Case Citation: H v Credit Provider[2004] PrivCmrA18

Subject Heading: Unauthorised payment default listed on consumer credit information file and credit reporting offences

Law: Sections 18E(1)(b)(i), 18E(8)(a), 18E(8)(b), 18G(a), 18S, 18T and 49 of the Privacy Act 1988 (Cth) paragraph 2.5 of the Credit Reporting Code of Conduct.

Facts: The complainant applied to be engaged as a consultant with the respondent. In the course of the application he was asked to complete a standard loan form rather than a form specific to his engagement as a consultant. The complainant later found that that the respondent had accessed his consumer credit information file.

Issues: Sections 18S, 18T and 49 Section 18 S provides that it is an offence to obtain unauthorised access to consumer credit files or credit reports. Section 18 T provides that it is an offence to obtain access to consumer credit information files or credit reports by false pretences. Section 49 provides that the Privacy Commissioner must inform the Police or the Director of Public Prosecutions if he or she is satisfied that credit reporting offences may have been committed.

The Commissioner opened an investigation into this matter and asked the respondent to address the allegations. The respondent provided a copy of the form but failed to address the allegations. However, on the basis of the information obtained the Privacy Commissioner formed the view that the respondent may have committed offences under sections 18S and 18T of the Privacy Act 1998 (Cth). The investigation was suspended and the complaint referred to Australian Federal Police in accordance with section 49.

The Australian Federal Police conducted an investigation into the matter and found that records pertaining to former consultants had been destroyed and that no documentary evidence could be found to prove that the credit checks were conducted under false pretences. The Australian Federal Police advised that it did not have enough evidence to prosecute the respondent and the Commissioner then recommenced investigation of this matter and sought further information from the respondent about the allegations.

Section 18E(1)(b)(i)

Section 18E specifies the permitted contents of consumer credit information files; and allows, at section 18E(1)(b)(i) information to be recorded that is a record of both a credit provider having sought a credit report in relation to an individual in connection with an application for credit or commercial credit made by the individual to the credit provider; and the amount of credit or commercial credit sought in the application.

Section 18E(8)(a) provides that a credit provider must not provide a credit reporting agency with personal information if the credit reporting agency is prohibited under s18E(1) from including the individual's information in the credit information file. Section 18E(8)(b) provides that a credit provider must not provide a credit reporting agency with personal information unless it has reasonable grounds to believe that the information is correct. Section 18G(a) provides that a credit provider or a credit reporting agency in possession or control of a credit report must take reasonable steps to ensure that personal information contained in the file or report is accurate, up-to-date, complete and not misleading.

The Credit Reporting Code of Conduct made under section 18A supplements the credit reporting provisions of Part IIIA on matters of detail not addressed by the Act. Paragraph 2.5 provides that where a credit provider becomes aware that it has given inaccurate information to a credit reporting agency, it must immediately inform the credit reporting agency that the information is incorrect.

The Commissioner's investigation revealed that the complainant's consumer credit information file contained a record of an enquiry by the respondent in relation to a real property mortgage for an unspecified amount. The respondent organisation told the Privacy Commissioner that the complainant had been made aware that each consultant would be provided with a loan for payment of his or her share of professional indemnity insurance, and that as a condition of granting the loan each consultant would be required to undertake a credit check. The respondent denied the complainant's allegation that he was told that the information on the form would only be used for employment purposes.

The Commissioner's investigation found that the terms of engagement did not refer to professional indemnity insurance. The respondent company was asked to provide evidence that it paid for the complainant's indemnity insurance and that the complainant was required to repay his share of the insurance, but it failed to do so. The respondent also failed to produce evidence of a contract, agreement or understanding between itself and the complainant for the provision of a loan.

In addition to arguing that complainant was aware of and consented to the loan application for the purpose of contributing to the indemnity insurance, the respondent also argued that the credit given was commercial credit, and its 'mistake' was merely listing it on the complainant's consumer file. The Commissioner found that that no such arrangement was in place, and that the complainant had not obtained a loan for professional indemnity insurance with the respondent. The respondent could not supply contemporaneous evidence of a commercial loan with the respondent. In any case, the Commissioner formed the view that the provision of professional indemnity insurance did not fall within the definition of 'credit' for the purposes of the Act.

At the conclusion of the investigation the Privacy Commissioner formed the view that the conduct complained about did not comply with the requirements in section 18E(8)(a) of the Act, because the respondent had provided information a credit reporting agency which was not information relating to the complainant's application for credit as required under section 18(E)(1)(b)(i). The Commissioner also formed the view that the respondent was aware that it had provided inaccurate information to the credit reporting agency.

The Commissioner therefore formed the view that the information provided by the respondent to the credit reporting agency was incorrect and that it had failed to take steps to ensure that the information was accurate, up-to-date and not misleading, thereby breaching section 18E(8)(b) and 18G(a) respectively. The Commissioner also formed the view that by providing incorrect information to the credit reporting agency the respondent had breached paragraph 2.5 of the Credit Reporting Code of Conduct.

Outcome: The Commissioner found that the respondent had breached sections 18E(8)(a), 18E(8)(b), 18G(a) of the Privacy Act and Paragraph 2.5 of the Credit Reporting Code of Conduct by accessing the complainant's consumer credit information file and listing an enquiry on it. Following conciliation, the respondent agreed to advise the credit reporting agency that the information it supplied regarding the complainant was inaccurate. It also agreed to pay the complainant $2,500 as full and final payment in resolution of the complaint and offered a no admissions apology.

The Commissioner then closed the complaint under section 41(2)(a) on the grounds that the respondent had adequately dealt with the complaint.

OFFICE OF THE PRIVACY COMMISSIONER December 2004