Privacy Amendment (Enhancing Privacy Protection) Bill 2012

2010 - 2011 - 2012

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

HOUSE OF REPRESENTATIVES

PRIVACY AMENDMENT (ENHANCING PRIVACY PROTECTION) BILL 2012

EXPLANATORY MEMORANDUM

(Circulated by authority of the Attorney-General, the Honourable Nicola Roxon, MP)

PRIVACY AMENDMENT (ENHANCING PRIVACY PROTECTION) BILL 2012

OUTLINE

This Bill amends the Privacy Act 1988 to implement the Government’s first stage response to the Australian Law Reform Commission’s (ALRC) report number 108, called ‘For Your Information: Australian Privacy Law and Practice’ (ALRC Report).  Given the large number of recommendations, the Government announced that it would respond to the ALRC report in two stages.  The Government’s first stage response addressed 197 of the ALRC’s 295 recommendations.  The Bill implements the major legislative elements of the Government’s first stage response.

The Bill amends the Privacy Act to:

  • Create the Australian Privacy Principles (APPs), a single set of privacy principles applying to both Commonwealth agencies and private sector organisations (referred to as APP entities), which replace the Information Privacy Principles (IPPs) for the public sector and the National Privacy Principles (NPPs) for the private sector
  • Introduce more comprehensive credit reporting with improved privacy protections, at the same time rewriting the credit reporting provisions to achieve greater logical consistency, simplicity and clarity and updating the provisions to more effectively address the significant developments in the operation of the  credit reporting system since the provisions were first enacted in 1990
  • Introduce new provisions on privacy codes and the credit reporting code (called the CR code), including powers for the Commissioner to develop and register codes in the public interest that are binding on specified agencies and organisations; and
  • Clarify the functions and powers of the Commissioner and improve the Commissioner’s ability to resolve complaints, recognise and encourage the use of external dispute resolution services, conduct investigations and promote compliance with privacy obligations.

The Bill introduces modifications to the Act as recommended by the ALRC.  The APPs set out standards, rights and obligations in relation to the handling and maintenance of personal information by APP entities, including dealing with privacy policies and the collection, storage, use, disclosure, quality and security of personal information, and access and correction rights of individuals in relation to their personal information. As recommended by the ALRC, the APPs and credit reporting provisions are structured to more accurately reflect the ‘life cycle’ of personal information.

The Bill introduces a number of additional safeguards for the protection of privacy, including enhanced notification, quality, correction, and dispute resolution mechanisms for individuals.

Structure of the Bill

The substantive elements of the reforms are contained in six schedules to the Bill.  Each schedule deals with a particular subject and related matters, including related definitions.  The schedules and their topics are:

  • Schedule 1 - Australian Privacy Principles
  • Schedule 2 - Credit reporting
  • Schedule 3 - Privacy codes
  • Schedule 4 - Other amendments of the Privacy Act 1988
  • Schedule 5 - Amendment of other Acts
  • Schedule 6 - Application, transitional and savings provisions

Schedule 1 - the Australian Privacy Principles

Schedule 1 of the Bill amends the Privacy Act to create the APPs, a single set of privacy principles applying to APP entities, a term that refers to both Commonwealth agencies and private sector organisations.  To facilitate ease of reference to the APPs and minimise confusion around numbering that may result if they were sections of the Act, they are inserted as a schedule to the Act.

The APPs are grouped into five sets of principles:

  1. Principles that require APP entities to consider the privacy of personal information, including ensuring that APP entities manage personal information in an open and transparent way (APP 1, APP 2)
  2. Principles that deal with the collection of personal information, including unsolicited personal information (APP 3, APP 4, APP 5)
  3. Principles about how APP entities deal with personal information and government related identifiers, including principles about the use and disclosure (including cross-border disclosure) of personal information and identifiers (APP 6, APP 7, APP 8, APP 9)
  4. Principles about the integrity, quality and security of personal information (APP 10, APP 11)
  5. Principles that deal with requests for access to, and correction of, personal information (APP 12, APP 13).

Schedule 1 also deals with a range of amendments relating to the APPs, including amendments to update or insert new definitions.  One key term that has been updated is ‘personal information’.

Schedule 1 also repeals Divisions 2 and 3 of Part III of the Act.  These divisions provide for the application of the IPPs, the NPPs and approved privacy codes.  The IPPs and NPPs will be replaced by the APPs.  A new Part IIIB will be inserted into the Act dealing with privacy codes.

Schedule 2 - Credit Reporting

The Privacy Amendment Act 1990, which commenced in September 1991, extended the coverage of the Privacy Act to consumer credit reporting.  The credit reporting provisions of the Privacy Act are contained in Part IIIA and associated provisions (the credit reporting provisions).  The credit reporting provisions primarily regulate the handling and maintenance of certain kinds of personal information concerning consumer credit that is intended to be used wholly or primarily for domestic, family or household purposes.

The purpose of the credit reporting system is to balance an individual’s interests in protecting their personal information with the need to ensure sufficient personal information is available to assist a credit provider to determine an individual’s eligibility for credit following an application for credit by an individual, and for related matters.  The credit reporting system provides an aid to credit providers in managing the risks of providing consumer credit to individuals.  Only limited and defined kinds of relevant personal information are permitted in the credit reporting system.

The credit reporting system in Australia has been a ‘negative’ reporting system.  The main kinds of personal information permitted in the system were information about:

  • a credit provider having sought a credit report regarding an individual in connection with an application for credit, and the amount of credit sought in the application
  • an individual’s current credit providers
  • any credit defaults; and
  • a credit provider’s opinion that the individual has committed a serious credit infringement.

Schedule 2 amends the credit reporting provisions in the Privacy Act.  The credit reporting provisions have been completely revised, consistent with the intention to ensure greater logical consistency, simplicity and clarity throughout the Privacy Act.  The new provisions are based on the flows of personal information in the credit reporting system and also clearly address the interaction of the provisions with the APPs where relevant.

This schedule of the Bill implements the ALRC’s recommendation to move to a ‘more comprehensive’ credit reporting system.  This means a limited number of additional kinds of credit related personal information about individuals are permitted in the credit reporting system.   The five new kinds of personal information (also known in the industry as ‘data sets’) are:

  • the date the credit account was opened
  • the type of credit account opened
  • the date the credit account was closed
  • the current limit of each open credit account; and
  • repayment performance history about the individual.

The fifth kind of personal information, repayment history information, is only available to credit providers who are licensees under Chapter 3 of the National Consumer Credit Protection Act and subject to responsible lending obligations under that Chapter.  In certain defined circumstances repayment history information is also available to mortgage insurers for mortgage insurance purposes.

Comprehensive credit reporting will give credit providers access to additional personal information to assist them in establishing an individual’s credit worthiness.  The additional personal information will allow credit providers to make a more robust assessment of credit risk and assist credit providers to meet their responsible lending obligations.  It is expected that this will lead to decreased levels of over-indebtedness and lower credit default rates.  More comprehensive credit reporting is also expected to improve competition and efficiency in the credit market, which may result in reductions to the cost of credit for individuals.

The new credit reporting provisions will provide additional consumer protections by enhancing obligations and processes dealing with notification, data quality, access and correction, and complaints.  This includes measures to place greater responsibility on credit reporting bodies and credit providers to assist individuals to access, correct and resolve complaints about their personal information.  Other measures that will benefit individuals include the introduction of specific rules to deal with pre-screening of credit offers and the freezing of access to an individual’s personal information in cases of suspected identity theft or fraud.

Schedule 3 - Codes

Schedule 3 replaces the provisions dealing with privacy codes and the Credit Reporting Code of Conduct with a new Part IIIB dealing with codes of practice under the APPs (called APP codes) and a code of practice about credit reporting (called the CR Code).

An APP code may be developed by APP code developers (either at their own initiative or following a request from the Commissioner) or by the Commissioner.  APP codes do not replace the APPs, but operate in addition to the requirements of the APPs.  An APP code must set out how one or more of the APPs are to be applied or complied with.  An APP code may also deal with other relevant matters, and may impose additional requirements to those imposed by the APPs so long as the additional requirements are not contrary to, or inconsistent with, the APPs.  Once the APP code has been developed an application may be made to the Commissioner for registration of the code.  The Commissioner then decides whether or not to register the APP code.  The Commissioner also has the power to develop an APP code.  This power can only be exercised if the Commissioner has requested the development of an APP code and the request has not been complied with or the Commissioner has decided not to register the APP code that was developed as requested.  The Commissioner may then register the APP code that was developed by the Commissioner.

Any APP code that is registered will be a disallowable legislative instrument.  An APP entity that is bound by a registered APP code must not do an act, or engage in a practice, that breaches the registered APP code.  A breach of the registered APP code will be an interference with privacy by the entity under section 13 of the Act and subject to investigation by the Commissioner under Part 5 of the Act.  Registered APP codes can be varied or removed from the register.

The CR code is an essential part of the regulatory structure of the credit reporting system.  Accordingly, the Commissioner will request code developers to develop the CR code.  The development process is based on that used for APP.  The CR code must set out how one or more of the credit reporting provisions are to be applied or complied with, and deal with other matters.  The CR code must bind all credit reporting bodies and must set out which credit providers or other entities (for example, mortgage insurers and trade insurers) are bound.  The Commissioner can develop the CR code if the code developers do not develop the CR code as requested, or the Commissioner decides not to register the CR code that was submitted for registration.

A breach of the registered CR Code will be an interference with privacy by the entity under section 13 and subject to investigation by the Commissioner under Part 5 of the Act.  The registered CR code can be varied.

The Commissioner has certain functions and powers in relation to codes.  The Commissioner must maintain the Codes Register, which contains the registered APP codes and registered CR code.  The Commissioner may issue guidelines to provide assistance in the development of, and compliance with, APP codes and the CR code.  The Commissioner may also make guidelines about matters the Commissioner may consider in deciding whether to register or vary an APP code or the CR code, or remove an APP code from the Register.  The Commissioner may also review the operation of any registered codes.

Schedule 4 - Other amendments of the Privacy Act 1988

Schedule 4 inserts an objects clause into the Act, reforms the functions and powers of the Information Commissioner, and deals with related matters, including reform of the provisions on interferences with privacy.  The amendments improve the Commissioner’s ability to resolve complaints, recognise and encourage the use of external dispute resolution services, conduct investigations and promote compliance with privacy obligations.  The amendments also restructure relevant provisions dealing with the powers and functions of the Commissioner to improve clarity and consistency in the provisions.

A new provision sets out the general functions of the Commissioner.  This is followed by provisions which outline in greater detail the guidance related functions of the Commissioner, the monitoring related functions of the Commissioner, and the advice related functions of the Commissioner. Relevant definitions related to the functions and powers of the Commissioner are also amended.

Other amendments to the Commissioner’s powers and functions made by Schedule 4 include:

  • Clause 33C will enable the Commissioner to conduct an assessment of an APP entity’s maintenance of personal information
  • Clause 33E will allow the Commissioner to accept written undertakings by entities to take, or refrain from taking, specified actions to ensure compliance with the Act
  • Clause 35A will give the Commissioner the power to recognise external dispute resolution schemes
  • Clause 40A will deal with the conciliation of complaints by the Commissioner
  • Item 90 will extend the Commissioner’s power to make inquiries of persons other than the respondent to a complaint; and
  • Clause 52(3A) will allow the Commissioner to include in a determination any order that the Commissioner considers necessary or appropriate.

Schedule 4 also amends the provisions dealing with the extra-territorial operation of the Act.  Subsection 5B(1) is amended to extend the extra-territorial operation of the Act and registered APP and CR codes to organisations and small businesses with an Australian link.  The term ‘Australian link’ is used to define the entities that are subject to the operation of the Act, and is used, for example, in APP 8 and throughout the credit reporting provisions.

A new section 13G is inserted, to provide a civil penalty for a serious or repeated interference with the privacy of an individual.  Schedule 4 also inserts a new Part VIB, which deals with civil penalties.

Schedule 5 - Amendment of other Acts

Schedule 5 contains amendments to other Acts that are consequential to the amendments in Schedules 1 to 4 of the Bill.  These amendments primarily replace references to the IPPs or NPPs with the APPs and insert new definitions, including certain credit reporting terms, in other Acts that interact with the Privacy Act.

Schedule 6 - Application, transitional and savings provisions

Schedule 6 contains amendments to address transitional issues relating to the commencement of the new provisions. 

Financial Impact Statement

The Bill will have no significant impact on Commonwealth expenditure or revenue.

Regulation Impact Statement

A regulation impact statement is only required for the credit reporting measures contained in this Bill.



REGULATION IMPACT STATEMENT - CREDIT REPORTING REFORMS

Background, purpose and structure of the Regulation Impact Statement (RIS)

Background

In 2006 the then Australian Government asked the Australian Law Reform Commission (ALRC) to conduct an inquiry into the extent to which the Privacy Act 1988 (the Privacy Act) and related laws continue to provide an effective framework for the protection of privacy in Australia.

In August 2008 the ALRC report For Your Information: Australian Privacy Law and Practice (108) (the ALRC Report) was publicly released.   The ALRC Report contains 295 recommendations for reform of the Privacy Act and related legislation, including recommendations relating to reform of the consumer credit reporting provisions (Part IIIA of the Privacy Act). 

Over a two year period, the ALRC released an Issues Paper and Discussion Paper to assist in informing its recommendations in the final report.  In developing the consumer credit reporting recommendations, the ALRC formed a Credit Reporting Advisory Sub Committee made up of Treasury officials, consumer advocates, credit provider representatives and credit reporting agency representatives.  The ALRC consulted widely with community groups and the business community, seeking written submissions and conducting a series of roundtables with individuals, agencies and organisations about consumer credit reporting. 

The ALRC recommendations on credit reporting contain two significant proposals:

  1. The current consumer credit reporting regime move to a system that includes ‘more comprehensive’ consumer credit information, as follows:
    1. Recommendation 55-1: The new Privacy (Credit Reporting Information) Regulations should permit credit reporting information to include the following categories of personal information, in addition to those currently permitted in credit information files under the Privacy Act:
      i. the type of each credit account opened (for example, mortgage, personal loan, credit card);
      ii. the date on which each credit account was opened;
      iii. the current limit of each open credit account; and
      iv. the date on which each credit account was closed.
    2. Recommendation 55-2: Subject to Recommendation 55-3, the new Privacy (Credit Reporting Information) Regulations should also permit credit reporting information to include an individual’s repayment performance history, comprised of information indicating:
      i. whether, over the prior two years, the individual was meeting his or her repayment obligations as at each point of the relevant repayment cycle for a credit account; and, if not,
      ii. the number of repayment cycles the individual was in arrears.
    3. Recommendation 55-3: The Australian Government should implement Recommendation 55-2 only after it is satisfied that there is an adequate framework imposing responsible lending obligations in Commonwealth, state and territory legislation.
    4. Recommendation 55-4: The credit reporting code should set out procedures for reporting repayment performance history, within the parameters prescribed by the new Privacy (Credit Reporting Information) Regulations.
    5. Recommendation 55-5: The new Privacy (Credit Reporting Information) Regulations should provide for the deletion of the information referred to in Recommendation 55-1 two years after the date on which a credit account is closed.
  2. A new credit reporting Code of Conduct be developed by industry, as follows:
    1. Recommendation 54-9: Credit reporting agencies and credit providers, in consultation with consumer groups and regulators, including the Office of the Privacy Commissioner, should develop a credit reporting code providing detailed guidance within the framework provided by the Privacy Act and the new Privacy (Credit Reporting Information) Regulations.  The credit reporting code should deal with a range of operational matters relevant to compliance.

Purpose

The purpose of this RIS is to determine whether the proposed policy objectives in Recommendations 55-1 to 55-5 and 54-9 should be accepted and if so, the form in which the recommendations should be accepted.

Structure

The RIS begins by providing background on the issue of consumer credit reporting and summarises previous reviews.  It then provides background on the issue of a credit reporting Code of Conduct.  The RIS is then broken into two parts.  Part A considers comprehensive credit reform, while Part B considers a credit reporting code of conduct.  The RIS examines the problems, options and impacts to determine the most effective and efficient regulatory approach in relation to both of these issues.



Background to Consumer Credit Reporting

The credit reporting system is intended to increase the efficiency of Australia’s consumer credit market.  As of June 2008, total consumer credit on issue, including securitisations, was $1113.4 billion.  Of this, housing credit on issue stood at $957.9 billion and other personal credit on issue was $155.6 billion.  The largest sector of consumer credit is residential mortgages, which are estimated to account for over 86 per cent of all consumer loans. [1]

Within the consumer credit market credit providers obtain credit reports from credit reporting agencies (CRAs) to assist in the assessment of credit applications with the aim of minimising the risk of customer defaults.

CRAs collect information about individuals from credit providers and from publicly available sources (such as bankruptcy information obtained from the Insolvency and Trustee Service Australia).  This information is used in generating credit reporting information for credit providers.  Credit providers use this information when assessing credit applications, as it augments information obtained directly from an individual’s application form, the credit provider’s own records of past transactions involving the individual (if any), and any other enquiries the credit provider may choose to make.

Consumer credit reporting is regulated by Part IIIA of the Privacy Act.  It regulates the types of personal information that may be collected and disclosed in the course of consumer credit reporting by a defined class of CRAs and credit providers.  The Privacy Act allows for the collection and disclosure of ‘negative’ credit reporting information.  Subsection 18E(1) of the Privacy Act sets out a prescriptive list of information which may be included in a credit information file.  This includes:

  • a credit provider having sought a credit report in connection with an application for credit, and the amount of credit sought (inquiry information)
  • a credit provider being a current credit provider in relation to the individual (current credit provider status)
  • credit provided by a credit provider to an individual, where the individual is at least 60 days overdue in making a payment on that credit (default information)
  • a cheque for $100 or more that has been dishonoured twice
  • a court judgment or bankruptcy order made against the individual; and
  • a credit provider’s opinion that the individual has committed a serious credit infringement.

In Australia there are currently three CRAs active:

  • Veda Advantage (Veda)
  • Dun and Bradstreet (D&B); and
  • Tasmanian Collection Service

Veda claims a market share of 96% [2] with a database of 16.5 million credit-active Australians [3].  It is understood that Veda has over 5000 subscribers which use its services, although these are not exclusively credit providers. [4]  The next largest CRA, D&B, claims to have data on 2.8 million individuals in Australia and New Zealand. [5]

The circumstances in which CRAs can disclose personal information contained in a credit information file are specified in section 18K of the Act.  In general terms, CRAs can only disclose to credit providers (which is defined by section 6 of the Act to include mortgage insurers and trade insurers).  Section 11B of the Act sets out a more detailed definition of credit providers, which includes:

  • banks
  • any entity which provides loans or credit cards for a substantial part of its business or allows individuals to have goods or services on credit (more than seven days)
  • an entity that provides loans (including by issuing credit cards), provided the Privacy Commissioner has made a determination in respect of such a class of entity
  • a government agency that provides loans and is determined by the Privacy Commissioner to be a credit provider for the purposes of the Act
  • a person who carries on a business involved in securitisation or managing loans that are subject to securitisation; or
  • an agent of a credit provider while the agent is carrying on a task necessary for the processing of a loan application, or managing a loan or account with the credit provider.

The definition does not include debt collectors, real estate agents, employers and general insurers.  CRAs are not permitted to provide credit reports to any organisations which do not fall within the definition of a credit provider.

National Reform of Consumer Credit Law

Australian Governments are working towards the reform of consumer credit law in Australia.  COAG, the Council of Australian Governments, agreed in March and July 2008 to transfer consumer credit regulation to the Commonwealth.  Subsequently, COAG agreed on 3 October 2008 to a two-stage plan to overhaul consumer credit laws.  The first stage of the plan includes the development of a national licensing scheme for the consumer credit industry, enacting the Uniform Consumer Credit Code as a Commonwealth law, and reforming key credit regulation laws.

On 27 April 2009 the then Minister for Superannuation and Corporate Law, Senator Sherry, released the draft National Consumer Credit Protection Bill 2009 (the NCCP Bill) for public comment.  The NCCP Bill was introduced into the Australian Parliament on 25 June 2009. [6]   Amongst other things, the NCCP Bill proposes new responsible lending obligations for all consumer credit in Australia.  ALRC Recommendation 55-3 suggested the Government only permit repayment performance history in the credit reporting system if responsible lending obligations were introduced.

The NCCP Bill introduces a set of responsible lending conduct requirements, which set a standard of expected behaviour for credit providers when they enter into a credit contract, or when they suggest a credit contract to a consumer or provide assistance to a consumer to apply for a credit contract.  Compliance with the responsible lending laws will require an assessment and verification of a consumer's credit needs and financial circumstances, including that the consumer has the capacity to repay the financial obligations.

Past Reviews of Credit Reporting

The question of whether more comprehensive credit reporting (also known as positive reporting) should be introduced into Australia has been actively considered since the enactment of the credit reporting system in 1988.  Following is a summary of these proposals and reviews.

Credit Reference Association of Australia (CRAA) proposal

In 1988 the CRAA stated it would augment its collection of credit reporting information by including information about the current credit commitments of individuals.  The proposal was named the Payment Performance System (PPS) [7].  Under the PPS credit providers would supply CRAA with tapes containing their customers’ credit accounts which would be merged with existing data every 30 to 60 days.  The data would be placed in credit reports containing a complete listing of all a consumer’s credit accounts, balances owing, and payment performance on every account during the previous 24 payment periods.  It was proposed that payments 120 days or more overdue would automatically generate a default report.

The CRAA’s proposal was rejected by the then Government on the grounds that it was a form of ‘positive reporting’ which was too intrusive to the privacy of individuals.

Financial System Inquiry (Wallis Report) Proposal (1997)

The Wallis Report stated that it was not in a position to assess whether the benefits of positive credit reporting outweighed the costs, but considered the potential benefits warranted a complete review of the issue.  The Wallis Report recommended that the Attorney-General establish a working party to review the existing credit provisions of the Privacy Act. [8]  No information is available on whether the recommended review occurred.

Senate Legal and Constitutional References Committee

In 2005 the Senate Legal and Constitutional References Committee reported on aspects of credit reporting as part of its inquiry into the Privacy Act.  The Committee’s report, The Real Big Brother: Inquiry into the Privacy Act 1988, found that no reform of the credit reporting provisions of the Privacy Act was required.  The Committee recommended against introducing positive credit reporting in Australia, stating that [9]:

the experience with the current range of credit information has shown that industry has not run the existing credit reporting system as well as would be expected and it is apparent injustice can prevail.  As mentioned elsewhere in this report, positive reporting is also rejected on the basis that it would magnify the problems associated with the accuracy and integrity of the current credit reporting system.  The privacy and security risks associated with the existence of large private sector databases containing detailed information on millions of people are a major concern.

The Australian Government’s response to the Senate Committee’s recommendation concerning credit reporting stated that review of the credit reporting provisions would be included in the reference to the ALRC to review privacy law in Australia.

Senate Economics Committee

The Senate Economics Committee also considered the issue in its 2005 report Consenting Adults, Deficits and Household Debt: Links between Australia’s Current Account Deficit, the Demand for Imported Goods and Household Debt.  The Committee stated that it was not persuaded to take a different view to that expressed by the Senate Legal and Constitutional References Committee on the basis that [10]:

  • credit providers were not making full use of the information available to them; and
  • defaults in the credit card market and other signs of financial distress were very low and did not justify a move to positive credit reporting.

Victorian Consumer Credit Review

The 2006 Consumer Credit Review examined comprehensive credit reporting as part of a broad review of the efficiency and fairness of the operation of credit markets and the regulation of credit in Victoria.  The Consumer Credit Review rejected a form of more comprehensive credit reporting on the basis that there were unanswered questions as to whether the benefits outweighed the costs.  However it recommended that further research and analysis be undertaken on the effects of comprehensive credit reporting.

House of Representatives Standing Committee on Economics

In November 2008, after the publication of the ALRC Report, the House of Representatives Standing Committee on Economics’ Inquiry Into Competition in the Banking and Non-Banking Sectors recommended that the Government implement the ALRC’s recommendations on reforming Australia’s credit reporting system.  In particular, the report considered the effect of comprehensive credit reporting and concluded that adopting a comprehensive credit system would provide competitive advantages to both businesses and individuals.  The report referred to The Treasury’s findings which noted that the current negative credit reporting model may represent a barrier to competition as it prevents new entrants and smaller existing lenders from obtaining comprehensive information on a prospective customer’s ability to service a loan and that only a ‘customer’s existing lender…has access to the borrower’s repayment history’. [11]

Background to Credit Reporting Code of Conduct

Section 18A of the Privacy Act requires the Privacy Commissioner to issue a Code of Conduct relating to credit information files and credit reports.  The Privacy Commissioner is required to consult with government, commercial, consumer and other relevant bodies and organisations before issuing the Code of Conduct.  The Code of Conduct should deal with:

  • the collection of personal information for inclusion in individuals’ credit information files
  • the storage of, security of, access to, correction of, use of and disclosure of personal information included in individuals’ credit information files or in credit reports
  • the manner in which credit reporting agencies and credit providers are to handle disputes relating to credit reporting; and
  • any other activities, engaged in by CRAs or credit providers, that are connected with credit reporting.

The Privacy Commissioner issued the Credit Reporting Code of Conduct in 1991.  The Code supplements Part IIIA on matters of detail not addressed by the Privacy Act.  Among other matters, the Code requires credit providers and CRAs to:

  • deal promptly with individual requests for access and amendment of personal credit information, such as prescribing specific timeframes within which requests must be dealt with
  • ensure that only permitted and accurate information is included in an individual’s credit information file
  • keep adequate records in regard to any disclosure of personal credit information
  • adopt specific procedures in settling credit reporting disputes, and
  • provide staff training on the requirements of the Privacy Act.

The Code supplements Part IIIA of the Privacy Act and creates a set of legally binding rules.  Subsection 18A(4) states that the Code of Conduct is a disallowable instrument.  Section 18B of the Act requires CRAs and credit providers to comply with the Code of Conduct.

The term ‘credit providers’ is defined in section 11B of the Privacy Act.  The definition extends to an organisation that is, among other things, a:

  • bank
  • corporation, a substantial part of whose business or undertaking is the provision of loans
  • corporation that carries on a retail business in the course of which it issues credit cards; or
  • corporation that provides loans and is included in the class of corporations determined by the Privacy Commissioner to be credit providers for the purposes of the Privacy Act.

The term ‘loan’ is defined in section 6(1) of the Privacy Act to mean a contract, arrangement or understanding under which a person is permitted to defer payment of a debt, and includes a hire-purchase agreement or an agreement for the hire, lease or renting of goods or services.

The Privacy Commissioner has issued two determinations in relation to the definition of credit provider.  These are the Credit Provider Determination No. 2006-4 (Classes of Credit Providers) and the Credit Provider Determination No. 2006-3 (Assignees).  These determinations state circumstances in which corporations are to be regarded as credit providers.  They include situations where corporations make loans in respect of the provision of goods or services on terms that allow the deferral of payment, in full or in part, for at least seven days.

The operation of the Privacy Act and the Privacy Commissioner’s Determinations means that the type of corporations that may be included within the definition of credit provider has been considerably expanded.  Submissions to the ALRC recognised that organisations which are retailers or service providers, such as video store operators or legal and healthcare service providers, may fall within the definition of credit provider if they extend payment terms for seven days or more [12].  In some situations, organisations that would otherwise be small businesses may be caught by the operation of the credit reporting provisions.



PART A: Comprehensive Credit Reporting

1.       Problem

1.1       Greater access to independent credit information

A key objective of credit reporting is to facilitate consumer credit transactions by encouraging transparency in the market and providing access to standardised, reliable and timely information about an individual’s credit risk. [13]   A significant concern in the consumer credit industry is that the existing credit reporting system does not sufficiently address the information asymmetry between credit providers and potential borrowers.  Information asymmetry occurs where the credit provider does not know the full credit history of an individual applying for credit and therefore the individual has more information about his or her credit risk than the credit provider.  This can result in adverse selection, where a credit provider, operating in response to information asymmetry, prices credit based on the average credit risk of individuals. [14]   The credit reporting system attempts to address this information asymmetry by providing an independent source of information that can assist in the assessment of an individual’s credit application.

The present credit reporting system in Australia is a negative credit reporting type of system, as opposed to the ‘positive’ credit reporting type of system permitted in other countries.  The difference between the two systems is the type of personal information which is permitted to be collected.  Negative reporting limits the collection of personal information to that which relates to an individual’s credit delinquency, such as defaults on payments or dishonoured cheques, and inquiries on the credit record.  Positive credit reporting permits the collection of personal information which demonstrates an individual’s credit account activity, such as the timeliness of payments, account type, the credit limit and the amounts of credit liabilities.  However, the terms positive reporting and negative reporting are not clearly defined and can be confusing.  The ALRC uses the term ‘comprehensive credit reporting’ to describe the inclusion of additional information which would feature in a positive credit reporting system.

It is argued by the credit reporting industry that Australia’s current credit reporting system provides insufficient credit history information about an individual.  They argue this may cause credit providers to incorrectly assess the risk premium of individuals when they apply for credit, which can cause the following consequences:

  • granting credit, or higher amounts of credit, to individuals who cannot afford to meet their repayment obligations
  • not granting credit, or less credit than desired, to individuals who can afford to meet their repayment obligations

Industry stakeholders argue that the lack of more comprehensive information may mean they are ignorant of the fact that an individual’s circumstances may have changed and therefore their ability to repay has changed.  Credit providers are forced to place a lot of emphasis on current information contained in credit reports, such as default listings, which do not accurately reflect an individual’s credit risk.  A minor default is recorded for a period of 5 years after the event, but information about an individual’s changed circumstances, such as evidence of consistent and timely repayment of debts, is not recorded.  Overall, it is argued there is an information asymmetry which results in the mis-pricing and mis-allocation of credit. [15]   In consultations industry stakeholders have suggested that the absence of more comprehensive credit reporting may affect the price of credit (both in the consumer credit market as a whole and for individual consumers) which affects the availability of credit.  They also argue that the lack of more comprehensive credit information may lead to more defaults, as customers who would not have qualified for credit may be able to obtain credit in the current negative credit reporting system by exploiting the information asymmetry which makes it difficult for credit providers to discover information about an applicant’s true financial position.

There does not appear to be independent empirical information available about the Australian consumer credit reporting system, industry, or the implications of more comprehensive credit reporting.  The lack of independent information was noted by the ALRC. [16]   Independent information was not available in the preparation of this RIS.

While the major purpose of credit reporting is to provide information to assist credit providers to assess applications for credit, an effective credit reporting system may also facilitate responsible lending by credit providers, helping to ensure individuals do not become financially overcommitted.  The National Consumer Credit Protection Bill 2009 [which has since passed as the National Consumer Credit Protection Act 2009] proposes extensive responsible lending obligations which will require credit providers to ensure they adequately and responsibly assess an individual’s application for credit.

1.2       Privacy concerns

Permitting access to more credit information through the credit reporting system directly affects an individual’s privacy.  The main concerns from consumer and privacy advocate stakeholders and some commercial stakeholders are:

  • the benefit of comprehensive credit reporting does not outweigh the additional impact on an individual’s privacy
  • CRAs will have access to large databases of personal information
  • comprehensive credit information may be used for purposes unrelated to assessing the creditworthiness of an applicant for credit, such as marketing or other unauthorised purposes, including identity fraud
  • there may be an increased risk that information will be inaccurate due to the greater volume of information (reflecting existing concerns about accuracy of the currently held credit reporting information) and any inaccuracies may make it more difficult for individuals to obtain credit
  • based upon evidence from overseas, there is an increased risk that the security of data held by CRAs will be compromised; and
  • it would be inappropriate for CRAs to collect and report payment performance information in relation to utilities such as telecommunications, energy and water.

2.       Objectives

2.1         Objectives of government action

The objective of government action is to respond to the ALRC recommendations on consumer credit reporting reform in the context of the Government’s response to the wider ALRC review of privacy law.  The specific objectives are to:

  • provide consumer credit providers with sufficient information to allow them to adequately assess credit risk while ensuring the protection of personal information to the greatest extent possible; and
  • encourage responsible lending.

2.2       Existing policy and regulations

Part IIIA of the Privacy Act precisely defines the categories of personal information which may be collected and disclosed for credit reporting purposes.  The policy objective of the existing credit reporting system is to provide a mechanism to allow a limited amount of personal information to be collected and disclosed in the credit reporting system for the efficient operation of the consumer credit market.

The ALRC has recommended changes to the existing credit reporting system in order to permit more comprehensive credit reporting.  Amendments would be required to Part IIIA of the Privacy Act.

3.       Options that may achieve the objectives

3.1 Implementation scope

Part IIIA of the Privacy Act regulates the consumer credit reporting system.  Against this background, the proposed options address the ALRC’s recommendations 55-1 and 55-2 on adopting a more comprehensive consumer credit reporting system within the Privacy Act.  The scope of implementation is limited to amending, or not amending, Part IIIA of the Privacy Act. 

The ALRC considered options to make the current credit reporting system more effective [17] .  These options included improving the accuracy of existing credit reporting data, requiring consumer declarations in relation to loan applications and expanding financial literacy programs.  However, the ALRC did not recommend any of these options for action and accordingly this RIS does not consider these options.

Implementation of the ALRC recommendations would enable CRAs to collect additional information.  However, CRAs would not be obliged to collect additional information.  It is expected that CRAs will only incur any costs in collecting additional information (whether through redeveloping systems or for other reasons) if they expect the benefits of collecting more comprehensive credit information to outweigh the costs.

3.2       Option 1 - Maintain the current permitted categories of credit reporting information, retaining a negative credit reporting system (the status quo)

This option retains the current permitted categories of negative credit reporting information.  No amendments would be made to Part IIIA of the Privacy Act.

3.3       Option 2(a) - Move towards a more comprehensive credit reporting system by including four additional categories of personal information

This option would permit credit reporting information to include the following categories of information, in addition to those currently permitted under Part IIIA of the Privacy Act:

  • the type of each credit account opened (for example, mortgage, personal loan, credit card)
  • the date on which each credit account was opened
  • the current limit of each open credit account, and
  • the date on which each credit account was closed.

This option is based on Recommendation 55-1 from the ALRC Report.

3.4       Option 2(b) - Expand the permitted categories outlined in Option 2(a) with the addition of an individual’s repayment history

In addition to the four additional categories of personal information from Option 2(a), this option would also allow limited repayment history information to be included, as follows:

  • whether, over the prior two years, the individual was meeting his or her repayment obligations as at each point of the relevant repayment cycle for a credit account; and, if not,
  • the number of repayment cycles the individual was in arrears.

Note that the amount of any payments missed would not be included.  This option is based upon Recommendation 55-2 of the ALRC Report, which recommends this option only be considered where there also exists an adequate legislative framework imposing responsible lending obligations on credit providers.

4.         Assessment of impacts

4.1       Impact group identification

The groups affected by the Options are:

  • individuals who apply for credit
  • CRAs
  • credit providers; and
  • small businesses.

The Office of the Privacy Commissioner (the OPC) would remain the responsible regulator under all of the proposed options.  It is expected that Options 2 and 3 would have no, or only a low, impact upon the OPC.

4.2       Assessment of costs and benefits

4.2.1    Impact of Option 1 - remain with status quo

Individuals - Benefits

The current protections in the Privacy Act limit the amount of personal data that may be collected, used and disclosed for the purpose of credit reporting.  These limitations reduce the risk of data inaccuracy, misuse for marketing or other unauthorised purposes, or misuse for illegal activity, including identity fraud.

Individuals - Costs

The limited information available in credit reports may misrepresent the credit worthiness of individuals.  For example, small defaults for small amounts of credit remain on a credit report for five years and may form the basis of a decision to approve credit, even where this default may be trivial in contrast to the overall credit history of an individual.

There is a risk that consumer credit may be priced at a higher rate than would otherwise be the case if more comprehensive credit information was available.  There is also a risk that consumers may be denied credit or only have reduced credit made available because credit providers may not have sufficient information to make fully effective decisions about the risks associated with the allocation of credit in the market as a whole or in relation to individual consumers.

Credit Reporting Agencies - Benefits

No requirements to change current data retention practices, business models or database technology.

Credit Reporting Agencies - Costs

Current regulation prevents CRAs from offering more comprehensive consumer credit reports which may limit the greater profitability of CRAs.

The current limited number of information categories may create competition costs by maintaining barriers to market entry for new CRA businesses.  Two of the existing CRAs have large databases.  Credit providers are more likely to use these CRAs as the size of the databases gives them access to the greatest potential number of consumer credit records.  This may limit new entrants into the market because it is likely to take more time to develop databases of negative events like credit defaults.

Credit Providers - Benefits

No requirements to change current use and disclosure practices in relation to credit reporting information, business models or credit assessment technology.

Credit Providers - Costs

If an applicant fails to disclose credit accounts and liabilities they hold with other financial institutions, the credit provider is unable to make a fully informed lending decision resulting in the possibility of provision of credit to borrowers who are unable to meet their financial obligations.

New entrants into the credit provider market may face significant barriers to entry as a consequence of insufficient information about the credit risk of prospective credit consumers.  New players or smaller credit providers are unlikely to have more comprehensive data available, while existing larger credit providers are able to access their existing customer base.  This may mean knowledge of credit worthiness of individuals is inadequate, which may lead to greater default rates for new and small credit providers.

Small Businesses - Benefits

To the extent that small businesses currently use the credit reporting system, they would not be required to make any changes.

Small Businesses - Costs

Small businesses may wish to use more comprehensive credit reporting information to provide greater certainty in the provision of credit to customers.  Maintaining the current negative credit reporting system may place small businesses at proportionally greater risk from defaulting credit customers.  No information is available on the extent of small business usage of the credit reporting system so it is not possible to quantify the possible costs.



4.2.2    Impact of Option 2(a) - Expand the permitted categories to include four additional categories of personal information

Individuals - Benefits

Permitting additional information provides the opportunity for credit providers to better understand an individual’s credit history.  In turn this may:

  • result in lower rates of over-indebtedness and default
  • allow individuals who are credit worthy to gain access to more appropriately priced credit (assuming credit providers introduce differential pricing)
  • increase the availability of lending (to the extent that lenders currently limit the availability of credit due to the lack of more comprehensive credit reporting information)
  • reduce the transaction costs in assessing credit applications, which could result in reduced costs to consumers if the cost savings are passed on by credit providers, and
  • allow for greater automation and a faster credit decision making process, assuming credit providers change existing practices.

The extent to which price benefits (lower rates) would be realised by consumers depends in part on the level of competition in the consumer credit market - the greater the level of competition, the more likely that the benefits of comprehensive credit information would be passed on to consumers.  While the magnitude of consumer benefits is uncertain, it is noted that currently there does not appear to be extensive competition in the consumer credit sector, raising some doubt that consumers would realise significant price benefits, at least over the short term. [18]   Consumers may, however, benefit from greater access to credit.

Individuals - Costs

Individuals who are deemed to be a poor risk based on greater transparency about credit worthiness may find that they face a higher price for access to credit (assuming credit providers introduce differential pricing).

Permitting additional categories of personal information to be collected, used and disclosed may increase the risk of data inaccuracy, misuse for marketing or other unauthorised purposes, including identity fraud.  If there are no significant changes to the numbers of CRAs operating in Australia, extremely large amounts of data about individuals will be held and maintained by a small number of CRAs which may increase the risk of data security challenges and the consequences of any potential breaches.  Information is not available to quantify the possible cost of data inaccuracy.  In many instances, the cost to any individual that may be affected by inaccurate records will not be obvious as individuals may resolve the issue by dealing directly with the credit provider or the CRA.

Credit Reporting Agencies - Benefits

The business model and marketability of CRAs is expected to be improved by allowing them to collect, use and disclose a greater amount of data on individuals who apply for credit, in turn giving CRAs the opportunity to sell a more effective product.



Credit Reporting Agencies - Costs

CRAs are likely to incur financial costs associated with developing systems to handle the additional information.  However, CRAs can make commercial decisions about how they raise funds to invest in building systems to expand their systems and business operations and how they decide to recoup any investments they choose to make.  CRAs may choose to off-set the investment costs against fees obtained from allowing credit providers to access the more comprehensive credit reporting information.  For example, they may change their fee structure, market their services to a broader range of credit providers, or develop new services to market to their existing client base of credit providers.  CRAs have not provided any information on the commercial decisions they may make to address any costs.

Credit Providers - Benefits

Access to more comprehensive credit reporting information is expected to allow credit providers to more accurately assess the risks involved in lending to an individual and in turn to more appropriately price credit.  More information will allow credit providers to avoid lending to those who are over-committed, leading to lower rates of customer indebtedness and defaults and reducing costs for credit providers in debt recovery and write-offs.

Access to more comprehensive credit reporting information will provide a more efficient tool for credit providers to comply with responsible lending obligations under consideration in the NCCP Bill.

Access to more comprehensive credit reporting information may improve competition in the consumer credit provider market by reducing information asymmetry between credit providers, particularly between larger and smaller credit providers.  Currently, large credit providers are able to access more comprehensive credit information from their own customers and use this to assess credit applications from their existing customers.  In a more comprehensive credit reporting system, small credit providers may use the access to greater information to make more informed decisions about the provision of their credit which may make their businesses more competitive.  It may also be the case that all credit providers may be able to reduce the transaction costs involved in assessing credit applications, creating a more efficient credit market.

Credit Providers - Costs

The systems and processes used by credit providers to assess credit applications may change to deal with access to more comprehensive information.  If systems and processes change this may result in some costs for credit providers.

There may be higher costs to access credit information if CRAs choose to increase fees to off-set the costs of developing their systems.  It is not possible to quantify these costs as this will be a commercial decision for CRAs and there is no information available on what choices CRAs may make to recoup any additional costs they may incur in updating their systems.

There may be a risk that the increased predictive value of the data available under this option may not be sufficient to justify the costs of implementation.

Small Businesses - Benefits

To the extent that small businesses currently use the credit reporting system, access to more comprehensive credit reporting information is expected to allow small businesses to more accurately assess the risks involved in lending to an individual.  More information will allow small businesses to avoid lending to those who are over-committed, leading to lower rates of customer indebtedness and defaults.

Small Businesses - Costs

Although there is no information available on the number of small businesses that currently use the credit reporting system, more small businesses may wish to use more comprehensive credit reporting information to provide greater certainty in the provision of credit to customers.  Small businesses may face costs in developing processes to assess credit applications with access to more comprehensive information.

There may be higher costs to access credit information if CRAs choose to increase fees to off-set the costs of developing their systems.  It is not possible to quantify these costs as this will be a commercial decision for CRAs and there is no information available on what choices CRAs may make to recoup any additional costs they may incur in updating their systems.

4.2.2.1             Research on credit market efficiency and macro-economic impact of more comprehensive credit reporting

In examining the introduction of comprehensive credit reporting the ALRC considered economic analysis provided by industry stakeholders.  Broadly, stakeholders in support of comprehensive credit reporting claim that empirical and macro-economic studies provide important evidence about the likely improvements to credit market efficiency and economic benefits of comprehensive credit reporting.

The ALRC did not commission any independent economic analysis on the question of the possible macro-economic impact of credit reporting systems.  The ALRC noted that, on one view:

this subject matter does not lend itself to precise modelling due to the level of complexity and the small orders of magnitude involved in terms of benefits.  It is questionable whether any modelling will provide definitive answers. [19]

The Treasury has confirmed the ALRC views that data constraints restrict the level of macro-economic modelling that can be done on the possible impact of more comprehensive credit reporting.  However, analysis conducted by Treasury has found that the introduction of positive credit reporting would be expected to remove information asymmetries in the market and lead to some small equity and efficiency benefits for credit market participants and the Australian economy more broadly. [20]   The Treasury supports the introduction of comprehensive credit reporting subject to sufficient privacy protections being put in place.

4.2.2.2             Empirical studies on credit market efficiency with more comprehensive credit reporting

International comparative studies

Research by Barron and Staten published in 2000 compared Australia’s credit reporting rules with those of the United States (US). [21]   The research compared the accuracy of risk scoring models using the wider credit reporting information available under the US system with the more limited information available in Australia.  The US model of credit reporting includes information such as the type of account, credit limit, payment history, employer and account balance.

The findings of the research were that more comprehensive credit reporting rules resulted in fewer loan defaults while maintaining the same loan approval rate.  The report found, for example, that at an approval rate of 60%, use of the credit reporting information permitted at present in Australia produced a default rate of 3.35% compared to a default rate of 1.9% in the US.  At the same time, assuming that default rates were maintained at around the same rate (eg 4%), credit providers using information available in the current Australian system would extend new credit to 11,000 fewer consumers for every 100,000 applicants than would be the case in the US under their credit reporting system.

Later research by Barron and Staten, conducted in 2007 at the request of the Australian Finance Conference, compared the above findings with three other possible credit reporting models. [22]   The research found that at the targeted approval rate of 60%, the intermediate model (similar to Option 2(b)) produced a 2.46% default rate.  The ALRC notes the assertions that the implications of the research are that consumer credit will be less available and more expensive in countries, such as Australia, where the credit reporting system omits information that would provide a more complete picture of a consumer’s financial position. [23]

The findings in the Barron and Staten research appear to be supported by other reports which broadly compared different credit systems in different countries.  Research referring to overseas data demonstrated a lower default rate and reduced bankruptcies following the introduction of comprehensive credit reporting in several countries.  For example, econometric research analysing the credit reporting regimes and credit markets in 43 countries, including the US, Australia and most other Organisation for Economic Co-operation and Development countries found that the breadth and depth of a credit market was positively associated with the extent of the credit information that was exchanged between lenders. [24]   A number of submissions to the ALRC cited the example of Hong Kong, which appears to be experiencing far fewer loan defaults since the introduction of comprehensive credit reporting in 2002, although the ALRC also noted that it was not clear to what extent the change was due to the recovery in Hong Kong’s economy that occurred at the same time. [25]

The ALRC identified methodological limitations and assumptions made by the research [26].  For example, the Barron and Staten modelling did not take into account issues such as the weight given to more comprehensive credit information provided by customers under the Australian model, or the possibility that the assessment processes used by credit providers may differ from the research models.  The research assumed that those credit reporting systems which collected more information used that information effectively.  The research did not consider other economic factors, including country specific factors, which may have positively influenced the availability of credit or the impact of any broader economic factors on default levels.  In addition, the research was conducted before the Global Financial Crisis.

Australian studies

Research measuring the predictive effect of adding additional information to credit reporting databases to assess credit worthiness was conducted at the initiative of the Australian Retail Credit Association (ARCA) and sponsored by a number of credit providers. [27]   The research considered a number of models under which additional information was collected.  The models considered were identical to the options identified above (see heading 3, Options).  Four major Australian banks and a number of international financial services groups participated in the research by analysing their own internal data to estimate the relative predictive effect of different information variables as identified in each option.

The research produced a percentage score to indicate how useful each option was to credit providers in collecting information to assess credit worthiness.  The benchmark against which each option was assessed was a hypothetical situation where all relevant credit reporting information (including, for example, full details of repayment performance, which is not a feature of any of the options) was available.  This benchmark was assigned a performance score of 100%.  When the performance of each option was compared to the benchmark, the research reached the following conclusions:

  • Option 1 - the permitted categories of information are unchanged - the predictive value of the information is 10%.
  • Option 2(a) - the permitted categories of information are expanded to include the four additional variables - increases the predictive value of the information above option 1 by an additional 23% to a total of 33%.
  • Option 2(b) - the permitted categories of information are expanded to include the four additional variables and repayment performance history - increases the predictive value of the information above option 2(a) by an additional 22% to a total of 55%.

However, the research methodology and research results are not available and have not been independently verified.  The predictive scores assigned to each option are notional in the sense that they are a comparison against a benchmark that does not currently exist and there is no evidence provided to indicate how the contribution of each information element was assessed.  In addition, the benchmark was not recommended by the ALRC, is not an option proposed in this RIS, and has not been proposed or supported by stakeholders, including ARCA, as an appropriate model for Australian conditions.

4.2.2.3             Research on macro-economic benefits

A 2004 study conducted by ACIL Tasman for MasterCard modelled the macro-economic impact of introducing more comprehensive credit reporting in Australia.  The report concluded that comprehensive credit reporting would generate a one-off increase in capital productivity of 0.1%, which would translate to economic benefits to the Australian economy of up to $5.3 billion, in net present terms, over the next 10 years. [28]   ACIL Tasman used what was described as an ‘applied general equilibrium model’ of the Australian and world economies to quantify the benefits of more comprehensive credit reporting.  In conducting the research, the model assumed that more efficient credit markets would have implications for most sectors of the economy.

Research conducted by Access Economics on behalf of Veda Advantage claimed that more credit reporting information would enable lenders to improve the accuracy of risk assessment, reduce defaults and debt over-commitment and provide credit to those who cannot currently prove their creditworthiness.  Additionally, the research found that comprehensive credit reporting would also lead to an overall increase in consumer debt levels and a related increase in consumer spending. [29]

Advice from Treasury confirmed that comprehensive credit reporting is likely to lead to some small equity and efficiency benefits for credit market participants and the economy more broadly.  However, the research is subject to similar criticisms to those made about research on credit market effects.  Treasury have advised that the methodologies employed to measure the macro-economic effects have limitations.  The ALRC noted that it is difficult to model precisely the macro-economic impact of comprehensive credit reporting due to the level of complexity and the small orders of magnitude involved in assessing the possible benefits.  The ALRC drew the following conclusion:

It is questionable whether any modelling will provide definitive answers.  For example, Australia is recognised as having a credit market that is very competitive by international standards.  This may limit the potential for further competitive gains resulting from more comprehensive reporting.  Equally, a macro-economic upturn seems likely to have a much greater influence on credit availability than any change to a credit reporting system. [30]

4.2.2.4             Research on competition in credit markets

The credit reporting industry strongly advocates the view that comprehensive credit reporting will have a positive effect on competition in Australian credit markets.  The 2004 ACIL Tasman report stated that, for example, the experience of the US in the 1990s following increases in the types of personal data collected and used in credit reporting saw ‘a wave of new entrants into the bank credit card market’. [31]   The benefits of this competition were said to put downward pressure on interest rates and fees for bank credit cards and encourage the targeting of lower interest rates to low risk borrowers.  The breadth of the credit card market also expanded.  However, the report does not provide evidence to clearly demonstrate the extent to which the identified benefits were directly attributable to credit reporting changes or whether other changes in the consumer credit environment had a significant impact.

In summary, the research suggests greater economic benefits than disadvantages flowing from the introduction of comprehensive credit reporting.  The economic benefits are principally found in improving interest rate pricing.  The Treasury in its submission to the ALRC noted that overall comprehensive credit reporting would address information asymmetries and thereby improve the targeting of credit, and the assessment, and thus pricing, of risk. [32]  



4.2.3    Impact of Option 2(b) - Expand the permitted categories to include four additional categories of personal information (Option 2(a)) with the addition of including an individual’s repayment history

Individuals - Benefits

The inclusion of this additional data set will enhance the predictive value of credit worthiness which should lead to more informed lending practices and result in greater efficiency and effectiveness in consumer credit lending.

An enhanced predictive value may lead to improved pricing of credit risk which may provide more affordable credit (through, for example, reduced interest rates or transactions costs) for low risk consumers and greater access to credit for consumers who may not have been able to otherwise demonstrate an adequate credit history.  However, the likely benefits to consumers will depend, in part, on the level of competition in the consumer credit market (in the same way that this issue may influence the possible benefits to individuals noted above under Option 2(a)).

Individuals - Costs

Individuals who have poor credit histories may have difficulty in obtaining credit or be required to obtain more costly credit (for example, from providers who lend at higher rates).

As access to this dataset may increase the number of loans issued overall, there may be a risk that there will be an increase in irresponsible lending to those unable to meet their obligations.  However, the ALRC recommended repayment history information only be permitted once credit providers are subject to responsible lending obligations.

Individuals who are deemed to be a poor risk based on greater transparency about credit worthiness may find that they face a higher price for access to credit (assuming credit providers introduce differential pricing).

This option also presents similar possible costs to individuals as identified in relation to option 2(a).  Permitting additional categories of personal information to be collected, used and disclosed, including the inclusion of an individual’s repayment history, may increase the risk of data inaccuracy, misuse for marketing or other unauthorised purposes, including identity fraud.  Any inaccurate records may restrict individuals from gaining access to credit.  Data is not available to quantify the possible cost.  If there are no significant changes to the numbers of CRAs operating in Australia, extremely large amounts of data about individuals will be held and maintained by a small number of CRAs which may increase the risk of data security challenges and the consequences of any potential breaches.  Information is not available to quantify the possible cost of data inaccuracy.  In many instances, the cost to any individual that may be affected by inaccurate records will not be obvious as individuals may resolve the issue by dealing directly with the credit provider or the CRA.

Credit Reporting Agencies - Benefits

The business model and marketability of CRAs will be improved by allowing them to collect, use and disclose a greater amount of data on individuals who apply for credit, in turn giving CRAs the opportunity to sell a more effective product.

Implementing repayment history data at the same time as the other proposed data sets in Option 2(a) would result in significantly lower set-up costs for credit reporting agencies than if it was decided at a later date to separately implement the repayment history data set.



Credit Reporting Agencies - Costs

As noted under option 2(a), CRAs are likely to incur financial costs associated with developing systems to handle the additional information.  However, CRAs can make commercial decisions about how they raise funds to invest in building systems to expand their systems and business operations and how they decide to recoup any investments they choose to make.  CRAs may choose to off-set the investment costs against fees obtained from allowing credit providers to access the more comprehensive credit reporting information.  For example, they may change their fee structure, market their services to a broader range of credit providers, or develop new services to market to their existing client base of credit providers.  CRAs have not provided any information on the commercial decisions they may make to address any costs.

Credit Providers - Benefits

The listing of repayment history would provide credit providers with an independent and easily obtainable source of information about an individual’s repayment history and may assist credit providers in identifying individuals who are under credit stress.  Access to this information is viewed by credit providers as an important tool to complement any responsible lending obligations.

It is possible that the expected greater efficiencies gained by including repayment history information (in terms of improved credit delinquency predictability, which in turn reduces costs associated with defaulting customers) may offset the administrative costs involved in setting up comprehensive credit reporting under the four datasets in Option 2(a).

The inclusion of the repayment history data set in the credit reporting system at the same time as the other data sets in Option 2(a) will result in significantly lower set-up costs for credit providers than if it was decided at a later date to separately implement the repayment history data set.

Credit Providers - Costs

As noted under option 2(a), the systems and processes used by credit providers to assess credit applications may change to deal with access to more comprehensive information.  If systems and processes change this may result in some costs for credit providers.  No information is available to quantify any cost that may occur.

As noted under option 2(a), there may be higher costs to access credit information if CRAs choose to increase fees to off-set the costs of developing their systems.  It is not possible to quantify these costs as this will be a commercial decision for CRAs and there is no information available on what choices CRAs may make to recoup any additional costs they may incur in updating their systems.

However, a credit provider would not be required to access comprehensive credit reporting information unless it was deemed necessary for their business and was cost effective.  The regulation would simply set up a tool which credit providers could access voluntarily.

Small Businesses - Benefits

To the extent that small businesses currently use the credit reporting system, access to repayment history information is expected to allow small businesses to more accurately assess the risks involved in lending to an individual.  More information will allow small businesses to avoid lending to those who are over-committed, leading to lower rates of customer indebtedness and defaults.



Small Businesses - Costs

Although there is no information available on the number of small businesses that currently use the credit reporting system, more small businesses may wish to use the credit reporting system if it includes repayment history information.  Small businesses may consequently face costs in developing processes to assess credit applications.

There may be higher costs to access credit information if CRAs choose to increase fees to off-set the costs of developing their systems.  It is not possible to quantify these costs as this will be a commercial decision for CRAs and there is no information available on what choices CRAs may make to recoup any additional costs they may incur in updating their systems.

4.2.3.1             Research specific to the listing of repayment history

As noted above, research by ARCA found that including the repayment history of an individual significantly increased the predictive value of a credit report to 41%.  This research accords with widely accepted economic theory that making more information available to credit providers will tend to increase efficiency in the market for credit.  It will also assist in making credit more available to those able to repay and reduce rates of default (or both).  There was no significant disagreement among stakeholders in their submissions to the ALRC Report that more comprehensive credit reporting has the potential to improve risk assessment by credit providers, even among those who expressed concern about how this improved risk assessment would be used in the credit market.

There is little evidence to demonstrate that this additional data set will subject consumers to greater burdens in terms of higher priced credit or lack of credit.  Such matters will be dependent on the applicable business practices of the credit provider and the need to adequately price credit in terms of a person’s risk.  It is noted that in many circumstances the number of ‘bad risk’ customers who are denied credit will effectively be balanced by those ‘good risk’ customers who are afforded credit under the comprehensive scheme (but would not have been under the ‘negative’ scheme).

It should be noted that Option 2(b) is only to be implemented with the implementation of responsible lending legislation under the NCCP Bill.  While repayment history would benefit credit providers in determining the credit risk of individuals, there are strong concerns expressed by privacy and consumer advocates that this extra category of information does not necessarily guarantee responsible lending of credit.  Advocates are concerned that the repayment history will provide credit providers with a very clear picture of a person’s financial status without imposing any obligations to use this information in a responsible way.  Consumer advocates in particular consider that the availability of more credit information will lead to less risk averse decisions by credit providers (i.e. credit providers will use a good repayment history to justify providing credit to an individual even where the individual has credit burdens beyond their means).  There is therefore a clear link between potential regulation imposing responsible lending obligations and the possible implementation of comprehensive credit reporting.

These concerns would be off-set by the requirement that only those credit providers that are subject to the responsible lending requirements in the NCCP Bill would be allowed to access repayment history from CRAs.

To offset privacy concerns the ALRC made recommendations that require credit providers and CRAs to enhance data quality and security requirements and provide for more effective complaint handling procedures.  Chapters 58 and 59 of the ALRC Report outline a series of recommendations regarding these matters.  Recommendation 58-4 recommended that CRAs should be required to enter into agreements with credit providers to ensure the quality and security of data and to implement controls to ensure data is accurate, complete and up to date.  Recommendation 58-7 provides that credit providers may only list overdue payment or repayment performance history where the credit provider is a member of an external dispute resolution scheme recognised by the Privacy Commissioner.  Additionally, recommendation 59-8 requires that evidence must be provided to an individual substantiating information in a credit report within 30 days where the credit reporting information is disputed or alternatively the matter must be referred to an external dispute resolution scheme recognised by the Privacy Commissioner.

5          Consultation

5.1 ALRC Report Consultation

The ALRC consulted with a wide variety of stakeholders which included CRAs, credit providers, consumer and privacy advocates and the OPC.  The ALRC found there was broad support for the implementation of some form of more comprehensive reporting, especially from CRAs and credit providers. [33]

Consumer groups, privacy advocates, the OPC and the Banking and Financial Ombudsman generally opposed more comprehensive credit reporting.  These stakeholders focused on alternatives and desirable pre-conditions to the possible introduction of more comprehensive credit reporting. [34]

A number of stakeholders, including OPC, suggested that further study is required before reaching any decision to recommend the implementation of more comprehensive credit reporting, including studies which focus on the possible impact on over-indebtedness and access to affordable credit.  A CRA had proposed to the ALRC that it would conduct a further study to model the effect that more comprehensive consumer credit reporting would have on the accuracy of credit providers’ application risk evaluation.  However, the study was not carried out, in part because of what the CRA believed to be existing restrictions under the Privacy Act. [35]

5.2 Consultation since the release of the ALRC Report

The Government undertook extensive consultations with, and received written submissions from, relevant stakeholders on the ALRC’s credit reporting recommendations.  Stakeholders identified included CRAs, credit providers, relevant industry and professional organisations, academics, and consumer and privacy advocates and organisations.  The Government also publicised the consultations and opened them to submissions from the public. [36]

The Government held a number of roundtable consultations on the ALRC credit reporting recommendations in December 2008.  There were 22 credit reporting industry attendees and eight privacy and consumer advocate attendees.  15 written submissions were received from the stakeholders.  The Department also held a number of individual meetings with stakeholders in the first half of 2009 to discuss the application of the ALRC’s recommendations.

There was broad support for the introduction of more comprehensive credit reporting.  While some consumer and privacy advocates remained opposed to the ALRC’s recommendations for more comprehensive credit reporting, most consumer and privacy advocates reluctantly agreed with many of the recommendations and the inclusion of repayment performance history.  Those who agreed with the ALRC recommendations only supported comprehensive credit reporting to the extent that it was introduced strictly along the lines recommended by the ALRC Report.  CRAs and large credit providers vigorously supported the inclusion of repayment history and strongly expressed their view that they considered this dataset to be the decisive factor in improving the credit reporting system.  CRAs and credit providers expressed the view that the absence of repayment history would be likely to mean that the benefits of comprehensive credit reform would not outweigh the costs of introducing the other changes.

6          Conclusion and Recommended Option

Option 2(b) is preferred.  The introduction of more comprehensive credit reporting in the form of the additional five data sets will provide consumer credit providers with the opportunity to access enhanced information to establish an individual’s credit worthiness.  It is expected that this will allow more robust assessments of consumer credit risk, both in the market as a whole and in relation to individual applications, which can assist responsible lending and potentially lead to lower consumer credit default rates.  The economic benefits to industry and individuals alike outweigh the reduction of privacy protections to these categories of personal information.  However, the extent to which consumers gain will depend, in part, on the level of competition in the consumer credit market.  The inclusion of repayment history information appears to provide an appropriate increase in the predictive value of credit reporting information.  Recognising the importance of this information to the ability of credit providers to make responsible lending decisions, the Government has decided to implement responsible lending obligations in the NCCP Bill.

7          Implementation and Review

The Government will consider the public release of the stage one Government response to the ALRC Report, which includes the ALRC’s credit reporting recommendations.  The Government intends to implement the Government’s response to the ALRC recommendations through draft legislation which will be released for public comment.  In relation to the credit reporting provisions of the draft legislation, it is anticipated that further consultations will occur with a small number of identified expert stakeholders to obtain their assistance in addressing technical issues to be covered by the drafting process.  As part of this process transitional issues will be considered, which will include any necessary transitional arrangements to assist in minimising any possible negative effects to the consumer credit market from the implementation of the credit reporting reforms.

The Government has released the NCCP Bill for public comment and made announcements indicating the Government’s commitment to introduce responsible lending obligations.  This is consistent with the terms of ALRC recommendation 55-3, which recommended repayment history information only be made available if the Government is satisfied there is an adequate framework imposing responsible lending obligations.

ALRC recommendation 55-5 stated that the more comprehensive credit reporting information should be deleted two years after the date on which a credit account is closed.  The Government will include timeframes for the deletion of information in the implementation of the Government’s response to the credit reporting recommendations.

It is recommended that a review of the introduction of the additional datasets by the Government take place in five years from the commencement of more comprehensive credit reporting in accordance with Recommendation 54-8 of the ALRC Report.



PART B: Industry Developed Credit Reporting Code of Conduct

8.         Problem

Non-legislative guidance should be issued to deal with a range of operational matters to ensure effective compliance with the requirements of the credit reporting provisions of the Privacy Act.  The appropriate form of this guidance is the issue to be determined.

Section 18A of the Privacy Act currently requires the Privacy Commissioner to issue a Code of Conduct dealing with operational matters.  The Privacy Act sets out high level obligations and does not deal with detailed operational matters.  In addition, the Privacy Act does not prescribe detailed operational procedures because it would not be a flexible mechanism to deal with issues of detail.  For example, it would be difficult to take into account changing technical standards and practices that may occur in the credit reporting industry and which may require the revision of the detailed guidance material.

In recommendation 54-9 the ALRC proposes that CRAs and credit providers develop an industry Code of Conduct in consultation with consumer groups and regulators.  The ALRC expressed the view that an industry developed Code would form a necessary adjunct to the credit reporting provisions in the Privacy Act.  The ALRC recommended that the Code be developed by industry because of the perceived need for industry to have a greater involvement in developing procedures which affect their day to day compliance with the Privacy Act.

Consistent with ALRC recommendation 48-1 on binding codes, the credit reporting Code would ‘fill in the gaps’ between the new credit reporting provisions and compliance with the obligations set out in the provisions.  It would provide detailed guidance within the framework of the requirements of the credit reporting provisions in the Privacy Act.

In assessing the suitability of the type and structure of a credit reporting Code, it should be noted that the details of the Code’s content can only be developed once the Government has settled the framework of the new credit reporting system.  However, it is expected that the Code would be an appropriate mechanism to address the following matters:

  • procedures for reporting repayment performance history
  • data quality procedures to ensure consistency and accuracy of credit reporting information, such as:
      o the timeliness of the reporting of credit reporting information;
      o rules on the calculation of overdue payments for credit reporting purposes;
      o obligations to prevent the multiple listing of the same debt;
      o requirements to update credit reporting information; and
      o rules around linking credit reporting records which may or may not relate to the same individual
  • dispute resolution processes, and
  • protocols and procedures for the auditing of credit reporting information.

9.         Objectives

The objective of government action is to respond to the ALRC recommendations on the introduction of an industry led Code of Conduct in the context of the Government’s response to the ALRC recommendations on the credit reporting system and the wider ALRC review of privacy law.  The specific objective is to provide a mechanism to put into place standards dealing with operational issues to assist compliance by the credit reporting industry with the requirements of the new credit reporting system.

10.       Options that may achieve the objectives

10.1     Implementation scope

The jurisdiction of the Privacy Act sets the scope for implementing a credit reporting Code of Conduct.  Within this framework, the parameters of the proposed options are confined to responding to the ALRC Report’s recommendations on a credit reporting Code.

10.2     Option 1 - Maintain the present Credit Reporting Code of Conduct process

This option would preserve the existing requirement for the Privacy Commissioner to issue a credit reporting Code of Conduct.  The existing Code of Conduct will require revision to deal with operational issues raised by more comprehensive credit reporting (if accepted).

10.3     Option 2 - Introduce a binding Code of Conduct developed by industry in accordance with the code making powers set out in Part IIIAA of the Privacy Act

Under this option:

  • the Privacy Act would specifically require CRAs and credit providers to develop a Code covering a broad range of operational issues as identified in the Privacy Act and in consultation with consumer representatives and regulators
  • any CRA or credit provider who intended to participate in the consumer credit reporting industry would be required to be a party to the Code
  • the Code would be a legally binding Code under the Privacy Act.  It would operate in addition to the credit reporting provisions and could not override or apply lesser standards than those contained in the Privacy Act
  • the Code must be approved by the Privacy Commissioner, who would also have the power to review the Code; and
  • a breach of the Code would be deemed to be a breach of the Privacy Act and the Privacy Commissioner or a relevant External Dispute Resolution (EDR) scheme would be entitled to determine a complaint in accordance with the provisions of the Privacy Act or Code (as appropriate).

The industry may choose to address some credit reporting issues (such as reciprocity between industry participants in the credit reporting system) which will not be regulated by the credit reporting provisions.  It would be a matter for industry to determine what, if any, additional issues should be included.  As these matters would fall outside the credit reporting provisions they would not require approval by the Privacy Commissioner.

10.4     Option 3 - Permit a non-prescribed voluntary industry Code of Conduct

Under this Option:

  • the Privacy Act would not set out any requirements for the existence or contents of a Code of Conduct
  • the Code would not be binding under the Privacy Act
  • it would be a matter for the credit reporting industry to determine whether to develop a Code and the contents of the Code
  • any Code developed by industry would be a non-prescribed voluntary industry code of conduct under the Trade Practices Act 1974.  Depending on the contents of the Code, it may be authorised by the Australian Competition and Consumer Commission (ACCC) for certain conduct on public benefit grounds that may otherwise be proscribed by the Trade Practices Act
  • any Code would establish standards which would be voluntarily agreed by its signatories.  The Code would be a contractual arrangement; and
  • the Code would be enforceable where CRAs and credit providers have agreed to be bound by the Code and established dispute resolution procedures in the Code (such as an EDR service).  The terms of the Code would not be enforceable by the Privacy Commissioner or the ACCC.

11.       Assessment of impacts

11.1     Impact group identification

The groups affected by the Options, in the order of the magnitude of the impact, are:

  • CRAs
  • Credit Providers
  • OPC
  • Small businesses; and
  • Individuals.

11.2     Assessment of costs and benefits

11.2.1  Impact of Option 1 - maintain the present Code of Conduct process

Credit Reporting Agencies - Benefits

While the existing Code would need to be revised if more comprehensive credit reporting is introduced, it is likely there would be minimal costs in complying with a revised Code.  CRAs would be consulted in the development of the Code to ensure business practices are adequately considered.  To the extent that CRAs decide to collect more comprehensive credit reporting information, compliance with the revised Code could be built into the development of any new systems and procedures required by the adoption of more comprehensive credit reporting.  Where existing requirements of the Code are unchanged, there would be no compliance costs as CRAs would already be in compliance with these requirements.

Credit Reporting Agencies - Costs

The current Code of Conduct does not deal in detail with some of the operational and procedural steps used within existing industry practices, which may lead to less clarity and consistency within the industry.  Further detail could provide more precise guidance to CRAs on current industry practices, assisting CRAs to comply with the credit reporting provisions.

While CRAs would be consulted by the OPC in any Code revision process resulting from the reforms to the credit reporting provisions, they would not have a central role in amendments to the Code of Conduct.  This reduces the ability of CRAs to form and direct changes in the Code of Conduct, such as in situations where technological developments may mean changes to operational practices that could benefit from guidance in the Code of Conduct.  CRAs would not be able to take the initiative in developing and proposing revisions to the Code, but instead would need to convince the OPC to initiate a review of the Code.  A lack of clear guidance may restrict future developments in the industry, which may result from the adoption of new technologies or the identification of new opportunities to use or manage data.  This may have the cost of reducing possible economic opportunities and benefits.  Evidence is not available to quantify any possible costs.

The purpose of the Code is to provide practical guidance to CRAs to assist compliance with the requirements of the Privacy Act and it is expected that detailed compliance information will be of significant assistance to the CRA industry.  However, there is a slight possibility that the existence of the Code may discourage new CRA industry entrants.  New entrants may prefer to establish alternative procedures and processes that comply with the requirements of the Privacy Act but do not match the detailed guidance contained in the Code.  In addition, new entrants would not have had the opportunity to contribute to the Code development process.

Credit Providers - Benefits

While the existing Code would need to be revised if more comprehensive credit reporting is introduced, it is likely there would be minimal costs in complying with a revised Code.  Credit providers would be consulted in the development of the Code to ensure business practices are adequately considered.  Compliance with the revised Code could be built into the development of any new systems and procedures required by the adoption of more comprehensive credit reporting.  Where other existing requirements of the Code are unchanged, there would be no compliance costs as credit providers would already be in compliance with these requirements.

Credit Providers - Costs

Similar issues exist for credit providers as those identified for CRAs.  The current Code of Conduct does not deal in detail with some of the operational and procedural steps used within existing industry practices, which may lead to less clarity and consistency within the industry.  Further detail could provide more precise guidance to credit providers on current industry practices, assisting credit providers to comply with the credit reporting provisions.

Credit providers would not have a central role in amendments to the Code of Conduct, although they would be consulted by the OPC in any Code revision process resulting from the reforms to the credit reporting provisions.  This reduces the ability of credit providers to form and direct changes in the Code of Conduct, such as in situations where technological developments may mean changes to operational practices that could benefit from guidance in the Code of Conduct.  The credit industry would not be able to take the initiative in developing and proposing revisions to the Code, but instead would need to convince the OPC to initiate a review of the Code.  A lack of clear guidance may restrict future developments in the industry, which may result from the adoption of new technologies or the identification of new opportunities to use or manage data.  This may have the cost of reducing possible economic opportunities and benefits.  Evidence is not available to quantify any possible costs.

The purpose of the Code is to provide practical guidance to credit providers to assist compliance with the requirements of the Privacy Act and it is expected that detailed compliance information will be of significant assistance to credit providers.  However, there is a slight possibility that the existence of the Code may discourage new credit providers.  New credit providers may prefer to establish alternative procedures and processes that comply with the requirements of the Privacy Act but do not match the detailed guidance contained in the Code.  In addition, new credit providers would not have had the opportunity to contribute to the Code development process.

Office of the Privacy Commissioner - Benefits

This option would ensure that OPC retains complete control over the development and promulgation of the Code.  OPC would continue to be required to consult with stakeholders in revising the Code, but it would be a matter for OPC to decide when to review the Code and what elements of the Code require revision.

Office of the Privacy Commissioner - Costs

The OPC does not have the necessary industry knowledge to provide specific guidelines on operational and procedural issues.  While the OPC is required to consult stakeholders and can obtain extensive information through the consultation process, the OPC would be required to devote resources to reviewing the Code and developing amendments.  The proposed introduction of more comprehensive credit reporting means that the OPC will be required to review the Code.  It is not possible to estimate the total expected cost of a full review of the Code and there have been no comprehensive reviews of the Code on which to base estimates of possible costs.

Small Businesses - Benefits

Some small businesses may be credit providers depending on whether they offer goods or services on terms that involve credit.  It would be expected that any review of the Code by the OPC would include consultation with small business representatives as stakeholders in the review.  Businesses are not required to participate in the credit reporting system and, where small businesses chose not to do so, they would not be affected by a revised Code.

Small Businesses - Costs

A revised Code will deal in detail with operational matters arising from the adoption of more comprehensive credit reporting.  To the extent that small businesses decide to participate in the credit reporting system and use more comprehensive credit reporting information, they will need to comply with the requirements of the Code, including, for example, requirements to participate in EDR services.  It is not possible to quantify the possible compliance costs for small businesses as there is no information available on the number of small businesses likely to use more comprehensive credit reporting.

Individuals - Benefits

Individuals would benefit from consistent operational standards for industry practices.  Individuals would be concerned to ensure that the Code achieved an appropriate balance between the protection of personal information and the operational needs of the credit reporting industry.  As the OPC has responsibility for the development and review of the Code, individuals can rely on the OPC to ensure their interests in the effective protection of personal information are protected.

Individuals would also benefit from the legal status of the Code to ensure their rights are enforced.  The Code would remain a disallowable instrument, which means that a breach of the Code could be the subject of a complaint to the Privacy Commissioner.

Individuals - Costs

A Code is intended to ensure consistency and certainty in operational practices throughout the credit reporting industry.  There are no obvious costs for individuals.

11.2.2  Impact of Option 2 - Introduce a binding Code developed by industry in accordance with the code making powers set out in Part IIIAA of the Privacy Act

Credit Reporting Agencies - Benefits

This option requires the credit reporting industry to develop a Code that would be binding under the Privacy Act.  Credit industry control of the code making process would:

·          allow the industry to apply detailed knowledge of industry practices to determine the best procedures to ensure practical compliance with the requirements of the Privacy Act

·          provide the industry with the flexibility to review the Code and develop necessary changes to the Code (subject to OPC approval) as required by changes in industry standards; and

·          ensure the credit reporting industry adopts best standard practices which have been developed in consultation with all industry participants, improving the overall reliability of industry practices and enhancing the operation of the credit reporting system.

The ability of the credit reporting industry to develop (in consultation with stakeholders, including consumer advocates) and adhere to a binding Code may assist the industry build greater trust by individuals in the operational standards and reliability of credit reporting practices.

Credit Reporting Agencies - Costs

The code making process would require the cooperation of all industry participants to develop specific operational and procedural requirements.  The process of developing the Code may involve costs to the industry, such as:

·          the time taken to develop a binding Code may be significant as industry groups must come to agreement about the provisions of the Code and take into account that the OPC will also need time to approve the Code

·          costs associated with drafting the Code

·          costs involved in consulting with stakeholders, both within the credit industry as well as with consumer and privacy advocates and regulators; and

·          possible costs associated with any future review of the Code.

It is not possible to estimate the actual costs that may be incurred.  Many of these potential costs are unlikely to be incurred because the credit industry has already begun work on the development of a Code.  The Australian Retail Credit Association (ARCA) is developing a draft Code on a range of operational matters that could be readily modified to include additional matters raised by the introduction of more comprehensive credit reporting.  The ARCA Code is discussed below in section 11.2.4.

It is expected that detailed compliance information will be of significant assistance to the CRA industry.  However, there is a slight possibility that the existence of the Code may discourage new CRA industry entrants.  New entrants may prefer to establish alternative procedures and processes that comply with the requirements of the Privacy Act but do not match the detailed guidance contained in the Code.  In addition, new entrants would not have had the opportunity to contribute to the Code development process.

Credit Providers - Benefits

This option requires the credit reporting industry to develop a Code that would be binding under the Privacy Act.  Credit industry control of the code making process would:

·          allow the industry to apply detailed knowledge of industry practices to determine the best procedures to ensure practical compliance with the requirements of the Privacy Act

·          provide the industry with the flexibility to review the Code and develop necessary changes to the Code (subject to OPC approval) as required by changes in industry standards; and

·          ensure the credit reporting industry adopts best standard practices which have been developed in consultation with all industry participants, improving the overall reliability of industry practices and enhancing the operation of the credit reporting system.

The ability of the credit reporting industry to develop (in consultation with stakeholders, including consumer advocates) and adhere to a binding Code may assist the industry build greater trust by individuals in the operational standards and reliability of credit reporting practices.

Credit Providers - Costs

The code making process would require the cooperation of all industry participants to develop specific operational and procedural requirements.  The process of developing the Code may involve costs to the industry, such as:

·          the time taken to develop a binding Code may be significant as industry groups must come to agreement about the provisions of the Code and take into account that the OPC will also need time to approve the Code

·          costs associated with drafting the Code

·          costs involved in consulting with stakeholders, both within the credit industry as well as with consumer and privacy advocates and regulators; and

·          possible costs associated with any future review of the Code.

It is not possible to estimate the actual costs that may be incurred.  Many of these potential costs are unlikely to be incurred because the credit industry has already begun work on the development of a Code.  The Australian Retail Credit Association (ARCA) is developing a draft Code on a range of operational matters that could be readily modified to include additional matters raised by the introduction of more comprehensive credit reporting.  The ARCA Code is discussed below in section 11.2.4.  However, ARCA appears to represent large organisations in the credit industry.  If ARCA takes a leading role in developing the Code, it is possible that smaller credit providers which are not members of ARCA may not be in a position to influence the code making process to the same extent as ARCA members.  This may mean, for example, that industry practices which suit larger organisations are incorporated into the Code as industry standards, disadvantaging smaller industry participants that do not use the same practices.

The purpose of the Code is to provide practical guidance to credit providers to assist compliance with the requirements of the Privacy Act and it is expected that detailed compliance information will be of significant assistance to credit providers.  However, there is a slight possibility that the existence of the Code may discourage new credit providers.  New credit providers may prefer to establish alternative procedures and processes that comply with the requirements of the Privacy Act but do not match the detailed guidance contained in the Code.  In addition, new credit providers would not have had the opportunity to contribute to the Code development process.

Office of the Privacy Commissioner - Benefits

A Code would create certainty for the OPC that a breach of the Code is a breach of the Privacy Act and it would also provide the OPC with industry standards by which to apply the credit reporting provisions.  Industry standards would give greater clarity about the application of the Act to the industry and should result in more efficient complaint resolution, resulting in less confusion as to whether a breach of the code is an interference with privacy.  Approval from the OPC would ensure the OPC is satisfied with industry’s interpretation of the credit reporting provisions.

Office of the Privacy Commissioner - Costs

It is expected that the OPC would face minimal costs when compared with Option 1.  The OPC would not face costs in the development of the Code, but would be required to incur some costs in approving the Code.  It is not possible to estimate the costs of approving the Code until a draft Code is developed.

Small Businesses - Benefits

Some small businesses may be credit providers depending on whether they offer goods or services on terms that involve credit.  In the development of a Code the credit reporting industry would be required to consult with affected stakeholders.  It is expected that this consultation process would include a mechanism for small businesses to contribute to the development of the Code, including through consultation with representative organisations.  As the Code would require authorisation by the OPC, it would be expected that the OPC would consider whether effective consultation had occurred, including with small business stakeholders.  Businesses are not required to participate in the credit reporting system and, where small businesses chose not to do so, they would not be affected by a Code.

Small Businesses - Costs

A Code will deal in detail with operational matters arising from the adoption of more comprehensive credit reporting.  To the extent that small businesses decide to participate in the credit reporting system and use more comprehensive credit reporting information, they will need to comply with the requirements of the Code, including, for example, requirements to participate in EDR services.  It is not possible to quantify the possible compliance costs for small businesses as there is no information available on the number of small businesses likely to use more comprehensive credit reporting.

Individuals - Benefits

Complaints by individuals would be subject to a clear EDR process.  As the Code would be enforceable by the OPC, adherence to the Code for the protection of individuals’ privacy would be stronger, as a breach of the Code would be a breach of the Privacy Act.

Individuals would benefit from consistent operational standards for industry practices.  Individuals would be concerned to ensure that the Code achieved an appropriate balance between the protection of personal information and the operational needs of the credit reporting industry.  As the OPC has responsibility for the development and review of the Code, individuals can rely on the OPC to ensure their interests in the effective protection of personal information are protected.

Individuals would also benefit from the legal status of the Code to ensure their rights are enforced.  The Code would remain a disallowable instrument, which means that a breach of the Code could be the subject of a complaint to the Privacy Commissioner. 

Individuals - Costs

A Code is intended to ensure consistency and certainty in operational practices throughout the credit reporting industry.  There are no obvious costs for individuals.

11.2.3  Impact of Option 3 - Introduce a voluntary Code developed by industry

Credit Reporting Agencies - Benefits

This option would not require the credit reporting industry to develop a voluntary Code.  It would be a matter for the industry to decide whether or not to develop a voluntary Code.  Any costs involved in the development of a Code would not be imposed by regulation but subject to commercial decisions about the costs and benefits by the industry.

If the credit reporting industry chooses to develop a voluntary Code, the industry would remain in control of the development process.  Industry control over the code making process would:

·          allow the industry to apply detailed knowledge of industry practices to determine the best procedures to ensure practical compliance with the requirements of the Privacy Act

·          provide the industry with the flexibility to review the voluntary Code and develop necessary changes as required by changes in industry standards; and

·          allow the credit reporting industry to determine whether it needed to adopt standard practices.

A voluntary Code would not require approval from the OPC, potentially reducing costs and delays in implementation.  However, approval from the ACCC may be required depending on whether the Code required consideration under the Trade Practices Act.

A voluntary Code would not impede new CRAs entering the market as it would be a commercial decision whether or not the new CRA subscribed to the voluntary Code.

The ability of the credit reporting industry to develop and adhere to a voluntary Code may assist the industry build greater trust by individuals in the operational standards and reliability of credit reporting practices.

Credit Reporting Agencies - Costs

The code making process would require industry cooperation to develop specific operational and procedural requirements.  This is expected to involve costs to the industry in the preparation of the voluntary Code, including a cost to develop and draft the voluntary Code.  However, ARCA has already drafted a Code and it is expected that the Code could be readily modified to form the basis of the voluntary Code, substantially reducing any costs in the development of a voluntary Code.

A voluntary Code would be required to comply with the ACCC’s guidelines for developing effective voluntary industry codes of conduct.  The voluntary Code may also require authorisation by the ACCC if it contravenes a provision of the Trade Practices Act, which may extend the time required to develop the voluntary Code.

CRAs would not be required to be members of the voluntary Code.  This may lead to inconsistencies in the credit reporting system in ensuring common compliance with the credit reporting provisions.

A voluntary Code would not be enforceable by the OPC.  This may be seen by stakeholders (including consumers) as undermining the reliability of the voluntary Code and the enforceability of any consumer rights or industry obligations imposed by the voluntary Code.  This may detract from stakeholder trust in the reliability of the credit reporting system.

It is unlikely that the existence of the voluntary Code would discourage new CRA industry entrants.  As it will be voluntary, new industry entrants would retain the discretion of not participating in the voluntary Code.  They would be able to establish their own alternative procedures and processes that comply with the requirements of the Privacy Act but do not match the detailed guidance contained in the voluntary Code.

Credit Providers - Benefits

This option would not require the credit reporting industry to develop a voluntary Code.  It would be a matter for the industry to decide whether or not to develop a voluntary Code.  Any costs involved in the development of a Code would not be imposed by regulation but subject to commercial decisions about the costs and benefits by the industry.

If the credit reporting industry chooses to develop a voluntary Code, the industry would remain in control of the development process.  Industry control over the code making process would:

·          allow the industry to apply detailed knowledge of industry practices to determine the best procedures to ensure practical compliance with the requirements of the Privacy Act

·          provide the industry with the flexibility to review the voluntary Code and develop necessary changes as required by changes in industry standards; and

·          allow the credit reporting industry to determine whether it needed to adopt standard practices.

A voluntary Code would not require approval from the OPC, potentially reducing costs and delays in implementation.  However, approval from the ACCC may be required depending on whether the Code required consideration under the Trade Practices Act.

A voluntary Code would not impede new credit providers entering the market as it would be a commercial decision whether or not the credit provider subscribed to the voluntary Code.

The ability of the credit reporting industry to develop and adhere to a voluntary Code may assist the industry build greater trust by individuals in the operational standards and reliability of credit reporting practices.

Credit Providers - Costs

The code making process would require industry cooperation to develop specific operational and procedural requirements.  This is expected to involve costs to the industry in the preparation of the voluntary Code, including a cost to develop and draft the voluntary Code.  However, ARCA has already drafted a Code and it is expected that the Code could be readily modified to form the basis of the voluntary Code, substantially reducing any costs in the development of a voluntary Code.

A voluntary Code would be required to comply with the ACCC’s guidelines for developing effective voluntary industry codes of conduct.  The voluntary Code may also require authorisation by the ACCC if it contravenes a provision of the Trade Practices Act, which may extend the time required to develop the voluntary Code.

Credit providers would not be required to be members of the voluntary Code.  This may lead to inconsistencies in the credit reporting system in ensuring common compliance with the credit reporting provisions.

A voluntary Code would not be enforceable by the OPC.  This may be seen by stakeholders (including consumers) as undermining the reliability of the voluntary Code and the enforceability of any consumer rights or industry obligations imposed by the voluntary Code.  This may detract from stakeholder trust in the reliability of the credit reporting system.

It is unlikely that the existence of the voluntary Code would discourage new consumer credit industry entrants.  As it will be voluntary, new industry entrants would retain the discretion of not participating in the voluntary Code.  They would be able to establish their own alternative procedures and processes that comply with the requirements of the Privacy Act but do not match the detailed guidance contained in the voluntary Code.

Office of the Privacy Commissioner - Benefits

The OPC would face minimal, if any, costs when compared with Option 1.  The OPC would not have a role in the voluntary Code making process, although the industry may choose to consult the OPC for guidance, and the OPC would not have a role in reviewing or authorising the voluntary Code.  In any enforcement actions the OPC would not need to consult the voluntary Code in interpreting the credit reporting provisions.

Office of the Privacy Commissioner - Costs

The OPC would not have control over directing the credit reporting industry to develop a voluntary Code or the content of the voluntary Code.  As the development of a voluntary Code would not be linked to the Privacy Act, the OPC would not be able to interpret specific credit reporting provisions by referring to the voluntary Code for practical assistance.  This may lead to a fragmented approach to the operation of the credit reporting provisions, which may result in increased enforcement costs for the OPC, particularly if individual consumer complaints increased.  It may also lead to increased business education costs for the OPC if it was necessary to encourage and educate the industry to ensure greater compliance with the requirements of the credit reporting provisions.  It is not possible to quantify these potential costs as they would depend on the nature and severity of any problems which may be encountered.

Small Businesses - Benefits

Some small businesses may be credit providers depending on whether they offer goods or services on terms that involve credit.  Businesses are not required to participate in the credit reporting system and, where small businesses chose not to do so, they would not be affected by a voluntary Code.  Where small businesses choose to participate in the credit reporting system, participation in the development and implementation of a voluntary Code would provide them with greater certainty about the operation of the system and may increase consumer trust in their compliance with the credit reporting provisions.

Small Businesses - Costs

A voluntary Code would deal in detail with operational matters arising from the adoption of more comprehensive credit reporting.  To the extent that small businesses decide to participate in the credit reporting system and use more comprehensive credit reporting information, they would need to consider complying with the requirements of the voluntary Code.  It is not possible to quantify the possible compliance costs for small businesses as there is no information available on the number of small businesses likely to use more comprehensive credit reporting.

Individuals - Benefits

Individuals would benefit from consistency in the type of practices engaged in by credit reporting industry participants.  Development of a voluntary Code would provide consumer certainty around the practices of participating industry members.

Individuals - Costs

A voluntary Code may not build consumer trust in the practices of the industry or the dispute resolution procedures.  Breaches of the voluntary Code would not be enforceable by the OPC.  If the voluntary Code requires authorisation by the ACCC, there may be consumer confusion around the appropriate regulator for dispute resolution.  It may be the case that not all CRAs or credit providers participate in the voluntary Code, which may create inconsistency and uncertainty for individuals in their dealings with the industry and in resolving consumer complaints.

11.2.4  Further notes relevant to Options 2 and 3: the ARCA Code

ARCA is currently preparing an industry Code to provide safeguards for business-to-business transactions involving consumer credit information.  Amongst other matters, the industry Code is intended to regulate the operational processes by which credit providers receive data from CRAs, as well as provide requirements for how credit providers deal with customers on credit reporting issues.  The current members of ARCA are ABACUS (Australian Building and Credit Union Societies, known as Australian Mutuals), American Express, ANZ Bank, Bank of Queensland, Bank of Western Australia, Citibank, Commonwealth Bank of Australia, GE Money, HBOS Australia, HSBC Bank, National Australia Bank, St George Bank, Telecom New Zealand, Westpac Bank, Dun and Bradstreet, and Veda Advantage.

ARCA has released a draft Credit Reporting Code of Conduct (the ARCA Code) which it has prepared as a voluntary contractual Code between members along the lines outlined in Option 3.  However, the draft ARCA Code provides that membership is mandatory for any CRA with operations in Australia and for any credit provider who wishes to use or disclose credit reporting information.  The ARCA Code would require all CRAs to ensure that organisations that seek access to credit reporting information are signatories to the Code or are otherwise bound by the Code provisions (e.g. via contract or terms and conditions of access).  It would also allow regulators to require organisations to be bound by the Code (for example as a condition of obtaining a licence).

ARCA’s work in developing a Code on behalf of the industry means that much of the work required to create a code has been commenced.  ARCA has undertaken a consultation process and invited submissions from interested parties in April 2009.  It is understood that ARCA is currently in the process of considering those submissions and revising the draft Code.  Whether the ARCA Code forms the basis for a voluntary Code under Option 3 or a binding Code under Option 2, the document would need to undergo an approval process by the appropriate regulator (the ACCC for Option 3 or the OPC for Option 2).

12        Consultation

12.1     ALRC Report Consultation

The ALRC consulted with a wide variety of stakeholders which included CRAs, credit providers, consumer advocates and the OPC.  There was broad support for the implementation of a new credit reporting code.  CRAs and the representative body ARCA were strongly in favour of a new code, and as already demonstrated, ARCA is preparing a draft credit reporting code.  The OPC was also in favour of a new code.  In terms of legislative design, in their submissions to the ALRC, the CRAs and ARCA originally supported a binding code under Part IIIAA as outlined in Option 2.

Consumer groups and privacy advocates generally favoured a binding code approved by the Privacy Commissioner.  Matters which were of high importance for these groups were to ensure greater certainty about data accuracy, security and appropriate EDR procedures and processes.

12.2     Consultation since the release of the ALRC Report

The Government undertook extensive consultations with, and received written submissions from, both the credit reporting industry and advocates on the credit reporting recommendations. 

The Government held the public roundtable consultations in December 2008.  There were 22 credit reporting industry attendees and eight privacy and consumer advocate attendees.  15 written submissions were received from the stakeholders. The Department also held a large number of one-on-one meetings with stakeholders in the first half of 2009 to discuss the application of the ALRC’s recommendations. 

The views of privacy and consumer advocates remained largely unchanged since the publication of the ALRC Report, and they reinforced their support for a mandatory credit reporting code approved by the OPC.  One large credit provider similarly stressed that there should be only one regulator responsible for enforcement of the code.

The position of ARCA and CRAs in relation to the design of a code changed from their original submission to the ALRC.  They have submitted that the code should not be binding under the Privacy Act as under Option 2 and favour instead the adoption of a contractual code similar to Option 3.

13        Conclusion and Recommended Option

Option 2 is preferred.  Unlike Option 1, Option 2 provides the consumer credit industry with sufficient flexibility and discretion to ensure that the requirements of the Code adequately address industry practice, while at the same time providing the Privacy Commissioner with the power to determine (through the approval process) whether the Code is consistent and compliant with the requirements of the Privacy Act.  Option 2 provides for a legally binding Code, which will allow the Privacy Commissioner to ensure an appropriate balance between the privacy needs of individuals and the operational needs of the consumer credit industry.  This is not available under Option 3.  The requirement under Option 2 for any organisation which wants to participate in the credit reporting system to be a member of the binding Code will ensure consistency in practices across the consumer credit industry.  Furthermore, a binding code under the jurisdiction of the Privacy Act (in contrast to a contractual code under Option 3) allows the OPC to interpret specific credit reporting provisions with reference to the Code.  This will aid in efficient and consistent complaint resolution for individuals, whether the complaints deal with matters regulated directly by the Privacy Act or by the Code.  In addition, the likely costs for industry in complying with a Code developed under Option 2 are expected to be reduced.  The consumer credit industry has already developed and complies with the ARCA Code, which it is expected would form the basis for the new industry developed Code of Conduct under Option 2.  The use of the ARCA Code is also likely to reduce the costs to industry in developing a voluntary Code under Option 3.  However, the voluntary Code would not be binding on industry and would not establish the same level of certainty around industry practices and consumer complaint resolution procedures as an industry developed Code under Option 2.

14        Implementation and Review

The Government will release a public response to the ALRC Report.  The Government has announced that the first step in the implementation of the Government response will be to release exposure draft legislation for public comment.

The ALRC recommended the Government initiate a review of the new credit reporting provisions five years after their commencement. [37]   The Government will consider this recommendation in the Government response to the ALRC report.



Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

 

Overview of the Bill

The Privacy Amendment Bill 2012 (the Bill) will amend the Privacy Act 1988 (the Act) to implement the Government’s first stage response to the Australian Law Reform Commission’s report number 108 For Your Information: Australian Privacy Law and Practice.    The ALRC, which had undertaken a comprehensive review of privacy law in Australia, released its report in May 2008. Given the large number of recommendations, the Government announced that it would respond in two stages.  The Government’s first stage response addressed 197 of the ALRC’s 295 recommendations.  The Bill implements the major elements of the first stage response. 

 

The Bill will amend the Act to:

·          create the Australian Privacy Principles (APPs), a single set of privacy principles applying to both Commonwealth agencies and private sector organisations, setting out the standards, rights and obligations for the collection, storage, security, use, disclosure and quality of personal information, which will replace the Information Privacy Principles (IPPs) for the public sector and National Privacy Principles (NPPs) for the private sector,

·          introduce more comprehensive credit reporting, and

·          clarify the functions and powers of the Privacy Commissioner and improve the Commissioner’s ability to resolve complaints, recognise and encourage the use of external dispute resolution services, conduct investigations and promote compliance with privacy obligations.

 

The Bill will reduce complexity, increase consistency and clarify rights and obligations under the Act and improve usability for entities required to comply with the Act, while continuing to protect the privacy rights of individuals. The credit reporting provisions will be re-written to more effectively address the significant changes and increased practical complexity in the operation of the credit reporting system since the provisions were enacted in 1990.  In introducing more comprehensive credit reporting the rights of individuals will be enhanced, including rights to access and correct their credit reporting information.

 

The Act currently provides for the development of APP Codes for particular sectors to guide their use of personal information. The Bill replaces the existing privacy codes and the credit reporting code with APP codes and the Credit Reporting Code of Conduct.  The Bill will allow the Privacy Commissioner to create a binding code for the sector following consultation in circumstances where the private sector does not create its own Code, or the Code is found to not appropriately regulate the sector’s use of information. All Codes, APP or Credit Reporting, are deemed disallowable legislative instruments by the amendments in the Bill, and will therefore be subject to Parliamentary scrutiny and accompanied by their own Statement of Compatibility with human rights.



Human rights implications

The Bill engages the following human rights:

  • the protection against arbitrary interference with privacy
  • the right to freedom of expression and opinion, and
  • the right to a fair trial.

 

Protection against arbitrary interference with privacy

 

The Bill engages Article 17 of the International Covenant on Civil and Political Rights (ICCPR), which provides that no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation, and that everyone has the right to the protection of the law against such interference or attacks. 

 

The Bill protects against arbitrary interference with privacy by introducing a number of specific protections,  including enhanced notification (APP 5), data quality (APP 10), data correction (APP 13) and dispute resolution mechanisms for individuals.  In particular, these measures involve:

·          enhancing obligations on agencies and organisations regarding an individual’s access to, and correction of, their personal information, accompanied by a revised approach to complaints handling, including timeframes for notification and the use of alternative dispute resolution for credit reporting complaints, to more efficiently deal with complaints

·          prohibiting the collection of credit reporting information about individuals reasonably known to be under 18

·          in circumstances of suspected identity theft or fraud, providing individuals with the ability to prohibit, for a specified period of time, the disclosure of credit reporting information about them without their express authorisation

·          requiring entities to develop and publish more comprehensive privacy policies to promote more open and transparent management of personal information

·          introducing a requirement for Commonwealth government agencies to accord higher privacy protection to ‘sensitive information’

·          ensuring that personal information that is received by an entity is still afforded privacy protections, even where the entity has done nothing to solicit the information

·          broadening the matters that an individual is to be made aware of at the time of collection of the personal information of the individual

·          introducing a new ‘Direct Marketing’ principle, that will place extra limitations on organisations that use or disclose personal information to promote or sell goods or services directly to individuals

·          improving corrections and complaints processes for consumers, including allowing complaints to be made directly to the Privacy Commissioner in certain circumstances

·          clarifying the functions and powers of the Privacy Commissioner to improve the Commissioner’s ability to resolve complaints, recognise and encourage the use of external dispute resolution services, conduct investigations and promote compliance with privacy obligations

·          ensuring the Commissioner has the flexibility to apply the Act to existing and emerging technologies and to enforce compliance where necessary, and

·          requiring entities to ensure that obligations to protect personal information set out in the APPs cannot be avoided by disclosing personal information to a recipient outside Australia.

 

Reasonably necessary

 

A key objective of the Act is to balance the protection of the privacy of individuals, with the interests of public and private sector entities in carrying out their lawful and legitimate functions and activities. The Bill enables the personal information of an individual to be collected, used and disclosed in particular circumstances (e.g. APP 3 and APP 6).   Collecting, using, storing and sharing personal information, including its release without an individual’s knowledge or consent, all amount to interferences with privacy.  In order for an interference with the right to privacy to be permissible, the interference must be authorised by law, be for a legitimate objective and be reasonable, necessary and proportionate to that objective. 

 

One threshold standard that will apply in the APPs in certain circumstances is where an entity is able to undertake activities with personal information where it is ‘necessary’ for a particular purpose, function or activity.  For example, an entity may collect sensitive information without consent if the entity reasonably believes that the collection is necessary to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health and safety (APP 3.4 and s 16).  These limitations are consistent with the prohibition on arbitrary interference with privacy as they are directed at legitimate objectives and are reasonable, necessary and proportionate to those objectives.

 

The Bill also enables the personal information of an individual to be collected, used and disclosed in certain circumstances where it is ‘reasonably necessary’ for one or more of the entity’s functions or activities (agencies also have a ‘directly related’ test) (APP 3 and 6).  It is reasonable for these entities to be able to handle personal information in these circumstances to promote the Government’s service delivery, taxation, law enforcement and national security objectives, and the needs of business to offer services to the public.  This is how the test has operated under the National Privacy Principles since their enactment in 2001.  The permitted activities are limited to specific purposes (ie an entity’s functions and activities), and subject to additional safeguards in the case of sensitive information.  For these reasons, the ‘reasonably necessary’ threshold is consistent with the protection against arbitrary interference with privacy, subject to the additional safeguards in the case of sensitive information (APP 3.3 and 3.4).

 

Comprehensive credit reporting

 

The Bill implements the ALRC’s recommendations to move to a more comprehensive credit reporting system. In this respect, the Bill may limit the prohibition on arbitrary interference with privacy by adding five new categories to the types of personal information that make up an individual’s credit information in the credit reporting system. Four of the new categories, which are introduced in the new definition of consumer credit liability information in subsection 6(1), are:

  • the type of credit account opened
  • the date on which the consumer credit is entered into
  • the date on which the consumer credit is terminated, and
  • the current limit of the credit account.

The fifth category, repayment history information, is added directly to the definition of credit information, at part (c) of clause 6N of the Bill.

 

The Act currently enables the collection and disclosure of personal information that primarily detracts from an individual’s credit worthiness—such as the fact that an individual has defaulted on a loan. This is commonly referred to as ‘negative’ or ‘delinquency-based’ credit reporting. The introduction of comprehensive credit reporting is aimed at providing a more balanced and accurate picture of an individual’s credit situation than currently exists, providing positive information about a person’s credit situation such as when an individual has met their credit payments. The introduction of more comprehensive credit reporting allows credit providers to access an enhanced set of personal information tools directly relevant to establishing an individual’s credit worthiness.  This will allow credit providers to make a more robust assessment of credit risk, which is expected to lead to lower credit default rates. More comprehensive credit reporting is also expected to improve competition in the credit market, which may result in reductions to the cost of credit for individuals. The amendments will enable legitimate commercial activity, facilitating consumer lending and transactions, and thus the participation of individuals in the economy.  These are legitimate objectives.

 

The Bill introduces a number of safeguards to provide individuals with the tools to access information held about them, and correct any inaccuracies.  The Bill also makes improvements to the complaints process, to ensure that the first organisation to receive the individual’s complaint is responsible for taking action.  In moving to more comprehensive credit reporting it has been recognised that additional safeguards around the use of repayment history information, the fifth new category of information, are also necessary. Repayment performance history will only be available to credit providers who are licensees [and to lenders mortgage insurers in relation to services they provide to credit providers] and subject to the responsible lending obligations in the National Consumer Credit Protection Act 2009 (Cth). [38]

 

The Bill continues to state clearly defined and limited uses and disclosures for credit reporting information. The Government did not support the ALRC’s recommendation that secondary uses of credit reporting information should be subject to a broad discretion exercised by credit reporting bodies or credit providers. The Government’s approach ensures any effect on privacy rights is proportionate and limited by the introduction of specific safeguards, including:

·          only de-identified information can be used for the purpose of research, and the research must be reasonably connected to the credit reporting system, and

·          the use of credit reporting information for the purposes of pre-screening is expressly limited to the purpose of excluding adverse credit risks from marketing lists.

 

Pre-screening is subject to specific requirements, including only the use of negative credit reporting information, the requirement for notice at the time of collection that information may be used for this purpose, an opt out opportunity, and a prohibition on individuals being identified for other direct marketing. Any entity involved in pre-screening must maintain auditable evidence to verify compliance, and which is available to individuals. Pre-screening is also only available to credit providers who are subject to the National Consumer Credit Protection Act 2009 (NCCP Act).

In the consumer credit environment it is important to achieve a balance between privacy protection and the efficient operation of the credit market. Access to narrowly defined categories of credit information to ensure a more balanced picture of an individual’s credit situation, taking into account positive action such as payment, and not just negative information like defaults, and to allow for more effective risk assessment by credit providers is balanced with the enhanced privacy protections set out above.

 

Any limitations on the prohibition against arbitrary interference with privacy in the Bill are clearly and narrowly defined, for the legitimate purpose of improving the management of personal and credit reporting information, and accompanied by sufficient safeguards to maintain reasonable privacy protections.  The measures are reasonable, necessary and proportionate as they ensure the smallest possible set of data is used for the narrowest purposes to achieve the objective of providing a functional consumer credit market.

 

Freedom of expression

 

The Bill engages Article 19 of the ICCPR.  Article 19 guarantees freedom of expression, including the right to impart and to receive information. The freedom of expression is not an absolute right, and Article 19(3) of the ICCPR specifies the legitimate aims which any legal restriction on the exercise of freedom of expression must pursue. In this case the Bill limits the right to freedom of expression in order to promote respect for the rights or reputations of others, namely the protection against arbitrary interference with privacy in Article 17.

 

The Commissioner has the ability to create binding codes in certain, defined circumstances (new Part IIIB inserted by Schedule 3). Codes will provide additional protections over and above the APPs. Codes cannot displace or provide for a lower standard of privacy protection than the APPs. The ability of the Commissioner to create binding codes may in certain circumstances limit the code developers’ (which could be any entity subject to the Act) right to freedom of expression. Not every code will impinge on this right. The performance of the functions and powers of the Commissioner, including the development of a binding code, continue to be governed by Section 29 of the Act, which requires the Commissioner to have regard to, amongst other things, the protection of important human rights and social interests that compete with privacy. [39] Section 29 also provides that the Commissioner must take account of international obligations accepted by Australia and any developing international guidelines relevant to the better protection of individual privacy.   When issuing directions and guidelines the Commissioner must also ensure they are consistent with any relevant APPs or credit reporting provisions.  As noted above, all Codes will be disallowable legislative instruments, subject to Parliamentary scrutiny, and required to be accompanied by their own Statement of Compatibility with human rights. These safeguards ensure that the limitation the Bill places on the right to freedom of expression is reasonable, necessary and proportionate.

 

Fair trial

 

The Bill engages Article 14 of the ICCPR, which guarantees a person be afforded, in the determination of any criminal charge against them, the right to a fair trial. The United Nations Human Rights Committee has stated that the notion of criminal charges may ‘also extend to acts that are criminal in nature with sanctions that, regardless of their qualification in domestic law, must be regarded as penal because of their purpose, character or severity’. [40]

 

The Bill removes many of the criminal offences in the Act, replacing them with civil penalty provisions. [41] The civil penalty provisions, such as those in Subdivision D of Part IIIA, are declared not to be offences under Part VIB. While the provisions provide for significant civil penalties it is considered that serious breaches of privacy should attract serious penalties. This is consistent with the civil penalties in the NCCP Act, and with the Government’s overall response to serious breaches by corporations.

 

The Bill incorporates appropriate safeguards into the civil penalty provisions of the Bill [42].  It stipulates that in determining pecuniary penalties a court must take all relevant matters into account, including the circumstances of the contravention, the nature and extent of any loss or damage suffered because of the contravention and whether the entity has previously been found to have engaged in similar conduct.  The Bill provides that an entity will not be liable for more than one pecuniary penalty in relation to the same conduct. These provisions will ensure that pecuniary penalties are proportionate to any contravention of a civil penalty provision, and protect the rights expressed in Article 14.

Conclusion

 

The Bill is compatible with human rights because it advances the protection of human rights, primarily protection against arbitrary interference with privacy, and, to the extent that it may also limit other human rights, those limitations are reasonable and proportionate.

 

 



 

PRIVACY AMENDMENT (ENHANCING PRIVACY PROTECTION) BILL 2012

NOTES ON CLAUSES

List of Abbreviations

APP                          Australian Privacy Principle

Information Commissioner     Australian Information Commissioner

IPP                          Information Privacy Principle

NPP                          National Privacy Principle

OAIC                         Office of the Australian Information Commissioner

Privacy Act                  Privacy Act 1988

NOTES ON CLAUSES

Clause 1          Short title

Clause 1 sets out the title by which the Bill, when enacted, is to be cited - Privacy Amendment (Enhancing Privacy Protection) Act 2012.

Clause 2          Commencement

Clause 2 inserts a table which provides for the commencement arrangements for each of the provisions in the table. Column 1 states the provision number, and column 2 provides the commencement arrangements for that particular provision.

The table provides that sections 1 to 3 and any other provision in the Act that is not provided for in the table commences on the day the Act receives the Royal Assent. The table also provides that Items 156 and 162 of Schedule 5 and Parts 1 and 4 of Schedule 6 also commence on the day the Act receives the Royal Assent.

The majority of the new provisions have a deferred commencement of 9 months from the day after the Bill receives the Royal Assent. This deferment is to allow agencies and organisations sufficient time to prepare for the introduction of the new provisions, particularly for the credit reporting provisions. The table in Clause 2 provides that the following provisions commence the day after the end of the period of 9 months beginning on the day this Act receives the Royal Assent:

Schedules 1 to 4, Items 1 to 70, 72 to 79, 81 to 131, 133 to 155, 157 to 161, 163 to 171, and 173 to 180 of Schedule 5, and Parts 2, 3, 5, 6, and 7 of Schedule 6.

Item 71 of Schedule 5 relates to the operation of the Personally Controlled Electronic Health Records Act 2012 (Personally Controlled Electronic Health Records Act). Item 71 of Schedule 5 does not commence at all if section 73 of the Personally Controlled Electronic Health Records Act does not commence. If that provision does commence, Item 71 of Schedule 5 of this Bill commences immediately after its commencement, or the start of the day after the end of the period of 9 months beginning on the day this Bill receives the Royal Assent, whichever occurs later.

This situation also applies to Item 80 of Schedule 5, which relates to the operation of the Stronger Futures in the Northern Territory Act 2012 (Stronger Futures in the Northern Territory Act). Item 80 of Schedule 5 does not commence at all if section 105 of the Stronger Futures in the Northern Territory Act does not commence. If that provision does commence, item 80 of Schedule 5 commences immediately after its commencement, or the start of the day after the end of the period of 9 months beginning on the day this Bill receives the Royal Assent, whichever occurs later.

This commencement arrangement also applies to item 132 of Schedule 5, which relates to the commencement of item 24 of Schedule 5 of the Consumer Credit and Corporations Legislation Amendment (Enhancements) Act 2012, and item 172 of Schedule 5 which relates to the commencement of item 32 of Schedule 1 of Personally Controlled Electronic Health Records (Consequential Amendments) Act 2012.

Clause 3          Schedule(s)

This clause provides for each Act specified in a Schedule to the Bill to be amended in accordance with the items set out in the relevant Schedule.

Schedule 1—Australian Privacy Principles

Introduction

Outline of this schedule

This schedule amends the Privacy Act to include the new Australian Privacy Principles (APPs).  The APPs will be the cornerstone of the privacy protection framework of the Privacy Act.  The APPs will replace the Information Privacy Principles (IPPs), which applied to Commonwealth agencies, and the National Privacy Principles (NPPs), which applied to certain private sector organisations.  As with these former principles, the APPs will regulate the collection, holding, use and disclosure of personal information that is included in records.  Schedule 1 also contains amendments to definitions to either replace or clarify them, or add more definitions to deal with new terms. 

Principles based legislation

The APPs will be principles-based law.  The best regulatory model for information privacy protection in Australia is this type of law.  By continuing to use high-level principles, the Privacy Act regulates agencies and organisations in a flexible way.  They can tailor personal information handling practices to their diverse needs and business models, and to the equally diverse needs of their clients.

The Privacy Act combines principles-based law with more prescriptive rules where appropriate.  This regulation is complemented by guidance and oversight by the regulatory body, the Office of the Australian Information Commissioner (OAIC).  This is comparable to international regulatory models in jurisdictions such as Canada, New Zealand and the United Kingdom. 

Structure

The order in which the APPs appear is intended to reflect the cycle that occurs as entities collect, hold, use and disclose personal information. 

This broadly consists of the following stages:

·          planning in advance how to meet obligations in relation to the handling of personal information;

·          considering whether information may or should be collected;

·          collecting information;

·          providing notification of collection to the individual concerned;

·          using or disclosing the information for the purpose for which it was collected or for an allowable secondary purpose;

·          maintaining the integrity of personal information by securely storing it and ensuring its quality; and

·          when the information is no longer necessary for the functions or activities of the entity, destroying it or ensuring that it is no longer personal information.

To this end, the APPs have been set out in Parts that move through each of the above elements of the information-handling chain. 

Part 1 sets out principles that require APP entities to consider the privacy of personal information, including ensuring that APP entities manage personal information in an open and transparent way.

Part 2 sets out principles that deal with the collection of personal information including unsolicited personal information.

Part 3 sets out principles about how APP entities deal with personal information and government related identifiers.  The Part includes principles about the use and disclosure of personal information and those identifiers.

Part 4 sets out principles about the integrity of personal information. The Part includes principles about the quality and security of personal information.

Part 5 sets out principles that deal with requests for access to, and the correction of, personal information. 

Key concepts - definition of ‘personal information’

The definition of ‘personal information’ has been modified to implement the Government’s acceptance of ALRC Recommendation 6-1. 

It is important that this key definition be sufficiently flexible and technology-neutral to encompass changes in the way that information that identifies an individual is collected and handled.  The ALRC’s recommended definition continues to allow this approach and also brings the definition in line with international standards and precedents. 

The proposed definition does not significantly change the scope of what is considered to be personal information.  The application of ‘reasonably identifiable’ ensures the definition continues to be based on factors which are relevant to the context and circumstances in which the information is collected and held.   

Consistent with the Government’s response to ALRC Recommendation 6-2, the Government encourages the development and publication of appropriate guidance by the OAIC about the meaning of ‘identified or reasonably identifiable’.  This will be useful in assisting organisations, agencies and individuals to understand the application of the new definition, especially given the contextual nature of the definition. 

Key concepts - ‘reasonably necessary’

A number of the APPs allow for collection, use or disclosure where the entity believes that the collection, use or disclosure is ‘reasonably necessary’ for a particular purpose.  It is intended that this be interpreted objectively and in a practical sense.  It is not intended to provide a lower level of protection compared with the existing NPPs, where an objective test is implied. 

In relation to the requirement that an entity must not collect, use or disclose personal information unless it is reasonably necessary for a particular purpose, function or activity, this is intended to reflect the following.  The first is that the collection, use or disclosure is reasonably necessary to pursue that particular purpose, function or activity.  Whether the collection, use or disclosure is reasonably necessary is to be assessed from the perspective of a reasonable person (not merely from the perspective of the entity proposing to undertake the activity). 

Where a reasonable person would not regard the purpose, function or activity in question as legitimate for that type of entity, the collection, use or disclosure of personal information will not be ‘reasonably necessary’ even if the entity cannot effectively pursue that function or activity without collecting, using or disclosing the personal information.



Key concepts - requirement to take reasonable steps

A number of the APPs require an entity to take ‘reasonable steps’.  The expression ‘such steps as are reasonable in the circumstances’ is intended to be interpreted as being similar in meaning to the term ‘reasonable steps’ used in the NPPs.  Specifically, the term requires an objective assessment, and the addition of the words ‘in the circumstances’ is only intended to highlight that when considering what are objectively reasonable steps the specific circumstances of each case must be considered.  In some cases, the words ‘(if any)’ are used to ensure that, in that particular case, if there are no steps that an entity needs to take to fulfil its obligations, it need not take any steps.

Key concepts - consent

Consent is a defined concept within the current Privacy Act which will be retained in the amended Act.  Consent is defined to mean ‘express consent or implied consent’.  Express consent exists where a person makes an informed decision to give their voluntary agreement to collection, use or disclosure taking place. 

Whether consent can be said to be implied depends entirely on the circumstances.  Consent may be implied when, in the circumstances, the individual and the relevant entity have each engaged in conduct that means that it can be inferred the individual has consented, even though the individual may not have specifically stated that he or she gives consent. 

Consent, in many circumstances, can be withdrawn at any time.  In such circumstances, the consent no longer exists, and an entity would no longer be able to rely on consent having been given when dealing with the individual’s personal information.

Consistent with the Government’s response to ALRC Recommendation 19-1, the Government encourages the development and publication of appropriate guidance by the OAIC about what is required of agencies and organisations to obtain an individual’s consent for the purposes of the Privacy Act. 

Treatment of ‘sensitive information’

Schedule 1 implements the Government’s agreement with the ALRC that the community expects ‘sensitive information’ to be afforded higher privacy protections than personal information that is not sensitive.  These protections will apply regardless of whether sensitive information is held by agencies or organisations.  These requirements include that sensitive information may not be collected except where permitted by specified exceptions.  These exceptions reflect the public interest in allowing entities to perform certain functions and activities.

Item 1             Section 3

Item 1 will amend section 3 of the Privacy Act by removing the reference to the ‘transfer’ of information.  Section 3 provides that the Privacy Act does not affect the operation of State and Territory legislation that deals with the same subject matter and is capable of operating concurrently with the Privacy Act. 

As a result of the changes in terminology from the NPPs to the APPs, reference to the ‘transfer’ of information is unnecessary.  NPP 9 deals with transborder data flows and uses the term ‘transfer’.  However, APP 8, which deals with cross-border disclosure of personal information, uses the term ‘disclosure’.  The term ‘transfer’ is not otherwise used in the APPs.  To ensure that section 3 accurately sets out the content of corresponding State and Territory privacy laws that are to be saved, it is necessary to omit reference to ‘transfer’. 



Item 2             Section 3 (note)

Item 2 will amend section 3 of the Privacy Act by replacing the reference to the NPPs with a reference to the APPs.

Item 3             Section 5

Item 3 will repeal section 5 of the Privacy Act, which is no longer necessary as it deals with the interpretation of the IPPs, which will be replaced by the APPs.  New section 14 of the Privacy Act will note that the APPs are set out in Schedule 1 of the Privacy Act, and that a reference to an APP by a number is a reference to an APP with that number.

Item 4             Subsection 6(1) (paragraph (i) of the definition of ‘agency’)

Item 4 will repeal paragraph (i) of the definition of ‘agency’ in subsection 6(1) of the Privacy Act, which refers to an ‘eligible case manager’ (see Item 15).

Item 5             Subsection 6(1)

Item 5 will insert a definition of ‘APP complaint’ into subsection 6(1) of the Privacy Act.  This definition means a complaint about an act or practice that, if established, would be an interference with the privacy of an individual because it breached an APP.  A separate definition is required for an ‘APP complaint’ to distinguish it from other types of complaints under the Privacy Act (for example, ‘code complaints’, and complaints relating to the handling of credit reporting information). 

Item 6             Subsection 6(1)

Item 6 will insert a definition of ‘APP entity’ into subsection 6(1) of the Privacy Act.

Under the current Act, the IPPs apply to Commonwealth agencies, while the NPPs apply to certain private sector organisations.  Under the amendments in the Bill, both agencies and organisations will be regulated by the APPs.  It is therefore necessary to include a definition that includes both types of entities.  

Item 7             Subsection 6(1)

Item 7 will insert a definition of ‘APP privacy policy’ into subsection 6(1) of the Privacy Act.  The definition is included in APP 1.3, which states that, ‘[a]n APP entity must have a clearly expressed and up-to-date policy (the APP privacy policy) about the management of personal information by the entity’.  The intention of APP 1 is to ensure that APP entities manage personal information in an open and transparent way.  APP 1 also contains requirements about the content of an APP privacy policy and its availability. 

Item 8             Subsection 6(1)

Item 8 will insert a definition of ‘Australian law’ into subsection 6(1) of the Privacy Act.  The definition addresses the Government’s acceptance in principle of ALRC Recommendation 16-1 that it should include a reference to ‘common law or equitable duties’, but exclude ‘contracts’.  In that response, the Government also noted that while a definition will provide a degree of clarity, the meaning of ‘law’ is best determined on a case-by-case basis.  The Government also outlined some relevant considerations in determining the application of the required or authorised by law exemption, but also in determining whether an applicable law is relevant under the Privacy Act. 

The definition has been included to clarify the scope of provisions that allow collection, use or disclosure where it is required or authorised by or under law.  Currently there is no definition of ‘law’ in the Privacy Act and it generally takes its ordinary meaning.  The ALRC found that there was a degree of uncertainty around the definition and that an inclusive definition should be expressly set out to create greater clarity. 

Item 9             Subsection 6(1)

Item 9 will insert a definition of ‘Australian Privacy Principle’ into subsection 6(1) of the Privacy Act.  The definition refers to section 14 of the amended Act, which is a provision ensuring that a reference in any Act to an APP by a number is a reference to the APP with that number.

Item 10           Subsection 6(1)

Item 10 will insert a definition of ‘collects’ into subsection 6(1) of the Privacy Act.

The definition will capture the substance of section 16B of the Privacy Act and IPPs 1-3, namely that the Privacy Act applies to personal information collected by entities regulated by the Privacy Act for inclusion in a record or generally available publication.  Section 16B of the Privacy Act and the IPPs will be repealed.

Item 11           Subsection 6(1)

Item 11 will insert a definition of ‘Commonwealth record’ into subsection 6(1) of the Privacy Act, which will have the same meaning as in the Archives Act 1983 (Archives Act).  That expression appears in APPs 4 and 11, and ensures that certain requirements under the Archives Act relating to the retention of Commonwealth records will apply notwithstanding requirements in the APPs relating to destruction of personal information. 

Item 12           Subsection 6(1)

Item 12 will insert a definition of ‘court/tribunal order’ into subsection 6(1) of the Privacy Act.  The inclusion of orders of courts or tribunals as part of clarifying the scope of the ‘required by or authorised by or under law’ exceptions is ALRC Recommendation 16-1, which the Government accepted.  This definition gives the broadest interpretation to the concept and is consistent with that terminology as it appears in other laws and regulations (for example, Legislative Instruments Regulations 2004). 

Item 13           Subsection 6(1)

Item 13 will insert a definition of ‘de facto partner’ into subsection 6(1) of the Privacy Act.  This contains a cross-reference to the meaning of that expression in the Acts Interpretation Act (see section 2D).  This definition is relevant to subsection 6(10) of the Privacy Act, which provides that a ‘de facto partner of the individual’ is taken to be included within the concept of a ‘family’ for certain purposes. 

Item 14           Subsection 6(1)

Item 14 will insert a definition of ‘de-identified’.  This will provide that personal information is ‘de-identified’ if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.  This term is used in the APPs and the credit reporting provisions. 

Item 15           Subsection 6(1) (definition of ‘eligible case manager’)

Item 15 will repeal the definition of ‘eligible case manager’ in subsection 6(1) of the Privacy Act. 

The concept of ‘eligible case manager’ came from the Employment Services Act 1994, which was repealed by the Financial Framework Legislation Amendment Act (No. 1) 2006.  It is therefore no longer necessary to include that definition.  All references to ‘eligible case manager’ are being removed from the Privacy Act. 

Item 16           Subsection 6(1) (after paragraph (b) of the definition of ‘enforcement body’)

Item 16 will insert a reference to the CrimTrac Agency into the definition of ‘enforcement body’ in subsection 6(1) of the Privacy Act.

The CrimTrac Agency is the national information-sharing service for Australia's police, law enforcement and national security agencies.  It enables police agencies to share policing information with one another across Australia's state and territory borders.  In view of its enforcement related functions and activities, and the type of information it collects, uses and discloses, it is appropriate to include the CrimTrac Agency in the definition of ‘enforcement body’.  This will enable it to collect personal and sensitive information for its legitimate functions and activities, and to enable such information to be used or disclosed on its behalf for an ‘enforcement related activity’. 

Item 17           Subsection 6(1) (after paragraph (c) of the definition of ‘enforcement body’)

Item 17 will insert a reference to the ‘Immigration Department’.  That will be a new definition in section 6 of the Privacy Act referring to the Department administered by the Minister administering the Migration Act 1958 (Migration Act). 

Currently, this is a reference to the Department of Immigration and Citizenship (DIAC).  The effect of this addition is that DIAC will have the ability to collect personal and sensitive information for its functions and activities (subject to the additional requirement in APP 3.4 that the collection of sensitive information without consent be limited to its enforcement related activities), and will have the ability to have information used or disclosed on its behalf for an enforcement related activity.

In view of DIAC’s enforcement related functions and activities, and the type of information it collects, uses and discloses, it is appropriate to include it in the definition of ‘enforcement body’.   However, given that it has a range of non-enforcement functions and activities, it will be limited in the collection of sensitive information to its ‘enforcement related activities’. 

Item 18           Subsection 6(1) (after paragraph (e) of the definition of ‘enforcement body’)

Item 18 will include the Office of the Director of Public Prosecutions (DPP) or similar bodies established under a law of a State or Territory in the definition of ‘enforcement body’ in subsection 6(1) of the Privacy Act.  A body will be ‘similar’ to the DPP if it has similar enforcement related functions.  A clear example of such a body is a State DPP. 

The functions and activities of the Commonwealth and State/Territory DPPs include prosecuting criminal offences, preparing for, or conducting, proceedings before courts, and applying for orders relating to the confiscation of proceeds of crime. The DPP offices may, to some extent, come within the existing definition of ‘enforcement body’ through existing paragraphs (f) and (g) of that definition.  However, to avoid any doubt about whether the DPP offices are enforcement bodies, it is necessary to include them in the definition. 

Item 19           Subsection 6(1) (after paragraph (l) of the definition of ‘enforcement body’)

Item 19 will include the Corruption and Crime Commission of Western Australia (CCCWA) in the definition of ‘enforcement body’ in subsection 6(1) of the Privacy Act.

The CCCWA was established on 1 January 2004, under the Corruption and Crime Commission Act 2003, as a permanent investigative commission with the same powers as a Royal Commission.  The CCCWA assists the Western Australia Police Service to combat organised crime by granting them special powers, and helps public sector agencies minimise and manage misconduct. 

CCCWA is included for consistency, so that all currently-existing State integrity bodies are listed. 

Item 20           Subsection 6(1)

Item 20 will insert a definition of ‘enforcement related activity’ into subsection 6(1) of the Privacy Act.

The definition will substantially capture the matters covered by NPP 2.1(h), which creates an exception to the prohibition against organisations using or disclosing personal information for a secondary purpose by listing a number of activities conducted by or on behalf of law enforcement bodies in respect of which personal information may be used or disclosed. 

The definition of ‘enforcement related activity’ will replicate this list but add paragraphs to ensure that the definition covers the conduct of surveillance activities, intelligence gathering activities and other monitoring activities as well as protective or custodial activities.  These types of activities have been included to update and more accurately reflect the range of activities that law enforcement agencies currently undertake in performing their legitimate and lawful functions.

The definition is used in APPs 6 and 8 and will enable certain uses and disclosures of personal and sensitive information which may otherwise be a breach of those APPs.  The definition recognises that the limited use and disclosure of personal information for criminal law enforcement purposes is in the public interest when balanced with the interest in protecting an individual’s privacy.

Item 21           Subsection 6(1)

Item 21 will insert a definition of ‘entity’ into subsection 6(1) of the Privacy Act.

In the amended Privacy Act, ‘entity’ will mean ‘an agency, or an organisation or a small business operator’.  Generally, while the APPs will not apply to small business operators, they may be regulated under provisions of Part IIIA (credit reporting). 

Item 22           Subsection 6(1) (definition of ‘generally available publication’)

Item 22 will update the definition of ‘generally available publication’ in subsection 6(1) of the Privacy Act.

The new definition will explicitly state that a publication is a generally available publication whether or not payment of a fee is required to access it.  The new definition is also more technologically neutral, in that it clearly covers material available electronically, including on the internet.

The amendment is not intended to suggest that any website or publication available on the internet is a generally available publication.  An assessment must be made on a case-by-case basis, taking into account all relevant circumstances, such as the extent to which access to the publication or website is restricted in some way. 

Item 23           Subsection 6(1)

Item 23 will insert a definition of ‘government related identifier’ into subsection 6(1) of the Privacy Act.

Government related identifiers are specifically assigned by one of a range of specifically listed government-related bodies (in paragraphs (a)-(d) of the definition) and are used to identify an individual or verify the identity of the individual.  The definition extends to State and Territory authorities as well as Commonwealth agencies.  Examples of government related identifiers include Medicare numbers and driver’s licence numbers.

Item 24           Subsection 6(1)

Item 24 will insert a definition of ‘holds’ into subsection 6(1) of the Privacy Act.

The definition will substantially capture the concept formerly included in section 10 of the Privacy Act relating to record-keepers under the IPPs.  That is, an entity holds personal information if the entity has possession or control of a record that contains the personal information. 

Item 25           Subsection 6(1)

Item 25 will insert a definition of ‘identifier’ into subsection 6(1) of the Privacy Act.  The concept is used in APP 9, which is concerned with the adoption, use or disclosure of government related identifiers by organisations. 

The definition is broader than the definition of ‘identifier’ in NPP 7.3, in that it will apply to a number, letter or symbol, or combination of any or all of those things, that is used to identify or to verify the identity of the individual.  As with the definition of ‘identifier’ in NPP 7.3, it will expressly exclude the individual’s name, or the individual’s ABN (within the meaning of the A New Tax System (Australian Business Number) Act 1999).  It will also exclude anything else prescribed by the regulations to ensure that there is flexibility to exclude any future identifiers from the definition. 

Item 26           Subsection 6(1)

Item 26 inserts a new definition of ‘Immigration Department’ in section 6 of the Privacy Act to refer to that Department administered by the Minister administering the Migration Act.  Currently, that is DIAC. 

Item 27           Subsection 6(1) (definition of ‘Information Privacy Principle’)

Item 27 will repeal the definition of ‘Information Privacy Principle’, which will no longer be necessary because the IPPs will be replaced by the APPs.

Item 28           Subsection 6(1) (definition of ‘IPP complaint’)

Item 28 will repeal the definition of ‘IPP complaint’, which will no longer be necessary because the IPPs will be replaced by the APPs.  Complaints about acts and practices occurring after the commencement of the amendments will relate only to the APPs. 

Item 29           Subsection 6(1)

Item 29 will insert a definition of ‘misconduct’ into subsection 6(1) of the Privacy Act.

The new concept will assist in clarifying the scope of provisions that allow collection, use or disclosure of personal information for the purposes of taking action against persons who have engaged in serious misconduct.  It includes fraud, negligence, default, breach of trust, breach of discipline or any other misconduct in the course of duty.  It is intended that each of these terms will take their ordinary/common law meaning. 

Item 30           Subsection 6(1) (definition of ‘National Privacy Principle’)

Item 30 will repeal the definition of ‘National Privacy Principle’, which will no longer be necessary because the NPPs will be replaced by the APPs.

Item 31           Subsection 6(1)

Item 31 will insert a definition of ‘non-profit organisation’ into subsection 6(1) of the Privacy Act.

The definition is based on the definition of ‘non-profit organisation’ in NPP 10.5, which states that ‘non-profit organisation means a non-profit organisation that has only racial, ethnic, political, religious, philosophical, professional, trade or trade union aims’.  The amendment will update the definition so that the terms ‘racial, ethnic’ are included within ‘cultural’, as well as including ‘recreational’ purposes.

Item 32           Subsection 6(1) (definition of ‘NPP complaint’)

Item 32 will repeal the definition of ‘NPP complaint’, which is no longer necessary because the NPPs will be replaced by the APPs.

Item 33           Subsection 6(1)

Item 33 will insert a definition of ‘overseas recipient’ into subsection 6(1) of the Privacy Act.

The definition will refer to APP 8, which will deal with cross-border disclosure of personal information.  In APP 8.1, an ‘overseas recipient’ is a reference to a person who is not in Australia or an external Territory and is not the entity holding the personal information or the individual who the personal information is about.

Item 34           Subsection 6(1)

Item 34 will insert a definition of ‘permitted general situation’ into subsection 6(1) of the Privacy Act.  The definition refers to the new section 16A (see Item 82) which outlines situations where the collection, use or disclosure by an APP entity of personal information about an individual, or of a government related identifier, will not be a breach of the APPs. 

Item 35           Subsection 6(1)

Item 35 will insert a definition of ‘permitted health situation’ into subsection 6(1) of the Privacy Act.  The definition refers to the new section 16B (see Item 82) which outlines situations where the collection, use or disclosure of certain health information or genetic information, will not be a breach of the APPs. 

Item 36           Subsection 6(1) (definition of ‘personal information’)

Item 36 will update the definition of ‘personal information’ in subsection 6(1) of the Privacy Act.

The new definition will reflect the Government’s acceptance of the ALRC’s recommendation that ‘personal information’ should be defined as ‘information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual’ (ALRC Recommendation 6-1).

The definition in the Privacy Act refers to, ‘information or an opinion (including information or an opinion forming part of a database)’.  The reference to databases, which may have provided clarification in 1988 when the Privacy Act was passed, is no longer necessary and will not appear in the new definition.  It is intended that information forming part of a database will be included in the new definition, even though databases are no longer specifically included in the definition.

The Privacy Act refers to ‘an individual whose identity is apparent, or can reasonably be ascertained’.  The new definition will use the terms ‘identified’ and ‘reasonably identifiable’.  The new definition has been cast in terms of identification of individuals because this language is more consistent with the APEC Privacy Framework and other international instruments, which means that international jurisprudence and explanatory material will be more directly relevant to the Privacy Act.

The new definition will refer to an individual who is, ‘reasonably identifiable’.  Whether an individual can be identified or is reasonably identifiable depends on context and circumstances.  While it may be technically possible for an agency or organisation to identify individuals from information it holds, for example, by linking the information with other information held by it, or another entity, it may be that it is not practically possible.  For example, logistics or legislation may prevent such linkage.  In these circumstances, individuals are not ‘reasonably identifiable’.  Whether an individual is reasonably identifiable from certain information requires a consideration of the cost, difficulty, practicality and likelihood that the information will be linked in such a way as to identify him or her. 

In agreeing with ALRC Recommendation 6-2, the Government encouraged the development and publication of appropriate guidance about the meaning of ‘identified or reasonably identifiable’ in the definition of ‘personal information’ by the OAIC, noting that the decision to provide guidance was a matter for the OAIC.  Guidance issued by the OAIC would play an important role in assisting organisations, agencies and individuals to understand the application of the new definition, especially given the contextual nature of the definition. 

Item 37           Subsection 6(1) (definition of ‘record’)

Item 37 will amend the definition of ‘record’ in subsection 6(1).  In order to allow for technological advances, ‘record’ will be defined inclusively rather than exhaustively.

Item 38           Subsection 6(1) (paragraphs (b) and (c) of the definition of ‘record’)

Item 38 will amend the definition of ‘record’ in subsection 6(1) to include reference to ‘electronic or other device’.  This picks up the Government’s response to ALRC Recommendation 6-6, which is that the definition should encompass a broad range of recorded information, including information held in electronic format.  This change will ensure that the definition is sufficiently flexible to encompass how information will be recorded and stored in the future. 

Item 39           Subsection 6(1) (at the end of the definition of ‘record’)

Item 39 will add a note to the definition of ‘record’ in subsection 6(1).  To promote consistent terminology with other Commonwealth legislation, the note will make it clear that the term ‘document’, as used in the definition of ‘record’, is defined in section 2B of the Acts Interpretation Act.

Item 40           Subsection 6(1)

Item 40 will insert a definition of ‘responsible person’ into subsection 6(1) of the Privacy Act.  The definition will direct the reader to the new section 6AA (see Item 52).

Item 41           Subsection 6(1) (subparagraph (a)(viii) of the definition of ‘sensitive information’)

Item 41 will amend the definition of ‘sensitive information’ in subsection 6(1) to refer to an individual’s sexual ‘orientation’ rather than ‘preferences’.  This minor change is not intended to change the meaning of the definition but will ensure consistency with other Commonwealth, state and territory legislation.



Item 42           Subsection 6(1) (at the end of the definition of ‘sensitive information’)

Item 42 will amend the definition of sensitive information in subsection 6(1) of the Privacy Act by adding references to biometric information and biometric templates.

The inclusion of these two paragraphs will implement the Government’s response to ALRC Recommendation 6-4.  The Government agreed with the ALRC that biometric information had similar attributes to other sensitive information and it was therefore desirable to provide it with a higher level of protection. 

Given the broad nature of what can be considered biometric information, the definition makes it clear that the additional protections only extend to that biometric information which is specifically being collected for the purpose of automated biometric verification or biometric identification. 

Item 43           Subsection 6(1) (definition of ‘solicit’)

Item 43 will repeal the definition of ‘solicit’ in the Privacy Act.  A new definition of ‘solicits’ will be inserted (see Item 44).

Item 44           Subsection 6(1)

Item 44 will insert a new definition of ‘solicits’ into the Privacy Act.

The new definition will be based on the present definition but use the term ‘entity’ consistently with the terminology of the amended Privacy Act. 

Item 45           Subsection 6(1) (definition of ‘use’)

Item 45 will repeal the definition of ‘use’ in subsection 6(1) of the Privacy Act.  The amended Privacy Act will contain a single principle applying to both use and disclosure, rendering this definition unnecessary.  The concept of ‘use’ may still apply to any distinction between use and disclosure under the amended Privacy Act. 

Item 46           Subsection 6(2)

Item 46 will repeal subsection 6(2) of the Privacy Act.

The subsection deals with breaches of the IPPs so will not be necessary in the amended Privacy Act.

Item 47           Paragraph 6(7)(a)

Item 47 will amend paragraph 6(7)(a) of the Privacy Act to refer to an ‘APP’ instead of an ‘IPP’ in the context of a complaint.

Item 48           Paragraph 6(7)(d)

Item 48 will repeal paragraph 6(7)(d) of the Privacy Act.

The paragraph refers to a ‘file number complaint and an NPP complaint’.  With the introduction of the APPs, this paragraph will not be necessary in the amended Privacy Act.  The concept of a complaint being both a ‘file number complaint and an APP complaint’ will be covered under paragraph 6(7)(a) of the Privacy Act. 

Item 49           Paragraph 6(7)(f)

Item 49 will amend paragraph 6(7)(f) of the Privacy Act to refer to an ‘APP’ instead of an ‘NPP’ in the context of a complaint.



Item 50           Subsection 6(10)

Item 50 will amend subsection 6(10) of the Privacy Act to refer to new section 16 instead of section 16E, which is being repealed by Item 82.  The new section 16 confirms that the APPs do not apply to regulate the handling of personal information by an individual where that information is collected, held, used, disclosed or transferred for personal, family or household affairs (that is, done other than in the course of business).  This is consistent with the exemption in subsection 7B(1).

Item 51           Paragraph 6(10)(a)

Item 51 will omit the reference to the Acts Interpretation Act in paragraph 6(10)(a) of the Privacy Act, which refers to de facto partners.

This reference will no longer be necessary, because the amended Privacy Act will contain a definition of ‘de facto partner’ which gives the term the meaning given by the Acts Interpretation Act (see Item 13). 

Item 52           After section 6

Item 52 will amend the Privacy Act by inserting a definition of ‘responsible person’ after section 6.  This definition replaces the definition in NPP 2.5, which contains a list of persons who are responsible for an individual under NPP 2.4.  Some minor revisions have been made for consistency with terminology in other Commonwealth legislation. 

NPP 2.4 provides that a health service may disclose health information about the individual to a person responsible for the individual in certain circumstances.  NPP 2.4 has been replaced by new subsection 16B(5) (see Item 82). 

Item 53           Section 6A (heading)

Item 53 will amend the heading to section 6A of the Privacy Act by referring to a breach of an APP instead of an NPP.

Items 54-59     Subsection 6A

Items 54-59 will amend various parts of section 6A of the Privacy Act by referring to the APPs instead of the NPPs.

Item 60           Subparagraphs 6C(4)(b)(ii) and (iii)

Item 60 will amend subparagraphs 6C(4)(b)(ii) and (iii) of the Privacy Act to remove the references to the transfer of information.

As a result of the changes in terminology from the NPPs to the APPs, reference to the ‘transfer’ of information is unnecessary.  NPP 9 deals with transborder data flows and uses the term ‘transfer’.  However, APP 8, which deals with cross-border disclosure of personal information, uses the term ‘disclosure’.  To ensure that subparagraphs 6C(4)(b)(ii) and (iii) of the Privacy Act accurately reflect matters regulated by the Privacy Act or under State and Territory privacy laws, it is necessary to omit reference to ‘transfer’. 

Item 61           Subsection 6EA(1)

Item 61 will amend subsection 6EA(1) of the Privacy Act by removing the provision that section 16D does not apply to a small business operator if the small business operator chooses to be treated as an organisation and is registered under section 6EA.

This provision will be removed because section 16D, which deals with the delayed application of the NPPs to organisations that carry on one or more small businesses, will also be repealed.



Item 62           Paragraph 6F(3)(b)

Item 62 will amend paragraph 6F(3)(b) of the Privacy Act by removing the reference to the transfer of information.  This is being done for the same reason outlined in Item 60.  To ensure that paragraph 6F(3)(b) of the Privacy Act accurately reflects matters regulated by the Privacy Act, it is necessary to omit reference to ‘transfer’.

Item 63           Paragraph 7(1)(a)

Item 63 will amend paragraph 7(1)(a) of the Privacy Act by removing the term ‘eligible case manager’ (see Item 15).

Item 64           Paragraph 7(1)(cb)

Item 64 will repeal paragraph 7(1)(cb) of the Privacy Act, which deals with acts done by an ‘eligible case manager’ (see Item 15).

Item 65           Paragraphs 7(1)(d) and (e)

Item 65 will amend paragraphs 7(1)(d) and (e) of the Privacy Act by removing the references to an ‘eligible case manager’ (see Item 15).

Item 66           Paragraphs 7(1)(ea) and (eb)

Item 66 will repeal paragraphs 7(1)(ea) and (eb) of the Privacy Act, which deal with the affairs of an ‘eligible case manager’ (see Item 15).

Item 67           Subsection 7(2)

Item 67 will amend subsection 7(2) of the Privacy Act by referring to the APPs instead of the IPPs and the NPPs.

Item 68           Subsection 7B(1) (note)

Item 68 will amend the note to subsection 7B(1) of the Privacy Act by replacing a reference to section 16E of the Privacy Act with a reference to the new section 16, which also addresses the application of the APPs to personal, family and household affairs.  Section 16E is being repealed by Item 82. 

Item 69           Subsections 7B(1) and (2) (notes)

Item 69 will amend the notes to subsections 7B(1) and (2) by referring to the APPs instead of the NPPs.

Items 70 and 71  Paragraph 8(2)(b) and subsection 8(2)

Items 70 and 71 will amend paragraph 8(2)(b) and subsection 8(2) of the Privacy Act by describing an agency as holding a record instead of being a record-keeper in relation to the record.  This amendment will make the provision more consistent with the terminology in the Privacy Act following the repeal of the IPPs and the inclusion of the new APPs.

Item 24 will insert a definition of ‘holds’ into subsection 6(1) of the Privacy Act.  The new definition states that ‘an entity holds personal information if the entity has possession or control of a record that contains the personal information’.  Therefore, it is necessary to amend paragraph 8(2)(b) and subsection 8(2) of the Privacy Act so that an agency that was a record-keeper under the former IPPs in relation to a record can simply be described as an agency holding a record.



Item 72           Section 9

Item 72 will repeal section 9 of the Privacy Act.  Section 9 refers to ‘collectors’ of personal information, which is a term used in the IPPs.  It also deems the act of collection by an employee of an agency, staff member or special member of the Australian Federal Police, or for certain unincorporated bodies assisting or connected with an agency, as collections by those agencies in certain circumstances.

This provision is now unnecessary with the repeal of the IPPs.  Under section 8 of the Privacy Act, acts and practices of employees of these entities, including the collection of personal information, will still be treated as acts and practices of the entities themselves. 

Item 73           Section 10 (heading)

Item 73 will amend the heading to section 10 of the Privacy Act by referring to agencies taken to hold a record rather than record-keepers.

This amendment will make the heading consistent with Item 24, which will insert a definition of ‘holds’ into subsection 6(1) of the Privacy Act.  The new definition states that ‘an entity holds personal information if the entity has possession or control of a record that contains the personal information’, so an agency that is a record-keeper in relation to a record can simply be described as holding the record.  That definition will substantially capture the concept formerly included in section 10 of the Privacy Act relating to record-keepers under the IPPs. 

Item 74           Subsections 10(1) to (3)

Item 74 will repeal subsections 10(1), (2) and (3) of the Privacy Act.

These subsections establish which agencies are record-keepers for the purposes of the Privacy Act.  However, the amended Privacy Act will no longer use the term ‘record-keeper’ (see Item 73) so the subsections will not be necessary.

Item 75           Subsections 10(4) and (5)

Item 75 will amend subsections 10(4) and (5) of the Privacy Act by referring to agencies holding records rather than being ‘record-keepers’ in relation to records.  As with the amendments in Items 24 and 73, this amendment reflects the repeal of the ‘record-keeper’ concept.

Item 76           Section 12

Item 76 will repeal section 12 of the Privacy Act.

Section 12 will no longer be necessary because it provides that the IPPs apply to agencies in possession of personal information.  The APPs, which will replace the IPPs, will not maintain the distinction between possession and control which forms the basis of section 12.

Item 77           Subsection 13B(1) (note)

Item 77 will amend the note to subsection 13B(1) of the Privacy Act by replacing the references to the NPPs with references to the APPs.

Item 78           Subsection 13B(1) (note)

Item 78 will amend the note to subsection 13B(1) of the Privacy Act by replacing the reference to NPP 2 with a reference to APP 6, which will deal with use and disclosure of personal information.



Item 79           Subsection 13B(1A) (note)

Item 79 will amend the note to subsection 13B(1A) of the Privacy Act by replacing the reference to the NPPs with a reference to the APPs.

Item 80           Subsection 13C(1) (note)

Item 80 will amend the note to subsection 13C(1) of the Privacy Act by replacing the references to the NPPs with references to the APPs.

Item 81           Subsection 13C(1) (note)

Item 81 will amend the note to subsection 13C(1) of the Privacy Act by replacing the reference to NPP 2 with a reference to APP 6, which will deal with use and disclosure of personal information.

Item 82           Divisions 2 and 3 of Part III

Item 82 will repeal Divisions 2 and 3 of Part III of the Privacy Act.  These Divisions provide for the application of the IPPs, the NPPs and approved privacy codes.  The IPPs and NPPs will be replaced by the APPs, and so will no longer be necessary.  A new Part IIIB will be inserted into the Privacy Act dealing with privacy codes. 

Item 82 will insert new Divisions 2 and 3 of Part III into the Privacy Act.  The new sections in these Divisions are outlined below.

Section 14 will direct the reader to the APPs in Schedule 1 of the Privacy Act, and provide that a reference in any Act to an APP by a number is a reference to the APP with that number.

Section 15 will provide that APP entities must not do an act, or engage in a practice that breaches an APP.  This requirement replaces the requirement relating to the IPPs and the NPPs in sections 16 and 16A, which are being repealed.

Section 16 will express the same policy as section 16E of the Privacy Act, namely that the APPs will not apply to any dealings with personal information by an individual if the dealing is only for the purposes of, or in connection with, his or her personal, family or household affairs.

Section 16A will create the concept of a ‘permitted general situation’.  This will be a description of a situation that is permitted (ie, not a breach of privacy) in relation to the collection, use or disclosure of personal information by an APP entity in certain circumstances listed in a table.  To come within the ‘permitted general situation’ concept, the table outlines particular entities, the type of information or identifier, and other specified conditions that need to be satisfied. 

Prevention of serious threat to life, health or safety

Item 1 of the table in section 16A will enable an APP entity to collect, use or disclose personal information or a government related identifier in a permitted general situation without breaching the APPs.  

The first condition is that it is unreasonable and impracticable to obtain the individual’s consent to the collection, use or disclosure.  This implements the Government’s response to ALRC Recommendation 25-3 to include an additional safeguard to balance the removal of the ‘imminent’ element (for example, in IPP 10.1(b)).  The ALRC believed that the ‘imminent’ requirement set a disproportionately high bar to the use and disclosure of personal information.

For the purposes of this exception, whether it was ‘reasonable’ to seek consent would include whether it is realistic or appropriate to seek consent.  This might include whether it could be reasonably anticipated that the individual would withhold consent (such as where the individual has threatened to do something to create the serious risk).  It would also likely be unreasonable to seek consent if there is an element of urgency that required quick action.  Whether the individual had, or could be expected to have, capacity to give consent would also be a factor in determining whether it was ‘reasonable’ to seek consent.

Seeking consent would not be ‘practicable’ in a range of contexts.  These could include when the individual’s location is unknown or they cannot be contacted.  If seeking consent would impose a substantial burden then it may not be practicable.  It may also not be practicable to seek consent if the use or disclosure relates to the personal information of a very large number of individuals. 

In assessing whether it is ‘reasonable or practicable’ to seek consent, agencies and organisations could also take into account the potential consequences and nature of the serious threat.

This approach creates a presumption that agencies and organisations should consider seeking consent before using or disclosing personal information in the circumstances set out in the recommendation.  

Secondly, the act or practice will be permitted where the collection, use or disclosure of personal information or a government related identifier is necessary to lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety. 

Unlawful activity

Item 2 of the table in section 16A will enable an APP entity to collect, use or disclose personal information or a government related identifier in a permitted general situation without breaching the APPs. 

This will be where the APP entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to an entity’s functions or activities has been, is being or may be engaged in; and the entity reasonably believes that the collection, use or disclosure of personal information or a government identifier is necessary in order for the entity to take appropriate action in relation to the matter.

The provision, by specifying that the unlawful activity or serious misconduct must relate to an entity’s functions or activities, intends that the exception will apply to an entity’s internal investigations.  Examples of ‘appropriate action’ in this context may include collection, use or disclosure of personal information or a government identifier for an internal investigation in relation to internal fraud or breach of the Australian Public Service Code of Conduct. 

Missing persons

Item 3 of the table in section 16A will enable an APP entity to collect, use or disclose personal information in a permitted general situation without breaching the APPs. 

This will be where the entity reasonably believes that the collection, use or disclosure of personal information is reasonably necessary to assist any APP entity, body or person to locate a person who has been reported as missing, and the collection, use or disclosure complies with rules made by the Information Commissioner under sub-section (2).  This amendment gives effect to the Government’s response to ALRC Recommendation 25-2, where the Government decided that entities should be permitted to use or disclose personal information for the purpose of locating a reported missing person. 

Matters which the Information Commissioner’s rules should address include:

·          that uses and disclosures should only be in response to requests from appropriate bodies with recognised authority for investigating reported missing persons;

·          that, where reasonable and practicable, the individual’s consent should be sought before using or disclosing their personal information;

·          where it is either unreasonable or impracticable to obtain consent from the individual, any use or disclosure should not go against any known wishes of the individual;

·          disclosure of personal information should be limited to that which is necessary to offer ‘proof of life’ or contact information; and

·          agencies and organisations should take reasonable steps to assess whether disclosure would pose a serious threat to any individual.

Consistent with the requirements of the Legislative Instruments Act 2003 (Legislative Instruments Act), the Information Commissioner should consult with relevant stakeholders in making these rules. 

Legal or equitable claim

Item 4 of the table in section 16A will enable an APP entity to collect, use or disclose personal information where it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim.  This is intended to replicate NPP 10.1(e), which provides a similar exception. 

An example of where this exception is intended to apply is where an individual has made a claim under their life insurance policy, and the insurer is preparing to dispute the claim and it needs to collect health or other sensitive information about the claimant and about witnesses in order to prepare its case.

Alternative dispute resolution

Item 5 of the table in section 16A will enable an APP entity to collect, use or disclose personal information where it is reasonably necessary for the purposes of a confidential alternative dispute resolution process.

The confidentiality safeguard included in the provision will limit the scope of the alternative dispute resolution exception and so ensure an additional protection for personal information.

Diplomatic or consular functions

Item 6 of the table in section 16A will enable an agency to collect, use or disclose personal information where that agency believes that the collection, use or disclosure is necessary for its diplomatic or consular functions or activities. 

This is a new exception and is intended to clarify that such agencies can collect, use and disclose such information both within and outside Australia.  Government officials from agencies such as the Department of Foreign Affairs and Trade (DFAT), who are based overseas, regularly collect and disclose to their home agencies in Australia personal information as part of their diplomatic and consular functions.  It would be impractical for DFAT and other agencies to seek the consent of foreign government officials and other individuals, about whom these agencies report to Australia, to collect and disclose their personal information to the Australian Government. 

Similarly, it is necessary for government officials based overseas to report to DFAT in Australia in discharging its consular responsibilities, especially in the event of an overseas crisis where overseas officials are expected to assist Australians.

Defence

Item 7 of the table in section 16A will enable the Defence Force to collect, use or disclose personal information where it reasonably believes that the collection, use or disclosure of that information is necessary for any of the following occurring outside of Australia and the external Territories:

-           war or warlike operations;

-           peacekeeping or peace enforcement; and

-           civil aid, humanitarian assistance, medical or civil emergency or disaster relief.

This is a new exception and is intended to clarify the circumstances where the collection of sensitive information may occur without consent outside Australia, and where personal information generally may be disclosed to an overseas recipient.  The Defence Force undertakes a range of activities in other countries that involve the collection and disclosure of personal information (sometimes in remote and emergency situations) and it is important that there is certainty about its ability to undertake these activities without breaching the APPs. 

Subsection 16A(2)

As noted above, the Information Commissioner may make rules under subsection 16A(2).  This amendment gives effect to the Government’s response to ALRC Recommendation 25-2, where the Government decided that such rules should be binding, and in the form of a legislative instrument.

Section 16B

As noted above, the existing health privacy and research provisions in the Privacy Act have been incorporated in these amendments.  This is implemented through the operation of the APPs, new section 16B and the provisions dealing with guidelines for medical research, health and genetic information in sections 95, 95A and 95AA.

Section 16B will create the concept of a ‘permitted health situation’.  This will be a description of a situation that is permitted (ie, not a breach of privacy) in relation to the collection, use or disclosure of certain health and genetic information by an organisation.  This section is intended to reproduce the exceptions that applied under NPP 2.1(d), 2.1(ea), 2.4, and 10.2-10.3.  APP 6.4 replaces NPP 10.4.

Subsection 16B(1) replaces NPP 10.2 and will continue to allow an organisation to collect health information if the information is necessary to provide a health service to the individual and the collection is required or authorised by or under an Australian law, or where it is collected in accordance with certain rules established by competent health or medical bodies. 

Subsection 16B(2) replaces NPP 10.3 and will continue to allow an organisation to collect health information about an individual for the purpose of research or the compilation of statistics relevant to public health or safety or for the management, funding or monitoring of a health service provided the safeguards included in paragraphs 16B(2)(a), (b), (c) and (d) are satisfied.  These safeguards replicate the existing safeguards in NPP 10.3.  APP 6.4 replaces the requirement in NPP 10.4 for an organisation to de-identify health information collected in accordance with NPP 10.3.

Subsection 16B(3) replaces NPP 2.1(d) and will continue to allow an organisation to use or disclose health information for a secondary purpose if:

-           the use or disclosure is necessary for research, or the compilation or analysis of statistics relevant to public health or public safety,

-           it is impracticable for the organisation to obtain the individual’s consent to the use or disclosure;

-           the use or disclosure is conducted in accordance with guidelines issued by the Information Commissioner under section 95A; and

-           in the case of disclosure - the organisation reasonably believes that the recipient of the information will not disclose the health information or personal information derived from the health information.

Subsection 16B(4) replaces NPP 2.1(ea) and will continue to allow an organisation to use and disclose genetic information about an individual to a genetic relative in circumstances where the genetic information may reveal a serious threat to a genetic relative’s life, health or safety.  Subsection 16B(4) does not include the reference in NPP 2.1(ea) to ‘whether or not the threat is imminent’.  The words were initially included in the provision to make it clear that the limitation in other NPPs that a threat be both serious and imminent did not apply.  This is no longer necessary as the corresponding APPs refer to serious threats rather than serious and imminent threats. 

Subsection 16B(5) replaces NPP 2.4 and will continue to permit disclosure of an individual’s health information by an organisation that provides a health service to a responsible person for an individual in certain circumstances. 

The definition of responsible person will now be included in section 6 (see Item 52).

Section 16C

Section 16C is a key part of the Privacy Act’s new approach to dealing with cross-border data flows.  In general terms, there are currently two internationally accepted approaches to dealing with cross-border data flows: the adequacy approach, adopted by the European Union in the Data Protection Directive of 1996, and the accountability approach, adopted by the APEC Privacy Framework in 2004.  NPP 9 was expressly based on the adequacy approach of the EU Directive.  Under the new reforms, APP 8 and section 16C will introduce an accountability approach more consistent with the APEC Privacy Framework. 

The accountability concept in the APEC Privacy Framework is, in turn, derived from the accountability principle from the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data of 1980.  The OECD Guidelines did not define accountability, being content with a statement that ‘a data controller should be accountable for complying with measures which give effect to the principles’ contained in the Guidelines. 

As part of the new accountability approach, section 16C will provide that an APP entity will be taken to have breached the APPs:

-           if an APP entity discloses personal information about an individual to an overseas recipient,

-           APP 8.1 applies to that disclosure,

-           the APPs do not apply under the Privacy Act to acts done, or practices engaged in, by the overseas recipient in relation to the information, and

-           the overseas recipient does something that would be a breach of the APPs if the APPs had applied to those acts or practices.

The section complements APP 8, which contains key aspects of the accountability approach in the Privacy Act.  Under APP 8.1, there is a positive requirement on entities to take reasonable steps to ensure the recipient will protect the information consistent with the APPs prior to any cross-border transfer occurring.  More information about the operation of APP 8 is included below. 

Item 83           Section 37 (table items 6 and 7)

Item 83 will repeal table items 6 and 7 in section 37 of the Privacy Act, thereby removing the references to eligible case managers (see Item 15).

Item 84           Subsections 54(2) and 57(2) (definition of ‘agency’)

Item 84 will amend subsections 54(2) and 57(2) of the Privacy Act by removing the reference to an ‘eligible case manager’ (see Item 15).

Items 85 and 86         Paragraph 80H(2)(e) and subparagraph 80P(1)(c)(v)

Items 85 and 86 will amend paragraph 80H(2)(e) and subparagraph 80P(1)(c)(v) of the Privacy Act by using the term ‘responsible person’ or ‘responsible persons’ instead of ‘people who are responsible’.  These amendments are required as a consequence of the inclusion of a definition of ‘responsible person’ which will be inserted into the Privacy Act by Items 40 and 52 to replace NPP 2.5.

Item 87           Paragraph 80Q(1)(c)

Item 87 will replace a reference to a person responsible for the individual in paragraph 80Q(1)(c) of the Privacy Act with the term ‘responsible person’ (see Items 85 and 86).

Guidelines for medical research, health and genetic information

As noted above, the existing health privacy and research provisions have been incorporated in these amendments.  There are some consequential amendments to the provisions dealing with guidelines for medical research, health and genetic information in sections 95, 95A and 95AA to reflect the changes made by replacing the references to the IPPs or NPPs with references to the APPs or to new sections, particular APPs or to be consistent with relevant new sections.

Item 88           Subsection 95(1)

Item 88 will amend subsection 95(1) of the Privacy Act by clarifying that section 95 applies to agencies and not organisations.  This preserves the existing operation of this section.   

Items 89-99

These Items make consequential amendments to sections 95, 95A and 95AA.

Item 100         Subsection 95B(1)

Item 100 will amend subsection 95B(1) of the Privacy Act by referring to the APPs instead of the IPPs.

Item 101         Section 95C

Item 101 will amend section 95C of the Privacy Act by referring to the APPs instead of the NPPs.



Item 102         Subsections 100(2) to (4)

Item 102 will repeal subsections 100(2), (3) and (4) of the Privacy Act and substitute two replacement subsections.  These provisions enable the Governor-General to make regulations that prescribe a government related identifier, an organisation, a class of organisations, and circumstances for the purposes of APP 9.3.  These changes are necessary because of the replacement of NPP 7 (identifiers) with APP 9 (adoption, use and disclosure of government related identifiers). 

Consistent with this change, the provisions will apply to ‘government related identifiers’ rather than ‘identifiers’.  As noted in Item 23, ‘government related identifiers’ are specifically assigned by one of a range of specifically listed government-related bodies and used to identify an individual or verify an individual’s identity. 

The regulation making power in subsection 100(2) will be based on the existing subsection 100(2) but will be different in two respects.  First, it will be broadened to enable classes of organisations, as well as individual organisations, to be prescribed.  This approach would still require that the Government clearly articulate the types of organisations that can interact with agency identifiers to provide services which are for the public benefit and for a list of the organisations to be publicly available.  However, it would not require continual updates to regulations to take account of new organisations.

New subsection 100(2) will also extend to State and Territory authorities as well as Commonwealth agencies.  That will mean the Minister, amongst other things, will need to be satisfied that a relevant agency or State or Territory authority (or principal executive of such an agency or authority) has agreed to the matters to be prescribed, and has consulted the Information Commissioner about these matters. 

New subsection 100(2) will also retain the requirement that the Minister is satisfied that the adoption, use or disclosure of the identifier by the organisation, or the class of organisations, in the circumstances can only be for the benefit of the individual to whom the identifier relates. 

Under new subsection 100(3), the requirements in subsection 100(2) will not apply to regulations made in relation to certain uses or disclosures of Commonwealth payroll numbers and in the provision of superannuation services by an organisation to Commonwealth employees.  That is, in making such regulations there does not have to be consultation with each individual agency affected.  However, the Minister will still be required to consult with the Information Commissioner before making such regulations. 

Item 103         Part X

Item 103 will repeal Part X of the Privacy Act, which contains consequential amendments. 

Item 104         Schedules 1 and 3

Item 104 will repeal Schedules 1 and 3 of the Privacy Act, which respectively contain consequential amendments and the NPPs.  The new Schedule 1 will contain the APPs.

Schedule 1—Australian Privacy Principles

Schedule 1 contains the 13 APPs, which are contained in five Parts.  The five Parts are:

Part 1 sets out principles that require APP entities to consider the privacy of personal information, including ensuring that APP entities manage personal information in an open and transparent way.

Part 2 sets out principles that deal with the collection of personal information including unsolicited personal information.

Part 3 sets out principles about how APP entities deal with personal information and government related identifiers. The Part includes principles about the use and disclosure of personal information and those identifiers.

Part 4 sets out principles about the integrity of personal information. The Part includes principles about the quality and security of personal information.

Part 5 sets out principles that deal with requests for access to, and the correction of, personal information.

Part 1—Consideration of personal information privacy

Australian Privacy Principle 1—open and transparent management of personal information

APP 1 requires APP entities to manage personal information in an open and transparent way.  The inclusion of APP 1 will keep the Privacy Act up-to-date with international trends that promote a ‘privacy by design’ approach, that is, ensuring that privacy and data protection compliance is included in the design of information systems from their inception.

APP 1 requires an APP entity to consider how it will handle personal information in compliance with the APPs or a registered APP code.  Under APP 1.2 an APP entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the entity’s functions and activities that will ensure compliance with the APPs or a registered APP code that binds the entity.  These practices, procedures and systems must also enable the entity to deal with inquiries or complaints from individuals. 

The expression ‘such steps as are reasonable in the circumstances’ is intended to be interpreted as being similar in meaning to the term ‘reasonable steps’ used in the NPPs. Specifically, the term requires an objective assessment, and the addition of the words ‘in the circumstances’ is only intended to highlight that when considering what are objectively reasonable steps, the specific circumstances of each case must be considered.

Policies and practices under APP 1.2 could include:

·          training staff and communicating to staff information about the agency or organisation’s policies and practices;

·          establishing procedures to receive and respond to complaints and inquiries;

·          developing information to explain the agency or organisation’s policies and procedures; and

·          establishing procedures to identify and manage privacy risks and compliance issues, including in designing and implementing systems or infrastructure for the collection and handling of personal information by the agency or organisation.

APP 1.3 will require entities to have a clearly expressed and up-to-date privacy policy about the management of personal information by the entity.  An ‘up-to-date’ privacy policy should be a privacy policy that is a ‘living document’ and is reviewed regularly.

Under APP 1.4, these policies must contain certain information relating to the kinds of personal information collected and held; how such information is collected and held; the purposes for which the entity collects, holds, uses and discloses personal information; access and correction procedures; complaint-handling procedures; and information about any cross-border disclosure of personal information that might occur.

Where agencies or organisations have particularly significant information handling practices, these should be included in their privacy policies by clearly setting out how they collect, hold, use and disclose personal information.  For example, where agencies or organisations have specific information retention or destruction obligations, these should be described as a necessary part of how they handle personal information.

Under APP 1.5, APP entities must take such steps as are reasonable in the circumstances to make their privacy policies available to the public free of charge, and in such form as is appropriate.  As noted at the foot of APP 1.5, an APP entity will usually make its privacy policies available on its website.  The inclusion of this note implements recommendation 6 of the Senate Committee, which considered that the requirement for an entity to make its privacy policy available in ‘such form as is appropriate’ should be further clarified. 

Under APP 1.6, if a person or body requests a copy of the APP privacy policy of an APP entity in a particular form, the entity must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.  The inclusion of a ‘body’ picks up a suggestion of the Senate Committee, which considered that the intent of the provision should be clarified so that entities other than individuals (for example, media organisations) should be able to request a copy of the policy. 

Australian Privacy Principle 2—anonymity and pseudonymity

APP 2 provides that individuals must have the option of dealing with an agency or organisation anonymously or through use of a pseudonym in relation to a particular matter.  The principle emphasises that it is often not necessary for an entity to identify the individuals with whom they are dealing.  The privacy of individuals will be enhanced if their personal information is not collected unnecessarily.

An APP entity will not be required to comply with APP 2 where that entity is required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves.  This is likely to be applicable in certain instances for agencies.  For example, if individuals are required under an Australian law to identify themselves to an agency, then it will not be lawful or practical for the agency to deal with them anonymously or pseudonymously.

An APP entity will also not be required to comply with APP 2 where it is impracticable for the APP entity to deal with individuals who have not identified themselves (ie where an individual seeks to remain anonymous or uses a pseudonym).  For example, if a service delivery agency cannot deal with an individual without identification (for example, in collecting personal information for an application for a benefit), that agency would not be required to allow that individual to have the option of anonymity when dealing with them on that particular matter.  A similar instance would be where a law enforcement agency is investigating a criminal offence and requires a person’s identity to assist in that investigation.  There may also be circumstances where the nature of a business and the service provided by an organisation is not compatible with providing the option to interact anonymously.

Australian Privacy Principle 3—collection of solicited personal information

APP 3 outlines the rules applying to the collection of personal information and sensitive information. 

In terms of personal information other than sensitive information, there will be separate conditions for the collection of solicited personal information by agencies and organisations.  This addresses concerns raised by the Senate Committee about whether organisations should be able to collect personal information in the same manner as agencies (ie where collection is ‘directly related to’ one or more of the entity’s functions and activities).  The Senate Committee believed that this approach may lower privacy protections and did not support it. 

In relation to the requirement that an entity must not collect personal information unless it is reasonably necessary for the entity’s functions or activities, this is intended to operate objectively and practically in the following manner. 

First, the information collected is reasonably necessary to pursue that function or activity.  Whether the collection is reasonably necessary is to be assessed from the perspective of a reasonable person (not merely from the perspective of the collecting entity).  An entity’s functions or activities are only those functions or activities that are legitimate for that type of entity.  by legislation .

If an agency or organisation cannot, in practice, effectively pursue a legitimate function or activity without collecting personal information, then the collection of that personal information would be regarded as necessary for that legitimate function or activity.  Where a reasonable person would not regard the function or activity in question as legitimate for that type of entity, the collection of personal information will not be ‘reasonably necessary’ even if the entity cannot effectively pursue that function or activity without collecting the personal information.  An agency or organisation should not collect personal information on the off-chance that it may become necessary for one of its functions or activities in the future, or that it may be merely helpful.

The interpretation of the ‘reasonably necessary’ test applies throughout the APPs and not just in relation to APP 3. 

Under APP 3.1, an agency must not collect personal information unless the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities. 

The ‘directly related to’ test ensures that there must be a clear connection between the collection of personal information and the agency's functions or activities.  The ‘directly related to’ test was contained in IPP 1, which applied to agencies.  The test will be retained in APP 3 because there may be agencies that need to collect solicited personal information in order to carry out legitimate and defined functions or activities, but may not be able to meet the ‘reasonably necessary’ test.  While the ‘directly related to’ test may, depending on the circumstances, be a slightly lower threshold, agencies are subject to a wider range of accountability mechanisms (for example, through the Ombudsman, Ministers and the Parliament) in relation to information that they handle. 

Under APP 3.2, an organisation must not collect personal information unless the information is reasonably necessary for one or more of the organisation’s functions or activities.  As noted above, the inclusion of the ‘reasonably necessary’ test for organisations implements the views of the Senate Committee.

APP 3.3 will provide for the collection of ‘sensitive information’, which is a subset of personal information.  The definition of sensitive information is in subsection 6(1) of the Privacy Act.  As noted above, that definition now applies to agencies, and includes biometric information and biometric templates.  The general rule is that sensitive information can only be collected by agencies or organisations where the collection meets the criteria outlined in APP 3.1 and APP 3.2 and where the individual has consented to the collection.

However, APP 3.4 will provide for exceptions to this general rule.  These have been included to enable the collection of sensitive information without consent where it is in the public interest to do so when balanced with the interest in protecting an individual’s privacy.  These exceptions are outlined in detail below.

APP 3.4(a) Where required or authorised by or under Australian law or a court/tribunal order

This exception is intended to allow an APP entity to collect sensitive information without consent where it is required or authorised by or under Australian law or a court/tribunal order.  An example of this involving sensitive information would be section 261AA of the Migration Act, which provides that a non-citizen in immigration detention must (other than in the prescribed circumstances) provide to an authorised officer one or more personal identifiers.

APP 3.4(b)  Permitted general situations

See discussion about this exception at Item 82, section 16A. 

APP 3.4(c)  Permitted health situation

See discussion about this exception at Item 82, section 16B.

APP 3.4(d)  Enforcement bodies

This exception is intended to allow an enforcement body (other than the Immigration Department), to collect sensitive information without consent where it reasonably believes that the collection is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities.  The definition of ‘enforcement body’ is in subsection 6(1) of the Privacy Act. 

Where the enforcement body is the Immigration Department, it will be able to collect sensitive information without consent where it reasonably believes that the collection is reasonably necessary for, or directly related to, one or more ‘enforcement related activities’ conducted by that Department.

The first part of this exception is necessary to enable agencies with law enforcement functions and activities to be able to collect sensitive information without consent to perform their lawful and legitimate functions and activities.  There is a strong public interest in enabling law enforcement agencies to enforce the criminal law.  A major part of this important function is the ability to collect information about individuals.  An additional safeguard is that these agencies are also subject to significant accountability and oversight arrangements over their activities. 

The second part of this exception is necessary to enable the Immigration Department to collect sensitive information without consent to perform their lawful and legitimate enforcement related activities.  This Department has a wide range of enforcement related activities such as detecting, preventing, investigating and prosecuting breaches of visa, immigration and citizenship law; preventing and reducing irregular migration, people smuggling and trafficking in persons; collecting information to assess the criminal history of applicants for Australian citizenship; and cooperation with other agencies, including information-sharing, for law enforcement and border security purposes, and the protection of the public revenue. 

However, the Immigration Department has a wider range of non-enforcement functions and activities than other enforcement bodies, and there is less justification for allowing those to come within the scope of this exception.  Accordingly, the exception has been limited to where the Immigration Department reasonably believes that the collection is reasonably necessary for, or directly related to, one or more ‘enforcement related activities’ conducted by that Department. 

APP 3.4(e)  Non-profit organisations

This exception is similar to NPP 10.1(d) and enables a non-profit organisation to collect sensitive information without consent if it relates to the activities of the organisation, and the information relates solely to the members of the organisation, or to individuals who have regular contact with the organisation in connection with its activities. 

Means of collection

APP 3.5 provides that an APP entity must collect personal information only by lawful and fair means.  This is based on NPP 1.2.  It is an important safeguard to ensure that personal information can only be collected by lawful and fair means. The OAIC has interpreted ‘fair’ to mean without intimidation or deception.  The concept of fair would also extend to the obligation not to use means that are unreasonably intrusive.

APP 3.6 provides that an APP entity must collect personal information about an individual only from the individual.  However, there are two exceptions to this general rule.  

First, an agency may collect from a third party where the individual has consented to that collection; or where it is authorised or required under Australian law, or a court/tribunal order.  In the context of dealings with government agencies, the ability for an individual to consent would minimise the need for that individual to provide the same personal information to different agencies.  This will assist in giving effect to the Government’s ‘tell us once’ service delivery reform policy. 

Secondly, an APP entity may collect from a third party where it is unreasonable or impractical to collect that personal information directly from the individual.  This is a particularly important exception for agencies.  For example, a law enforcement agency may be investigating an individual for a criminal offence, but could prejudice that investigation by being forced to seek particular information directly from the individual.  This exception will allow that long-standing type of activity to continue without breaching APP 3.

Solicited personal information

APP 3.7 provides that APP 3 applies to the collection of personal information that is solicited by an APP entity.  As noted above, the concept of soliciting personal information refers to the situation where an entity requests another entity (which includes an individual) to provide the personal information, or to provide a kind of information in which that personal information is included.  If an entity has not requested the personal information, but only received it from another entity (including where, for example, a law enforcement agency has asked another agency to examine the personal information), that will not be a solicited collection covered by APP 3.  However, as noted below, where personal information is unsolicited, it will still be required to be handled in accordance with other relevant APPs, if it is not destroyed or de-identified.

Australian Privacy Principle 4—dealing with unsolicited personal information

APP 4 will ensure that personal information that is received by an entity is still afforded privacy protections, even where the entity has done nothing to solicit the information. 

Under APP 4.1, where unsolicited personal information is received by an APP entity, the entity must, within a reasonable period, determine whether it could have collected the information under APP 3 as if it had solicited the information.  If it could have been collected, APPs 5 to 13 will apply to that information as if it had been solicited.

To enable the APP entity to determine whether it could have collected the information, APP 4.2 allows that entity to use or disclose the personal information for that limited purpose.

APP 4.3 provides that, if the APP entity could not have collected the information, and if the information is not contained in a Commonwealth record, the entity must take steps to destroy the information or ensure that it is no longer personal information (for example, by taking steps to remove any reference to the individual to whom the information relates).  Information will no longer be personal information when it does not satisfy the definition of ‘personal information’ in section 6 of the Privacy Act.  The compliance burden entailed by APP 4 will be eased by the provision that the entity must destroy the personal information ‘as soon as practicable’.

The reference in APP 4.3 to information ‘contained in a Commonwealth record’ ensures that the requirements on agencies to retain such information under the Archives Act will override the APP 4 destruction or de-identification requirements.

APP 4.3 contains the important qualifier ‘only if it is lawful and reasonable to do so’.  An example of where this would be applicable is where an APP entity has received unsolicited personal information from a law enforcement agency to assist that agency in its investigations.  If the APP entity decides that it could not have collected the information, it would normally have to destroy it in accordance with APP 4.3.  However, it would not be ‘lawful and reasonable’ to destroy such information until the assistance that the entity has given to the law enforcement agency has ended.  

Under APP 4.4, if the APP entity cannot destroy or de-identify the information under APP 4.3 (because the information is contained in a Commonwealth record or because it would not be lawful and reasonable to do so), it must still handle the personal information in accordance with APPs 5 to 13.  This will ensure that the information will be accorded the same privacy protections as any other personal information being held by the entity.  

It is not the intention of APP 4 to prevent the practice of agencies forwarding incorrectly addressed correspondence.  As noted in responses to the Senate Committee, the receipt of correspondence by Ministers, Members of Parliament and government departments and agencies would, in normal circumstances, be unsolicited.  Under APP 4, these entities must, within a reasonable period after receiving the information, determine whether the unsolicited personal information could have been collected under APP 3 if the entity had solicited the information.  It is clear that, in some circumstances, where considering and responding to concerns of members of the public, and referring them to appropriate recipients, are legitimate functions of the entity, the unsolicited information could have been collected under APP 3.  Once an entity has determined that the personal information could have been collected under APP 3, it would be possible for the entity to use or disclose the information under APP 6.

Under APP 6, disclosure to another Minister or government department would be permitted where the individual has consented to the use and disclosure. Consent may be implied if it may reasonably be inferred in the circumstances from the conduct of the individual.  Disclosure would also be permitted under APP 6 where the disclosure is related to the primary purpose of collection (or directly related, if the information is sensitive information), and the disclosure is within the individual’s reasonable expectations.  As the individual has written with queries, views or representations on particular issues, it is within their reasonable expectation that their correspondence will be referred to the appropriate entity within parliament or government. 



Australian Privacy Principle 5—notification of the collection of personal information

APP 5 sets out the obligation for an entity to ensure that an individual is aware of certain matters when it collects that individual’s personal information.  Generally, the individual must be made aware of how and why personal information is, or will be, collected and how the entity will deal with that personal information. 

APP 5.1 creates the general requirement for an APP entity to provide notification.  That must occur at or before the time or, if that is not practicable, as soon as practicable after the APP entity collects personal information about an individual.  At that time (whichever is relevant), the APP entity must take such steps (if any) as are reasonable in the circumstances to notify the individual of such matters referred to in APP 5.2 as are reasonable in the circumstances or otherwise ensure that the individual is aware of any such matters. 

The phrase ‘reasonable in the circumstances’ is an objective test that ensures that the specific circumstances of each case have to be considered when determining the reasonableness of the steps in question.  This flexibility is necessary given the different types of APP entities and functions/activities that are to be regulated under the APPs.  In many cases, it would be reasonable in the circumstances for an APP entity to provide the information outlined in APP 5.2. 

However, for agencies with particular functions and activities, this may not be the case.  For example, it would not be reasonable in the circumstances for a law enforcement agency to notify an individual, who is under investigation for a criminal offence, particularly where that agency is undertaking covert surveillance, that information is being collected about them. 

APP 5.2 lists specific matters of which the individual must be notified.  This is based on IPP 2 and NPP 1.3 and, coupled with APP 1, is intended to give the individual detailed and enhanced information about how their personal information is to be handled by an APP entity.  This information includes contact details of the APP entity; whether information has been collected from a third party or under an Australian law or court/tribunal order (and details about that collection); the purpose of the collection; complaint-handling and access/correction information in the APP entity’s privacy policy; disclosure information, including to overseas recipients, and the consequences of not collecting the information. 

Part 3—Dealing with personal information

Australian Privacy Principle 6—use or disclosure of personal information

APP 6 sets out the circumstances in which entities may use or disclose personal information that has been collected or received.  This APP is based on IPPs 10 and 11, and NPPs 2 and 10.  As with those principles, it is implicit from the principle that entities may use or disclose personal information for the primary purpose for which the information was collected.  This is outlined in general in APP 6.1, which creates the general prohibition on secondary disclosure. 

The provision allows for a situation where there is a general primary purpose (for example, assessing a person’s suitability to enter Australia).  How broadly the primary purpose can be described will need to be determined on a case-by-case basis and it will depend on the circumstances. 

The Government anticipates that the OAIC will develop specific guidance about the meaning of ‘primary purpose’ in consultation with agencies and organisations.

Generally, personal information must only be used or disclosed for purposes other than the primary purpose, that is, for a secondary purpose, if the relevant individual has consented, or exceptions in APP 6.2 and 6.3 apply.  These exceptions list a number of specific circumstances in which allowing secondary disclosure is in the public interest when balanced with the interest in protecting an individual’s privacy. 

The exceptions will apply to sensitive information as well as to other personal information.  In the particular case where the individual would reasonably expect the entity to use or disclose the information for the secondary purpose:

  • for sensitive information, the use or disclosure must be directly related to the primary purpose;
  • for personal information which is not sensitive information, the use or disclosure must be related to the primary purpose.

As with APP 3, there are a number of exceptions enabling the use or disclosure of personal and sensitive information where ‘required or authorised by or under Australian law or a court/tribunal order’; in permitted general situations (section 16A); in permitted health situations (section 16B); and where an ‘APP entity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body’.  The final exception is aimed at enabling any APP entity to cooperate with an enforcement body where it may have personal information relevant to an enforcement related activity of that enforcement body.

APP 6.3 will provide that an agency will be allowed to disclose biometric information or templates if the recipient is an enforcement body and the disclosure is conducted in accordance with the guidelines made by the Commissioner.  This approach recognises that non-law enforcement agencies have current, and will have future, legitimate reasons to disclose biometric information and templates to enforcement bodies.  A practical example of the effect of this option would be to enable, consistent with the Commissioner’s guidelines, the automatic provision of biometric information and templates by a non-enforcement agency into a database operated by an enforcement body.  This is currently a gap in the enforcement related activity exception in the Privacy Act that prevents this increasing activity from occurring.  The privacy safeguard for this new proposal is that the activity in question would be subject to ongoing oversight by the Information Commissioner through guidelines; this recognises that there are likely to be continuing developments in the use of biometric information and templates, and ongoing questions about the appropriate use of this evolving technology. 

APP 6.4 provides that, if an APP entity collects health information about an individual for certain research purposes under subsection 16B(2), that entity must take such steps as are reasonable in the circumstances to de-identify that information before it uses or discloses the information under APP 6.1 or 6.2.  This reproduces the requirement in NPP 10.4.

APP 6.5 will provide that if an entity uses or discloses personal information because it is reasonably necessary for an enforcement related activity, the entity must make a written note of the use or disclosure.  The requirement is based on NPP 2.2 and aims to ensure accountability for such disclosures, but will not be extended to other exceptions to the rule against use or disclosure for a secondary purpose because of the compliance burden it would impose on entities.

APP 6.6 will provide that if a corporation collects personal information and passes it on to a related corporation, the related corporation will be taken to have collected the personal information for the same primary purpose as the first corporation.  This will ensure that, unless one of the exceptions listed in APP 6 applies, the related corporation will have to obtain the individual’s consent before using or disclosing his or her personal information for a secondary purpose.

APP 6.7 provides that APP 6 will not apply to the use or disclosure of personal information for the purposes of direct marketing or to government related identifiers because these matters are dealt with elsewhere in the APPs.

Australian Privacy Principle 7—direct marketing

Direct marketing involves communicating directly with a consumer to promote the sale of goods and services to the consumer.  The direct marketing communication could be delivered by a range of methods including mail, telephone, email or SMS.  Direct marketers compile lists of consumers and their contact details from a wide variety of sources, including public records, the white pages, the electoral roll, registers of births, deaths and marriages and land title registers.  They also include membership lists of business, professional and trade organisations, survey returns and mail order purchases.

Direct marketing is addressed separately within a discrete principle rather than as a kind of secondary purpose (see APP 6) because of the significant community interest about the use and disclosure of personal information for the purposes of direct marketing.

APP 7 will prohibit direct marketing by organisations. 

Agencies will generally be exempt from the prohibition as it would impact on their ability to communicate legitimate and important information to individuals.  However, a note to APP 7.1 draws attention to section 7A of the Privacy Act, which provides that an act or practice of an agency may be treated as an act or practice of an organisation if the agency engages in commercial activities.  This means that the prohibition against direct marketing will also apply to agencies engaging in commercial activities.

APP 7 contains a distinction between individuals, such as existing or previous customers, who have been in contact with an organisation, and those who have not.  However, the principle will not use terms such as ‘customer’ or ‘non-customer’.  Instead, it will capture the distinction by referring to individuals from whom an organisation has collected information and individuals from whom it has not.  The intention is to apply more stringent obligations when using personal information of non-existing customers as the individual is less likely to expect their information to be used or disclosed for direct marketing purposes.

APPs 7.2 to 7.5 list exceptions to the rule against direct marketing.  Under APP 7.2, an organisation may use or disclose personal information (other than sensitive information) for direct marketing if: the organisation collected the information from the individual; the individual would reasonably expect the organisation to use the information for direct marketing; the organisation has provided a simple means by which the individual can request not to receive direct marketing; and the individual has not availed him or herself of this means.

This exception will reflect the policy of requiring organisations to allow consumers to opt out of direct marketing.  An opt-out rather than opt-in requirement is appropriate where the individual has provided the information to the organisation.

In the circumstances where the organisation has not obtained personal information from the individual, then opt-out still applies but there are additional requirements with respect to ensuring the individual is informed of their rights and how to exercise these rights. 

Under APP 7.3, in cases where the individual would not reasonably expect his or her personal information to be used for direct marketing or the information has been collected from a third party (so that, again, the individual would not reasonably expect to receive direct marketing from the organisation), the exception to the rule against direct marketing will be narrower.  Under this provision, an organisation may use or disclose that information for direct marketing only if: the individual has consented (or it is impracticable to obtain consent); the organisation has provided the means to opt out and the individual has not opted out; and in each direct marketing communication the organisation tells the individual that he or she may request to no longer receive direct marketing, and no such request has been made.

Under APP 7.4, where an individual has provided sensitive information to an organisation, it will be necessary for the organisation to obtain the individual’s consent before using that information for direct marketing purposes.  There will be no provision that consent need not be obtained if doing so is impossible or impracticable, and it will not matter whether or not the individual and organisation have a pre-existing relationship.

Under APP 7.5, a contracted service provider for a Commonwealth contract may use or disclose personal information for the purposes of direct marketing if doing so meets an obligation under the contract.  This provision will extend the general exemption of agencies from the rule against direct marketing to parties working for or on behalf of an agency.

APP 7.6 will provide that individuals may ask organisations who hold their personal information to stop sending direct marketing or to not disclose their personal information to other organisations for the purposes of direct marketing.  They may also ask organisations to disclose their source of the information.  Organisations must comply with such requests free of charge within a reasonable period.  They need not comply with requests to disclose the source of information if it is impracticable or unreasonable to do so.  The ‘reasonable period’ provisions will ease the compliance burden on organisations.

APP 7.6 applies to organisations that either use or disclose personal information for the purposes of direct marketing, or for the purpose of facilitating direct marketing by other organisations.

APP 7.6(b) will capture organisations that collect personal information for the purpose of providing that information to another organisation to facilitate direct marketing by that other organisation.  For example, this will include a situation where a company has personal information that it provides to a retailer, and the retailer then uses that personal information for the purpose of directly marketing its products.

However, it is not intended that APP 7.6(b) will apply to organisations such as mailing houses that are utilised by a first organisation to simply send out direct marketing material for those companies.  If those types of service providers are APP entities, their handling of personal information would be subject to the APPs.  This is distinct from the situation where an entity carries out direct marketing on behalf of the first organisation by, for example, actually conducting the door-to-door direct marketing on behalf of the first organisation.

APP 7.8 will provide that instruments such as the Spam Act 2003, which contain specific provisions regarding direct marketing, will displace the more general provisions under the principle.  Thus APP 7 will be displaced where another Act specifically provides for a particular type of direct marketing or direct marketing by a particular technology, but will apply to organisations involved in direct marketing relating to electronic messages and other acts and practices not covered by such instruments.

Australian Privacy Principle 8—cross-border disclosure of personal information

APP 8 sets out a requirement for an APP entity that chooses to disclose personal information to overseas recipients to take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs.  Along with section 16C, this APP implements the new accountability approach to cross-border disclosure of personal information.  This is reinforced in the note at the foot of APP 8.1, which refers to section 16C (which will provide that in certain circumstances, an act done, or a practice engaged in, by an overseas recipient can be taken to be a breach of the APPs by the entity which disclosed the personal information to the overseas recipient).

The principle will aim to permit cross-border disclosure of personal information and ensure that any personal information disclosed is still treated in accordance with the Privacy Act.  This is a change from NPP 9, which prohibits cross-border disclosure, subject to some exceptions.  The principle will apply to agencies as well as organisations, which is also a significant difference from the existing Act.

Although APP 8 explicitly adopts the term ‘disclosure’ rather than ‘transfer’, APP 8 (and related provisions) would not apply to the overseas movement of personal information if that movement is an internal use by the entity, rather than a disclosure.  APP 8 will apply where an organisation sends personal information to a ‘related body corporate’ located outside Australia.

It is not intended to apply where personal information is routed through servers that may be outside Australia.  However, entities will need to take a risk management approach to ensure that personal information routed overseas is not accessed by third parties.  If the information is accessed by third parties, this will be a disclosure subject to APP 8 (among other principles).

In terms of the reach of APP 8, the chain of accountability for APP entities would not be broken simply because the overseas entity engaged a subcontractor.  For example, the requirements of APP 8 will still apply where an organisation contracts a function to an overseas entity (thereby making a cross-border disclosure), and that overseas entity then engages a subcontractor.

In practice, the concept of taking ‘such steps as are reasonable in the circumstances’ will normally require an entity to enter into a contractual relationship with the overseas recipient.

The general requirement to take reasonable steps to ensure compliance will be qualified by a number of exceptions:

  • When the entity has a reasonable belief that the overseas recipient is subject to legal or binding obligations to protect information in at least a substantially similar way to the protection provided by the APPs, the requirement will not apply.  For this exception to apply, there must be accessible mechanisms which allow the individual to enforce those protection obligations.

The ‘reasonable belief’ test will allow entities to make decisions based on the information available to them and the context of a particular disclosure.  The term ‘substantially similar’ will not be defined, and provides flexibility in considering the regulatory elements of the overseas jurisdiction.  The term ‘at least’ will be used to ensure that stricter obligations than the APPs will still be compliant.

It is not essential that the overseas jurisdiction have an office equivalent to the OAIC in order to provide accessible enforcement mechanisms.  It should be possible for a range of dispute resolution or complaint handling models to satisfy this requirement.  Effective enforcement mechanisms may be expressly included in a law or binding scheme or may take effect through the operation of cross-border enforcement arrangements between the OAIC and an appropriate regulatory authority in the foreign jurisdiction. 

  • The requirement will not apply when an individual consents to the cross-border disclosure, after the entity informs the individual that the consequence of giving their consent is that the requirement in APP 8.1 will not apply.

To reduce the compliance burden, this exception should not mean that consent is required before every proposed cross-border disclosure.  Rather, it will apply where an individual has the explicit option of not consenting to certain disclosures which may include cross-border disclosures.  In addition, an APP entity is required to give individuals notification about other entities to which the APP entity usually discloses personal information of the kind collected by the entity (APP 5.2(f)), and whether the APP entity is likely to disclose the personal information to overseas recipients (APP 5.2(i)).

  • When the disclosure is required or authorised by or under law, the requirement will not apply.
  • When some (but not all) permitted general situations exist (see Item 82), the requirement will not apply.
  • When the disclosure is required or authorised by or under an international agreement relating to information sharing, the requirement will not apply if the entity is an agency and Australia is a party to the agreement.  This is intended to include all forms of information-sharing agreements made between an Australian and an international counterpart (for example, treaties, exchange of letters).
  • When the entity is an agency, the requirement will not apply if the agency reasonably believes that the disclosure is reasonably necessary for enforcement related activities by, or on behalf of, an enforcement body and the overseas recipient’s functions or powers are similar to those of an enforcement body.  This is intended to enable an enforcement body to cooperate with international counterparts for enforcement related activities. 

Australian Privacy Principle 9—adoption, use or disclosure of government related identifiers

The amended Act will include a definition of ‘government related identifier’ (see Item 23).  Since government related identifiers are generally highly reliable for verification and identification of individuals, their use and disclosure will be addressed by more specific guidelines than the general ‘use and disclosure’ principle in APP 6.

APP 9 will regulate the adoption, use or disclosure of government related identifiers by organisations.

The principle will aim to restrict general use of government related identifiers by the private sector so that government related identifiers do not become universal identifiers, as well as to prevent data-matching by organisations facilitated by the use and disclosure of those identifiers.

The principle will prohibit an organisation from adopting a government related identifier to identify an individual unless that adoption is required or authorised by or under law or allowed under the regulations. The principle will also prohibit an organisation from using or disclosing a government related identifier unless that use or disclosure falls within one of a list of specified exceptions. APP 9.2 will provide for exceptions relating to use or disclosure:

  • where it is reasonably necessary to verify the identity of an individual for an organisation’s activities or functions;
  • where it is reasonably necessary to fulfil an organisation’s obligations to an agency or State or Territory authority;
  • where it is required or authorised by or under an Australian law, or a court/tribunal order;
  • where some (but not all) permitted general situations exist (see Item 82);
  • where an organisation reasonably believes it is reasonably necessary for enforcement related activities by, or on behalf of, an enforcement body; and
  • where it is allowed under the regulations.

These exceptions will recognise that balanced against the aims of the principle discussed above, there may be circumstances where use or disclosure of a government related identifier by an organisation may be necessary for public purposes or present a clear benefit to the individual.  An example is to allow contracted service providers to use or disclose a government related identifier if necessary for the performance of a Commonwealth contract. The use of ‘reasonably necessary’ in a number of the exceptions will ensure that an objective test is applied.

The principle will allow for regulations to prescribe classes of organisations which may fall within the exception to the general prohibition on adoption, use and disclosure of government related identifiers.  Allowing the regulations to prescribe classes of organisations is intended to reduce delays which may be caused by the requirement in the NPPs that individual organisations be prescribed.  It will also reduce the need for continual updates to regulations, while still requiring clear articulation of the types of organisations that can interact with government related identifiers.

Part 4—Integrity of personal information

Australian Privacy Principle 10—quality of personal information

APP 10 sets out the obligation for an APP entity to take steps (if any) as are reasonable in the circumstances to ensure that the personal information it collects, uses and discloses meets certain quality requirements.

APP 10 is intended to ensure that personal information is accurate, up-to-date and complete. In relation to use and disclosure, the personal information should also be relevant and of a quality appropriate to the purposes of that use or disclosure.  This will require entities to assess the relevance of personal information against the particular reason for its use or disclosure and only share so much of the personal information they hold as is relevant to that purpose.  The quality assessment of personal information should occur at the time of collection, at the time of use and at the time of disclosure.

The requirements in APP 10.1 and 10.2 to ‘take steps (if any) as are reasonable in the circumstances’ will raise particular issues for information that might be out-of-date.  For agencies, out-of-date information may become relevant for future activities (for example, prosecution of an individual for a criminal offence).  In these circumstances, it may not be reasonable to update information, if it may, in its preserved form continue to be relevant into the future for a legitimate function or activity of the APP entity. 



Australian Privacy Principle 11—security of personal information

APP 11 sets out an APP entity’s obligations relating to the protection and destruction of personal information it holds.

The principle will require an entity to take such steps as are reasonable in the circumstances to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.  This should involve active measures by an entity to ensure the security of personal information.

The inclusion of ‘interference’ in APP 11 is intended to recognise that attacks on personal information may not be limited to misuse or loss, but may also interfere with the information in a way that does not amount to a modification of the content of the information (such as attacks on computer systems).  This element may require additional measures to be taken to protect against computer attacks and other interferences of this nature, but the requirement is conditional on steps being ‘reasonable in the circumstances’.  Practical measures by entities to protect against interference of this nature are becoming more commonplace.  The use of the term ‘interference’, which focuses on the result of the activity rather than the means used to achieve that result, ensures that the technologically neutral approach to the APPs is retained.

If an entity no longer needs personal information for any purpose for which it may be used or disclosed under the APPs, and if the information is not contained in a Commonwealth record or legally required to be retained by the entity, the principle will require that the entity destroy the information or ensure that it no longer meets the Privacy Act’s amended definition of ‘personal information’. This would require the entity to permanently remove from a record any information by which an individual may be identified, in order to prevent future re-identification from available data.  Destruction should be proportional to the form of the record.

The principle will be flexible, in that the circumstances of each entity will determine when any personal information it holds is no longer necessary for any permitted purpose. The principle will in effect impose an obligation on entities to justify their retention of personal information.

Part 5—Access to, and correction of, personal information

Australian Privacy Principle 12—access to personal information

APP 12 provides that individuals must be granted access to personal information held about them by an APP entity upon request by the individual, subject to specific exceptions.

The principle will create separate exceptions for access to personal information held by agencies and organisations. This will reflect the responsibilities that agencies have under other Commonwealth legislation in relation to access to information, such as the Freedom of Information Act 1982 (FOI Act).  The right to access an individual’s personal information held by an agency was also included in IPP 6.  However, the FOI Act was treated as the principal avenue by which individuals were encouraged to seek access to the personal information.  It is intended that the FOI Act should continue to be the primary legislative vehicle by which individuals can seek access to their personal information where it is contained in documents held by agencies. 

The ALRC’s recommendations which relate to including an enforceable right of access to, and correction of, an individual’s own personal information in the Privacy Act (rather than maintaining the right through the FOI Act) will be considered at a later date. 

In relation to organisations, APP 12.3 will create a number of exceptions which largely replicate NPP 6.1. The principle will combine the two ‘serious threat’ exceptions to remove the requirement that a threat be ‘imminent’, creating consistency with other sections of the Privacy Act (see Item 82).

The other exceptions relate to where:

  • access would have an unreasonable impact on the privacy of other individuals;
  • the request is frivolous or vexatious;
  • the information relates to existing or anticipated legal proceedings between the entity and the individual, and would not be accessible by the process of discovery in those proceedings;
  • giving access would reveal the intentions of the entity in relation to negotiations with the individual in such a way as to prejudice those negotiations.  This is intended to operate the same way as current NPP 6.1(f).  An entity would not have to provide access to an individual’s information if it would show the organisation’s intentions and would prejudice or interfere in a negative way in the organisation’s negotiations with the individual (including where the negotiations are yet to commence but are reasonably anticipated);
  • giving access would be unlawful, or denying access is required or authorised by or under an Australian law or a court/tribunal order;
  • the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, or is being or may be engaged in, and giving access would be likely to prejudice the taking of appropriate action in relation to the matter;
  • access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
  • access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision-making process.

If an APP entity refuses to give an individual access to their personal information due to one of the exceptions, or in the manner requested, APP 12.5 will require the entity to take such steps (if any) as are reasonable in the circumstances to give access in a way that meets the needs of the individual and the entity.  This will ensure that entities work with individuals to try to satisfy their request.

Under APP 12.4, there are requirements for responding to the request within a certain timeframe and giving access to the information in the manner requested, if reasonable and practicable to do so.  Organisations must respond to a request for access to personal information within a reasonable period after the request is made.  It is intended that a ‘reasonable period’ under APP 12.4 relating to more complicated requests will not usually exceed 30 days.

The principle will provide for the possibility of alternative access through the use of a mutually agreed intermediary. This will reflect a strengthening of the obligation under NPP 6.3 to ‘consider’ the use of a mutually agreed intermediary.

Under APP 12.8, an organisation that charges an individual for providing access to the individual’s personal information must ensure that the charges are not excessive and must not apply to the making of the request.  An excessive charge amount would include recouping costs above the actual amount incurred by the organisation. 

If an APP entity refuses access to an individual’s personal information due to one of the exceptions, or in the manner requested, APP 12.9 will also require the entity to give written reasons for the refusal. Written reasons will not be required, though, to the extent that it would be unreasonable with regard to the grounds for the refusal.

APP 12.10 provides that, if an APP entity refuses to give access to the personal information because of paragraph 12.3(j), the reasons for the refusal may include an explanation for the commercially sensitive decision.  APP 12.10 will operate in the same manner as the repealed NPP 6.2 that enabled an organisation to provide an explanation for a commercially sensitive decision rather than direct access to the information. 

Australian Privacy Principle 13—correction of personal information

APP 13 will set out the obligation for an entity to take reasonable steps to correct the personal information it holds about an individual if it is satisfied that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading, with regard to the purpose for which it is held, or upon request by the individual.  This obligation may include making appropriate deletions or additions. 

The principle is not intended to create a broad obligation on entities to maintain the correctness of personal information they hold at all times.  The principle will interact with APP 10, such that when the quality of personal information is assessed at the time of use or disclosure, an entity may need to correct the information before use or disclosure if the entity is satisfied that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.

If personal information is held for a range of purposes, and it is considered incorrect with regard to one of those purposes, the obligation to take reasonable steps to correct the information should apply.

The principle will remove the requirement in NPP 6.5 for an individual to ‘establish’ that personal information is incorrect before correction is required.

If an entity corrects the personal information of an individual, APP 13 will require it to take reasonable steps to notify any other entity to which it had previously disclosed the information, if that notification is requested by the individual.  The compliance burden will be reduced by the proviso that notification is not required if it would be impracticable or unlawful.

If an entity refuses to correct personal information in response to an individual’s request, the principle will provide a mechanism for individuals to request that a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading be associated with the information.  The entity must take reasonable steps to associate the statement so that it is apparent to users of the personal information.  This will ensure that individuals retain control of how their personal information is handled.  The statement should address matters relevant to the information being inaccurate, out-of-date, incomplete, irrelevant or misleading, and should not be unreasonably lengthy.  The appropriate content and length of any statement will depend on the circumstances of the case. 

Under APP 13.5, there are requirements for responding to requests under APP 13 within a certain time frame.  Organisations must respond to such requests within a reasonable period after the request is made.  It is intended that a ‘reasonable period’ under APP 13.5 relating to more complicated requests will not usually exceed 30 days.

The ALRC’s recommendations relating to including an enforceable right of access to, and correction of, an individual's own personal information in the Privacy Act (rather than maintaining the right through the FOI Act) will be considered at a later date. 



Schedule 2 - Credit Reporting

Introduction

Outline of this schedule

This schedule amends the provisions that deal with credit reporting in the Privacy Act.  Various definitions are replaced and additional definitions inserted to deal with new terms, and Part IIIA is replaced with a new Part IIIA.  The new provisions provide clear rules for participants in the credit reporting system by identifying the flows of personal information in the system and ensuring that regulation is consistent with the APPs.  However, the credit reporting provisions differ from the APPs by providing different or more specific regulation in relation to certain personal information in the credit reporting system.

Related amendments to insert new provisions dealing with APP codes and the CR code (which replaces the previous credit reporting code of conduct) are dealt with in schedule 3.  Amendments to the powers and functions of the Commissioner in relation to credit reporting are dealt with in schedule 4.  The amendments in schedule 1 to insert the APPs are also relevant.  In general terms, the order and structure of the credit reporting provisions reflects the order and structure of the APPs and the understanding of the personal information life cycle captured by the APPs.  More specifically, where relevant the credit reporting provisions are directly modelled on the APPs, but modified as necessary to deal with the particular regulatory requirements of the credit reporting system.  There is also the issue of the relationship between the regulation of personal information by the APPs and the regulation of certain kinds of personal information by the credit reporting system.  The credit reporting provisions that deal with credit reporting bodies completely replace the APPs in relation to the defined kinds of personal information in the credit reporting system.  Credit providers that are also APP entities will be subject to both the credit reporting provisions as well as to some APPs in some circumstances in relation to the kinds of personal information in the credit reporting system.  The relationship between the credit reporting provisions and the APPs is fully addressed in the provisions and is discussed further below.

Objective of the credit reporting system

The purpose of the credit reporting system is to balance an individual’s interests in protecting their personal information with the need to ensure sufficient personal information is available to assist a credit provider to determine an individual’s eligibility for credit following an application for credit by an individual.  The credit reporting system provides an aid to credit providers in managing the risks of providing consumer credit to individuals.  Only limited and defined kinds of credit related personal information (described further below) are permitted in the credit reporting system.

The credit reporting system in Australia has been a ‘negative’ reporting system.  The main kinds of personal information permitted in the system were information about a credit provider having sought a credit report in relation to an applicant for credit, the amount of credit sought in the application, the individual’s current credit providers (if any), and information about any credit defaults (a term that was specifically defined).  The new provisions move to a ‘more comprehensive’ credit reporting system.  This means a limited number of additional categories of credit related personal information are permitted in the credit reporting system, as set out below.  The provisions do not establish a ‘positive’ credit reporting system.  That is, the credit reporting system does not provide every piece of credit related personal information about an individual.  Moving to a more comprehensive credit reporting system balances the privacy interests of the individual while providing sufficient information for credit providers to make an assessment of credit risk when considering an individual’s eligibility for credit.

The credit reporting provisions do not regulate the way in which credit related personal information about an individual is used by credit providers to assess the risk of providing credit to an individual.  This is a decision for each credit provider to make in the circumstances of each case in the context of the commercial practice of the credit provider.

Credit providers supply certain credit related personal information into the credit reporting system by disclosing it to credit reporting bodies.  Credit reporting bodies collect and handle the information supplied by credit providers to create a database of permitted credit related personal information about an individual.  The credit related personal information in the credit reporting system may be disclosed to other credit providers in defined circumstances.  The credit reporting provisions place obligations on all participants in the credit reporting system.  It is not mandatory for credit providers to participate in the credit reporting system, but if a credit provider chooses to participate they must comply with the credit reporting provisions as set out in the legislation and supported by regulations and the registered CR code.  The credit reporting provisions do not deal with commercial arrangements that may be put into place between credit reporting bodies and credit providers.  Matters of industry practice can be addressed by contractual arrangements or additional industry agreements that sit alongside the CR code.  Industry agreements that may impact on competition in the credit reporting market would need to be considered by the Australian Competition and Consumer Commission.

An Australian credit reporting system

The credit reporting system is restricted to information about consumer credit in Australia and access to the credit reporting system is only available to credit providers in Australia.  The credit reporting system will not contain foreign credit information or information from foreign credit providers (even if they have provided credit to an individual who is in Australia), nor will information from the credit reporting system be available to foreign credit reporting bodies or foreign credit providers.

One option considered to give effect to this policy was a number of general provisions stating these limitations.  However, it was considered that a simpler, clearer and more effective approach was to ensure appropriate limitations were in place in relation to each relevant provision dealing with the collection, use and disclosure of information by credit reporting bodies and credit providers in Part IIIA.  The key provisions are as follows.  Clause 21D sets out a general prohibition on the disclosure of credit information by a credit provider to a credit reporting body (whether or not the body carries on business in Australia).  This is followed by a permission to disclose credit information to a credit reporting body that has an Australian link.  However, the provision specifies that the credit information that is disclosed must relate to credit that is or has been provided, or applied for, in Australia.  Clause 20F, which sets out a table listing the permitted CRB disclosures that can be made, provides that (once the credit reporting body has collected this credit information) the credit reporting body can only disclose the credit information to a specified entity that also has an Australian link.  Around these key provisions there are other provisions that contain appropriate limitations to ensure that relevant entities have an Australian link.

In this context, and consistent with the understanding of APP 8 on cross-border disclosures of personal information, online applications for credit submitted by an individual physically in Australia should be regarded as having been collected in Australia by the credit provider.  Where the online application is made to a foreign entity, the foreign entity will not have an Australian link and a credit reporting body will not be permitted to disclose credit reporting information to that foreign entity.

The concept of an Australian link is used in the APPs and is a term that is further defined in section 5B of the Act (as amended by schedule 4).  It is understood that in the context of using this term in the credit reporting provisions, an entity with an Australian link should already have an appropriate link to Australia in place prior to any disclosure to that entity.  The act of disclosure should not be what provides the entity with an Australian link.

Consideration will be given to the sharing of credit reporting information with New Zealand, which has a very similar credit reporting system and close economic ties with Australia.  When this occurs, it will be necessary to develop specific legislative provisions to amend the credit reporting system set out in Part IIIA to establish the arrangements by which credit reporting information will be shared with New Zealand.

Main reforms to the credit reporting provisions

The credit reporting provisions have been completely revised, consistent with the intention to ensure greater logical consistency, simplicity and clarity throughout the Privacy Act.  In addition to revisions to the credit reporting provisions, the major reforms of the credit reporting system are:

  • Introducing more comprehensive credit reporting to provide additional information about an individual’s ongoing credit arrangements:
    • Date credit account opened and date account closed (if any)
    • Type of credit
    • Maximum credit limit
    • Repayment history over previous two years
      • this category of information is only available to credit providers who are subject to responsible lending obligations under the National Consumer Credit Protection Act 2009 (National Consumer Credit Protection Act)
      • however, there is an exception to this requirement for mortgage insurers to allow them to obtain the information from those credit providers to whom they provide mortgage insurance
  • Reforming obligations relating to the retention of different categories of personal information
  • Introducing specific rules to deal with pre-screening of credit offers and the freezing of access to an individual’s personal information in cases of suspected identity theft or fraud
  • Providing additional consumer protections by enhancing obligations and processes dealing with notification, data quality, access and correction, and complaints; and
  • Reforming the regulation of credit reporting to more accurately reflect the information flows within the system and the general obligations set out in the APPs.

The credit reporting provisions will be supported by regulations and the registered CR code, which will deal with detailed and practical matters.  In particular, the regulations and registered CR code will provide details on the information that can be collected as part of the new sets of information.  The registered CR code will bind all credit reporting bodies.  As it is expected that the registered CR code will deal with certain matters as noted in the credit reporting provisions, it will also bind credit providers and other third parties who receive information from credit providers (such as the ‘affected information recipients’ dealt with in Division 4 of Part IIIA).

Participants in the credit reporting system

The credit reporting provisions apply to three main categories of participants: credit reporting bodies (formerly known as credit reporting agencies); credit providers; and affected information recipients, who are other third parties who receive the information from credit providers.  The terms credit reporting bodies and credit providers are defined and have specific meanings.  In general, a credit reporting body is a repository of the prescribed categories of personal information and does not have a direct relationship with the individuals to whom the information relates (however, a range of subsequent obligations, for example in relation to notification, access and correction, and complaints handling, will put a credit reporting body into direct contact with individuals).  In general terms, a credit provider has a direct relationship with an individual through providing, or considering an application for the provision of, consumer credit (and, where permitted, commercial credit) to the individual.

The provisions dealing with each type of participant are grouped together, so that:

  • Credit reporting bodies are dealt with in Division 2
  • Credit providers are dealt with in Division 3; and
  • Other recipients, known as affected information recipients (mortgage and trade insurers, related body corporate, credit managers, and advisors), are dealt with in Division 4.

A credit provider is permitted to disclose certain information to another credit provider in certain circumstances.  It is recognised that this sharing of information is necessary to support the credit reporting system and sharing information in these circumstances does not make the credit provider subject to the obligations of a credit reporting body.

Categories of personal information in the credit reporting system

The credit reporting system only contains certain narrowly defined categories of credit related personal information.  A number of general terms are used to refer to these categories of personal information.  It is necessary to use a number of terms that incorporate and build upon other terms because it is essential to accurately describe the actual information flows in the credit reporting system.  Generally, credit reporting bodies and credit providers that receive information out of the system use the information to determine some sort of credit score or rating of the credit risk of the individual which they add to the information.  Because credit reporting bodies and credit providers may use personal information in the credit reporting system to derive and add new personal information to the system, it is important to accurately describe this process through the use of specific and defined terms.  The key terms are: credit information; credit reporting information; credit eligibility information; and regulated information.  These terms are discussed further, below.

Information flows into and out of the credit reporting system

There are two sides to the credit reporting system: the input side, by which credit providers put information into the system by disclosing the defined categories of personal information to credit reporting bodies; and the output side, by which credit reporting bodies disclose certain personal information to credit providers, where this is consistent with the permitted disclosures.  While in this context it is useful to talk about information flows to understand how the credit reporting system operates, all information flows are in fact comprised of a series of disclosures and collections of personal information, all of which are regulated by the credit reporting provisions.

In general terms, there will be a regular flow (disclosure) of information into the credit reporting system from credit providers to credit reporting bodies, as personal information about, for example, repayment history may be provided on a monthly basis.  However, there is no automatic or continuous flow (disclosure) of information from credit reporting bodies to credit providers - information can only be disclosed in prescribed circumstances.  Generally, information only comes out of the system following requests from credit providers to credit reporting bodies for disclosure for specified purposes (or where disclosures are permitted to certain recipients for certain purposes by operation of the provisions, such as to an affected information recipient, or where disclosure is permitted by operation of an exception, such as where a disclosure is required or authorised by or under an Australian law or court or tribunal order).

Diagram 1, below, provides a simplified illustration of the significant information flows in the credit reporting system.  The key features of diagram 1 are as follows:

  • The central circular relationship is between credit reporting bodies and credit providers.
    • Credit providers disclose ‘credit information’ to credit reporting bodies, which are the repositories of personal information in the credit reporting system.
    • Credit reporting bodies disclose ‘credit reporting information’ to credit providers.
  • Credit reporting bodies may also disclose credit reporting information to:
    • ‘mortgage insurers’
    • ‘trade insurers’
    • ‘securitisation entities’
    • in addition (and not included in the diagram for simplicity) credit reporting bodies may make a disclosure to another credit reporting body, a ‘recognised external dispute resolution scheme’, an ‘enforcement body’, as well as a disclosure that is required or authorised by or under an Australian law or court or tribunal order, or by regulations.
  • Credit providers can disclose ‘credit eligibility information’ to:
    • other credit providers
    • ‘affected information recipients’
    • in addition (and not included in the diagram for simplicity), credit providers can make a disclosure to a ‘recognised external dispute resolution scheme’, a ‘guarantor’, a ‘debt collector’, a mortgage credit assistance scheme, an ‘enforcement body’, as well as a disclosure that is required or authorised by or under an Australian law or court or tribunal order, or by regulations.

The use and disclosure of the types of personal information in diagram 1 are regulated, and are subject to conditions set out in the credit reporting provisions.

 


Diagram 1 - information flows in the credit reporting system

 

The credit reporting provisions provide different requirements for the participants based on whether they are taking part in the input side or the output side of the credit reporting system.  This means that the rules for credit providers putting credit information into the credit reporting system are different to the rules that apply when they obtain credit reporting information from the credit reporting system.  Credit providers have a dual role - they provide the credit reporting bodies with the personal information (credit information) necessary for the credit reporting system to operate, but their role on the output side of the system is to collect credit reporting information, which is personal information collected by the credit reporting body from other credit providers (if any) and any CRB derived information, which is personal information added by the credit reporting body, such as a credit score, assessment or other personal information about an individual that assists in determining an individual’s credit worthiness.

This means, for example, that there can’t be a single disclosure rule for credit providers, both because they have different roles in the system and because the personal information changes as it goes through the system.  For this reason, there are provisions relating to the disclosure by credit providers to credit reporting bodies of credit information into the credit reporting system (and a related rule for credit reporting bodies dealing with collection of credit information).  However, there are separate provisions relating to the disclosure by credit reporting bodies to credit providers, since the personal information disclosed will be credit reporting information.  There are further provisions relating to any disclosures by credit providers of credit eligibility information.  Credit eligibility information consists of credit reporting information disclosed to the credit provider by a credit reporting body, and CP derived information, which is any personal information added by the credit provider that assists in determining an individual’s credit worthiness.  There is not one single category of personal information that can be regulated by a single rule that will apply in every case.

There are further rules dealing with other permitted disclosures by credit reporting bodies and credit providers.  These disclosures are for specific purposes.  Most recipients will be subject to further provisions in relation to their use of the personal information they have collected, as well as any further disclosure of the personal information.  For example, ‘authorised information recipients’ are subject to the requirements set out in Division 4 in relation to ‘regulated information’.  Further disclosure by these authorised information recipients is prohibited.  The credit reporting provisions do not specifically deal with personal information that is held or maintained by: a recognised external dispute resolution scheme; an enforcement body; or a debt collector.  An enforcement body will be an APP entity, and, if the other recipients are also an APP entity, they will be subject to the APPs.  A recipient who is a person who is a guarantor is likely to be an individual and exempt from the Act, while a mortgage credit assistance scheme is expected to be a State or Territory agency and exempt from the Act.

Key terms that refer to personal information in the credit reporting system

There are a number of definitions associated with the credit reporting provisions that provide explanations of the terms to assist understanding and ensure that only the precisely defined kinds of personal information are held in the credit reporting system.  This is consistent with the prescriptive nature of the credit reporting system.  Many of these definitions are linked.  This reflects the way in which personal information in the credit reporting system is maintained and used.  In particular, both credit reporting bodies and credit providers use the personal information they collect to derive their own assessments of the individual’s credit worthiness.  In this context, it is understood that to derive means to use the personal information to determine some sort of credit score or rating (or other relevant personal information) that usually relates to the perceived credit risk of the individual for the purpose of considering the individual’s credit worthiness.  The aggregation of personal information in this way gives credit providers a better understanding of an individual’s credit worthiness.  In the same way that the different kinds of personal information in the credit reporting system are pulled together, the definitions of terms used to refer to those kinds of personal information must also be linked rather than stand alone.  Despite the number of specific definitions of terms that are used in the credit reporting provisions, only four key terms deal with the accumulation of relevant personal information through the information flows that make up the credit reporting system.

Diagram 2, below, provides a simple illustration of the relationship of the key terms to the information flows in the credit reporting system, as well as their relationship to credit providers, credit reporting bodies and authorised information recipients.  For simplicity, diagram 2 does not represent all the information flows in the credit reporting system (as set out in diagram 1).  The credit reporting provisions set out the circumstances in which the different types of personal information can be collected, used or disclosed.

Diagram 2 - key terms that refer to personal information in the credit reporting system

 

(a)        credit information

Credit information is the basic category of personal information in the credit reporting system.  The term credit information brings together a defined list of certain kinds of personal information that are relevant to the credit reporting system.  However, any information that would fall within the definition of sensitive information in the Act is expressly excluded from credit information.  The following types of personal information included in the definition of credit information are also separately defined: identification information; consumer credit liability information; repayment history information; information requests, as well as information about the type and amount of credit sought in the application; default information; payment information; new arrangement information; court proceedings information; and personal insolvency information. The five new types of personal information that comprise the more comprehensive credit reporting reforms are captured as part of consumer credit liability information and repayment history information.  In addition, credit information includes two other types of personal information: information about certain publicly available information about the individual that relates to the individual’s activities in Australia and their credit worthiness; and information that is the opinion of a credit provider that the individual has committed a serious credit infringement (which is itself a defined term).

(b)        credit reporting information

Credit reporting information = credit information + CRB derived information

Credit reporting bodies hold and maintain credit reporting information.  Credit providers collect credit information from individuals who apply for credit.  This credit information is disclosed to credit reporting bodies that compile the credit information about an individual collected from credit providers.  Credit reporting information consists of two categories of personal information: the credit information about an individual that was disclosed to the credit reporting body by credit providers; and CRB derived information.  CRB derived information means any personal information about an individual (that is not sensitive personal information) that the credit reporting body derives from the credit information about the individual held by the credit reporting body.  However, the personal information must have some bearing on the individual’s credit worthiness and be used to establish the individual’s eligibility for consumer credit.

(c)        credit eligibility information

Credit eligibility information = credit reporting information + CP derived information

Credit providers hold and maintain credit eligibility information, which is the final product of the flow of credit information through the credit reporting system. Credit reporting bodies disclose credit reporting information to credit providers in defined circumstances.  A credit provider that receives credit reporting information generally performs its own analysis of that information in relation to the individual’s credit worthiness.  This is CP derived information - personal information (which cannot include sensitive information) derived from the credit reporting information provided to the credit provider which has some bearing on the individual’s credit worthiness and can be used to establish the individual’s eligibility for consumer credit.  Credit eligibility information consists of the credit reporting information provided to the credit provider by the credit reporting body and the CP derived information.

(d)       regulated information

Regulated information = credit eligibility information or credit reporting information

An affected information recipient is a term used to refer to certain entities or persons that may be (apart from trade insurers) provided with credit eligibility information in certain circumstances.  Where the affected information recipient is a mortgage insurer, they may also be provided with credit reporting information by a credit reporting body in certain circumstances.  Where the affected information recipient is a trade insurer, they may be provided with credit reporting information by a credit reporting body in certain circumstances.  The term regulated information refers to these types of personal information in the hands of the affected information recipient, and in relation to which certain obligations are imposed.  The circumstances in which disclosures can be made to affected information recipients are narrowly prescribed.  The term ‘affected information recipients’ refers to a variety of entities or persons, and these entities and persons are subject to obligations in relation to their privacy policy, to provide notice to individuals about certain matters, and in relation to the use and disclosure of regulated information.

Relationship of credit reporting provisions to the APPs

The credit reporting provisions that apply to credit reporting bodies completely replace the APPs in relation to the types of personal information to which they apply.  However, the provisions for credit providers take a different approach.  The credit reporting provisions apply to all credit providers (and, in special cases, to other entities or persons, such as those entities or persons that fall within the definition of an affected information recipient) in relation to the types of personal information to which they apply.  In addition, those credit providers that are also APP entities may also be subject to some APPs depending on the circumstances.  Provisions have been inserted to clarify the relationship of particular credit reporting provisions to the APPs.  Each provision in Division 3 on credit providers that deals with matters that are also covered by one or more of the APPs contains a provision that clarifies the relationship of that provision with the relevant APPs.  In most cases, the provision makes clear that the credit reporting provision replaces the relevant APP in relation to the particular kind of personal information that is regulated.  This difference in approach is due to the very different roles of the parties in the credit reporting system. Credit reporting bodies are central to the system and require rules that apply to every aspect of the system.  However, credit providers take part in the credit reporting system for the purpose of providing or managing credit, and their primary obligations in relation to personal information are established by the APPs.  For credit providers, the credit reporting rules apply over the top of the APPs in relation to the kinds of personal information regulated in the credit reporting system.  In relation to all other kinds of personal information the APPs will apply.

Access, correction and complaints procedures

Specific access, correction and complaints provisions set out obligations of credit reporting bodies and credit providers.  The main feature of these provisions is that a credit reporting body or a credit provider that receives a correction request from the individual is, where necessary, required to undertake appropriate consultations with other credit reporting bodies or credit providers to assist in resolving the correction request.  Consultations will be necessary where the body or provider that receives the correction request does not itself hold the relevant information nor have evidence supporting the information.  It will be necessary for credit reporting bodies and credit providers to develop appropriate systems to ensure that correction requests are dealt with quickly and efficiently.  In addition, a substantiation obligation is imposed where a correction request is refused.  This means that evidence must be provided to the individual demonstrating the accuracy of the information for which correction has been refused.  Finally, obligations around complaints have been developed to ensure that individuals are informed of their options to lodge a complaint with an approved external dispute resolution service or with the Commissioner, using the procedures set out in Part V of the Act.

Civil penalties and offences

There were previously a number of credit reporting offences (criminal offences) in relation to the credit reporting provisions.  These provisions have been removed and replaced with civil penalty provisions where appropriate.  However, where the nature of the conduct that is to be prohibited justifies an offence provision, such provisions have been inserted - see clauses 20P and 21R in relation to the use and disclosure of false and misleading information and clauses 24 and 24A in relation to the unauthorised obtaining of information from a credit reporting body or credit provider.  In each case, civil penalty provisions have also been inserted in relation to the same conduct.  The insertion of both offences and civil penalties allows the appropriate remedy to be sought depending on the particular circumstances of each case.

Transitional arrangements

Transitional arrangements are set out in schedule 6.  Of particular relevance to the credit reporting provisions is the proposed capture of repayment history information prior to commencement.  On commencement credit providers will be permitted to disclose to credit reporting bodies repayment history information dating back to the date of Royal Assent.  As the commencement period will be 9 months, this means that credit providers will be able to disclose approximately 9 months of repayment history information.  The purpose of permitting this arrangement is to provide a meaningful amount of data on repayment history from the commencement of the new credit reporting system.

Credit reporting information that has been de-identified

De-identified information is not a defined term.  However, credit reporting information held by credit reporting bodies that is de-identified is subject to specific regulation by clause 20M.  The de-identification of personal information as an alternative to destruction is an option provided in the APPs, and credit providers are also permitted to de-identify credit information or credit eligibility information by the credit reporting provisions.  However, when credit reporting bodies de-identify credit reporting information, the use and disclosure of that information by credit reporting bodies is regulated.



Notes on Clauses

Item 1             Before section 6

This item inserts the Division heading for the general definitions.

Item 2             Subsection 6(1)

This item inserts a cross-reference to the definition of access seeker in subclause 6L(1).

Item 3             Subsection 6(1)

This item inserts the definition of affected information recipient.  The term ‘affected information recipient’ has been used to refer collectively to a number of different entities or persons to whom certain personal information is disclosed (known as ‘regulated information’) by credit reporting bodies or credit providers in certain circumstances set out in Divisions 2 and 3.  Division 4 contains provisions dealing with the handling of ‘regulated information’ by affected information recipients.  An affected information recipient is a mortgage insurer, a trade insurer, a related body corporate of a credit provider (as referred to in paragraph 21G(3)(b)), a person who manages credit provided by a credit provider (as referred to in paragraph 21G(3)(c)), or an entity or a professional legal adviser or professional financial adviser for the entity (as referred to in paragraph 21N(2)(a)) to whom the credit provider discloses credit eligibility information for certain purposes dealing with assignment of debts, acceptance of debts, or purchasing an interest in the provider.

Item 4             Subsection 6(1)

This item inserts a cross-reference to the definition of amount of credit in subclause 6M(2).

Item 5             Subsection 6(1)

This item clarifies that a reference to the Bankruptcy Act means the Bankruptcy Act 1966.

Item 6             Subsection 6(1)

This item inserts a cross-reference to the definition of ban period in subclause 20K(3).

Item 7             Subsection 6(1) (definition of commercial credit)

This item repeals the existing definition of commercial credit and inserts a new definition of commercial credit.  The term ‘commercial credit’ is used in other definitions, including the definition of ‘trade insurance purpose’ (see item 64) and ‘trade insurer’ (see item 65).

‘Commercial credit’ is any credit other than consumer credit that is applied for, or provided to, a person.  This means that any credit that is not ‘consumer credit’ is, for the purposes of the credit reporting provisions, taken to be commercial credit.  Note that the definition of ‘consumer credit’ has been expanded to include credit obtained to acquire, maintain, renovate or improve residential property for investment purposes or to refinance consumer credit provided for this purpose.  This means that credit obtained for residential property investment purposes (that satisfies the criteria set out in the definition of ‘consumer credit’) is not commercial credit.

Item 8             Subsection 6(1)

This item inserts a definition of commercial credit related purpose.  This definition is linked to the term ‘commercial credit’.  Credit reporting bodies may disclose credit reporting information to a credit provider where the provider requests the information for a commercial credit related purpose (see subclause 20F(1)) and the individual expressly consents to the disclosure.  Where the relevant credit reporting information was disclosed to the credit provider for a commercial credit related purpose, the credit provider can then use the credit eligibility information for that purpose (see subclause 21(H)).  A credit provider can also disclose credit eligibility information to another credit provider for a commercial credit related purpose (see subclause 21J(1)) and the individual expressly consents to the disclosure.

A credit provider has a commercial credit related purpose in relation to a person if the purpose is to assess an application for commercial credit made by that person to the provider, or to collect payments that are overdue in relation to the commercial credit provided by the provider to that person.

Item 9             Subsection 6(1)

This item inserts the definition of consumer credit.  This definition is, along with the definition of ‘credit worthiness’, central to the purpose of the credit reporting system, which is established to allow credit providers to use certain personal information to determine an individual’s ‘credit worthiness’ and establish the individual’s eligibility for consumer credit.

The definition of ‘consumer credit’ has two parts.  Consumer credit is credit for which an individual has made an application to a credit provider, or credit that has been provided to an individual by a credit provider, in the course of the credit provider carrying on a business or undertaking as a credit provider.  In addition, the credit that is applied for or which is provided must be intended to be used wholly or primarily for certain purposes.  These purposes are: for personal, family or household purposes; to acquire, maintain, renovate or improve residential property for investment purposes; or to refinance consumer credit that has been provided wholly or primarily to acquire, maintain, renovate or improve residential property for investment purposes.

Any credit that does not fall within this definition is ‘commercial credit’.

The term ‘consumer credit’ replaces the former definition of ‘credit’.  The credit reporting provisions have, from their insertion into the Act, applied to credit that an individual intends to use wholly or primarily for personal, family or household purposes.  However, the definition has now been broadened to include credit obtained for the purposes of investing in residential property and related purposes as set out in the definition.  Extending the application of the credit reporting system to these credit transactions is consistent with the National Consumer Credit Protection Act, which protects these types of credit transactions.  Formerly, credit transactions in relation to residential property for investment purposes would have been considered commercial credit transactions.  However, extending the protection of the NCCP Act to these types of credit transactions recognised that consumers formed a significant segment of the residential investment property credit transactions.  Accordingly, it is appropriate to extend the definition of consumer credit to ensure that the personal information of individuals undertaking these transactions is also adequately protected by the credit reporting provisions.

Item 10           Subsection 6(1)

This item inserts the definition of consumer credit liability information.  The term ‘consumer credit liability information’ comprises one of the most significant parts of an individual’s ‘credit information’ (see clause 6N).  ‘Consumer credit liability information’ sets out the important information about an individual’s credit obligations.  Previously, in relation to the description of the individual’s credit obligations, only the name of an individual’s credit provider was permitted to be included as part of the individual’s personal information in the credit reporting system.  This definition now permits certain other types of information to be included along with the credit provider’s name.  These types of information are four of the new types of personal information about an individual that are permitted in the move to a more comprehensive credit reporting system.  The fifth new type of information, repayment history information, is separately defined.

The definition of ‘consumer credit liability information’ refers to certain information about the consumer credit that a credit provider provides to an individual.  Any information about an individual’s commercial credit cannot be included in an individual’s consumer credit liability information.  The definition sets out the types of information that can be included as consumer credit liability information, as follows.

The name of the credit provider allows identification of the credit provider that provides consumer credit to an individual, so that, for example, written notes of disclosures by credit reporting bodies can clearly identify the credit provider to which credit reporting information has been disclosed.

Whether the credit provider is a licensee is also included in the definition.  ‘Licensee’ is defined to have the meaning given to the term by the NCCP Act.  Inclusion of this information is necessary to determine to which credit providers repayment history information can be disclosed.  Repayment history information can only be disclosed to credit providers who are licensees.  This is because licensees are subject to responsible lending obligations under the NCCP Act, and the repayment history information is intended to assist those credit providers meet those obligations.  If it is not clear from an individual’s consumer credit liability information that a credit provider is a licensee, then repayment history information about that individual should not be disclosed to that credit provider.

The type of consumer credit provided to the individual is included in the definition.  It is expected that the registered CR code will set out common descriptors for use in describing different types of consumer credit.  This is not intended to be a detailed description of the circumstances around the provision of credit.  While a general description of the type of credit is permitted, it is expected that the description will provide sufficient information to be useful for establishing an individual’s credit worthiness - for example, mortgage credit is a different type of credit to credit provided for residential property investment.

The day on which the consumer credit was entered into is included in the definition.  It is expected that this will generally refer to the date on which the contract for consumer credit was entered, although it is expected the registered CR code will provide more details about this category - for example, if a contract is not signed immediately but the credit is supplied, it is expected that the day on which the consumer credit was entered into would generally be the day the credit was available to the individual.

The definition of ‘consumer credit liability information’ includes the terms or conditions of the consumer credit that relate to the repayment of the amount of credit.  However, this personal information can only be included where it is prescribed by the regulations.  If no regulations are made setting out the appropriate terms and conditions that are permitted, then no information about these matters can be included as part of an individual’s consumer credit liability information.  The terms and conditions of an individual’s consumer credit are likely to be many and varied.  Only those terms and conditions that would assist in determining an individual’s credit worthiness are intended to be included.  In this regard the regulations may prescribe matters such as, for example, whether the credit is repaid by interest only or by principal and interest, whether the interest rate is fixed or variable, and whether the credit is secured or unsecured.  These matters, if included in regulations, would provide more information to assist understanding the type of consumer credit provided to the individual and, more generally, along with the other information included in the definition of consumer credit liability information, the nature of an individual’s consumer credit liabilities.  The registered CR code may also provide more information on the terms or conditions to be included.

The maximum amount of credit available under the consumer credit is included in the definition.  This does not refer to the day-to-day balance for an individual’s credit account.  The maximum amount of credit indicates how much credit is available to the individual, but does not indicate whether the individual has used all the credit available.  Different credit products may supply credit in different ways and it may not be straightforward to determine the maximum credit available.  It is expected that the registered CR code will provide guidance on how the maximum amount of credit available is to be determined.

The day on which the consumer credit is terminated or otherwise ceases to be in force is the final type of information included in the definition.  This refers to the day the consumer credit is no longer available to the individual because the consumer credit has been terminated or otherwise ceases to be in force, not to the day the individual has, for example, made the last repayment on consumer credit (unless in the circumstances the day of the last repayment means that the consumer credit ceases to be in force).  Depending on the type of consumer credit, in some circumstances the individual may continue to have access to the credit after repaying the credit.  This means that the consumer credit would not be taken as terminated until the individual no longer had access to the credit.  Credit providers should clearly indicate to consumers the circumstances in which their credit will be terminated or otherwise ceases to be in force, and whether the consumer must take any action in addition to making the final repayment to terminate the credit or for it to otherwise cease to be in force.  There may be other circumstances in which the credit is terminated or otherwise ceases to be in force - for example, the individual does an act that is a serious credit infringement.  The date that the consumer credit is terminated or otherwise ceases to be in force is necessary to calculate retention periods for consumer credit liability information and other credit reporting information about the individual.  It is expected that the registered CR code will provide additional guidance on determining the day on which consumer credit is terminated and the other circumstances in which the consumer credit ceases to be in force.

Item 11           Subsection 6(1)

This item inserts the definition of consumer credit related purpose.  This term is linked to, and should be read with, the definition of ‘consumer credit’.  Credit reporting bodies can disclose credit reporting information to credit providers where the provider requests the information for a consumer credit related purpose under subclause 20F(1).  Credit providers can use credit eligibility information for a consumer credit related purpose of the credit provider under subclause 21G(2).  The use and disclosure of certain personal information for a consumer credit related purpose is central to the operation and purpose of the credit reporting system.

A consumer credit related purpose of a credit provider in relation to an individual means either the purpose of assessing an application for consumer credit made by the individual to the provider, or collecting payments that are overdue in relation to consumer credit provided by the provider to the individual.

The definition of consumer credit related purpose limits the purposes for which certain personal information may be used or disclosed.  The definition sets out the only permitted consumer credit related purposes.  It would not be consistent with the definition for credit reporting bodies to disclose credit reporting information about an individual to credit providers on a regular or continuous basis.  Rather, the credit provider is required to separately request the credit reporting body to disclose the relevant personal information on each occasion where the credit provider wishes to collect that personal information.  While a credit provider is permitted to use credit eligibility information for the purpose of assisting an individual to avoid defaulting (see clause 21H), it is expected that the use for this purpose would only be necessary when the provider has a basis for believing that the individual may be at risk of defaulting.  It would not be consistent with the definition of consumer credit related purpose for the provider to obtain regular disclosures from the credit reporting body simply to monitor or check an individual’s overall credit worthiness or behaviour.

Item 12           Subsection 6(1)

This item inserts the definition of court proceedings information.  Information about court proceedings that is held and maintained as part of an individual’s ‘credit information’ (see clause 6N) must be directly related to credit.  It is not permissible for information about any criminal law matters to be included in an individual’s credit information, nor for information about any other matters, such as commercial or civil law matters, unless the matter is related to the credit provided to, or applied for, by the individual.

This provision only permits information about a judgement of an Australian court - no foreign court information is permitted.  The judgement must be made, or given, against the individual in proceedings, and the judgement must relate to any credit provided to, or applied for, by the individual. 

The definition expressly refers only to judgments, not any other form of, or stages in, court proceedings.  This means that, for example, an originating summons cannot be included in an individual’s credit information as court proceedings information because it is not a judgement (even though it is part of the proceedings of the court).

Item 13           Subsection 6(1)

This item inserts the definition of CP derived information.  CP derived information is any personal information about an individual that is derived from credit reporting information that was disclosed to the credit provider by a credit reporting body under Division 2.  In addition, to be CP derived information the personal information must be information that has any bearing on the individual’s ‘credit worthiness’, and be used (or has been used, or could be used) to establish the individual’s eligibility for ‘consumer credit’.

To derive information from other information (the source information) is to obtain or deduce other personal information from the source information.  It is secondary information in that it is not possible for a credit provider to produce CP derived information without first having the source information about the individual (in this case, the source information is credit reporting information) to form the basis for the derivation process.  Generally, it is understood that CP derived information will include a credit rating or score that has a bearing on the individual’s credit worthiness by indicating the provider’s analysis of the individual’s eligibility for consumer credit.  A provider is not limited to using only credit reporting information to derive CP derived information, but may also use other information together with credit reporting information to derive CP derived information about the individual (such as, for example, the provider’s risk analysis that takes into account other economic or commercial factors).

CP derived information cannot be ‘sensitive information’ as defined in section 6(1).  This prohibition applies to all forms of sensitive information as set out in the definition of that term.  While, under the APPs, APP entities can generally collect sensitive information with the consent of the individual, this provision makes clear that sensitive information is prohibited in the credit reporting system.  To ensure this is the case it is expected that sensitive information cannot form a part of the information used by a credit provider to derive CP derived information about an individual, or be considered in any way by a provider in CP derived information.

Item 14           Subsection 6(1)

This item inserts the definition of CRB derived information.  CRB derived information is personal information about an individual derived by a credit reporting body from credit information about the individual that is held by the credit reporting body.  In addition, to be CRB derived information it must have some bearing on the individual’s ‘credit worthiness’, and be used (or has been used, or could be used) to establish the individual’s eligibility for consumer credit.

To derive information from other information (the source information) is to obtain or deduce other personal information from the source information.  It is secondary information in that it is not possible for a credit reporting body to produce CRB derived information without first having the source information about the individual (in this case, the source information is credit information) to form the basis for the derivation process.  Generally, it is understood that CRB derived information will include a credit rating or score that has a bearing on the individual’s credit worthiness by indicating the body’s analysis of the individual’s eligibility for consumer credit.  A body is not limited to using only credit information to derive CRB derived information, but may also use other information together with credit information to derive CRB derived information about the individual (such as, for example, the body’s risk analysis that takes into account other economic or commercial factors).

CRB derived information cannot be ‘sensitive information’ as defined in section 6(1).  This prohibition applies to all forms of sensitive information as set out in the definition of that term.  While, under the APPs, APP entities can generally collect sensitive information with the consent of the individual, this provision makes clear that sensitive information is prohibited in the credit reporting system.  To ensure this is the case it is expected that sensitive information cannot form a part of the information used by a credit reporting body to derive CRB derived information about an individual, or be considered in any way by a provider in CRB derived information.

Item 15           Subsection 6(1) (definition of credit)

This item repeals the existing definition of credit and inserts a cross-reference to the new definition of ‘credit’ in subclauses 6M(1) and (3).  The new definition of credit replaces the former definition of ‘loan’.  The definition of credit includes the term ‘amount of credit’ in subclause 6M(2).

Item 16           Subsection 6(1) (definition of credit card)

This item replaces any references to the term ‘loans’ in the definition of credit card with the term ‘credit’.  The term ‘loans’ has been repealed because this term has been replaced with ‘credit’.

Item 17           Subsection 6(1)

This item inserts the definition of credit eligibility information.  Credit providers hold and maintain credit eligibility information, which is personal information.  Credit eligibility information comprises ‘credit reporting information’ that was disclosed to the provider by a credit reporting body and ‘CP derived information’.

Credit reporting bodies disclose credit reporting information to credit providers in defined circumstances under Division 2.   It is understood that a credit provider that collects credit reporting information performs its own analysis on that information and may use it (either alone or together with other information) to derive further information about an individual’s credit worthiness that can be used to establish the individual’s eligibility for consumer credit.  The personal information that results from this process is CP derived information.  Credit eligibility information refers to these kinds of personal information about the individual held by the credit provider.  The obligations of credit providers in relation to credit eligibility information are set out in Division 3.

The definition of credit eligibility information only includes credit reporting information disclosed to the credit provider by a credit reporting body.  It does not include other credit-related information that was, for example, collected directly from the individual.  That other credit-related information would not be subject to the credit reporting provisions (but, if the provider is an APP entity, would be subject to the APPs).  In some instances a credit provider may collect the same information from different sources, for example from a credit reporting body and from the individual.  In these circumstances, the credit provider will be required to distinguish between personal information that is credit eligibility information (collected from a credit reporting body) and other personal information they collect.

 

Item 18           Subsection 6(1) (definition of credit enhancement)

This item replaces the reference to the term ‘a loan’ in the definition of credit enhancement with the term ‘credit’.  The term ‘loan’ has been repealed because this concept has been replaced with ‘credit’.

Item 19           Subsection 6(1) (paragraphs (a) and (b) of the definition of credit enhancement)

This item replaces the references to the term ‘the loan’ in the definition of credit enhancement with the term ‘the credit’.  The term ‘loan’ has been repealed because this concept has been replaced with ‘credit’.

Item 20           Subsection 6(1)

This item inserts the definition of credit guarantee purpose.  An individual may wish to act as guarantor for credit provided to another person.  The individual may offer the guarantee either at the time the other person applies for the credit, or after the credit has been provided to the other person.  An individual who offers to act as a guarantor is offering to take on consumer credit liabilities in relation to that credit applied for, or provided to, the other person.

A credit reporting body is permitted to disclose credit reporting information to a credit provider that requests the information for a credit guarantee purpose (see subclause 20F(1)).  Where the relevant credit reporting information was disclosed to the credit provider for a credit guarantee purpose, the credit provider can then use the credit eligibility information for that purpose (see subclause 21(H)).

A credit guarantee purpose means the purpose of assessing whether to accept the individual as a guarantor for credit for which an application has been made to, or which has been provided by, a credit provider by a person other than the individual who is proposing to be a guarantor.

Item 21           Subsection 6(1)

This item inserts a cross-reference to the definition of credit information in clause 6N.



Item 22           Subsection 6(1) (definition of credit information file)

This item repeals the definition of credit information file as the term is no longer used.  The concept of a file no longer accurately reflects the way personal information is held and maintained in the credit reporting system.

Item 23           Subsection 6(1) (definition of credit provider)

This item inserts a new cross-reference to the definition of credit provider in clauses 6G to 6K, as these clauses replace the previous definition of this term.

Item 24           Subsection 6(1) (definition of credit report)

This item repeals the definition of credit report, as the term is no longer used.  The concept of a credit report no longer accurately reflects the way personal information is held or maintained in the credit reporting system.

Item 25           Subsection 6(1) (definition of credit reporting agency)

This item repeals the definition of credit reporting agency as it has been replaced by the term ‘credit reporting body’.

Item 26           Subsection 6(1)

This item inserts the definition of credit reporting body, which replaces the previous definition of ‘credit reporting agency’.  The reference to ‘agency’ in the previous term has been replaced with ‘body’ to ensure that there is no confusion with Government agencies, particularly now that the definition provides for an agency to be a credit reporting body if it is prescribed by regulations.  A credit reporting body is either an organisation that carries on a ‘credit reporting business’ or an agency prescribed by the regulations that carries on a ‘credit reporting business’ (as defined in clause 6P).  A credit reporting body is subject to the obligations set out in Division 2.

It is not anticipated that any agencies will be prescribed by the regulations.  However, this provision provides the option of prescribing an agency in the future if any agency is established as, or identified to be, a credit reporting body.  An agency that is a credit reporting body will be subject to the same regulatory requirements as an organisation or small business operator that is a credit reporting body.

A credit reporting body that is a small business operator will be treated as an organisation for the purposes of the Act.  The definition of ‘organisation’ in section 6C excludes a small business operator.  However, subsection 6D(4) specifies certain entities that are not small business operators and hence which are treated as organisations.  Item 68 amends subsection 6D(4) by adding an additional paragraph referring to a credit reporting body.  This means that a credit reporting body that is a small business is not, for the purposes of the Act, a small business operator.  It is appropriate that small business operators are permitted to be credit reporting bodies and play a role in the credit reporting system.  However, those small business operators should be subject to the obligations in the Act that apply to other organisations, such as the APPs, and the obligations in the Act that apply to credit reporting bodies, in particular, the obligations set out in Part IIIA of the Act.

Item 27           Subsection 6(1) (definition of credit reporting business)

This item repeals the existing definition of credit reporting business and inserts a cross-reference to the new definition of ‘credit reporting business’ in clause 6P.



Item 28           Subsection 6(1)

This item inserts the definition of credit reporting information.  Credit reporting bodies hold and maintain credit reporting information, which is personal information.  Credit reporting information about an individual consists of ‘credit information’ that was disclosed to the credit reporting body by the credit provider, as well as ‘CRB derived information’.

Credit providers collect credit information from individuals who apply for credit.  This credit information may be disclosed in certain circumstances (under Division 3) to credit reporting bodies that compile the credit information about an individual collected from credit providers.  It is understood that a credit reporting body that collects credit information performs its own analysis on that information and may use it (either alone or together with other information) to derive further information about an individual’s credit worthiness that can be used to establish the individual’s eligibility for consumer credit.  The personal information that results from this process is CRB derived information.  Credit reporting information refers to these kinds of personal information about the individual held by the credit reporting body.  The obligations of credit reporting bodies in relation to credit reporting information are set out in Division 2.

Item 29           Subsection 6(1)

This item inserts the definition of credit worthiness.  This definition is, along with the definition of ‘consumer credit’, central to the purpose of the credit reporting system, which is established to allow credit providers to use certain personal information to determine an individual’s ‘credit worthiness’ and to establish the individual’s eligibility for consumer credit.  The term ‘credit worthiness’ is used in the definitions of ‘CP derived information’ and ‘CRB derived information’.  These definitions refer to information that has a bearing on an individual’s credit worthiness and is, has been or could be used in establishing the individual’s eligibility for consumer credit.  Accordingly, personal information about the individual in the credit reporting system that is held and maintained by credit reporting bodies in the form of ‘credit reporting information’ (under Division 2) and credit providers in the form of ‘credit eligibility information’ (under Division 3) includes information that has a bearing on an individual’s credit worthiness and is, has been or could be used in establishing the individual’s eligibility for consumer credit.

There are three components to the definition of an individual’s credit worthiness.  These matters are the individual’s: eligibility to be provided with consumer credit; history in relation to consumer credit; or capacity to repay an amount of credit that relates to consumer credit.

Item 30           Subsection 6(1) (definition of current credit provider)

This item repeals the definition of current credit provider.

This definition is no longer required.  The definition of ‘consumer credit liability information’ includes information about an individual’s credit provider in relation to the individual’s existing consumer credit liabilities.  This means that any credit provider included in consumer credit liability information is a current credit provider in relation to an individual.

Item 31           Subsection 6(1)

This item inserts a cross-reference to the definition of default information in clause 6Q.

Item 32           Subsection 6(1) (definition of eligible communications service)

This item repeals the definition of eligible communications service, as this term is no longer used in the credit reporting provisions.

Item 33           Subsection 6(1) (definition of guarantee)

This item repeals the existing definition of guarantee and replaces it with a new definition that is consistent with the new terms now used in the credit reporting provisions.  Specifically, the definition, which provides that a guarantee includes an indemnity given against the default of a person in making a payment in relation to credit, now concludes by making clear that it is a payment in relation to credit that has been applied for by, or provided to, the person for whom the individual is or will be guarantor.

Item 34           Subsection 6(1)

This item inserts the definition of identification information.  Identification information is a type of information that is included in the definition of ‘credit information’ (see clause 6N).  While the personal information included in this definition does not itself directly refer to an individual’s credit obligations, it is necessary to include this personal information in credit information to ensure that the individual can be effectively identified and linked to other personal information about their credit obligations included in their ‘credit information’.  Credit reporting bodies cannot collect identification information about individuals without collecting or holding other credit information, and can only collect identification information about individuals who are under the age of 18 in certain circumstances (see clause 20C).

The term ‘identification information’ refers to those types of personal information about an individual that are listed in the definition.  No other personal information may be included as identification information in an individual’s credit information, and hence in the credit reporting system.

Identification information about an individual means: the individual’s full name; any alias or previous name of the individual; the individual’s date of birth; and the individual’s sex.  In addition, the definition includes the individual’s current or last known address, and two previous addresses, if any; the name of the individual’s current or last known employer; and the individual’s driver’s licence number (if the individual holds a licence).

The definition does not include any more than two previous addresses for an individual.  While there may be circumstances in which an individual may change addresses relatively frequently in a period of time, it is considered that only including the individual’s current address and two previous addresses in the individual’s identification information sufficiently balances the need to identify the individual accurately with the individual’s interests in maintaining the privacy of the individual’s previous addresses.  This restriction also ensures that there is no possibility of a history of the individual’s addresses being compiled.

Item 35           Subsection 6(1)

This item inserts a cross-reference to the definition of information request in clause 6R.

Item 36           Subsection 6(1)

This item inserts a cross-reference to the definition of interested party in subclauses 20T(3) and 21V(3) (which deal with consultation by a credit reporting body or a credit provider respectively, following an individual’s correction request).

Item 37           Subsection 6(1)

This item states that ‘licensee’ has the meaning given by the NCCP Act.

Repayment history information can only be disclosed in circumstances where the disclosing credit provider, or the recipient of the information from a credit reporting body, is a licensee.  The reason for this is that licensees are subject to responsible lending obligations under the NCCP Act, and the repayment history information is intended to assist those credit providers in meeting those obligations.  Credit providers can only disclose repayment history information to a credit reporting body if the credit provider is a licensee (see paragraph 21D(3)(c)), and can only disclose repayment history information as part of credit eligibility information if the recipient is a licensee (see paragraph 21G(5)(a) - but note that a disclosure to a mortgage insurer is permitted by clause 21L).  Credit reporting bodies can only disclose repayment history information to a credit provider that is a licensee (see subclause 20E(4)).  Defining the term ‘licensee’ by referring to its meaning in the NCCP Act ensures that there is a single source for the meaning of the term which assists in identifying a licensee. 

Item 38           Subsection 6(1) (definition of loan)

This item repeals the definition of loan as the term has been replaced by the term ‘credit’.

Item 39           Subsection 6(1)

This item inserts the definition of managing credit.  A credit provider is permitted to disclose credit eligibility information to a person who manages credit provided by the credit provider for use in managing that credit (see subclause 21G(3)).  A person who manages credit is included in the definition of an ‘affected information recipient’ and is subject to the obligations in Division 4, and in particular clause 22E dealing with the use or disclosure of credit eligibility information by credit managers.  Agents of credit providers and securitisation entities may also manage credit (see clauses 6H and 6J).

The definition operates by excluding certain matters from the meaning of ‘managing credit’.  An act relating to the collection of overdue payments in relation to credit is excluded from the meaning of ‘managing credit’.  The collection of overdue payments is specifically regulated by clause 21M, which provides for disclosures by credit providers of certain limited types of credit eligibility information to debt collectors.  It would undermine the protection afforded to credit eligibility information and the operation of clause 21M if a debt collector could also collect credit eligibility information in the guise of managing credit.

In general terms, it is understood that a credit manager is someone who manages credit for a credit provider (but is not an agent of the credit provider), and to whom disclosures are permitted for that purpose.  The acts that constitute managing credit are likely to vary depending on the services that a credit manager has agreed to provide to a credit provider.  This may vary, for example, from providing all matters relating to the management of credit to only some specific matters.  For example, a credit manager may supply a credit provider with customer management or customer assistance services, or may instead supply a variety of data management or back-office services to a credit provider.  A credit provider should only disclose credit eligibility information for use by the credit manager where that information is necessary for the credit manager to manage the credit provided by the credit provider.  Not all acts that constitute managing credit will require all credit eligibility information to be disclosed to the credit manager, and credit eligibility information shouldn’t be disclosed by credit providers to credit managers as a matter of course.

Item 40           Subsection 6(1) (definition of mortgage credit)

This item repeals the definition of mortgage credit and replaces it with a new definition that is consistent with the new terms now used in the credit reporting provisions.  Specifically, the definition now refers to ‘consumer credit’ as the definition of this term now includes credit for which an individual has made an application, or credit which the individual has been provided, for purposes relating to residential property for investment purposes.  The term ‘mortgage credit’ is used in the definition of ‘mortgage insurance purpose’ and ‘mortgage insurer’ (see items 41 and 42) and is also used in provisions dealing with the collection, use and disclosure of personal information by credit reporting bodies (see Division 2) and credit providers (see Division 3).

Item 41           Subsection 6(1)

This item inserts the definition of mortgage insurance purpose.

A credit provider can disclose credit eligibility information to a mortgage insurer for a mortgage insurance purpose (see clause 21L), and a credit reporting body can disclose credit reporting information to a mortgage insurer where the mortgage insurer requests it for a mortgage insurance related purpose (see subclause 20F(1)).  This definition is necessary to assist the understanding of a mortgage insurance related purpose.  A mortgage insurance purpose is the purpose of assessing: whether to provide insurance to, or the risk of insuring, a credit provider in relation to mortgage credit in certain circumstances; the risk of an individual defaulting on mortgage credit for which the insurer has provided insurance; or the risk of an individual being unable to meet a guarantee provided or proposed to be provided in relation to mortgage credit.

Item 42           Subsection 6(1) (definition of mortgage insurer)

This item repeals the definition of mortgage insurer and replaces it with a new definition that is consistent with the new terms now used in the credit reporting provisions.  A mortgage insurer carries on a business or undertaking that involves providing insurance to credit providers in relation to mortgage credit provided by credit providers to other persons.

In addition, the definition of ‘mortgage insurer’ now clearly includes a small business operator that meets the requirements of this definition, along with any organisation.  This is to ensure effective protection of personal information in the credit reporting system, whether the personal information is held or maintained by a small business operator or an organisation.

Item 43           Subsection 6(1)

This item inserts a cross-reference to the definition of the National Personal Insolvency Index in the Bankruptcy Act (which has been defined to mean the Bankruptcy Act 1966).

Item 44           Subsection 6(1)

This item inserts a cross-reference to the definition of new arrangement information in clause 6S.

Item 45           Subsection 6(1)

This item inserts a cross-reference to the definition of payment information in clause 6T.

Item 46           Subsection 6(1)

This item inserts a cross-reference to the definition of penalty unit in section 4AA of the Crimes Act 1914 to ensure that the term has the same meaning.

Item 47           Subsection 6(1)

This item inserts the definition of pending correction request.  The correction procedures set out in Divisions 2 and 3 permit an individual to make a request for the correction of certain personal information to a credit reporting body or a credit provider and for the recipient of the request to make a decision on the correction request, after, if necessary, consulting any other credit reporting body or credit provider.  However, credit reporting bodies have obligations to destroy or de-identify credit reporting information after the retention period for the information has ended (see clause 20V).  Destruction or de-identification while a correction request is unresolved would not be appropriate.  Accordingly, paragraph 20V(5)(a) deals with the situation where a credit reporting body would otherwise be required to destroy or de-identify information and a correction request is unresolved.  It is necessary to have a defined term of ‘pending correction request’ for this purpose.  In addition, clause 20Z imposes certain obligations on credit reporting bodies in relation to dealing with information if there is a pending correction request.  As the destruction or de-identification obligations apply to credit reporting bodies, the definition of pending correction request is only focussed on the correction of personal information about an individual that may be held by a credit reporting body - that is, credit information or CRB derived information.

A pending correction request in relation to credit information or CRB derived information is a request made under subclause 20T(1) (which provides that an individual may request the correction of credit reporting information) in relation to which a notice informing the individual of the credit reporting body’s decision (to correct the information or not correct the information) has not been given under clause 20U.  A pending correction request also means a request made under subclause 21V(1) (which provides that an individual may request the correction of credit eligibility information) where a credit reporting body has been consulted under that clause and in relation to which a notice informing the individual of the credit provider’s decision (to correct the information or not correct the information) has not been given under clause 21W.

Item 48           Subsection 6(1)

This item inserts the definition of pending dispute.  Division 5 contains provisions dealing with complaints by individuals to credit reporting bodies or credit providers about a breach of Part IIIA.  Other credit reporting bodies or credit providers must be consulted about a complaint where necessary.  In addition, a complaint may be made to a recognised external dispute resolution scheme or to the Commissioner under Part V of the Act.  However, credit reporting bodies have obligations to destroy or de-identify credit reporting information after the retention period for the information has ended (see clause 20V).  Destruction or de-identification while a dispute is unresolved would not be appropriate.  Accordingly, paragraph 20V(5)(b) deals with the situation where a credit reporting body would otherwise be required to destroy or de-identify information and there is an unresolved complaint.  It is necessary to have a defined term of ‘pending dispute’ for this purpose.  In addition, clause 20Z imposes certain obligations on credit reporting bodies in relation to dealing with information if there is a pending dispute.  As the destruction or de-identification obligations apply to credit reporting bodies, the definition of pending dispute is only focussed on a dispute about an individual’s personal information that may be held by a credit reporting body - that is, credit information or CRB derived information.

A pending dispute in relation to credit information or CRB derived information means: a complaint made under clause 23A that relates to the information if a decision about the complaint has not been made under subclause 23B(4); or a complaint or other matter relating to the information that is being dealt with by a recognised external dispute resolution scheme; or a complaint made to the Commissioner under Part V.

Item 49           Subsection 6(1)

This item inserts a cross-reference to the definition of permitted CP disclosure which has the meaning given to the term by clauses 21J to 21N.



Item 50           Subsection 6(1)

This item inserts a cross-reference to the definition of permitted CP use which has the meaning given to the term by clause 21H.

Item 51           Subsection 6(1)

This item inserts a cross-reference to the definition of permitted CRB disclosure which has the meaning given to the term by clause 20F.

Item 52           Subsection 6(1)

This item inserts a cross-reference to the definition of personal insolvency information which has the meaning given to the term by clause 6U.

Item 53           Subsection 6(1)

This item inserts a cross-reference to the meaning of pre-screening assessment which has the meaning given to the term by paragraph 20G(2)(d).

Item 54           Subsection 6(1)

This item inserts the definition of purchase.  This definition was previously at subsection 6(5D) (and has been repealed by item 66).  This term is used in the definitions of ‘securitisation arrangement’ and ‘securitisation related purpose’.  The term is defined to clarify that ‘purchase’ when used in relation to credit, includes the purchase of rights to receive payments relating to the credit.  Where the term ‘purchase’ is used in another context (for example, in subclause 21N(2) in relation to purchasing an interest in a credit provider) this special meaning does not apply.

Item 55           Subsection 6(1)

This item inserts the definition of regulated information.  An ‘affected information recipient’ is subject to certain obligations set out in Division 4 in relation to ‘regulated information’.  The term ‘regulated information’ is defined by reference to the types of personal information that may be disclosed to affected information recipients under Divisions 2 or 3.  Generally, regulated information is ‘credit eligibility information’ or ‘credit reporting information’ that has been disclosed to affected information recipients.

An affected information recipient is a term used to refer to certain entities or persons that may be provided with credit reporting information or credit eligibility information in certain circumstances.  Where the affected information recipient is a mortgage insurer, a credit reporting body may disclose credit reporting information to a mortgage insurer in certain circumstances (see clause 20F).  A credit provider may disclose credit eligibility information to them in certain circumstances (see clause 21L).  Where the affected information recipient is a trade insurer, a credit reporting body may disclose credit reporting information to them in certain circumstances (see clause 20F).  Where the affected information recipient is a related body corporate, a credit provider may disclose credit eligibility information to them in certain circumstances (see paragraph 21G(3)(b)).  Where the affected information recipient is a person who manages credit for a credit provider, a credit provider may disclose credit eligibility information to them in certain circumstances (see paragraph 21G(3)(c)).  Where the affected information recipient is an entity or adviser of an entity, a credit provider may disclose credit eligibility information to them in certain circumstances (see subclause 21N(2)).



Item 56           Subsection 6(1)

This item inserts a cross-reference to the definition of repayment history information which has the meaning given by subclause 6V(1).

Item 57           Subsection 6(1)

This item inserts a cross-reference to the definition of residential property in section 204 of the National Credit Code (within the meaning of the National Consumer Credit Protection Act).

Item 58           Subsection 6(1)

This item inserts the definition of respondent.  This term is used in Division 5 on complaints to identify the credit reporting body or the credit provider to whom the complaint is made under clause 23A.

Item 59           Subsection 6(1)

This item inserts a cross-reference to the definition of retention period which has the meaning given by clauses 20W and 20X.

Item 60           Subsection 6(1) (subparagraphs (a)(i) and (ii) of the definition of securitisation arrangement)

This item replaces part of the definition of securitisation arrangement that previously used the term ‘loan’ with subparagraphs that use the term ‘credit’.  The term ‘loan’ has been repealed because this concept has been replaced with ‘credit’.

Item 61           Subsection 6(1) (paragraph (b) of the definition of securitisation arrangement)

This item replaces any references to the term ‘loans’ in the definition of securitisation arrangement, with the term ‘credit.’  The term ‘loan’ has been repealed because this concept has been replaced with ‘credit’.

Item 62           Subsection 6(1)

This item inserts the definition of securitisation related purpose.  This definition refers to the term ‘securitisation arrangement’.  Credit reporting bodies may disclose credit reporting information to a credit provider where the provider requires the information for a securitisation related purpose (see subclause 20F(1), and note that the meaning of ‘credit provider’ for this purpose is modified by subclause 6J(1)).  Where the relevant credit reporting information was disclosed to the credit provider for a particular securitisation related purpose, the credit provider can then use the credit eligibility information for that particular purpose (see subclause 21(H)) or disclose credit eligibility information to another credit provider (as defined by subclause 6J(1)) for a securitisation purpose in certain circumstances (see subclause 21J(4)).

A credit provider has a securitisation related purpose in relation to an individual if the purpose is to: assess the risk in purchasing credit provided to, or applied for by, an individual or a person for whom the individual is or may be a guarantor; or to assess the risk in undertaking credit enhancement in relation to credit that is, or may be, purchased or funded by a securitisation arrangement and that has been provided to, or applied for by, the individual or a person for whom the individual is or may be a guarantor.



Item 63           Subsection 6(1) (definition of serious credit infringement)

This item repeals the existing definition of serious credit infringement and replaces it with a new definition that makes certain changes to the requirements that must be satisfied before an act of an individual will be a serious credit infringement, and also uses terms that are consistent with the new terms now used in the credit reporting provisions.  Information about a ‘serious credit infringement’ can be included in an individual’s ‘credit information’ (see clause 6N) and the term is also used in relation to the collection, use and disclosure of information about a serious credit infringement by credit reporting bodies (in Division 2) and credit providers (in Division 3).

There are three situations in which the definition of a serious credit infringement can be satisfied.  An act of an individual will be a serious credit infringement where the act involves fraudulently obtaining consumer credit, or attempting to fraudulently obtain consumer credit.  An act of an individual will also be a serious credit infringement where the act involves fraudulently evading, or attempting to evade, the individual’s obligations in relation to consumer credit.  Both of these situations involve fraud on the part of the individual.

The third situation in which an act of an individual will be a serious credit infringement includes a number of elements that must be present.  The individual must do an act that a reasonable person would consider indicates an intention on the part of the individual to no longer comply with the individual’s obligations in relation to consumer credit provided by a credit provider.  In addition, the credit provider must take steps that are reasonable in the circumstances to contact the individual about the act, and the credit provider must have been unsuccessful in contacting the individual.  The third element is that at least six months must have passed since the provider last had contact with the individual.  It is expected that in most cases, where the serious credit infringement relates to an outstanding amount owed by the individual, the earliest date that the period of six months would be calculated from is the date that the outstanding amount was due.

The listing of a serious credit infringement as part of an individual’s credit information has significant consequences for the individual’s credit worthiness. Where a serious credit infringement is based on fraudulent activity, this activity alone is sufficient to justify listing a serious credit infringement.  However, where fraud is not involved, the changes made to the definition which ensure that all reasonable efforts are made to contact the individual and that 6 months has passed since the provider last had contact with the individual recognise that this situation is not as clear-cut as fraud and is instead based on an act that a reasonable person would consider indicates an intention on the part of the individual to no longer comply with the individual’s consumer credit obligations.

The requirement for six months to have elapsed since the provider last had contact with the individual before the act can be considered to be a serious credit infringement provides a practical timeframe in which the individual may be able to pay the debt before a serious credit infringement is listed.  In some situations, an individual may have moved, for example at the end of a tenancy, with the belief that all outstanding bills have been paid.  The individual may not be contactable because the credit provider does not have a forwarding address.  The individual may also be willing to pay the outstanding amount and may find out about, and pay, the amount once the credit provider has listed a default in relation to the outstanding amount.  Note that the credit provider will be permitted to list a default in relation to the outstanding amount owed by the individual after at least 60 days have elapsed and the other requirements set out in the definition of ‘default’ are satisfied.  In these circumstances, providing an appropriate period of time before the credit provider can list a serious credit infringement will give the individual the opportunity to pay the debt. 

It is expected that the registered CR code will provide guidance and direction on relevant matters, such as: how to interpret whether a credit infringement is ‘serious’ (for example, in determining whether the individual’s conduct can be considered fraudulent); how to establish whether reasonable steps have been taken to contact an individual; how to calculate whether at least six months has passed, and what constitutes the last contact with the individual; and whether a serious credit infringement should be listed where there is a dispute between the parties that is not resolved; and the obligations on credit providers to substantiate that a serious credit infringement has occurred.  However, the provisions of the registered CR code must be consistent with other provisions in Part IIIA.  This means, for example, that where an individual makes a correction request in relation to a serious credit infringement and this request is refused, the credit reporting body or the credit provider will need to provide evidence substantiating the listing.  The registered CR code, in dealing with the obligations of credit reporting bodies and credit providers, should deal with the information and evidence that should be provided to substantiate a serious credit infringement.

Item 64           Subsection 6(1)

This item inserts the definition of trade insurance purpose.

A credit reporting body can disclose credit reporting information to a trade insurer for a trade insurance purpose where the individual has expressly consented, in writing, to the disclosure of the information to the insurer for the trade insurance purpose (see clause 20F(1)).  This definition is necessary to define the trade insurance purpose.  A trade insurance purpose is the purpose of assessing: whether to provide insurance to, or the risk of insuring, a credit provider in relation to commercial credit provided by the provider to the individual or another person; or the risk of a person defaulting on commercial credit for which the insurer has provided insurance to the credit provider.

Item 65           Subsection 6(1) (definition of trade insurer)

This item repeals the existing definition of trade insurer and inserts a new definition that is consistent with the new terms now used in the credit reporting provisions.  A trade insurer carries on a business or undertaking that involves providing insurance to credit providers in relation to commercial credit provided by credit providers to other persons.

In addition, the definition of ‘trade insurer’ now clearly includes a small business operator that meets the requirements of this definition, along with any organisation.  This is to ensure effective protection of personal information in the credit reporting system, whether the personal information is held or maintained by a small business operator or an organisation.

Item 66           Subsections 6(5A) to (5D)

This item repeals subsections 6(5A), (5B) and (5C) as they have been replaced by the definition of credit reporting business set out in clause 6P.

This item also repeals subsection 6(5D), which refers to the meaning of purchase of a loan.  Item 54 inserts a definition of ‘purchase’ in subsection 6(1) based on the definition in subsection 6(5D).

Item 67           Subsection 6(10)

Subsection 6(10) sets out the definition of family as used in the definition of credit.  This item replaces the term ‘credit’ with the term ‘consumer credit’ in that definition as the definitions have been restructured and the term ‘family’ is now used in the definition of ‘consumer credit’ rather than in the definition of ‘credit’.



Item 68           At the end of subsection 6D(4)

This item inserts a new paragraph at the end of subsection 6D(4) which refers to a ‘credit reporting body’.  This means that a credit reporting body that is a small business operator will be treated as an organisation for the purposes of the Act.

The definition of ‘organisation’ in section 6C excludes a small business operator.  However, subsection 6D(4) specifies certain entities that are not small business operators and hence which are treated as organisations.  This amendment adds an additional paragraph to section 6D(4) referring to a credit reporting body.  This means that a credit reporting body that is a small business is not, for the purposes of the Act, a small business operator.  It is appropriate that small business operators are permitted to be credit reporting bodies and play a role in the credit reporting system.  However, those small business operators should be subject to the obligations in the Act that apply to other organisations, such as the APPs, and the obligations in the Act that apply to credit reporting bodies, in particular, the obligations set out in Part IIIA of the Act.

Item 69           After section 6F

This item inserts a new Division containing key definitions relating to credit reporting.

Division 2 - Key definitions relating to credit reporting

Subdivision A - Credit provider

This Subdivision deals with the definitions of the term ‘credit provider’.  Clause 6G sets out the general definition of ‘credit provider’.  Clauses 6H, 6J and 6K deal with specific situations in which an organisation or small business operator will also be considered to be a ‘credit provider’ for the purposes set out in those clauses.

Clause 6G       Meaning of credit provider

This provision inserts the meaning of credit provider.  The general meaning of ‘credit provider’, certain additional situations which extend the general meaning of ‘credit provider’, and certain exclusions to the meaning of ‘credit provider’ are dealt with in this provision.

Subclause (1) sets out the general definition of ‘credit provider’.  Paragraph (a) states that a ‘bank’ is a credit provider, and ‘bank’ is defined in section 6(1).  Paragraph (b) states that an organisation or small business operator that carries on a business or undertaking of which a substantial part of that business or undertaking is the provision of credit will be a credit provider.  In this context, substantial connotes both value and proportion.  An organisation or small business operator could satisfy this aspect of the definition where its activities relating to the provision of credit involved substantial amounts of money, even if its lending activities did not constitute the dominant part of the corporation’s overall business.  However, in order to be a substantial part of the entity’s business, the loans provided by a corporation would have to be an essential or important part of its business, and not merely incidental to it.

Paragraph (c) deals with organisations or small business operators that issue credit cards.  Paragraph (c) provides that an organisation or small business operator that carries on a retail business and which, in the course of the business, issues credit cards to individuals in connection with the sale of goods, or the supply of services, by the organisation or small business operator will be a credit provider.

Paragraph (1)(d) provides that regulations may prescribe an agency, organisation or small business operator that carries on a business or undertaking that involves providing credit is a credit provider for the purposes of clause 6G.  This provision provides the option of dealing with situations where an agency, organisation or small business is involved in providing credit, but does not satisfy the requirements of paragraph (1)(b).  It is expected that regulations will be made to prescribe Indigenous Business Australia as a credit provider.

Subclause (1) makes clear that small business operators are, if they satisfy the requirements of the provision (in the case of paragraph (d), this includes being prescribed by regulations), credit providers that are subject to the credit reporting provisions.  However, a credit provider that is a small business operator may not be an APP entity subject to the APPs depending on the nature of their business and the operation of the small business exemption in section 6D and related provisions.  This is different to the position for small business operators that are credit reporting bodies, which are subject to both the credit reporting provisions and the Act as a whole (including the APPs) because they are excluded from the definition of a ‘small business operator’ (see item 68).

Subclauses (2), (3) and (4) deal with other situations in which an organisation or small business operator may be a credit provider.  However, the organisation or small business operator will be a credit provider only in relation to the circumstances set out in these provisions.  This means that the organisation or small business operator is a credit provider only for limited situations, and not for their whole business or undertaking.  These situations only apply if the organisation or small business operator is not a credit provider under subclause (1).

Subclause (2) deals with situations in which an organisation or small business operator (known in this provision as the ‘supplier’) provides credit in relation to the sale of goods or the supply of services.  If the supplier permits the repayment, whether in full or in part, of the amount of credit to be deferred for at least 7 days, and the supplier is not already a credit provider under subclause (1), then the supplier will be a credit provider, but only in relation to the credit which satisfies this provision.

Subclause (3) deals with situations in which an organisation or small business operator (known in this provision as the ‘lessor’) provides credit in connection with the hiring, leasing or renting of goods.  If the lessor provides such credit and the credit is in force for at least 7 days, and no amount, or an amount that is less than the value of the goods, is paid as a deposit for the return of the goods, and the lessor is not already a credit provider under subclause (1), then the lessor will be a credit provider, but only in relation to the credit which satisfies this provision.

Subclause (4) provides that an organisation or small business operator that satisfies the requirements of clauses 6H, 6J and 6K is a credit provider.

Subclauses (5) and (6) set out situations in which an organisation or small business operator is excluded from the meaning of credit provider, even if it may satisfy any of the other provisions in clause 6G.  Subclause (5) makes clear that any organisation or small business operator that acts in the capacity of a real estate agent, a general insurer (within the meaning of the Insurance Act 1973), or an employer of an individual is not a credit provider while acting in that capacity.  It is not consistent with the objectives of the credit reporting system to permit personal information in the credit reporting system to be disclosed or used for any purpose of a real estate agent, a general insurer, or an employer of an individual.  In particular, personal information in the credit reporting system must not be used in relation to the management of rental properties, and this prohibition includes any use for assessing potential tenants for rental properties.  To the extent that any other organisation or small business operator that would otherwise be a credit provider under clause 6G performs the functions of a real estate agent, including the assessment of potential tenants for rental properties, that organisation or small business operator would not be a credit provider for that purpose.  Collection, use or disclosure by a credit reporting body or a credit provider for that purpose would be a breach of the credit reporting provisions and may, depending on the circumstances, be a credit reporting offence.  Similarly, an organisation or small business operator that was acting in its capacity as an employer of an individual would not be a credit provider for any employment related purpose (including, for example, assessing an applicant for a position in which the organisation or small business operator would be the individual’s employer).

Subclause (6) provides that regulations may specify that an organisation or small business operator is not a credit provider if it is included in a class of organisations or small business operators prescribed by the regulations.  The regulations will operate to ensure that an organisation or small business operator is not a credit provider despite the operation of subclauses (1) to (4), under which the organisation or small business operator would otherwise have been a credit provider.

Clause 6H       Agents of credit providers

This provision sets out the circumstances in which an organisation or small business operator that is acting as the agent of a credit provider will be considered to be a credit provider while acting as the credit provider’s agent.

Subclause (1) provides that an organisation or small business operator will be acting as an agent of a credit provider (the principal) if it is performing, on the principal’s behalf, a task that is reasonably necessary in processing an application for credit made to the principal, or a task that is reasonably necessary in ‘managing credit’ provided by the principal.

Subclause (2) limits the application of subclause (1).  If an organisation or small business operator is taken to be a credit provider because it is already acting as the agent of another credit provider (the principal), then any organisation or small business operator that performs tasks for that agent does not become a credit provider under the operation of subclause (1).  Essentially, this provision prevents the agent of an agent becoming the agent of the principal credit provider for the purposes of the credit reporting provisions.

Subclauses (3) and (4) state the effect of the agent satisfying the requirements to be a credit provider under subclause (1).  Subclause (3) provides that, where subclause (1) applies in relation to credit provided by the principal, the credit is taken for the purposes of the Act to have been provided by both the principal and the agent.  Subclause (4) provides that, where subclause (1) applies in relation to an application for credit made to the principal, the application for credit is taken for the purposes of the Act to have been made to both the principal and the agent.

This provision makes clear that small business operators are, if they satisfy the requirements of the provision, credit providers for the purpose of this provision that are subject to the credit reporting provisions.  However, a credit provider that is a small business operator may not be an APP entity subject to the APPs depending on the nature of their business and the operation of the small business exemption in section 6D and related provisions.  This is different to the position for small business operators that are credit reporting bodies, which are subject to both the credit reporting provisions and the Act as a whole (including the APPs) because they are excluded from the definition of a ‘small business operator’ (see item 68).

Clause 6J        Securitisation arrangements etc.

This provision provides the circumstances in which an organisation or small business operator that is a securitisation entity will be considered to be a credit provider.

Subclause (1) sets out the circumstances in which an organisation or small business operator that is a securitisation entity will be a credit provider.  An organisation or small business operator that is a securitisation entity must carry on a business that is involved in either or both of: a ‘securitisation arrangement’; or managing credit that is the subject of a securitisation arrangement.  The securitisation entity must also perform a task that is reasonably necessary for either purchasing, funding or managing, or processing an application for, credit by means of a securitisation arrangement, or reasonably necessary for undertaking ‘credit enhancement’ in relation to credit.  In addition, the credit referred to must have been provided by, or be the subject of an application to, the original credit provider.  In these circumstances, the securitisation entity will be a credit provider while it performs any such task set out above.

Subclause (2) limits the application of subclause (1).  If an organisation or small business operator is taken to be a credit provider because it is already acting as a securitisation entity of another credit provider (the original credit provider), then any organisation or small business operator that performs tasks for the securitisation entity does not become a credit provider under the operation of subclause (1).

Subclauses (3) and (4) state the effect of the securitisation entity satisfying the requirements to be a credit provider under subclause (1).  Subclause (3) provides that, where subclause (1) applies in relation to credit provided by the original credit provider, the credit is taken for the purposes of the Act to have been provided by both the principal and the securitisation entity.  Subclause (4) provides that, where subclause (1) applies in relation to an application for credit made to the original credit provider, the application for credit is taken for the purposes of the Act to have been made to both the principal and the securitisation entity.

This provision makes clear that small business operators are, if they satisfy the requirements of the provision, credit providers for the purpose of this provision that are subject to the credit reporting provisions.  However, a credit provider that is a small business operator may not be an APP entity subject to the APPs depending on the nature of their business and the operation of the small business exemption in section 6D and related provisions.  This is different to the position for small business operators that are credit reporting bodies, which are subject to both the credit reporting provisions and the Act as a whole (including the APPs) because they are excluded from the definition of a ‘small business operator’ (see item 68).

Clause 6K       Acquisition of the rights of a credit provider

This provision provides that an organisation or small business operator which acquires the rights of a credit provider in relation to the amount of credit will be considered to be a credit provider in relation to that particular amount of credit.

Subclause (1) sets out the circumstances in which an organisation or small business operator that acquires the rights of a credit provider will be taken to be a credit provider.  Where the organisation or small business operator (known as the acquirer) acquires (whether by assignment, subrogation or any other means) the rights of the original credit provider in relation to the repayment of an amount of credit, then the acquirer will (subject to paragraph (b)) be a credit provider only in relation to that credit.

Paragraph (1)(b) limits the application of paragraph (1)(a).  If an organisation or small business operator that is an acquirer is already a credit provider under subclause 6G(1), then the acquirer is not also a credit provider under subclause (1).

Subclauses (2) and (3) state the effect of the acquirer satisfying the requirements to be a credit provider under subclause (1).  Subclause (2) provides that, where subclause (1) applies in relation to credit provided by the original credit provider, the credit is taken for the purposes of the Act to have been provided by both the original credit provider and the acquirer.  Subclause (3) provides that, where subclause (1) applies in relation to an application for credit made to the original credit provider, the application for credit is taken for the purposes of the Act to have been made to both the original credit provider and the acquirer.

This provision makes clear that small business operators are, if they satisfy the requirements of the provision, credit providers for the purpose of this provision that are subject to the credit reporting provisions.  However, a credit provider that is a small business operator may not be an APP entity subject to the APPs depending on the nature of their business and the operation of the small business exemption in section 6D and related provisions.  This is different to the position for small business operators that are credit reporting bodies, which are subject to both the credit reporting provisions and the Act as a whole (including the APPs) because they are excluded from the definition of a ‘small business operator’ (see item 68).

Subdivision B - Other definitions

This Subdivision sets out other key credit reporting definitions.

Clause 6L       Meaning of access seeker

This provision inserts the meaning of access seeker.  The term ‘access seeker’ is used to describe a person who requests access to credit reporting information from a credit reporting body (see clause 20R) or credit eligibility information from a credit provider (see clause 21T), and is also used in the offence provisions in Division 6.

Subclause (1) provides that an access seeker in relation to credit reporting information or credit eligibility information about an individual is either the individual, or a person who is assisting the individual to deal with a credit reporting body or credit provider.  Where it is a person assisting the individual, the person must be authorised, in writing, by the individual to make the access request in relation to the individual’s information.

Subclause (2) provides certain exceptions to subclause (1).  An individual is not permitted to authorise a person under subclause (1) if the person is a credit provider, a mortgage insurer, a trade insurer, or a person who is prevented from being a credit provider by subclause 6G(5) or (6).  The access provisions should not be used by these persons because any access would circumvent the provisions prescribing the circumstances in which these entities or persons can collect, or are prohibited from collecting, credit reporting information or credit eligibility information about the individual.  Subclauses 6G(5) and (6) prohibit a real estate agent, a general insurer, or an employer from being a credit provider, or any organisation or small business entity that is prescribed by regulations from being a credit provider.  A person who is any of these cannot be authorised as an access seeker for an individual.

Subclause (3) provides that the National Relay Service is excluded from the definition of ‘access seeker’.  The National Relay Service provides assistance to individuals to communicate with others.  If the National Relay Service is assisting an individual to deal with a credit reporting body or credit provider they would fall within subclause (1) and be required to be authorised in writing by the individual.  However, because of the way the National Relay Service operates, the need for an individual to give written authorisation may be problematic in some situations.  In these circumstances it would not be appropriate to impose an obligation on an individual to authorise the National Relay Service in writing before seeking the Service’s assistance to communicate with a credit reporting body or credit provider.



Clause 6M      Meaning of credit and amount of credit

This provision inserts the meaning of credit and amount of credit.  The term ‘credit’ is central to the credit reporting system and replaces the previous term ‘loan’.  The term ‘amount of credit’ is used in the definitions of ‘consumer credit liability information’ (see item 10), ‘credit worthiness’ (see item 29), ‘credit provider’ (see clause 6G) and ‘new arrangement information’ (see clause 6S).

Subclause (1) states that ‘credit’ is a contract, arrangement or understanding under which: payment of a debt owed by one person to another person is deferred; or one person incurs a debt to another person and defers the payment of the debt.  In the absence of a written agreement allowing deferral of the payment, the provision of credit requires a mutual understanding between the individual and the relevant entity that a credit contract, arrangement or understanding has been entered into, and the terms of that contract, arrangement or understanding.  It may not be sufficient that the individual has not paid the debt, and the entity has failed to enforce payment of it.  Whether an entity has provided credit is a question of fact, and an assessment would need to be made on a case by case basis.

Subclause (3) provides certain examples of what satisfies the meaning of ‘credit’, without limiting the definition set out in subclause (1).

Subclause (2) states that the term ‘amount of credit’ refers to the amount of the debt that is actually deferred, or may be deferred, but does not include any fees or charges payable in connection with the deferral of the debt.

Clause 6N       Meaning of credit information

This provision inserts the meaning of credit information.  ‘Credit information’ is disclosed by credit providers (see clause 21D) and collected by credit reporting bodies (see clauses 20C and 20D).

Credit information is the basic category of personal information in the credit reporting system.  The term credit information comprises a defined list of certain kinds of personal information that are relevant to the purpose of the credit reporting system.  However, any information that would fall within the definition of sensitive information in section 6(1) of the Act is expressly excluded from credit information.

The following types of personal information included in the definition of credit information are separately defined in section 6(1): 'consumer credit liability information' (see item 10 - this type of information includes four of the five new types of personal information that are permitted as part of the move to more comprehensive credit reporting); 'court proceedings information' (see item 12); and 'identification information' (see item 34).  The following types of personal information are separately defined in Division 2, which sets out key definitions relating to credit reporting: 'default information' (see clause 6Q); 'information requests' (see clause 6R); 'new arrangement information' (see clause 6S); 'payment information' (see clause 6T); 'personal insolvency information' (see clause 6U) and 'repayment history information' (see clause 6V - this type of information is the fifth type of personal information that is permitted as part of the move to more comprehensive credit reporting).

The definition of credit information includes, at paragraph (e), information about the type and amount of consumer or commercial credit sought in an application made by an individual to a credit provider (further description of what 'type' and 'amount' mean is given in relation to item 10).

In addition, credit information includes two other kinds of personal information: information about certain publicly available information about the individual that relates to the individual’s activities in Australia or the external Territories and their credit worthiness; and information that is the opinion of a credit provider that the individual has committed a 'serious credit infringement' (defined in section 6(1), see item 63).

The type of publicly available information that can be included in an individual's credit information is limited by paragraph (k).  The publicly available information about the individual must relate to the individual's activities in Australia or the external Territories and the individual's credit worthiness.  This limitation ensures that information about an individual's foreign activities is not included.  In addition, the information must relate to the individual's credit worthiness.  This is consistent with the purpose of the credit reporting system.  The other restriction set out in paragraph (k) is that the information must not be court proceedings information about the individual or information that is entered on the National Personal Insolvency Index.  Both of these types of information are publicly available, but the inclusion of these types of information about an individual are specifically dealt with by paragraphs (i) and (j), and separately defined in section 6(1) and clause 6U respectively.

It is expected that the registered CR code will provide further explanation of the meaning of 'publicly available information' to assist in understanding this term and the types of information to which it applies.  Whether information is publicly available information is a decision that must be made on a case-by-case basis, taking into account all relevant circumstances, such as the extent to which access to the information is restricted in some way, for example by a fee.

Clause 6P       Meaning of credit reporting business

This provision inserts the meaning of credit reporting business.  The term ‘credit reporting business’ is used in the definition of a ‘credit reporting body’ (see item 26).

Subclause (1) provides that a ‘credit reporting business’ is a business or undertaking that involves collecting, holding, using or disclosing personal information about individuals for the purpose of, or for purposes including the purpose of, providing an entity with information about the credit worthiness of an individual.  Subclause (2) makes clear that subclause (1) applies whether or not the information is provided for profit or reward, or provided, or intended to be provided, for the purposes of assessing an application for consumer credit.

Subclause (3) sets out an exception to subclause (1) where a credit provider provides information about the credit worthiness of an individual to a related body corporate (in addition, see paragraph 21G(3)(b), which permits the disclosure of credit eligibility information to a related body corporate).

Division 3 sets out ‘permitted CP disclosures’ under which a credit provider is permitted to disclose credit eligibility information, including, for example, to other credit providers with the consent of the individual (see subclause 21J(1)).  A credit provider that makes a ‘permitted CP disclosure’ would not, as a result of making that specific permitted disclosure, fall within the general definition set out in subclause (1).

Subclause (4) provides that regulations may exclude certain businesses or undertakings from the definition of a credit reporting business.  A business or undertaking is not a credit reporting business if it is included in a class of businesses or undertakings prescribed by the regulations.

The definition of a ‘credit reporting business’ does not contain a dominant purpose test, which previously featured in the former definition of this term that has been repealed (see item 27).  Any business or undertaking that falls within the terms of subclause (1) is regarded as a credit reporting business.  This does not require, for example, a consideration of whether the activities of a credit reporting business are a large or small component of the overall activities of the business or undertaking.  If the activities of the business or undertaking involve collecting, holding, using or disclosing personal information about individuals, either wholly or partly for the purpose of providing an entity with information about an individual’s credit worthiness, then the business or undertaking is a credit reporting business.  It is considered appropriate that any business or undertaking that is performing these activities should be subject to the obligations set out in the credit reporting provisions.  To the extent that the business or undertaking does other activities that are not part of its credit reporting business, the business or undertaking will be subject to the APPs.  In addition, a credit reporting body that is a small business operator is excluded from the definition of a small business operator and so will be subject to the APPs (see item 26).

Clause 6Q       Meaning of default information

This provision inserts the meaning of default information in relation to consumer credit defaults and guarantor defaults.  ‘Default information’ is a type of information that can be included in an individual’s ‘credit information’ (see clause 6N).  The term is also used in the definitions of ‘new arrangement information’ (see clause 6S) and ‘payment information’ (see clause 6T).  A credit provider can, subject to certain requirements, disclose ‘default information’ as part of ‘credit information’ to a credit reporting body (see paragraph 21D(3)(d)), and must disclose ‘payment information’ in relation to default information it has disclosed to a credit reporting body (see clause 21E).  A credit provider can also disclose certain default information to a debt collector (see subclause 21M(2)).

Default information that is included in an individual’s ‘credit information’ can only be about ‘consumer credit’, whether the individual is the borrower or the guarantor.

Subclause (1) deals with defaults by an individual that has been provided with consumer credit by a credit provider (that is, a borrower).  Default information about an individual is information about a payment (which includes a payment that is wholly or partly a payment of interest) that the individual is overdue in making in relation to consumer credit provided to the individual by the credit provider.  In addition, the individual must be at least 60 days overdue in making the payment, and the provider must have given the individual a written notice informing the individual of the overdue payment and requesting the individual pay the amount of the overdue payment.  However, the overdue payment cannot be default information if the provider is prevented by a statute of limitations from recovering the amount of the overdue payment.  In addition, the overdue payment must be for an amount that is equal to or more than $100, or such other higher amount that is prescribed by regulations.  This amount is based on balancing the need for credit providers to assess adequately the credit risk of an individual against the disproportionate consequences of listing less significant debts.  It is necessary for regulations to be able to prescribe a higher amount in order for it to be changed from time to time based on changing circumstances.

Subclause (2) deals with defaults by an individual that is a guarantor in relation to consumer credit provided to another individual by a credit provider.  Default information about an individual that is a guarantor is information about a payment that the individual is overdue in making as a guarantor in relation to a guarantee given against any default by the borrower in repaying all or any of the debt deferred under consumer credit provided by the provider to the borrower.  In addition, the provider must have given the individual written notice of the borrower’s default that gave rise to the obligation of the guarantor to make the overdue payment, and the written notice must request that the individual pay the amount of the overdue payment.  At least 60 days must have passed since the day on which the notice was given and the provider must have taken other steps (in addition to giving the notice to the guarantor) to recover the amount of the overdue payment from the guarantor.  The provider must also not be prevented by a statute of limitations from recovering the amount of the overdue payment from the guarantor.

If the amount of the overdue payment is less than $100, or any such higher amount prescribed by the regulations, the credit provider is not able to include default information about that overdue amount in the guarantor’s ‘credit information’.  An overdue payment of less than $100 or the prescribed amount is not a default due to the operation of paragraph (1)(d).  Subclause (2) only operates where the guarantee relates to a default of the borrower.

Clause 6Q clearly excludes statute barred debts from the definition of default information.  This means that where the credit provider is prevented by a statute of limitations from recovering the amount of the overdue payment from the individual, the credit provider cannot have that overdue payment included as default information in the individual’s ‘credit information’.  Similarly, a credit provider is prohibited from including default information in an individual’s ‘credit information’ where the individual was a guarantor against the default of another person and the credit provider is prevented by a statute of limitations from recovering the amount of the overdue payment from the guarantor.

It is expected that the registered CR code will provide guidance around the operation of the definition, for example on such matters as the timeframes for giving written notice to individuals.

Clause 6R       Meaning of information request

This provision inserts the meaning of information request.  An ‘information request’ can be included in an individual’s ‘credit information’ (see clause 6N) and refers to a request for information about an individual made to a credit reporting body.  A credit reporting body can disclose credit reporting information to a credit provider, mortgage insurer or trade insurer in response to a request for information (see clause 20F).  A credit reporting body may retain an information request about an individual for a specified period (see clause 20W).

The meaning of ‘information request’ varies depending on whether the request for information is made by a credit provider, mortgage insurer, or trade insurer.  These differences reflect the circumstances in which a credit reporting body is permitted to disclose credit reporting information to these entities.

Subclause (1) deals with an information request by a credit provider.  An information request refers to the circumstances when a credit provider has sought information about an individual from a credit reporting body in connection with an application for ‘consumer credit’ or ‘commercial credit’, or for a ‘credit guarantee purpose’ of the provider, or for a ‘securitisation related purpose’ of the provider.

Subclause (2) deals with an information request by a mortgage insurer.  An information request refers to the circumstances when a mortgage insurer has sought information about an individual from a credit reporting body in connection with the provision of insurance to a provider in relation to ‘mortgage credit’ provided to the individual or a person for whom the individual is, or proposes to be, a guarantor.

Subclause (3) deals with an information request by a trade insurer.  An information request refers to the circumstances where a trade insurer has sought information about an individual from a credit reporting body in connection with the provision of insurance to a provider in relation to ‘commercial credit’ provided to the individual or another person.



Clause 6S       Meaning of new arrangement information

This provision inserts the meaning of new arrangement information in relation to consumer credit defaults and serious credit infringements.  ‘New arrangement information’ can be included in an individual’s ‘credit information’ (see clause 6N).  A credit provider can disclose ‘new arrangement information’ to a credit reporting body as ‘credit information’ (see clause 21D).  ‘New arrangement information’ about an individual that is held or maintained by a credit reporting body is subject to specific retention periods (see clause 20W).

Where an individual is overdue in making payments in relation to consumer credit a credit provider may choose to enter into a new arrangement with the individual.  Such a new arrangement only satisfies the definition of ‘new arrangement information’ if the credit provider has previously disclosed ‘default information’ or a ‘serious credit infringement’ in relation to the individual’s overdue payments.  The new arrangement may either vary the original consumer credit arrangements or provide the individual with new consumer credit (either by the original credit provider or a different credit provider) that relates, in whole or in part, to the previous consumer credit.  In some circumstances prior to a default, the credit provider and the individual may agree on a hardship arrangement, as provided for in the NCCP Act.  Hardship arrangements that satisfy the requirements of the NCCP Act are not included within the meaning of ‘new arrangement information’.  Similarly, any new arrangement made in relation to consumer credit where the credit provider has not disclosed default information or a serious credit infringement in relation to that consumer credit is not included in the meaning of ‘new arrangement information’.  It is considered that any such arrangements may appear to be too similar to hardship arrangements to effectively distinguish between them, and increase the risk that individuals may not seek hardship arrangements as permitted in appropriate circumstances.

Once new arrangement information has been included in an individual’s credit information, the consumer credit to which that new arrangement relates is treated in the same way as any other consumer credit.  This means that if, for example, the individual defaults on the consumer credit provided as a result of the new arrangement, that default can be disclosed as part of the individual’s credit information.  Where the new arrangement has the effect of rendering the individual no longer overdue in respect of their payments then the credit provider must disclose the relevant ‘payment information’ in relation to the previously reported default to the credit reporting body.  The question of whether the arrangement has the effect of rendering the individual no longer overdue will depend on the intention of the parties as indicated by the terms of the arrangement and any other circumstances.  It is expected that the registered CR code will provide further guidance on when the new arrangement has the effect of rendering the individual no longer overdue in respect of their payments.

Subclause (1) deals with ‘new arrangement information’ where a credit provider has previously disclosed to a credit reporting body ‘default information’ about an individual that relates to a payment the individual is overdue in making in relation to consumer credit.  Where, as a result of this occurring, the provider has varied the terms and conditions of the original consumer credit, or the provider or a different credit provider has provided the individual with new consumer credit that relates, wholly or in part, to the original amount of credit, then a statement that this has occurred is new arrangement information.  Such a statement can then be included in the individual’s ‘credit information’.  An arrangement would normally involve a significant variation of the main elements of the contract such as the period of the loan, or the size and frequency of repayments.  On this basis, an arrangement would not include, for example, a verbal agreement to allow a one-off later payment.  It is expected that the registered CR code will provide further guidance on what new arrangements fall within paragraph 6S(1)(c) for the purposes of this provision.

Subclause (2) deals with ‘new arrangement information’ where a credit provider has previously disclosed to a credit reporting body the provider’s opinion that the individual has committed a ‘serious credit infringement’ in relation to consumer credit provided by the provider.  Where, as a result of the provider having that opinion, the provider has varied the terms and conditions of the original consumer credit, or the provider or a different credit provider has provided the individual with new consumer credit that relates, wholly or in part, to the original amount of credit, then a statement that this has occurred is new arrangement information.  Such a statement can then be included in the individual’s ‘credit information’.

Clause 6T       Meaning of payment information

This provision inserts the meaning of payment information.  ‘Payment information’ can be included in an individual’s ‘credit information’ (see clause 6N).  Where a credit provider has disclosed ‘default information’ about an individual to a credit reporting body, then the credit provider must disclose ‘payment information’ that satisfies the terms of this definition to the credit reporting body (see clause 21E).  A credit provider is prohibited from disclosing ‘default information’ to a debt collector if the credit provider holds ‘payment information’ (see clause 21M).  ‘Payment information’ about an individual that is held or maintained by a credit reporting body is subject to specific retention periods (see clause 20W).

Payment information about an individual is a statement that the amount of an overdue payment has been paid, specifying the day the payment was made.  Payment information must relate to default information that a credit provider has disclosed about the individual to a credit reporting body, and must refer to the payment of the amount of the overdue payment, where the payment is made on any day after the default information has been disclosed.

A partial payment of an overdue payment is not ‘payment information’.  When the overdue payment is wholly paid (whether by a single payment or a series of payments) then the ‘payment information’ must be disclosed.  It is expected that the registered CR code will provide guidance on payment information, such as how the accrual of fees on an overdue payment is to be treated.

Clause 6U       Meaning of personal insolvency information

This provision inserts the meaning of personal insolvency information.  ‘Personal insolvency information’ can be included in an individual’s ‘credit information’ (see clause 6N) and may be collected by a credit reporting body (consistent with the requirements set out in clause 20C).  ‘Personal insolvency information’ about an individual that is held or maintained by a credit reporting body is subject to specific retention periods for different types of information included in the definition of ‘personal insolvency information’ (see clause 20X).  Disclosure by a credit provider of ‘personal insolvency information’ to a debt collector is subject to specific conditions (see clause 21M).

Paragraph (1)(a) provides that ‘personal insolvency information’ about an individual must be information that is entered or recorded in the National Personal Insolvency Index.  The Index is an official source of personal insolvency information and also sets out the different categories of personal insolvency permitted by the Bankruptcy Act.  Paragraph (1)(b) sets out the types of personal insolvency information on the Index which are included in the definition of ‘personal insolvency information’.

Subclause (2) provides that information which relates to certain matters is excluded from the meaning of ‘personal insolvency information’.

Only the specified types of information on the National Personal Insolvency Index set out in paragraph (b) (and subject to the exclusions in subclause (2)) are permitted to be included as ‘personal insolvency information’ for the purposes of an individual’s ‘credit information’.  Any other personal information about an individual on the National Personal Insolvency Index cannot be collected as ‘credit information’.  By providing specifically in paragraph (b) for the personal information on the National Personal Insolvency Index that can be included in personal insolvency information, it is understood that any other information on the Index that is not included in paragraph (b) could not be collected as publicly available information.

Subclause (3) recognises that the Bankruptcy Act sets out the meaning of certain terms and ensures any terms used in paragraphs (1)(b) or (2)(a) have the same meaning as they do in the Bankruptcy Act.

Clause 6V       Meaning of repayment history information

This provision inserts the meaning of repayment history information.  ‘Repayment history information’ can be included in an individual’s ‘credit information’ (see clause 6N).  The circumstances in which a credit reporting body can collect or disclose ‘repayment history information’ are restricted (see clauses 20C and 20E respectively) and the circumstances in which this type of information can be disclosed by a credit provider are also restricted (see clauses 21D and 21G).  ‘Repayment history information’ about an individual that is held or maintained by a credit reporting body is subject to a specific retention period (see clause 20W).

Repayment history information is one of the five types of credit information that are permitted to be included in the credit reporting system as part of the move towards a more comprehensive credit reporting system.  The other four types of information that are permitted to be included in the credit reporting system as part of the move to a more comprehensive credit reporting system are included in the definition of ‘consumer credit liability information’ (see item 10).

Application, transitional and savings provisions are set out in schedule 6 of the Bill.  Part 3 of schedule 6 deals with the application of the credit reporting provisions.  Item 4(6) provides that the definition of ‘repayment history information’ commences on Royal Assent of the Bill.  This means that, on commencement of the Bill, repayment history information that is collected and disclosed can relate to repayment history from the period between Royal Assent and commencement.  As clause 2 of the Bill provides that the credit reporting provisions commence 9 months after Royal Assent, this means that 9 months of repayment history information may be collected or disclosed on commencement.  This is subject to the obligations set out in clause 6V and the credit reporting provisions, as well as any obligations set out in the regulations made pursuant to subclause (2) or contained in the registered CR code.

Subclause (1) provides that repayment history information about consumer credit provided to an individual is information about whether or not the individual has met an obligation to make a monthly payment that is due and payable in relation to the consumer credit.  The information may also include the day on which the monthly payment is due and payable and, if the payment is made after the day on which the payment was due, the day on which the individual makes the payment.

Subclause (2) provides that the regulations may make provision in relation to: whether or not an individual has met an obligation to make a monthly payment; and whether or not a payment is a monthly payment.  It is anticipated that regulations will be made to deal with these matters.  In addition, it is expected that the registered CR code will provide further guidance and set out further requirements in relation to the elements of repayment history information, including the calculation of monthly payments and other related matters.  This is expected to include requirements and guidance dealing with how repayment history that is subject to other periods of repayment (whether weekly, fortnightly, or some other period of time) will be listed on a monthly basis.  In addition, the registered CR code may deal with matters such as grace periods before listing repayment history information and any other relevant matters.

Division 3 - Other matters

Item 70           Paragraphs 7(1)(a) and 8(1)(a)

These paragraphs deal with certain acts and practices.  This item replaces the term ‘credit reporting agency’ with the term ‘credit reporting body’ as this is the term that is now being used.

Item 71           Sections 11A and 11B

This item repeals sections 11A and 11B as the definitions of credit reporting agencies and credit providers set out in these sections have now been replaced.

Item 72           Part IIIA

This provision repeals Part IIIA and substitutes a new Part IIIA on credit reporting.

Division 1 - Introduction

Clause 19        Guide to this Part

This provision is a guide to the Part.

Division 2 - Credit Reporting Bodies

Subdivision A - Introduction and application of this Division etc.

Clause 20        Guide to this Division

This provision is a guide to the Division.

Clause 20A     Application of this Division and the Australian Privacy Principles to credit reporting bodies

This provision states that the Division only applies to credit reporting bodies in relation to their handling of credit reporting information; CP derived information; de-identified information; and pre-screening assessments. 

This provision defines the approach taken to the regulation of credit reporting bodies.  This Division provides a complete set of rules that apply to credit reporting bodies in relation to these categories of information.  As the APPs don’t apply to those categories of information it is necessary to ensure that the rules for credit reporting bodies deal with all relevant matters that would otherwise be covered by the APPs.

Credit reporting bodies have obligations in relation to these four categories of information.  Most of the provisions in this Division relate to the handling of credit reporting information, which is defined to include both credit information and CRB derived information.  Specific provisions relate to pre-screening assessments (clauses 20H and 20J) and credit reporting information that has been de-identified (clause 20M).  While a credit reporting body may not hold CP derived information, clause 20T imposes obligations on credit reporting bodies to provide assistance to an individual who wishes to correct credit information, CRB derived information, or CP derived information about the individual.  If the credit reporting body holds at least one of these categories of information they have certain correction obligations, and the ability to consult with another credit reporting body or credit provider as required.

The requirements set out in this Division apply to these categories of information instead of the APPs - that is, the APPs do not apply and are replaced by these requirements.  The APPs do not generally apply to de-identified information, which is why this category of information is not included in subclause (2).  The reasons for regulating credit reporting information that has been de-identified are set out in the discussion of clause 20M.

To the extent that a credit reporting body handles any other personal information, the handling of that personal information will be regulated by the Australian Privacy Principles. 

Subdivision B - Consideration of information privacy

Clause 20B     Open and transparent management of credit reporting information

This provision is based on the obligations set out in APP 1, modified to apply specifically to credit reporting bodies and their handling of credit reporting information. 

Subclause (1) states the object of the provision.

Subclause (2) imposes a general requirement on credit reporting bodies to take reasonable steps to implement practices, procedures and systems in relation to their credit reporting business that will ensure compliance with the requirements of the Division and the registered CR code and to enable them to deal with inquiries or complaints about their compliance.  It is anticipated that credit reporting bodies will demonstrate their compliance with this obligation by, for example, developing and maintaining training programs, staff manuals, standard procedures and any other relevant documents that demonstrate awareness of, and compliance with, their obligations under the Division and the registered CR code.  In addition, credit reporting bodies should be able to demonstrate that their business systems, such as their data management systems, comply with the requirements of the Division or the registered CR code. 

Subclause (3) requires credit reporting bodies to have a policy dealing with their management of credit reporting information.  The policy must be clearly expressed and up-to-date.

Subclause (4) provides a list of matters on which the policy must contain information.  The list is not exhaustive and the policy can, and should where necessary to satisfy the obligation set out in subclause (3), contain additional information.  The purpose of the list is to provide guidance to credit reporting bodies on information that the policy must contain which is likely to be directly relevant to individuals and their concerns about the information handling practices of credit reporting bodies.  It is not intended that the policy set out matters such as detailed operational or administrative procedures or the processes of internal data management systems, nor is it intended that the policy establish technical data handling standards.

Subclause (5) requires credit reporting bodies to take reasonable steps to make the policy publicly available.  Credit reporting bodies must take reasonable steps to make the policy available free of charge, and must make the policy available in an appropriate form - for example, on the website.

Subclause (6) ensures that the policy is readily available to the public.  While a credit reporting body may decide to make the policy available on their website, there may be circumstances where a person or body may wish to have the policy in a particular form - for example, in a different digital form that is more accessible for readers with a disability, or as a printed booklet.  Following any such request, credit reporting bodies must take reasonable steps to provide the person or body with a copy of their policy in the requested form.  It is expected that a credit reporting body would not charge for access.

Subdivision C - Collection of credit information

Clause 20C     Collection of solicited credit information

This provision is based on the obligations and structure of APP 3, modified to apply specifically to credit reporting bodies and their collection of credit information.  The provision generally prohibits the collection of solicited credit information by credit reporting bodies, then sets out a series of exceptions to the prohibition.  The primary source from which credit information is collected by credit reporting bodies is credit providers.  The disclosure of credit information by credit providers to a credit reporting body is dealt with by clause 21D.  However, the exceptions to the general prohibition on collection by credit reporting bodies set out other permitted circumstances in which credit reporting bodies can collect solicited credit information.

Taken together, clauses 20C and 21D prescribe the means by which credit information enters the credit reporting system.  In the context of considering the data flows in the credit reporting system, these provisions deal with how credit information flows into the system.  As discussed above in definitions, credit information comprises all of the basic data sets about the individual which are permitted in the credit reporting system and from which all other information in the system is wholly or partly derived.

Subclause (1) prohibits a credit reporting body from collecting credit information about an individual.  Breach of this prohibition is subject to a civil penalty of 2000 penalty units.

Subclauses (2) to (6) deal with the exceptions to the prohibition in subclause (1).

Subclause (2) provides a general exception to the prohibition where the collection is required or authorised by or under an Australian law or a court or tribunal order.

Subclause (3) provides an exception for collection of credit information from a credit provider.  This provision provides a link to the permitted disclosure by credit providers set out in clause 21D.  However, the credit information can only be collected if the collection is done in the course of carrying on a credit reporting business.  A credit reporting body is defined as an agency or organisation (which for these purposes includes a small business) that carries on a credit reporting business.  A credit reporting business may have other lines of business.  This provision clarifies that credit information can only be collected from a credit provider if it is for the credit reporting business - this provision does not provide an exception to the prohibition on the collection of credit information for any other line of business that a credit reporting body may conduct.  Finally, a credit reporting body is only permitted to collect identification information about an individual if it also collects, or already holds, another kind of credit information about the individual.  The reference to credit information of another kind refers to the definition of credit information, which lists the kinds of information that can be collected.  The purpose of this limitation is to prevent credit reporting bodies from compiling a data base that comprises identification information about individuals without any associated credit information.  The purpose of the credit reporting system is not to provide an identification data base of individuals in Australia, but to assemble credit information which relates to the credit worthiness of individuals, as these terms are defined.

Subclause (4) sets out the circumstances in which credit reporting bodies are permitted to collect credit information from entities other than credit providers.  Some kinds of credit information (for example, court proceedings information, personal insolvency information, or publicly available information as described in the definition of credit information) may be available from entities other than credit providers and credit reporting bodies may wish to collect these kinds of credit information from those sources.  In addition, there may be circumstances in which a credit provider has assigned debts owing to the credit provider to another entity that is not a credit provider, and a credit reporting body wishes to collect relevant credit information from the entity.  It may also be the case that a credit reporting body wishes to make arrangements to collect credit information from another credit reporting body.  Consistent with subclause (3), the collection of this credit information must be in the course of carrying on a credit reporting business.

Subclause (4) goes on to set a number of limitations on the collection of credit information from entities other than credit providers.  These limitations are consistent with the limitations imposed upon the disclosure of credit information by credit providers in clause 21D.  Because those entities which are not credit providers are not directly regulated by the credit reporting provisions, the only way in which the necessary limitations can be imposed on the flow of credit information into the credit reporting system is to restrict the collection of such information by credit reporting bodies.

Accordingly, the general restriction preventing the collection of credit information about an individual who is under 18 years old is stated in subclause (4)(a)(ii).  In addition, subclause (4)(b) states that the credit information cannot relate to any act, omission, matter or thing that occurred or existed before the individual turned 18.  This is to prevent the back-capture of past activity of an individual after they turn 18.  In general terms, information about any credit related activity undertaken by a person before they turn 18 cannot be included in the credit reporting system (unless permitted by the exceptions to this general rule that follow).  This means that, for example, an individual who obtains credit, repays the loan as required, and concludes the credit contract before they turn 18 will not have any information about that credit contract included in the credit reporting system.  Similarly, if an individual defaults on credit before they turn 18 the default cannot be subsequently listed after the individual turns 18 if the credit has been terminated or otherwise ceases to be in force.  However, subclause (5) states that the prohibition on collection of credit information about an individual before they turned 18 does not apply to identification information.  This will allow, for example, the collection of prior addresses as permitted in the definition of identification information where the prior addresses relate to a time before the individual turned 18.  In addition, subclause (6) states that the prohibition on collecting credit information about an individual before they turned 18 does not apply to consumer credit liability information that was entered into before the individual turned 18, so long as the consumer credit was not terminated or otherwise ceased to be in force before the individual turned 18.
The purpose of this exception to the general prohibition on collecting credit information about an individual before they turned 18 is to recognise that consumer credit liability information, as defined, includes information about the day the consumer credit is entered into, and this information, along with all the other consumer credit liability information, can be provided into the credit reporting system.

Subclause (4) also sets out two additional limitations on the collection of credit information by credit reporting bodies from entities other than credit providers.  Subclause (4)(c) states that, if the information to be collected relates to consumer credit or commercial credit, the credit must have been provided, or applied for, in Australia.  This is consistent with the general objective that the credit reporting system is only intended to provide information about credit in Australia, and should not contain information about the credit activities of individuals outside Australia.  Subclause (4)(e) provides that repayment history information can only be collected from an entity that is not a credit provider where that entity is another Australian credit reporting body.

Subclause (7) states the general obligation, consistent with APP 3, that credit reporting bodies must only collect credit information by lawful and fair means.

Subclause (8) states that this provision only applies to credit information that is solicited by a credit reporting body.  This is to distinguish the provision from situations where unsolicited credit information is received.

Clause 20D     Collection of unsolicited credit information

This provision is based on the obligations and structure of APP 4, modified to apply specifically to credit reporting bodies and credit information.

Subclause (1) states that the credit reporting body that receives unsolicited credit information must determine whether the credit reporting body could have collected the information under clause 20C if they had solicited the information.  Any use or disclosure for the purposes of making this determination is permitted by subclause (2).  If the credit reporting body determines that it could have collected the credit information, subclause (3) makes clear that the obligations set out in clauses 20C to 20ZA apply to that collection.  Subclause (4) states that the unsolicited credit information must be destroyed as soon as practicable if the credit reporting body determines that it could not collect the credit information, and imposes a civil penalty of 1000 penalty units for failure to comply with this requirement.  However, there may be circumstances where the credit reporting body is required to retain the unsolicited credit information by or under an Australian law or a court or tribunal order.  In these circumstances, subclause (5) permits the retention of the information.

Subdivision D - Dealing with credit reporting information etc

The provisions in Subdivision D relate to the next stage in the flow of information in the credit reporting system.  Clauses 20C and 20D in Subdivision C dealt with the collection of credit information.  Subdivision D now deals with credit reporting information.  As defined, credit reporting information includes both credit information (collected by credit reporting bodies under clauses 20C or 20D) as well as CRB derived information about an individual.  The provisions in the remainder of this division apply to this broader category of credit reporting information.

Clause 20E     Use or disclosure of credit reporting information

Clause 20E sets out the general rules for the use or disclosure of credit reporting information by credit reporting bodies.  This provision is based on the obligations and structure of APP 6, but has been significantly modified to apply specifically to credit reporting bodies and credit reporting information.

Subclause (1) establishes a general prohibition on the use or disclosure of credit reporting information about an individual by a credit reporting body.  Breach of this prohibition is subject to a civil penalty of 2,000 penalty units.  Subclauses (2) and (3) provide exceptions for this general prohibition.

Subclause (2) sets out the permitted uses, which are exceptions to the prohibition on using credit reporting information in subclause (1).  A credit reporting body is generally permitted to use credit reporting information in the course of carrying on its credit reporting business.  It is anticipated that this will allow the use of credit reporting information for matters such as data management, where this is done in the course of carrying on the credit reporting business.  This would not permit a credit reporting body to use credit reporting information for any other business venture.  Unlike APP 6, no secondary uses of credit reporting information by a credit reporting body are permitted.  Only those uses expressly provided in subclause (2) and other provisions in this Division are permitted.  In addition to the uses permitted in subclause (2), the use of pre-screening assessments is dealt with by clause 20H and the use of de-identified credit reporting information is dealt with by clause 20M.

Paragraphs (2)(b) and (c) also permit a credit reporting body to use credit reporting information if the use is required or authorised by or under Australian law or a court or tribunal order, or the use is prescribed in the regulations.  For example, the use of credit reporting information for certain identity verification purposes is specifically authorised, and regulated by, the Anti-Money Laundering and Counter Terrorism Financing Act 2006.  The regulation-making power provides a means to permit any currently unforeseen but necessary uses that may arise in the future.  Additional uses will be permitted where the use can be shown to be in the public interest as well as being for the benefit of the individuals whose credit reporting information would be used.  Appropriate public consultation with all relevant stakeholders would be undertaken when considering whether regulations prescribing any additional uses should be prepared.

Subclause (3) sets out the permitted disclosures, which are exceptions to the prohibition on disclosing credit reporting information in subclause (1).  Paragraph (3)(a) provides that a credit reporting body does not breach this provision if the disclosure is a permitted CRB disclosure in relation to the individual.  Clause 20F sets out a table of permitted CRB disclosures, which identifies to whom a disclosure may be made and any related conditions around the disclosure.

The remaining paragraphs of subclause (3) set out specific permitted disclosures.  Paragraph (3)(b) permits disclosures of credit reporting information to another Australian credit reporting body.  This is consistent with subclause 20C(4), which allows the collection of credit information from entities other than credit providers.  Paragraph (3)(c) permits disclosures to external dispute resolution schemes that have been recognised by the Information Commissioner and a credit reporting body or credit provider is a member of the scheme.  This provision is intended to ensure that external dispute resolution schemes can access relevant credit reporting information, where appropriate, to assist in the resolution of complaints made by individuals about their personal information in the credit reporting system.  Paragraph (3)(d) permits disclosures to enforcement bodies in relation to serious credit infringements (as defined).  This provision will assist enforcement bodies in the investigation of alleged serious credit infringements.  Paragraphs (3)(e) and (f) also permit a credit reporting body to disclose credit reporting information if the disclosure is required or authorised by or under Australian law or a court or tribunal order, or the disclosure is prescribed in the regulations.  The regulation-making power provides a means to permit any currently unforeseen but necessary disclosures that may arise in the future.  As stated above in relation to the regulation-making power for uses of credit reporting information, this power would be exercised where the disclosure is in the public interest, for the benefit of the individual, and following appropriate public consultation.

Disclosures under paragraphs (3)(a) (which permits the disclosures set out in the table in clause 20F) and (3)(f) (which permits disclosures under regulations, if any) are subject to an additional limitation if the disclosure is credit reporting information that includes, or was derived from, repayment history information.  Subclause (4) provides that such information can only be disclosed if the credit provider to which it is being disclosed is a licensee (defined to mean a licensee under the National Consumer Credit Protection Act).  This is intended to ensure that repayment history information, or credit reporting information that is derived from repayment history information, can only be disclosed to credit providers who are subject to responsible lending obligations under the National Consumer Credit Protection Act.  This restriction extends to credit reporting information that was derived from repayment history information because it is considered appropriate that credit providers who cannot access repayment history information should not be able to indirectly obtain the benefit of that information through the possibility that credit reporting bodies could provide credit reporting information that incorporates repayment history information in another form.  The civil penalty for breach of subclause (4) is 2,000 penalty units.

Subclause (5) requires credit reporting bodies to make a written note of any disclosure of credit reporting information under subclause (3).  Because subclause (3) includes disclosures which are permitted CRB disclosures under clause 20F, this means that written notes will need to be made of disclosures that fall within clause 20F.  The purpose of requiring notes is to provide a record of all disclosures.  To be an effective record, the written note should identify the date of the disclosure, the entity to which the credit reporting information was disclosed, the type of disclosure (including the specific provision under which the disclosure was authorised), the type of credit reporting information that was disclosed (where this is not clear from the type of disclosure), and any other relevant information (for example, that an individual’s express consent to a disclosure under item 2 of the table at subclause 20F(1) was not in writing because of the circumstances set out in subclause 20F(2)).  In relation to identifying the type of credit reporting information that was disclosed, a reader of the note should be able to determine whether all credit reporting information relating to the individual was disclosed, and if not, what types of credit reporting information were disclosed (for example, repayment history information).  Written notes should be sufficiently associated with the credit reporting information of the relevant individual to ensure that individuals are able to obtain access to all written notes relating to their credit reporting information.  Written notes do not themselves fall within the definition of credit information or credit reporting information, and so are not subject to the specific retention rules set out in clause 20W.  However, as written notes would be personal information about an individual, a credit reporting body will be subject to the general obligations set out in the APPs in relation to the written notes of disclosures.  
As mentioned in the note to this subclause, other Acts provide that there are certain circumstances in which a note about a disclosure must not be made and those other Acts prevail over the obligation in this provision (which means complying with those other Acts will not be a breach of this provision).  A breach of this provision attracts a civil penalty of 500 penalty units.

Subclause (6) provides that none of clause 20E applies to direct marketing.  The purpose of this provision is to ensure that there is no inconsistency implied with clause 20G, which generally prohibits the use of credit reporting information for direct marketing.

Clause 20F     Permitted CRB disclosures in relation to individuals

This provision sets out the permitted CRB disclosures that a credit reporting body is authorised to make under paragraph 20E(3)(a).

Subclause (1) states that a disclosure to an entity specified in the table is permitted subject to the conditions set out in the table.  The table lists eight categories of permitted CRB disclosures.  The conditions of each category of permitted CRB disclosure are intended to limit the disclosure to those circumstances that are necessary to achieve the purpose of each permitted disclosure.

The permitted CRB disclosures set out in the table are those disclosures which credit reporting bodies will most commonly make.  When considered in the context of the information flows in the credit reporting system, this provision generally establishes the circumstances in which credit providers will receive information from the credit reporting system.  At this point, information is flowing out of the credit reporting system to credit providers.  Credit providers do not have continuous access to credit reporting information.  They can only obtain credit reporting information where the conditions set out in the table are satisfied.

The recipients of the information nominated in the table are also regulated in relation to the use that they can make of this information.  Each disclosure permitted by a credit reporting body will subsequently be regulated as a use by the recipient.  The disclosures in the table to credit providers are regulated as uses in clause 21H, while the disclosures to mortgage insurers and trade insurers are regulated as uses by clause 22C.  Regulation of the credit reporting information in the hands of the recipient ensures that the use of the information is consistent with the purpose of the disclosure by the credit reporting body under this provision.

A disclosure under item 1 of the table to a credit provider is only permitted if it is for a consumer credit related purpose in relation to the individual about whom the credit reporting information is requested.  The term ‘consumer credit related purpose’ is defined, and this means disclosure can only occur if credit reporting information is necessary to assess an application for consumer credit or to collect overdue payments in relation to credit provided by the credit provider to the individual.

A disclosure under item 2 of the table to a credit provider is only permitted for a commercial credit related purpose.  This is a defined term and means disclosure can only occur if it is for the purpose of assessing an application for commercial credit or to collect overdue payments in relation to commercial credit provided to the individual.  In addition, the disclosure can only occur if the individual expressly consents to the disclosure of the information to the provider for that purpose.  Subclause (2) states that, as a general rule, the express consent of the individual must be given in writing.  However, where the individual has not made the application for commercial credit to the credit provider in writing, it is not necessary for the individual’s consent to be in writing.  A requirement for express consent is included because the credit reporting system does not generally deal with commercial credit matters.  The definition of credit information only permits very limited information about commercial credit to be included as part of an individual’s credit information.  It is recognised that a credit provider may generally find an individual’s credit information useful in assessing an application for commercial credit.  The requirement for express written consent ensures that the individual is aware that their credit information will be used for a non-consumer credit purpose.

A disclosure under item 3 of the table to a credit provider is only permitted for a credit guarantee purpose in relation to the individual, and the individual must expressly consent, in writing, to the disclosure for that purpose.  ‘Credit guarantee purpose’ is a defined term, and means the purpose of assessing whether to accept the individual as a guarantor in relation to credit provided to, or applied for by, another person.  In this context, it is the individual who is proposing to be the guarantor whose credit reporting information is being released, and the proposed guarantor must expressly consent to the disclosure in writing.

A disclosure under item 4 of the table of an individual’s credit reporting information to a credit provider is only permitted if the credit reporting body is satisfied that a credit provider believes on reasonable grounds that the individual has committed a serious credit infringement (which is a defined term).  The credit provider must demonstrate reasonable grounds for this belief to the credit reporting body to justify access under this provision.

A disclosure under item 5 of the table permits disclosure of credit reporting information to a current credit provider of an individual.  A current credit provider is a credit provider that holds credit liability information (a defined term) relating to consumer credit provided to the individual and that consumer credit has not been terminated or otherwise ceased to be in force.  This provision allows credit reporting bodies to provide an individual’s credit providers with default information (or where a payment of a default has occurred, payment information) about the individual.  This provision will also allow credit reporting bodies to provide other relevant credit reporting information.  However, when read with item 5 in the table at clause 21H, any credit reporting information disclosed under this provision can only be used by the recipient credit provider for the purpose of assisting the individual to avoid defaulting on the individual’s consumer credit obligations to that credit provider.

A disclosure under item 6 of the table can be made to a securitisation entity that is defined as a credit provider by subclause 6J(1).  Credit reporting information can be disclosed to such a credit provider only where the provider requests the information for a securitisation related purpose of the credit provider in relation to the individual.  A securitisation related purpose is a defined term and refers to assessing the risk of purchasing, by means of a securitisation arrangement, credit that has been provided to the individual or to a person to whom the individual is or proposes to be a guarantor.  The definition of the term also refers to assessing the risk in undertaking credit enhancement in relation to credit that has been provided to an individual (or a person to whom the individual is or may be a guarantor) through a securitisation arrangement.

A disclosure under item 7 may be made to a mortgage insurer (a defined term) where the credit reporting information is requested by the mortgage insurer for a mortgage insurance purpose in relation to the individual.  The term ‘mortgage insurance purpose’ is defined.

A disclosure under item 8 may be made to a trade insurer (a defined term) where the credit reporting information is requested by the trade insurer for a trade insurance purpose (a defined term) in relation to the individual.  However, in addition the individual must expressly consent in writing to the disclosure of the credit reporting information to the trade insurer for that purpose.  This is consistent with the requirement for express consent for disclosures that relate to the assessment of commercial credit applications.

Clause 20G     Use or disclosure of credit reporting information for the purposes of direct marketing

This provision generally prohibits the use or disclosure of credit reporting information for direct marketing purposes, then deals with pre-screening use and disclosures.

Subclause (1) expressly prohibits the use or disclosure of credit reporting information for the purposes of direct marketing.  Breach of this provision is subject to a civil penalty of 2000 penalty units.

In general terms, subclause (2) permits the use by credit reporting bodies of credit information for pre-screening.  Pre-screening is a direct marketing process by which direct marketing credit offers to individuals are screened against limited categories of credit information about those individuals to remove individuals from the direct marketing credit offer, based on criteria established by the credit provider making the offer, before the offers are sent.  Generally, the process for pre-screening a direct marketing credit offer works as follows.  The credit provider making the credit offer establishes the eligibility requirements for the direct marketing credit offer and provides the list of individuals about whom the pre-screening assessment will be made; the credit reporting body undertakes the pre-screening assessment and determines whether an individual is eligible consistent with those criteria; the credit reporting body discloses the pre-screening assessment to a mailing house which conducts the direct marketing consistent with the pre-screening assessment, and then the pre-screening assessment is destroyed by the credit reporting body and the mailing house.

Subclause (2) sets out the conditions under which pre-screening can occur.  The conditions are cumulative and all must be satisfied for the pre-screening to occur.  Paragraph (2)(a) says that the credit provider who is doing the direct marketing must be an Australian credit provider (that is, have an Australian link as defined) and must be a licensee (that is, subject to responsible lending obligations).  Paragraph (2)(b) states that the direct marketing must be about consumer credit that the credit provider provides in Australia, to ensure that the overall restriction on the use of the credit reporting system for Australian consumer credit is maintained.

Paragraph (2)(c) limits the categories of credit information that are available for pre-screening by excluding consumer credit liability information and repayment history information from use.  As the stated purpose of pre-screening is to remove individuals from the direct marketing offer, it was considered that these two categories provide too much positive information about an individual’s credit arrangements and hence are unnecessary to achieve the stated purpose of pre-screening.  Limiting the types of credit information that are available for use is privacy enhancing.

Paragraph (2)(d) states that the credit reporting body must use the available credit information to assess whether or not the individual is eligible to receive the direct marketing offer of the credit provider.  This must be read with subclause (3), which requires the credit reporting body to have regard to the eligibility requirements the credit provider nominates in relation to the pre-screening of the direct marketing credit offer.  The assessment made by the credit reporting body under this paragraph is called a ‘pre-screening assessment’.  The process set out in this paragraph means that the credit provider itself does not receive any credit information in relation to its credit offer, nor does the credit provider undertake the pre-screening process itself.  Pre-screening is conducted by the credit reporting body on the instructions of the credit provider.

Paragraph (2)(e) states that credit information about an individual can only be used for pre-screening where the individual has not made a request under subclause (5), which allows individuals to ‘opt-out’ of pre-screening.  Paragraph (2)(f) requires the credit reporting body to comply with any additional requirements set out in the registered CR code in relation to pre-screening.  It is expected that the registered CR code may deal with matters such as requirements by credit reporting bodies and recipients of pre-screening assessments to maintain audit trails of pre-screening activity and other process related matters.  It is possible for the entities that receive pre-screening information to be bound by the CR code, as the provisions in new Part IIIB on codes provide that the CR code may bind any entity to which Part IIIA (the credit reporting provisions) applies.

As stated above, subclause (3) modifies paragraph (2)(d).  When setting criteria, the credit provider can only nominate criteria that remove individuals from the direct marketing credit offer.

Subclause (4) states that an assessment by a credit reporting body under paragraph (2)(d) is not credit reporting information about the individual.  The assessment is called a ‘pre-screening assessment’ and is subject to the specific rules set out in clauses 20H and 20J.  As the assessment is not credit reporting information, it cannot be maintained as part of the individual’s credit reporting information and cannot be disclosed, except as permitted by clause 20H.

Subclause (5) provides the opportunity for individuals to opt-out of having their credit information used for pre-screening of direct marketing credit offers.  At any time an individual can request a credit reporting body that holds credit information about the individual not to use the credit information for pre-screening under subclause (2).  Providing an opt-out option is consistent with the approach taken in APP 7 on direct marketing.  Paragraph 20B(4)(e) expressly requires credit reporting bodies to have policies about the management of credit reporting information which deal with pre-screening and how an individual may make an opt-out request.  A credit provider is required by clause 21C to expressly notify the individual, at or before the time of collection of personal information, of the details of the credit reporting bodies which the credit provider deals with and any other matters specified in the registered CR code.  It is expected that these notification requirements and the credit reporting body’s privacy policy will give the individual sufficient opportunity to opt-out of any pre-screening of direct marketing credit offers.  In general, the limitations placed upon the pre-screening process operate as privacy protections and, in the circumstances, an opt-out rule is considered appropriate.  In the consumer credit regulatory environment, it appears that the National Consumer Credit Protection (Home Loans and Credit Cards) Act 2011 imposes an opt-in model for the receipt of direct marketing of credit card limit increase invitations.  It appears that the opt-in approach is not used elsewhere in the National Consumer Credit Protection Act and was chosen to address particular concerns around the marketing of credit card limit increases.  While this approach was chosen in that particular circumstance under that Act, the opt-out approach for pre-screening is consistent with the privacy protections in place.

Subclause (6) prohibits a credit reporting body from charging an individual for making a request under subclause (5) or giving effect to the request.

Subclause (7) requires credit reporting bodies to make a written note of any use of credit information under subclause (2) for pre-screening.  Written notes should be sufficiently associated with the credit reporting information of the individual to ensure that individuals are able to obtain access to all written notes relating to their credit reporting information.  Written notes do not themselves fall within the definition of credit information or credit reporting information, and so are not subject to the specific retention rules set out in clause 20W.  However, as written notes would be personal information about an individual, a credit reporting body will be subject to the general obligations set out in the APPs in relation to the written notes of disclosures.  Breach of this obligation is subject to a civil penalty of 500 penalty units.

Clause 20H     Use or disclosure of pre-screening assessments

This provision deals with the use and disclosure of pre-screening assessments, a defined term which refers to paragraph 20G(2)(d).  This provision regulates the progression of the pre-screening process from the screening stage (dealt with in clause 20G) on to the process of issuing the screened direct marketing credit offers, by controlling the handling of the pre-screening assessment information.  Information flows in the pre-screening process are essentially one-way - the credit provider is not given the results of the pre-screening process (referred to as the ‘pre-screening assessment’ in the Bill) and so cannot determine which individuals may have been excluded from the direct marketing credit offer as a result of the assessment.  This is to ensure that credit providers are not able to target direct marketing to those people who they know have been excluded from their direct marketing offer.  The purpose of pre-screening is purely to provide a process to remove individuals from direct marketing offers, not to allow credit providers to target identified individuals with direct marketing offers.

Subclause (1) generally prohibits the use or disclosure of a pre-screening assessment made by a credit reporting body.  Breach of this provision is subject to a civil penalty of 2000 penalty units.

Subclause (2) provides an exception to the prohibition in subclause (1).  This provision permits the credit reporting body to disclose, for the purposes of direct marketing, the pre-screening assessment to an Australian entity (that is, an entity which has an Australian link).  However, the provision does not permit the disclosure of the pre-screening assessment back to the credit provider on whose behalf the assessment was made.  The credit provider does not have any access to the pre-screening assessment.  As the recipient of the assessment must be an entity, they will be subject to the APPs as well as the specific obligations set out in relation to pre-screening assessments.  The entity (usually a mailing house) undertakes the direct marketing of the credit offer on behalf of the credit provider, consistent with the pre-screening assessment. 

Subclause (3) requires the credit reporting body to make a written note of any disclosure under subclause (2).  As with other written notes, the notes should be sufficiently associated with the credit reporting information of the individual to ensure that individuals are able to obtain access to all written notes relating to their credit reporting information.  Written notes do not themselves fall within the definition of credit information or credit reporting information, and so are not subject to the specific retention rules set out in clause 20W.  However, as written notes would be personal information about an individual, a credit reporting body will be subject to the general obligations set out in the APPs in relation to the written notes of disclosures.  Breach of this obligation is subject to a civil penalty of 500 penalty units.

Subclause (4) establishes a general prohibition on any use or disclosure of the pre-screening assessment by the recipient of the assessment under subclause (2).  Breach of this provision is subject to a civil penalty of 1000 penalty units.

Subclause (5) operates as an exception to the prohibition in subclause (4).  This provision allows the recipient to use the pre-screening assessment for the purpose of doing the direct marketing by, or on behalf of, the credit provider.

Subclause (6) requires the recipient to make a written note of any use under subclause (5).  It is expected that this written note would be accessible to the individual through the access provisions in the APPs.  Breach of this obligation is subject to a civil penalty of 500 penalty units.

Subclause (7) makes clear that, if the recipient of the pre-screening assessment is an APP entity, then APPs 6, 7 and 8 do not apply in relation to the pre-screening assessment.

Clause 20J      Destruction of pre-screening assessment

This provision deals with the destruction of pre-screening assessments.  Subclause (1) states that an entity (which includes credit reporting bodies) that has possession or control of a pre-screening assessment must destroy the assessment if it is no longer needed for a purpose under clause 20H and the entity is not required by or under an Australian law or court or tribunal order to retain the assessment.  The exception permitting retention where it is required by or under Australian law is also appropriate in these circumstances.  Breach of this provision is subject to a civil penalty of 1000 penalty units.

Subclause (2) makes clear that, if the destruction obligation applies to an APP entity that is not a credit reporting body, APP 11.2 does not apply in relation to the pre-screening assessment.  The application of the APPs to credit reporting bodies in relation to pre-screening assessments has already been addressed in clause 20A.

Clause 20K     No use or disclosure of credit reporting information during a ban period

This provision provides a mechanism for individuals to deal with potential fraud, including identity fraud, by controlling the disclosure of their credit reporting information in certain circumstances for the purpose of assessing applications for credit.  In general terms, where an individual has reasonable grounds to believe that they have been, or are likely to be, the victim of fraud, they can request a credit reporting body not to use or disclose credit reporting information about the individual.  There are limited exceptions to this general rule, and the provision also deals with the period of time for which the request remains active, and how to extend that period of time.  The terms fraud and identity fraud are not defined.  Activities that constitute identity fraud may change over time.  Guidance on identity fraud may be available from law enforcement and crime prevention agencies.

This provision is linked to other provisions to provide a thorough response to identity fraud issues.  Destruction of credit reporting information by the credit reporting body in cases of fraud is dealt with by clause 20Y.  Clause 21F deals with credit providers and limits the disclosure of credit information to credit reporting bodies during a ban period.  Essentially, if a credit provider is unable to obtain access to an individual’s credit reporting information to assess an application for credit due to a ban period but proceeds to provide credit to a person purporting to be the individual, the credit provider cannot list any of the information about that credit as part of the individual’s credit information (unless, as provided in the exception, the credit provider has taken reasonable steps to verify the individual’s identity).  This is intended to ensure that credit providers take reasonable steps to identify a person to whom they intend to provide credit during a ban period.

It is expected that further practical details around the operation of this provision would be covered in the registered CR code.  Matters that may be covered include: notifying the individual of the effect of the ban period and the circumstances in which the individual should be notified that the ban period is ending; the extension of the ban period; notification of credit providers of the ban period; and other relevant matters.

Subclause (1) states that, where a credit reporting body holds credit reporting information about an individual, and the individual believes on reasonable grounds that they have been, or are likely to be, the victim of fraud (including identity fraud), then the individual can request the credit reporting body not to use or disclose their credit reporting information.  Where this request is made, then despite any other provision of this Division, the credit reporting body must not use or disclose the credit reporting information during what is known as the ban period (a term that is further defined in subclauses (3) to (5)).  Breach of this provision is subject to a civil penalty of 2000 penalty units.  The individual must believe on reasonable grounds that they have been, or are likely to be, the victim of fraud.  It is expected that this would generally mean that an individual who is able to explain why they believe they have been, or are likely to be, the victim of fraud would satisfy this requirement.  Identity fraud can happen quickly and consequences for a victim of identity fraud can be significant.  In this context, the purpose of this provision is to allow an individual who has been, or is likely to be, the victim of fraud to act quickly to try to ameliorate the risk of suffering losses.  It is not expected that an individual would ordinarily need to, for example, present documentary evidence to support their belief.

The purpose of this provision is to limit the consequences of actual or suspected fraud on the individual.  However, credit reporting bodies are not prevented from informing credit providers of the fact that a ban period is in place in relation to an individual’s credit reporting information.  Informing credit providers of the ban period may assist them in preventing the perpetrator of the alleged fraud from causing further harm to the individual or others.  It is expected that further procedural details around notification of credit providers of a ban period will be set out in the registered CR code.

Subclause (2) provides limited exceptions to the prohibition on use or disclosure of the individual’s credit reporting information: where the individual expressly consents, in writing, to the use or disclosure; or where the use or disclosure is required by or under an Australian law or court or tribunal order (note that this exception only operates where the use or disclosure is required and does not operate in situations where the use or disclosure may merely be authorised).  Express consent by the individual in writing is provided as an exception to ensure that the individual is not adversely affected by the ban on the use or disclosure of their credit reporting information.  An individual who, for example, had made, or was considering making, an application for credit would be able to provide express consent for the credit provider to obtain their credit reporting information from the credit reporting body.  The credit provider would also need to take reasonable steps to identify the individual before relying on the consent.

Subclause (3) describes the operation of the ban period in relation to the credit reporting information of an individual that has satisfied subclause (1).  The ban period starts when the individual makes the request in paragraph (1)(c) and ends 21 days after the day on which the request was made, or on the day after any extension under subclause (4) ends.

Subclause (4) permits the extension of the ban period after the initial 21 day period set out in subclause (3).  The individual can, before the ban period ends, request the credit reporting body to extend the ban period.  If an extension is requested, the credit reporting body must believe on reasonable grounds that the individual has been, or is likely to be, a victim of fraud.  If the body forms such a belief, the body must extend the ban period by such period as it considers reasonable in the circumstances and give the individual written notification of the extension.  Failure to comply with these requirements is subject to a civil penalty of 1000 penalty units.  The difference from the initial request is that an extension can only be made if the credit reporting body forms a belief on reasonable grounds about the likelihood that the individual is, or may be, the victim of fraud.  A credit reporting body could ask the individual to demonstrate the basis for their belief that they are, or may be, the victim of fraud.  This would depend on the circumstances of each case, but would not necessarily require any court based evidence (such as the arrest of a person who is alleged to have committed the fraud).  In some cases, the risk of fraud may continue for a significant period and the credit reporting body should make a judgement in the circumstances of the appropriate period of time for the extension.  It is not intended that an individual would be placed under additional stress by the imposition of short extension periods that have to be regularly renewed if the circumstances do not warrant this approach.  In this context, the registered CR code may provide more detail about the extension process.

Subclause (5) permits a ban period to be extended more than once under subclause (4).

Subclause (6) states that an individual who requests a ban period under paragraph (1)(c) or an extension of a ban period under paragraph (4)(b) should not be charged by the credit reporting body for making the request or giving effect to the request.

Clause 20L     Adoption of government related identifiers

This provision is based on the obligations set out in APP 9(1), modified to apply specifically to credit reporting bodies.

Subclause (1) states that if a credit reporting body holds credit reporting information about an individual and that information is also a government related identifier of the individual, the credit reporting body must not adopt it as its own identifier of the individual.  Breach of this provision is subject to a civil penalty of 2000 penalty units.

Subclause (2) provides an exception to the prohibition where the adoption of a government related identifier is required or authorised by or under an Australian law or a court or tribunal order.

Clause 20M    Use or disclosure of credit reporting information that is de-identified

This provision deals with the use and disclosure of credit reporting information that has been de-identified for research purposes in relation to the assessment of credit worthiness of individuals.  Generally, de-identified personal information is not regulated.  The purpose of regulating de-identified credit reporting information is to clarify that such information can be used or disclosed in specified circumstances.  The use and disclosure provisions for credit reporting agencies are prescriptive and do not permit any secondary uses or disclosures of credit reporting information.  However, it appears that information from the credit reporting system has in the past been used for the purpose of conducting research (including statistical modelling and data analysis) relating to the assessment or management of credit.  This research, where it is in the public interest, should be expressly permitted.  Conducting research with de-identified personal information enhances privacy protection and appears to be consistent with existing industry practices.  In addition, research is not a primary purpose of the credit reporting system and it is not appropriate to allow credit reporting information that identifies individuals to be used for research purposes.  However, there can be concerns about the effectiveness of methods used to de-identify personal information and the risks of that information subsequently being linked again to individuals in a way that allows them to be identified.  To ensure that the proposed research is consistent with these policy objectives and is appropriately limited in scope, the research will only be permitted where it complies with rules that the Commissioner may make about the use or disclosure of de-identified credit reporting information for research purposes.  
Permitting disclosure, as well as use, of the de-identified information is necessary to ensure that the credit reporting body can, for example, obtain expert assistance to conduct the research or is able to make the research available to credit providers, as well as other interested parties such as consumer credit advocates and privacy advocates.

Subclause (1) sets out a general prohibition on the use or disclosure of credit reporting information held by the credit reporting body that has been de-identified.  Subclause (2) provides an exception to this prohibition where the use or disclosure of the de-identified information is for the purposes of conducting research in relation to the assessment of the credit worthiness of individuals.  In addition, the credit reporting body must comply with rules made under subclause (3) by the Commissioner.  Subclause (3) states that the Commissioner may make rules relating to the use or disclosure of de-identified information for the purposes of conducting research in relation to the assessment of the credit worthiness of individuals.  Subclause (4) lists certain matters that, without limiting the Commissioner's power to make rules under subclause (3), the rules may deal with.  The list identifies matters that are relevant to ensuring that the permitted research is for the general benefit of the public and in the public interest.



Subdivision E - Integrity of credit reporting information

Clause 20N     Quality of credit reporting information

This provision is based on the obligations set out in APP 10, modified, and with additional provisions, to apply specifically to credit reporting bodies.

Subclause (1) provides that a credit reporting body must take such steps as are reasonable in the circumstances to ensure that the credit reporting information the body collects is accurate, up-to-date and complete.  Subclause (2) applies to the use or disclosure of credit reporting information and includes an additional requirement of relevance.  The requirement for information to be ‘complete’ does not require credit reporting bodies to enter into agreements with credit providers to ensure that all available credit information about the individual is disclosed, or for credit providers to disclose all available credit information to the body.   The credit reporting body must take such steps as are reasonable in the circumstances to ensure that the credit reporting information the body uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.  The additional requirement of relevance means that the actual purpose of the use or disclosure must be considered.  As all uses and disclosures of credit reporting information by credit reporting bodies are regulated by this Division, this will require careful consideration of the relevant provisions.

These provisions must be read in conjunction with the other provisions in this Division.  Other provisions impose various restrictions on the collection, use and disclosure of some or all types of credit reporting information.  For example, repayment history information is subject to specific restrictions to limit collection, use and disclosure to situations where credit providers are subject to responsible lending obligations by being licensees (as defined).  In these circumstances, the disclosure, for example, of repayment history information will be restricted and this will limit the general obligation to disclose complete credit reporting information.

Subclause (3) sets out additional obligations imposed on credit reporting bodies to ensure they take appropriate steps to maintain the quality of credit reporting information.  These obligations, which do not limit the general obligations set out in subclauses (1) and (2), require credit reporting bodies to enter into agreements with credit providers to ensure that credit information they disclose to the bodies is accurate, up-to-date and complete; a monitoring obligation, in the form of a requirement to ensure regular audits are conducted by an independent person to determine whether the agreements are being complied with; and an enforcement obligation, which requires bodies to identify and deal with suspected breaches of the agreements.  It is expected that credit reporting bodies would have a range of enforcement mechanisms available to deal with breaches of the agreement, up to and including termination of the agreement with the credit provider, removing the credit provider from the credit reporting system.  It is also expected that arrangements would be made to ensure an effective dispute resolution process was in place to deal with differences between bodies and credit providers in relation to the enforcement of the agreements.  The purpose of these specific obligations is to ensure that both credit reporting bodies and credit providers take proactive steps in establishing practices which maintain the quality of credit information.  Given that credit reporting bodies will play a central role in handling and managing credit information it is appropriate that they be charged with the responsibility to develop appropriate agreements.  It is expected the registered CR code will include further practical details and obligations around the matters set out in subclause (3) to provide additional guidance to credit reporting bodies and credit providers.

Clause 20P     False or misleading credit reporting information

This provision deals with using or disclosing false or misleading credit reporting information.  It provides both an offence provision and a civil penalty provision to deal with this conduct.  While civil penalty provisions have generally been used throughout the Bill to deal with situations in which breach of a provision warrants the imposition of a penalty, some kinds of conduct require the imposition of criminal penalties.  Providing for both a criminal offence and a civil penalty in this provision gives the courts appropriate options to deal with the behaviour, depending on the circumstances of each case.

Subclause (1) states that a credit reporting body commits an offence if the body uses or discloses credit reporting information under this Division and the information is false or misleading in a material particular.  Use or disclosure of unsolicited credit reporting information under subclause 20D(2) or the use or disclosure of information for consultation in response to an individual's request to correct their credit information under subclause 20T(4) are expressly excluded as these are circumstances where the information may be false or misleading and the credit reporting body either does not know, or is taking action to deal with, the errors.  The penalty for this offence is 200 penalty units.

Subclause (2) sets out a civil penalty.  A credit reporting body must not use or disclose credit reporting information under this Division if the information is false or misleading in a material particular.  Once again, any use or disclosure under subclauses 20D(2) or 20T(4) is excluded from the civil penalty.  The civil penalty for breach of this provision is 2000 penalty units.

Clause 20Q     Security of credit reporting information

This provision is based on the obligations set out in APP 11, modified, and with additional provisions, to apply specifically to credit reporting bodies.  The additional obligations imposed on credit reporting bodies in this provision are based on the additional obligations imposed on bodies by clause 20N to maintain the quality of credit information.

Subclause (1) provides that a credit reporting body that holds credit reporting information must take such steps as are reasonable in the circumstances to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure.  These are fundamental obligations and no exceptions are provided for these obligations.

Subclause (2) sets out additional obligations imposed on credit reporting bodies to ensure they take appropriate steps to maintain the security of credit reporting information.  These obligations, which do not limit the general obligations set out in subclause (1), require credit reporting bodies to enter into agreements with credit providers to ensure that credit providers protect credit reporting information (that is, the category of information that they receive from credit reporting bodies) from misuse, interference and loss, and from unauthorised access, modification or disclosure.  This is followed by a monitoring obligation, in the form of a requirement to ensure regular audits are conducted by an independent person to determine whether the agreements are being complied with, and an enforcement obligation, which requires bodies to identify and deal with suspected breaches of the agreements.  It is expected that credit reporting bodies would have a range of enforcement mechanisms available to deal with breaches of the agreement, up to and including termination of the agreement with the credit provider, removing the credit provider from the credit reporting system.  It is also expected that arrangements would be made to ensure an effective dispute resolution process was in place to deal with differences between bodies and credit providers in relation to the enforcement of the agreements.  The purpose of these specific obligations is to ensure that both credit reporting bodies and credit providers take proactive steps in establishing practices which maintain the security of credit information.  Given that credit reporting bodies will play a central role in handling and managing credit information it is appropriate that they be charged with the responsibility to develop appropriate agreements.  
It is expected the registered CR code will include further practical details and obligations around the matters set out in subclause (2) to provide additional guidance to credit reporting bodies and credit providers.

Subdivision F - Access to, and correction of, information

Clause 20R     Access to credit reporting information

This provision is based on the obligations set out in, and the structure of, APP 12, modified to apply specifically to credit reporting bodies.  It is generally intended that access to credit reporting information should occur on the same terms as access to personal information held by an APP entity.

Subclause (1) states the general obligation that if a credit reporting body holds credit reporting information about an individual, the body must, on request by an access seeker, give the access seeker access to the information.  The term access seeker is defined in clause 6L.  In this context an access seeker means the individual to whom the credit reporting information relates, or a person who is assisting the individual to deal with the credit reporting body, or an agent of the individual (that is, a person who is authorised in writing by the individual for the purpose of clause 20R, noting the exception provided for the National Relay Service in the definition of ‘access seeker’).  The term is subject to certain exceptions set out in the definition.

This provision permits the individual to obtain access to their credit reporting information.  This includes both the credit information about the individual and the CRB derived information about the individual (for example, any credit scoring or analysis about the individual).  While the individual can obtain access to the CRB derived information about them, this does not provide them with a right to access the methodology, data analysis methods, computer programs, or other information that the credit reporting body may use to manage their credit reporting information or to analyse their credit information to produce the CRB derived information.

Subclause (2) sets out exceptions to access.  This list of exceptions has been deliberately modified and reduced from the list of exceptions set out in APP 12.3, on the basis that there is a significant public interest in ensuring individuals have access to their credit reporting information.  These are the only grounds on which access can be refused.  This provision states that the credit reporting body is not required to give access to the credit reporting information to the extent that: giving access would be unlawful (whether under the Privacy Act or another enactment); denying access is required or authorised by or under an Australian law or a court or tribunal order; or giving access would be likely to prejudice one or more enforcement related activities (a defined term - see schedule 1) by, or on behalf of, an enforcement body (defined in the Act).

Subclause (3) states that a credit reporting body must respond to the request for access within a reasonable period, but not longer than 10 days, after the request is made.  It is considered that 10 days is a sufficient maximum period to provide access to an individual’s credit reporting information and it is expected that reasonable access would ordinarily occur well within the 10 day period.  The business of credit reporting bodies is handling and managing credit reporting information about individuals, so it is expected that bodies will have developed efficient systems to provide ready access to individuals seeking their credit reporting information.

Subclause (4) deals with the means of access.  It states that, if a credit reporting body gives access, the access must be given in the manner set out in the registered CR code. 

Subclauses (5) and (6) deal with access charges and require credit reporting bodies to provide individuals with free access to their credit reporting information once every 12 months, on request of the access seeker.  Subclause (5) states that the credit reporting body must not charge an access seeker for making a request or for access if a request has not been made to the body in the previous 12 months.  Subclause (6) provides that, if subclause (5) does not apply, any charge by the credit reporting body for giving access must not be excessive and must not apply to the making of the request.  This is the same test that applies under APP 12.8.

It is considered that credit reporting information is a particularly significant kind of personal information.  As credit reporting information is used for matters relating to an individual’s credit related activities where errors or omissions may have significant consequences for the individual, it is essential that the individual be able to obtain free access on a reasonably regular basis.  It is considered that free annual access should generally be sufficient.  However, there may be circumstances where an individual requires more regular access in a 12 month period, for example where the individual is the victim of fraud or identity fraud.  Credit reporting bodies are not required to charge in every instance after the first free access in 12 months and it is expected that bodies will be flexible in the application of any charges for access.

Subclause (7) sets out the process of providing notice to the access seeker where access is refused.  It provides that, where access is refused because of subclause (2) (which sets out the only exceptions to access), the credit reporting body must give the access seeker a written notice that sets out the reasons for the refusal.  The obligation to provide reasons is limited to the extent that it would be unreasonable to do so, having regard to the grounds for the refusal.  For example, where access to some of an individual’s credit reporting information is refused because it may prejudice an enforcement related activity, it may be unreasonable to set out the details of the law enforcement activity or even that the law enforcement activity has provided the basis for restricting access to a part of the individual’s credit reporting information.

Subclause (7) goes on to provide that the written notice provided to the access seeker must inform the access seeker that, if they are not satisfied with the response to the request, they may access a recognised external dispute resolution scheme of which the body is a member (and provide contact details for that scheme) or make a complaint to the Commissioner under Part V of the Act.

Clause 20S     Correction of credit reporting information

Clauses 20S, 20T and 20U are based on the obligations set out in APP 13, modified, and with additional provisions, to apply specifically to credit reporting bodies.  Read together, these three provisions set out a correction process that provides individuals with specific rights and deal with matters that are particularly important in the context of credit reporting, such as providing evidence to substantiate disputed personal information in the credit reporting system.  Importantly, individuals are able to request the correction of their personal information that may not be held by the credit reporting body, requiring the credit reporting body to consult with the appropriate credit reporting body or credit provider.  This imposes a specific obligation on bodies and credit providers to assist individuals to correct their personal information, no matter whom it is held by in the credit reporting system.  This means that the credit reporting body or credit provider to which the individual first makes a correction request must deal with that request and assist the individual to have their personal information corrected.  The industry participants in the credit reporting system derive significant benefits from the availability of information about individuals in the system and it is considered appropriate that they take on obligations to assist individuals to correct their information.  These provisions are mirrored by clauses 21U, 21V and 21W which impose similar obligations on credit providers.

Clause 20S sets out the general obligations on credit reporting bodies to correct credit reporting information.  The correction obligation is expressly linked to the obligations on credit reporting bodies to ensure the quality of the credit reporting information they maintain.  Subclause (1) provides that a credit reporting body must take reasonable steps (if any) to correct credit reporting information that is inaccurate, out-of-date, incomplete, irrelevant or misleading.  Correction should take into account the purpose for which the information is held.  The purpose of holding information will depend on the provisions of this Division and the definitions, and this will then inform decisions about whether information may be inaccurate, out-of-date, incomplete, irrelevant or misleading (note that if at least one of these descriptions can be applied to an individual’s credit reporting information it must be corrected).  For example, credit information may include an individual’s current address and up to two previous addresses in the previous five years, if any.  Holding the previous addresses does not mean that the credit reporting body has out-of-date information.  However, address information may become out-of-date if, for example, the individual moves from their current address and the credit reporting body is made aware of this change, as the body will now be required to update the address information.

Subclause (2) states that a credit reporting body that has corrected credit reporting information that has previously been disclosed under this Division (with the exception of disclosure in relation to unsolicited information under subclause 20D(2) and disclosure to consult on a correction request under subclause 20T(4)) must, within a reasonable period, give each recipient of the information written notice of the correction.  This obligation is to ensure that other recipients are aware of the correction and can take appropriate action to update their own records.  As recipients of an individual’s credit reporting information may be making credit related decisions of significance for the individual, it is important that any corrections are transmitted quickly and efficiently.  It is expected that the registered CR code will deal with notification periods and procedures.

Subclause (3) provides that the obligation for written notice under subclause (2) does not apply if it is impracticable for the credit reporting body to give the notice or the credit reporting body is required by or under an Australian law, or a court or tribunal order, not to give the notice.  It is expected that it would generally always be practicable for a credit reporting body to give the notice, as bodies must make written notes of any disclosures and they will also have agreements in place with the recipients of the information, for example to implement the requirements of subclause 20Q(2) on security.  However, there may be circumstances where it is impracticable to provide the notice, for example where a credit provider has ceased trading.

Clause 20T     Individual may request the correction of credit information etc

This provision sets out the process by which an individual may request the correction of certain personal information about them which is held in the credit reporting system.  An individual is able to make a request for the correction of their information to a credit reporting body and the body must, if it does not hold the information or cannot be satisfied that the information should be corrected, take steps to consult another body or a credit provider to assist in resolving the individual’s request.

Subclause (1) provides that an individual may request a credit reporting body to correct specified kinds of personal information in the credit reporting system if the body holds at least one of the specified kinds of personal information.  The personal information about the individual that may be subject to a correction request may be credit information, CRB derived information, or CP derived information.  While a credit reporting body will not hold CP derived information, the provision permits an individual to make a correction request about this kind of information to the body.

Subclause (2) states the obligation to correct the personal information if the credit reporting body is satisfied that it is inaccurate, out-of-date, incomplete, irrelevant or misleading.  The correction must be made within 30 days from the day the request is made, or such longer time as the individual agrees in writing.  It is expected that the registered CR code will deal in greater detail with the process around which extensions of time to respond to correction requests are proposed to the individual.  However, it is generally expected that most requests for correction should be resolved within the 30 days specified in this provision.  The period of 30 days has been specified to provide adequate time for consultation to occur under subclause (3), so the fact that consultation is required should not in itself be grounds for a body to request that the individual agree to a longer period for consideration of the correction request.  Where consultation is not required, it is expected that the correction request would ordinarily be considered and resolved well within the 30 days.  The correction and complaint processes have been streamlined so that an individual can lodge a complaint with the Commissioner or a recognised external dispute resolution service immediately upon receiving notice of a refusal to make the requested correction under clause 20U.  Accordingly, it is considered that a maximum period of 30 days in all but unusual cases should not present an unreasonable delay for the individual to have their correction request considered and resolved.

Where the personal information is corrected by the credit provider after consultation with another credit provider, then the notice obligations set out in clause 21W will operate.  Any interested party consulted must be given notice of the correction.  Those interested parties would be required to correct any personal information they hold or maintain to which the notice of correction relates by the operation of clause 20S (for a credit reporting body) or clause 21U (for a credit provider), which requires bodies or providers to ensure certain personal information they hold or maintain is not inaccurate, out-of-date, incomplete, irrelevant or misleading.

Subclause (3) deals with the process where the credit reporting body must consult so that it can be satisfied of the matter raised in the correction request.  A credit reporting body may consult an interested party, which is either or both of another credit reporting body or a credit provider about the individual’s request.  However, the credit reporting body can only consult an interested party that has an Australian link, consistent with the limitation of the credit reporting system to Australia.

Subclause (4) authorises the use or disclosure of personal information about the individual for the purposes of consultation under subclause (3).  As this information is being used or disclosed because it may not be correct, exceptions exist in other provisions in relation to quality obligations.

Subclause (5) states that the credit reporting body must not charge the individual for the making of the correction request or for correcting the information.



Clause 20U     Notice of correction etc must be given

This provision sets out the notice requirements that apply where the credit reporting body corrects, or does not correct, an individual’s personal information.

Subclause (1) states that this provision applies if an individual requests a credit reporting body to correct personal information under clause 20T.

Subclause (2) deals with notice requirements where a credit reporting body has corrected the individual’s personal information.  The credit reporting body must, within a reasonable time, give written notice of the correction to the individual, to any interested party that the body consulted about the individual’s correction request, and, where the information has been previously disclosed, to each recipient of the information (except where the disclosures were in relation to unsolicited information under subclause 20D(2) or the correction request under subclause 20T(4) - in the latter case, anyone consulted must in any event be given written notice).  However, subclause (4) states that notice to all recipients is not necessary if it is impracticable for the credit reporting body to give the notice.  It is expected that it would generally always be practicable for a credit reporting body to give the notice, as bodies must make written notes of any disclosures and they will also have agreements in place with the recipients of the information, for example to implement the requirements of subclause 20Q(2) on security.  It may be impracticable to give notice in situations where, for example, the recipient of the information has ceased trading.

Subclause (3) deals with notice requirements where a credit reporting body does not correct the personal information as requested.  The credit reporting body must, within a reasonable time, give the individual written notice: stating that the correction has not been made; setting out the body’s reasons for not correcting the information; and informing the individual that, if they are not satisfied with the body’s response to the request, the individual may access a recognised external dispute resolution scheme of which the body is a member or make a complaint to the Commissioner under Part V of the Act.  When the body sets out its reasons for not correcting the information, the body is required to include evidence substantiating the correctness of the information.  The kind of evidence that might substantiate the correctness of the information will depend on the circumstances and the kind of credit reporting information that is the subject of the correction request.  For example, evidence to substantiate a default listing should show that all the elements of the definition of default have been satisfied, including evidence around the timing the notice requirements, and other such matters.  Given that a default listing has a significant impact upon an individual’s credit worthiness, information about the steps taken by the credit provider to satisfy the requirements of the default definition would be necessary, as well as other relevant evidence.  This substantiation requirement means that the onus of proving the correctness of information that has been challenged by an individual rests with the body (which, through the consultation requirements in clause 20T, can obtain substantiation evidence from another body or credit provider).  
It is expected that this substantiation requirement will assist in resolving disputes quickly and efficiently, because if evidence substantiating the information cannot be produced it is very unlikely that the body would not be satisfied that the information should not be corrected as requested by the individual.  In such circumstances the general obligations to maintain accurate, up-to-date and complete information will operate in support of the obligations to correct the information.

Subclause (5) sets a general exception to the notice obligations in subclauses (2) and (3) if the credit reporting body is required by or under an Australian law or a court or tribunal order not to give the notice.

Subdivision G - Dealing with credit reporting information after the retention period ends etc

Clause 20V     Destruction etc. of credit reporting information after the retention period ends

Generally, personal information should be destroyed if it is no longer necessary for the purpose for which it was collected.  The very specific nature of the personal information in the credit reporting system and the significant privacy sensitivities around this personal information for individuals means that rules are necessary to limit the retention of the information to specific periods of time and to ensure the destruction, or de-identification, of certain kinds of personal information.

This provision sets out the rules requiring the destruction of credit reporting information after the retention period for the information has ended.  The retention periods are specified in clauses 20W and 20X.  There are different retention periods for different kinds of credit reporting information.  The requirement to destroy information applies to the particular information for which the retention period has ended.  This means that destruction obligations for different kinds of credit reporting information of an individual will require continual monitoring to ensure compliance with the destruction obligations.

Subclause (1) sets out the application rule for this provision.  The provision applies if the credit reporting body holds credit reporting information about an individual and the retention period ends.  However, as indicated in the note, there is no retention period for identification information or credit information that is specified in paragraph 6N(k), which refers to certain kinds of publicly available information.  Identification information is not subject to a specific retention period because it is necessary to identify the individual in relation to the other kinds of credit information.  However, where a credit reporting body is left with only identification information about an individual because all other information has been destroyed consistent with this provision, the credit reporting body can no longer collect any updated identification information under clause 20C.  It is expected the remaining identification information would be destroyed consistent with the obligations to maintain up-to-date records.

Different destruction rules apply to different credit information and CRB derived information (which together make up the credit reporting information).  Where the retention period for credit information has ended, subclause (2) requires the information to be destroyed or de-identified within one month of the end of the retention period.  Failure to comply with this obligation is subject to a civil penalty of 1000 penalty units.  Subclause (3) provides an exception to the destruction rule where, immediately before the retention period ends, there is a pending correction request or a pending dispute (under the complaints arrangements in Division 5 or Part V of the Act) in relation to the credit information.  Failure to comply with these exceptions is subject to a civil penalty of 500 penalty units.  Subclause (4) provides an exception from the destruction rule if the credit reporting body is required by or under an Australian law or a court or tribunal order to retain the information.

Subclause (5) sets out the destruction rule for CRB derived information.  A credit reporting body must destroy, or de-identify, any CRB derived information that was derived from the individual’s credit information in the circumstances described.  Where the CRB derived information is derived from two or more kinds of credit information, and at least one of those kinds of credit information must be destroyed or de-identified because the retention period has ended, then the CRB derived information must also be destroyed or de-identified at the same time.  The effect of this rule is that the retention period for CRB derived information will always be linked to the kind of credit information that has the shortest retention period and which was used to derive the CRB derived information.  For example, CRB derived information that is derived in part from repayment history information will be subject to the two year retention period for that kind of information, irrespective of whether the other kinds of credit information also used to derive the CRB derived information had longer retention periods.  In all other situations, paragraph (5)(b) provides that the CRB derived information is destroyed or de-identified at the same time as the credit information from which it is derived is destroyed or de-identified.  This rule applies to those situations where the CRB derived information is derived from only one kind of credit information.  Failure to comply with any of the obligations in this subclause is subject to a civil penalty of 1000 penalty units.

Subclause (6) provides an exception to the destruction rule for CRB derived information where, immediately before the retention period ends, there is a pending correction request or a pending dispute (under the complaints arrangements in Division 5 or Part V of the Act) in relation to the CRB derived information.  Failure to comply with these exceptions is subject to a civil penalty of 500 penalty units.  Subclause (7) provides an exception from the destruction rule for CRB derived information if the credit reporting body is required by or under an Australian law or a court or tribunal order to retain the information.

Clause 20W    Retention period for credit information - general

Clause 20W sets out the retention periods for credit information held by a credit reporting body that is not personal insolvency information (which is dealt with in clause 20X).  The items in the table describe the different kinds of credit information and the retention period for that information.  As noted above, no retention period is specified for credit information that is identification information about an individual or credit information that is specified kinds of publicly available information.

Item 1 of the table sets the retention period for consumer credit liability information, a defined term, at 2 years from the day on which the consumer credit to which the information relates is terminated or ceases to be in force.  This means consumer credit liability information can be retained for as long as the consumer credit to which it relates continues to run, and then for two years after that consumer credit has been terminated.  In some circumstances, depending on the type of credit, an individual may have no further repayment obligations but the credit may remain available for the individual to use at a later date.  This type of credit product would continue to be in force while credit remains available, and the relevant consumer credit liability information could continue to be held, until such time as the credit product is clearly terminated by closing the credit product so that credit is no longer available to the individual.  At that point the two year retention period would commence.

Item 2 of the table sets the retention period for repayment history information, a defined term, at 2 years from the day on which the monthly payment to which the information relates is due and payable.  This means that there is a rolling two year retention period for repayment history information.  Information on any particular monthly payment can be held for no more than two years.

Item 3 of the table sets the retention period for information requests (as described in paragraph 6N(d)) and the type and amount of credit sought in an application (as described in paragraph 6N(e)) at 5 years from the day on which the information request to which the information relates is made.

Item 4 of the table sets the retention period for default information (a defined term) at 5 years from the day that the credit reporting body collects the information.  It is necessary to link the retention period to the collection by the body because there is no other precisely defined date that is readily available to the credit reporting body.

Item 5 of the table sets the retention period for payment information (a defined term) at 5 years from the day on which the default information to which the payment relates is collected by the credit reporting body.  As the payment information directly relates to the default its retention is linked to the default.  It would not be possible to allow retention for a longer period (for example, retention for 5 years from the date of the payment) as this would effectively provide notice of the existence of a prior default even after the default itself could no longer be retained.

Item 6 of the table sets the retention period for new arrangement information as defined in subclause 6S(1) at 2 years from the day that the credit reporting body collects the default information to which the new arrangement relates.

Item 7 of the table sets the retention period for new arrangement information as defined in subclause 6S(2) at 2 years from the day that the credit reporting body collects the information about the opinion to which the new arrangement information relates.

Item 8 of the table sets the retention period for court proceedings information at 5 years from the day on which the judgement to which the information relates is made or given.  Note that the date of judgement may be earlier than the date that the judgement is reported or reasons published.

Item 9 of the table sets the retention period for information under paragraph 6N(l) that is an opinion of a credit provider that an individual has committed a serious credit infringement (a defined term) at 7 years from the day the credit reporting body collects the information.

Clause 20X     Retention period for credit information - personal insolvency information

Clause 20X sets out the retention periods for credit information that is held by a credit reporting body. The items in the table describe the different kinds of personal insolvency information and the retention period for that information.  For each kind of personal insolvency in the table two retention periods are given, the first retention period counted from the start of the personal insolvency (and in each case is 5 years) and the second retention period counted from the end of the personal insolvency (and the retention period varies depending on the type of personal insolvency).  In each case, the later of the two retention periods is the operative period.  The reason for including a retention period for the end of each kind of personal insolvency is to recognise the significant differences between the kinds of personal insolvency arrangements.  Depending on the kind of arrangement that an individual has entered, they may have made significant efforts to meet their obligations under the arrangement, while other individuals may have made no efforts.  These differences should be recognised in determining an individual’s credit worthiness.  The minimum period for the retention of any kind of personal insolvency information will be 5 years, as it is considered that this is an appropriate period to provide information to credit providers to allow them to assess credit risk but to then allow individuals to have the opportunity of a fresh start to their financial affairs at the end of this period.  However, the operation of the retention periods means that in appropriate cases the personal insolvency information may be retained for a longer period depending on the retention period permitted at the end of each kind of personal insolvency.

Item 1 of the table sets the retention period for information about the bankruptcy of an individual at the later of 5 years from the day the individual becomes bankrupt, or 2 years from the day the bankruptcy ends.

Item 2 of the table sets the retention period for information about a personal insolvency agreement (other than an agreement covered by item 3 of the table) at the later of 5 years from the day on which the agreement is executed, or 2 years from the day the agreement is terminated or set aside.

Item 3 of the table sets the retention period for information about a personal insolvency agreement in relation to which a certificate has been signed under section 232 of the Bankruptcy Act at the later of 5 years from the day on which the agreement is executed, or the day on which the certificate is signed.

Item 4 of the table sets the retention period for information about a debt agreement (other than an agreement covered by item 5 of the table) at the later of 5 years from the day the agreement starts, or 2 years from the day the agreement is terminated, or the whole agreement is declared void, under the Bankruptcy Act.

Item 5 of the table sets the retention period for information about a debt agreement that ends under section 185N of the Bankruptcy Act at the later of 5 years from the day the agreement starts, or the day on which the agreement ends.

Subclause (2) provides special rules for the retention of information about debt agreement proposals under the Bankruptcy Act.  Special retention rules are required because proposals are not yet debt agreements and there are various things that may happen to proposals under the Bankruptcy Act.  As soon as one of the things specified in paragraphs (a) to (d) happens in relation to the debt agreement proposal, the retention period ends.

Subclause (3) provides a special rule for the retention of personal insolvency information relating to a direction given, or an order made, under section 50 of the Bankruptcy Act, which deals with the control of certain property.  The retention period ends on the day the control of the property to which the direction or order relates ends.

Subclause (4) provides a special rule for the retention of personal insolvency information that relates to an authority signed under section 188 of the Bankruptcy Act.  The retention ends on the day on which the property to which the authority relates is no longer subject to control under Division 2, Part X of that Act.

Subclause (5) states an interpretation rule, which ensures that expressions used in this provision and in the Bankruptcy Act have the meaning set out in that Act.

Clause 20Y     Destruction of credit reporting information in cases of fraud

Clause 20Y sets out a special destruction rule for information in cases of fraud.  Clause 20K provides rules dealing with the use or disclosure of credit reporting information where an individual has been, or is likely to be, the victim of fraud.  In cases where the individual has been the victim of fraud and consumer credit was provided to someone other than the individual, the individual should not continue to have information about that fraudulently obtained consumer credit maintained as part of their credit reporting information.  However, as the information is about consumer credit that was supplied to someone purporting to be the individual, there may be uncertainty around how to deal with this information in the context of the rules set out in clauses 20N (about the quality of credit reporting information) and 20P (prohibiting the maintenance of false or misleading credit reporting information).  This provision sets out special rules to deal with this situation.

Subclause (1) sets out the circumstances under which this provision applies.  The credit reporting body must hold credit reporting information about an individual.  The information must relate to consumer credit that has been provided by a credit provider to the individual, or a person purporting to be the individual.  Finally, the body must be satisfied that the individual has been a victim of fraud and that the consumer credit was provided as a result of that fraud.  While it is for the body to be satisfied of these matters, the evidence necessary to satisfy the body of these matters should be appropriate in the circumstances.  For example, it is not expected that court-based evidence would be necessary in every case before the body was satisfied of these matters.  The appropriate evidence will depend on the circumstances of the fraud.

Where the requirements of subclause (1) have been satisfied, subclause (2) provides that the credit reporting body must destroy the credit reporting information.  Within a reasonable period of time after the information is destroyed, the body must also give the individual a written notice stating that the information has been destroyed and informing the individual that any third parties which received the information will be notified of the information’s destruction (as required by subclause (4)).  The body must also give the credit provider that provided the consumer credit as a result of the fraud a written notice stating that the information has been destroyed.  Breach of this provision is subject to a civil penalty of 1000 penalty units.

Subclause (3) sets out an exception to the destruction requirement in subclause (2).  The requirements of subclause (2) do not apply if the credit reporting body is required by or under an Australian law or a court or tribunal order to retain the credit reporting information.

Subclause (4) sets out notice obligations about the destruction of the information to third parties.  Where information has been destroyed under subclause (2), and the credit reporting body has previously disclosed the information to one or more recipients under Subdivision D of this Division, the body must within a reasonable period after the destruction notify those recipients of the destruction and that the body is satisfied the individual was a victim of fraud and that the consumer credit was provided as a result of that fraud.  This is a general obligation to notify all recipients and the individual does not need to request notification of third parties.  Breach of this provision is subject to a civil penalty of 500 penalty units.  Credit reporting bodies will have retained written notes of any disclosures of the information, as required by various provisions in Subdivision D, which will assist them to comply with this obligation.  Given the significance of credit reporting information to individuals and that decisions about an individual’s credit worthiness may be made based on that information in the future, it is important that notification of all previous recipients occurs so that they can satisfy their obligations to maintain the quality of the credit reporting information that they hold.

Subclause (5) provides an exception to subclause (4).  The requirements of subclause (4) do not apply if the credit reporting body is required by or under an Australian law or a court or tribunal order not to give the notification.

Clause 20Z     Dealing with information if there is a pending correction request etc

Clause 20Z sets out rules to deal with situations where there is a pending correction request or a pending dispute in relation to credit reporting information that may otherwise be subject to destruction under clause 20V.  In these circumstances it would not be appropriate to destroy the information.  However, given that the retention would, but for the operation of these exceptions, be contrary to the destruction obligations, it is important that the Commissioner be informed of the situation and have the opportunity to issue directions about what must be done with the information.  There is no similar provision for credit providers because they do not have any specific destruction obligations like those set out in clause 20V for credit reporting bodies.

Subclause (1) sets out the application of the provision.  The credit reporting body must hold credit reporting information about the individual and either subclause 20V(3) or 20V(6) must apply in relation to the information.  Subclause (2) requires the credit reporting body to notify the Commissioner as soon as practicable of this situation.  Breach of this notification requirement is subject to a civil penalty of 1000 penalty units.  Subclause (3) prohibits any use or disclosure of this information, breach of which is subject to a civil penalty of 2000 penalty units.  However, subclause (4) permits use or disclosure of the information if it is for the purposes of the pending correction request, or pending dispute, in relation to the information.  Use or disclosure of the information is also permitted if the use or disclosure is required by or under an Australian law or court or tribunal order.  If any use or disclosure occurs under subclause (4), then subclause (5) requires a written note to be made of that use or disclosure, subject to a civil penalty of 500 penalty units.  This is consistent with the general approach of requiring credit reporting bodies to make written notes of any uses or disclosures of credit reporting information.

Subclause (6) gives the Commissioner the power to direct, by legislative instrument, that the credit reporting body destroy the information, or ensure it is de-identified, by a specified day.  This power may be exercised by the Commissioner in appropriate circumstances to resolve the issue of whether the information should be destroyed or retained.  For example, in some instances an individual may agree to the destruction of the information without resolving their correction request on the basis that the information will no longer appear as part of their credit reporting information or have any impact upon decisions about their current or future credit worthiness.  Subclause (7) states that a credit reporting body must comply with a direction by the Commissioner given under subclause (6), and failure to do so is subject to a civil penalty of 1000 penalty units.

Subclause (8) clarifies the relationship of this provision to clause 20M, which deals with the use and disclosure of de-identified credit reporting information.  If a credit reporting body is directed by the Commissioner to de-identify the credit reporting information under subclause (6) then clause 20M will apply to that de-identified information.

Clause 20ZA  Dealing with information if an Australian law etc requires it to be retained

Clauses 20V and 20Y provide that credit reporting bodies must not deal with information in the ways otherwise specified in those provisions if they are required by or under an Australian law or a court or tribunal order not to so deal with the information.  Accordingly, clause 20ZA provides rules for how credit reporting bodies are to deal with any information that is subject to these directions by another Australian law or court or tribunal order.

Subclause (1) sets out the application of the provision.  This provision applies if a credit reporting body is not required to: destroy or de-identify credit information under subclause 20V(2) because of subclause 20V(4); destroy or de-identify any CRB derived information under subclause 20V(5) because of subclause 20V(7); or destroy credit reporting information under subclause 20Y(2) because of subclause 20Y(3).

If subclause (1) applies, subclause (2) states that the credit reporting body must not use or disclose the information, breach of which is subject to a civil penalty of 2000 penalty units.  Subclause (3) provides an exception from this general rule to permit any use or disclosure that is required by or under an Australian law or a court or tribunal order.  Subclause (4) requires the body to make a written note of any such use or disclosure, consistent with the general policy of requiring bodies to note uses or disclosures.  This is subject to a civil penalty of 500 penalty units.

Subclause (5) states that the obligations in relation to the integrity of information set out in Subdivision E (with one exception) do not apply in relation to the use or disclosure of the information.  However, the security obligations in clause 20Q continue to apply.  Subclause (6) states that the access and correction obligations set out in Subdivision F do not apply in relation to the information.  The purpose of these provisions is to clarify the application of these obligations to this information.  If another Australian law or court or tribunal order requires the credit reporting body to do, or not do, certain things in relation to the information, it would be inappropriate to apply the full set of obligations to this information.

Division 3 - Credit providers

Subdivision A - Introduction and application of this Division

Clause 21        Guide to this Division

This provision provides a guide to the Division.

Clause 21A     Application of this Division to credit providers

Clause 21A states that the Division only applies to credit providers in relation to: credit information; credit eligibility information; and CRB derived information. 

Credit reporting information that is disclosed by credit reporting bodies to credit providers becomes credit eligibility information (which also includes CP derived information) in the hands of credit providers.  For this reason credit providers are regulated in relation to credit eligibility information, rather than credit reporting information.  Credit information is also regulated because credit providers have a dual role of both supplying credit information into, and collecting credit reporting information from, the credit reporting system.

This Division provides requirements that apply to credit providers in relation to these categories of information.  While the APPs are completely replaced by the obligations for credit reporting bodies in Division 2, a different approach is taken for credit providers.  The requirements for credit providers set out in Division 3 may apply in addition to the APPs (where a credit provider is an APP entity).  Where any provision in this Division modifies or replaces an APP the relationship with the relevant APP will be made expressly clear in that provision.  Other provisions impose obligations that do not directly relate to the APPs and so are additional to the APP obligations.  Where an APP is not referred to in this Division then that APP will continue to apply to any information regulated by this Division and to credit providers that are APP entities in relation to that information.  For example, this Division does not specifically regulate the collection of the kinds of personal information that are included in the definition of credit information.  This means that APP 3 (dealing with the collection of solicited information) and APP 4 (dealing with the collection of unsolicited information) apply as appropriate and without modification to credit providers that are APP entities.

Credit providers have obligations in relation to these three categories of information.  While a credit provider may not hold CRB derived information, clause 21V imposes obligations on credit providers to provide assistance to an individual who wishes to correct credit information, CRB derived information, or CP derived information about the individual.  If the credit provider holds at least one of these categories of information they have certain correction obligations, and the ability to consult with another credit reporting body or credit provider as required.

To the extent that a credit provider handles any other personal information, the APPs will regulate the handling of that personal information by credit providers that are APP entities.

Subdivision B - Consideration of information privacy

Clause 21B     Open and transparent management of credit information etc.

Clause 21B is based on the obligations set out in APP 1, modified to apply specifically to credit providers and their handling of credit information and credit eligibility information.  The interaction of this provision with APP 1 is dealt with in subclause (7).

Subclause (1) states the object of the provision.

Subclause (2) imposes a general requirement on credit providers to take reasonable steps to implement practices, procedures and systems in relation to their functions or activities as a credit provider that will: ensure compliance with the requirements of the Division and the registered CR code; and enable them to deal with inquiries or complaints about their compliance.  It is anticipated that credit providers will demonstrate their compliance with this obligation by, for example, developing and maintaining training programs, staff manuals, standard procedures and any other relevant documents that demonstrate awareness of, and compliance with, their obligations under the Division and the registered CR code.  In addition, credit providers should be able to demonstrate that their business systems, such as their data management systems, comply with the requirements of the Division or the registered CR code.

Subclause (3) requires credit providers to have a policy dealing with their management of credit information and credit eligibility information.  The policy must be clearly expressed and up-to-date.

Subclause (4) provides a list of matters on which the policy must contain information.  The list is not exhaustive and the policy can, and should where necessary to satisfy the obligation set out in subclause (3), contain additional information.  The purpose of the list is to provide guidance to credit providers on information that the policy must contain which is likely to be directly relevant to individuals and their concerns about the information handling practices of credit providers.  It is not intended that the policy set out matters such as detailed operational or administrative procedures or the processes of internal data management systems, nor is it intended that the policy establish technical data handling standards.

Subclause (5) requires credit providers to take reasonable steps to make the policy publicly available.  Credit reporting bodies must take reasonable steps to make the policy available free of charge, and must make the policy available in an appropriate form - for example, on the website.

Subclause (6) ensures that the policy is readily available to the public.  While a credit provider may decide to make the policy available on their website, there may be circumstances where a person or body may wish to have the policy in a particular form - for example, in a different digital form that is more accessible for readers with a disability, or as a printed booklet.  Following any such request, credit providers must take reasonable steps to provide the person or body with a copy of their policy in the requested form.  It is expected that credit providers would not charge for making the policy available in the requested form.

Subclause (7) deals with the interaction of this provision with the APPs.  It makes clear that APPs 1.3 and 1.4 (which deal with privacy policies) do not apply to the credit provider in relation to credit information or credit eligibility information.  However, the APPs will continue to apply to the credit provider in relation to any other personal information.

Subdivision C - Dealing with credit information

Subdivision C sets out rules for credit providers in relation to credit information.  This is the information that credit providers disclose to credit reporting bodies into the credit reporting system.  Rules to deal with information that credit providers collect from the credit reporting system are set out in Subdivision D.

Clause 21C     Additional notification requirements for the collection of personal information etc.

Clause 21C sets out additional notification requirements for credit providers when they collect personal information that may be disclosed to a credit reporting body (only that personal information which falls within the definition of credit information may be disclosed).  Credit providers must notify individuals of certain matters about the credit reporting bodies to which they are likely to disclose information, and credit providers that are APP entities must also notify individuals of certain matters in relation to the credit provider’s credit reporting privacy policy.  The interaction of this provision with APP 5 is dealt with in subclause (2).

Subclause (1) applies where a credit provider collects personal information about an individual that is likely to be disclosed to a credit reporting body.  At or before the time of collection the credit provider must notify the individual of the name and contact details of the credit reporting body (or bodies, if the information may be disclosed to more than one body) and any other matters specified in the registered CR code.  Alternatively, rather than notifying the individual, the credit provider must otherwise ensure that the individual is aware of the matters specified.  Depending on the circumstances, other approaches may be more appropriate to inform the individual of this information, for example where the credit provider arranges for a third party to notify the individual.  Irrespective of the method used, the individual must be informed of these matters and it is expected that the information about the credit reporting body or bodies would subsequently be readily accessible to the individual for their reference.  It is intended that the registered CR code would include requirements to inform individuals of how their personal information will be handled in the credit reporting system.  This should include providing information that either includes, or allows the individual to readily access, the privacy policies of credit reporting bodies.  As required by clause 20B, the privacy policies of credit reporting bodies must include various matters that are of significance to individuals, including information about access, correction and complaints.  Other matters may also be addressed in the registered CR code.

Subclause (2) deals with the interaction of this provision with the APPs.  The obligations set out in subclause (1) apply in addition to the obligations imposed on a credit provider that is an APP entity by APP 5. 

The credit provider must have a credit reporting privacy policy, as required by clause 21B.  Subclause (3) sets out matters contained in the credit reporting privacy policy about which the credit provider must notify the individual or otherwise bring to the individual’s attention.  This specific notification requirement is to be read with the obligations imposed on a credit provider that is an APP entity by APP 5.

Clause 21D     Disclosure of credit information to a credit reporting body

Clause 21D controls the flow of credit information into the credit reporting system by regulating the disclosure of credit information by the credit provider to a credit reporting body.  As part of this regulation the provision restricts the credit reporting system to Australian participants and to credit provided, or applied for, in Australia.

Subclause (1) establishes a general prohibition on disclosure by a credit provider of credit information about an individual to a credit reporting body.  This prohibition operates irrespective of whether or not the credit reporting body carries on a credit reporting business in Australia.  This means that disclosure of credit information to a foreign credit reporting body is prohibited.  Breach of this provision is subject to a civil penalty of 2000 penalty units.

Subclause (2) provides an exception to the general prohibition in subclause (1) by permitting disclosures by certain credit providers to certain credit reporting bodies.  Before any disclosure can occur, the credit provider must be a member of a ‘recognised external dispute resolution scheme’ and must know, or believe on reasonable grounds, that the individual about whom credit information is to be disclosed is at least 18 years old.  Reasonable grounds will depend on the circumstances, but it is expected that satisfying this obligation would generally require the credit provider to have positively verified the individual’s age.  This requirement is consistent with the policy of not including personal information in the credit reporting system of individuals who are under 18, except in certain defined circumstances (see subclauses (4) and (5) and clause 20C which sets out the circumstances in which a credit reporting body can collect this information).  The credit reporting body to which the disclosure is to be made must be an agency or an organisation or small business operator that has an Australian link.  The term Australian link is defined by section 5B of the Act.  This provision operates to limit the disclosure of credit information to Australian ‘credit reporting bodies’.  In addition, the credit information that is disclosed must meet the requirements of subclause (3).  The note indicates that, even if these conditions are met, clause 21F provides additional limitations on the disclosure of credit information during a ban period (established under clause 20K) where an individual is the victim of fraud, including identity fraud.

Subclause (3) sets out the conditions with which credit information must comply before it can be disclosed to a credit reporting agency under subclause (2).  These conditions are based on the restrictions set out in clause 20C that apply to the collection of credit information by credit reporting bodies.

Paragraph (a) states that the credit information must not relate to an act, omission, matter or thing that occurred or existed before the individual turned 18.  However, subclause (4) permits identification information about an individual to be disclosed.  Clause 20C states that a credit reporting body can only collect identification information where it already holds, or collects at the same time, consumer credit liability information about the individual.  In addition, subclause (5) permits consumer credit liability information about an individual under 18 to be disclosed where the credit has not been terminated or otherwise ceased to be in force before the individual turned 18.  The issue of whether credit has been terminated or otherwise ceases to be in force will depend on the terms of the consumer credit.  Depending on the type of consumer credit, in some circumstances the individual may continue to have access to the credit after repaying the credit.  This means that the consumer credit would not be taken as terminated until the individual no longer had access to the credit.  Credit providers should clearly indicate to consumers the circumstances in which their credit will be terminated, and whether the consumer must take any action in addition to making the final repayment to terminate the credit.  There may be other circumstances in which the credit is terminated - for example, by a serious credit infringement.  The registered CR code will provide additional guidance on determining the day on which consumer credit is terminated and the other circumstances in which the consumer credit ceases to be in force.

Paragraph (b) says that any credit information that relates to consumer or commercial credit must relate to credit that is or has been provided, or applied for, in Australia.  Information about the foreign credit activities of individuals cannot be included in the credit reporting system.

Paragraph (c) establishes certain restrictions around credit information that is repayment history information.  It can only be disclosed if: the credit provider is a ‘licensee’ (and hence subject to responsible lending obligations under the National Consumer Credit Protection Act); the consumer credit liability information to which the repayment history information relates must also be, or have been previously, disclosed to the credit reporting body; and the credit provider must comply with any additional requirements in relation to the disclosure of the information prescribed by regulations.  It is expected that regulations will deal with matters such as how to determine whether a payment is a monthly payment and other relevant matters.

Paragraph (d) permits disclosure of credit information that is default information only where the credit provider has given the individual written notice stating the intention to disclose the default information to a credit reporting body, and a reasonable period has passed since the giving of the notice.  The purpose of this additional notification requirement is to ensure that credit providers have done everything reasonable to make individuals aware of the proposed default listing.  It would also provide individuals with one final opportunity to make overdue payments.  The reasonable period that must elapse between the giving of the notice and disclosing the default information to a credit reporting body will depend on the circumstances, and it is expected that additional guidance around the appropriate timeframes will be provided in the registered CR code.

Subclause (6) requires credit providers to make a written note of any disclosure of credit information under this provision.  This is consistent with the policy of requiring credit reporting bodies to make written notes of disclosures.  Certain other Acts set out circumstances in which credit reporting bodies must not make notes (see the note to clause 20E).  A similar note has not been inserted in this provision because there are no Acts which currently set out circumstances in which credit providers must not make a written note of disclosures.  If any such provisions were enacted in another Act in the future, then that other Act would operate to limit the making of written notes by credit providers.  The purpose of requiring notes is to provide a record of all disclosures.  To be an effective record, the written note should identify the date of the disclosure, the entity to which the credit reporting information was disclosed, the type of disclosure (including the specific provision under which the disclosure was authorised), the type of credit information that was disclosed (where this is not clear from the type of disclosure), and any other relevant information.  Written notes should be sufficiently associated with the credit reporting information of the relevant individual to ensure that individuals are able to obtain access to all written notes relating to their credit information.  Written notes do not themselves fall within the definition of credit information or credit reporting information.  However, as written notes would be personal information about an individual, a credit provider that is an APP entity will be subject to the general obligations set out in the APPs in relation to the written notes of disclosures.  A breach of this provision attracts a civil penalty of 500 penalty units.

Subclause (7) deals with the interaction of this provision with the APPs.  It makes clear that APPs 6 and 8 (which deal with use and disclosure and cross-border disclosures) do not apply to a credit provider that is an APP entity in relation to the disclosure of credit information to a credit reporting body.  However, these APPs will continue to apply to a credit provider that is an APP entity in relation to any other personal information the credit provider may hold (except for credit eligibility information, which is dealt with in Subdivision C).  In this regard, it is important to note that any personal information held by a credit provider that is an APP entity will always be subject to the protections available under the Privacy Act.  In general terms, the APPs will apply to the information, unless specific kinds of personal information are subject to different rules set out in the credit reporting provisions.

Clause 21E     Payment information must be disclosed to a credit reporting body

Clause 21E requires credit providers to disclose certain information about the payment of overdue credit obligations.  The purpose of this provision is to ensure that a person who subsequently makes an overdue payment that has been listed as a default has that payment recorded along with the relevant default as part of the individual’s credit information.  The payment information (which is a defined term) may be disclosed to credit providers (as permitted by Division 2) and will be available to assist credit providers to make decisions about an individual’s credit worthiness.

Where a credit provider has disclosed default information about an individual to a credit reporting body, and after the default information was disclosed the amount of the overdue payment was paid, the credit provider must disclose that payment information to the credit reporting body within a reasonable period after the payment is made.  It is expected that the registered CR code will provide guidance to assist in determining what is a reasonable period.  Failure to comply with this provision is subject to a civil penalty of 500 penalty units.

Clause 21F     Limitation on the disclosure of credit information during a ban period

Clause 21F is linked with provisions in Division 2 to provide a thorough response to identity fraud issues.  Clause 20K establishes a mechanism for individuals to deal with potential fraud, including identity fraud, by controlling the disclosure of their credit reporting information in certain circumstances.  Clause 20Y provides for the destruction of credit reporting information by the credit reporting body in cases of fraud. 

Clause 21F limits the disclosure by credit providers of credit information to credit reporting bodies during a ban period.  If a credit provider is unable to obtain access to an individual’s credit reporting information to assess an application for credit due to a ban period but proceeds to provide credit to a person purporting to be the individual, the credit provider cannot list any of the information about that credit as part of the individual’s credit information.  This is intended to ensure that credit providers take reasonable steps to identify a person during a ban period.

Subclause (1) sets out the circumstances in which this provision will operate.  The provision applies if: a credit reporting body holds information about an individual; a credit provider requests disclosure of the individual’s information to assess an application for consumer credit made by the individual or someone purporting to be the individual; the information cannot be disclosed because a ban period is in place; and during the ban period, consumer credit is provided to the individual or the person purporting to be the individual.

A credit reporting body is not prohibited from telling a credit provider whether or not it holds credit reporting information about an individual, nor is it prohibited from telling a credit provider that a ban period is in place in relation to an individual.  The purpose of these provisions is not to prevent a credit provider from knowing about the ban period, but to prevent access to the individual’s credit reporting information without the express consent of the individual.

If subclause (1) is satisfied, subclause (2) provides that the credit provider must not disclose to a credit reporting body any credit information that relates to consumer credit.  Breach of this prohibition is subject to a civil penalty of 2000 penalty units.

Subclause (3) states that the prohibition in subclause (2) does not apply if the credit provider has taken such steps as are reasonable in the circumstances to verify the identity of the individual to whom the provider intends to provide the credit.  The reasonable steps will depend on the circumstances in each case.

It is expected that further practical details around the operation of the provisions dealing with ban periods in cases of fraud would be covered in the registered CR code.  Matters that may be covered include: notifying the individual of the effect of the ban period and the circumstances in which the individual should be notified that the ban period is ending; the extension of the ban period; notification of credit providers of the ban period; and other relevant matters.

Subdivision D - Dealing with credit eligibility information etc.

Subdivision C sets out rules for credit providers in relation to credit eligibility information.  This category of information incorporates the credit reporting information that credit providers collect from the credit reporting system as well as any CP derived information.  Rules to deal with information that credit providers disclose to credit reporting bodies into the credit reporting system are set out in Subdivision B.

This Subdivision contains rules on uses and disclosures of credit eligibility information by credit providers, including rules that provide for disclosures to specific kinds of recipients.  This Subdivision also contains a rule providing for notification of the individual following a refusal of an application for consumer credit based wholly or partly on credit eligibility information about certain persons.

Clause 21G     Use or disclosure of credit eligibility information

Clause 21G sets out the general rules for the use or disclosure of credit eligibility information by credit providers.  This provision is based on the obligations and structure of APP 6, but has been significantly modified to apply specifically to credit providers and credit eligibility information.  Clause 21G is similar in structure to clause 20E, which deals with use and disclosure by credit reporting bodies of credit reporting information.

Subclause (1) establishes a general prohibition on the use or disclosure of credit eligibility information about an individual by a credit provider.  Breach of this prohibition is subject to a civil penalty of 2,000 penalty units.  Subclauses (2) and (3) provide exceptions for this general prohibition.

Subclause (2) sets out the permitted uses, which are exceptions to the prohibition on using credit eligibility information in subclause (1).  Paragraph (2)(a) provides that a credit provider is permitted to use credit eligibility information if the use is for a ‘consumer credit related purpose’ in relation to the individual.  ‘Consumer credit related purpose’ is a defined term and means that the use must be for the purpose of assessing an application for consumer credit made by the individual, or collecting payments that are overdue in relation to consumer credit provided to the individual.

Paragraph (2)(b) provides that a ‘permitted CP use’ in relation to an individual is allowed, and the permitted CP uses are set out in clause 21H.  Paragraph (2)(c) permits the use of credit eligibility information in relation to serious credit infringements.  The provider must believe on reasonable grounds that the individual has committed a serious credit infringement and the use of the information must be in connection with the infringement.  For example, the use may be to try to obtain updated identification information to check whether the individual has moved to a new address to allow the provider to try to contact the individual again.

Paragraphs (2)(d) and (e) also permit a credit provider to use credit eligibility information if the use is required or authorised by or under Australian law or a court or tribunal order, or the use is prescribed in the regulations.  The regulation-making power provides a means to permit any currently unforeseen but necessary uses that may arise in the future.  Additional uses will be permitted where the use can be shown to be in the public interest as well as being for the benefit of the individuals whose credit eligibility information would be used.  Appropriate public consultation with all relevant stakeholders would be undertaken when considering whether regulations prescribing any additional uses should be prepared.

Unlike APP 6, no secondary uses of credit eligibility information by a credit provider are permitted.  Only those uses expressly provided in subclause (2) and clause 21H are permitted.

Subclause (3) sets out the permitted disclosures, which are exceptions to the prohibition on disclosing credit eligibility information in subclause (1).  Paragraph (3)(a) provides that a credit provider does not breach this provision if the disclosure is a ‘permitted CP disclosure’ in relation to the individual.  ‘Permitted CP disclosure’ has the meaning given by clauses 21J to 21N, which set out a range of circumstances for permitted disclosures. 

The remaining paragraphs of subclause (3) set out specific permitted disclosures.  Paragraph (3)(b) permits disclosures of credit eligibility information to a related body corporate of the credit provider and the related body corporate must have an ‘Australian link’.  Paragraph (3)(c) permits disclosures to a person who manages credit provided by the credit provider.  The credit manager must not be acting as an agent of the credit provider and must have an ‘Australian link’ to ensure that the credit manager is not a foreign entity.  ‘Agents of credit providers’ is a concept defined in clause 6H, which treats agents as being the credit provider in the circumstances defined.  A credit manager is intended to be someone who is not acting as the credit provider’s agent but instead provides a service to the credit provider to manage credit accounts.  The kinds of services that may be performed by a credit manager will depend on the relationship with the credit provider and decisions made by the credit provider about how it will manage its credit accounts.  Recognizing that circumstances will vary, the term credit manager has not been defined. 

Paragraph (3)(d) permits disclosure of credit eligibility information to another credit provider that has an ‘Australian link’ and to enforcement bodies in relation to ‘serious credit infringements’.  Before making the disclosure the credit provider must believe on reasonable grounds that the individual has committed a ‘serious credit infringement’.  This provision will assist enforcement bodies in the investigation of alleged serious credit infringements.  It will also permit credit providers to alert other providers that they reasonably believe the individual has committed a serious credit infringement. 

Paragraph (3)(e) permits disclosures to external dispute resolution schemes that have been recognised by the Commissioner and of which a credit provider or credit reporting body is a member.  This provision is intended to ensure that external dispute resolution schemes can access relevant credit eligibility information, where appropriate, to assist in the resolution of complaints made by individuals about their personal information in the credit reporting system.

Paragraphs (3)(f) and (g) also permit a credit provider to disclose credit eligibility information if the disclosure is required or authorised by or under Australian law or a court or tribunal order, or the disclosure is prescribed in the regulations.  The regulation-making power provides a means to permit any currently unforeseen but necessary disclosures that may arise in the future.  As stated above in relation to the regulation-making power for uses of credit eligibility information, this power would be exercised where the disclosure is in the public interest, for the benefit of the individual, and following appropriate public consultation.

Subclauses (4) and (5) impose additional limitations where the proposed disclosure is credit eligibility information that includes, or was derived from, repayment history information.  Subclause (4) prohibits the disclosure of such information.  The civil penalty for breach of subclause (4) is 2,000 penalty units.  Subclause (5) provides for exceptions to this prohibition in specified circumstances.  Paragraph (5)(a) provides that this information can be disclosed if the recipient is another credit provider who is a ‘licensee’.  This is intended to ensure that repayment history information, or credit eligibility information that is derived from repayment history information, can only be disclosed to credit providers who are subject to responsible lending obligations under the National Consumer Credit Protection Act.  This restriction extends to credit eligibility information that was derived from repayment history information because it is considered appropriate that credit providers who cannot access repayment history information should not be able to indirectly obtain the benefit of that information through the possibility that credit providers could provide credit eligibility information that incorporates repayment history information in another form.  Paragraph (5)(b) provides an exception where the information is disclosed under clause 21L, which permits the disclosure of credit eligibility information to mortgage insurers in specified circumstances.  As mortgage insurers are underwriting the credit risk taken on by the credit provider in providing consumer credit, it is important that the mortgage insurers have access to the same information available to the credit provider to whom they are offering insurance.  Where this information includes repayment history information, a credit provider can disclose this information to the mortgage insurer for the mortgage insurance purpose as specified in clause 21L.  A mortgage insurer is prohibited from making any further disclosure of that information by clause 22C (except where that disclosure may be required or authorised by or under an Australian law or court or tribunal order).  Paragraph (5)(c) permits disclosure of the information to an enforcement body for the purposes of paragraph (3)(d) (where the disclosure is related to a serious credit infringement).  Paragraph (5)(d) permits disclosure for the purposes of paragraph (3)(e) (to a recognised external dispute resolution scheme) and for the purposes of paragraph (3)(f) (where the disclosure is required or authorised by or under an Australian law or a court or tribunal order).

Subclause (6) requires credit reporting bodies to make a written note of any use or disclosure of credit eligibility information under this provision.  Because subclause (2) includes permitted CP uses under clause 21H and subclause (3) includes permitted CP disclosures under clauses 21J to 21N, this means that written notes will need to be made of all these uses and disclosures.  The purpose of requiring notes is to provide a record of all uses and disclosures of credit eligibility information.  To be an effective record, the written note should identify the date of the use or disclosure, the type of use or disclosure (including the specific provision under which the disclosure is authorised), the entity to which the credit eligibility information was disclosed, the type of credit eligibility information that was disclosed (where this is not clear from the type of disclosure), and any other relevant information (for example, that an individual’s express consent to a disclosure under clause 21J was not in writing because of the circumstances set out in subclause 21J(2)).  In relation to identifying the type of credit eligibility information that was disclosed, a reader of the note should be able to determine whether all credit eligibility information relating to the individual was disclosed, and if not, what types of credit eligibility information were disclosed (for example, repayment history information).  Written notes should be sufficiently associated with the credit eligibility information of the relevant individual to ensure that individuals are able to obtain access to all written notes relating to their credit eligibility information.  Written notes do not themselves fall within the definition of credit information or credit eligibility information.  However, as written notes would be personal information about an individual, a credit provider that is an APP entity will be subject to the general obligations set out in the APPs in relation to the written notes of uses and disclosures.  A breach of this provision attracts a civil penalty of 500 penalty units.

Subclauses (7) and (8) both deal with the interaction of this provision with the APPs.  Subclause (7) makes clear that APPs 6 and 8 (which deal with use and disclosure and cross-border disclosures) do not apply to a credit provider that is an APP entity in relation to credit eligibility information.  Subclause (8) provides that, where the credit eligibility information is a government related identifier of the individual (for example, a driver’s licence number), APP 9.2 (which deals with the use or disclosure of such identifiers) does not apply.  However, these APPs will continue to apply to the credit provider in relation to any other personal information the credit provider may hold (except for credit information, which is dealt with above in Subdivision B).  In this regard, it is important to note that any personal information held by a credit provider that is an APP entity will always be subject to the protections available under the Privacy Act.  In general terms, the APPs will apply to the information if the credit provider is an APP entity, unless specific kinds of personal information are subject to different rules set out in the credit reporting provisions.

Clause 21H     Permitted CP uses in relation to individuals

This provision sets out the circumstances in which a use of credit eligibility information by a credit provider will be a ‘permitted CP use’ authorised by paragraph 135(2)(b).  This provision refers to the permitted disclosures of credit reporting information by a credit reporting body pursuant to the table in subclause 20F(1).  It is important to remember the data flows in the credit reporting system and the terms used to describe that data at different points in the system.  Credit reporting information about an individual disclosed by a credit reporting body will become credit eligibility information when the recipient credit provider collects it.  ‘Credit eligibility information’ is held by credit providers and is defined as credit reporting information or any ‘CP derived information’ about the individual.

The provision states that a use of credit eligibility information is permitted where the relevant credit reporting information was disclosed to the credit provider under the provision specified in column 1 of the table (that is, a provision from the table in subclause 20F(1) that permitted a credit reporting body to disclose the information) for the specified purpose.  In these circumstances, the use set out in column 2 of the table is permitted by the credit provider. The table lists six permitted CP uses.

Item 1 of the table provides that a disclosure of credit reporting information for the purpose of assessing an application for consumer credit made by the individual to the credit provider can be used for a ‘securitisation related purpose’ of the credit provider, or the information can be used for the internal management purposes of the provider that are directly related to the provision or management of consumer credit by the provider.  Essentially, the information that has been disclosed under this item can already be used under paragraph 21G(2)(a) for a ‘consumer credit related purpose’, so this item permits these two additional uses to be made of this information.  While item 6 also deals with uses for securitisation related purposes, item 6 applies to a different recipient.  In the case of item 1, the recipient is the credit provider who has assessed an application for credit and that credit provider is now engaging in securitisation activities.  Item 6 of the table, discussed further below, applies to securitisation entities that are, for the purposes of that activity, defined as a credit provider.  The other permitted purpose for which the information may be used under item 1 is internal management purposes of the credit provider that are directly related to the provision or management of consumer credit by the provider.  This will allow the provider to use the information for the purposes of deriving ‘CP derived information’ about the individual, to manage its relationship with the individual as well as to manage its credit business as a whole.  This would permit the credit provider to use the information for data management purposes, for example, or other activities necessary to run the consumer credit business of the provider.

Item 2 of the table permits information that has been disclosed to the credit provider for a particular ‘commercial credit related purpose’ to be used for that purpose.  This means the information can only be used for the purpose of assessing an application for commercial credit or to collect overdue payments in relation to commercial credit provided to the individual.  The table in subclause 20F(1) requires that the individual must have already expressly consented to the disclosure by the credit reporting body of the credit reporting information to the credit provider for this commercial credit purpose.  The requirement for express consent ensures that the individual is aware that their credit information will be used for a non-consumer credit purpose.

Item 3 of the table also refers to disclosures of credit reporting information made for a commercial credit purpose, but in this case the disclosure must be made for the specific purpose of assessing an application for commercial credit made by the individual to the provider, and the permitted use is not for assessing that application (which is dealt with in item 2 above) but instead is for the internal management purposes of the provider that are directly related to the provision or management of commercial credit by the provider.  This means that the information can be used by the credit provider for deriving information about the individual in relation to their commercial credit (similar to the category of information called ‘CP derived information’, but that category refers to consumer credit).  In this context derived information may mean a credit score in relation to the individual’s commercial credit worthiness.  Item 3 is limited to credit reporting information disclosed for the purposes of assessing the application and does not permit the use of information disclosed for the purpose of collecting overdue payments for internal management purposes in relation to commercial credit.  This limitation ensures consistency with the permitted uses in the consumer credit context.  Credit eligibility information which was disclosed for the purpose of assessing an application for commercial credit made by a person to the credit provider could also be used for other internal management purposes, such as data management.  Once again, the table in subclause 20F(1) requires that the individual must have already expressly consented to the disclosure by the credit reporting body of the credit reporting information to the credit provider.

Item 4 of the table provides that information that has been disclosed to the credit provider for a ‘credit guarantee purpose’ of the provider in relation to the individual can only (if directly related to the provision or management of commercial credit by the provider) be used for that ‘credit guarantee purpose’ or for the internal management purposes of the provider directly related to the provision or management of any credit by the provider.  This information can only be disclosed by the credit reporting body once the individual has expressly consented, in writing, to the use of the information for the credit guarantee purpose.  ‘Credit guarantee purpose’ is a defined term, and means the purpose of assessing whether to accept the individual as a guarantor in relation to credit provided to, or applied for by, another person.  In this context, it is the individual who is proposing to be the guarantor whose information is being disclosed.  This information can be used for internal management purposes directly related to any credit provided by the provider - both commercial credit and consumer credit.

Item 5 of the table permits information that has been disclosed to a current credit provider of an individual (that is, a credit provider who provides consumer credit to the individual that has not been terminated or otherwise ceased to be in force) to be used for the purpose of assisting the individual to avoid defaulting on his or her consumer credit obligations to the provider.  When read with item 5 in the table at subclause 20F(1) this provision has the effect of limiting the use of any information disclosed to assisting the individual to avoid defaulting on the individual’s consumer credit obligations to that credit provider.  It would not be consistent with the purpose of the credit reporting system for the provider to obtain regular disclosures from the credit reporting body simply to monitor or check an individual’s overall credit worthiness or behaviour.

Item 6 of the table permits information that has been disclosed to a credit provider for a securitisation related purpose of the credit provider in relation to the individual to be used for that particular securitisation purpose.  A ‘securitisation related purpose’ refers to assessing the risk of purchasing, by means of a securitisation arrangement, credit that has been provided to the individual or to a person to whom the individual is or proposes to be a guarantor.  The definition of the term also refers to assessing the risk in undertaking credit enhancement in relation to credit that has been provided to an individual (or a person to whom the individual is or may be a guarantor) through a securitisation arrangement.

Clause 21J      Permitted CP disclosures between credit providers

This provision sets out the circumstances in which a disclosure of credit eligibility information between credit providers will be a ‘permitted CP disclosure’ authorised by paragraph 21G(3)(a).  Four circumstances are identified where a credit provider can disclose information to another credit provider - where the individual consents; where the disclosure is to the agent of a credit provider; in relation to certain securitisation arrangements; and where the disclosure is in relation to mortgage credit secured by the same property - and these circumstances are subject to the specific requirements detailed in this provision.  The credit provider who collects credit eligibility information will be subject to any conditions set out in this provision in relation to that disclosure as well as any applicable general conditions imposed upon credit providers in relation to the use of credit eligibility information as set out in subclause 21G(2).  Similarly, both the disclosing and the using credit providers will be required to make written notes of their disclosures and uses consistent with the obligation imposed by subclause 21G(6).

Subclause (1) permits a disclosure of credit eligibility information in relation to an individual to another credit provider where the disclosure is for a particular purpose, the credit provider that is the recipient of the information has an Australian link, and the individual has expressly consented to the disclosure of the information to the recipient for the particular purpose.  The requirement that the recipient have an Australian link is consistent with the restriction of the credit reporting system to Australian entities and ensures that the credit provider is not a foreign entity.  The particular purpose of the disclosure will be limited by the permitted uses of a credit provider set out in subclause 21G(2).  The requirement for express consent is subject to the rules set out in subclause (2).  The express consent of the individual to the disclosure for the particular purpose must be given in writing.  The only exception to the writing requirement is where the disclosure is for the purpose of assessing an application for consumer or commercial credit made by the individual and the individual did not make the application for credit in writing.  This provision does not mean that the individual does not need to provide consent where the application was not in writing.  Instead, it means that where the individual’s application was not in writing the individual’s express consent also does not need to be in writing.  However, the individual must still provide express consent to the disclosure.  The consent of the individual (whether in writing or not) must be given to the credit provider who is to disclose the information or to the credit provider who will be the recipient of the information.  It is not necessary for the consent to be given to both credit providers.  Circumstances where the disclosing credit provider would be given the consent may include where the consent is not in writing.  This would enable the disclosing credit provider to confirm that the individual has provided express consent to the disclosure for the particular purpose.

Subclause (1) would not affect any practices credit providers may have in place to share other personal information, with appropriate consent from the individual, outside the credit reporting system where such practices are consistent with the obligations imposed by the APPs on credit providers in their capacity as APP entities.  However, the information sharing practices must comply with the requirements of this provision to the extent that any such information sharing practices include dealing with credit eligibility information (which, by operation of the definitions, includes ‘credit information’ and ‘CP derived information’).

Subclause (3) permits a credit provider that is acting as an agent to disclose credit eligibility information about an individual back to the credit provider that is the principal in the agency relationship.  The credit provider making the disclosure under this provision must be acting as an agent of another credit provider that has an Australian link.  The requirement that the credit provider have an Australian link is consistent with the restriction of the credit reporting system to Australian entities and ensures that the credit provider is not a foreign entity.  The credit provider making the disclosure under this provision must be a credit provider in the terms set out in subclause 6H(1), which sets out the rules for determining whether an organization or small business operator is an agent of a credit provider.  The final element in this provision that must be satisfied is that the credit provider (that is, the agent) must be making the disclosure in their capacity as an agent of the principal credit provider.  This provision recognises that there are different organizational structures in the credit industry and in some instances an entity is in fact a credit provider only because it is acting as the agent of a credit provider.  In such situations, the agent must be able to disclose information to the principal in the agent/principal relationship.  Such disclosures would otherwise be prohibited without this provision.

Subclause (4) permits a credit provider that is acting as a securitisation entity to disclose credit eligibility information about an individual back to the original credit provider that provided the credit to which the securitisation arrangements relate.  This provision permits certain disclosures to occur that are necessary due to securitisation relationships between entities and credit providers.  Such disclosures would otherwise be prohibited without this provision.  The credit provider making the disclosure must be a credit provider under subclause 6J(1), which deals with securitisation entities that are taken to be credit providers for the purposes of performing tasks necessary for a securitisation arrangement.  The original credit provider of the credit (or application for credit, as the case may be) to which the securitisation relates must have an Australian link.  The requirement that the credit provider have an Australian link is consistent with the restriction of the credit reporting system to Australian entities and ensures that the credit provider is not a foreign entity.  The original credit provider cannot be a credit provider by the operation of subclause 6J(1).  This provision is intended to break the chain of relationships between entities.  An entity that is only a credit provider because it is performing securitisation related tasks cannot then form a securitisation relationship with another entity and then claim that it is the original credit provider.  If any such relationships are entered, they will not satisfy the requirements for this provision to allow the disclosure of credit eligibility information.  The credit eligibility information that is the subject of the disclosure must be disclosed to the original credit provider or another credit provider that subclause 6J(1) defines as a credit provider in relation to that credit (and in this case, the other credit provider must have an Australian link).  The last requirement in this rule that must be satisfied for the disclosure to be permitted is that the disclosure of the information must be reasonably necessary for a securitisation purpose as set out in subparagraphs (4)(e)(i) and (ii).  The end result of this provision is that it permits disclosures between entities that are involved in a securitisation arrangement, as that relationship is defined in subclause 6J(1).

Subclause (5) permits a credit provider to disclose credit eligibility information about an individual to another credit provider that has provided mortgage credit to the individual secured by the same real property.  However, the disclosure is only permitted where the information relates to overdue payments.  As with the other provisions, the disclosure can only be to another credit provider that has an Australian link.  The requirement that the credit provider have an Australian link is consistent with the restriction of the credit reporting system to Australian entities and ensures that the credit provider is not a foreign entity.  Both credit providers must have provided mortgage credit in relation to which the same real property forms all or part of the security.  The individual must be at least 60 days overdue in making a payment in relation to the mortgage credit provided by either provider.  The final element of this rule that must be satisfied is that the information must be disclosed for the purpose of either provider deciding what action to take in relation to the overdue payment. 

Clause 21K     Permitted CP disclosures relating to guarantees etc.

This provision sets out the circumstances in which a disclosure of credit eligibility information relating to guarantees will be a ‘permitted CP disclosure’ authorised by paragraph 21G(3)(a).  This provision deals with disclosures of information about an individual in two situations: where the disclosure is to a person who is considering whether to offer to act as a guarantor for the person; and where the disclosure is to a person who is already a guarantor of the credit in relation to that individual for certain purposes in relation to that guarantee.

Subclauses (1) and (2) deal with disclosures to a person who is considering whether to act as a guarantor for an individual.  Subclause (1) provides that a disclosure of credit eligibility information about an individual by a credit provider is a permitted disclosure if the credit provider has provided credit to the individual or the individual has applied to the provider for credit.  The disclosure must be to a person for the purpose of that person considering whether to offer to act as a guarantor in relation to credit or to offer property as security for the credit.  The person (that is, the potential guarantor) must have an Australian link.  The requirement that the person have an Australian link is consistent with the restriction of the credit reporting system to Australia.  In addition, the individual whose information is to be disclosed must expressly consent to the disclosure to the person for that purpose.  Subclause (2) provides that the express consent must be given in writing unless the application for the credit that has been provided was not made in writing, or the application for the credit that is being considered was not made in writing.  In these circumstances, express consent is still required but the consent does not need to be in writing.  Disclosures in the circumstances prescribed are intended to provide the prospective guarantor with sufficient information to make an informed decision about the individual’s credit worthiness and whether to provide a guarantee for the individual.

Subclauses (3) and (4) deal with disclosures to an existing guarantor where the individual either: expressly consents to the disclosure; or the disclosure is for a purpose related to the enforcement, or proposed enforcement, of the guarantee.  Subclause (3) requires the disclosure to be to a person who is a guarantor in relation to credit provided by the provider to the individual, or who has provided property as security for the credit.  The person must have an Australian link, consistent with the restriction of the credit reporting system to Australia.  In addition, the individual must either expressly consent to the disclosure, or (where the person is a guarantor in relation to the credit) the disclosure is for a purpose related to the enforcement, or proposed enforcement, of the guarantee.  Subclause (4) provides that the express consent must be given in writing unless the application for the credit that was provided was not made in writing.  In these circumstances, express consent is still required but the consent does not need to be in writing.  Express consent is not required where the disclosure is related to the enforcement or proposed enforcement of the guarantee.

Clause 21L     Permitted CP disclosures to mortgage insurers

This provision sets out the circumstances in which a disclosure of credit eligibility information to mortgage insurers will be a ‘permitted CP disclosure’ authorised by paragraph 21G(3)(a).  Mortgage insurers require access to certain credit eligibility information to assess their risk in underwriting credit, and for this purpose it is also necessary for the mortgage insurer to have access to information that allows the mortgage insurer to assess the risk of the credit provider that is providing the mortgage credit, and the risk of individuals defaulting on the credit or being unable to meet their commitments under a guarantee.

Clause 21L permits a disclosure by a credit provider of credit eligibility information about an individual if it is to a mortgage insurer that has an Australian link, consistent with the restriction of the credit reporting system to Australia.  The disclosure must be for a ‘mortgage insurance purpose’ of the insurer in relation to the individual or for any purpose arising under a contract for mortgage insurance that has been entered into between the credit provider and the mortgage insurer.  A ‘mortgage insurance purpose’ is defined and, in summary, means for the purpose of assessing: whether to provide insurance to a credit provider in relation to mortgage credit; the risk of an individual defaulting on mortgage credit in relation to which insurance has been provided to the provider; or the risk of the individual being unable to meet a liability under a guarantee provided in relation to the mortgage credit of another person.

Mortgage insurers are subject to further obligations in Division 4 in relation to their privacy policies (clause 22A), notification requirements (clause 22B), and any further use and disclosure of information they have collected (clause 22C).

Clause 21M    Permitted CP disclosures to debt collectors

This provision sets out the circumstances in which a disclosure of credit eligibility information to debt collectors will be a ‘permitted CP disclosure’ authorised by paragraph 21G(3)(a).  Disclosures to debt collectors are permitted only in limited circumstances and the information that can be disclosed is also restricted.

Subclause (1) provides that the disclosure must be to a debt collector - that is, a person or body that carries on a business or undertaking that involves the collection of debts on behalf of others.  That person or body must have an Australian link, consistent with the restriction of the credit reporting system to Australia.  The disclosure of the information must be for a purpose directly related to the actual collection of payments that are overdue in relation to consumer credit provided by the provider to the individual, or commercial credit provided by the provider to a person.  However, the kinds of information that can be disclosed are restricted to those set out in subclause (2).

Subclause (2) restricts the kinds of credit eligibility information about an individual that can be disclosed to information that is: ‘identification information’; ‘court proceedings information’; ‘personal insolvency information’; or, where the disclosure is in relation to overdue consumer credit payments, ‘default information’.  However, default information can only be disclosed if the credit provider does not hold, or has not previously held, payment information about the individual that relates to that overdue payment.

Debt collectors that are APP entities must comply with the obligations set out in the APPs in relation to the handling of any information disclosed under this provision.  Debt collectors that are a small business for the purposes of section 6D of the Act may not be subject to the APPs, depending on the circumstances of that debt collector and the conditions set out in section 6D.

Clause 21N     Permitted CP disclosures to other recipients

This provision sets out the circumstances in which a disclosure of credit eligibility information to other recipients will be a ‘permitted CP disclosure’ authorised by paragraph 21G(3)(a).  The other recipients to which disclosures may be permitted are mortgage credit assistance schemes and certain entities in relation to the assignment of debts owed to the credit provider.