Save Search

Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Privacy Amendment (Enhancing Privacy Protection) Bill 2012

Bill home page  


Download WordDownload Word


Download PDFDownload PDF

 

 

 

 

2010-2011-2012

 

 

 

 

 

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

 

 

 

 

 

SENATE

 

 

 

 

 

PRIVACY AMENDMENT (ENHANCING PRIVACY PROTECTION) BILL 2012

 

 

 

 

 

SUPPLEMENTARY EXPLANATORY MEMORANDUM

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Amendments to be Moved on Behalf of the Government

 

 

(Circulated by authority of the Attorney-General,

the Honourable Nicola Roxon, MP)

 





PRIVACY AMENDMENT (ENHANCING PRIVACY PROTECTION) BILL 2012

OUTLINE

The Bill

The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (the Bill) amends the Privacy Act 1988 (the Privacy Act) to implement the Government’s first stage response to the Australian Law Reform Commission’s (ALRC) report number 108, called ‘For Your Information: Australian Privacy Law and Practice’ (ALRC Report).  The Bill implements the major legislative elements of the Government’s first stage response.

The Bill amends the Privacy Act to:

  • Create the Australian Privacy Principles (APPs), a single set of privacy principles applying to both Commonwealth agencies and private sector organisations (referred to as APP entities), which replace the Information Privacy Principles (IPPs) for the public sector and the National Privacy Principles (NPPs) for the private sector;
  • Introduce more comprehensive credit reporting with improved privacy protections, at the same time rewriting the credit reporting provisions to achieve greater logical consistency, simplicity and clarity and updating the provisions to more effectively address the significant developments in the operation of the  credit reporting system since the provisions were first enacted in 1990;
  • Introduce new provisions on privacy codes and the credit reporting code (called the CR code), including powers for the Commissioner to develop and register codes in the public interest that are binding on specified agencies and organisations; and
  • Clarify the functions and powers of the Commissioner and improve the Commissioner’s ability to resolve complaints, recognise and encourage the use of external dispute resolution services, conduct investigations and promote compliance with privacy obligations.

The Bill introduces a number of additional safeguards for the protection of privacy, including enhanced notification, quality, correction, and dispute resolution mechanisms for individuals.

The substantive elements of the reforms are contained in six schedules to the Bill.  Each schedule deals with a particular subject and related matters, including related definitions.  The schedules and their topics are:

  • Schedule 1 - Australian Privacy Principles
  • Schedule 2 - Credit reporting
  • Schedule 3 - Privacy codes
  • Schedule 4 - Other amendments of the Privacy Act 1988
  • Schedule 5 - Amendment of other Acts
  • Schedule 6 - Application, transitional and savings provisions

The Amendments

The Government is introducing certain amendments to items in Schedules 1, 2 and 4 of the Bill.  A number of these amendments respond to the recommendations of the Senate Legal and Constitutional Affairs Legislation Committee’s (the Committee) report into the Bill which was tabled on 26 September 2012. 

The amendments to Schedule 1 of the Bill respond to recommendations 1, 2, and 8 of the Committee’s report and will improve the effectiveness of the Bill.  These amendments:

·          Clarify the pseudonymity principle in APP 2 (recommendation 1);

·          Remove the word ‘prohibition’ from the subheading of APP 7 which deals with direct marketing, to more accurately reflect the content of the provisions (recommendation 2);

·          Add notes under those APPs that refer to ‘permitted general situations’ and ‘permitted health situations’ to provide useful cross references to the meaning of those terms (recommendation 8); and

·          Make a minor amendment to the provision dealing with medical research.

The amendments to Schedule 2 of the Bill respond to recommendations 10 and 15 of the Committee’s report.  The amendments to Schedule 2 will also address a number of additional stakeholder concerns.  These amendments:

·          Specify that at least 14 days must elapse from the giving of a written notice before a default is recorded as part of an individual’s credit reporting information (recommendation 10);

·          Broaden the de-identification provision to permit research to be generally about ‘credit’ (recommendation 15);

·          Redraft the ‘Australian link’ requirement to ensure credit providers can continue to undertake various offshore processing activities in relation to credit eligibility information, clarify the scope of the ‘managing credit’ and debt collection provisions and make a number of related changes (a more detailed summary of these ‘Australian link’ related provisions is provided below);

·          Permit credit reporting bodies to disclose repayment history information to mortgage insurers; and

·          Add regulation making powers to:

o    Allow prescribed credit providers that are not licensees, such as Indigenous Business Australia (IBA), to access repayment history information

o    Exempt prescribed credit providers, such as IBA, from certain obligations to be a member of an external dispute resolution (EDR) scheme, and

o    Allow additional relay services that may be developed in the future to be exempted from the requirements to obtain prior written authorisation where the prescribed service is used to assist an individual (an ‘access seeker’) to communicate for the purposes of obtaining access to their credit reporting information.

Clause 2 of the Bill is amended to extend the commencement period of the Bill to 15 months after Royal Assent.  The Government accepted in principle the Senate Committee’s recommendation to provide certainty around the commencement of the Bill, but, after further consultations with industry, has decided to extend the commencement period from 9 months to 15 months.  This longer commencement period will ensure industry has sufficient time to make necessary changes to their systems and procedures, provide an extended period for the Office of the Australian Information Commissioner (OAIC) to develop relevant guidelines, educational material and deal with other implementation matters, and provide time for the development, approval and registration of a Credit Reporting Code of Conduct (CR Code).

The amendments will also add a note to the civil penalty provisions in Schedule 4 of the Bill to clarify the matters that a court must consider in determining an appropriate penalty for multiple breaches of the Act.

Summary of Government amendments in relation to the ‘Australian link’ issue

Credit providers currently make disclosures to overseas recipients for a range of credit assessment and management purposes, including offshore call centres and data processing facilities.  Depending on the nature of the relationship with the credit provider, these overseas recipients may be a related body corporate to the credit provider, an agent of the credit provider, or a credit manager.  The ‘Australian link’ requirement which applies to disclosures of credit eligibility information may limit the ability of credit providers to make disclosures to overseas recipients.  It is not the Government’s policy to prevent existing cross-border disclosures of credit eligibility information that are currently permitted by the Privacy Act.  Accordingly, the Australian link requirement has been removed from a number of permitted disclosures by credit providers.  However, a new clause 21NA has been inserted to ensure that an Australian credit provider remains responsible for the acts or practices of any overseas entity to whom the credit provider discloses credit eligibility information.

Related to these amendments, to address cross-border disclosures of credit eligibility information, certain additional changes have been made.  These changes are to:

·          Clarify that a credit manager may also process an application for credit as well as manage credit provided by the credit provider;

·          Ensure that a credit provider’s privacy policy provides information about possible cross-border disclosures and the location of the overseas recipients, where it is practicable to specify those countries, and to ensure that a credit provider notifies an individual at or before the time of collection of their personal information of these matters.  These obligations are consistent with the general privacy policy and notification obligations set out in APPs 1.4 and 5.2;

·          Adjust the definition of ‘managing credit’ to clearly distinguish a credit manager from a debt collector, recognising that some credit management activities may relate to overdue payments but not take the form of debt collection activity, which is the role of debt collectors.  This clarification is important as the Bill restricts the types of personal information that can be disclosed to debt collectors for collections activities; and

·          Permit credit providers to disclose repayment history information to related bodies corporate and credit managers.

These provisions may apply to a credit provider’s agents or related bodies corporate.  The provisions are not intended to affect the law of agency or the law which determines when an entity is taken to be a related body corporate.

Financial Impact

These amendments will have negligible financial implications.

Acronyms and Abbreviations

Australian Law Reform Commission (ALRC)

Australian Privacy Principle (APP)

Credit Provider (CP)

Credit Reporting Body (CRB)

Credit Reporting Code of Conduct (CR Code)

External Dispute Resolution (EDR)

Indigenous Business Australia (IBA)

Information Privacy Principles (IPPs)

National Consumer Credit Protection (NCCP)

National Privacy Principles (NPPs)

Office of the Australian Information Commissioner (OAIC)

Privacy Act 1988 (the Privacy Act)

Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (the Bill)

Senate Legal and Constitutional Affairs Legislation Committee’s (the Committee)

NOTES ON CLAUSES

Amendments 1 to 6: Clause 2, Commencement

The table at clause 2 of the Bill sets out the commencement arrangements for the Bill.  Column 1 states the provision number, and column 2 provides the commencement arrangements for that particular provision.

The table provides that sections 1 to 3 and any other provision in the Act that is not provided for in the table commences on the day the Act receives the Royal Assent.  The table also provides that Items 156 and 162 of Schedule 5 and Parts 1 and 4 of Schedule 6 also commence on the day the Act receives the Royal Assent.

The table had made provision for variable commencement dates for certain provisions based on the actual commencement of certain other relevant Acts.  As these Acts have now commenced the table has been simplified in recognition of their commencement.

The majority of the new provisions have a deferred commencement.  This amendment changes the commencement period from 9 months to 15 months from the day after the Bill receives Royal Assent.  This change will provide agencies and organisations with sufficient time to prepare for the introduction of the new provisions, particularly for the credit reporting provisions.

Amendment 7: Schedule 1, Item 88, Guidelines on use of personal information for medical research

This technical amendment inserts the term ‘by agencies’ in the appropriate place in subsection 95(1) to ensure the intended meaning is achieved.  Item 88 will amend subsection 95(1) of the Privacy Act by clarifying that the CEO of the National Health and Medical Research Council may, with the approval of the Commissioner, issue guidelines for the protection of privacy by agencies in the conduct of medical research.  This clarifies that the privacy protection guidelines will apply to agencies, and confirms that the guidelines are not intended to apply to organisations.

Amendment 8: Schedule 1, Item 104, pseudonymity

This amendment clarifies the operation of Australian Privacy Principle (APP) 2.  It ensures that an APP entity is not required to comply with APP 2 where it is impracticable for the APP entity to deal with individuals who either have not identified themselves or who have used a pseudonym.

Amendment 9: Schedule 1, Item 104, note

This amendment inserts a cross reference at the end of APP 3.4 to section 16A for ‘permitted general situations’ and 16B for ‘permitted health situations’, to indicate that these sections contain additional information about the ‘permitted general situation’ and ‘permitted health situation’ concepts.  These are relevant to exceptions contained in APP 3.4(b) and (c).

Amendment 10: Schedule 1, Item 104, note

This amendment inserts a cross reference at the end of APP 6.2 to section 16A for ‘permitted general situations’ and 16B for ‘permitted health situations’, to indicate that these sections contain additional information about the ‘permitted general situation’ and ‘permitted health situation’ concepts.  These are relevant to exceptions contained in APP 6.2(c) and (d). 

Amendment 11: Schedule 1, Item 104, Australian Privacy Principle 7.1

This amendment changes the title of APP 7 to ‘direct marketing’ from ‘prohibition on direct marketing’ to ensure the heading more appropriately reflects the substance of the provisions.  APP 7 restricts direct marketing involving the use and disclosure of personal information by organisations, but does not prohibit direct marketing.

Amendment 12: Schedule 1, Item 104, note

This amendment inserts a cross reference at the end of APP 8.2 to section 16A for ‘permitted general situations’ and 16B for ‘permitted health situations’, to indicate that these sections contain additional information about the ‘permitted general situation’ and ‘permitted health situation’ concepts.  This is relevant to the exceptions contained in APP 8.2(d). 

Amendments 13 and 14: Schedule 1, Item 104, note

These amendments insert an additional note at the end of APP 9.2 containing a cross reference to section 16A for ‘permitted general situations’ and 16B for ‘permitted health situations’, to indicate that these sections contain additional information about the ‘permitted general situation’ and ‘permitted health situation’ concepts.  This is relevant to the exceptions contained in APP 9.2(d).

Amendment 15: Schedule 2, Item 39, Definition of ‘managing credit’

The term ‘managing credit’ is amended by removing the words ‘an act relating to the collection of’.  This has the effect of limiting the exception to ‘the act of collecting’.  The purpose of this amendment is to clarify the distinction between the act of collecting overdue payments and other credit management activities that may be related to an overdue payment.  Credit providers and their credit managers may undertake a range of activities once a payment becomes overdue, starting from providing the individual with a reminder that the payment is overdue.  The act of collecting overdue payments is an activity undertaken by debt collectors and it is at this point that the distinction with the activities of a credit manager is drawn.

This clarification is necessary because the definition of ‘managing credit’ is used to determine the appropriate functions of agents, credit managers, and debt collectors.  Consistent with existing limitations, clause 21M of the Bill limits the types of information that can be disclosed to a debt collector for the primary purpose of collecting an overdue payment.  Clarifying the definition of ‘managing credit’ assists in accurately delineating the operation of clause 21M.

Amendment 16: Schedule 2, Item 69, Definition of ‘access seeker’

This amendment provides that regulations may prescribe other persons to be excluded from the definition of access seeker.  This regulation making power will provide flexibility to allow additional persons to be excluded from the requirement to be authorised in writing.  For example, new technologies which are not provided by the National Relay Service may provide additional relay services to assist the deaf and hearing impaired.

Amendment 17: Schedule 2, Item 72, access to repayment history information

This amendment allows mortgage insurers, who are not licensees, to access repayment history information. Mortgage insurers have been included to ensure risk is not transferred to the mortgage insurer, as the underwriter of the loan, due to an imbalance in the level of information available to them as opposed to the credit provider.  The amendment also allows other credit providers who are not licensees to have access to repayment history information if they have been prescribed by the regulations.  It is intended that Indigenous Business Australia (IBA), an agency established by the Aboriginal and Torres Strait Islander Act 2005 that provides credit in certain circumstances, will be prescribed as an additional credit provider which can access repayment history information.  This is considered appropriate as IBA has been exempted from holding an Australian Credit Licence under the National Consumer Credit Protection (NCCP) Act 2009 , pursuant to NCCP Regulation 20(7).  This regulation provides that a public body or authority constituted under an Act of the Commonwealth is exempt from the obligations to be a licensee under the NCCP Act.  It is considered appropriate for IBA to have access to the credit reporting system on the same terms as any other credit provider that is a licensee.  It is expected that similar circumstances would exist in relation to any other organisation or type of organisation that is to be prescribed under the regulations.

Amendments 18 to 20: Schedule 2, Item 72, de-identified information

Clause 20M deals with the use or disclosure of credit reporting information that is de-identified.  The provision states that de-identified information can be used or disclosed for the purpose of conducting research in relation to ‘the assessment of the credit worthiness of individuals’.  These amendments simplify this requirement so that research must be in relation to ‘credit’.  To implement this change these amendments change each appropriate reference to ‘credit’.

Amendments 21 and 22: Schedule 2, Item 72, content of credit provider’s privacy policy

These amendments insert additional matters that must be contained in a credit provider’s policy.  These additional obligations are based on APP 1.4(f) and (g).

The insertion of clause 21NA makes clear that credit providers may, where they satisfy the requirements of clause 21NA, disclose credit eligibility information to an entity that does not have an Australian link.  Entities without an Australian link will be located overseas.  Types of overseas entities to which a credit provider may choose to disclose credit eligibility information may include a credit provider’s agents or related body corporates, as well as a credit provider’s credit managers or debt collectors.  Where a credit provider intends to disclose credit eligibility information to an entity without an Australian link, these amendments to clause 21B will require the credit provider to include in its privacy policy a statement that the provider is likely to disclose credit eligibility information to an entity that does not have an Australian link and, where this is likely to occur, the countries in which those entities are likely to be located if it is practicable to specify those countries.

Consistent with the obligations contained in clause 21B, these additional requirements will apply to both credit information as well as credit eligibility information.

Amendments 23 and 24: Schedule 2, Item 72, notification requirements

These amendments insert additional notification obligations which a credit provider must satisfy at, or as soon as practicable after, the collection of information.  These additional obligations are based on APP 5.2(i) and (j).

Clause 21NA makes clear that credit providers may, where they satisfy the requirements of the provision, disclose credit eligibility information to an entity that does not have an Australian link.  Entities without an Australian link will be located overseas.  Types of overseas entities to which a credit provider may choose to disclose credit eligibility information may include a credit provider’s agents or related body corporates, as well as a credit provider’s credit managers or debt collectors.  Clause 21C requires a credit provider to notify an individual of certain matters at or before the time of collection of personal information about the individual that is likely to be disclosed to a credit reporting body.  Where a credit provider intends to disclose credit eligibility information to an entity without an Australian link, these amendments to clause 21C will require the credit provider to notify the individual that the provider is likely to disclose credit eligibility information to an entity that does not have an Australian link and, where this is likely to occur, the countries in which those entities are likely to be located if it is practicable to specify those countries in the credit reporting policy.

Consistent with the obligations contained in clause 21C, these additional requirements will apply to both credit information as well as credit eligibility information.

Amendment 25: Schedule 2, Item 72, External Dispute Resolution requirements for credit providers accessing repayment history information

This amendment provides that regulations may permit prescribed credit providers who are not members of a recognised external dispute resolution scheme to disclose credit information to a credit reporting body.

Paragraph 6G(1)(d) defines credit provider to include an agency, organisation or small business operator that is prescribed by the regulations.  It is intended that Indigenous Business Australia (IBA), will be prescribed by the regulations pursuant to paragraph 6G(1)(d) as a credit provider.  IBA is exempt from holding an Australian Credit Licence under the NCCP Act, pursuant to NCCP Regulation 20(7).  This regulation provides that a public body or authority constituted under an Act of the Commonwealth is exempt from the obligations to be a licensee under the NCCP Act.  It is considered appropriate for IBA to have access to the credit reporting system on the same terms as any other credit provider that is a licensee.

This amendment will ensure that regulations may prescribe IBA for the purposes of this provision.  The regulation making power also provides the option of exempting other bodies from this requirement in appropriate circumstances.  For example, in some circumstances it may be appropriate to exempt commercial credit providers that only access consumer credit reporting from the requirement to be a member of a registered EDR scheme.

Amendment 26: Schedule 2, Item 72, access to repayment history information

This amendment provides that regulations may permit prescribed credit providers who are not licensees to disclose repayment history information to a credit reporting body.

As noted above in relation to amendment 25, it is intended that IBA will be prescribed by regulations as a credit provider.  IBA has been exempted from the requirement to be a licensee under the NCCP Act by NCCP Regulation 20(7).  It is considered appropriate for IBA to have access to the credit reporting system on the same terms as any other credit provider that is a licensee.  This amendment will ensure that regulations may prescribe IBA for the purposes of this provision to ensure that IBA can disclose repayment history information to a credit reporting body.

Amendment 27: Schedule 2, Item 72, time period before recording default information

This amendment implements recommendation 10 of the Senate Committee’s report.

Paragraph 21D(3)(d) permits a credit provider to disclose default information about an individual to a credit reporting body.  Before making such a disclosure, the credit provider must have given the individual a notice in writing stating the provider intends to disclose the information to the credit reporting body.  The provision also requires ‘a reasonable period’ must have passed since giving the notice before the default is disclosed.

This amendment removes the requirement that ‘a reasonable period’ must pass and replaces it with a requirement that at least 14 days must have passed since the giving of the notice before default information can be disclosed to a credit reporting body.  This provides certainty in relation to the minimum time period that must elapse.  However, there may be circumstances where a longer period would be reasonable and the credit provider can allow a longer period to elapse before disclosing default information.

Amendment 28: Schedule 2, Item 72, removing Australian link requirement for related bodies corporate

The requirement that a credit provider’s related bodies corporate have an Australian link is removed by this amendment.  Disclosure of credit eligibility information to a related body corporate without an Australian link must comply with clause 21NA.  In addition, a credit provider that discloses credit eligibility information to a related body corporate that does not have an Australian link will be responsible for the acts and practices of that related body corporate in relation to that credit eligibility information.

Amendment 29: Schedule 2, Item 72, credit managers

Clause 21G(3) permits credit providers to make disclosures of credit eligibility information in certain circumstances.  Paragraph (3)(c) permits disclosures to a person who manages credit provided by the credit provider.  This amendment removes the requirement that a credit provider must have an Australian link.  Disclosure of credit eligibility information to a credit manager under paragraph (3)(c) that does not have an Australian link must comply with the requirements set out in clause 21NA.  In addition, a credit provider that discloses credit eligibility information to a credit manager that does not have an Australian link will be responsible for the acts and practices of that credit manager in relation to that credit eligibility information.

The amendment also extends the paragraph to include a person who processes an application for credit made to the credit provider, as well as a person who manages credit provided by the credit provider.  This amendment is necessary because it is understood credit managers may be used to process an application for credit, as well as to manage credit that has been provided by a credit provider.

The exception of agents from the operation of this provision has been removed.  This means that the provision will apply in situations where a credit manager is considered to be an agent as well as in situations where the credit manager is not an agent of the credit provider.  This amendment ensures that a disclosure to a credit manager that does not have an Australian link will be subject to the requirements of clause 21NA, whether or not the credit manager is also an agent of the credit provider.  This also means that an agent that is a credit manager with an Australian link must also comply with clause 22E, which deals with the use or disclosure of information by credit managers.

Amendment 30: Schedule 2, Item 72, cross reference to 21NA

This amendment inserts a note at the end of subclause 21G(3) to provide a cross-reference to clause 21NA.  Clause 21NA will apply to disclosures under paragraphs (3)(b) or (c) where the recipient does not have an Australian link.

Amendment 31: Schedule 2, Item 72, credit managers etc

Subclause 21G(4) prohibits the disclosure of credit eligibility information that is, or was derived from, repayment history information.  Subclause 21G(5) provides exceptions to this prohibition.  This amendment inserts an exception for disclosures under paragraphs 21G(3)(b) or (c).  This means that credit eligibility information that is, or was derived from, repayment history information may be disclosed to a related body corporate of the credit provider or a credit manager of the credit provider that are not licensees, including where these entities do not have an Australian link.  However, clause 21NA will apply where the recipient does not have an Australian link.

Amendment 32: Schedule 2, Item 72, debt collectors

Clause 21M deals with permitted disclosures by credit providers to debt collectors.  This amendment removes the requirement that a debt collector must have an Australian link.  Disclosure of credit eligibility information to a person or body that collects debts on behalf of others that does not have an Australian link must comply with the requirements set out in clause 21NA.  In addition, a credit provider that discloses credit eligibility information to a debt collector that does not have an Australian link will be responsible for the acts and practices of that debt collector in relation to that credit eligibility information.

Amendment 33: Schedule 2, Item 72, debt collectors

This amendment limits the operation of clause 21M to those situations where credit eligibility information about an individual is disclosed to a debt collector for the primary purpose of collecting payments.  There may be a range of activities related to overdue payments that may be performed by a credit provider or a credit manager on behalf of the credit provider.  These activities may include issuing reminders about the overdue payment, contacting the individual about the overdue payment, and so on.  The purpose of this amendment is to ensure that the restrictions set out in subclause 21M(2) only apply where the information is disclosed at the point of collection activity in relation to debts that are due to the credit provider.  A disclosure to a body or entity that collects debts where the disclosure is for the primary purpose of collecting payments will be subject to the restrictions on the types of information that can be disclosed set out in subclause 21M(2).

Amendment 34: Schedule 2, Item 72, cross reference to 21NA

This amendment inserts a note at the end of subclause 21M(1) to provide a cross-reference to clause 21NA.  Clause 21NA will apply to disclosures to debt collectors that do not have an Australian link.

Amendment 35: Schedule 2, Item 72, new section 21NA, disclosures to certain recipients that do not have an Australian link

This provision has been inserted to deal with permitted disclosures of credit eligibility information to related bodies corporate (pursuant to paragraph 21G(3)(b)), credit managers, including persons that process an application for credit made to a credit provider (pursuant to paragraph 21G(3)(c)), or debt collectors (pursuant to subclause 21M(1)) where these recipients do not have an Australian link.  The purpose of this provision is to:

·          specify the obligations that must be met prior to any permitted disclosure to a recipient without an Australian link; and

·          provide that the credit provider is responsible for the acts or practices of that recipient in relation to the information that was disclosed, so that any act or practice of the recipient that would be a breach of their obligations is taken to have been done by the credit provider.

These provisions are based on the approaches to cross-border disclosures set out in APP 8.1 and clause 16C.  APP 8.1 generally permits cross-border disclosures of personal information, subject to the disclosing entity first taking such steps as are reasonable in the circumstances to ensure the overseas recipient does not breach the APPs (other than APP 1, which requires entities to have a privacy policy) in relation to the information that is disclosed.  Clause 16C deals with the acts and practices of overseas recipients of personal information where information has been disclosed subject to APP 8.1.  Where the overseas recipient does an act or practice that would be a breach of the APPs, the Australian entity is taken to be responsible for any such breach of the APPs.

Subclauses (1) and (2) apply to permitted disclosures made to related bodies corporate or credit managers.

Subclause (1) provides that, before a permitted disclosure is made under paragraph 21G(3)(b) (to a related body corporate) or (c) (to a credit manager) to a recipient that does not have an Australian link, the credit provider must take steps which are reasonable in the circumstances to ensure the recipient does not breach the specified provisions.  The overall effect of this requirement is that the recipient must not breach the APPs, as modified.  Clauses 22D and 22E already deal with the use or disclosure of personal information, including government related identifiers, by related bodies corporate and credit managers.  These provisions operate to take the place of APPs 6, 7 and 8 (which set out the general rules for the use and disclosure of personal information) and APP 9.2 (which deals with the use or disclosure of government related identifiers).  Clauses 22D and 22E will continue to apply, and in addition the remainder of the APPs must also apply, with the exception of APP 1.  APP 1 is excluded because it has been excluded from the operation of APP 8 and its exclusion in this context ensures consistency in the treatment of obligations to be imposed upon overseas recipients.

Subclause 21NA(1) imposes obligations on the credit provider to ensure the recipient of the information does not breach the relevant provisions.  However, consistent with the approach taken in APP 8.1, subclause 21NA(1) does not specify how compliance with the relevant provisions should be effected.  It is expected that contractual terms will underpin the disclosure from the credit provider to the recipient and that the contract will deal with the matters set out in subclause 21NA(1).  Credit providers will be responsible for ensuring compliance with the relevant provisions.  For example, APP 5, which deals with notification of the collection of personal information, must apply to the recipient.  APP 5.1 requires that an entity which collects personal information must take such steps (if any) as are reasonable in the circumstances to notify the individual of certain matters.  It will be a matter for the credit provider and the recipient of the information (the related body corporate or credit manager) to determine what, if any, steps to provide notification are reasonable in the circumstances.  For example, the credit provider that originally collects the information could notify individuals that credit eligibility information about them will be disclosed to the recipient and provide information about the matters set out in APP 5.2 in relation to the recipient’s handling of that information.  In such circumstances, it may be considered appropriate that no steps are necessary to provide further notification to the individual once the information is collected by the recipient.

Subclause (2) provides that a credit provider is responsible for the acts or practices of the recipient that may breach the relevant provisions.  The effect of subclause (2) is cumulative.  It applies where the recipient does not have an Australian link, and the relevant provisions of the Act do not already apply to the recipient, and the recipient does an act, or engages in a practice, in relation to the information that would be a breach of the relevant provisions.  In such a situation, the act or practice is taken to have been done, or engaged in, by the credit provider and to be a breach committed by the credit provider.

APP 8.2 does not apply to these disclosures, nor does clause 21NA contain any provisions based on APP 8.2.  Credit providers will remain responsible in every case for the acts and practices of any related body corporate, credit manager or debt collector to whom they disclose information where that recipient does not have an Australian link.

Subclauses (3) and (4) apply to permitted disclosures made to debt collectors.  These provisions are based on subclauses (1) and (2).  Disclosures to debt collectors are subject to certain restrictions set out in clause 21M.  These restrictions will continue to apply whether or not the debt collector has an Australian link.

Subclause (3) provides that, before a permitted disclosure is made under paragraph 21M(1) to a debt collector that does not have an Australian link, the credit provider must take steps which are reasonable in the circumstances to ensure the recipient does not breach the APPs, with the exception of APP 1.  APP 1 is excluded because it has been excluded from the operation of APP 8 and its exclusion in this context ensures consistency in the treatment of obligations to be imposed upon overseas recipients.  Unlike related bodies corporate or credit managers, the Bill does not provide specific rules dealing with the use or disclosure of personal information by debt collectors.  Accordingly, the credit provider must ensure the debt collector complies with the APPs.

Subclause 21NA(3) imposes obligations on the credit provider to ensure the debt collector does not breach the relevant provisions.  However, consistent with the approach taken in APP 8.1, subclause 21NA(3) does not specify how compliance with the relevant provisions should be effected.  It is expected that contractual terms will underpin the disclosure from the credit provider to the debt collector and that the contract will deal with the matters set out in subclause 21NA(3).  Credit providers will be responsible for ensuring compliance with the relevant provisions.  For example, APP 5, which deals with notification of the collection of personal information, must apply to the debt collector.  APP 5.1 requires that an entity which collects personal information must take such steps (if any) as are reasonable in the circumstances to notify the individual of certain matters.  As noted above in relation to subclause (2), it will be a matter for the credit provider and the debt collector to determine what, if any, steps to provide notification are reasonable in the circumstances.

Subclause (4) provides that a credit provider is responsible for the acts or practices of the debt collector that may breach the APPs.  The effect of subclause (4) is cumulative.  It applies where the debt collector does not have an Australian link, and the APPs do not already apply to the debt collector, and the debt collector does an act, or engages in a practice, in relation to the information that would be a breach of the APPs.  In such a situation, the act or practice is taken to have been done, or engaged in, by the credit provider and to be a breach committed by the credit provider.

APP 8.2 does not apply to these disclosures, nor does clause 21NA contain any provisions based on APP 8.2.  Credit providers will remain responsible in every case for the acts and practices of any related body corporate, credit manager or debt collector to whom they disclose information where that recipient does not have an Australian link.

Amendment 36: Schedule 2, Item 72, credit managers, etc

This is a minor amendment to the heading of section 22E to recognise that it also applies to a person who processes an application for credit made to a credit provider.

Amendment 37: Schedule 2, Item 72, credit managers, etc

This amendment removes the reference to managing credit.  Paragraph 21G(3)(c) now also applies to a person who processes an application for credit made to a credit provider and the reference to paragraph (3)(c) is sufficient.

Amendment 38: Schedule 2, Item 72, credit managers, etc

This amendment removes the reference to managing credit.  Paragraph 21G(3)(c) now also applies to a person who processes an application for credit made to a credit provider and the reference to paragraph (3)(c) is sufficient.

Amendment 39: Schedule 2, Item 72, credit managers, etc

This amendment makes certain that a credit manager is permitted to disclose information back to the credit provider to whom the person provides credit management services (which includes processing of credit applications, as set out in paragraph 21G(3)(c)).

Amendment 40: Schedule 2, Item 72, pecuniary penalty

This amendment adds a note at the end of section 80Z which confirms that, in determining a pecuniary penalty, the court must take into account all relevant matters, including the matters mentioned in subclause 80W(6).  These matters include:

·          The nature and extent of the contravention;

·          The nature and extent of any loss or damage suffered because of the contravention;

·          The circumstances in which the contravention took place; and

·          Whether the entity has previously been found by a court in proceedings under the Privacy Act to have engaged in any similar conduct.

This amendment confirms that the court should consider such matters when determining a penalty for multiple breaches of the Act under clause 80Z.