Site Changes

On 1 November 2010 the Office of the Privacy Commissioner was integrated into the Office of the Australian Information Commissioner and a new website established at www.oaic.gov.au.

Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.

Types

Topic(s): Credit and finance | Telecommunications

Q v Credit Provider [2008] PrivCmrA 17

document icon pdf (27.76 KB)

Case Citation:

Q v Credit Provider [2008] PrivCmrA 17

Subject Heading:

Unauthorised access to consumer credit information files or credit reports by a credit provider

Law:

Section 18S and section 18J(1) of Part IIIA of the Privacy Act 1988 (Cth)

Facts:

The complainant alleged that when they obtained a copy of their consumer credit information file (credit file), they found that a telecommunications company with whom they had previously had an account was listed as having accessed their credit file. That access occurred as recently as several months prior to the complaint being made, yet the complainant claimed that they had not had an account with the telecommunications company for a number of years and there was no valid reason for the company to have accessed their credit file.

The complainant contacted the telecommunications company to enquire as to the reason it had accessed their credit file. The complainant was advised that the telecommunications company had accessed their credit file as part of 'routine check on all current and past members'.

The complainant was dissatisfied with this explanation and made a complaint to the Privacy Commissioner.

Issues:

Section 18S of the Privacy Act places restrictions on the circumstances in which a credit provider can access an individual's consumer credit information file. It permits access to credit files in the possession of a credit reporting agency where authorised by the Privacy Act.

Additionally, explanatory note thirty-seven (37) of the Credit Reporting Code of Conduct states that a credit provider may only obtain access to a credit report issued by a credit reporting agency if the credit provider is permitted by law to be given the information by the credit reporting agency.

Section 18J(1) of the Act requires that credit providers take reasonable steps to ensure that the personal information contained within individuals' consumer credit report is accurate, up-to-date, complete and not misleading.

Outcome:

The Privacy Commissioner opened an investigation into the matter under section 40(1) of the Privacy Act.

The Privacy Commissioner formed the view that although section 18S of the Act places restrictions on the circumstances in which a credit provider can access an individual's consumer credit information file, section 18J(1) of the Act requires that credit providers take reasonable steps to ensure that the personal information contained within individuals' consumer credit report is accurate, up-to-date, complete and not misleading.

In fulfilling its obligation under section 18J(1), the Privacy Commissioner does not consider it unusual or inappropriate for a credit provider to access that portion of an individual's consumer credit information file that relates specifically to a default listing recorded by that credit provider.

Investigation revealed that in this instance, the telecommunications company accessed only that part of the complainant's credit file that related to the default listing made by the telecommunications company.

Further, the telecommunications company advised that it had not accessed that part of the credit file for the purposes of 'routine check on all current and past members' as it had initially advised the complainant. Instead, it had specifically reviewed a number of already listed defaults to ensure that the listings were accurate, complete, up-to-date and not misleading, in accordance with section 18J of the Privacy Act. The default the telecommunications company had listed on the complainant's credit file several years earlier, was one of those being reviewed.

The Privacy Commissioner formed the view that the circumstances in which the telecommunications company had accessed the complainant's credit file were authorised by section 18J(1) of the Privacy Act, and therefore the telecommunications company was not in breach of section 18S of the Privacy Act.

The Commissioner closed the investigation of the complaint under section 41(1)(a) of the Privacy Act, on the basis that there had in the circumstances described been no interference with the complainant's privacy.

OFFICE OF THE PRIVACY COMMISSIONER

June 2008