Submission Home | Executive Summary | Submission Summary | Summary of Positions | Part A | Part B | Part C | Part D | Part E | Part F | Part G | Part H | Part I | Part J | Bibliography
1. In chapter 48, the ALRC provides an overview of credit reporting, describing the role of credit reporting, the background to national regulation of credit reporting in Australia and the legislative history of the credit reporting provisions in the Privacy Act 1988 (Cth) (Privacy Act).
2. While no specific proposals flow from this chapter, the Office notes what it sees as two key points that the ALRC has covered in chapter48 that it believes should be emphasised in considering proposals for the reform of Australia's credit reporting system.
3. First, the Office notes that the Australian experience of self-regulation of the credit reporting industry was seen as ineffective[345] and that there is ‘a near universal view that the practice of credit reporting should be regulated'.[346]
4. Second, the Office notes that strong privacy concerns about industry proposals for the expansion of the credit reporting system, particularly the inclusion of ‘positive' information such as an individual's current credit accounts and repayment history, provided the momentum for the introduction of the credit reporting provisions in Part IIIA of the Privacy Act. Although the credit reporting amendments were introduced almost 20 years ago, the Office notes that the community continues to have strong concerns about the privacy of their financial information.[347] The research conducted by the Office indicates that Australians are more concerned about providing their financial information to businesses, than any other information.[348]
1. In chapter 49, the ALRC provides an overview of the credit reporting provisions of the Privacy Act 1988 (Cth) (Privacy Act).
2. While no specific proposals flow from this chapter, to expand slightly on the ALRC's overview of the credit reporting provisions, the Office notes that it has published a series of Credit Reporting Fact Sheets[349] on the application of the credit reporting provisions as well as the Credit Reporting Advice Summaries (2001).[350] The advice summaries compile selected written advice given by the Office since the start of Part IIIA of the Privacy Act in September 1991. The fact sheets and advice summaries provide an important indication of how the credit reporting provisions have been interpreted or applied to specific industry practices.
1. The Office agrees with proposal 50-1.
2. The proposal accords with the Office's response to the ALRC's Issues Paper32 (IP 32), that Part IIIA of the Privacy Act 1988 (Cth) (Privacy Act) be repealed. The Office also recommended that credit reporting be regulated under the NPPs in the Privacy Act and a binding credit code.[351] The Office discusses under proposal 50-2 that the handling of credit reporting information should be promulgated in regulations under the Privacy Act.
Small business operators - exemption under the Privacy Act
3. The Office notes that, with the repeal of Part IIIA of the Privacy Act, credit providers and credit reporting agencies that are small business operators would need to be brought within the coverage of the Privacy Act. This would ensure that those entities would be bound by the general provisions of the Act and the proposed UPPs regulating credit reporting should the small business exemption remain in place.
4. As discussed in chapter 35 of this submission, the Office does not support the ALRC's proposal35-1 to remove the small business exemption.
5. Currently, credit providers that are small business operators are regulated by Part IIIA of the Privacy Act in respect of credit reporting but are not necessarily covered by the National Privacy Principles (NPPs) in respect of their information handling activities more generally.
6. In supporting proposal 50-1, the Office submits that regulations would need to be made under section6E of the Privacy Act to prescribe credit providers, credit reporting agencies and mercantile agents that are small business operators to be treated as an organisation for the purposes of the Privacy Act.
7. In its submission to IP32, the Office noted some existing gaps in requirements on credit providers that are small business operators. For example, because section18G of Part IIIA of the Privacy Act applies only in respect of security of credit information files and credit reports, those credit providers not bound by the NPPs do not have obligations under NPP4 to keep credit worthiness information secure.[352] Another example of a gap referred to in the Office's submission are mercantile agents who are small business operators and receive the personal information of a debtor under section 18N(1)(c) of the Privacy Act. Such small business operators do not have any privacy obligations either under Part IIIA or the NPPs.[353]
8. The Office understands the intent of proposal 50-2. However, the Office's preferred position, as submitted in response to IP32, is that such privacy rules should be set out in a binding credit code issued by the Privacy Commissioner as a legislative instrument.[354] In this regard, the Office notes that proposal 44-10 is to empower the Privacy Commissioner to develop and impose binding codes.
9. The Office considers that a binding credit reporting code made under the Privacy Act will achieve similar benefits to using regulations, as outlined in the Office's response to IP32. This includes:
10. However, the Office is concerned to ensure that the increased regulatory flexibility achieved by moving prescriptive credit reporting requirements from the Privacy Act into subordinate legislation is balanced with appropriate consultation and deliberation mechanisms.
11. This is particularly important in light of DP 72's proposal 3-1 to allow regulations under the Privacy Act to modify the proposed UPPs and impose more or less stringent requirements on agencies or organisations than are provided for in the UPPs.[356] The Office has not supported a general regulation making power permitting derogation from the principles, suggesting instead that derogation should only be permitted in regard to specific and well defined matters, and where accompanied by compensatory measures.
12. In this regard, the Office suggests that the ALRC consider whether:
Content of Regulations
13. The Office emphasised in its response to IP32, that the current protections provided to personal information held by credit reporting agencies and credit providers currently underpinned by Part IIIA of the Privacy Act and the Credit Reporting Code of Conduct should not be downgraded by any approach to reform that may be proposed.[358]
14. The Office notes the ALRC's proposal 50-11 that a credit reporting industry code will supplement the regulatory framework. The ALRC proposes that such matters as reciprocity in credit reporting, obligations to report information consistently and other relevant operational matters should be covered by such a code. So as to ensure that current privacy protections are not diminished, the Office is concerned to ensure that content currently covered in Part IIIA of the Privacy Act and most appropriately covered by regulations in future is not shifted to the voluntary industry code.
15. The Office agrees with the ALRC's view that in drafting the credit reporting regulations, the existing provisions of Part IIIA of the Privacy Act (together with the Credit Reporting Code of Conduct) remain an appropriate starting point. Moreover, the Office agrees with the ALRC that in the interests of maintaining privacy protection and minimising the transition costs to industry of new credit reporting regulations, any significant departure from the policy framework of Part IIIA needs to be justified. [359]
Binding codes in addition to regulations
16. The Office notes the ALRC's proposal 44-10 to empower the Privacy Commissioner to issue binding codes.
17. Notwithstanding the proposed credit reporting regulations, the Office suggests that there may be circumstances where a binding code is necessary to regulate particular aspects of credit reporting or parts of the industry (for example, to respond to the impact of developing technologies in relation to credit reporting).[360]
18. The Regulations should not preclude additional obligations on (some or all) credit reporting agencies and credit providers with respect to the handling of credit reporting information being imposed by a binding code. The Office is conscious that as much as possible this process should avoid fragmentation and additional layers of regulation.
19. The Office agrees in principle with proposal 50-3.
20. Although the Office called for a binding credit code issued by the Privacy Commissioner, the proposal generally accords with the Office's response to IP32. In particular, the Office noted in its submission that structural reform of the credit reporting provisions should result in additional provisions to the NPPs for the regulation of personal information held for the purpose of credit reporting.[361]
21. The Office agrees in principle with proposal 50-4.
22. The proposal generally accords with the Office's response to question7-1(i) of IP 32 and is consistent with retaining a principle-based law for regulating information handling.
23. The Office agrees with aspects of the ALRC's proposal 50-5. However, the Office submits that the proposal lowers existing privacy protections. Further, the Office believes that the proposal should be amended to provide that the proposed Privacy (Credit Reporting Information) Regulations should also:
24. As discussed in further detail below (and in chapter53 of this submission in response to proposal 53-4), the Office believes that without a concept of ‘credit worthiness information' and limitations on its use and disclosure, such personal information intended to be shared between credit providers through the credit reporting system will be at risk of disclosure to non-credit providers outside the credit reporting system and for non-credit related purposes.
Definition of ‘credit reporting information'
25. In the Office's response to IP32, the Office supported the ALRC considering the usefulness of retaining the separate terms ‘credit information file' and ‘credit report' defining the information covered by the credit reporting provisions.[362]
26. The Office supports the ALRC's proposal for a simplified single definition of ‘credit reporting information' that combines the current definitions of ‘credit report' and ‘credit information file', which does not incorporate a broad definition based on the definition of ‘report' in section18N(9) of the Privacy Act.
27. A particular benefit of such a revised definition will be to move away from the concepts based on the existence of a physical file or report and reflect the technologically neutral approach in the Privacy Act as supported by the Office.[363]
Narrowing of personal information covered by credit reporting system
28. The Office believes that aspects of proposal 50-5, in conjunction with the ALRC's proposal 53-4 to exclude an equivalent to section18N(9) of the Privacy Act in the proposed regulations, significantly narrows the scope of personal information covered by the credit reporting regime and consequently lessens existing privacy protections.
29. The Office emphasised in its submission to IP32 that the current protections provided to personal information held by credit reporting agencies and credit providers should not be lowered by any approach to reform that may be taken.[364]
30. The Office notes the ALRC's comments in paragraph 53.97 of DP72 that there are arguments that the handling of personal information relating to credit worthiness should be regulated by general privacy principles and not by the proposed Privacy (Credit Reporting information) Regulations.
31. However, the Office submits there are strong public interest reasons for retaining a concept of ‘credit worthiness information' and regulating the use and disclosure of such information according to higher standards than the general privacy principles.
32. As discussed further below, the Office is of the view that:
Consistent treatment of information relating to credit reporting
33. In the Office's submission to IP32, the underlying approach in the Office's suggestions relating to personal information covered by the credit reporting framework was for consistent treatment of information handled in relation to credit reporting. The intention of this approach was to reduce the complexity arising from handling similar categories of information used in credit reporting and credit assessment according to different standards.
34. The Office made a range of suggestions as set out below about where the handling of information in relation to credit reporting could be improved to promote consistency and reduce complexity. These recommendations were made on the basis that, if Part IIIA was repealed, they could be carried across as model provisions in a binding Code.
35. In line with this approach, the Office believes that credit worthiness information should be subject to similar regulation to credit reporting information, given its role in assessing an individual's eligibility to be provided with credit.
Inconsistent treatment of the same personal information
36. The key concern which the Office's recommendation in response to this proposal is intended to address is that the same personal information relating to credit may be subject to different standards of privacy protection.
37. Some credit providers such as banks have obligations to customers under the under the general law to keep their customer's information confidential. These obligations are in addition to those in Part IIIA of the Privacy Act limiting disclosures. However, ‘non-traditional' credit providers do not have similar obligations under the general law to protect the privacy of their customer's credit worthiness information.
38. In the Office's submission to IP32, a loan record of an individual held by a credit provider was noted as an example of ‘credit worthiness information'.[370]
39. If the loan record included information about a payment default, and that default was also reported to a credit reporting agency and included in a credit file or credit report, the same fact of default may be subject to different treatment if credit worthiness information is handled in accordance with the UPPs instead of the requirements in Part IIIA.
40. In this way, the credit report could only be disclosed in accordance with Part IIIA and could not be used for direct marketing, whereas information from the loan record, under the UPP/NPP requirements, could be disclosed to a non-credit provider for a related secondary purpose (if within the individual's reasonable expectations) and potentially used for direct marketing.[371] Over time, there is a risk that, under the ALRC's proposal, it would be possible that the ‘credit worthiness information' would be used for non-credit purposes by employers and private inquiry agents or disclosed for insurance proposals, insurance fraud, rental housing or occupational licensing.[372] Under the current provisions in Part IIIA (section 18N), disclosures for such purposes are not permitted.
41. Another example of possible inconsistent treatment relates to information provided by an individual in a credit application. An individual is likely to be asked about their current credit commitments, whether they have been refused credit and to give information about any previous defaults. The information in the loan application may form the basis for the creation of an individual's credit information file by a credit reporting agency particularly if the individual is new to the credit reporting system.
42. Currently, under Part IIIA, the loan application could be considered ‘credit worthiness information' and covered by the protections in section 18N of the Privacy Act. Under the ALRC's proposal, while the information from the loan application in the possession of the credit reporting agency will be covered by the proposed Privacy (Credit Reporting information) Regulations, the information in the loan application will be covered by the less stringent requirements under the UPPs. In some cases, this inconsistent treatment may create a disincentive to provide full information in a credit application out of concern that the information may be handled inappropriately.
43. The Office believes that the protections applied to personal information relating to credit reporting need to focus on the substance of the information and not the form it appears in. Accordingly the Office suggests that protections for credit worthiness information should be included in the proposed Privacy (Credit Reporting Information) Regulations to avoid potentially inconsistent treatment of personal information relating to credit.
44. Without provisions for regulating credit worthiness information as part of the credit reporting framework, the potential result could be access to credit reporting information content by non-credit providers. This would be contrary to the intention of the credit reporting system to limit access to credit reporting information to credit providers and credit reporting agencies.
Separate concept of ‘credit worthiness information'
45. The Office submits that, in retaining a concept of ‘credit worthiness information' as part of the regulation of credit reporting, the concept should nevertheless be separated from the proposed definition of ‘credit reporting information'.
46. As the ALRC proposes to retain the approach of allowing only expressly permitted content to be reported as part of credit reporting information, the proposed term ‘credit reporting information' will define a precise range of personal information. Credit reporting information will be maintained in records supplied by a credit reporting agency.
47. As the main obligations in relation to credit reporting relate to ‘credit reporting information' it is important that this definition is made as clear as possible. By contrast the concept of ‘credit worthiness information' will not be able to be as precisely defined. The Office view is that it will therefore be best to keep ‘credit worthiness information' as a definition separate from ‘credit reporting information' to avoid complicating an otherwise clearly defined term. ‘Credit worthiness information' will be contained in records generated or held by credit providers. In this regard, in the Office's submission to IP 32, it noted that as an alternative to reconsidering the need for separate terms, the relationship between the terms could be defined with greater precision.[373]
48. The obligations in relation to ‘credit worthiness information' could be characterised as supporting the same main obligations as will apply to credit reporting information. That is, to limit the ability for the same personal information to be used and disclosed inconsistently with the intention of the credit reporting protections applying to credit reporting information.
49. As a starting point, the Office considers that ‘credit worthiness information' could be defined using part of the current definition of ‘report' in section18N(9)(b) of the Privacy Act: ‘any other information that has any bearing on an individual's credit worthiness, credit standing, credit history or credit capacity'. Guidance as to what constitutes credit worthiness information is discussed below.
Scope of ‘credit worthiness information'
50. The Office notes the ALRC's comments in paragraph 53.91 of DP 72 regarding the breadth of information covered by section 18N of the Privacy Act. In particular, the Office notes the ALRC's comments that the existing category of personal information that has ‘any bearing' on an individual's credit worthiness appears to be broad enough in scope to include information about personal information that may have no connection with the credit reporting system, such as an individual's income, expenditure, employment or family or school connections.
51. As has been discussed above, a revised concept of ‘credit worthiness information' will need to provide greater clarity through its definition as to what information is covered. Further, in relation to the ALRC's concerns about the potential breadth of ‘credit worthiness information' as currently defined in section18N of the Privacy Act, the Office submits that the collection principle (NPP1 and proposed UPP 2) would temper this breadth through the requirement that information being collected must be necessary for one or more of its functions or activities. For most credit providers, the application of this principle would likely mean that the collection of personal information about family or school connections would not be necessary for its functions or activities as a credit provider.
52. The Office submits that the extended reach of section18N (or a similarly crafted provision) is required to ensure that an organisation or agency cannot avoid the credit reporting provisions.
53. The Office submits that there is a need for legislation to treat an individual's credit worthiness information as well as credit reporting information consistently so that it is clear to individuals how their personal information will be used or disclosed by credit providers.
Guidance on concept of credit worthiness information
54. The Office submits that the explanatory statements to the proposed Privacy (Credit Reporting Information) Regulations or the legislation could provide guidance on the scope of a revised concept of ‘credit worthiness information'.
55. Such guidance could include particular examples of types of information that may be covered, for example:
56. The Office's Credit Advice Summaries provides useful guidance as to what constitutes credit worthiness information which could also be adapted and included in the explanatory statement or in guidance issued by the Office: [374]
In considering whether a type of information is covered by s 18N(9), it is considered that both the nature of the information and the context of the disclosure should be taken into account. Where information does not provide any indication of the contents of an individual's account, credit status, or overall financial standing, and, in context, the enquiry or use of the information is not directly associated with any assessment of the individual's credit worthiness, the information would not be considered to be information subject to the disclosure rules of section 18N.
‘The disclosure by a credit provider of an individual's name and address may, in circumstances where the recipient has an interest in the credit worthiness of the individual, be a regulated disclosure under the Privacy Act, since the information could constitute a ‘report' as described by s 18N(9) of the Act. An example would be where a marketing firm wishes to obtain access to names and addresses of individuals who have a certain credit limit with the credit provider for the purposes of marketing direct to those individuals. Such a disclosure would not only reveal that those individuals have a credit relationship with the credit provider, but might carry an inference about the individuals' credit standing. Such a disclosure would therefore be a regulated disclosure under the Privacy Act. It follows that the disclosure by a credit provider of name and address details may be considered unlawful unless one of the exceptions set out in s 18N applies.'
Retention of an equivalent to section 18N in the proposed regulations
57. The Office notes the ALRC's proposal 53-4 that there should be no equivalent in the proposed Privacy (Credit Reporting Information) Regulations of section18N of the Privacy Act.
58. The Office has commented on this proposal in chapter 53 of this submission and consistent with its response to proposal 50-5 does not support the removal of ‘credit worthiness information' from the protection of the credit reporting provisions.
Secondary use and disclosure of credit reporting information by other entities
59. The Office notes that proposal 50-5 refers to regulations that only apply to the handling of credit reporting information by credit reporting agencies and credit providers.
60. In the Office's response to IP32, the Office supported the retention of provisions similar to the existing provisions in Part IIIA of the Privacy Act that regulate the secondary use and disclosure of credit information by other entities.[375]
61. In relation to proposal 50-5 the Office therefore submits that the proposed Privacy (Credit Reporting Information) Regulations should also apply to the handling of credit reporting information disclosed by credit reporting agencies and credit providers to specific third parties as permitted by the credit reporting regime, that is, secondary disclosures.
62. The Office has discussed this issue in responding to the ALRC's proposal 53-1 regarding the use and disclosure of credit reporting information.
63. The Office agrees with proposal 50-6.
64. The proposal accords with the Office's response to IP 32.[376]
65. The Office agrees with aspects of proposal 50-7, in relation to simplifying the definition of ‘credit provider' in the proposed regulations.
66. The Office also agrees with the proposal to maintain the existing categories of individuals or organisations that are currently credit providers by virtue of section 11B of the Privacy Act.
67. However, the Office does not support including within the proposed simplified definition the classes of corporations determined by the Privacy Commissioner to be credit providers. The Office recommends that these corporations should continue to be credit providers pursuant to a determination made by the Privacy Commissioner rather than specifically listed in the definition itself.
Credit provider determinations
68. The Office noted in its response to IP 32 that there is an argument that to provide greater certainty to business, the individuals or organisations who are currently ‘credit providers' under the Privacy Act should be included within the statutory definition of ‘credit provider' in section11B in the Privacy Act rather than through a determination under section11B(1)(b)(v)(B) by the Privacy Commissioner.[377] However, this would mean that industry participants and the Office would lose the flexibility that currently exists to review, amend and or remove these Determinations as appropriate.
69. The Office submits that the current power of the Privacy Commissioner to issue a determination in respect of credit providers should not be removed. The provision provides the ability to respond to changes in the future in the credit industry, for example the impact of developing technology and online commerce. Determinations are also subject to regular review.
Meaning of 'substantial'
70. In its response to IP 32, the Office submitted that the definition of credit provider could be improved by defining the meaning and /or breadth of the word ‘substantial' (in relation to a corporation being a credit provider if a ‘substantial' part of its business or undertaking is the provision of loans (see section11B(1)(b(iii) of the Privacy Act).[378]
71. The Office reiterates this view.
State and territory government agencies
72. The Office suggested in its response to IP 32 that state and territory government agencies should have the same opportunity as Australian government agencies to apply for a credit provider determination under section11B(1)(d)(ii) of the Privacy Act.[379]
73. The Office reiterates this view. However, it does not support credit provider status being granted to such agencies merely because they provide rental housing to individuals. Currently, the provision of rental housing is not deemed to be credit under Part IIIA of the Act and in the Office's view this should not change.
Deposit bonds
74. The Office notes the issue raised in its response to IP32 regarding whether deposit bonds used by individuals in lieu of a cash deposit on a house purchase, subject to finance, falls within the definition of credit in the Privacy Act.[380] As noted, if deposit bonds are deemed to be credit then businesses that market such instruments may access the credit reporting system when an individual submits an application. In considering the definition of ‘credit provider' the ALRC may wish to examine whether businesses that trade in deposit bonds should be covered by the definition.
75. Question 50-1 inquires whether the period of seven days currently in the OPC's Credit Provider Determination No. 2006-4 (Classes of Credit Provider) should be changed to at least 30 days. Question 50-2 asks whether definitions of ‘credit provider' and ‘credit' should be modelled on that found in the Credit Reporting Privacy Code 2004 (NZ) (the NZ credit code).
76. The Office's recent review of the Credit Provider Determination No. 2006-4 (Classes of Credit Provider) and relateddeterminations[381] found that no substantive amendments to the determinations were required.
77. The Office received several responses which raised the issue of the time period for deferral of payment as a threshold for being regarded as a credit provider. Suggestions were received both for widening the definition, by regarding any organisation that allows deferral of payment for any time period to be considered a credit provider, and for narrowing the definition by removing this class of organisations from being regarded as credit providers.[382]
78. The review of the determinations at that time found that a tightening or loosening of the definition of credit provider was not necessary.
79. The Office has responded separately in more detail to each of these questions below. In summary:
Tightening the definition of 'credit provider'
80. The current Classes of Credit Provider Determination allows corporations to be regarded as credit providers if they provide goods or services on terms that allow deferral of payment for at least seven days. The Office understands that there has been general support from stakeholders for the seven day payment deferral threshold to be extended to 30 days.
81. If the deferral threshold is changed this could mean that a number of non-traditional credit providers would be excluded from the credit reporting system if they provided credit on terms which did not extend to at least 30 days. If accepted, this aspect could represent a counterbalance to the proposal by the ALRC for the categories of permitted content of credit reporting to be expanded.
82. The Office considers that there is merit in this suggestion for the payment deferral threshold to be extended to 30 days particularly if it receives support from stakeholders.
Definition of ‘credit provider' and ‘credit' in the NZ credit code
83. The Office prefaces its remarks with the comment that it has not undertaken an in-depth analysis of the contents of the NZ credit code. Nevertheless, based on its understanding of some aspects of that code the Office does not support adopting the definitions of ‘credit provider' and ‘credit' used in the NZ credit code. That code defines credit provider as ‘an agency that carries on a business involving the provision of credit to an individual'. ‘Credit' is defined to mean ‘property or services acquired before payment, and money on loan'.[383]
84. In the Office's response to IP32 it submitted that, as a general principle, only credit providers (as currently defined with two exceptions[384]) should be able to access information from credit information files unless there are cogent public interest reasons why other persons should.[385] The Office reiterates this view.
85. The Office understands that the NZ credit code allows debt collectors, real estate agents, prospective landlords and their agents, prospective employers and their agents, insurers and prospective insurers and their agents, access to the credit reporting information directly.[386] The Office is not clear as to the policy basis for access to the credit reporting information by such groups.
86. The expressed intention of credit reporting under Part IIIA of the Privacy Act, on the other hand, was to exclude private investigators, real estate agents, insurance companies, employers and others who were not credit providers from accessing the system.[387] The explanatory material sought to differentiate between credit providers which had a legitimate interest in having access to the credit reporting system, for example to assess a loan application or list a payment default as opposed to non credit providers who wanted access to the system for non-credit purposes.
87. Adopting the NZ credit code definitions of ‘credit provider' and ‘credit', in the Office's opinion, appears to represent a substantial expansion of the credit reporting system in circumstances where the policy arguments in favour of such expansion are not convincing. The Office notes that landlords and estate agents currently have access to residential tenancy databases to screen tenants operated by a number of businesses across Australia. There does not appear to be a cogent policy reason for landlords and estate agents to have access to the credit reporting system for this purpose as well.
88. The Office's view is that the policy justification for restricting access to the Australian credit reporting system is sound and recommends that the credit reporting system should not be opened up to permit access to businesses that do not provide credit which the NZ code definitions of ‘credit provider' and ‘credit' appear to leave open.
Definition of ‘loan' in section 6(1) Privacy Act
89. The Office has concerns with some aspects of the current definition of ‘loan' in section 6(1) of the Privacy Act which is interlinked with the definition of ‘credit'. A loan is defined to include among other things ‘a contract, arrangement or understanding for the hire, lease or renting of goods or services, other than a contract, arrangement or understanding under which:
90. If a transaction concerning the hire, lease or rental of goods is not a loan within the meaning of the definition then it is not lawful both for the business to undertake a credit check against the credit file of the individual or for the credit reporting agency to disclose that information.
91. In the case of a hire, lease or rental of goods, under this definition, if the deposit paid for the return of the goods is not greater than or equal to the value of goods, then the hire, lease or rental of the goods falls within the definition of a loan. In the Office's view these aspects of the definition are problematic.
92. First, the payment must be in the nature of a deposit. Hire, lease or rental payments in respect of goods are nearly always payable in advance and it is not clear that such payments are necessarily classified as ‘deposits'.
93. Secondly, the definition appears to import a subjective assessment to the value of the goods subject to hire, lease or rental, rather than an objective value. For example, the hire, lease or rental of many consumer goods such as white goods, furniture or other items such as videos and DVDs are likely to have depreciated in value, sometimes significantly, even if they are reasonably new. In that case, any deposit paid for the return of the goods could in many cases be ‘greater than or equal to the value of the goods ...'. In this circumstance that transaction will not amount to a loan.
94. The Office submits that the definition of loan should be simplified so that it is clearer. In addition, it should be amended so that a payment is defined as either a deposit, or a payment in advance, provided that the value of the goods is assessed objectively and such deposit or payment is not greater than or equal to the value of the goods.
95. It is also suggested that the explanatory statement to the legislation or the proposed Privacy (Credit Reporting Information) Regulations should provide guidance on what might be considered ‘reasonable' value of goods subject to hire, leas e or rental.
96. The Office agrees with proposal 50-8.
97. The proposal accords with the Office's response to its submission to IP 32.[388]
98. The Office agrees in principle with proposal 50-9.
99. The Office has an existing cooperative relationship with the New Zealand (NZ) Privacy Commissioner's Office. This is reflected in particular by the engagement between the Offices:
100. The Office notes the significant challenges that would exist for coordinating credit reporting regulation, given some of the significant differences in approach to such regulation between Australia and NZ. In this regard, the Office has not undertaken a comprehensive analysis of the NZ privacy legislation in relation to credit reporting. However, for example, theCredit Reporting Privacy Code 2004 (NZ):
101. For these reasons, the Office does not support the complete adoption of the NZ Credit Reporting Privacy Code 2004 as a template model for any future harmonisation of the credit reporting legislation between Australia and NZ.
102. Community surveys conducted by the Office in recent years indicate a high degree of sensitivity over the handling and treatment of individuals' financial information. For this reason, the Office supports the continuation of a greater degree of prescription for credit reporting information. It questions whether the more permissive transborder data flows principle should regulate such activity than the proposed Privacy (Credit Reporting Information) Regulations as has been suggested by some stakeholders.
103. The Office notes that careful consideration will need to be given to overcoming the many practical and legal difficulties concerning amy proposal to allow the reporting of loans taken out overseas to Australian credit reporting agencies and the disclosure of credit reporting information to credit providers and credit reporting agencies overseas.
104. However, the Office notes that two of the major credit reporting agencies in NZ also operate credit reporting businesses in Australia. The Office observes that harmonising credit reporting provisions between NZ and Australia would provide operational efficiencies and opportunities for these agencies and the individuals' who have information listed with the agencies.
105. The Office agrees with proposal 50-10.
106. The Office discussed this issue in its response to IP32, and recommended that personal information relating to credit advanced to an individual for commercial purposes should also be covered by PartIIIA of the Privacy Act. [391]
107. While proposal 50-10 appears to be broader than this recommendation, the Office notes that the definition of ‘commercial credit' is defined (by reference to the definition of ‘credit' in section 6(1) of the Privacy Act) as a loan for any purpose other than a loan intended to be used wholly or primarily for domestic, family or household purposes. The proposal relating to credit advanced ‘for any purpose' is therefore consistent with the approach under the Privacy Act.
108. The Office also notes that the definitions of ‘credit' and ‘commercial credit' in section6(1) of the Privacy Act both refer to a loan ‘sought or obtained' by the individual or person. For consistency with these definitions, the Office recommends that proposal 50-10 be amended such that the proposed regulations apply to personal information relating to credit sought as well as credit advanced to (or obtained by) an individual.
109. The Office notes its suggestion in response to question 5-1(i) of IP32, that personal information relating to commercial credit transactions granted to individuals be included as permitted content of credit reporting files.
110. The Office observes that the proposal does not align with the definition of consumer credit in the Uniform Consumer Credit Code (UCCC). The latter refers to credit ‘provided or intended to be provided wholly or predominantly for personal, domestic or household purposes'.[392] The Office has not examined the possible impact of the proposal in relation to the UCCC.
111. The Office generally agrees with proposal 50-11.
112. As noted in the Office's response to the Office's submission to IP31, the Office supports the use of industry-specific rules, codes and guidelines to allow for more prescriptive regulation than the Privacy Act, where appropriate.[393]
113. However, the Office agrees that a credit reporting industry code should augment rather than substitute legislative regulation. As noted in the Office's response to IP 32, the Office does not support relying on self-regulation of credit reporting by credit reporters and credit reporting agencies as a preferred model for regulating credit reporting.[394]
114. Accordingly consideration needs to be given as to what matters are appropriate to leave to self-regulation in an industry code and what should be specified in the Privacy Act and regulations.
Content of industry code
115. The Office agrees that some matters are not addressed most appropriately through legislation, and that credit providers, credit reporting agencies and their industry associations need to take responsibility for dealing with particular detailed operational matters.
116. In relation to the specific operational matters suggested in proposal 50-11, the Office provides the following comments:
117. The Office has provided further comment in Chapter 51 (proposal 51-2) and Chapter 54 (proposal 54-5) regarding the ALRC's specific proposals for operational matters that the industry code should deal with (namely access to information on the basis of reciprocity and data quality procedures).
Office consultation role
118. The Office supports consultation with consumer groups and regulators, including the Office, in the development of the proposed industry code.
Interaction with binding codes
119. In relation to a non-binding industry codes, the Office notes the ALRC's proposal 44-10 to empower the Office to issue binding codes. The Office has provided further comment in Chapter 44 on the binding codes power.
120. While the Office supports industry developing its own voluntary codes, the Office notes that there may be circumstances where a matter is no longer appropriately left to self-regulation and could become the subject of a binding code, for example, in response to the impact of developing technologies (see the Office's response in Chapter 7).
1. The Office does not at this stage support the ALRC's proposal 51-1.
2. The issue of more comprehensive credit reporting was discussed in the Office's submission to chapter 6 of the ALRC's Issues Paper 32 (IP32). As noted in that submission, on the current evidence available, the Office does not believe that there is a compelling argument to support the introduction of more comprehensive credit reporting in Australia at this stage.
3. The Office reiterates its recommendation from its response to question6-1 of IP32[396] that independent research be conducted on the impact that comprehensive credit reporting would have on the Australian financial system and Australian consumers, which should provide recommendations about:
4. In reiterating this position, the Office emphasises that it does not oppose outright any form of expansion of the categories of personal information involved in credit reporting. In this regard, the Office has considered the detail of the ALRC's proposed expansion below and recognises it as a reasonable proposal for reform of the existing categories of permitted information.
5. However, the Office is of the view that a policy decision on the introduction of more comprehensive credit reporting needs to be informed by further independent and locally focused research.
6. The Office also notes that, in chapter50 of this submission, it has suggested specific credit reporting regulation should be pursued through a binding code rather than in a regulation.
Further independent research into the introduction of more comprehensive credit reporting
7. The Office argued for further independent research in its response to question 6-1 of IP32.[397]
8. The Office notes the ALRC's comment in Discussion Paper 72 (DP72) that ‘research results cannot determine the policy position to be adopted'.[398] While further research may not be determinative of the appropriate approach, the Office is of the view that further independent research will provide a clearer foundation from which to make policy decisions. As noted in the Office's response to question 6-1of IP32,[399] the existing research does not provide conclusive, consistent evidence in support of the introduction of more comprehensive credit reporting.
9. In terms of being able to strike an appropriate balance between efficiency in credit markets and privacy protection (as stated by the ALRC in paragraph 51.160 of DP72), the Office suggests there needs to be greater clarity in what factors are being balanced so that they can be appropriately weighted in undertaking such a balancing process.
10. Although it has not been practicable to undertake such research as part of the ALRC's broader inquiry into the Privacy Act 1988 (Cth)(Privacy Act) as a whole (as noted by the ALRC in paragraph 51.158 of DP72), the Office nevertheless considers it is necessary that further detailed consideration be given prior to the introduction of more comprehensive credit reporting.
11. As noted above, the Office recommends that such research consider what if any model should be adopted. This should include consideration of the ALRC's proposal 51-1 as one such model.
Comparison of proposed expansion with existing and suggested permitted content
12. As noted by the ALRC in paragraph 51.152 of DP72, the Office previously suggested that if the current credit reporting provisions allowing listing of current credit provider status and credit providers to share information with an individual's consent were being fully utilised, the introduction of more comprehensive credit reporting may be unnecessary.
13. In this regard, the Office notes that the current Part IIIA of the Privacy Act allows for information to be recorded that can provide an indication of similar content to the proposed additional categories.
14. For example, inquiry information-the record of a credit provider having sought a credit report in relation to a credit application, the amount of the credit sought in the application, a general indication of the nature of the credit being sought and the date of the inquiry (permitted content under s18E(1)(b)(i)(A) and (B) of the Privacy Act and paragraph 1.1 of the Credit Reporting Code of Conduct)-could be matched against the listing of current credit providers to provide a possible indication of an individual's current credit commitments based on the inquiry information.
15. Further, if a note of the acceptance of an offer of credit was permitted content, as suggested by the Office in its response to question 5-1 of IP32,[400] again this could be matched against the inquiry information to provide a somewhat clearer indication of an individual's current credit commitments.[401] For example, if the acceptance of a credit offer was noted in an individual's credit information file, then when matched against the relevant inquiry information the following may be able to be determined:
16. Given the similarities of the proposed four additional categories to information that is potentially already available to credit providers, the Office acknowledges that the ALRC's proposal is indeed a ‘modest' expansion (as noted by the ALRC in paragraph 51.164 of DP72).
17. The Office notes the ALRC's comments in paragraph 51.166 of DP72 that under the proposed system, credit providers would be aware of an individual's major potential credit commitments, and that this additional information is intended to assist in highlighting discrepancies with the information provided by the individual credit applicant.
18. Notwithstanding that the Office accepts that the ALRC's proposal 51-1 might be a reasonable expansion of permitted content of credit reporting information, the Office nevertheless considers that further independent research is required before the introduction of any model of more comprehensive credit reporting.
19. The Office notes that these four additional categories are intended to replace the existing ability to list current credit provider status under s18E(1)(b)(v) of the Privacy Act;[402] and be included as additional items of permitted content as currently set out in s18E of the Privacy Act.
Additional protections if more comprehensive credit reporting is introduced
20. In the Office's response to question 6-4 of IP32,[403] the Office discussed potential changes if Australian law is amended to permit more comprehensive credit reporting.
21. In addition to those comments, the Office notes the following as potential issues that may need to be addressed if the ALRC's proposed model of comprehensive credit reporting were introduced (these are discussed below and later in this chapter):
Requirement to notify the closing of a credit account
22. The Office notes proposal 51-1(d) to allow for the recording of the date each credit account is closed as part of an individual's credit reporting information.
23. The reporting of permitted content by credit providers to credit reporting agencies is not mandatory (and the Office does not support compulsory reporting of permitted content as stated in its response to question 5-2 of IP32). [404]
24. However, the Office believes that where a credit provider has reported details of the opening of a credit account, there should be a requirement for the credit provider to notify, as soon as practicable on the closing of the account, any credit reporting agency that was previously informed of the opening of the relevant account. This would be a similar requirement to s18F(5) of the Privacy Act in relation to updating current credit provider status.
25. Ensuring that the closing date of credit accounts is reported is an important part of providing an accurate picture of the individual's current credit commitments. Such a requirement would be consistent with the general obligation in s 18G(a) of the Privacy Act that credit providers and credit reporting agencies to take reasonable steps to ensure that credit reporting information is accurate, complete, up-to-date and not misleading.[405]
26. The Office notes ALRC proposal 54-5 that the proposed credit reporting industry code should specify procedures for ensuring data accuracy. The Office believes that a requirement to notify the closing of a credit account should be included in the Privacy (Credit Reporting Information) Regulations or binding Credit Reporting Code, as well as the industry code specifying the processes for ensuring that such notification occurs as soon as practicable.
Retention of more comprehensive credit reporting information
27. The Office notes that there is no proposed maximum retention period for the additional four categories of credit reporting information.
28. Proposal 51-1 would therefore provide credit providers with a picture of an individual's past as well as current credit commitments.
29. In this regard, the Office notes that most permitted content under PartIIIA is subject to the deletion requirement in s18F of the Privacy Act after the expiry of the maximum retention period of 5 or 7 years, other than:
30. The Office recognises that some types of credit accounts, such as a mortgage or ongoing credit card account, remain open for extended periods of time greater than 5 or 7 years and it would not be appropriate to require deletion of current account details.
31. However, similar to the existing requirement to remove current credit provide status from a credit information file where the current credit provider ceases to be a credit provider to the individual, where an account is closed the Office believes that consideration should be given to how long closed account information should be retained.
32. The Office is concerned that past records of closed credit accounts may have the potential to impact in a ‘negative' way on an individual's credit risk assessment, similar to the impact that multiple inquiry records may have (for example, where the credit file indicates that an individual had a large number of accounts during a particular period which have all been closed).
33. While the general data security principle in NPP4.2 and the proposed UPP8(b) require that information is only held as long as necessary for the purpose for which it was collected, it may be appropriate for a maximum retention period to be specified.
34. In this regard, the ability for an individual's credit history to be ‘repaired' after the expiry of a particular time period is an underlying feature of the credit reporting framework in Part IIIA of the Privacy Act. The introduction of additional categories of credit reporting information that are retained indefinitely is therefore a significant departure from the existing policy framework and, as noted by the ALRC in paragraph 50.69 of DP72, would require clear and compelling justification.
35. Accordingly the Office suggests that, if more comprehensive credit reporting is to be introduced as proposed by the ALRC, further consideration be given to specifying a maximum retention period of the proposed additional categories of credit reporting information where the relevant accounts have been closed.
36. The Office notes in ALRC proposal 54-7 that no substantial change should be made to the existing retention periods under s18F of the Privacy Act. The Office has provided further comment on the proposal in chapter54 of this submission.
Role of inquiry information under a more comprehensive credit reporting scheme
37. In paragraph 52.25 of DP72, the ALRC noted that it would welcome further comment on the role of inquiry information under the more comprehensive credit reporting scheme, and whether any other reform relating to the collection, use or disclosure of inquiry information is desirable.
38. The Office commented on the role of inquiry information as permitted content of a credit information file in its response to question 5-1 of IP32.[406]
39. In particular, the Office noted the value of having a requirement to record inquiry information on a credit information file as a privacy safeguard, to help ensure transparency so that an individual is aware of the name of the entity which accessed his or her credit information file and the date and purpose of access. The Office also noted the potential role of this requirement as a deterrent to inappropriate access. For these reasons it would be important to retain inquiry information in an individual's credit information file.
40. However, the Office also recognises the issue of inquiry information being potentially misleading in credit risk assessment-where multiple inquiries recorded on a credit file may be assessed as a negative factor notwithstanding that the reason for the multiple inquiries is from activity that is not necessarily a credit risk, such as ‘shopping around' for the most competitive credit.
41. In response to this issue, the Office suggested in its response to question 5-1 of IP32[407] (as noted above), that permitted content include an additional category of information allowing for a voluntary note or listing by a credit provider that an individual has accepted an offer of credit (but not the amount).
42. The Office notes the ALRC's comment in paragraph 51.166 of DP72[408] that matching information about credit inquiries with credit granted would address concerns about the currently potentially misleading nature of inquiry information.
43. Similarly, the ALRC notes in paragraph 52.25 of DP72 that the proposed reform under proposal 51-1 should mean that inquiry information will no longer be as open to misinterpretation or relied on to the same extent in credit scoring processes, by allowing information about credit granted to be matched against inquiry information.
44. The Office suggests however that further consideration be given to whether credit providers should continue to be permitted access to inquiry information under a more comprehensive credit reporting system that provides a clearer picture of an individual's current (and past) credit commitments.
45. The Office believes that the relevant general principle that should guide such a consideration is that the credit reporting system should only provide access to information that is necessary for the purpose of assessing the credit worthiness of an individual. If inquiry information is no longer necessary for that purpose because of the availability of other information, or has limited value for that purpose because it does not contribute effectively to the purpose (that is, it is susceptible to being misleading and hence cannot be considered necessary for assessing credit risk) then continued access to the inquiry information may need to be reconsidered.
46. Accordingly, the Office suggests that as part of the further research it has recommended, the removal of credit provider access to inquiry information be considered where the need to rely on or interpret inquiry information is mitigated by the availability of other information such as the proposed additional categories of permitted content.
Inquiry information as a privacy safeguard
47. Notwithstanding the possibility of restricting credit provider access to inquiry information, given the importance of inquiry information as a privacy safeguard as noted above, such information should continue to be recorded as part of an individual's credit reporting information and be accessible by the individual.
48. The Office notes the position under Rule 5(2)(i) of the New Zealand Credit Reporting Privacy Code 2004, where credit reporting agencies must, as a measure to safeguard the information they hold against unauthorised access or misuse, maintain an access log of the time, date and purpose of access to the credit reporting information.
49. The Office suggests that as part of considering the removal of credit provider access to inquiry information, a similar requirement to maintain an access log (accessible by individuals but not credit providers) could be introduced. This requirement could be characterised as a reasonable step to be taken in protecting personal information from misuse and loss and from unauthorised access, modification or disclosure, as required under the proposed Data Security principle (UPP 8(a)).
50. The Office notes that it has provided comment on the proposed Data Security principle and data security obligations in relation to credit reporting information in chapters 25 and 54 of this submission.
51. The Office agrees in principle with the ALRC's proposal 51-2, to the extent that credit providers and credit reporting agencies should have responsibility for determining how access to information on credit reporting files is to be managed within the regulatory framework.
52. In this regard, the Office agrees with the ALRC's observation in paragraph 51.167 of DP72 that it is not an appropriate role for regulation or a binding code to mandate reporting obligations. As noted by the Office in its response to question 5-2 of IP32, the Office does not support compulsory reporting by credit providers to credit reporting agencies.[409]
53. At the same time the Office recognises, as identified by the ALRC in paragraph 51.167 of DP72, that ‘in order for [the reform in ALRC proposal 51-1] to benefit the operation of the credit market, reporting by credit providers of the additional data items needs to be as universal as possible'.
54. While access to credit reporting information on the basis of a principle of reciprocity does not necessarily compel reporting by credit providers to credit reporting agencies, the practical reality may be the establishment of a ‘de facto' mandatory reporting system.
55. The Office noted in its response to question 5-2 of IP32, that if compulsory reporting is introduced the Office suggests that the provisions regulating the use and disclosure of credit information for non-credit related purposes should be strengthened.[410]
56. The Office has commented on proposals regarding use and disclosure of credit reporting information and data accuracy in chapters 53 and 54 of this submission respectively.
Reciprocity
57. The Office is not qualified to comment on the advantages or disadvantages to the operation of the credit reporting market of access to credit reporting information on the basis of a principle of reciprocity.
58. However, in terms of privacy considerations the Office notes the following in relation to the principle of reciprocity as outlined by the ALRC in DP72:[411]
59. In terms of other considerations, the Office would be concerned to ensure that reciprocity does not discourage credit providers' exercising discretion not to list a default in extenuating circumstances or entering into a scheme of arrangement. The Office also notes that the application of reciprocity may need to be tailored to account for ‘non-traditional' and small or medium sized credit providers.
60. The Office suggests that consideration of the operation of the principle of reciprocity could be included as part of the further research into more comprehensive credit reporting as recommended by the Office in response to the ALRC's proposal 51-1.
Required contents of the credit reporting industry code
61. The Office has commented on the ALRC's proposal 50-11 for a credit reporting industry code in chapter 50 of this submission. The Office generally supports the development of an industry code, but is concerned that an appropriate distinction is made between matters that should be covered by binding regulations (or a binding code)[412] and those that can be dealt with under a voluntary industry code.
62. The Office suggests that the ALRC provide clarification about the interaction of the proposed industry code with, for example, a binding Code prescribed by the Privacy Commissioner or the proposed Privacy (Credit Reporting Information) Regulations. In particular, the Office suggests clarifying whether the intention of proposals 50-11 and 51-2 is to include provisions in the Privacy Act, the proposed Privacy (Credit Reporting Information) Regulations or binding Credit Reporting Code that:
63. In the case of the latter dot point, the Office notes that industry would have the choice to adopt a different approach to data sharing other than reciprocity.
Mandatory external dispute resolution scheme membership
64. The ALRC's proposal 55-6 requires credit providers that list defaults to be members of an approved external dispute resolution (EDR) scheme.
65. The Office notes that, on the basis of the principle of reciprocity, a credit provider who wishes to access default listings would therefore be required to contribute default listings and consequently be required to join an approved EDR scheme.
66. Given the intention of proposal 55-6 is to lessen the compliance burden by not requiring all credit providers to be members of EDR schemes, the Office suggests that it may be appropriate for other forms of access to credit reporting information to operate in addition to reciprocal access.
67. The Office agrees in principle with proposal 51-3, and supports a review of any regulatory reforms to the credit reporting regime after a period of operation, whether or not the reforms are implemented as the proposed Privacy (Credit Reporting Information) Regulations or as a binding code or include provisions that introduce more comprehensive credit reporting.
Focus of the review
68. If more comprehensive credit reporting is introduced, the Office agrees that a focus of a review of the regulations should include the impact of more comprehensive credit reporting on privacy and the credit market. However, as noted in the Office's response to proposal 51-1 above, the Office recommends that further independent research be conducted before the introduction of more comprehensive credit reporting.
69. The Office suggests that, at the time of introduction of credit reporting reforms, consideration be given to criteria against which impacts and performance of the reforms could be measured.
70. For example, the levels of privacy complaints relating to credit reporting will be an important factor in assessing impacts on privacy. Given the ALRC's proposals in chapter 55 of DP72 that emphasise credit providers and credit reporting agencies handling complaints at first instance and the use of external dispute resolution schemes, there may be a need for an agreed approach to capturing information relating to handling of credit reporting privacy complaints to assist in the review process.
71. The Office notes the ALRC's proposal 54-6 to consider as part of the proposed five year review whether further regulation to ensure data quality of credit reporting information is required. The Office has provided comment on this proposal in chapter 54 of this submission.
72. The Office has also suggested in chapters 54 and 55 of this submission additional issues that could be specifically considered as part of the proposed review, such as the maximum retention periods for credit reporting information and the need for an express prohibition on the collection of individuals' credit information files by some third parties (such as employers, insurers or government agencies) for non-credit related purposes.[413]
Conduct of the review
73. In relation to the conduct of a review, while the Office has relevant expertise and experience in considering the impact on privacy of more comprehensive credit reporting, the Office notes its response to question 6-2 of IP32, that the Office is not qualified to provide expert opinion on the broader economic and social impact that comprehensive credit reporting may have in Australia.[414]
74. Given the proposed focus of the review on the impact of more comprehensive credit reporting on credit markets, and potentially other questions of broader economic and social impact, the Office suggests that the ALRC consider what other appropriate agencies could contribute to or conduct the review process. For example, the Office suggests that a review could be conducted by the Productivity Commission or via a tripartite agreement between the credit reporting agencies, the Office and an independent auditor.
1. In principle the Office agrees with proposal52-1.
2. In response to question 7-1 of IP 31 the Office proposed that the current credit reporting provisions under Part IIIA of the Privacy Act 1988 (the Privacy Act) and replaced with an enforceable Code, rather than Regulations[415]. The Office's preferred position, as submitted in response to IP32, is that such privacy rules should be set out in a binding credit code issued by the Privacy Commissioner as a legislative instrument,[1]rather than in Regulations.
3. .However, the substance of this proposal accords with the Office's position in its submission to IP32 at question5-23.
4. In addition, the Office submits there may also be a need to enable the removal of identity theft notification either by lapsing after a period of time or being removed once the identity theft has been resolved, as stated in the Office's submission to IP32.[416]
5. The Office notes its recent submission to the Model Criminal Law Officers' Committee of the Standing Committee of Attorneys-General consultation on model offences to combat identity crime.[417] In the submission the Office encouraged proposed legislation to be consistent with the Privacy Act and credit reporting provisions as far as possible. The Office was also supportive of the proposal that victims of identity crime be able to obtain a court issued certificate recording particular transactions or criminal conduct. Such a mechanism would facilitate the notation of identity theft in an individual's credit reporting information as proposed by the ALRC in proposal52-1.
6. The Office agrees with proposal52-2.
7. The proposal accords with the Office's position in its submission to IP32 at question5-1(i),[418] that there should be a statutory minimum amount below which the overdue payment listings should not be permitted content of a credit information file under s18E of the Privacy Act. The Office supported the ALRC considering $500 as the statutory minimum listing amount.
8. As noted by the Office in its response to IP32, chapter5 at paragraph24, the adverse impact on an individual's ability to secure credit by the practice of listing small debts may be disproportionate to the potential financial risks encountered by credit providers assessing a loan application.
9. The Office therefore considers that it is appropriate to introduce a minimum threshold amount for listing overdue payments to mitigate this disproportionate impact.
10. In its response to question 54-7 of DP 72 the Office reiterated that, consistent with its response to question 5.1(i) of IP 32, that consideration be given to whether time limits for adverse listings should be on the basis of set monetary amounts on a graduated scale; rather than being based on the category of credit reporting information[419].
11. Further discussion regarding this issue can be found at question 54-7 of this submission.
12. The Office supports a minimum amount for the listing of overdue payments being prescribed in the Privacy (Credit Reporting Information) Regulations or a binding Credit Reporting Code.
13. Prescribing the amount in Regulations or a Code would:
14. As noted above in relation to proposal 52-2, the Office suggested the ALRC consider a minimum listing amount of $500 for overdue payments.
15. The Office submits that the threshold amount should be determined through consultation with industry, consumer groups and relevant regulators and subject to periodic review.
16. In principle the Office agrees with proposal 52-3.
17. The proposal accords with the Office's response to question 5-1(i) of IP32.[420]
18. The Office agrees with proposal 52-4.
19. In it's response to question 5-1 of IP 32 the Office suggested that debt agreements under PartIX and personal insolvency agreements under PartX of the Bankruptcy Act 1966 (Cth) (Bankruptcy Act) be made permitted contents of a credit information file[421].
20. The Office notes the related proposals 50-6 and 52-6 in DP 72 to, respectively, remove the exclusion of ‘publicly available information' from the definition of credit reporting business and to include publicly available information as permitted content of credit reporting information. The Office has provided further comment on these proposals below and in chapter50 of this submission.
Acts of bankruptcy
21. The Office notes the permitted content of a credit information file under s18E(1)(b)(ix) includes bankruptcy orders made against the individual.
22. As the term ‘bankruptcy orders' is defined in neither the Privacy Act nor the Bankruptcy Act, the Office suggested in its submission to IP32 at question 5-1(i),[422] that that the term ‘bankruptcy orders' should be replaced with the term ‘act of bankruptcy' as defined in s40 of the Bankruptcy Act.
23. Pursuant to Regulation13.03 of the Bankruptcy Regulations 1996, the NPII includes the information set out in schedule8 to those regulations. Schedule8 indicates that the information entered in the NPII comes from documents that result from or relate to ‘acts of bankruptcy' (eg. court orders, debtors and creditors petitions, sequestration orders) as well as other arrangements such as Part IX debt agreements (schedule8, items21 and 22) and personal insolvency agreements (schedule8, item25).
24. The Office is therefore of the view that permitting personal insolvency information from the NPII to be included in credit reporting information will provide an appropriate indication of an individual's insolvency status under the Bankruptcy Act without needing the proposed Privacy (Credit Reporting Information) Regulations to refer to the defined term ‘act of bankruptcy'.
25. The Office notes that proposal 52-4 relates to the inclusion in credit reporting information of personal insolvency information recorded on the NPII. In this regard the Office notes that the NPII includes information that does not relate to an individual's insolvency status, such as records of an individual's application to be a trustee, registration as trustee and voluntary termination of trustee registration (see items 16, 17 and 18 of schedule8 to the Bankruptcy Regulations 1996). The Office does not consider that this information from the NPII would need to be included in credit reporting information.
26. In its response to proposal 54-6 of DP 72 the Office noted that not all publicly available information is relevant in terms of assessing an individual's credit eligibility. The Office submits that only publicly available information that is relevant for credit reporting purposes should be permitted content.
27. On this basis, the Office has recommended that an exhaustive list of the publicly available information should be prescribed as permitted content for credit reporting purposes be set out in the Privacy (Credit Reporting Information) Regulations or binding Credit Reporting Code.
28. The Office has provided further comments about publicly available information in this submission to proposals 50-6 and 54-6.
29. The Office agrees with proposal52-5.
30. The Office notes the ALRC's proposal54-4 that credit providers and credit reporting agencies have an obligation to take reasonable steps to ensure that credit reporting information is accurate, up-to-date, complete and not misleading.
31. The Office agrees that this obligation regarding accuracy and completeness includes credit reporting agencies adequately differentiating between the forms of administration identified on the NPII when such information is included in credit reporting information.
32. It will also be important that NPII information that is included in credit reporting information is kept updated to reflect changes to the information in the NPII. In this regard, the Office notes regulation13.04 of the Bankruptcy Regulations 1996 which allows a person who is a debtor or bankrupt to apply for information not to be entered on the NPII, to be removed from the NPII or to be corrected on certain grounds. These grounds include where inclusion of the information on the NPII jeopardises, or is likely to jeopardise, the person's safety, or where inclusion is inaccurate or misleading.