Case Citation: I v Major wholesaler [2003] PrivCmrA 7

Subject Heading: Unauthorised access to credit reports held by a credit reporting agency

Law: Sections 18S, 18K of the Privacy Act 1988, Paragraph 37, Explanatory Notes to the Credit Reporting Code of Conduct.

Facts

The complainant alleged that her ex partner's current girlfriend used her position with a major supplier of products on two occasions to access the complainant's credit report to check her financial position. The complainant had not made an application for credit with the company. The complainant became aware of the unauthorised accesses listed on her credit report after she had made an application with her bank for a mortgage and her bank manager conducted a credit check for the mortgage and noted the two enquiries listed by the company.

Issues

Paragraph 37 of the Explanatory Notes to the Credit Reporting Code of Conduct states that a credit provider may only obtain access to a credit report issued by a credit reporting agency if the credit provider is permitted by law to be given the information by the agency.

Section 18K of the Act provides that a credit reporting agency must not disclose personal information contained in the file to a person, body or agency (other than the individual) unless certain exceptions apply. Generally speaking, those exceptions cover when a person makes an application for credit and a credit provider is using the information in the report to assess the application.

Section 18S of the Act provides that a person must not obtain access to an individual's credit information file in the possession or control of a credit reporting agency unless the access is authorised by the Act. Section 18S also includes a penalty provision where there is an intentional contravention of that section.

Outcome

The company is a credit provider under the Act and has a legitimate need for access to, and use of credit reports when people apply for credit for the goods and services it offers. When it was advised of the complaint to the Office of the Privacy Commissioner the company conducted an internal investigation into how the enquiries in the company's name came to be on the complainant's credit report.

The company investigated the employee's actions and its response acknowledged that the employee did access the credit reporting agency's database that included information about the complainant and that the access was not for an authorised purpose under the Privacy Act.

The company recognised that there were potential problems regarding access to, and use of personal information held by credit reporting agencies through its credit application procedures. The company consolidated its credit applications functions into one specialised department in its Sydney office. Previously, four separate divisions, that operated in a number of States, had access to the credit reporting database to assess credit applications. The employee was counselled about her actions and has since left the company. The company also offered the complainant its apologies and agreed to pay compensation of $7,500 for the interference with her privacy.

The investigation was closed under s.41(2)(a) of the Privacy Act, on the grounds that the credit provider had adequately dealt with the matter.

OFFICE OF THE PRIVACY COMMISSIONER JUNE 2003