Consultation Paper No. 2

Indigenous Business Australia

April 2006

The Office of the Privacy Commissioner is currently reviewing Credit Determinations. The Office has prepared this paper to assist individuals and organisations to prepare comments for part of that review. The Determination discussed in this paper is:

A determination issued under section 11B(1)(d)(ii) of the Privacy Act 1988 (Cwlth) and expiring on 30 October 2006:

• Determination 2005 No. 1 Privacy Act 1988, s.11B(1)(d)(ii) - concerning Indigenous Business Australia

This consultation paper is available from the Office''s web site or on request in hard copy.

Note that Consultation Paper No. 1 discusses Credit Provider Determination No. 2006-01 (Assignees) and Credit Provider Determination No. 2006-02 (Classes of credit providers).

Key date

Due date for comments 31 May 2006.

Contacts

General information: Hotline Ph: 1300 363 992 TTY: 1800 620 241 Contact Officer: Kara Birch Ph: 02 9284 9790 Email: creditconsultation@privacy.gov.auWebsite: www.privacy.gov.au Postal address: GPO Box 5218, Sydney NSW 2001

How to make comments

There is no specified format for comments. They can be presented in electronic or hardcopy formats or audio submissions using TTY.

Participants should not feel the need to address all the topics or be restricted to the issues which the topics raise. Participants are encouraged to provide data, examples, case studies, or other evidence to support the arguments presented in their comments.

Privacy collection statement

This Office will use the personal information it collects in the course of this Review only for the purpose of reviewing the Determinations. The Office may put comments received on its website or may list agencies, organisations or individuals who have commented.

If you do not want your comments posted on the website mark them as "Confidential". Requests for access to comments marked "Confidential" will be determined in accordance with the Freedom of Information Act 1982 (Cwlth).

Scope of the review

This is a general review of the current determinations concerning assignees, classes of credit providers and Indigenous Business Australia being a credit provider. This paper only deals with the determination in relation to Indigenous Business Australia. For the two other determinations refer to Consultation Paper No. 1.

The Office recognises that a review of these determinations may raise other issues which, whatever their validity, are not directly related to the definition of credit provider. At this stage, this Office's focus is on those matters covered by each of the determinations. We ask interested parties to keep this in mind when making comments.

We note that the Australian Law Reform Commission is currently conducting an inquiry into the extent to which the Privacy Act 1988 (Cth) and related laws continue to provide an effective framework for the protection of privacy in Australia. More information about that inquiry can be found at: http://www.alrc.gov.au/

In relation to the Indigenous Business Australia determination:

The purpose of the consultation is to ascertain stakeholders' views regarding the operation of the current determination, as well as previous determinations of a similar kind and whether another determination should be issued in relation to Indigenous Business Australia and, if so, for what period.

In the explanatory statement to the 2005 IBA Determination (attachment 1 to this paper) the Privacy Commissioner signalled an intention to with indigenous and other community groups on any new issues that may be relevant to the appropriateness of a longer term determination.

Table of contents

• A. Legislative Overview and Background
  • 1. Introduction
  • 2. Provisions for Credit Provider Determinations
  • 3. Background to the IBA Determination
  • 4. The Office's Experience
• B. Issues for Consideration
  • 1. Indigenous Business Australia's credit functions
  • 2. General questions
• C. Glossary of key terms
  • Credit
  • Credit Reporting Code of Conduct
  • Credit information file
  • Credit report
  • Credit reporting agency
  • Credit reporting business
  • Loan
• D. Attachment 1
  • Determination 2005 No. 1 Privacy Act 1988, s.11B(1)(d)(ii) - concerning Indigenous Business Australia
• EXPLANATORY STATEMENT
  • 1. PURPOSE
  • 2. REASONS FOR MAKING THE DETERMINATION
  • 3. LIST OF ATTACHMENTS
• Endnotes

A. Legislative Overview and Background

1. Introduction

The privacy aspects of consumer credit reporting in Australia, in effect since 1990, are regulated through Part IIIA of the Privacy Act 1988 (Cwlth), together with the Credit Reporting Code of Conduct (Code of Conduct) issued under section 18A of the Privacy Act.

Part IIIA of the Privacy Act provides safeguards for individuals in relation to consumer credit reporting. In particular, Part IIIA governs the handling of credit reports and other credit worthiness information about individuals by credit reporting agencies and credit providers. The Privacy Act ensures that the use of this information is restricted to assessing applications for credit lodged with a credit provider and other appropriate activities involved with giving credit.

Credit reporting agencies and credit providers may be required to comply with the National Privacy Principles in the Privacy Act in their dealings with commercial credit information. There are also some provisions in Part IIIA that relate to commercial credit information. However, in general, Part IIIA is aimed at consumer credit rather than commercial credit.

The Key requirements of Part IIIA include:

• Strict limits on the type of information which can be held on a person's credit information file by a credit reporting agency. There are also limits on how long the information can be held on file.
• Limits on who can obtain access to your credit file held by a credit reporting agency. Generally only credit providers may obtain access and only for specified purposes.
• Limits on the purposes for which a credit provider can use a credit report obtained from a credit reporting agency.
• Prohibition on disclosure by credit providers of credit worthiness information about an individual, including a credit report received from a credit reporting agency, except in specified circumstances.
• Rights of access and correction for individuals in relation to their own personal information contained in credit reports held by credit reporting agencies and credit providers.

Under section 18A(1) of the Privacy Act, the Privacy Commissioner is required to issue a Credit Reporting Code of Conduct (Code of Conduct)1 relating to credit information files and credit reports.

Section 18B obliges credit reporting agencies and credit providers to comply with the Code of Conduct. Under section 28A the Commissioner has the power to investigate an infringement of the Code of Conduct and conduct audits to ensure that it is being complied with.

For further information relating to the operation of Part IIIA of the Privacy Act please see: http://www.privacy.gov.au/law/act/credit/.

2. Provisions for Credit Provider Determinations

Section 11B(1)(d) of the Privacy Act allows the Privacy Commissioner to determine that an Australian Government agency that carries on a business or undertaking that involves the making of loans, is a credit provider.

"Credit" is defined in section 6(1) to mean a loan sought or obtained by an individual from a credit provider in the course of the credit provider carrying on a business or undertaking as a credit provider, being a loan that is intended wholly or primarily for domestic, family or household purposes.

"Commercial credit" is defined in section 6(1) to mean a loan sought or obtained by a person, other than a loan of a kind referred to in the definition of "credit" in the sub-section.

3. Background to the IBA Determination

Indigenous Business Australia (IBA) is a statutory authority established under Part 4 of the Aboriginal and Torres Strait Islander Commission Act 1989 (Cth) (the ATSIC Act). It is also a federal government agency subject to the Privacy Act. On 16 March 2005 the Australian Parliament passed the Aboriginal and Torres Strait Islander Amendment Bill 2005 transferring to IBA the Indigenous Housing Fund and Business Development Program formerly administered by the Aboriginal and Torres Strait Islander Commission (ATSIC).

By these measures, IBA assumed the housing and business loan functions formerly performed by, ATSIC, Aboriginal and Torres Strait Islander Services (ATSIS), and the Department of Employment and Workplace Relations (DEWR), respectively. The legislation effecting these changes came into force on 24 March 2005.

On 22 March 2005, IBA applied for a determination under s.11B(1)(d)(ii) of the Privacy Act to the effect that IBA carries on the business or undertaking that involves the making of loans and, as such, is a credit provider.

The Privacy Commissioner made Determination 2005 No. 1 Privacy Act 1988, s.11B(1)(d)(ii) - concerning Indigenous Business Australia (the IBA Determination) on 20 October 2005 (attachment 1 to this paper), taking effect on 31 October 2005.

ATSIC, ATSIS and DEWR at various stages shared responsibility as credit providers for the provision of loans under the Indigenous Housing Fund and the Business Development Program, respectively. Three determinations were issued to these agencies. These Determinations, which no longer apply, are:

• Credit Reporting Determination: 1999 No. 1 Privacy Act 1988, s.11B(1)(d) - concerning the Aboriginal and Torres Strait Islander Commission
• Determination 2003 No.3 Privacy Act 1988, s.11B(1)(d)(ii) - concerning the Aboriginal and Torres Strait Islander Services
• Determination 2004 No. 1 Privacy Act 1988, s.11B(1)(d)(ii) - concerning the Department of Employment and Workplace Relations

By being granted credit provider status under the terms of the IBA Determination, IBA is permitted to conduct credit reporting in accordance with Part IIIA of the Privacy Act. In particular, it is able to directly access an individual's credit report, held by a credit reporting agency, to assist assessing a loan application. If it needs to, IBA is also permitted to directly access a credit report in the course of collecting payments that are overdue and list either an overdue payment or a serious credit infringement, with a credit reporting agency.

4. The Office's Experience

The Office's records show no complaints against ATSIC, ATSIS, DEWR or IBA as credit providers under any of the relevant determinations.

B. Issues for Consideration

1. Indigenous Business Australia's credit functions

In considering IBA's application for a determination the Privacy Commissioner considered the following:

1. IBA performs the same lending functions in relation to the Indigenous Housing Fund and Business Development Program that ATSIC, ATSIS and DEWR, respectively, performed previously. The same considerations that were deliberated in the previous determinations (in 1999, 2003 and 2004 respectively)2 continued to be relevant to IBA's application.
2. IBA has advised that prudent lending policy is facilitated, inter alia, by timely access to a customer's credit report when it assesses a loan application and in cases where it is necessary to collect payments that are overdue. If IBA was not granted credit provider status it advises that, because some of its customers live in remote localities there could be a delay of six to eight weeks while customers apply to a credit reporting agency to obtain a copy of their credit report which the individual must then forward to IBA. Lastly, IBA would not be able to list with a credit reporting agency that a customer was overdue with a payment or had committed a serious credit infringement.
3. The timely provision of a customer's credit report to IBA assists a customer in establishing to the satisfaction of IBA that he or she has an established credit history and is an acceptable credit risk, and assists those customers to compete with other buyers on an equal footing in purchasing homes or businesses on the open market.
4. The Australian National Audit Office's (ANAO) has issued an audit report in relation to IBA including findings in relation to privacy issues3. In making the current determination the Commissioner, took into account undertakings made by IBA to implement recommendations made in the ANAO report.
5. The Social Justice Commissioner supported the proposed determination, and in particular, expressed the following main points:
   • IBA has a sound reputation for financial management.
   • IBA has not previously administered programs which necessitate the collection of personal data.
   • There is a potential for inconsistencies to exist in the treatment of personal information between regional Indigenous Coordination Centres unless there were clear administrative processes.
   • IBA has committed to implement the recommendations made in the ANAO audit report regarding privacy.

Q 1.1 Has the IBA Determination (and similar previous determinations) operated effectively and in accordance with the underlying obligations and purposes of the Privacy Act? Please provide evidence to support your answer.

Q 1.2 Is there any evidence as to the effect of the IBA Determination (and similar previous determinations) upon the privacy of those individuals affected by the Determinations?

2. General questions

Q 2.1 Should the IBA Determination be renewed?

Q 2.2 How long should any new determination last? Potential durations include 3, 5 or 10 years.

Q2.3 What might be the positive or adverse effects of renewing the IBA determination?

C. Glossary of key terms

Credit

Credit is defined in section 6(1) of the Privacy Act to mean: "…a loan sought or obtained by an individual from a credit provider in the course of the credit provider carrying on a business or undertaking as a credit provider, being a loan that is intended to be used wholly or primarily for domestic, family or household purposes".

Credit Reporting Code of Conduct

Under section18A(1) of the Privacy Act, the Privacy Commissioner is required to issue a Credit Reporting Code of Conduct (Code of Conduct) relating to credit information files and credit reports. In developing such a Code of Conduct, the Commissioner must, "…to the extent that it is appropriate and practicable", consult with government, commercial, consumer and other relevant bodies and organisations. Section 18B obliges credit reporting agencies and credit providers in mandatory terms to comply with the Code of Conduct. Under section 28A the Commissioner has the power to investigate an infringement of the Code of Conduct and conduct audits to ensure it is being complied with. The Code of Conduct is available at http://www.privacy.gov.au/materials/types/codesofconduct/view/6787 .

Credit information file

A credit information file is defined in section 6(1) of the Privacy Act: "…in relation to an individual, means any record that contains information relating to the individual and is kept by a credit reporting agency in the course of carrying on a credit reporting business (whether or not the record is a copy of the whole or part of, or was prepared using, a record kept by another credit reporting agency or any other person)".

Credit report

A credit report is defined in section 6(1) of the Privacy Act as any record or information, whether in a written, oral or other form, that:

1. is being or has been prepared by a credit reporting agency; and
2. has any bearing on an individual's:
   1. eligibility to be provided with credit; or
   2. history in relation to credit; or
   3. capacity to repay credit; and
3. is used, has been used or has the capacity to be used for the purpose of serving as a factor in establishing an individual's eligibility for credit.

Credit reporting agency

A credit reporting agency is defined in section 11A of the Privacy Act: "For the purposes of this Act, a person is a credit reporting agency if the person is a corporation that carries on a credit reporting business".

Credit reporting business

A credit reporting business is defined in section 6(1) of the Privacy Act: "Credit reporting business means a business or undertaking (other than a business or undertaking of a kind in respect of which regulations made for the purposes of subsection (5C) are in force) that involves the preparation or maintenance of records containing personal information relating to individuals (other than records in which the only personal information relating to individuals is publicly available information), for the purpose of, or for purposes that include as the dominant purpose the purpose of, providing to other persons (whether for profit or reward or otherwise) information on an individual's:

1. eligibility to be provided with credit; or
2. history in relation to credit; or
3. capacity to repay credit;

whether or not the information is provided or intended to be provided for the purposes of assessing applications for credit".

Loan

Loan is defined in section 6(1) of the Privacy Act as: "Loan means a contract, arrangement or understanding under which a person is permitted to defer payment of a debt, or to incur a debt and defer its payment, and includes:

1. a hire''purchase agreement; and
2. such a contract, arrangement or understanding for the hire, lease or renting of goods or services, other than a contract, arrangement or understanding under which:
   1. full payment is made before, or at the same time as, the goods or services are provided; and
   2. in the case of a hiring, leasing or renting of goods''an amount greater than or equal to the value of the goods is paid as a deposit for the return of the goods".

D. Attachment 1

Determination 2005 No. 1 Privacy Act 1988, s.11B(1)(d)(ii) - concerning Indigenous Business Australia

Under s.11B(1)(d)(ii) of the Privacy Act 1988, I DETERMINE that:

1. The Australian Government agency Indigenous Business Australia (IBA) is a credit provider for the purposes of the Privacy Act.
2. This determination shall take effect on 31 October 2005 and it shall lapse on 30 October 2006.
3. The following determination is revoked with effect from 31 October 2005:
   • Credit Reporting Determination: 1999 No.1 Privacy Act 1988, s.11B(1)(d) - concerning the Aboriginal and Torres Strait Islander Commission.

The background to, and reasons for, making Determination 2005 No.1 are set in the Explanatory Statement in regard to Determination 2005 No.1 Privacy Act 1988, s.11B(1)(d)(ii) concerning Indigenous Business Australia lodged for registration, together with this Determination, on the Federal Register of Legislative Instruments.

KAREN CURTIS Privacy Commissioner

20 October 2005

EXPLANATORY STATEMENT

in regard to

Determination 2005 No.1 Privacy Act 1988, s.11B(1)(d)(ii)- concerning Indigenous Business Australia

This explanatory statement has been drafted for the purpose of fulfilling the Office of Privacy Commissioner's obligations under s. 26(1) of the Legislative Instruments Act 2003.

1. PURPOSE

The purpose of Determination 2005 No.1 Privacy Act 1988, s.11B(1)(d)(ii)- concerning Indigenous Business Australia (Determination 2005 No.1) is to determine that the applicant, Indigenous Business Australia (IBA), is an Australian government agency that carries on the business or undertaking that involves the making of loans and, as such, is a credit provider pursuant to s.11B(1)(d)(ii) of the Privacy Act 1988 (the Privacy Act).

Determination 2005 No.1 revokes the current determination issued to the Aboriginal and Torres Strait Islander Commission (ATSIC) as it no longer performs lending functions as a credit provider in relation to the Indigenous Housing Fund and the Business development Program, respectively. The determination being revoked with the coming into effect of Determination 2005 No.1 is:

• Credit Reporting Determination: 1999 No.1 Privacy Act 1988, s.11B(1)(d) - concerning the Aboriginal and Torres Strait Islander Commission. (Note: this determination did not specify an expiry date).

Previous credit provider determinations issued in favour of the Aboriginal and Torres Strait Islander Services (ATSIS) and the Department of Employment and Workplace Relations (DEWR) in relation to lending to indigenous individuals specified that they both lapse on 9 October 2005.

By being granted credit provider status under the terms of the determination, IBA will be permitted to conduct credit reporting in accordance with Part IIIA of the Privacy Act. In particular, it will be able to directly access an individual's credit report, held by a credit reporting agency, to assess a loan application. If it needs to, IBA will also be permitted to directly access a credit report for the purpose of collecting payments that are overdue and list either an overdue payment or a serious credit infringement, with a credit reporting agency.

1.1 Provisions for Credit Provider Determinations

Section 11B of the Privacy Act defines "credit providers". Credit providers that can conduct credit reporting include banks and certain other private sector organisations. Section 11B(1)(d) also allows the Privacy Commissioner to determine that an Australian Government agency is a credit provider if it carries on a business or undertaking that involves the making of loans.

"Credit" is defined in section 6(1) to mean a loan sought or obtained by an individual from a credit provider in the course of the credit provider carrying on a business or undertaking as a credit provider, being a loan that is intended wholly or primarily for domestic, family or household purposes.

"Commercial credit" is defined in section 6(1) to mean a loan sought or obtained by a person, other than a loan of a kind referred to in the definition of "credit" in the sub-section.

Information on the definition of a "credit provider" and on the provision for making of a credit provider determination in favour of an Australian government agency is provided below at Section 1.2: "Authority for making this determination".

1.2 Authority for making this determination

Determination 2005 No.1 is made under s.11B(1)(d)(ii) of the Privacy Act. Section 11B(1)(d) states:

1. For the purposes of this Act … a person is a credit provider if the person is:
   1. an agency that:
      1. carries on a business or undertaking that involves the making of loans; and
      2. is determined by the Commissioner to be a credit provider for the purposes of this Act.

Section 28A(1) states that the Commissioner has the following function in respect of credit reporting:

1. to make such determinations as the Commissioner is empowered to make under section 11B or Part IIIA.

1.3 Application for a Credit Provider Determination

On 22 March 2005 IBA's solicitors, the Australian Government Solicitor (AGS), applied for a determination, under s.11B(1)(d)(ii) of the Privacy Act, to the effect that IBA carries on the business or undertaking that involves the making of loans and, as such, is a credit provider (Attachment A). AGS wrote again on 9 May 2005 and 22 August 2005 to clarify aspects of IBA's application (Attachment B). As part of the application process, IBA wrote to the Privacy Commissioner on 19 August 2005 responding to privacy issues raised in the Australian National Audit Office (ANAO) report 53 of 2004-05 (Attachment D).

IBA is a statutory authority established under Part 4 of the Aboriginal and Torres Strait Islander Commission Act 1989. It is also a federal government agency subject to the Privacy Act. On 16 March 2005 the Commonwealth Parliament passed the Aboriginal and Torres Strait Islander Amendment Bill 2005 giving IBA the Indigenous Housing Fund and Business Development Program formerly administered by ATSIC. By these measures, IBA assumed the housing and business loan functions formerly performed by ATSIC, ATSIS and DEWR, respectively. The legislation effecting these changes came into force on 24 March 2005.

ATSIC was abolished by an Act of Parliament on 16 March 2005. ATSIS was abolished on 1 July 2005. DEWR no longer performs any function as a credit provider in relation to the Business Development Program.

For these reasons, AGS advised that the current determinations relating to ATSIC, ATSIS and DEWR respectively (Determinations 1999 No. 1; 2003 No. 3; and 2004 No.1) are no longer required. AGS is also of the opinion that it is unlikely that any of the three determinations can be transferred legally for the benefit of IBA.

The application is for IBA to be granted credit provider status for a period of five years or until IBA ceases to administer the housing and business loan functions.

1.4 Documents incorporated by reference

The following documents are incorporated by reference to them and are attached as appendices to this statement.

• Letter dated 22 March 2005 from IBA's solicitors, AGS, applying for a determination under s.11B(1)(d)(ii) of the Privacy Act (Attachment A).
• Letter dated 9 May 2005 from AGS clarifying aspects of the application (Attachment B).
• Letter dated 5 July 2005 from the Aboriginal and Torres Strait Islander Social Justice Commissioner (Social Justice Commissioner) of the Human Rights and Equal Opportunity Commission regarding consultation on the determination (Attachment C).
• Letter dated 19 August 2005 from IBA responding to privacy issues raised in the ANAO report 53 of 2004-05 (Attachment (D).
• Letter dated 22 August 2005 from AGS further clarifying aspects of the application (Attachment E).

2. REASONS FOR MAKING THE DETERMINATION

2.1 Background to the application for a determination

ATSIC, ATSIS and DEWR at various stages shared responsibility as credit providers for the provision of loans under the Indigenous Housing Fund and the Business Development Program, respectively. Three determinations were issued to these agencies. Details of these determinations, which no longer apply are as follows.

2.1.1 ATSIC credit provider determination

On 16 November 1999, Determination 1999 No.1 was made under section 11B(1)(d)(ii) of the Privacy Act to the effect that the ATSIC was a credit provider for the purposes of the Privacy Act (Attachment F).

For the purposes of that Determination, the Office consulted widely on a number of issues and received advice from the Social Justice Commissioner. Both the issues and the advice received are detailed in the Reasons for Determination forming part of Determination 1999 No. 1.

In making Determination 1999 No.1, a number of factors, as detailed in the Reasons for Determination, were taken into account. They included that ATSIC:

• has a statutory function of making loans to individuals under the Aboriginal and Torres Strait Islander Commission Act 1989 (the ATSIC Act) and the making of such loans formed a core part of ATSIC's business;
• made loans on a basis that equated with the 'normal commercial practice' of other credit providers and that being a credit provider would greatly improve the efficiency of ATSIC's loans procedures.

2.1.2 ATSIS credit provider determination

On 26 September 2003, Determination 2003 No.3 was made under section 11B(1)(d)(ii) of the Privacy Act to the effect that the ATSIS was a credit provider for the purposes of the Privacy Act (Attachment G).

ATSIS was established as a federal Executive Agency under the Public Service Act 1999, and as a prescribed agency under the Financial Management and Accountability Act 1997 with effect from 1 July 2003. ATSIS is subject to the provisions of the Privacy Act.

Pursuant to these legislative arrangements, ATSIS:

• had assumed, on a temporary basis, the financial responsibility for many of the programs formerly administered by ATSIC;
• ATSIC, however, retained responsibility for the housing loans program under the ATSIC Act;
• subject to the making of this determination, it was intended that ATSIS would:
  • make all new business loans, which were made previously by ATSIC, on behalf of the Australian Government;
  • make such loans in accordance with sound commercial practice and within the constraints of the definition of 'commercial credit' in section 6 of the Privacy Act; and
  • administer existing ATSIC business loans, under the terms of an agreement between ATSIC and ATSIS, paying all monies recovered regarding ATSIC's pre-July 2003 loans into an ATSIC bank account.

Consultation with Social Justice Commissioner

The views of the Social Justice Commissioner were sought and received regarding the application by ATSIS. The effect of the Social Justice Commissioner's advice was that:

• the arrangements between ATSIC and ATSIS were temporary, pending a final decision by the Australian Government as to the future of ATSIC and ATSIS;
• the same considerations relating to ATSIC's earlier application for credit provider status then applied to the application by ATSIS; and
• the Social Justice Commissioner supported a similar credit provider determination being made for ATSIS as had been made for ATSIC.
• Conclusions regarding ATSIS application

On the advice then received, it was concluded, inter alia, that:

• as a result of the transfer of some of ATSIC's responsibilities to it, ATSIS would be carrying on a business or undertaking that involved the making of loans;
• the same considerations that had supported the making of Determination 1999 No. 1, concerning ATSIC, applied to the application by ATSIS;
• it would be in the interests, then, of both ATSIS and its clients, for ATSIS to have credit provider status in carrying on the business of making loans for the purposes of the Privacy Act; and
• since ATSIS had advised that the arrangements with ATSIC might be temporary, the life of the determination should not be open-ended, but should be the subject of further review when the administrative arrangements of ATSIS were settled A period of two years commencing 9 October 2003 was considered appropriate for this purpose.

Accordingly, these findings were made:

• ATSIS had satisfied the criteria set out in s.11B(1)(d)(i) of the Privacy Act.
• having regard to the matters identified above, it was substantially in the public interest for the determination sought by ATSIS to be made under s.11B(1)(d)(ii).
• The Determination 2003 No.3 will lapse on 9 October 2005.

2.1.3 Department of Employment and Workplace Relations credit provider determination

On 2 September 2004, Determination 2004 No.1 was made under section 11B(1)(d)(ii) of the Privacy Act to the effect that DEWR was a credit provider for the purposes of the Privacy Act (Attachment H).

It was the Privacy Commissioner's understanding that in April 2004 the Australian Government announced the following legislative proposals:

• the responsibility for ATSIC and ATSIS programmes and functions would be transferred to "mainstream agencies" including DEWR.
• the Australian Government would abolish ATSIC and ATSIS.
• the responsibility for the Business Development Program formerly administered by ATSIC and (from 1 July 2003) by ATSIS would be transferred to DEWR.
• the administration of the Business Development Program would be transferred to a new statutory corporation, IBA, established under Part 4 of the ATSIC Act.

Since 1 July 2004, ATSIS retained a "residual role" in relation to the Business Development Program. It continued to administer loans made before 1 July 2003 on behalf of ATSIC, whereas DEWR assumed the function of administering the Business Development Program.

DEWR applied for separate credit provider status to enable it to perform its loan functions under the Business Development Program.

Consultation with Social Justice Commissioner

For the purposes of DEWR's application, the Social Justice Commissioner was consulted on the proposed determination. The Social Justice Commissioner did not express any concerns regarding the making of the determination.

Conclusions regarding DEWR's Application

On the advice received it was concluded, inter alia, that:

• for the time being, ATSIC and ATSIS should retain their credit provider status under Determination 1999 No.1 and Determination 2003 No.3.
• pending the final resolution of the three agencies future and their loan-making functions and a subsequent review of their credit provider status at an appropriate time, both ATSIC and ATSIS should continue to retain that status.
• similar considerations applied to DEWR's application as were applied to the previous applications which resulted in the Determinations 1999 No.1 and 2003 No.3. These considerations included the outcomes from the consultations conducted with the then Social Justice Commissioner and with other relevant stakeholders.
• given the reasons advanced in support of the applications by ATSIC and ATSIS and the findings that it was in the public interest for determinations to be made granting credit provider status to ATSIC and ATSIS, it followed that, since DEWR performs those same loan functions, there was adequate support for DEWR's application.
• since DEWR advised that the arrangements giving rise to the determination were temporary, the determination would be for a period of two years lapsing on 9 October 2005.

Accordingly, these findings were made:

• DEWR satisfied the criteria set out in section 11B(1)(d)(i) of the Privacy Act.
• it is substantially in the public interest for the determination sought by DEWR to be made under section 11B(1)(d)(ii) to the effect that it is a credit provider for the purposes of the Privacy Act.
• this determination will be referred to as Determination 2004 No.1 Privacy Act 1988 s.11B(1)(d)(ii).
• the determination should lapse, unless continued by a further determination by the Privacy Commissioner, on 9 October 2005.
• subject to any application under s.11B(1)(d)(ii) of the Privacy Act before 9 October 2005 appropriate community consultations into the on-going applicability and suitability of this determination and the related Determinations 1999 No.1 and 2003 No. 3 would be conducted.

2.2 Consultation with the Social Justice Commissioner

For the purposes of IBA's application, the Privacy Commissioner consulted with the Social Justice Commissioner on the proposed determination. The Social Justice Commissioner responded on 5 July 2005 and supported the Privacy Commissioner's proposal to conduct community consultations on the appropriateness of issuing IBA with a longer term determination of credit provider status (Attachment C).

With regard to the Privacy Commissioner's proposal to issue an interim 12 month determination the Social Justice Commissioner expressed the following main points:

• IBA, which was known as the Commercial Development Corporation prior to 2001, has a sound reputation for financial management.
• IBA has not previously administered programs which necessitate the collection of personal data.
• There is potential for inconsistencies to exist in the treatment of personal information between regional Indigenous Coordination Centres unless there are clear administrative processes.
• The Home Ownership Program (HOP) as administered until recently by ATSIS on behalf of ATSIC was audited by the ANAO (Performance Audit Report 53, 2004-05) (ANAO audit report). This report found that "the management and protection of client information did not meet the requirements of the Privacy Act 1988" and that new arrangements for administering the program need to be finalised to ensure compliance with the Act.
• IBA has agreed with the recommendations made in the report regarding privacy and is committed to their implementation.

During the duration of the new determination the Privacy Commissioner proposes to undertake consultation with indigenous and other community groups on any new issues that may be relevant to the appropriateness of a longer term determination being issued. Such review will be completed prior to the expiry of the new interim determination.

2.3 Issues raised by the Applicant

2.3.1 Credit provider determinations

IBA's lawyers advised that it in its view IBA could not legally take the benefit of the existing credit provider determinations by transfer. It submitted that without a credit provider determination, or any delay in granting credit provider status, can be expected to slow the approval of loans by six to eight weeks. In that event customers will be asked by IBA to apply to a credit reporting agency to obtain a copy of their credit report which the individual must then forward to IBA. Without a determination, or a delay in being granted credit provider status, IBA considered that its ability to administer its functions is significantly constrained.

IBA submitted that the Privacy Commissioner could issue a determination that it is a credit provider in relation to both housing and business loans and set that determination to expire once the Office has conducted a consultation process with indigenous and other groups.

The application is for IBA to be granted credit provider status for a period of five years or until IBA ceases to administer the housing and business loan functions.

2.3.2 Response to privacy issues in the ANAO audit report

IBA advised that it assumed the loans functions after the field work for the ANAO audit report was completed. In relation to the following privacy findings in the ANAO audit report, IBA made the following response to the Privacy Commissioner:

• ANAO recommended that HOP management includes detailed statements on all forms collecting personal information by potential or actual applicants about the purpose and authority for the collection of the information. (ANAO recommendation No 2 (point 1):

  IBA response: Agreed. IBA will incorporate purpose and authority statements on all forms which collect customer information. These statements will meet the specifications in IPP 2 of section 14 of the Privacy Act. The statements will include a notice advising individuals that information may be disclosed to a credit reporting agency, as required by paragraph 18E(8)(c) of the Privacy Act.

• ANAO recommended that HOP management establishes with the Indigenous Coordination Centres, where Housing Loans Units operate, appropriate arrangements for the storage and security of HOP client information. (ANAO recommendation No 2 (point 2).

  IBA response: Agreed. IBA has written to the Office of Indigenous Policy Coordination to reiterate the programme's requirements in relation to the Privacy Act and the need to have appropriate facilities for the collection and storage of customer information.

• ANAO noted that appropriate training critical in ensuring HOP staff use the ATSIC Loans System (ALS) database capabilities and provide the best possible service to indigenous clients (paragraph 4.38 of the audit report). With the proposed update of HOP's funding procedures manual, there will be a need to review the ALS operating guide and to provide training to loans officers in the specific application of the revised HOP policies and procedures (paragraph 4.45 of the audit report).

  IBA response: IBA is conscious of the need to ensure its staff are well trained in the use of its loan systems, including ALS. Any update to the HOP funding procedures manual and subsequent revision to the ALS operating guide will be accompanied by appropriate training for staff that use the ALS.

2.4 Public interest and other relevant considerations

In considering the application, the Privacy Commissioner took account a number of factors:

1. IBA is a newly established federal government agency performing the same lending functions in relation to the Indigenous Housing Fund and Business Development Program that ATSIC, ATSIS and DEWR, respectively, performed. The same public interest considerations that were deliberated in the previous determinations (Determinations 1999 No. 1, 2003 No. 3 and 2004 No.1 respectively) continue to be relevant to IBA's application;
2. Part IIIA of the Privacy Act regulates consumer credit and, in limited circumstances, commercial credit. Given that a majority of IBA's business is to lend money to individuals for housing purposes and also for commercial purposes, the provision of a credit provider determination to IBA will enable it to undertake credit reporting in respect of both consumer and commercial credit;
3. If IBA is not granted credit provider status there will be a delay of six to eight weeks while customers apply to a credit reporting agency to obtain a copy of their credit report which the individual must then forward to IBA. If an individual falls into arrears IBA will be dependant on the individual to provide it with a copy of a credit report (with attendant delays) and IBA will not be able to compel its production. Lastly, IBA will not be able to list an individual with a credit reporting agency that he or she is overdue with a payment or has committed a serious credit infringement;
4. It is in the public interest that IBA have direct access to the credit reporting system regulated by Part IIIA of the Privacy Act for the following reasons. IBA's prudent lending policy is facilitated, inter alia, by timely access to a customer's credit report when it assesses a loan application and in cases where it is necessary to collect payments that are overdue. The timely provision of a customer's credit report to IBA assists a customer in establishing to the satisfaction of the lender that that individual has an established credit history and is an acceptable credit risk. The timely approval of a loan application in this way by IBA assists individuals compete with other buyers on an equal footing in purchasing homes or businesses on the open market;
5. As many of IBA's customers live in remote locations it is likely that approval of their loan applications by IBA will be slowed by six to eight weeks while they seek access to their credit reports from a credit reporting agency during the period while the Office conducts community consultation on IBA's application. After consulting with the Social Justice Commissioner, the Privacy Commissioner has formed the view that the determination should be issued for 12 months. This determination of 12 months duration will enable IBA to access the credit reporting system to conduct its business. It will also minimise inconvenience to loan applicants.
6. IBA has agreed to comply with the ANAO's audit report findings into privacy (see 2.3.2 above). The ANAO also recommended that IBA undertake an assessment of the impacts, to client's privacy, associated with the inappropriate access or disclosure of information collected by HOP (recommendation No 1 (point 1)). Although IBA did not comment directly to the Privacy Commissioner on this recommendation it agreed with the recommendation in the published ANAO audit report (paragraph 2.33 of the audit report). Having carefully considered the findings and recommendations made in the ANAO audit report regarding privacy and IBA's commitments to implement them, the Privacy Commissioner was persuaded that IBA's undertakings coupled with the public interest meant that a credit provider determination should not be refused solely on the grounds of the findings in the ANAO audit report. The Office will review progress in the implementation of these undertakings by IBA prior to the consideration of a longer term credit provider determination.

On all the material outlined in the conclusions regarding IBA's application for a determination, the Privacy Commissioner concluded that it was substantially in the public interest for IBA to have credit provider status in carrying on the business of making loans for the purposes of the Privacy Act.

The Privacy Commissioner also concluded that Credit Reporting Determination 1999 No.1 should be revoked as ATSIC was abolished on 24 March 2005 by the Aboriginal and Torres Strait Islander Commission Amendment Act 2005.

3. LIST OF ATTACHMENTS

[The attachments are not included in this consultation paper. For a full copy of the Explanatory Statement, including attachments, please see

• http://www.comlaw.gov.au/... ]

Endnotes

1. http://www.privacy.gov.au/materials/types/codesofconduct/view/6787
2. For more information relating to the previous determinations please refer to Attachment 1.
3. See Performance Audit Report 53, 2004-05 at http://www.anao.gov.au