Focus: Privacy law and credit reporting
2 November 2009
In brief: The Australian Government has released the first stage of its response to the Australian Law Reform Commission's report on privacy law. Partner Catherine Parr , Special Counsel Karin Clark and Lawyer Nicholas Tobias report on the credit reporting implications of the proposed reforms.
- Credit reporting positive data
- Credit reporting other data
- Permitted use and disclosure
- Other credit information
- Dispute resolution
- Data quality and security
- Access and correction
How does it affect you?
- Under the proposed reforms, credit providers will have access to additional information when conducting consumer credit checks. Once responsible lending obligations begin in January 2011, this additional information will include consumers' repayment history. However, some information currently held in credit information files will no longer be included.
- Increased notification requirements on credit providers are likely to require amendment of forms, policies and procedures.
- Credit providers who want to list any information with a credit reporting agency and are not members of an external dispute resolution scheme will need to join one.
- Information in consumer credit files will be able to be used to 'pre-screen' marketing lists (but will not otherwise be able to be used for direct marketing) and will be able to be used for identity verification under anti-money laundering legislation.
On 11 August 2008, the Australian Law Reform Commission (the ALRC) published a report, For Your Information: Australian Privacy Law and Practice (ALRC Report 108) (the ALRC report), containing 295 recommendations to improve the protection of privacy in Australia. We published a report on the ALRC's recommendations in relation to credit reporting on 19 August 2008.
The Australian Government committed to responding to the ALRC report in two stages. On 14 October 2009, the Government released the first stage of its response to the ALRC report (the response), which deals with 197 of the 295 recommendations.
We summarised the response in a Client Update: Australian Government's response to ALRC privacy law report 20 October 2009. This article explores in greater depth the key credit reporting reforms proposed in the response.
The Privacy Act 1988 (Cth) will continue to regulate the collection, maintenance, use and disclosure of credit reporting information that is held by credit reporting agencies or credit providers. However, the Government has agreed with the ALRC report that the current credit reporting provisions are overly complex and should be restructured. The redrafted legislation will be supplemented by a binding code of conduct to be developed through consultation between the credit reporting industry, consumer advocates and the Privacy Commissioner, and approved by the Privacy Commissioner. Any organisation wishing to access the credit reporting system will need to subscribe to this code.
As part of the restructuring, the Government has accepted the ALRC's recommendations that the Privacy Act prescribe an exhaustive list of categories of personal information that are permitted to be included in credit reporting information, and a simplified list of circumstances in which a credit reporting agency or credit provider may use or disclose credit reporting information.
Credit reporting information will include information on credit to purchase or refinance residential investment properties, in line with the regulation of such credit under the National Consumer Credit Protection Bill 2009.
The key credit reporting reform proposed in the response is the introduction of five sets of data that will become accessible to credit providers:
- the type of each credit account opened (for example, mortgage, personal loan, credit card);
- the date on which each credit account was opened;
- the current limit of each open credit account;
- the date on which each credit account was closed; and
- a two-year history of whether the individual has met his or her repayment obligations as at each point of the relevant repayment cycle for a credit account and, if not, the number of repayment cycles the individual was in arrears.
The Government asserts that greater access to these five data sets will allow more robust assessment of credit risk, which, in turn, could lead to lower credit default rates. The Government has labeled the information as 'positive' data that will allow individuals to better demonstrate their creditworthiness. The first four data sets will be required to be deleted from a credit file two years after the relevant credit account is closed.
The Government has acknowledged the significant debate surrounding the inclusion of the final data set in relation to repayment history. The Government has decided that the final data set will only be available once proposed responsible lending obligations in the National Consumer Credit Protection Bill 2009 begin in January 2011, and only to lenders who are licensed under that legislation. Regulations will set out how and in what form the repayment history will be listed, when a 'missed payment' will be deemed to occur and the notice requirements for repayment history.
Under the reforms, credit providers will continue to be prohibited from reporting the current balance of a credit account or the amounts of repayments made or overdue.
Once the reforms begin, repayments (or failure to make them) from 14 April 2010 may be reported.
In relation to other credit reporting information, the proposed reforms will permit personal insolvency information to be included in a credit file, provided the different forms of administration are identified and accurately reflected, but will prohibit listing the following information in credit files:
- overdue payments of less than $100;
- presented and dishonoured cheques;
- sensitive information, as defined in the Privacy Act;
- credit reporting information about individuals who the credit provider or credit reporting agency knows, or reasonably should know, to be under the age of 18; and
- personal information about foreign credit, except in certain circumstances with respect to New Zealand. Disclosure of credit reporting information to foreign credit providers is similarly prohibited, except in certain circumstances with respect to New Zealand.
The Government intends to have clearly defined permitted uses and disclosures in relation to credit reporting information that reflect those in the current Part IIIA of the Privacy Act, subject to regulations that may prescribe additional uses and disclosures. For example, where use or disclosure can be shown to be in the public interest, as well as being for the benefit of the individuals whose credit reporting information will be used and disclosed, the Government will prescribe, by regulation, that use of the information for that specified purpose is permitted. The Government will also permit credit providers or credit reporting agencies to 'use and disclose de-identified credit reporting information for research purposes that are deemed to be in the public interest and have a sufficient connection to the credit reporting system.'1 The Government acknowledges that prior notification to the individuals will be required.
The response notes that credit reporting information must not be used or disclosed in any circumstances for the purposes of direct marketing. However, contrary to the ALRC's recommendation, the Government has proposed that use or disclosure of credit reporting information for the purposes of pre-screening should be expressly permitted, although only for the purpose of excluding adverse credit risks from marketing lists, and subject to a number of conditions.
The response accepts the ALRC's recommendation that credit reporting agencies should be permitted to use and disclose credit reporting information for the purpose of identity verification under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
The reforms will impose a number of additional notification obligations on credit providers. First, the response provides that on, or before, disclosure of personal information by a credit provider to a credit reporting agency (that is, at the time an individual applies for credit), the credit provider must take reasonable steps to ensure that the individual is aware of the:
- identity and contact details of the credit reporting agency;
- rights of access to, and correction of, the information; and
- types of entities to whom the agency would usually disclose the information.
Secondly, before disclosing overdue payment information or repayment history information that details missed payments to a credit reporting agency, credit providers will need to notify debtors. This should be done at the relevant time (in other words, a general warning that this may occur in the future will not suffice).
Thirdly, credit providers will need to have taken reasonable steps to contact an individual before reporting a 'serious credit infringement' unless the relevant activity is fraudulent. The Government believes that the requisite criteria for a 'serious credit infringement' should be addressed in the binding industry code.
Finally, the response provides that, if an individual's application for credit is refused, based wholly or partly on credit reporting information, the individual should be provided with information, including the avenues of complaint available if he or she has a complaint about the content of the credit reporting information.
The ALRC recommended that credit information, other than that in, or derived from, a credit report, should not be subject to restrictions or disclosures beyond those contained in the recommended general privacy principle dealing with use and disclosure. The Government disagrees, and intends to retain an equivalent of section 18N in the Privacy Act. However, it will not cover all information that has any bearing on credit history, credit standing, credit capacity or credit worthiness, only information similar to information maintained by a credit reporting agency and information about an individual's credit accounts.
The ALRC report recommended that credit providers be permitted to list overdue payments and repayment performance history only if they are a member of an external dispute resolution scheme recognised by the Privacy Commissioner. The response goes a step further, proposing that all credit providers that list any information about an individual must be members of an external dispute resolution scheme approved by the Privacy Commissioner.
The response also proposes that the obligation to attempt to resolve a dispute will lie with the party to which the individual first complains. All relevant parties would then be required to attempt to resolve the complaint, including by liaising with each other. The binding industry code will set out details such as when a 'dispute' has been raised by an individual and information sharing procedures.
The onus of proving the accuracy or appropriateness of credit reporting information will lie with credit providers and credit reporting agencies. Within 30 days of receiving a complaint, the credit provider or credit reporting agency must:
- provide evidence to substantiate disputed credit reporting information to the individual;
- refer the matter to an external dispute resolution scheme recognised by the Privacy Commissioner; or
- delete or correct the information on the request of the individual.
The Government has accepted the ALRC report's key recommendations in relation to data quality and security. As previously reported (in Focus: Credit reporting and credit information, August 2008), these are as follows:
- prohibiting the listing of any overdue payment if the credit provider is prevented by law from bringing proceedings to recover the amount due, or where the relevant statutory limitation period has expired;
- if an individual enters into a new arrangement to repay an existing debt, an overdue payment under the new arrangement may be listed, and remain part of the individual's file, for the full five-year period permissible under the regulations;
- credit reporting agencies must enter into agreements with credit providers that include obligations to ensure the quality and security of credit reporting information and must themselves establish and maintain controls to ensure that only credit reporting information that is accurate, complete and up-to-date is used or disclosed, and that credit providers are complying with their agreements; and
- the credit reporting code should promote data quality by setting out procedures to deal with matters such as timeliness of reporting of information, calculation of overdue payments, obligations to prevent multiple listings of the same debt and updating of information.
Under the proposed reforms, retention periods for information other than the new 'positive' data sets will be based on those currently set out in the Privacy Act and deletion will be mandatory after the relevant period expires.
Further, the Government agrees with the ALRC that individuals should have the right to restrict access to their credit information file for a period (initially 14 days) if they reasonably believe they are, or are about to be, a victim of identity theft.
The Government has accepted the ALRC report's key recommendations in relation to access and correction. As previously reported, the key reforms propose that the current Privacy Act provisions relating to:
- individuals obtaining access to their own credit reporting information and obtaining a free copy of their credit report; and
- notifying when a refusal of an application for credit is based wholly or partly on credit reporting information,
be mirrored in the new legislation (but in the Act itself, not in regulations, as suggested by the ALRC).
As recommended by the ALRC, the response proposes to remove all existing penalties for credit reporting offences and instead provide for civil penalties.
The changes the Government has indicated it will make to the credit reporting regime will be welcomed by the finance industry. The access for credit providers to additional information in credit files will bring with it some new obligations. Credit providers will need to review carefully their documentation and their processes and procedures to consider the changes they will need to make once the legislation comes into effect.
- Page 116 of the response.
- John GallimoreConsultant,
Ph: +61 7 3334 3135
You can leave a comment on this publication below. Please note, we are not able to provide specific legal advice in this forum. If you would like advice relating to this topic, contact one of the authors directly. Please do not include links to websites or your comment may not be published.