 Determination that there were no problems encountered with the operation of the 1997 and 2002 Determinations.

      The then Commissioner also observed, however, that the issue of "double listing" by assignees should be further considered upon review of that Determination. "Double listing" occurs when an assignee again lists a previous payment default (or serious credit infringement) on an individual's credit report held by a credit reporting agency when the loan is taken over by an assignee.

      2.2 Public interest and other relevant considerations

      In considering making a short-term Determination, the Privacy Commissioner has taken account of section 29 of the Privacy Act. Section 29 requires the Commissioner in the performance of her functions and the exercise of her powers under the Privacy Act to have due regard to the protection of important human rights and social rights that compete with privacy. In particular, the Commissioner has taken account of the following matters.

      1. It is in the public interest that assignees continue to have access to the credit reporting system regulated by Part IIIA of the Privacy Act and the Credit Reporting Code of Conduct while consultation occurs with stakeholders affected by this Determination on any new issues that may be relevant, and with regard to the terms upon which any new Determination should be cast. In particular, during the consultation stage, assignees as credit providers should be permitted to manage existing delinquent loan accounts by conducting credit reporting in accordance with Part IIIA of the Privacy Act and the Credit Reporting Code of Conduct.
      2. Customers with existing listings on their credit reports held by a credit reporting agency should continue to benefit by this continuing access by assignees to the credit reporting system, including by assignees being able to update existing customer default listings when overdue accounts are paid in full. In this way, the public interest is served by individuals being able to demonstrate to potential lenders through access to their credit reports held by a credit reporting agency that they have an acceptable credit history and are an acceptable credit risk.

      The Privacy Commissioner has concluded that it is substantially in the public interest to make this Determination for a period of approximately six months during which time consultation will occur with stakeholders affected by this Determination.

      3. ATTACHMENT

      Attachment A:

      Determination 2003 No.2 Privacy Act 1988, s.11B(1)(b)(v)(B) - concerning assignees dated 14 February 2003 (which lapses on 24 February 2006).

      Attachment A

      Determination 2003 No.2 PRIVACY ACT 1988, s.11B(1)(b)(v)(B) - concerning assignees

      Under s.11B(1)(b)(v)(B) of the Privacy Act 1988, I DETERMINE that:

      1. A corporation which acquires the rights of a credit provider with respect to the repayment of a loan (whether by assignment, subrogation or other means) shall, in relation to that loan, be regarded as the credit provider for the purposes of the Act.
      2. A corporation deemed to be a credit provider by virtue of paragraph 1, above, shall, for the purposes of the Act, be regarded as the credit provider to whom application for the loan was made, or who provided the loan.
      3. This determination relates to those corporations which are not already credit providers by virtue of paragraphs (a) or (b)(i) to (v) of s. 11B(1) of the Act.
      4. This determination represents a continuation of Determination No. 2 of 2002 which expires on 24 February 2003.
      5. This determination shall take effect on 25 February 2003 and shall lapse, unless continued by a further determination of the Privacy Commissioner, on 24 February 2006.

      MALCOLM CROMPTON Federal Privacy Commissioner

      14 February 2003

      DETERMINATION 2003 No. 2 UNDER s.11B(1)(b)(v)(B) - CONCERNING ASSIGNEES: REASONS FOR DETERMINATION

      Background

      Determination No. 2 of 2003 represents a continuation, without amendment, of Determination No. 2 of 2002; this was effectively a continuation of Determination No. 1 of 1997, which was a continuation of Determination No. 1 of 1995.

      History of the determination

      In March 1993, the Privacy Commissioner received a request for a determination from a mortgage insurer for a determination under section 11B(1)(b)(v)(B) of the Act, to enable a corporation which acquires the rights of a credit provider with respect to the repayment of a loan to be regarded as a credit provider for the purposes of the Act. The request arose from concerns about the situation where a mortgage insurer takes assignment of a loan after the borrower defaults.

      It was submitted that a mortgage insurer which takes assignment of a loan from a credit provider should thereafter be regarded as the credit provider in respect of that loan. This would entitle the mortgage insurer to obtain access to consumer credit reports and consumer credit information in relation to that loan, as if it had provided the loan in the first instance.

      Before issuing the original determination, the then Privacy Commissioner undertook extensive consultation on the substance of the matter. Following consultation, it was felt that the determination should not be limited to mortgage insurers but should have a general application to businesses which acquire the rights of credit providers.

      Further consultation on the determination was undertaken prior to the making of Determination No. 1 of 1997; during which peak industry bodies expressed strong support for its renewal. Correspondingly, no objections were raised by the Credit Reporting Consultative Group or other interested parties. In addition, the Office had not encountered problems in the operation of the original determination.

      As noted in the Reasons for Determination No. 2 of 2002, the Office encountered no problems with the operation of Determination No. 1 of 1997. This has remained the case over the past year.

      Operation of the determination

      Resulting from the original consultation process, the decision was taken to issue a determination that a corporation which acquires the rights of a credit provider with respect to the repayment of a loan (whether by assignment, subrogation or other means) shall, in relation to that loan, be regarded as a credit provider for the purposes of the Privacy Act.

      With regard to notices given and consents obtained by the credit provider under the terms of the loan, it was envisaged that these would be taken to have been given or obtained by a business deemed to be a credit provider by virtue of the determination.

      As noted in the Reasons for Determination for the previous Determinations, under section 11B(1)(b)(v)(A) one of the conditions which must be satisfied before the Privacy Commissioner can determine a class of corporations to be credit providers is that those corporations carry on a business or undertaking involving the provision of loans. As such, the determination does not extend, for example, to an agent that collects debts on behalf of a credit provider.

      While the determination is directed to a certain class of corporations, the application of the determination is extended by virtue of section 11B(1)(c) to non-corporations which meet the criteria which apply to corporations under section 11B(1)(b).

      Current issues

      During 2002 and early-2003, the Office engaged with various stakeholders in the credit reporting sector on a range of issues. This was foreshadowed in the Reasons for Determination for Determination No. 2 of 2002, namely that the Office would be further considering other issues relating to the credit reporting sector (including issues relating to Determination No. 1 of 2002), and then looking at whether these issues have a bearing on the current determination. This does not appear to be the case.

      An issue that has been brought to the attention of the Office, however, is that of 'double listing', involving occasions where a consumer's non-payment of a debt is listed with a credit reporting agency, whereafter that debt is taken over by another organisation/credit provider and the debt is effectively re-listed with a credit reporting agency. Such occurrences, which are not permitted by the Act, can result in an individual having the one debt listed in the credit reporting system for longer than the permitted five year period.

      Businesses should regard this as an early indication that they need to review their practices in this area. At this stage, there is an opportunity for credit providers and credit reporting agencies to improve practice themselves, rather than requiring a move toward more regulatory compliance activity or legislative change that delivers greater oversight. This issue, however, clearly needs to be kept under notice, and is highlighted for further consideration on review of this determination.

      Currently, I remain of the view that the operation of the determination continues to be appropriate.

      Determination

      In light of the issues considered above, in my view it is appropriate to issue a further determination, in unchanged terms, in respect to corporations acquiring loans by assignment, subrogation or other means and their relationship with the credit reporting system.

      As to the life of the determination, I take the view that it should not be open-ended. I have therefore decided that the determination should be made for a period of 3 years commencing on 25 February 2003 and lapsing, unless continued by a further determination, on 24 February 2006.

       

      MALCOLM CROMPTON Federal Privacy Commissioner

      14 February 2003

      ANNEXURE 2

      Credit Provider Determination No. 2006-2 (Classes of credit providers)

      Privacy Act 1988

      Under s.11B(1)(b)(v)(B) of the Privacy Act 1988 , I, Karen Curtis, Privacy Commissioner, determine that:

      1. All corporations belonging to the following classes are to be regarded as credit providers for the purposes of the Privacy Act:
        • a corporation where, in relation to a transaction, it is considering providing or has provided a loan in respect of the provision of goods or services on terms which allow the deferral of payment, in full or in part, for at least 7 days; or
        • a corporation engaged in the hiring, leasing or renting of goods, where, in relation to a transaction, no amount, or an amount less than the value of the goods, is paid as deposit for return of the goods, and the relevant arrangement is one of at least 7 days duration.
      2. This Determination affects those businesses which are not already credit providers by virtue of paragraphs (a) or (b)(iii) to (iv) of s. 11B(1) of the Act.
      3. This Determination continues the effect of Determination 2003 No.1 which expires on 25 February 2006.
      4. This Determination is effective from 26 February 2006 to 31 August 2006 (inclusive).

      The background to, and reasons for, making this determination are set out in the explanatory statement lodged for registration, together with this determination, on the Federal Register of Legislative Instruments.

      Karen Curtis Privacy Commissioner

      22 February 2006

      Explanatory Statement

      Credit Provider Determination No. 2006-2 (Classes of credit providers)

      This Explanatory Statement has been drafted for the purpose of fulfilling the Office of the Privacy Commissioner's obligations under section 26(1) of the Legislative Instruments Act 2003.

      1. PURPOSE

      The purpose of Credit ProviderDetermination No. 2006-2 (Classes of credit providers) (this Determination) is to determine that a corporation belonging to the following classes are regarded as credit providers for the purposes of section 11B(1)(b)(v)(B) of the Privacy Act:

      • a corporation where, in relation to a transaction, it is considering providing or has provided a loan in respect of the provision of goods or services on terms which allow the deferral of payment, in full or in part, for at least 7 days; or
      • a corporation engaged in the hiring, leasing or renting of goods, where, in relation to a transaction, no amount, or an amount less than the value of the goods, is paid as deposit for return of the goods, and the relevant arrangement is one of at least 7 days duration.

      This Determination affects those businesses which are not already credit providers by virtue of paragraphs (a) or (b)(iii) to (iv) of s. 11B(1) of the Privacy Act.

      A corporation deemed to be a credit provider by virtue of the Determination is regarded as the credit provider in respect of the specific loan only.

      Section 11B(1)(c) extends the operation of this Determination to assignees that are not a corporation and deems such persons credit providers.

      The Determination continues the effect of Determination 2003 No.1 Privacy Act 1988, s.11B(1)(b)(v)(B) - concerning classes of credit providers dated 14 February 2003 which lapses on 25 February 2006. The new Determination is substantively the same as all of the previous six Determinations issued over the past 15 years.

      By being granted credit provider status under the terms of this Determination, a business falling within the class will be permitted to conduct credit reporting only in relation to the particular loan transaction in accordance with Part IIIA of the Privacy Act. In particular, they will be able to directly access an individual customer's credit report, held by a credit reporting agency in some circumstances.

      If they need to, a business covered by the Determination will be permitted to directly access the individual customer's credit report held by a credit reporting agency in accordance with Part IIIA of the Privacy Act and the Credit Reporting Code of Conduct for purposes including: assessing the loan application, collecting a payment on the loan that is overdue, listing either an overdue payment or a serious credit infringement in relation to the loan, updating as paid an existing default or serious credit infringement listing in relation to the loan, or making corrections to information they have previously reported in relation to the loan.

      1.1 Provisions for Credit Provider Determinations

      Section 11B of the Privacy Act defines "credit providers". Credit providers that can conduct credit reporting include banks and certain other private sector organisations. Section 11B(1)(b)(v)(B) also allows the Privacy Commissioner to determine that a corporation that carries on a business or undertaking involving the provision of loans, (including the provision of loans by issuing credit cards), is a credit provider if is included in a class of corporations.

      "Credit" is defined in section 6(1) to mean a loan sought or obtained by an individual from a credit provider in the course of the credit provider carrying on a business or undertaking as a credit provider, being a loan that is intended wholly or primarily for domestic, family or household purposes.

      1.2 Authority for making these Determinations

      Determination No. 2006-2 is made under s.11B(1)(b)(v) (B) of the Privacy Act. Section 11B(1) states:

      1. For the purposes of this Act ... a person is a credit provider if the person is:
        1. a corporation (other than an agency)

          (v) that

          1. carries on a business or undertaking that involves the provision of loans (including the provision of loans by issuing credit cards); and
          2. is included in a class of corporations determined by the Commissioner to be credit providers for the purposes of this Act.

      Section 28A(1)(d) states that the Commissioner has the following function in respect of credit reporting:

      1. to make such Determinations as the Commissioner is empowered to make under section 11B or Part IIIA.

      1.3 Document incorporated by reference

      The following document is incorporated by reference in this Determination and is attached as an appendix to this statement:

      • Determination 2003 No.1 Privacy Act 1988, s.11B(1)(b)(v)(B) - concerning classes of credit providers dated 14 February 2003 which lapses on 25 February 2006 (Attachment A).

      2. REASONS FOR MAKING THE DETERMINATION

      2.1 Background to Determination

      The term of the new Determination is limited to approximately six months in order that the Privacy Commissioner may undertake consultation with stakeholders affected by this Determination which include individual credit consumers and their representatives; privacy advocates; those businesses whilst not offering loans as a substantial part of their business or undertaking may allow some customers to defer payment of a debt or to incur a debt and defer its payment, which include some retail businesses, telephone companies and some energy utilities; and credit reporting agencies. The purpose of the consultation is to ascertain stakeholders' views regarding the operation of the current and related previous Determinations and the terms upon which any new Determination should be cast.

      A Determination concerning classes of credit providers was made in 1991 then re-issued without substantive amendment in 1993, 1996, 2001, 2002 and 2003. The Determination issued in 2003 was made for three years until 25 February 2006.

      Prior to the making of the Determination in 2003 the Office issued a consultation paper to stakeholders and sought comments on: (a) whether access to the credit reporting system was too broad; (b) whether non-conformance with the credit reporting requirements is systemic in certain industries; (c) whether credit providers, as prescribed by Determination, be required to offer a minimum amount of credit; (d) whether a 7 day credit term is a sufficient benchmark. After considering 18 submissions that were received, the then Commissioner issued a new Determination in 2003. The background to the Determination stated that the increase in levels of credit activity did not show a corresponding increase in complaints; noted that there may be signs of emerging concerns such as a lack of credit providers' understanding of their credit obligations; and the information did not warrant an amendment to the scope of the Determination.

      The then Commissioner noted, however, that he expected that business would take steps to raise its awareness of its compliance obligations and that compliance with the requirements of the credit reporting system would be improved over the life of the previous Determination.

      2.2 Public interest and other relevant considerations

      In considering making a short-term Determination, the Privacy Commissioner has taken account of section 29 of the Privacy Act. Section 29 requires the Commissioner in the performance of her functions and the exercise of her powers under the Act to have due regard to the protection of important human rights and social rights that compete with privacy. In particular, the Commissioner has taken account of the following matters:

      1. It is in the public interest that businesses covered by the Determination continue to have access to the credit reporting system regulated by Part IIIA of the Privacy Act and the Credit Reporting Code of Conduct while consultation occurs with stakeholders affected by this Determination on any new issues that may be relevant, and with regard to the terms upon which any new Determination should be cast. Such credit providers should be permitted to manage existing delinquent loan accounts by conducting credit reporting in accordance with Part IIIA of the Privacy Act and the Credit Reporting Code of Conduct during the consultation stage.
      2. In this way, the public interest is served by individuals being able to demonstrate to potential lenders through access to their credit reports held by a credit reporting agency that they have an acceptable credit history and are an acceptable credit risk. Similarly, customers with existing listings on their credit reports held by a credit reporting agency should also continue to benefit by the continuing access of such credit providers to the credit reporting system, inter alia, by being able to update existing customer default listings when overdue accounts are paid in full.

      The Privacy Commissioner has concluded that it substantially in the public interest to make this Determination for a period of approximately six months during which time consultation will occur with stakeholders affected by this Determination.

      3. ATTACHMENT

      Attachment A:

      Determination 2003 No.1 Privacy Act 1988, s.11B(1)(b)(v)(B) - concerning classes of credit providers dated 14 February 2003 (which lapses on 25 February 2006).

      Attachment A

      Determination 2003 No.1 Privacy Act 1988, s.11B(1)(b)(v)(B) - concerning classes of credit providers

      Under s.11B(1)(b)(v)(B) of the Privacy Act 1988, I DETERMINE that:

      1.  All corporations belonging to the following classes are to be regarded as credit providers for the purposes of the Act:
        • a corporation where, in relation to a transaction, it is considering providing or has provided a loan in respect of the provision of goods or services on terms which allow the deferral of payment, in full or in part, for at least 7 days; or
        • a corporation engaged in the hiring, leasing or renting of goods, where, in relation to a transaction, no amount, or an amount less than the value of the goods, is paid as deposit for return of the goods, and the relevant arrangement is one of at least 7 days duration.
      2. This Determination affects those businesses which are not already credit providers by virtue of paragraphs (a) or (b)(iii) to (iv) of s. 11B(1) of the Act.
      3. This Determination is effectively a continuation of Determination No.1 of 2002, which expires on 25 February 2003. Determination No.1 of 2002 was effectively a continuation of Determination No. 1 of 2001, which was effectively a continuation of Determination No.1 of 1996, which was effectively a continuation of Determination No.1 of 1993, which was effectively a continuation of Determination No.1 of 1991.
      4. This Determination shall take effect on 26 February 2003 and shall lapse, unless continued by a further Determination of the Federal Privacy Commissioner, on 25 February 2006. 

      MALCOLM CROMPTON Federal Privacy Commissioner

      14 February 2003

      DETERMINATION 2003 No. 1 UNDER s.11B(1)(b)(v)(B) - CONCERNING CLASSES OF CREDIT PROVIDERS: REASONS FOR DETERMINATION

       

      Background

      On 11 September 1991, the then Commissioner issued Determination No. 1 of 1991 under section 11B(1)(b)(v)(B) of the Privacy Act 1988 (the Act), which deals with the definition of "credit provider" for the purposes of the Act. Under that Determination all corporations belonging to certain classes were to be regarded as credit providers. At the same time, the Commissioner issued a Statement of Reasons for the Determination.

      Determination No. 1 of 1991 lapsed on 25 August 1993 and was continued, without amendment, by Determination No.1 of 1993. It was again continued, without amendment, by Determination No.1 of 1996, Determination No.1 of 2001, and Determination No.1 of 2002. Those Determinations will collectively be referred to as "the earlier Determinations".

      When Determination No.1 of 2001 was reviewed in January 2002, some submissions expressed concern regarding the credit reporting system in general and the consequences of the earlier Determinations in particular. It was claimed there were widespread compliance failures within the credit reporting system, especially by corporations permitted access to the system by virtue of Determination No. 1 of 2001.

      At that time, I decided there was insufficient information before me to justify a decision not to issue a Determination in similar terms to Determination No. 1 of 2001. Given the issues raised, however, I took the view that they warranted further consideration, and Determination No. 1 of 2002 was therefore only issued for a period of twelve months. This was to enable my Office to further investigate the issues relating to that Determination.

      Consultation in 2002/3

      Review Process

      Throughout 2002, the Office has engaged with a range of stakeholders in the credit reporting sector on a number of issues, including those which relate to this Determination. During the course of this activity, the Office has borne in mind the issues raised in relation to this Determination. As a consequence, in September 2002, the Office released the 'Consultation Paper for the Review of Credit Reporting Determination 2002, No. 1' and called for submissions.

      The Consultation Paper requested submissions concerning the Determination and its operation within the credit reporting system. Areas given detailed consideration included:

      • organisations' access to the credit reporting system;
      • claims of non-compliance involving organisations using the credit reporting system; and
      • issues such as, minimum default listings and the 7-day credit term.

      The Office received 18 submissions, including six from credit reporting agencies and credit providers, three from consumer credit advocate bodies and two from government agencies.

      As well as receiving, reviewing and analysing information arising from submissions to the review of Determination No.1 of 2002, further data has also been gathered and considered. The Office has reviewed its own complaint and enquiries data relating to the credit reporting system generally, and more particularly in relation to those credit providers given access to the credit reporting system by virtue of the earlier Determinations - this has included reviewing the types and rates of complaints and enquiries received for the 18-month period between July 2001 and December 2002.

      The Office also sought further qualitative data on complaints-related matters from industry stakeholders, other regulators and consumer bodies. This information has been sought and reviewed, to assist in making a decision about the further life and scope of this Determination, if any.

      Information arising from submissions: claims and qualitative data

      During the consultation phase, I requested information on the views and experiences of those involved in the credit reporting system in relation to this Determination. Most importantly, however, I sought statistical and other qualitative data in relation to the operation of the credit reporting system, especially regarding assertions about the impact of this Determination on consumers and business. This information was sought to augment the Office's understanding of the system, derived from its own statistical data relating to complaints and enquiries, and its experience in regulating the credit reporting system through complaints and audits.

      Some key issues and information that arose during the consultation process:

      1. Some submissions suggested there has been an increase in the use of the credit reporting system in relation to those businesses that are 'traditional' credit providers under s.11B(1) of Part IIIA of the Act (e.g. businesses in the financial services and telecommunications sectors), as well as by those given access to the reporting system by way of the earlier Determinations (e.g. some retailers and professional service providers, such as legal and health care practitioners).

      2. Some submissions highlighted particular business sectors as harbouring systemic compliance problems. For instance, submissions from consumer advocate groups suggested these compliance issues were specific to businesses that access the reporting system through the earlier Determinations. Claims were made that complaints and enquiries in relation to these businesses have increased substantially, including one estimate of a five-fold rise. Submissions from some businesses, however, suggested the compliance problems were more widespread throughout the system and not specific to businesses with access to the system through the earlier Determinations. The kinds of compliance issues raised through the submissions included lack of providing consumers with adequate notice of the potential for listing, and inappropriately handling disputed defaults.

      3. The Office considered data regarding the current annual rate of consumer credit checking and in turn the number of complaints about the credit reporting system received by the Office.

      This information indicated that the rate of complaints about credit reporting is small, relative to the number of credit checks undertaken. For example, one major credit reporting agency processes in the order of 11 million consumer credit checks annually. Yet, in the period from 1 July 2001 to 31 December 2002, the Office received approximately 300 complaints relating to the whole credit reporting sector (equating to around 200 complaints annually). Of these only 32 related to businesses covered by the Determination. This represents about 11% of all complaints received about credit reporting.

      4. One party submitted that in its view, the earlier Determinations broadened the types of businesses classified as credit providers to such an extent that the Determinations were beyond the Commissioner's statutory powers. Dealing with that issue here, and having considered it closely, I am of the view that the Commissioner's power to make such Determinations under s.11B(1)(b)(v)(B) must be read in conjunction with s.11B(1)(b)(v)(A) and the definition of 'loan' found in s6, and that in light of those sections this Determination is a valid exercise of the Commissioner's powers under the Privacy Act.

      Analysis

      In considering and analysing the issues raised through the consultation process, I will deal with these as set out in the order above:

      1. It appears that the claims regarding the growth in the credit sector and hence the credit reporting sector, relate to the perception that increased activity in these areas results in greater non-compliance overall with the regulatory framework, and so a greater risk to consumer privacy.

      Only limited statistical data was presented to the Office to support these claims, I am able only to draw observations from this information, as well as publicly available data on the operation of the credit sector, and the annual rate of complaints that my Office receives. While not specific to those classes of business covered by this Determination, Reserve Bank data released on the 11 February 2003 indicates a rise in credit activity within Australia through increasing transaction card use, including a growth in interest free credit card accounts of almost 20% over the past 3 years. This data is available at the Reserve Bank's website www.rba.gov.au/NewsArchive/index.html. Greater longitudinal data published by the Reserve Bank also reflects the rising rates and quantum of home finance and fixed loan lending over past 10 years, including for instance a sharp rise of some 35% in the amount of fixed loan lending between mid-2001 and late-2002. This data is available at http://www.rba.gov.au/Statistics/Bulletin/D05hist.xls.

      That Australians are seeking and gaining more credit, including in more and different ways, and that they are involved in more credit transactions is something we can observe as a changing trend in the personal finances of the community. This, in itself, is not a difficulty for the Determination; the question remains whether there are significant problems in the operation of the Determination by way of those businesses that operate under it. Given the increase in credit activity, it might be expected that there would be a corresponding increase in complaints. Indeed, a greater than proportionate increase might signify a systemic failure caused by the growth in the sector. This possibility is not borne out by the Office's experience in receiving and handling complaints. The Office has not seen such an upturn in the numbers of complaints.

      2. Of the assertion that some businesses and business sectors harbour systemic compliance problems with the credit reporting provisions in the Privacy Act, some claims point toward the biggest growth in such problems involving those with access to the credit reporting system by virtue of the Determination.

      I note the reports from consumer advocate bodies that claim there is a rise in consumer enquiries and concerns relating mainly to those businesses covered by the Determination, and including the claim of a five-fold increase in consumer enquiries in this context. This is not reflective of the Office's experience, however, with no such growth in complaints having occurred.

      3. Turning to the Office's complaints data specifically, the rate of credit-related complaints overall (around 200 annually) is not unexpectedly high, given the amount of credit activity in Australia. Most significantly, the Office's figures indicate that only a small proportion of complaints relate to businesses covered by the Determination - as noted earlier, for the period reviewed (1 July 2001 to 31 December 2002) only about 11 per cent of all credit complaints related to those businesses covered by the Determination. In my view, our data and experience, together with the data made available to the Office (limited though it is) does not reflect a system in crisis.

      In the analysis of the submissions and other information gathered, it is apparent that significant importance is placed on the credit reporting system by businesses, as a means to undertake risk management in their provision of loans, goods and other services. In my view, this indicates that decisions surrounding the operation of the Determination are not a 'one-way street'.

      If businesses are denied access to the system, such as by significantly varying the Determination or by not making any further Determination, this may reduce the number of complaints by a small number, but it will not do so in a way cost-neutral to consumers and the community in general. Business will surely seek to manage risk in other ways, such as by requiring bonds and deposits, or by limiting the range and delivery of services so as not to over-expose their financial risk. Such a reduction in the range of services, or in those who are able to gain credit due to the use of such risk management strategies may seriously disadvantage many consumers and their ability to gain access to a range of business products and services.

        The analysis above relates specifically to the Determination, and indicates no significant systemic problem in its operation that could be addressed through changing the scope of the Determination. There may, however, be signs of broader emerging concerns in the system, as a number of submissions, both from consumer advocate bodies and the business sector, claim there is at least some lack of understanding about credit providers' compliance obligations within the sector, especially regarding notice provisions. This includes where listings are not made concordant with the Credit Reporting Code of Conduct, such that listings are made prior to the debt being 60 days overdue or the individual is not advised that the information will be listed with a credit reporting agency.

        This is disturbing if it indicates a breadth of non-compliance in the credit reporting system, particularly after more than a decade of its operation, including that of the Determination currently under consideration. If this turns out to be the case, then it calls for close consideration by the credit reporting sector of its compliance obligations, including those of the businesses that use the system.

        Conclusion

        On the information gathered during the past year, and most especially during the recent consultation process, in my view the policy direction set out by this Determination has not erred in seeking to find a balance between consumer and business needs. The information gathered to date does not warrant amendment to the scope of this Determination at the present time.

        In my opinion, the issues raised and considered during this review are not specific to the industries or sectors that gain access to the credit reporting system by virtue of this Determination. Rather, the assertions about the compliance issues raised during consultation are more general, reflecting either missing knowledge and/or failures in compliance management by a broader set of businesses that use the credit reporting system. While there is limited data on the compliance-related concerns, that they have been raised is troubling and this could reflect something more than my Office is seeing by way of complaints received.

        That there are submissions asserting compliance failure is concerning, especially after so many years of the operation and maturation of the credit reporting system. For businesses participating in this system, this may be an early warning for them to closely consider the issues identified during the consultation process, and to act to assess their compliance and rectify any problems found. It would be most unfortunate if this opportunity were not taken, leading to more regulatory compliance activity or the need for legislative change to deliver more strict regulatory oversight.

        In deciding to renew the Determination in its existing form, therefore, I do so expecting that business will take steps to raise its awareness of its compliance obligations, and that compliance with the requirements of the system will be improved. These are things that need to be achieved during the life of the Determination through improved vigilance to these issues by business, and through the efforts of this Office in its regulatory role. If these aims are not achieved, then consideration of the on-going status of this Determination would be warranted.

        Determination

        I have decided to re-issue the Determination, without amendment as Determination No. 1 of 2003.

        As to the life of the Determination, I again take the view that it should not be open-ended, but should be the subject of further review following sufficient time for improved compliance measures to be instituted. I consider that a period of three years, commencing on 26 February 2003, is appropriate for this purpose.

        I have therefore included in Determination No. 1 of 2003 that it is to lapse, unless continued by a further determination, on 25 February 2006.

        MALCOLM CROMPTON Federal Privacy Commissioner

        14 February 2003

        ANNEXURE 3

        Privacy Act 1988 (Cwlth)

        11B Credit providers

        (1) For the purposes of this Act, but subject to subsection (2), a person is a credit provider if the person is:

        1. a bank; or
        2. a corporation (other than an agency):
          1. a substantial part of whose business or undertaking is the provision of loans (including the provision of loans by issuing credit cards); or
          2. that carries on a retail business in the course of which it issues credit cards to members of the public in connection with the sale of goods, or the supply of services, by the corporation; or
          3. that:
            1. carries on a business or undertaking involving the provision of loans (including the provision of loans by issuing credit cards); and
            2. is included in a class of corporations determined by the Commissioner to be credit providers for the purposes of this Act; or
        3. a person:
          1. who is not a corporation; and
          2. in relation to whom paragraph (b) would apply if the person were a corporation; or
        4. an agency that:
          1. carries on a business or undertaking that involves the making of loans; and
          2. is determined by the Commissioner to be a credit provider for the purposes of this Act.

        (1A) If an agency is a credit provider because of paragraph (1)(d), Part IIIA has effect in relation to the carrying on by the agency of a business or undertaking involving the making of loans despite anything in Part III or in the Freedom of Information Act 1982.

        (2) For the purposes of this Act, a corporation that would, but for this section, be a credit provider is not to be regarded as a credit provider if it is included in a class of corporations declared by the regulations not to be credit providers.

        (3) A determination under sub-subparagraph (1)(b)(v)(B) or subparagraph (1)(d)(ii) is to be made by notice in writing published in the Gazette.

        (4) A notice so published is a disallowable instrument for the purposes of section 46A of the Acts Interpretation Act 1901.

        (4A) Subsection (4B) applies to a person who carries on a business that is involved in one or both of the following:

        1. a securitisation arrangement;
        2. managing loans that are the subject of a securitisation arrangement.

        (4B) While a person to whom this subsection applies is performing a task that is reasonably necessary for purchasing, funding or managing, or processing an application for, a loan by means of a securitisation arrangement (being a loan that has been provided by, or in respect of which application has been made to, a credit provider):

        1. the person:
          1. is taken, for the purposes of this Act, to be another credit provider; and
          2. is subject to the same obligations under this Act as any other credit provider; and
        2. for the purposes of this Act, the loan is taken to have been provided by, or the application for the loan is taken to have been made to, both the person and the first-mentioned credit provider.

        (4C) Nothing in this Act prevents a report (within the meaning of subsection 18N(9)) to which section 18N applies being disclosed if:

        1. the disclosure is reasonably necessary for purchasing, funding or managing, or processing an application for, a loan by means of a securitisation arrangement (being a loan that has been provided by, or in respect of which an application has been made to, a credit provider); and
        2. the disclosure takes place between a person to whom subsection (4B) applies in relation to that loan and:
          1. the credit provider; or
          2. another person to whom that subsection applies in relation to that loan.

        (4D) A reference in subsection (4B) or (4C) to purchasing or funding a loan by means of a securitisation arrangement includes a reference to credit enhancement of the loan.

        (4E) A reference in subsection (4B) or (4C) to managing a loan does not include a reference to an act relating to the collection of overdue payments in respect of the loan if the act is undertaken by a person whose primary function in relation to the loan is the collection of overdue payments.

        (5) Subject to subsection (6), while a person is acting as an agent of a credit provider in performing, on behalf of the credit provider, a task that is necessary:

        1. in processing an application for a loan; or
        2. in managing:
          1. a loan given by the credit provider; or
          2. an account maintained by any person with the credit provider;
        the first-mentioned person:
        1. is taken, for the purposes of this Act, to be another credit provider; and
        2. is subject to the same obligations under this Act as any other credit provider.

        (6) Nothing in this Act prevents such an agent of a credit provider disclosing to the credit provider, in the agent's capacity as such an agent, a report (within the meaning of subsection 18N(9)) to which section 18N applies.

        (7) The reference in subsection (5) to the management of a loan does not include a reference to any act relating to the collection of payments that are overdue in respect of the loan.

        Endnotes

        1. http://www.privacy.gov.au/materials/types/codesofconduct/view/6787
        2. "Loan" is defined in section 6(1) of the Privacy Act.
        3. A "serious credit infringement" is defined in section 6(1) of the Privacy Act.
        4. Section 18E(8)(c) states that "a credit provider must not give to a credit reporting agency personal information relating to an individual if ... the credit provider did not, at the time of, or before, acquiring the information, inform the individual that the information might be disclosed to a credit reporting agency".
        5. Located at http://www.privacy.gov.au/materials/types/determinations/view/6741 .
        6. ACIF C541:2006 Credit Management, Appendix B, p. 34.
        7. . Section 18F(3)of the Privacy Act states that a credit provider must as soon as practicable inform the credit reporting agency that the individual has ceased to be overdue or contends that the individual is not overdue.
        8. Section 18E(8)(c) of the Privacy Act provides that a credit provider is not permitted to disclose consumer credit information about an individual to a credit reporting agency unless that individual was notified, at or before the time the information was obtained, that this might occur.
        9. Item 2.7 of the Code of Conduct provides that a credit provider may report an overdue payment to a credit reporting agency:
          1. once 60 days has elapsed since the day on which the payment was due and payable; and
          2. if the credit provider has sent a written notice to the last known address which: 
            1. advises the individual of the overdue payment and requests payment of the amount outstanding; or
            2. in the case of a joint debt where the parties concerned live at separate addresses and those addresses are known, advises the individuals against whom the overdue payment is to be recorded and requests payment of the amount outstanding.