Commonwealth of Australia Explanatory Memoranda



PRIVACY AMENDMENT (ENHANCING PRIVACY PROTECTION) BILL 2012

2010 - 2011 - 2012

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

HOUSE OF REPRESENTATIVES

EXPLANATORY MEMORANDUM

(Circulated by authority of the Attorney-General,
the Honourable Nicola Roxon, MP)


OUTLINE

This Bill amends the Privacy Act 1988 to implement the Government's first stage response to the Australian Law Reform Commission's (ALRC) report number 108, called `For Your Information: Australian Privacy Law and Practice' (ALRC Report). Given the large number of recommendations, the Government announced that it would respond to the ALRC report in two stages. The Government's first stage response addressed 197 of the ALRC's 295 recommendations. The Bill implements the major legislative elements of the Government's first stage response.

The Bill amends the Privacy Act to:

· Create the Australian Privacy Principles (APPs), a single set of privacy principles applying to both Commonwealth agencies and private sector organisations (referred to as APP entities), which replace the Information Privacy Principles (IPPs) for the public sector and the National Privacy Principles (NPPs) for the private sector
· Introduce more comprehensive credit reporting with improved privacy protections, at the same time rewriting the credit reporting provisions to achieve greater logical consistency, simplicity and clarity and updating the provisions to more effectively address the significant developments in the operation of the credit reporting system since the provisions were first enacted in 1990
· Introduce new provisions on privacy codes and the credit reporting code (called the CR code), including powers for the Commissioner to develop and register codes in the public interest that are binding on specified agencies and organisations; and
· Clarify the functions and powers of the Commissioner and improve the Commissioner's ability to resolve complaints, recognise and encourage the use of external dispute resolution services, conduct investigations and promote compliance with privacy obligations.

The Bill introduces modifications to the Act as recommended by the ALRC.
The APPs set out standards, rights and obligations in relation to the handling and maintenance of personal information by APP entities, including dealing with privacy policies and the collection, storage, use, disclosure, quality and security of personal information, and access and correction rights of individuals in relation to their personal information. As recommended by the ALRC, the APPs and credit reporting provisions are structured to more accurately reflect the `life cycle' of personal information. The Bill introduces a number of additional safeguards for the protection of privacy, including enhanced notification, quality, correction, and dispute resolution mechanisms for individuals.

Structure of the Bill

The substantive elements of the reforms are contained in six schedules to the Bill. Each schedule deals with a particular subject and related matters, including related definitions. The schedules and their topics are:

· Schedule 1 - Australian Privacy Principles
· Schedule 2 - Credit reporting
· Schedule 3 - Privacy codes
· Schedule 4 - Other amendments of the Privacy Act 1988
· Schedule 5 - Amendment of other Acts
· Schedule 6 - Application, transitional and savings provisions

Schedule 1 - the Australian Privacy Principles

Schedule 1 of the Bill amends the Privacy Act to create the APPs, a single set of privacy principles applying to APP entities, a term that refers to both Commonwealth agencies and private sector organisations. To facilitate ease of reference to the APPs and minimise confusion around numbering that may result if they were sections of the Act, they are inserted as a schedule to the Act.

The APPs are grouped into five sets of principles:

1. Principles that require APP entities to consider the privacy of personal information, including ensuring that APP entities manage personal information in an open and transparent way (APP 1, APP 2)
2. Principles that deal with the collection of personal information, including unsolicited personal information (APP 3, APP 4, APP 5)
3. Principles about how APP entities deal with personal information and government related identifiers, including principles about the use and disclosure (including cross-border disclosure) of personal information and identifiers (APP 6, APP 7, APP 8, APP 9)
4. Principles about the integrity, quality and security of personal information (APP 10, APP 11)
5. Principles that deal with requests for access to, and correction of, personal information (APP 12, APP 13).

Schedule 1 also deals with a range of amendments relating to the APPs, including amendments to update or insert new definitions. One key term that has been updated is `personal information'. Schedule 1 also repeals Divisions 2 and 3 of Part III of the Act. These divisions provide for the application of the IPPs, the NPPs and approved privacy codes. The IPPs and NPPs will be replaced by the APPs. A new Part IIIB will be inserted into the Act dealing with privacy codes.
Schedule 2 - Credit Reporting

The Privacy Amendment Act 1990, which commenced in September 1991, extended the coverage of the Privacy Act to consumer credit reporting. The credit reporting provisions of the Privacy Act are contained in Part IIIA and associated provisions (the credit reporting provisions). The credit reporting provisions primarily regulate the handling and maintenance of certain kinds of personal information concerning consumer credit that is intended to be used wholly or primarily for domestic, family or household purposes.

The purpose of the credit reporting system is to balance an individual's interests in protecting their personal information with the need to ensure sufficient personal information is available to assist a credit provider to determine an individual's eligibility for credit following an application for credit by an individual, and for related matters. The credit reporting system provides an aid to credit providers in managing the risks of providing consumer credit to individuals. Only limited and defined kinds of relevant personal information are permitted in the credit reporting system.


The credit reporting system in Australia has been a `negative' reporting system. The main kinds of personal information permitted in the system were information about:

· a credit provider having sought a credit report regarding an individual in connection with an application for credit, and the amount of credit sought in the application
· an individual's current credit providers
· any credit defaults; and
· a credit provider's opinion that the individual has committed a serious credit infringement.

Schedule 2 amends the credit reporting provisions in the Privacy Act. The credit reporting provisions have been completely revised, consistent with the intention to ensure greater logical consistency, simplicity and clarity throughout the Privacy Act. The new provisions are based on the flows of personal information in the credit reporting system and also clearly address the interaction of the provisions with the APPs where relevant.

This schedule of the Bill implements the ALRC's recommendation to move to a `more comprehensive' credit reporting system. This means a limited number of additional kinds of credit related personal information about individuals are permitted in the credit reporting system. The five new kinds of personal information (also known in the industry as `data sets') are:

· the date the credit account was opened
· the type of credit account opened
· the date the credit account was closed
· the current limit of each open credit account; and
· repayment performance history about the individual.

The fifth kind of personal information, repayment history information, is only available to credit providers who are licensees under Chapter 3 of the National Consumer Credit Protection Act and subject to responsible lending obligations under that Chapter. In certain defined circumstances repayment history information is also available to mortgage insurers for mortgage insurance purposes.

Comprehensive credit reporting will give credit providers access to additional personal information to assist them in establishing an individual's credit worthiness. The additional personal information will allow credit providers to make a more robust assessment of credit risk and assist credit providers to meet their responsible lending obligations. It is expected that this will lead to decreased levels of over-indebtedness and lower credit default rates. More comprehensive credit reporting is also expected to improve competition and efficiency in the credit market, which may result in reductions to the cost of credit for individuals.

The new credit reporting provisions will provide additional consumer protections by enhancing obligations and processes dealing with notification, data quality, access and correction, and complaints. This includes measures to place greater responsibility on credit reporting bodies and credit providers to assist individuals to access, correct and resolve complaints about their personal information. Other measures that will benefit individuals include the introduction of specific rules to deal with pre-screening of credit offers and the freezing of access to an individual's personal information in cases of suspected identity theft or fraud.


Schedule 3 - Codes

Schedule 3 replaces the provisions dealing with privacy codes and the Credit Reporting Code of Conduct with a new Part IIIB dealing with codes of practice under the APPs (called APP codes) and a code of practice about credit reporting (called the CR Code).

An APP code may be developed by APP code developers (either at their own initiative or following a request from the Commissioner) or by the Commissioner. APP codes do not replace the APPs, but operate in addition to the requirements of the APPs. An APP code must set out how one or more of the APPs are to be applied or complied with. An APP code may also deal with other relevant matters, and may impose additional requirements to those imposed by the APPs so long as the additional requirements are not contrary to, or inconsistent with, the APPs. Once the APP code has been developed an application may be made to the Commissioner for registration of the code. The Commissioner then decides whether or not to register the APP code.

The Commissioner also has the power to develop an APP code. This power can only be exercised if the Commissioner has requested the development of an APP code and the request has not been complied with or the Commissioner has decided not to register the APP code that was developed as requested. The Commissioner may then register the APP code that was developed by the Commissioner. Any APP code that is registered will be a disallowable legislative instrument.

An APP entity that is bound by a registered APP code must not do an act, or engage in a practice, that breaches the registered APP code. A breach of the registered APP code will be an interference with privacy by the entity under section 13 of the Act and subject to investigation by the Commissioner under Part 5 of the Act. Registered APP codes can be varied or removed from the register.

The CR code is an essential part of the regulatory structure of the credit reporting system.
Accordingly, the Commissioner will request code developers to develop the CR code. The development process is based on that used for APP codes. The CR code must set out how one or more of the credit reporting provisions are to be applied or complied with, and deal with other matters. The CR code must bind all credit reporting bodies and must set out which credit providers or other entities (for example, mortgage insurers and trade insurers) are bound. The Commissioner can develop the CR code if the code developers do not develop the CR code as requested, or the Commissioner decides not to register the CR code that was submitted for registration. A breach of the registered CR Code will be an interference with privacy by the entity under section 13 and subject to investigation by the Commissioner under Part 5 of the Act. The registered CR code can be varied.

The Commissioner has certain functions and powers in relation to codes. The Commissioner must maintain the Codes Register, which contains the registered APP codes and registered CR code. The Commissioner may issue guidelines to provide assistance in the development of, and compliance with, APP codes and the CR code. The Commissioner may also make guidelines about matters the Commissioner may consider in deciding whether to register or vary an APP code or the CR code, or remove an APP code from the Register. The Commissioner may also review the operation of any registered codes.

Schedule 4 - Other amendments of the Privacy Act 1988

Schedule 4 inserts an objects clause into the Act, reforms the functions and powers of the Information Commissioner, and deals with related matters, including reform of the provisions on interferences with privacy. The amendments improve the Commissioner's ability to resolve complaints, recognise and encourage the use of external dispute resolution services, conduct investigations and promote compliance with privacy obligations. The amendments also restructure relevant provisions dealing with the powers and functions of the Commissioner to improve clarity and consistency in the provisions.

A new provision sets out the general functions of the Commissioner. This is followed by provisions which outline in greater detail the guidance related functions of the Commissioner, the monitoring related functions of the Commissioner, and the advice related functions of the Commissioner. Relevant definitions related to the functions and powers of the Commissioner are also amended.

Other amendments to the Commissioner's powers and functions made by Schedule 4 include:

· Clause 33C will enable the Commissioner to conduct an assessment of an APP entity's maintenance of personal information
· Clause 33E will allow the Commissioner to accept written undertakings by entities to take, or refrain from taking, specified actions to ensure compliance with the Act
· Clause 35A will give the Commissioner the power to recognise external dispute resolution schemes
· Clause 40A will deal with the conciliation of complaints by the Commissioner
· Item 90 will extend the Commissioner's power to make inquiries of persons other than the respondent to a complaint; and
· Clause 52(3A) will allow the Commissioner to include in a determination any order that is considered necessary or appropriate.

Schedule 4 also amends the provisions dealing with the extra-territorial operation of the Act. Subsection 5B(1) is amended to extend the extra-territorial operation of the Act and registered APP and CR codes to organisations and small businesses with an Australian link. The term `Australian link' is used to define the entities that are subject to the operation of the Act, and is used, for example, in APP 8 and throughout the credit reporting provisions.
A new section 13G is inserted, to provide a civil penalty for a serious or repeated interference with the privacy of an individual. Schedule 4 also inserts a new Part VIB, which deals with civil penalties.

Schedule 5 - Amendment of other Acts

Schedule 5 contains amendments to other Acts that are consequential to the amendments in Schedules 1 to 4 of the Bill. These amendments primarily replace references to the IPPs or NPPs with the APPs and insert new definitions, including certain credit reporting terms, in other Acts that interact with the Privacy Act.

Schedule 6 - Application, transitional and savings provisions

Schedule 6 contains amendments to address transitional issues relating to the commencement of the new provisions.

Financial Impact Statement

The Bill will have no significant impact on Commonwealth expenditure or revenue.

Regulation Impact Statement

A regulation impact statement is only required for the credit reporting measures contained in this Bill.


REGULATION IMPACT STATEMENT - CREDIT REPORTING REFORMS

Background, purpose and structure of the Regulation Impact Statement (RIS)

Background

In 2006 the then Australian Government asked the Australian Law Reform Commission (ALRC) to conduct an inquiry into the extent to which the Privacy Act 1988 (the Privacy Act) and related laws continue to provide an effective framework for the protection of privacy in Australia. In August 2008 the ALRC report For Your Information: Australian Privacy Law and Practice (108) (the ALRC Report) was publicly released. The ALRC Report contains 295 recommendations for reform of the Privacy Act and related legislation, including recommendations relating to reform of the consumer credit reporting provisions (Part IIIA of the Privacy Act).

Over a two year period, the ALRC released an Issues Paper and Discussion Paper to assist in informing its recommendations in the final report. In developing the consumer credit reporting recommendations, the ALRC formed a Credit Reporting Advisory Sub Committee made up of Treasury officials, consumer advocates, credit provider representatives and credit reporting agency representatives. The ALRC consulted widely with community groups and the business community, seeking written submissions and conducting a series of roundtables with individuals, agencies and organisations about consumer credit reporting.

The ALRC recommendations on credit reporting contain two significant proposals:

1. The current consumer credit reporting regime move to a system that includes `more comprehensive' consumer credit information, as follows:

   a. Recommendation 55-1: The new Privacy (Credit Reporting Information) Regulations should permit credit reporting information to include the following categories of personal information, in addition to those currently permitted in credit information files under the Privacy Act:
      i. the type of each credit account opened (for example, mortgage, personal loan, credit card);
      ii. the date on which each credit account was opened;
      iii. the current limit of each open credit account; and
      iv. the date on which each credit account was closed.

   b. Recommendation 55-2: Subject to Recommendation 55-3, the new Privacy (Credit Reporting Information) Regulations should also permit credit reporting information to include an individual's repayment performance history, comprised of information indicating:
      i. whether, over the prior two years, the individual was meeting his or her repayment obligations as at each point of the relevant repayment cycle for a credit account; and, if not,
      ii. the number of repayment cycles the individual was in arrears.

   c. Recommendation 55-3: The Australian Government should implement Recommendation 55-2 only after it is satisfied that there is an adequate framework imposing responsible lending obligations in Commonwealth, state and territory legislation.

   d. Recommendation 55-4: The credit reporting code should set out procedures for reporting repayment performance history, within the parameters prescribed by the new Privacy (Credit Reporting Information) Regulations.

   e. Recommendation 55-5: The new Privacy (Credit Reporting Information) Regulations should provide for the deletion of the information referred to in Recommendation 55-1 two years after the date on which a credit account is closed.

2. A new credit reporting Code of Conduct be developed by industry, as follows:

   a. Recommendation 54-9: Credit reporting agencies and credit providers, in consultation with consumer groups and regulators, including the Office of the Privacy Commissioner, should develop a credit reporting code providing detailed guidance within the framework provided by the Privacy Act and the new Privacy (Credit Reporting Information) Regulations. The credit reporting code should deal with a range of operational matters relevant to compliance.

Purpose

The purpose of this RIS is to determine whether the proposed policy objectives in Recommendations 55-1 to 55-5 and 54-9 should be accepted and if so, the form in which the recommendations should be accepted.

Structure

The RIS begins by providing background on the issue of consumer credit reporting and summarises previous reviews. It then provides background on the issue of a credit reporting Code of Conduct. The RIS is then broken into two parts. Part A considers comprehensive credit reform, while Part B considers a credit reporting code of conduct. The RIS examines the problems, options and impacts to determine the most effective and efficient regulatory approach in relation to both of these issues.


Background to Consumer Credit Reporting

The credit reporting system is intended to increase the efficiency of Australia's consumer credit market. As of June 2008, total consumer credit on issue, including securitisations, was $1113.4 billion. Of this, housing credit on issue stood at $957.9 billion and other personal credit on issue was $155.6 billion. The largest sector of consumer credit is residential mortgages, which are estimated to account for over 86 per cent of all consumer loans.[1]

Within the consumer credit market credit providers obtain credit reports from credit reporting agencies (CRAs) to assist in the assessment of credit applications with the aim of minimising the risk of customer defaults. CRAs collect information about individuals from credit providers and from publicly available sources (such as bankruptcy information obtained from the Insolvency and Trustee Service Australia). This information is used in generating credit reporting information for credit providers. Credit providers use this information when assessing credit applications, as it augments information obtained directly from an individual's application form, the credit provider's own records of past transactions involving the individual (if any), and any other enquiries the credit provider may choose to make.

Consumer credit reporting is regulated by Part IIIA of the Privacy Act. It regulates the types of personal information that may be collected and disclosed in the course of consumer credit reporting by a defined class of CRAs and credit providers. The Privacy Act allows for the collection and disclosure of `negative' credit reporting information. Subsection 18E(1) of the Privacy Act sets out a prescriptive list of information which may be included in a credit information file. This includes:

· a credit provider having sought a credit report in connection with an application for credit, and the amount of credit sought (inquiry information)
· a credit provider being a current credit provider in relation to the individual (current credit provider status)
· credit provided by a credit provider to an individual, where the individual is at least 60 days overdue in making a payment on that credit (default information)
· a cheque for $100 or more that has been dishonoured twice
· a court judgment or bankruptcy order made against the individual; and
· a credit provider's opinion that the individual has committed a serious credit infringement.

In Australia there are currently three CRAs active:

- Veda Advantage (Veda)
- Dun and Bradstreet (D&B); and
- Tasmanian Collection Service

Veda claims a market share of 96%[2] with a database of 16.5 million credit-active Australians.[3] It is understood that Veda has over 5000 subscribers which use its services, although these are not exclusively credit providers.[4] The next largest CRA, D&B, claims to have data on 2.8 million individuals in Australia and New Zealand.[5]

The circumstances in which CRAs can disclose personal information contained in a credit information file are specified in section 18K of the Act. In general terms, CRAs can only disclose to credit providers (which is defined by section 6 of the Act to include mortgage insurers and trade insurers). Section 11B of the Act sets out a more detailed definition of credit providers, which includes:

· banks
· any entity which provides loans or credit cards for a substantial part of its business or allows individuals to have goods or services on credit (more than seven days)
· an entity that provides loans (including by issuing credit cards), provided the Privacy Commissioner has made a determination in respect of such a class of entity
· a government agency that provides loans and is determined by the Privacy Commissioner to be a credit provider for the purposes of the Act
· a person who carries on a business involved in securitisation or managing loans that are subject to securitisation; or
· an agent of a credit provider while the agent is carrying on a task necessary for the processing of a loan application, or managing a loan or account with the credit provider.

The definition does not include debt collectors, real estate agents, employers and general insurers. CRAs are not permitted to provide credit reports to any organisations which do not fall within the definition of a credit provider.

National Reform of Consumer Credit Law

Australian Governments are working towards the reform of consumer credit law in Australia. COAG, the Council of Australian Governments, agreed in March and July 2008 to transfer consumer credit regulation to the Commonwealth. Subsequently, COAG agreed on 3 October 2008 to a two-stage plan to overhaul consumer credit laws.

The first stage of the plan includes the development of a national licensing scheme for the consumer credit industry, enacting the Uniform Consumer Credit Code as a Commonwealth law, and reforming key credit regulation laws. On 27 April 2009 the then Minister for Superannuation and Corporate Law, Senator Sherry, released the draft National Consumer Credit Protection Bill 2009 (the NCCP Bill) for public comment. The NCCP Bill was introduced into the Australian Parliament on 25 June 2009.[6]

Amongst other things, the NCCP Bill proposes new responsible lending obligations for all consumer credit in Australia. ALRC Recommendation 55-3 suggested the Government only permit repayment performance history in the credit reporting system if responsible lending obligations were introduced. The NCCP Bill introduces a set of responsible lending conduct requirements, which set a standard of expected behaviour for credit providers when they enter into a credit contract, or when they suggest a credit contract to a consumer or provide assistance to a consumer to apply for a credit contract. Compliance with the responsible lending laws will require an assessment and verification of a consumer's credit needs and financial circumstances, including that the consumer has the capacity to repay the financial obligations.

Past Reviews of Credit Reporting

The question of whether more comprehensive credit reporting (also known as positive reporting) should be introduced into Australia has been actively considered since the enactment of the credit reporting system in 1988. Following is a summary of these proposals and reviews.

Credit Reference Association of Australia (CRAA) proposal

In 1988 the CRAA stated it would augment its collection of credit reporting information by including information about the current credit commitments of individuals. The proposal was named the Payment Performance System (PPS).[7] Under the PPS credit providers would supply CRAA with tapes containing their customers' credit accounts which would be merged with existing data every 30 to 60 days. The data would be placed in credit reports containing a complete listing of all a consumer's credit accounts, balances owing, and payment performance on every account during the previous 24 payment periods. It was proposed that payments 120 days or more overdue would automatically generate a default report. The CRAA's proposal was rejected by the then Government on the grounds that it was a form of `positive reporting' which was too intrusive to the privacy of individuals.

[1] National Consumer Credit Protection Bill 2009 Executive Memorandum, p. 363 at 10.3
[2] `Veda Advantage responds to ALRC Privacy Review proposal', Wot News, accessed 9 July 2009, from
[3] Veda Advantage, `About Us', accessed 23 July 2009, from <http://www.vedaadvantage.com/about-veda/au_our-data.dot>
[4] ALRC report at paragraph 55.21
[5] Dun & Bradstreet, `Company profile', accessed 23 July 2009, from <http://dnb.com.au/Header/About_Us/Company_profile/index.aspx#DB_Australia_and_New_Zealand>
[6] Announced by the Minister at: http://ministers.treasury.gov.au/DisplayDocs.aspx?doc=pressreleases/2009/002.htm&pageID=003&min=ceba&Year=&DocType=0, viewed 18 September 2009.
Financial System Inquiry (Wallis Report) Proposal (1997) The Wallis Report stated that it was not in a position to assess whether the benefits of positive credit reporting outweighed the costs, but considered the potential benefits warranted a complete review of the issue. The Wallis Report recommended that the Attorney-General establish a working party to review the existing credit provisions of the Privacy Act.8 No information is available on whether the recommended review occurred. Senate Legal and Constitutional References Committee In 2005 the Senate Legal and Constitutional References Committee reported on aspects of credit reporting as part of its inquiry into the Privacy Act. The Committee's report, The Real Big Brother: Inquiry into the Privacy Act 1988, found that no reform of the credit reporting provisions of the Privacy Act was required. The Committee recommended against introducing positive credit reporting in Australia, stating that9: the experience with the current range of credit information has shown that industry has not run the existing credit reporting system as well as would be expected and it is apparent injustice can prevail. As mentioned elsewhere in this report, positive reporting is also rejected on the basis that it would magnify the problems associated with the accuracy and 7 ALRC report paragraph 52.34 8 ALRC report paragraphs 55.20 - 21, quoting Financial System Inquiry Committee, Financial System Inquiry Final Report (1997). 9 ALRC report paragraph 55.23, quoting Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005). 10


integrity of the current credit reporting system. The privacy and security risks associated with the existence of large private sector databases containing detailed information on millions of people are a major concern. The Australian Government's response to the Senate Committee's recommendation concerning credit reporting and stated that review of the credit reporting provisions would be included in the reference to the ALRC to review privacy law in Australia. Senate Economics Committee The Senate Economics Committee also considered the issue in its 2005 report Consenting Adults, Deficits and Household Debt: Links between Australia's Current Account Deficit, the Demand for Imported Goods and Household Debt. The Committee stated that it was not persuaded to take a different view to that expressed by the Senate Legal and Constitutional References Committee on the basis that10: · credit providers were not making full use of the information available to them; and · defaults in the credit card market and other signs of financial distress were very low and did not justify a move to positive credit reporting. Victorian Consumer Credit Review The 2006 Consumer Credit Review examined comprehensive credit reporting as part of a broad review of the efficiency and fairness of the operation of credit markets and the regulation of credit in Victoria. The Consumer Credit Review rejected a form of more comprehensive credit reporting on the basis that there were unanswered questions as to whether the benefits outweighed the costs. However it recommended that further research and analysis be undertaken on the effects of comprehensive credit reporting. 
House of Representatives Standing Committee on Economics

In November 2008, after the publication of the ALRC Report, the House of Representatives Standing Committee on Economics' Inquiry Into Competition in the Banking and Non-Banking Sectors recommended that the Government implement the ALRC's recommendations on reforming Australia's credit reporting system. In particular, the report considered the effect of comprehensive credit reporting and concluded that adopting a comprehensive credit system would provide competitive advantages to both businesses and individuals. The report referred to The Treasury's findings, which noted that the current negative credit reporting model may represent a barrier to competition as it prevents new entrants and smaller existing lenders from obtaining comprehensive information on a prospective customer's ability to service a loan and that only a `customer's existing lender...has access to the borrower's repayment history'.11

Background to Credit Reporting Code of Conduct

Section 18A of the Privacy Act requires the Privacy Commissioner to issue a Code of Conduct relating to credit information files and credit reports. The Privacy Commissioner is

10 ALRC report paragraph 55.25
11 House Standing Committee on Economics: Inquiry into competition in the banking and non-banking sectors http://www.aph.gov.au/house/committee/economics/banking08/report/Fullreport.pdf at 3.138 accessed 16/07/09


required to consult with government, commercial, consumer and other relevant bodies and organisations before issuing the Code of Conduct. The Code of Conduct should deal with:
· the collection of personal information for inclusion in individuals' credit information files
· the storage of, security of, access to, correction of, use of and disclosure of personal information included in individuals' credit information files or in credit reports
· the manner in which credit reporting agencies and credit providers are to handle disputes relating to credit reporting; and
· any other activities, engaged in by CRAs or credit providers, that are connected with credit reporting.

The Privacy Commissioner issued the Credit Reporting Code of Conduct in 1991. The Code supplements Part IIIA on matters of detail not addressed by the Privacy Act. Among other matters, the Code requires credit providers and CRAs to:
· deal promptly with individual requests for access to and amendment of personal credit information, for example by prescribing specific timeframes within which requests must be dealt with
· ensure that only permitted and accurate information is included in an individual's credit information file
· keep adequate records of any disclosure of personal credit information
· adopt specific procedures in settling credit reporting disputes; and
· provide staff training on the requirements of the Privacy Act.

In this way the Code supplements Part IIIA of the Privacy Act and creates a set of legally binding rules. Subsection 18A(4) states that the Code of Conduct is a disallowable instrument. Section 18B of the Act requires CRAs and credit providers to comply with the Code of Conduct.

The term `credit providers' is defined in section 11B of the Privacy Act.
The definition extends to an organisation that is, among other things, a:
· bank
· corporation, a substantial part of whose business or undertaking is the provision of loans
· corporation that carries on a retail business in the course of which it issues credit cards; or
· corporation that provides loans and is included in the class of corporations determined by the Privacy Commissioner to be credit providers for the purposes of the Privacy Act.

The term `loan' is defined in section 6(1) of the Privacy Act to mean a contract, arrangement or understanding under which a person is permitted to defer payment of a debt, and includes a hire-purchase agreement or an agreement for the hire, lease or renting of goods or services.

The Privacy Commissioner has issued two determinations in relation to the definition of credit provider. These are the Credit Provider Determination No. 2006-4 (Classes of Credit Providers) and the Credit Provider Determination No. 2006-3 (Assignees). These


determinations state circumstances in which corporations are to be regarded as credit providers. They include situations where corporations make loans in respect of the provision of goods or services on terms that allow the deferral of payment, in full or in part, for at least seven days.

The operation of the Privacy Act and the Privacy Commissioner's Determinations means that the type of corporations that may be included within the definition of credit provider has been considerably expanded. Submissions to the ALRC recognised that organisations which are retailers or service providers, such as video store operators or legal and healthcare service providers, may fall within the definition of credit provider if they extend payment terms for seven days or more.12 In some situations, organisations that would otherwise be small businesses may be caught by the operation of the credit reporting provisions.

12 ALRC Report paragraph 54.112


PART A: Comprehensive Credit Reporting

1. Problem

1.1 Greater access to independent credit information

A key objective of credit reporting is to facilitate consumer credit transactions by encouraging transparency in the market and providing access to standardised, reliable and timely information about an individual's credit risk.13 A significant concern in the consumer credit industry is that the existing credit reporting system does not sufficiently address the information asymmetry between credit providers and potential borrowers. Information asymmetry occurs where the credit provider does not know the full credit history of an individual applying for credit and therefore the individual has more information about his or her credit risk than the credit provider. This can result in adverse selection, where a credit provider, operating in response to information asymmetry, prices credit based on the average credit risk of individuals.14 The credit reporting system attempts to address this information asymmetry by providing an independent source of information that can assist in the assessment of an individual's credit application.

The present credit reporting system in Australia is a negative credit reporting system, as opposed to the `positive' credit reporting system permitted in other countries. The difference between the two systems is the type of personal information which is permitted to be collected. Negative reporting limits the collection of personal information to that which relates to an individual's credit delinquency, such as defaults on payments or dishonoured cheques, and inquiries on the credit record. Positive credit reporting permits the collection of personal information which demonstrates an individual's credit account activity, such as the timeliness of payments, account type, the credit limit and the amounts of credit liabilities.
However, the terms positive reporting and negative reporting are not clearly defined and can be confusing. The ALRC uses the term `comprehensive credit reporting' to describe the inclusion of additional information which would feature in a positive credit reporting system.

The credit reporting industry argues that Australia's current credit reporting system provides insufficient credit history information about an individual. It argues this may cause credit providers to incorrectly assess the risk premium of individuals when they apply for credit, with the following consequences:
· granting credit, or higher amounts of credit, to individuals who cannot afford to meet their repayment obligations
· not granting credit, or less credit than desired, to individuals who can afford to meet their repayment obligations.

Industry stakeholders argue that the lack of more comprehensive information may mean they are unaware that an individual's circumstances, and therefore their ability to repay, have changed. Credit providers are forced to place a lot of emphasis on the information currently contained in credit reports, such as default listings, which does not accurately reflect an individual's credit risk. A minor default is recorded for a period of 5 years after the event, but information about an individual's changed circumstances, such as evidence of consistent and timely repayment of debts, is not recorded. Overall, it is argued there is an information asymmetry which results in the mis-pricing and mis-allocation of credit.15 In consultations industry stakeholders have suggested that the absence of more

13 M Miller, Credit Reporting Systems and the International Economy, 2003, p 410.
14 ALRC Report paragraph 52.17
15 Dun & Bradstreet, Submission to Senate Economics Reference Committee Inquiry into Possible Links between Household Debt, Demand for Imported Goods and Australia's Current Account Deficit, March 2005


comprehensive credit reporting may affect the price of credit (both in the consumer credit market as a whole and for individual consumers), which in turn affects the availability of credit. They also argue that the lack of more comprehensive credit information may lead to more defaults, as customers who would not have qualified for credit may be able to obtain credit in the current negative credit reporting system by exploiting the information asymmetry which makes it difficult for credit providers to discover information about an applicant's true financial position.

There does not appear to be independent empirical information available about the Australian consumer credit reporting system, industry, or the implications of more comprehensive credit reporting. The lack of independent information was noted by the ALRC.16 Independent information was not available in the preparation of this RIS.

While the major purpose of credit reporting is to provide information to assist credit providers to assess applications for credit, an effective credit reporting system may also facilitate responsible lending by credit providers, helping to ensure individuals do not become financially overcommitted. The National Consumer Credit Protection Bill 2009 [which has since passed as the National Consumer Credit Protection Act 2009] proposes extensive responsible lending obligations which will require credit providers to ensure they adequately and responsibly assess an individual's application for credit.

1.2 Privacy concerns

Permitting access to more credit information through the credit reporting system directly affects an individual's privacy.
The main concerns from consumer and privacy advocate stakeholders and some commercial stakeholders are:
- the benefit of comprehensive credit reporting does not outweigh the additional impact on an individual's privacy
- CRAs will have access to large databases of personal information
- comprehensive credit information may be used for purposes unrelated to assessing the creditworthiness of an applicant for credit, such as marketing or other unauthorised purposes, including identity fraud
- there may be an increased risk that information will be inaccurate due to the greater volume of information (reflecting existing concerns about the accuracy of the currently held credit reporting information), and any inaccuracies may make it more difficult for individuals to obtain credit
- based upon evidence from overseas, there is an increased risk that the security of data held by CRAs will be compromised; and
- it would be inappropriate for CRAs to collect and report payment performance information in relation to utilities such as telecommunications, energy and water.

2. Objectives

2.1 Objectives of government action

The objective of government action is to respond to the ALRC recommendations on consumer credit reporting reform in the context of the Government's response to the wider ALRC review of privacy law. The specific objectives are to:

16 ALRC report paragraph 55.108


· provide consumer credit providers with sufficient information to allow them to adequately assess credit risk while ensuring the protection of personal information to the greatest extent possible; and
· encourage responsible lending.

2.2 Existing policy and regulations

Part IIIA of the Privacy Act precisely defines the categories of personal information which may be collected and disclosed for credit reporting purposes. The policy objective of the existing credit reporting system is to provide a mechanism to allow a limited amount of personal information to be collected and disclosed in the credit reporting system for the efficient operation of the consumer credit market. The ALRC has recommended changes to the existing credit reporting system in order to permit more comprehensive credit reporting. Amendments would be required to Part IIIA of the Privacy Act.

3. Options that may achieve the objectives

3.1 Implementation scope

Part IIIA of the Privacy Act regulates the consumer credit reporting system. Against this background, the proposed options address the ALRC's recommendations 55-1 and 55-2 on adopting a more comprehensive consumer credit reporting system within the Privacy Act. The scope of implementation is limited to amending, or not amending, Part IIIA of the Privacy Act.

The ALRC considered options to make the current credit reporting system more effective.17 These options included improving the accuracy of existing credit reporting data, requiring consumer declarations in relation to loan applications and expanding financial literacy programs. However, the ALRC did not recommend any of these options for action and accordingly this RIS does not consider them.

Implementation of the ALRC recommendations would enable CRAs to collect additional information. However, CRAs would not be obliged to collect additional information.
It is expected that CRAs will only incur costs in collecting additional information (whether through redeveloping systems or for other reasons) if they expect the benefits of collecting more comprehensive credit information to outweigh the costs.

3.2 Option 1 - Maintain the current permitted categories of credit reporting information, retaining a negative credit reporting system (the status quo)

This option retains the current permitted categories of negative credit reporting information. No amendments would be made to Part IIIA of the Privacy Act.

3.3 Option 2(a) - Move towards a more comprehensive credit reporting system by including four additional categories of personal information

This option would permit credit reporting information to include the following categories of information, in addition to those currently permitted under Part IIIA of the Privacy Act:
· the type of each credit account opened (for example, mortgage, personal loan, credit card)
· the date on which each credit account was opened

17 ALRC Report paragraph 55.136


· the current limit of each open credit account; and
· the date on which each credit account was closed.

This option is based on Recommendation 55-1 from the ALRC Report.

3.4 Option 2(b) - Expand the permitted categories outlined in Option 2(a) to include an individual's repayment history

In addition to the four additional categories of personal information from Option 2(a), this option would also allow limited repayment history information to be included, as follows:
· whether, over the prior two years, the individual was meeting his or her repayment obligations as at each point of the relevant repayment cycle for a credit account; and, if not,
· the number of repayment cycles the individual was in arrears.

Note that the amount of any payments missed would not be included.

This option is based upon Recommendation 55-2 of the ALRC Report, which recommends this option only be considered where there also exists an adequate legislative framework imposing responsible lending obligations on credit providers.

4. Assessment of impacts

4.1 Impact group identification

The groups affected by the Options are:
· individuals who apply for credit
· CRAs
· credit providers; and
· small businesses.

The Office of the Privacy Commissioner (the OPC) would remain the responsible regulator under all of the proposed options. It is expected that Options 2(a) and 2(b) would have no, or a low, impact upon the OPC.

4.2 Assessment of costs and benefits

4.2.1 Impact of Option 1 - remain with status quo

Individuals - Benefits

The current protections in the Privacy Act limit the amount of personal data that may be collected, used and disclosed for the purpose of credit reporting. These limitations reduce the risk of data inaccuracy, misuse for marketing or other unauthorised purposes, or misuse for illegal activity, including identity fraud.

Individuals - Costs

The limited information available in credit reports may misrepresent the credit worthiness of individuals.
For example, defaults for small amounts of credit remain on a credit report for five years and may form the basis of a decision whether to approve credit, even where the default is trivial in contrast to the overall credit history of the individual. There is a risk that consumer credit may be priced at a higher rate than would otherwise be the case if more comprehensive credit information were available. There is also a risk that consumers may be denied credit, or only have reduced credit made available, because credit


providers may not have sufficient information to make fully effective decisions about the risks associated with the allocation of credit in the market as a whole or in relation to individual consumers.

Credit Reporting Agencies - Benefits

No requirements to change current data retention practices, business models or database technology.

Credit Reporting Agencies - Costs

Current regulation prevents CRAs from offering more comprehensive consumer credit reports, which may limit the profitability of CRAs.

The current limited number of information categories may create competition costs by maintaining barriers to market entry for new CRA businesses. Two of the existing CRAs have large databases. Credit providers are more likely to use these CRAs as the size of the databases gives them access to the greatest potential number of consumer credit records. This may limit new entrants into the market because it is likely to take more time to develop databases of negative events like credit defaults.

Credit Providers - Benefits

No requirements to change current use and disclosure practices in relation to credit reporting information, business models or credit assessment technology.

Credit Providers - Costs

If an applicant fails to disclose credit accounts and liabilities they hold with other financial institutions, the credit provider is unable to make a fully informed lending decision, resulting in the possibility of provision of credit to borrowers who are unable to meet their financial obligations.

New entrants into the credit provider market may face significant barriers to entry as a consequence of insufficient information about the credit risk of prospective credit consumers. New players or smaller credit providers are unlikely to have more comprehensive data available, while existing larger credit providers are able to access their existing customer base.
This may mean knowledge of the credit worthiness of individuals is inadequate, which may lead to greater default rates for new and small credit providers.

Small Businesses - Benefits

To the extent that small businesses currently use the credit reporting system, they would not be required to make any changes.

Small Businesses - Costs

Small businesses may wish to use more comprehensive credit reporting information to provide greater certainty in the provision of credit to customers. Maintaining the current negative credit reporting system may place small businesses at proportionally greater risk from defaulting credit customers. No information is available on the extent of small business usage of the credit reporting system, so it is not possible to quantify the possible costs.


4.2.2 Impact of Option 2(a) - Expand the permitted categories to include four additional categories of personal information

Individuals - Benefits

Permitting additional information provides the opportunity for credit providers to better understand an individual's credit history. In turn this may:
- result in lower rates of over-indebtedness and default
- allow individuals who are credit worthy to gain access to more appropriately priced credit (assuming credit providers introduce differential pricing)
- increase the availability of lending (to the extent that lenders currently limit the availability of credit due to the lack of more comprehensive credit reporting information)
- reduce the transaction costs in assessing credit applications, which could result in reduced costs to consumers if the cost savings are passed on by credit providers; and
- allow for greater automation and a faster credit decision making process, assuming credit providers change existing practices.

The extent to which price benefits (lower rates) would be realised by consumers depends in part on the level of competition in the consumer credit market: the greater the level of competition, the more likely that the benefits of comprehensive credit information would be passed on to consumers. While the magnitude of consumer benefits is uncertain, it is noted that currently there does not appear to be extensive competition in the consumer credit sector, raising some doubt that consumers would realise significant price benefits, at least over the short term.18 Consumers may, however, benefit from greater access to credit.

Individuals - Costs

Individuals who are deemed to be a poor risk based on greater transparency about credit worthiness may find that they face a higher price for access to credit (assuming credit providers introduce differential pricing).
Permitting additional categories of personal information to be collected, used and disclosed may increase the risk of data inaccuracy and of misuse for marketing or other unauthorised purposes, including identity fraud. If there are no significant changes to the number of CRAs operating in Australia, extremely large amounts of data about individuals will be held and maintained by a small number of CRAs, which may increase both the risk of a data security breach and the consequences of any breach that does occur.

Information is not available to quantify the possible cost of data inaccuracy. In many instances, the cost to any individual that may be affected by inaccurate records will not be obvious, as individuals may resolve the issue by dealing directly with the credit provider or the CRA.

Credit Reporting Agencies - Benefits

The business model and marketability of CRAs is expected to be improved by allowing them to collect, use and disclose a greater amount of data on individuals who apply for credit, in turn giving CRAs the opportunity to sell a more effective product.

18 Almost all new mortgages in July 2009 were written by the `big four' banking groups, compared with around 60 per cent prior to the credit crisis (The Age 2009). As noted earlier, mortgages make up approximately 86 per cent of all consumer loans.


Credit Reporting Agencies - Costs

CRAs are likely to incur financial costs associated with developing systems to handle the additional information. However, CRAs can make commercial decisions about how they raise funds to invest in expanding their systems and business operations and how they recoup any investments they choose to make. CRAs may choose to off-set the investment costs against fees obtained from allowing credit providers to access the more comprehensive credit reporting information. For example, they may change their fee structure, market their services to a broader range of credit providers, or develop new services to market to their existing client base of credit providers. CRAs have not provided any information on the commercial decisions they may make to address any costs.

Credit Providers - Benefits

Access to more comprehensive credit reporting information is expected to allow credit providers to more accurately assess the risks involved in lending to an individual and in turn to more appropriately price credit. More information will allow credit providers to avoid lending to those who are over-committed, leading to lower rates of customer indebtedness and defaults and reducing costs for credit providers in debt recovery and write-offs. Access to more comprehensive credit reporting information will provide a more efficient tool for credit providers to comply with the responsible lending obligations under consideration in the NCCP Bill.

Access to more comprehensive credit reporting information may improve competition in the consumer credit provider market by reducing information asymmetry between credit providers, particularly between larger and smaller credit providers. Currently, large credit providers are able to access more comprehensive credit information from their own customers and use this to assess credit applications from their existing customers.
In a more comprehensive credit reporting system, small credit providers may use the access to greater information to make more informed decisions about the provision of credit, which may make their businesses more competitive. It may also be the case that all credit providers are able to reduce the transaction costs involved in assessing credit applications, creating a more efficient credit market.

Credit Providers - Costs

The systems and processes used by credit providers to assess credit applications may change to deal with access to more comprehensive information. If systems and processes change, this may result in some costs for credit providers. There may be higher costs to access credit information if CRAs choose to increase fees to off-set the costs of developing their systems. It is not possible to quantify these costs as this will be a commercial decision for CRAs and there is no information available on what choices CRAs may make to recoup any additional costs they may incur in updating their systems. There may be a risk that the increased predictive value of the data available under this option is not sufficient to justify the costs of implementation.

Small Businesses - Benefits

To the extent that small businesses currently use the credit reporting system, access to more comprehensive credit reporting information is expected to allow small businesses to more accurately assess the risks involved in lending to an individual. More information will allow


small businesses to avoid lending to those who are over-committed, leading to lower rates of customer indebtedness and defaults.

Small Businesses - Costs

Although there is no information available on the number of small businesses that currently use the credit reporting system, more small businesses may wish to use more comprehensive credit reporting information to provide greater certainty in the provision of credit to customers. Small businesses may face costs in developing processes to assess credit applications with access to more comprehensive information. There may be higher costs to access credit information if CRAs choose to increase fees to off-set the costs of developing their systems. It is not possible to quantify these costs as this will be a commercial decision for CRAs and there is no information available on what choices CRAs may make to recoup any additional costs they may incur in updating their systems.

4.2.2.1 Research on credit market efficiency and macro-economic impact of more comprehensive credit reporting

In examining the introduction of comprehensive credit reporting the ALRC considered economic analysis provided by industry stakeholders. Broadly, stakeholders in support of comprehensive credit reporting claim that empirical and macro-economic studies provide important evidence about the likely improvements to credit market efficiency and economic benefits of comprehensive credit reporting. The ALRC did not commission any independent economic analysis on the question of the possible macro-economic impact of credit reporting systems. The ALRC noted that, on one view:

this subject matter does not lend itself to precise modelling due to the level of complexity and the small orders of magnitude involved in terms of benefits.
It is questionable whether any modelling will provide definitive answers.19

The Treasury has confirmed the ALRC's view that data constraints restrict the level of macro-economic modelling that can be done on the possible impact of more comprehensive credit reporting. However, analysis conducted by Treasury has found that the introduction of positive credit reporting would be expected to remove information asymmetries in the market and lead to some small equity and efficiency benefits for credit market participants and the Australian economy more broadly.20 The Treasury supports the introduction of comprehensive credit reporting subject to sufficient privacy protections being put in place.

4.2.2.2 Empirical studies on credit market efficiency with more comprehensive credit reporting

International comparative studies

Research by Barron and Staten published in 2000 compared Australia's credit reporting rules with those of the United States (US).21 The research compared the accuracy of risk scoring models using the wider credit reporting information available under the US system with the more limited information available in Australia. The US model of credit reporting includes

19 ALRC report paragraph 55.108
20 The Department of Treasury, Submission to the ALRC Review of the Privacy Act 1988, December 2007
21 J Barron and M Staten, The Value of Comprehensive Credit Reports: Lessons from the US Experience (2000) Online Privacy Alliance www.privacyalliance.org/resources/staten.pdf; referred to by submissions to the ALRC and viewed and cited by the ALRC report at paragraph 55.94 and 55.95.


information such as the type of account, credit limit, payment history, employer and account balance. The findings of the research were that more comprehensive credit reporting rules resulted in fewer loan defaults while maintaining the same loan approval rate. The report found, for example, that at an approval rate of 60%, use of the credit reporting information permitted at present in Australia produced a default rate of 3.35% compared to a default rate of 1.9% in the US. At the same time, assuming that default rates were maintained at around the same rate (eg 4%), credit providers using information available in the current Australian system would extend new credit to 11,000 fewer consumers for every 100,000 applicants than would be the case in the US under their credit reporting system.

Later research by Barron and Staten, conducted in 2007 at the request of the Australian Finance Conference, compared the above findings with three other possible credit reporting models.22 The research found that at the targeted approval rate of 60%, the intermediate model (similar to Option 2(b)) produced a 2.46% default rate. The ALRC notes the assertions that the implications of the research are that consumer credit will be less available and more expensive in countries, such as Australia, where the credit reporting system omits information that would provide a more complete picture of a consumer's financial position.23

The findings in the Barron and Staten research appear to be supported by other reports which broadly compared different credit systems in different countries. Research referring to overseas data demonstrated a lower default rate and reduced bankruptcies following the introduction of comprehensive credit reporting in several countries.
For example, econometric research analysing the credit reporting regimes and credit markets in 43 countries, including the US, Australia and most other Organisation for Economic Co-operation and Development countries, found that the breadth and depth of a credit market was positively associated with the extent of the credit information that was exchanged between lenders.24 A number of submissions to the ALRC cited the example of Hong Kong, which appears to be experiencing far fewer loan defaults since the introduction of comprehensive credit reporting in 2002, although the ALRC also noted that it was not clear to what extent the change was due to the recovery in Hong Kong's economy that occurred at the same time.25

The ALRC identified methodological limitations and assumptions made by the research.26 For example, the Barron and Staten modelling did not take into account issues such as the weight given to more comprehensive credit information provided by customers under the Australian model, or the possibility that the assessment processes used by credit providers may differ from the research models. The research assumed that those credit reporting systems which collected more information used that information effectively. The research did not consider other economic factors, including country specific factors, which may have positively influenced the availability of credit, or the impact of any broader economic factors on default levels. In addition, the research was conducted before the Global Financial Crisis.

22 M Staten and J Barron, Positive Credit Report Data Improves Loan Decision-Making (2007) Australian Finance Conference, viewed and cited by the ALRC report at paragraph 55.96.
23 ALRC Report paragraph 55.97.
24 T Jappelli and M Pagano, Information Sharing, Lending and Defaults: Cross-Country Evidence (2000) Centre for Studies in Economics and Finance, University of Salerno. The Jappelli and Pagano research was referred to in: MasterCard Worldwide, Submission PR 237, viewed and cited by the ALRC Report paragraph 55.98.
25 ALRC Report paragraph 55.103 and 55.104.
26 ALRC Report paragraph 55.100.

Australian studies


Research measuring the predictive effect of adding additional information to credit reporting databases to assess credit worthiness was conducted at the initiative of the Australian Retail Credit Association (ARCA) and sponsored by a number of credit providers.27 The research considered a number of models under which additional information was collected. The models considered were identical to the options identified above (see heading 3, Options). Four major Australian banks and a number of international financial services groups participated in the research by analysing their own internal data to estimate the relative predictive effect of different information variables as identified in each option. The research produced a percentage score to indicate how useful each option was to credit providers in collecting information to assess credit worthiness. The benchmark against which each option was assessed was a hypothetical situation where all relevant credit reporting information (including, for example, full details of repayment performance, which is not a feature of any of the options) was available. This benchmark was assigned a performance score of 100%. When the performance of each option was compared to the benchmark, the research reached the following conclusions:

· Option 1 - the permitted categories of information are unchanged - the predictive value of the information is 10%.
· Option 2(a) - the permitted categories of information are expanded to include the four additional variables - increases the predictive value of the information above option 1 by an additional 23% to a total of 33%.
· Option 2(b) - the permitted categories of information are expanded to include the four additional variables and repayment performance history - increases the predictive value of the information above option 2(a) by an additional 22% to a total of 55%.

However, the research methodology and research results are not available and have not been independently verified.
The predictive scores assigned to each option are notional in the sense that they are a comparison against a benchmark that does not currently exist, and there is no evidence provided to indicate how the contribution of each information element was assessed. In addition, the benchmark was not recommended by the ALRC, is not an option proposed in this RIS, and has not been proposed or supported by stakeholders, including ARCA, as an appropriate model for Australian conditions.

4.2.2.3 Research on macro-economic benefits

A 2004 study conducted by ACIL Tasman for MasterCard modelled the macro-economic impact of introducing more comprehensive credit reporting in Australia. The report concluded that comprehensive credit reporting would generate a one-off increase in capital productivity of 0.1%, which would translate to economic benefits to the Australian economy of up to $5.3 billion, in net present terms, over the next 10 years.28 ACIL Tasman used what was described as an `applied general equilibrium model' of the Australian and world economies to quantify the benefits of more comprehensive credit reporting. In conducting the research, the model assumed that more efficient credit markets would have implications for most sectors of the economy.

27 Australasian Retail Credit Association, Submission to the ALRC, PR 352, 29 November 2007.
28 ACIL Tasman, Comprehensive Credit Reporting: Executive Summary of an Analysis of its Economic Benefits for Australia [prepared for MasterCard International] (2004), 3. See also ACIL Tasman, Comprehensive Credit Reporting: Main Report of an Analysis of its Economic Benefits for Australia [prepared for MasterCard International] (2004), 28, viewed and cited by the ALRC Report paragraph 55.106 to 55.108.


Research conducted by Access Economics on behalf of Veda Advantage claimed that more credit reporting information would enable lenders to improve the accuracy of risk assessment, reduce defaults and debt over-commitment, and provide credit to those who cannot currently prove their creditworthiness. Additionally, the research found that comprehensive credit reporting would also lead to an overall increase in consumer debt levels and a related increase in consumer spending.29 Advice from Treasury confirmed that comprehensive credit reporting is likely to lead to some small equity and efficiency benefits for credit market participants and the economy more broadly. However, the research is subject to similar criticisms to those made about the research on credit market effects. Treasury has advised that the methodologies employed to measure the macro-economic effects have limitations. The ALRC noted that it is difficult to model precisely the macro-economic impact of comprehensive credit reporting due to the level of complexity and the small orders of magnitude involved in assessing the possible benefits. The ALRC drew the following conclusion:

It is questionable whether any modelling will provide definitive answers. For example, Australia is recognised as having a credit market that is very competitive by international standards. This may limit the potential for further competitive gains resulting from more comprehensive reporting. Equally, a macro-economic upturn seems likely to have a much greater influence on credit availability than any change to a credit reporting system.30

4.2.2.4 Research on competition in credit markets

The credit reporting industry strongly advocates the view that comprehensive credit reporting will have a positive effect on competition in Australian credit markets.
The 2004 ACIL Tasman report stated that, for example, the experience of the US in the 1990s following increases in the types of personal data collected and used in credit reporting saw `a wave of new entrants into the bank credit card market'.31 The benefits of this competition were said to put downward pressure on interest rates and fees for bank credit cards and encourage the targeting of lower interest rates to low risk borrowers. The breadth of the credit card market also expanded. However, the report does not provide evidence to clearly demonstrate the extent to which the identified benefits were directly attributable to credit reporting changes, or whether other changes in the consumer credit environment had a significant impact. In summary, the research suggests greater economic benefits than disadvantages flowing from the introduction of comprehensive credit reporting. The economic benefits are principally found in improving interest rate pricing. The Treasury in its submission to the ALRC noted that overall comprehensive credit reporting would address information asymmetries and thereby improve the targeting of credit, and the assessment, and thus pricing, of risk.32

29 Access Economics (for Veda Advantage), The Benefits of Broadening Access to Credit via Comprehensive Credit Reporting, July 2008.
30 ALRC Report paragraph 55.108.
31 ACIL Tasman, Comprehensive Credit Reporting: Executive Summary of an Analysis of its Economic Benefits for Australia [prepared for MasterCard International] (2004), 3.
32 Department of Treasury, ALRC Review of Privacy Law: Treasury Submission, December 2007.


4.2.3 Impact of Option 2(b) - Expand the permitted categories to include four additional categories of personal information (Option 2(a)) with the addition of an individual's repayment history

Individuals - Benefits

The inclusion of this additional data set will enhance the predictive value of credit worthiness, which should lead to more informed lending practices and result in greater efficiency and effectiveness in consumer credit lending. An enhanced predictive value may lead to improved pricing of credit risk, which may provide more affordable credit (through, for example, reduced interest rates or transaction costs) for low risk consumers and greater access to credit for consumers who may not otherwise have been able to demonstrate an adequate credit history. However, the likely benefits to consumers will depend, in part, on the level of competition in the consumer credit market (in the same way that this issue may influence the possible benefits to individuals noted above under Option 2(a)).

Individuals - Costs

Individuals who have poor credit histories may have difficulty in obtaining credit or be required to obtain more costly credit (for example, from providers who lend at higher rates). As access to this dataset may increase the number of loans issued overall, there may be a risk that there will be an increase in irresponsible lending to those unable to meet their obligations. However, the ALRC recommended repayment history information only be permitted once credit providers are subject to responsible lending obligations. Individuals who are deemed to be a poor risk based on greater transparency about credit worthiness may find that they face a higher price for access to credit (assuming credit providers introduce differential pricing). This option also presents similar possible costs to individuals as identified in relation to option 2(a).
Permitting additional categories of personal information to be collected, used and disclosed, including an individual's repayment history, may increase the risk of data inaccuracy and of misuse for marketing or other unauthorised purposes, including identity fraud. Any inaccurate records may restrict individuals from gaining access to credit. Data is not available to quantify the possible cost. If there are no significant changes to the number of CRAs operating in Australia, extremely large amounts of data about individuals will be held and maintained by a small number of CRAs, which may increase the risk of data security challenges and the consequences of any potential breaches. Information is not available to quantify the possible cost of data inaccuracy. In many instances, the cost to any individual who may be affected by inaccurate records will not be obvious, as individuals may resolve the issue by dealing directly with the credit provider or the CRA.

Credit Reporting Agencies - Benefits

The business model and marketability of CRAs will be improved by allowing them to collect, use and disclose a greater amount of data on individuals who apply for credit, in turn giving CRAs the opportunity to sell a more effective product. Implementing repayment history data at the same time as the other proposed data sets in Option 2(a) would significantly reduce set-up costs for credit reporting agencies compared with a decision at a later date to separately implement the repayment history data set.


Credit Reporting Agencies - Costs

As noted under option 2(a), CRAs are likely to incur financial costs associated with developing systems to handle the additional information. However, CRAs can make commercial decisions about how they raise funds to invest in building systems to expand their systems and business operations, and how they decide to recoup any investments they choose to make. CRAs may choose to off-set the investment costs against fees obtained from allowing credit providers to access the more comprehensive credit reporting information. For example, they may change their fee structure, market their services to a broader range of credit providers, or develop new services to market to their existing client base of credit providers. CRAs have not provided any information on the commercial decisions they may make to address any costs.

Credit Providers - Benefits

The listing of repayment history would provide credit providers with an independent and easily obtainable source of information about an individual's repayment history and may assist credit providers in identifying individuals who are under credit stress. Access to this information is viewed by credit providers as an important tool to complement any responsible lending obligations. It is possible that the expected greater efficiencies gained by including repayment history information (in terms of improved credit delinquency predictability, which in turn reduces costs associated with defaulting customers) may offset the administrative costs involved in setting up comprehensive credit reporting under the four datasets in Option 2(a). The inclusion of the repayment history data set in the credit reporting system at the same time as the other data sets in Option 2(a) will significantly reduce set-up costs for credit providers compared with a decision at a later date to separately implement the repayment history data set.
Credit Providers - Costs

As noted under option 2(a), the systems and processes used by credit providers to assess credit applications may change to deal with access to more comprehensive information. If systems and processes change, this may result in some costs for credit providers. No information is available to quantify any cost that may occur. As noted under option 2(a), there may be higher costs to access credit information if CRAs choose to increase fees to off-set the costs of developing their systems. It is not possible to quantify these costs, as this will be a commercial decision for CRAs and there is no information available on what choices CRAs may make to recoup any additional costs they may incur in updating their systems. However, a credit provider would not be required to access comprehensive credit reporting information unless it was deemed necessary for their business and was cost effective. The regulation would simply set up a tool which credit providers could access voluntarily.

Small Businesses - Benefits

To the extent that small businesses currently use the credit reporting system, access to repayment history information is expected to allow small businesses to more accurately assess the risks involved in lending to an individual. More information will allow small businesses to avoid lending to those who are over-committed, leading to lower rates of customer indebtedness and defaults.


Small Businesses - Costs

Although there is no information available on the number of small businesses that currently use the credit reporting system, more small businesses may wish to use the credit reporting system if it includes repayment history information. Small businesses may consequently face costs in developing processes to assess credit applications. There may be higher costs to access credit information if CRAs choose to increase fees to off-set the costs of developing their systems. It is not possible to quantify these costs, as this will be a commercial decision for CRAs and there is no information available on what choices CRAs may make to recoup any additional costs they may incur in updating their systems.

4.2.3.1 Research specific to the listing of repayment history

As noted above, research by ARCA found that including the repayment history of an individual significantly increased the predictive value of a credit report to 41%. This research accords with widely accepted economic theory that making more information available to credit providers will tend to increase efficiency in the market for credit. It will also assist in making credit more available to those able to repay, reduce rates of default, or both. There was no significant disagreement among stakeholders in their submissions to the ALRC Report that more comprehensive credit reporting has the potential to improve risk assessment by credit providers, even among those who expressed concern about how this improved risk assessment would be used in the credit market. There is little evidence to demonstrate that this additional data set will subject consumers to greater burdens in terms of higher priced credit or lack of credit. Such matters will be dependent on the applicable business practices of the credit provider and the need to adequately price credit in terms of a person's risk.
It is noted that in many circumstances the number of `bad risk' customers who are denied credit will effectively be balanced by those `good risk' customers who are afforded credit under the comprehensive scheme (but would not have been under the `negative' scheme). It should be noted that Option 2(b) is only to be implemented with the implementation of responsible lending legislation under the NCCP Bill. While repayment history would benefit credit providers in determining the credit risk of individuals, there are strong concerns expressed by privacy and consumer advocates that this extra category of information does not necessarily guarantee responsible lending of credit. Advocates are concerned that the repayment history will provide credit providers with a very clear picture of a person's financial status without imposing any obligations to use this information in a responsible way. Consumer advocates in particular consider that the availability of more credit information will lead to less risk-averse decisions by credit providers (i.e. credit providers will use a good repayment history to justify providing credit to an individual even where the individual has credit burdens beyond their means). There is therefore a clear link between potential regulation imposing responsible lending obligations and the possible implementation of comprehensive credit reporting. These concerns would be off-set by the requirement that only those credit providers that are subject to the responsible lending requirements in the NCCP Bill would be allowed to access repayment history from CRAs. To offset privacy concerns, the ALRC made recommendations that require credit providers and CRAs to enhance data quality and security requirements and provide for more effective complaint handling procedures. Chapters 58 and 59 of the ALRC Report outline a series of recommendations regarding these matters. Recommendation 58-4 recommended that CRAs


should be required to enter into agreements with credit providers to ensure the quality and security of data and to implement controls to ensure data is accurate, complete and up to date. Recommendation 58-7 provides that credit providers may only list overdue payment or repayment performance history where the credit provider is a member of an external dispute resolution scheme recognised by the Privacy Commissioner. Additionally, recommendation 59-8 requires that evidence must be provided to an individual substantiating information in a credit report within 30 days where the credit reporting information is disputed, or alternatively the matter must be referred to an external dispute resolution scheme recognised by the Privacy Commissioner.

5 Consultation

5.1 ALRC Report Consultation

The ALRC consulted with a wide variety of stakeholders, which included CRAs, credit providers, consumer and privacy advocates and the OPC. The ALRC found there was broad support for the implementation of some form of more comprehensive reporting, especially from CRAs and credit providers.33 Consumer groups, privacy advocates, the OPC and the Banking and Financial Ombudsman generally opposed more comprehensive credit reporting. These stakeholders focused on alternatives and desirable pre-conditions to the possible introduction of more comprehensive credit reporting.34 A number of stakeholders, including the OPC, suggested that further study is required before reaching any decision to recommend the implementation of more comprehensive credit reporting, including studies which focus on the possible impact on over-indebtedness and access to affordable credit. A CRA had proposed to the ALRC that it would conduct a further study to model the effect that more comprehensive consumer credit reporting would have on the accuracy of credit providers' application risk evaluation.
However, the study was not carried out, in part because of what the CRA believed to be existing restrictions under the Privacy Act.35

5.2 Consultation since the release of the ALRC Report

The Government undertook extensive consultations with, and received written submissions from, relevant stakeholders on the ALRC's credit reporting recommendations. Stakeholders identified included CRAs, credit providers, relevant industry and professional organisations, academics, and consumer and privacy advocates and organisations. The Government also publicised the consultations and opened them to submissions from the public.36 The Government held a number of roundtable consultations on the ALRC credit reporting recommendations in December 2008. There were 22 credit reporting industry attendees and eight privacy and consumer advocate attendees. Fifteen written submissions were received from the stakeholders. The Department also held a number of individual meetings with stakeholders in the first half of 2009 to discuss the application of the ALRC's recommendations. There was broad support for the introduction of more comprehensive credit reporting. While some consumer and privacy advocates remained opposed to the ALRC's recommendations for more comprehensive credit reporting, most consumer and privacy advocates reluctantly

33 ALRC Report paragraph 55.115.
34 ALRC Report paragraph 55.133.
35 ALRC Report paragraph 55.125.
36 http://www.smos.gov.au/media/2008/mr_372008.html viewed 2 September 2009.


agreed with many of the recommendations and the inclusion of repayment performance history. Those who agreed with the ALRC recommendations only supported comprehensive credit reporting to the extent that it was introduced strictly along the lines recommended by the ALRC Report. CRAs and large credit providers vigorously supported the inclusion of repayment history and strongly expressed their view that they considered this dataset to be the decisive factor in improving the credit reporting system. CRAs and credit providers expressed the view that the absence of repayment history would be likely to mean that the benefits of comprehensive credit reform would not outweigh the costs of introducing the other changes.

6 Conclusion and Recommended Option

Option 2(b) is preferred. The introduction of more comprehensive credit reporting in the form of the additional five data sets will provide consumer credit providers with the opportunity to access enhanced information to establish an individual's credit worthiness. It is expected that this will allow more robust assessments of consumer credit risk, both in the market as a whole and in relation to individual applications, which can assist responsible lending and potentially lead to lower consumer credit default rates. The economic benefits to industry and individuals alike outweigh the reduction of privacy protections to these categories of personal information. However, the extent to which consumers gain will depend, in part, on the level of competition in the consumer credit market. The inclusion of repayment history information appears to provide an appropriate increase in the predictive value of credit reporting information. Recognising the importance of this information to the ability of credit providers to make responsible lending decisions, the Government has decided to implement responsible lending obligations in the NCCP Bill.
7 Implementation and Review

The Government will consider the public release of the stage one Government response to the ALRC Report, which includes the ALRC's credit reporting recommendations. The Government intends to implement the Government's response to the ALRC recommendations through draft legislation which will be released for public comment. In relation to the credit reporting provisions of the draft legislation, it is anticipated that further consultations will occur with a small number of identified expert stakeholders to obtain their assistance in addressing technical issues to be covered by the drafting process. As part of this process, transitional issues will be considered, which will include any necessary transitional arrangements to assist in minimising any possible negative effects to the consumer credit market from the implementation of the credit reporting reforms. The Government has released the NCCP Bill for public comment and made announcements indicating the Government's commitment to introduce responsible lending obligations. This is consistent with the terms of ALRC recommendation 55-3, which recommended repayment history information only be made available if the Government is satisfied there is an adequate framework imposing responsible lending obligations. ALRC recommendation 55-5 stated that the more comprehensive credit reporting information should be deleted two years after the date on which a credit account is closed. The Government will include timeframes for the deletion of information in the implementation of the Government's response to the credit reporting recommendations. It is recommended that a review of the introduction of the additional datasets by the Government take place five years from the commencement of more comprehensive credit reporting, in accordance with Recommendation 54-8 of the ALRC Report.


PART B: Industry Developed Credit Reporting Code of Conduct

8. Problem

Non-legislative guidance should be issued to deal with a range of operational matters to ensure effective compliance with the requirements of the credit reporting provisions of the Privacy Act. The appropriate form of this guidance is the issue to be determined. Section 18A of the Privacy Act currently requires the Privacy Commissioner to issue a Code of Conduct dealing with operational matters. The Privacy Act sets out high level obligations and does not deal with detailed operational matters. In addition, the Privacy Act does not prescribe detailed operational procedures because it would not be a flexible mechanism to deal with issues of detail. For example, it would be difficult to take into account changing technical standards and practices that may occur in the credit reporting industry and which may require the revision of the detailed guidance material. In recommendation 54-9 the ALRC proposes that CRAs and credit providers develop an industry Code of Conduct in consultation with consumer groups and regulators. The ALRC expressed the view that an industry developed Code would form a necessary adjunct to the credit reporting provisions in the Privacy Act. The ALRC recommended that the Code be developed by industry because of the perceived need for industry to have a greater involvement in developing procedures which affect their day to day compliance with the Privacy Act. Consistent with ALRC recommendation 48-1 on binding codes, the credit reporting Code would `fill in the gaps' between the new credit reporting provisions and compliance with the obligations set out in the provisions. It would provide detailed guidance within the framework of the requirements of the credit reporting provisions in the Privacy Act.
In assessing the suitability of the type and structure of a credit reporting Code, it should be noted that the details of the Code's content can only be developed once the Government has settled the framework of the new credit reporting system. However, it is expected that the Code would be an appropriate mechanism to address the following matters:

- procedures for reporting repayment performance history
- data quality procedures to ensure consistency and accuracy of credit reporting information, such as:
  o the timeliness of the reporting of credit reporting information;
  o rules on the calculation of overdue payments for credit reporting purposes;
  o obligations to prevent the multiple listing of the same debt;
  o requirements to update credit reporting information; and
  o rules around linking credit reporting records which may or may not relate to the same individual
- dispute resolution processes, and
- protocols and procedures for the auditing of credit reporting information.

9. Objectives

The objective of government action is to respond to the ALRC recommendations on the introduction of an industry led Code of Conduct in the context of the Government's response to the ALRC recommendations on the credit reporting system and the wider ALRC review of privacy law. The specific objective is to provide a mechanism to put into place standards


dealing with operational issues to assist compliance by the credit reporting industry with the requirements of the new credit reporting system.

10. Options that may achieve the objectives

10.1 Implementation scope

The jurisdiction of the Privacy Act sets the scope for implementing a credit reporting Code of Conduct. Within this framework, the parameters of the proposed options are confined to responding to the ALRC Report's recommendations on a credit reporting Code.

10.2 Option 1 - Maintain the present Credit Reporting Code of Conduct process

This option would preserve the existing requirement for the Privacy Commissioner to issue a credit reporting Code of Conduct. The existing Code of Conduct will require revision to deal with operational issues raised by more comprehensive credit reporting (if accepted).

10.3 Option 2 - Introduce a binding Code of Conduct developed by industry in accordance with the code making powers set out in Part IIIAA of the Privacy Act

Under this option:

· the Privacy Act would specifically require CRAs and credit providers to develop a Code covering a broad range of operational issues as identified in the Privacy Act and in consultation with consumer representatives and regulators
· any CRA or credit provider who intended to participate in the consumer credit reporting industry would be required to be a party to the Code
· the Code would be a legally binding Code under the Privacy Act. It would operate in addition to the credit reporting provisions and could not override or apply lesser standards than those contained in the Privacy Act
· the Code must be approved by the Privacy Commissioner, who would also have the power to review the Code; and
· a breach of the Code would be deemed to be a breach of the Privacy Act and the Privacy Commissioner or a relevant External Dispute Resolution (EDR) scheme would be entitled to determine a complaint in accordance with the provisions of the Privacy Act or Code (as appropriate).
The industry may choose to address some credit reporting issues (such as reciprocity between industry participants in the credit reporting system) which will not be regulated by the credit reporting provisions. It would be a matter for industry to determine what, if any, additional issues should be included. As these matters would fall outside the credit reporting provisions, they would not require approval by the Privacy Commissioner.

10.4 Option 3 - Permit a non-prescribed voluntary industry Code of Conduct

Under this Option:

· the Privacy Act would not set out any requirements for the existence or contents of a Code of Conduct
· the Code would not be binding under the Privacy Act
· it would be a matter for the credit reporting industry to determine whether to develop a Code and the contents of the Code


· any Code developed by industry would be a non-prescribed voluntary industry code of conduct under the Trade Practices Act 1974. Depending on the contents of the Code, it may be authorised by the Australian Competition and Consumer Commission (ACCC) for certain conduct on public benefit grounds that may otherwise be proscribed by the Trade Practices Act
· any Code would establish standards which would be voluntarily agreed by its signatories. The Code would be a contractual arrangement; and
· the Code would be enforceable where CRAs and credit providers have agreed to be bound by the Code and established dispute resolution procedures in the Code (such as an EDR service). The terms of the Code would not be enforceable by the Privacy Commissioner or the ACCC.

11. Assessment of impacts

11.1 Impact group identification

The groups affected by the Options, in the order of the magnitude of the impact, are:

· CRAs
· Credit Providers
· OPC
· Small businesses; and
· Individuals.

11.2 Assessment of costs and benefits

11.2.1 Impact of Option 1 - maintain the present Code of Conduct process

Credit Reporting Agencies - Benefits

While the existing Code would need to be revised if more comprehensive credit reporting is introduced, it is likely there would be minimal costs in complying with a revised Code. CRAs would be consulted in the development of the Code to ensure business practices are adequately considered. To the extent that CRAs decide to collect more comprehensive credit reporting information, compliance with the revised Code could be built into the development of any new systems and procedures required by the adoption of more comprehensive credit reporting. Where existing requirements of the Code are unchanged, there would be no compliance costs as CRAs would already be in compliance with these requirements.
Credit Reporting Agencies - Costs The current Code of Conduct does not deal in detail with some of the operational and procedural steps used within existing industry practices, which may lead to less clarity and consistency within the industry. Further detail could provide more precise guidance to CRAs on current industry practices, assisting CRAs to comply with the credit reporting provisions. While CRAs would be consulted by the OPC in any Code revision process resulting from the reforms to the credit reporting provisions, they would not have a central role in amendments to the Code of Conduct. This reduces the ability of CRAs to form and direct changes in the Code of Conduct, such as in situations where technological developments may mean changes to operational practices that could benefit from guidance in the Code of Conduct. CRAs would not be able to take the initiative in developing and proposing revisions to the Code, but instead would need to convince the OPC to initiate a review of the Code. A lack of clear 32


guidance may restrict future developments in the industry, which may result from the adoption of new technologies or the identification of new opportunities to use or manage data. This may have the cost of reducing possible economic opportunities and benefits. Evidence is not available to quantify any possible costs. The purpose of the Code is to provide practical guidance to CRAs to assist compliance with the requirements of the Privacy Act and it is expected that detailed compliance information will be of significant assistance to the CRA industry. However, there is a slight possibility that the existence of the Code may discourage new CRA industry entrants. New entrants may prefer to establish alternative procedures and processes that comply with the requirements of the Privacy Act but do not match the detailed guidance contained in the Code. In addition, new entrants would not have had the opportunity to contribute to the Code development process. Credit Providers - Benefits While the existing Code would need to be revised if more comprehensive credit reporting is introduced, it is likely there would be minimal costs in complying with a revised Code. Credit providers would be consulted in the development of the Code to ensure business practices are adequately considered. Compliance with the revised Code could be built into the development of any new systems and procedures required by the adoption of more comprehensive credit reporting. Where other existing requirements of the Code are unchanged, there would be no compliance costs as credit providers would already be in compliance with these requirements. Credit Providers - Costs Similar issues exist for credit providers as those identified for CRAs. The current Code of Conduct does not deal in detail with some of the operational and procedural steps used within existing industry practices, which may lead to less clarity and consistency within the industry. 
Further detail could provide more precise guidance to credit providers on current industry practices, assisting credit providers to comply with the credit reporting provisions. Credit providers would not have a central role in amendments to the Code of Conduct, although they would be consulted by the OPC in any Code revision process resulting from the reforms to the credit reporting provisions. This reduces the ability of credit providers to form and direct changes in the Code of Conduct, such as in situations where technological developments may mean changes to operational practices that could benefit from guidance in the Code of Conduct. The credit industry would not be able to take the initiative in developing and proposing revisions to the Code, but instead would need to convince the OPC to initiate a review of the Code. A lack of clear guidance may restrict future developments in the industry, which may result from the adoption of new technologies or the identification of new opportunities to use or manage data. This may have the cost of reducing possible economic opportunities and benefits. Evidence is not available to quantify any possible costs. The purpose of the Code is to provide practical guidance to credit providers to assist compliance with the requirements of the Privacy Act and it is expected that detailed compliance information will be of significant assistance to credit providers. However, there is a slight possibility that the existence of the Code may discourage new credit providers. New credit providers may prefer to establish alternative procedures and processes that comply with the requirements of the Privacy Act but do not match the detailed guidance contained in the Code. In addition, new credit providers would not have had the opportunity to contribute to the Code development process. 33


Office of the Privacy Commissioner - Benefits

This option would ensure that OPC retains complete control over the development and promulgation of the Code. OPC would continue to be required to consult with stakeholders in revising the Code, but it would be a matter for OPC to decide when to review the Code and what elements of the Code require revision.

Office of the Privacy Commissioner - Costs

The OPC does not have the necessary industry knowledge to provide specific guidelines on operational and procedural issues. While the OPC is required to consult stakeholders and can obtain extensive information through the consultation process, the OPC would be required to devote resources to reviewing the Code and developing amendments. The proposed introduction of more comprehensive credit reporting means that the OPC will be required to review the Code. It is not possible to estimate the total expected cost of a full review of the Code and there have been no comprehensive reviews of the Code on which to base estimates of possible costs.

Small Businesses - Benefits

Some small businesses may be credit providers depending on whether they offer goods or services on terms that involve credit. It would be expected that any review of the Code by the OPC would include consultation with small business representatives as stakeholders in the review. Businesses are not required to participate in the credit reporting system and, where small businesses choose not to do so, they would not be affected by a revised Code.

Small Businesses - Costs

A revised Code will deal in detail with operational matters arising from the adoption of more comprehensive credit reporting. To the extent that small businesses decide to participate in the credit reporting system and use more comprehensive credit reporting information, they will need to comply with the requirements of the Code, including, for example, requirements to participate in EDR services. It is not possible to quantify the possible compliance costs for small businesses as there is no information available on the number of small businesses likely to use more comprehensive credit reporting.

Individuals - Benefits

Individuals would benefit from consistent operational standards for industry practices. Individuals would be concerned to ensure that the Code achieved an appropriate balance between the protection of personal information and the operational needs of the credit reporting industry. As the OPC has responsibility for the development and review of the Code, individuals can rely on the OPC to ensure their interests in the effective protection of personal information are protected. Individuals would also benefit from the legal status of the Code to ensure their rights are enforced. The Code would remain a disallowable instrument, which means that a breach of the Code could be the subject of a complaint to the Privacy Commissioner.

Individuals - Costs

A Code is intended to ensure consistency and certainty in operational practices throughout the credit reporting industry. There are no obvious costs for individuals.
11.2.2 Impact of Option 2 - Introduce a binding Code developed by industry in accordance with the code making powers set out in Part IIIAA of the Privacy Act

Credit Reporting Agencies - Benefits

This option requires the credit reporting industry to develop a Code that would be binding under the Privacy Act. Credit industry control of the code making process would:

· allow the industry to apply detailed knowledge of industry practices to determine the best procedures to ensure practical compliance with the requirements of the Privacy Act
· provide the industry with the flexibility to review the Code and develop necessary changes to the Code (subject to OPC approval) as required by changes in industry standards; and
· ensure the credit reporting industry adopts best standard practices which have been developed in consultation with all industry participants, improving the overall reliability of industry practices and enhancing the operation of the credit reporting system.

The ability of the credit reporting industry to develop (in consultation with stakeholders, including consumer advocates) and adhere to a binding Code may assist the industry to build greater trust by individuals in the operational standards and reliability of credit reporting practices.

Credit Reporting Agencies - Costs

The code making process would require the cooperation of all industry participants to develop specific operational and procedural requirements. The process of developing the Code may involve costs to the industry, such as:

· the time taken to develop a binding Code may be significant as industry groups must come to agreement about the provisions of the Code and take into account that the OPC will also need time to approve the Code
· costs associated with drafting the Code
· costs involved in consulting with stakeholders, both within the credit industry as well as with consumer and privacy advocates and regulators; and
· possible costs associated with any future review of the Code.

It is not possible to estimate the actual costs that may be incurred. Many of these potential costs are unlikely to be incurred because the credit industry has already begun work on the development of a Code. The Australian Retail Credit Association (ARCA) is developing a draft Code on a range of operational matters that could be readily modified to include additional matters raised by the introduction of more comprehensive credit reporting. The ARCA Code is discussed below in section 11.2.4.

It is expected that detailed compliance information will be of significant assistance to the CRA industry. However, there is a slight possibility that the existence of the Code may discourage new CRA industry entrants. New entrants may prefer to establish alternative procedures and processes that comply with the requirements of the Privacy Act but do not match the detailed guidance contained in the Code. In addition, new entrants would not have had the opportunity to contribute to the Code development process.
Credit Providers - Benefits

This option requires the credit reporting industry to develop a Code that would be binding under the Privacy Act. Credit industry control of the code making process would:

· allow the industry to apply detailed knowledge of industry practices to determine the best procedures to ensure practical compliance with the requirements of the Privacy Act
· provide the industry with the flexibility to review the Code and develop necessary changes to the Code (subject to OPC approval) as required by changes in industry standards; and
· ensure the credit reporting industry adopts best standard practices which have been developed in consultation with all industry participants, improving the overall reliability of industry practices and enhancing the operation of the credit reporting system.

The ability of the credit reporting industry to develop (in consultation with stakeholders, including consumer advocates) and adhere to a binding Code may assist the industry to build greater trust by individuals in the operational standards and reliability of credit reporting practices.

Credit Providers - Costs

The code making process would require the cooperation of all industry participants to develop specific operational and procedural requirements. The process of developing the Code may involve costs to the industry, such as:

· the time taken to develop a binding Code may be significant as industry groups must come to agreement about the provisions of the Code and take into account that the OPC will also need time to approve the Code
· costs associated with drafting the Code
· costs involved in consulting with stakeholders, both within the credit industry as well as with consumer and privacy advocates and regulators; and
· possible costs associated with any future review of the Code.

It is not possible to estimate the actual costs that may be incurred. Many of these potential costs are unlikely to be incurred because the credit industry has already begun work on the development of a Code. The Australian Retail Credit Association (ARCA) is developing a draft Code on a range of operational matters that could be readily modified to include additional matters raised by the introduction of more comprehensive credit reporting. The ARCA Code is discussed below in section 11.2.4.

However, ARCA appears to represent large organisations in the credit industry. If ARCA takes a leading role in developing the Code, it is possible that smaller credit providers which are not members of ARCA may not be in a position to influence the code making process to the same extent as ARCA members. This may mean, for example, that industry practices which suit larger organisations are incorporated into the Code as industry standards, disadvantaging smaller industry participants that do not use the same practices.

The purpose of the Code is to provide practical guidance to credit providers to assist compliance with the requirements of the Privacy Act and it is expected that detailed compliance information will be of significant assistance to credit providers. However, there is a slight possibility that the existence of the Code may discourage new credit providers.
New credit providers may prefer to establish alternative procedures and processes that comply with the requirements of the Privacy Act but do not match the detailed guidance contained in the Code. In addition, new credit providers would not have had the opportunity to contribute to the Code development process.

Office of the Privacy Commissioner - Benefits

A Code would create certainty for the OPC that a breach of the Code is a breach of the Privacy Act and it would also provide the OPC with industry standards by which to apply the credit reporting provisions. Industry standards would give greater clarity about the application of the Act to the industry and should result in more efficient complaint resolution, resulting in less confusion as to whether a breach of the Code is an interference with privacy. Approval from the OPC would ensure the OPC is satisfied with industry's interpretation of the credit reporting provisions.

Office of the Privacy Commissioner - Costs

It is expected that the OPC would face minimal costs when compared with Option 1. The OPC would not face costs in the development of the Code, but would be required to incur some costs in approving the Code. It is not possible to estimate the costs of approving the Code until a draft Code is developed.

Small Businesses - Benefits

Some small businesses may be credit providers depending on whether they offer goods or services on terms that involve credit. In the development of a Code the credit reporting industry would be required to consult with affected stakeholders. It is expected that this consultation process would include a mechanism for small businesses to contribute to the development of the Code, including through consultation with representative organisations. As the Code would require authorisation by the OPC, it would be expected that the OPC would consider whether effective consultation had occurred, including with small business stakeholders. Businesses are not required to participate in the credit reporting system and, where small businesses choose not to do so, they would not be affected by a Code.

Small Businesses - Costs

A Code will deal in detail with operational matters arising from the adoption of more comprehensive credit reporting. To the extent that small businesses decide to participate in the credit reporting system and use more comprehensive credit reporting information, they will need to comply with the requirements of the Code, including, for example, requirements to participate in EDR services. It is not possible to quantify the possible compliance costs for small businesses as there is no information available on the number of small businesses likely to use more comprehensive credit reporting.

Individuals - Benefits

Complaints by individuals would be subject to a clear EDR process. As the Code would be enforceable by the OPC, adherence to the Code and the protection of individuals' privacy would be stronger, as a breach of the Code would be a breach of the Privacy Act. Individuals would benefit from consistent operational standards for industry practices. Individuals would be concerned to ensure that the Code achieved an appropriate balance between the protection of personal information and the operational needs of the credit reporting industry. As the OPC has responsibility for the development and review of the Code, individuals can rely on the OPC to ensure their interests in the effective protection of personal information are protected.
Individuals would also benefit from the legal status of the Code to ensure their rights are enforced. The Code would remain a disallowable instrument, which means that a breach of the Code could be the subject of a complaint to the Privacy Commissioner.

Individuals - Costs

A Code is intended to ensure consistency and certainty in operational practices throughout the credit reporting industry. There are no obvious costs for individuals.

11.2.3 Impact of Option 3 - Introduce a voluntary Code developed by industry

Credit Reporting Agencies - Benefits

This option would not require the credit reporting industry to develop a voluntary Code. It would be a matter for the industry to decide whether or not to develop a voluntary Code. Any costs involved in the development of a Code would not be imposed by regulation but subject to commercial decisions about the costs and benefits by the industry. If the credit reporting industry chooses to develop a voluntary Code, the industry would remain in control of the development process. Industry control over the code making process would:

· allow the industry to apply detailed knowledge of industry practices to determine the best procedures to ensure practical compliance with the requirements of the Privacy Act
· provide the industry with the flexibility to review the voluntary Code and develop necessary changes as required by changes in industry standards; and
· allow the credit reporting industry to determine whether it needed to adopt standard practices.

A voluntary Code would not require approval from the OPC, potentially reducing costs and delays in implementation. However, approval from the ACCC may be required depending on whether the Code required consideration under the Trade Practices Act. A voluntary Code would not impede new CRAs entering the market as it would be a commercial decision whether or not the new CRA subscribed to the voluntary Code. The ability of the credit reporting industry to develop and adhere to a voluntary Code may assist the industry to build greater trust by individuals in the operational standards and reliability of credit reporting practices.

Credit Reporting Agencies - Costs

The code making process would require industry cooperation to develop specific operational and procedural requirements. This is expected to involve costs to the industry in the preparation of the voluntary Code, including a cost to develop and draft the voluntary Code. However, ARCA has already drafted a Code and it is expected that the Code could be readily modified to form the basis of the voluntary Code, substantially reducing any costs in the development of a voluntary Code. A voluntary Code would be required to comply with the ACCC's guidelines for developing effective voluntary industry codes of conduct. The voluntary Code may also require authorisation by the ACCC if it contravenes a provision of the Trade Practices Act, which may extend the time required to develop the voluntary Code.
CRAs would not be required to be members of the voluntary Code. This may lead to inconsistencies in the credit reporting system in ensuring common compliance with the credit reporting provisions. A voluntary Code would not be enforceable by the OPC. This may be seen by stakeholders (including consumers) as undermining the reliability of the voluntary Code and the enforceability of any consumer rights or industry obligations imposed by the voluntary Code. This may detract from stakeholder trust in the reliability of the credit reporting system.

It is unlikely that the existence of the voluntary Code would discourage new CRA industry entrants. As it will be voluntary, new industry entrants would retain the discretion of not participating in the voluntary Code. They would be able to establish their own alternative procedures and processes that comply with the requirements of the Privacy Act but do not match the detailed guidance contained in the voluntary Code.

Credit Providers - Benefits

This option would not require the credit reporting industry to develop a voluntary Code. It would be a matter for the industry to decide whether or not to develop a voluntary Code. Any costs involved in the development of a Code would not be imposed by regulation but subject to commercial decisions about the costs and benefits by the industry. If the credit reporting industry chooses to develop a voluntary Code, the industry would remain in control of the development process. Industry control over the code making process would:

· allow the industry to apply detailed knowledge of industry practices to determine the best procedures to ensure practical compliance with the requirements of the Privacy Act
· provide the industry with the flexibility to review the voluntary Code and develop necessary changes as required by changes in industry standards; and
· allow the credit reporting industry to determine whether it needed to adopt standard practices.

A voluntary Code would not require approval from the OPC, potentially reducing costs and delays in implementation. However, approval from the ACCC may be required depending on whether the Code required consideration under the Trade Practices Act. A voluntary Code would not impede new credit providers entering the market as it would be a commercial decision whether or not the credit provider subscribed to the voluntary Code. The ability of the credit reporting industry to develop and adhere to a voluntary Code may assist the industry to build greater trust by individuals in the operational standards and reliability of credit reporting practices.

Credit Providers - Costs

The code making process would require industry cooperation to develop specific operational and procedural requirements. This is expected to involve costs to the industry in the preparation of the voluntary Code, including a cost to develop and draft the voluntary Code. However, ARCA has already drafted a Code and it is expected that the Code could be readily modified to form the basis of the voluntary Code, substantially reducing any costs in the development of a voluntary Code. A voluntary Code would be required to comply with the ACCC's guidelines for developing effective voluntary industry codes of conduct. The voluntary Code may also require authorisation by the ACCC if it contravenes a provision of the Trade Practices Act, which may extend the time required to develop the voluntary Code.

Credit providers would not be required to be members of the voluntary Code. This may lead to inconsistencies in the credit reporting system in ensuring common compliance with the credit reporting provisions. A voluntary Code would not be enforceable by the OPC. This may be seen by stakeholders (including consumers) as undermining the reliability of the voluntary Code and the enforceability of any consumer rights or industry obligations imposed by the voluntary Code. This may detract from stakeholder trust in the reliability of the credit reporting system.

It is unlikely that the existence of the voluntary Code would discourage new consumer credit industry entrants. As it will be voluntary, new industry entrants would retain the discretion of not participating in the voluntary Code. They would be able to establish their own alternative procedures and processes that comply with the requirements of the Privacy Act but do not match the detailed guidance contained in the voluntary Code.

Office of the Privacy Commissioner - Benefits

The OPC would face minimal, if any, costs when compared with Option 1. The OPC would not have a role in the voluntary Code making process, although the industry may choose to consult the OPC for guidance, and the OPC would not have a role in reviewing or authorising the voluntary Code. In any enforcement actions the OPC would not need to consult the voluntary Code in interpreting the credit reporting provisions.

Office of the Privacy Commissioner - Costs

The OPC would not have control over directing the credit reporting industry to develop a voluntary Code or the content of the voluntary Code. As the development of a voluntary Code would not be linked to the Privacy Act, the OPC would not be able to interpret specific credit reporting provisions by referring to the voluntary Code for practical assistance. This may lead to a fragmented approach to the operation of the credit reporting provisions, which may result in increased enforcement costs for the OPC, particularly if individual consumer complaints increased. It may also lead to increased business education costs for the OPC if it was necessary to encourage and educate the industry to ensure greater compliance with the requirements of the credit reporting provisions. It is not possible to quantify these potential costs as they would depend on the nature and severity of any problems which may be encountered.

Small Businesses - Benefits

Some small businesses may be credit providers depending on whether they offer goods or services on terms that involve credit. Businesses are not required to participate in the credit reporting system and, where small businesses choose not to do so, they would not be affected by a voluntary Code. Where small businesses choose to participate in the credit reporting system, participation in the development and implementation of a voluntary Code would provide them with greater certainty about the operation of the system and may increase consumer trust in their compliance with the credit reporting provisions.

Small Businesses - Costs

A voluntary Code would deal in detail with operational matters arising from the adoption of more comprehensive credit reporting. To the extent that small businesses decide to participate in the credit reporting system and use more comprehensive credit reporting information, they would need to consider complying with the requirements of the voluntary
Code. It is not possible to quantify the possible compliance costs for small businesses as there is no information available on the number of small businesses likely to use more comprehensive credit reporting.

Individuals - Benefits

Individuals would benefit from consistency in the type of practices engaged in by credit reporting industry participants. Development of a voluntary Code would provide consumer certainty around the practices of participating industry members.

Individuals - Costs

A voluntary Code may not build consumer trust in the practices of the industry or the dispute resolution procedures. Breaches of the voluntary Code would not be enforceable by the OPC. If the voluntary Code requires authorisation by the ACCC, there may be consumer confusion around the appropriate regulator for dispute resolution. It may be the case that not all CRAs or credit providers participate in the voluntary Code, which may create inconsistency and uncertainty for individuals in their dealings with the industry and in resolving consumer complaints.

11.2.4 Further notes relevant to Options 2 and 3: the ARCA Code

ARCA is currently preparing an industry Code to provide safeguards for business-to-business transactions involving consumer credit information. Amongst other matters, the industry Code is intended to regulate the operational processes by which credit providers receive data from CRAs, as well as provide requirements for how credit providers deal with customers on credit reporting issues. The current members of ARCA are ABACUS (Australian Building and Credit Union Societies, known as Australian Mutuals), American Express, ANZ Bank, Bank of Queensland, Bank of Western Australia, Citibank, Commonwealth Bank of Australia, GE Money, HBOS Australia, HSBC Bank, National Australia Bank, St George Bank, Telecom New Zealand, Westpac Bank, Dun and Bradstreet, and Veda Advantage.

ARCA has released a draft Credit Reporting Code of Conduct (the ARCA Code) which it has prepared as a voluntary contractual Code between members along the lines outlined in Option 3. However, the draft ARCA Code provides that membership is mandatory for any CRA with operations in Australia and for any credit provider who wishes to use or disclose credit reporting information. The ARCA Code would require all CRAs to ensure that organisations that seek access to credit reporting information are signatories to the Code or are otherwise bound by the Code provisions (e.g. via contract or terms and conditions of access). It would also allow regulators to require organisations to be bound by the Code (for example as a condition of obtaining a licence).

ARCA's work in developing a Code on behalf of the industry means that much of the work required to create a code has already been commenced. ARCA has undertaken a consultation process and invited submissions from interested parties in April 2009. It is understood that ARCA is currently in the process of considering those submissions and revising the draft Code. Whether the ARCA Code forms the basis for a voluntary Code under Option 3 or a binding Code under Option 2, the document would need to undergo an approval process by the appropriate regulator (the ACCC for Option 3 or the OPC for Option 2).
12 Consultation 12.1 ALRC Report Consultation The ALRC consulted with a wide variety of stakeholders which included CRAs, credit providers, consumer advocates and the OPC. There was broad support for the implementation of a new credit reporting code. CRAs and the representative body ARCA were strongly in favour of a new code, and as already demonstrated, ARCA is preparing a draft credit reporting code. The OPC was also in favour of a new code. In terms of legislative design, in their submissions to the ALRC, the CRAs and ARCA originally supported a binding code under Part IIIAA as outlined in Option 2. Consumer groups and privacy advocates generally favoured a binding code approved by the Privacy Commissioner. Matters which were of high importance for these groups were to ensure greater certainty about data accuracy, security and appropriate EDR procedures and processes. 12.2 Consultation since the release of the ALRC Report The Government undertook extensive consultations with, and received written submissions from, both the credit reporting industry and advocates on the credit reporting recommendations. The Government held the public roundtable consultations in December 2008. There were 22 credit reporting industry attendees and eight privacy and consumer advocate attendees. 15 written submissions were received from the stakeholders. The Department also held a large number of one-on-one meetings with stakeholders in the first half of 2009 to discuss the application of the ALRC's recommendations. The views of privacy and consumer advocates remained largely unchanged since the publication of the ALRC Report, and they reinforced their support for a mandatory credit reporting code approved by the OPC. One large credit provider similarly stressed that there should be only one regulator responsible for enforcement of the code. The position of ARCA and CRAs in relation to the design of a code changed from their original submission to the ALRC. 
They have submitted that the code should not be binding under the Privacy Act as under Option 2, and favour instead the adoption of a contractual code similar to Option 3.

13 Conclusion and Recommended Option

Option 2 is preferred. Unlike Option 1, Option 2 provides the consumer credit industry with sufficient flexibility and discretion to ensure that the requirements of the Code adequately address industry practice, while at the same time giving the Privacy Commissioner the power to determine (through the approval process) whether the Code is consistent and compliant with the requirements of the Privacy Act. Option 2 provides for a legally binding Code, which will allow the Privacy Commissioner to ensure an appropriate balance between the privacy needs of individuals and the operational needs of the consumer credit industry. This is not available under Option 3. The requirement under Option 2 that any organisation which wants to participate in the credit reporting system be a member of the binding Code will ensure consistency in practices across the consumer credit industry. Furthermore, a binding code under the jurisdiction of the Privacy Act (in contrast to a contractual code under Option 3) allows the OPC to interpret specific credit reporting provisions with reference to the Code. This will aid efficient and consistent complaint resolution for individuals, whether the complaints deal with matters regulated directly by the Privacy Act or by the Code. In addition, the likely costs for industry in complying with a Code developed under Option 2 are expected to be reduced. The consumer credit industry has already developed and complies with the ARCA Code, which is expected to form the basis for the new industry-developed Code of Conduct under Option 2. The use of the ARCA Code is also likely to reduce the costs to industry of developing a voluntary Code under Option 3. However, a voluntary Code would not be binding on industry and would not establish the same level of certainty around industry practices and consumer complaint resolution procedures as an industry-developed Code under Option 2.

14 Implementation and Review

The Government will release a public response to the ALRC Report. The Government has announced that the first step in the implementation of the Government response will be to release exposure draft legislation for public comment. The ALRC recommended that the Government initiate a review of the new credit reporting provisions five years after their commencement.37 The Government will consider this recommendation in the Government response to the ALRC report.

37 ALRC Report recommendation 54-8


Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Bill

The Privacy Amendment Bill 2012 (the Bill) will amend the Privacy Act 1988 (the Act) to implement the Government's first stage response to the Australian Law Reform Commission's report number 108, For Your Information: Australian Privacy Law and Practice. The ALRC, which had undertaken a comprehensive review of privacy law in Australia, released its report in May 2008. Given the large number of recommendations, the Government announced that it would respond in two stages. The Government's first stage response addressed 197 of the ALRC's 295 recommendations. The Bill implements the major elements of the first stage response. The Bill will amend the Act to:
· create the Australian Privacy Principles (APPs), a single set of privacy principles applying to both Commonwealth agencies and private sector organisations, setting out the standards, rights and obligations for the collection, storage, security, use, disclosure and quality of personal information, which will replace the Information Privacy Principles (IPPs) for the public sector and the National Privacy Principles (NPPs) for the private sector,
· introduce more comprehensive credit reporting, and
· clarify the functions and powers of the Privacy Commissioner and improve the Commissioner's ability to resolve complaints, recognise and encourage the use of external dispute resolution services, conduct investigations and promote compliance with privacy obligations.

The Bill will reduce complexity, increase consistency, clarify rights and obligations under the Act and improve usability for entities required to comply with the Act, while continuing to protect the privacy rights of individuals. The credit reporting provisions will be rewritten to more effectively address the significant changes and increased practical complexity in the operation of the credit reporting system since the provisions were enacted in 1990. In introducing more comprehensive credit reporting, the rights of individuals will be enhanced, including rights to access and correct their credit reporting information. The Act currently provides for the development of codes for particular sectors to guide their use of personal information. The Bill replaces the existing privacy codes and the credit reporting code with APP codes and the Credit Reporting Code of Conduct. The Bill will allow the Privacy Commissioner to create a binding code for a sector, following consultation, where the private sector does not create its own Code or the Code is found not to appropriately regulate the sector's use of information. All Codes, APP or Credit Reporting, are deemed disallowable legislative instruments by the amendments in the Bill, and will therefore be subject to Parliamentary scrutiny and accompanied by their own Statement of Compatibility with human rights.


Human rights implications

The Bill engages the following human rights:
· the protection against arbitrary interference with privacy
· the right to freedom of expression and opinion, and
· the right to a fair trial.

Protection against arbitrary interference with privacy

The Bill engages Article 17 of the International Covenant on Civil and Political Rights (ICCPR), which provides that no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation, and that everyone has the right to the protection of the law against such interference or attacks. The Bill protects against arbitrary interference with privacy by introducing a number of specific protections, including enhanced notification (APP 5), data quality (APP 10), data correction (APP 13) and dispute resolution mechanisms for individuals. In particular, these measures involve:
· enhancing obligations on agencies and organisations regarding an individual's access to, and correction of, their personal information, accompanied by a revised approach to complaints handling, including timeframes for notification and the use of alternative dispute resolution for credit reporting complaints, to deal with complaints more efficiently
· prohibiting the collection of credit reporting information about individuals reasonably known to be under 18
· in circumstances of suspected identity theft or fraud, providing individuals with the ability to prohibit, for a specified period of time, the disclosure of credit reporting information about them without their express authorisation
· requiring entities to develop and publish more comprehensive privacy policies to promote more open and transparent management of personal information
· introducing a requirement for Commonwealth government agencies to accord higher privacy protection to `sensitive information'
· ensuring that personal information received by an entity is still afforded privacy protections, even where the entity has done nothing to solicit the information
· broadening the matters that an individual is to be made aware of at the time of collection of the individual's personal information
· introducing a new `Direct Marketing' principle that will place extra limitations on organisations that use or disclose personal information to promote or sell goods or services directly to individuals
· improving correction and complaints processes for consumers, including allowing complaints to be made directly to the Privacy Commissioner in certain circumstances
· clarifying the functions and powers of the Privacy Commissioner to improve the Commissioner's ability to resolve complaints, recognise and encourage the use of external dispute resolution services, conduct investigations and promote compliance with privacy obligations
· ensuring the Commissioner has the flexibility to apply the Act to existing and emerging technologies and to enforce compliance where necessary, and


· requiring entities to ensure that obligations to protect personal information set out in the APPs cannot be avoided by disclosing personal information to a recipient outside Australia.

Reasonably necessary

A key objective of the Act is to balance the protection of the privacy of individuals with the interests of public and private sector entities in carrying out their lawful and legitimate functions and activities. The Bill enables the personal information of an individual to be collected, used and disclosed in particular circumstances (e.g. APP 3 and APP 6). Collecting, using, storing and sharing personal information, including its release without an individual's knowledge or consent, all amount to interferences with privacy. In order for an interference with the right to privacy to be permissible, the interference must be authorised by law, be for a legitimate objective and be reasonable, necessary and proportionate to that objective. One threshold standard that will apply in the APPs in certain circumstances is that an entity is able to undertake activities with personal information where it is `necessary' for a particular purpose, function or activity. For example, an entity may collect sensitive information without consent if the entity reasonably believes that the collection is necessary to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health and safety (APP 3.4 and s 16). These limitations are consistent with the prohibition on arbitrary interference with privacy, as they are directed at legitimate objectives and are reasonable, necessary and proportionate to those objectives. The Bill also enables the personal information of an individual to be collected, used and disclosed in certain circumstances where it is `reasonably necessary' for one or more of the entity's functions or activities (agencies also have a `directly related' test) (APP 3 and 6). It is reasonable for these entities to be able to handle personal information in these circumstances to promote the Government's service delivery, taxation, law enforcement and national security objectives, and the needs of business to offer services to the public. This is how the test has operated under the National Privacy Principles since their enactment in 2001. The permitted activities are limited to specific purposes (i.e. an entity's functions and activities), and are subject to additional safeguards in the case of sensitive information. For these reasons, the `reasonably necessary' threshold is consistent with the protection against arbitrary interference with privacy, subject to the additional safeguards in the case of sensitive information (APP 3.3 and 3.4).

Comprehensive credit reporting

The Bill implements the ALRC's recommendations to move to a more comprehensive credit reporting system. In this respect, the Bill may limit the prohibition on arbitrary interference with privacy by adding five new categories to the types of personal information that make up an individual's credit information in the credit reporting system. Four of the new categories, which are introduced in the new definition of consumer credit liability information in subsection 6(1), are:
· the type of credit account opened
· the date on which the consumer credit is entered into
· the date on which the consumer credit is terminated, and
· the current limit of the credit account.


The fifth category, repayment history information, is added directly to the definition of credit information, at part (c) of clause 6N of the Bill. The Act currently enables the collection and disclosure of personal information that primarily detracts from an individual's credit worthiness, such as the fact that an individual has defaulted on a loan. This is commonly referred to as `negative' or `delinquency-based' credit reporting. The introduction of comprehensive credit reporting is aimed at providing a more balanced and accurate picture of an individual's credit situation than currently exists, by including positive information about a person's credit situation, such as when an individual has met their credit payments. More comprehensive credit reporting allows credit providers to access an enhanced set of personal information directly relevant to establishing an individual's credit worthiness. This will allow credit providers to make a more robust assessment of credit risk, which is expected to lead to lower credit default rates. More comprehensive credit reporting is also expected to improve competition in the credit market, which may result in reductions to the cost of credit for individuals. The amendments will enable legitimate commercial activity, facilitating consumer lending and transactions, and thus the participation of individuals in the economy. These are legitimate objectives. The Bill introduces a number of safeguards to provide individuals with the tools to access information held about them and correct any inaccuracies. The Bill also makes improvements to the complaints process, to ensure that the first organisation to receive the individual's complaint is responsible for taking action. In moving to more comprehensive credit reporting it has been recognised that additional safeguards around the use of repayment history information, the fifth new category of information, are also necessary. Repayment history information will only be available to credit providers who are licensees [and to lenders mortgage insurers in relation to services they provide to credit providers] and subject to the responsible lending obligations in the National Consumer Credit Protection Act 2009 (Cth).38 The Bill continues to state clearly defined and limited uses and disclosures for credit reporting information. The Government did not support the ALRC's recommendation that secondary uses of credit reporting information should be subject to a broad discretion exercised by credit reporting bodies or credit providers. The Government's approach ensures that any effect on privacy rights is proportionate and limited by the introduction of specific safeguards, including:
· only de-identified information can be used for the purpose of research, and the research must be reasonably connected to the credit reporting system, and
· the use of credit reporting information for the purposes of pre-screening is expressly limited to the purpose of excluding adverse credit risks from marketing lists. Pre-screening is subject to specific requirements, including the use of negative credit reporting information only, the requirement for notice at the time of collection that information may be used for this purpose, an opt-out opportunity, and a prohibition on individuals being identified for other direct marketing. Any entity involved in pre-screening must maintain auditable evidence to verify compliance, which is available to individuals. Pre-screening is also only available to credit providers who are subject to the National Consumer Credit Protection Act 2009 (NCCP Act).

38 National Consumer Credit Protection Act 2009, Chapter 3.


In the consumer credit environment it is important to achieve a balance between privacy protection and the efficient operation of the credit market. Access to narrowly defined categories of credit information, to ensure a more balanced picture of an individual's credit situation (taking into account positive action such as payment, and not just negative information like defaults) and to allow for more effective risk assessment by credit providers, is balanced with the enhanced privacy protections set out above. Any limitations on the prohibition against arbitrary interference with privacy in the Bill are clearly and narrowly defined, for the legitimate purpose of improving the management of personal and credit reporting information, and accompanied by sufficient safeguards to maintain reasonable privacy protections. The measures are reasonable, necessary and proportionate, as they ensure the smallest possible set of data is used for the narrowest purposes to achieve the objective of providing a functional consumer credit market.

Freedom of expression

The Bill engages Article 19 of the ICCPR. Article 19 guarantees freedom of expression, including the right to impart and to receive information. Freedom of expression is not an absolute right, and Article 19(3) of the ICCPR specifies the legitimate aims which any legal restriction on the exercise of freedom of expression must pursue. In this case the Bill limits the right to freedom of expression in order to promote respect for the rights or reputations of others, namely the protection against arbitrary interference with privacy in Article 17. The Commissioner has the ability to create binding codes in certain defined circumstances (new Part IIIB, inserted by Schedule 3). Codes will provide additional protections over and above the APPs. Codes cannot displace or provide for a lower standard of privacy protection than the APPs.
The ability of the Commissioner to create binding codes may in certain circumstances limit the right to freedom of expression of code developers (which could be any entity subject to the Act). Not every code will impinge on this right. The performance of the functions and powers of the Commissioner, including the development of a binding code, continues to be governed by section 29 of the Act, which requires the Commissioner to have regard to, amongst other things, the protection of important human rights and social interests that compete with privacy.39 Section 29 also provides that the Commissioner must take account of international obligations accepted by Australia and any developing international guidelines relevant to the better protection of individual privacy. When issuing directions and guidelines the Commissioner must also ensure they are consistent with any relevant APPs or credit reporting provisions. As noted above, all Codes will be disallowable legislative instruments, subject to Parliamentary scrutiny and required to be accompanied by their own Statement of Compatibility with human rights. These safeguards ensure that the limitation the Bill places on the right to freedom of expression is reasonable, necessary and proportionate.

Fair trial

The Bill engages Article 14 of the ICCPR, which guarantees a person be afforded, in the determination of any criminal charge against them, the right to a fair trial. The United Nations Human Rights Committee has stated that the notion of criminal charges may `also extend to acts that are criminal in nature with sanctions that, regardless of their qualification in domestic law, must be regarded as penal because of their purpose, character or severity'.40 The Bill removes many of the criminal offences in the Act, replacing them with civil penalty provisions.41 The civil penalty provisions, such as those in Subdivision D of Part IIIA, are declared not to be offences under Part VIB. While the provisions provide for significant civil penalties, it is considered that serious breaches of privacy should attract serious penalties. This is consistent with the civil penalties in the NCCP Act, and with the Government's overall response to serious breaches by corporations. The Bill incorporates appropriate safeguards into its civil penalty provisions.42 It stipulates that in determining pecuniary penalties a court must take all relevant matters into account, including the circumstances of the contravention, the nature and extent of any loss or damage suffered because of the contravention and whether the entity has previously been found to have engaged in similar conduct. The Bill provides that an entity will not be liable for more than one pecuniary penalty in relation to the same conduct. These provisions will ensure that pecuniary penalties are proportionate to any contravention of a civil penalty provision, and protect the rights expressed in Article 14.

Conclusion

The Bill is compatible with human rights because it advances the protection of human rights, primarily the protection against arbitrary interference with privacy, and, to the extent that it may also limit other human rights, those limitations are reasonable and proportionate.

39 Privacy Act 1988 (Cth) Part IV Division 2 s 29(a)
40 General Comment No. 32, para 15; Communication No. 1015/2001, Perterer v. Austria, para. 9.2.
41 Privacy Amendment Bill 2012 section 164(4) of Part VIB
42 section 164(5) of Part VIB


PRIVACY AMENDMENT (ENHANCING PRIVACY PROTECTION) BILL 2012

NOTES ON CLAUSES

List of Abbreviations

APP                       Australian Privacy Principle
Information Commissioner  Australian Information Commissioner
IPP                       Information Privacy Principle
NPP                       National Privacy Principle
OAIC                      Office of the Australian Information Commissioner
Privacy Act               Privacy Act 1988


NOTES ON CLAUSES

Clause 1 Short title

Clause 1 sets out the title by which the Bill, when enacted, is to be cited: Privacy Amendment (Enhancing Privacy Protection) Act 2012.

Clause 2 Commencement

Clause 2 inserts a table which provides for the commencement arrangements for each of the provisions in the table. Column 1 states the provision number, and column 2 provides the commencement arrangements for that particular provision. The table provides that sections 1 to 3, and any other provision in the Act that is not provided for in the table, commence on the day the Act receives the Royal Assent. The table also provides that Items 156 and 162 of Schedule 5 and Parts 1 and 4 of Schedule 6 commence on the day the Act receives the Royal Assent. The majority of the new provisions have a deferred commencement of 9 months from the day after the Bill receives the Royal Assent. This deferral is to allow agencies and organisations sufficient time to prepare for the introduction of the new provisions, particularly the credit reporting provisions. The table in Clause 2 provides that the following provisions commence the day after the end of the period of 9 months beginning on the day this Act receives the Royal Assent: Schedules 1 to 4; Items 1 to 70, 72 to 79, 81 to 131, 133 to 155, 157 to 161, 163 to 171, and 173 to 180 of Schedule 5; and Parts 2, 3, 5, 6 and 7 of Schedule 6. Item 71 of Schedule 5 relates to the operation of the Personally Controlled Electronic Health Records Act 2012 (Personally Controlled Electronic Health Records Act). Item 71 of Schedule 5 does not commence at all if section 73 of the Personally Controlled Electronic Health Records Act does not commence. If that provision does commence, Item 71 of Schedule 5 of this Bill commences immediately after its commencement, or at the start of the day after the end of the period of 9 months beginning on the day this Bill receives the Royal Assent, whichever occurs later. The same arrangement applies to Item 80 of Schedule 5, which relates to the operation of the Stronger Futures in the Northern Territory Act 2012 (Stronger Futures in the Northern Territory Act). Item 80 of Schedule 5 does not commence at all if section 105 of the Stronger Futures in the Northern Territory Act does not commence. If that provision does commence, Item 80 of Schedule 5 commences immediately after its commencement, or at the start of the day after the end of the period of 9 months beginning on the day this Bill receives the Royal Assent, whichever occurs later. This commencement arrangement also applies to Item 132 of Schedule 5, which relates to the commencement of item 24 of Schedule 5 of the Consumer Credit and Corporations Legislation Amendment (Enhancements) Act 2012, and to Item 172 of Schedule 5, which relates to the commencement of item 32 of Schedule 1 of the Personally Controlled Electronic Health Records (Consequential Amendments) Act 2012.

Clause 3 Schedule(s)

This clause provides for each Act specified in a Schedule to the Bill to be amended in accordance with the items set out in the relevant Schedule.


Schedule 1--Australian Privacy Principles

Introduction

Outline of this schedule

This schedule amends the Privacy Act to include the new Australian Privacy Principles (APPs). The APPs will be the cornerstone of the privacy protection framework of the Privacy Act. The APPs will replace the Information Privacy Principles (IPPs), which applied to Commonwealth agencies, and the National Privacy Principles (NPPs), which applied to certain private sector organisations. As with these former principles, the APPs will regulate the collection, holding, use and disclosure of personal information that is included in records. Schedule 1 also contains amendments to definitions, either to replace or clarify them or to add definitions for new terms.

Principles based legislation

The APPs will be principles-based law. This type of law is the best regulatory model for information privacy protection in Australia. By continuing to use high-level principles, the Privacy Act regulates agencies and organisations in a flexible way. They can tailor personal information handling practices to their diverse needs and business models, and to the equally diverse needs of their clients. The Privacy Act combines principles-based law with more prescriptive rules where appropriate. This regulation is complemented by guidance and oversight by the regulatory body, the Office of the Australian Information Commissioner (OAIC). This is comparable to international regulatory models in jurisdictions such as Canada, New Zealand and the United Kingdom.

Structure

The order in which the APPs appear is intended to reflect the cycle that occurs as entities collect, hold, use and disclose personal information. This broadly consists of the following stages:
· planning in advance how to meet obligations in relation to the handling of personal information;
· considering whether information may or should be collected;
· collecting information;
· providing notification of collection to the individual concerned;
· using or disclosing the information for the purpose for which it was collected or for an allowable secondary purpose;
· maintaining the integrity of personal information by securely storing it and ensuring its quality; and
· when the information is no longer necessary for the functions or activities of the entity, destroying it or ensuring that it is no longer personal information.

To this end, the APPs have been set out in Parts that move through each of the above elements of the information-handling chain. Part 1 sets out principles that require APP entities to consider the privacy of personal information, including ensuring that APP entities manage personal information in an open and transparent way.


Part 2 sets out principles that deal with the collection of personal information, including unsolicited personal information. Part 3 sets out principles about how APP entities deal with personal information and government related identifiers. The Part includes principles about the use and disclosure of personal information and those identifiers. Part 4 sets out principles about the integrity of personal information. The Part includes principles about the quality and security of personal information. Part 5 sets out principles that deal with requests for access to, and the correction of, personal information.

Key concepts - definition of `personal information'

The definition of `personal information' has been modified to implement the Government's acceptance of ALRC Recommendation 6-1. It is important that this key definition be sufficiently flexible and technology-neutral to encompass changes in the way that information that identifies an individual is collected and handled. The ALRC's recommended definition continues to allow this approach and also brings the definition in line with international standards and precedents. The proposed definition does not significantly change the scope of what is considered to be personal information. The application of `reasonably identifiable' ensures the definition continues to be based on factors which are relevant to the context and circumstances in which the information is collected and held. Consistent with the Government's response to ALRC Recommendation 6-2, the Government encourages the development and publication of appropriate guidance by the OAIC about the meaning of `identified or reasonably identifiable'. This will be useful in assisting organisations, agencies and individuals to understand the application of the new definition, especially given the contextual nature of the definition.

Key concepts - `reasonably necessary'

A number of the APPs allow for collection, use or disclosure where the entity believes that the collection, use or disclosure is `reasonably necessary' for a particular purpose. It is intended that this be interpreted objectively and in a practical sense. It is not intended to provide a lower level of protection than the existing NPPs, where an objective test is implied. The requirement that an entity must not collect, use or disclose personal information unless it is reasonably necessary for a particular purpose, function or activity is intended to reflect the following. First, the collection, use or disclosure must be reasonably necessary to pursue that particular purpose, function or activity. Whether the collection, use or disclosure is reasonably necessary is to be assessed from the perspective of a reasonable person (not merely from the perspective of the entity proposing to undertake the activity). Second, where a reasonable person would not regard the purpose, function or activity in question as legitimate for that type of entity, the collection, use or disclosure of personal information will not be `reasonably necessary' even if the entity cannot effectively pursue that function or activity without collecting, using or disclosing the personal information.


Key concepts - requirement to take reasonable steps A number of the APPs require an entity to take `reasonable steps'. The expression `such steps as are reasonable in the circumstances' is intended to be interpreted as being similar in meaning to the term `reasonable steps' used in the NPPs. Specifically, the term requires an objective assessment, and the addition of the words `in the circumstances' is only intended to highlight that when considering what are objectively reasonable steps the specific circumstances of each case must be considered. In some cases, the words `(if any)' are used to ensure that, in that particular case, if there are no steps that an entity needs to take to fulfil its obligations, it need not take any steps. Key concepts - consent Consent is a defined concept within the current Privacy Act which will be retained in the amended Act. Consent is defined to mean `express consent or implied consent'. Express consent exists where a person makes an informed decision to give their voluntary agreement to collection, use or disclosure taking place. Whether consent can be said to be implied depends entirely on the circumstances. Consent may be implied when, in the circumstances, the individual and the relevant entity have each engaged in conduct that means that it can be inferred the individual has consented, even though the individual may not have specifically stated that he or she gives consent. Consent, in many circumstances, can be withdrawn at any time. In such circumstances, the consent no longer exists, and an entity would no longer be able to rely on consent having been given when dealing with the individual's personal information. Consistent with the Government's response to ALRC Recommendation 19-1, the Government encourages the development and publication of appropriate guidance by the OAIC about what is required of agencies and organisations to obtain an individual's consent for the purposes of the Privacy Act. 
Treatment of `sensitive information'

Schedule 1 implements the Government's agreement with the ALRC that the community expects `sensitive information' to be afforded higher privacy protections than personal information that is not sensitive. These protections will apply regardless of whether sensitive information is held by agencies or organisations. These requirements include that sensitive information may not be collected except where permitted by specified exceptions. These exceptions reflect the public interest in allowing entities to perform certain functions and activities.

Item 1 Section 3

Item 1 will amend section 3 of the Privacy Act by removing the reference to the `transfer' of information. Section 3 provides that the Privacy Act does not affect the operation of State and Territory legislation that deals with the same subject matter and is capable of operating concurrently with the Privacy Act. As a result of the changes in terminology from the NPPs to the APPs, reference to the `transfer' of information is unnecessary. NPP 9 deals with transborder data flows and uses the term `transfer'. However, APP 8, which deals with cross-border disclosure of personal information, uses the term `disclosure'. The term `transfer' is not otherwise used in the APPs. To ensure that section 3 accurately sets out the content of corresponding State and Territory privacy laws that are to be saved, it is necessary to omit reference to `transfer'.

Item 2 Section 3 (note)

Item 2 will amend section 3 of the Privacy Act by replacing the reference to the NPPs with a reference to the APPs.

Item 3 Section 5

Item 3 will repeal section 5 of the Privacy Act, which is no longer necessary as it deals with the interpretation of the IPPs, which will be replaced by the APPs. New section 14 of the Privacy Act will note that the APPs are set out in Schedule 1 of the Privacy Act, and that a reference to an APP by a number is a reference to an APP with that number.

Item 4 Subsection 6(1) (paragraph (i) of the definition of `agency')

Item 4 will repeal paragraph (i) of the definition of `agency' in subsection 6(1) of the Privacy Act, which refers to an `eligible case manager' (see Item 15).

Item 5 Subsection 6(1)

Item 5 will insert a definition of `APP complaint' into subsection 6(1) of the Privacy Act. This definition means a complaint about an act or practice that, if established, would be an interference with the privacy of an individual because it breached an APP. A separate definition is required for an `APP complaint' to distinguish it from other types of complaints under the Privacy Act (for example, `code complaints', and complaints relating to the handling of credit reporting information).

Item 6 Subsection 6(1)

Item 6 will insert a definition of `APP entity' into subsection 6(1) of the Privacy Act. Under the current Act, the IPPs apply to Commonwealth agencies, while the NPPs apply to certain private sector organisations. Under the amendments in the Bill, both agencies and organisations will be regulated by the APPs. It is therefore necessary to include a definition that includes both types of entities.

Item 7 Subsection 6(1)

Item 7 will insert a definition of `APP privacy policy' into subsection 6(1) of the Privacy Act.
The definition is included in APP 1.3, which states that, `[a]n APP entity must have a clearly expressed and up-to-date policy (the APP privacy policy) about the management of personal information by the entity'. The intention of APP 1 is to ensure that APP entities manage personal information in an open and transparent way. APP 1 also contains requirements about the content of an APP privacy policy and its availability.

Item 8 Subsection 6(1)

Item 8 will insert a definition of `Australian law' into subsection 6(1) of the Privacy Act. The definition addresses the Government's acceptance in principle of ALRC Recommendation 16-1 that it should include a reference to `common law or equitable duties', but exclude `contracts'. In that response, the Government also noted that while a definition will provide a degree of clarity, the meaning of `law' is best determined on a case-by-case basis. The Government also outlined some relevant considerations in determining the application of the required or authorised by law exemption, but also in determining whether an applicable law is relevant under the Privacy Act.

The definition has been included to clarify the scope of provisions that allow collection, use or disclosure where it is required or authorised by or under law. Currently there is no definition of `law' in the Privacy Act and it generally takes its ordinary meaning. The ALRC found that there was a degree of uncertainty around the definition and that an inclusive definition should be expressly set out to create greater clarity.

Item 9 Subsection 6(1)

Item 9 will insert a definition of `Australian Privacy Principle' into subsection 6(1) of the Privacy Act. The definition refers to section 14 of the amended Act, which is a provision ensuring that a reference in any Act to an APP by a number is a reference to the APP with that number.

Item 10 Subsection 6(1)

Item 10 will insert a definition of `collects' into subsection 6(1) of the Privacy Act. The definition will capture the substance of section 16B of the Privacy Act and IPPs 1-3, namely that the Privacy Act applies to personal information collected by entities regulated by the Privacy Act for inclusion in a record or generally available publication. Section 16B of the Privacy Act and the IPPs will be repealed.

Item 11 Subsection 6(1)

Item 11 will insert a definition of `Commonwealth record' into subsection 6(1) of the Privacy Act, which will have the same meaning as in the Archives Act 1983 (Archives Act). That expression appears in APPs 4 and 11, and ensures that certain requirements under the Archives Act relating to the retention of Commonwealth records will apply notwithstanding requirements in the APPs relating to destruction of personal information.

Item 12 Subsection 6(1)

Item 12 will insert a definition of `court/tribunal order' into subsection 6(1) of the Privacy Act. The inclusion of orders of courts or tribunals as part of clarifying the scope of the `required by or authorised by or under law' exceptions is ALRC Recommendation 16-1, which the Government accepted. This definition gives the broadest interpretation to the concept and is consistent with that terminology as it appears in other laws and regulations (for example, Legislative Instruments Regulations 2004).
Item 13 Subsection 6(1)

Item 13 will insert a definition of `de facto partner' into subsection 6(1) of the Privacy Act. This contains a cross-reference to the meaning of that expression in the Acts Interpretation Act (see section 2D). This definition is relevant to subsection 6(10) of the Privacy Act, which provides that a `de facto partner of the individual' is taken to be included within the concept of a `family' for certain purposes.

Item 14 Subsection 6(1)

Item 14 will insert a definition of `de-identified'. This will provide that personal information is `de-identified' if the information is no longer about an identifiable individual or an individual who is reasonably identifiable. This term is used in the APPs and the credit reporting provisions.

Item 15 Subsection 6(1) (definition of `eligible case manager')

Item 15 will repeal the definition of `eligible case manager' in subsection 6(1) of the Privacy Act. The concept of `eligible case manager' came from the Employment Services Act 1994, which was repealed by the Financial Framework Legislation Amendment Act (No. 1) 2006. It is therefore no longer necessary to include that definition. All references to `eligible case manager' are being removed from the Privacy Act.

Item 16 Subsection 6(1) (after paragraph (b) of the definition of `enforcement body')

Item 16 will insert a reference to the CrimTrac Agency into the definition of `enforcement body' in subsection 6(1) of the Privacy Act. The CrimTrac Agency is the national information-sharing service for Australia's police, law enforcement and national security agencies. It enables police agencies to share policing information with one another across Australia's state and territory borders. In view of its enforcement related functions and activities, and the type of information it collects, uses and discloses, it is appropriate to include the CrimTrac Agency in the definition of `enforcement body'. This will enable it to collect personal and sensitive information for its legitimate functions and activities, and to enable such information to be used or disclosed on its behalf for an `enforcement related activity'.

Item 17 Subsection 6(1) (after paragraph (c) of the definition of `enforcement body')

Item 17 will insert a reference to the `Immigration Department'. That will be a new definition in section 6 of the Privacy Act referring to the Department administered by the Minister administering the Migration Act 1958 (Migration Act). Currently, this is a reference to the Department of Immigration and Citizenship (DIAC). The effect of this addition is that DIAC will have the ability to collect personal and sensitive information for its functions and activities (subject to the additional requirement in APP 3.4 that the collection of sensitive information without consent be limited to its enforcement related activities), and will have the ability to have information used or disclosed on its behalf for an enforcement related activity.
In view of DIAC's enforcement related functions and activities, and the type of information it collects, uses and discloses, it is appropriate to include it in the definition of `enforcement body'. However, given that it has a range of non-enforcement functions and activities, it will be limited in the collection of sensitive information to its `enforcement related activities'.

Item 18 Subsection 6(1) (after paragraph (e) of the definition of `enforcement body')

Item 18 will include the Office of the Director of Public Prosecutions (DPP) or similar bodies established under a law of a State or Territory in the definition of `enforcement body' in subsection 6(1) of the Privacy Act. A body will be `similar' to the DPP if it has similar enforcement related functions. A clear example of such a body is a State DPP. The functions and activities of the Commonwealth and State/Territory DPPs include prosecuting criminal offences, preparing for, or conducting, proceedings before courts, and applying for orders relating to the confiscation of proceeds of crime. The DPP offices may, to some extent, come within the existing definition of `enforcement body' through existing paragraphs (f) and (g) of that definition. However, to avoid any doubt about whether the DPP offices are enforcement bodies, it is necessary to include them in the definition.

Item 19 Subsection 6(1) (after paragraph (l) of the definition of `enforcement body')

Item 19 will include the Corruption and Crime Commission of Western Australia (CCCWA) in the definition of `enforcement body' in subsection 6(1) of the Privacy Act. The CCCWA was established on 1 January 2004, under the Corruption and Crime Commission Act 2003, as a permanent investigative commission with the same powers as a Royal Commission. The CCCWA assists the Western Australia Police Service to combat organised crime by granting them special powers, and helps public sector agencies minimise and manage misconduct. CCCWA is included for consistency, so that all currently-existing State integrity bodies are listed.

Item 20 Subsection 6(1)

Item 20 will insert a definition of `enforcement related activity' into subsection 6(1) of the Privacy Act. The definition will substantially capture the matters covered by NPP 2.1(h), which creates an exception to the prohibition against organisations using or disclosing personal information for a secondary purpose by listing a number of activities conducted by or on behalf of law enforcement bodies in respect of which personal information may be used or disclosed. The definition of `enforcement related activity' will replicate this list but add paragraphs to ensure that the definition covers the conduct of surveillance activities, intelligence gathering activities and other monitoring activities as well as protective or custodial activities. These types of activities have been included to update and more accurately reflect the range of activities that law enforcement agencies currently undertake in performing their legitimate and lawful functions. The definition is used in APPs 6 and 8 and will enable certain uses and disclosures of personal and sensitive information which may otherwise be a breach of those APPs. The definition recognises that the limited use and disclosure of personal information for criminal law enforcement purposes is in the public interest when balanced with the interest in protecting an individual's privacy.

Item 21 Subsection 6(1)

Item 21 will insert a definition of `entity' into subsection 6(1) of the Privacy Act.
In the amended Privacy Act, `entity' will mean `an agency, or an organisation or a small business operator'. Generally, while the APPs will not apply to small business operators, they may be regulated under provisions of Part IIIA (credit reporting).

Item 22 Subsection 6(1) (definition of `generally available publication')

Item 22 will update the definition of `generally available publication' in subsection 6(1) of the Privacy Act. The new definition will explicitly state that a publication is a generally available publication whether or not payment of a fee is required to access it. The new definition is also more technologically neutral, in that it clearly covers material available electronically, including on the internet. The amendment is not intended to suggest that any website or publication available on the internet is a generally available publication. An assessment must be made on a case-by-case basis, taking into account all relevant circumstances, such as the extent to which access to the publication or website is restricted in some way.

Item 23 Subsection 6(1)

Item 23 will insert a definition of `government related identifier' into subsection 6(1) of the Privacy Act. Government related identifiers are specifically assigned by one of a range of specifically listed government-related bodies (in paragraphs (a)-(d) of the definition) and are used to identify an individual or verify the identity of the individual. The definition extends to State and Territory authorities as well as Commonwealth agencies. Examples of government related identifiers include Medicare numbers and driver's licence numbers.

Item 24 Subsection 6(1)

Item 24 will insert a definition of `holds' into subsection 6(1) of the Privacy Act. The definition will substantially capture the concept formerly included in section 10 of the Privacy Act relating to record-keepers under the IPPs. That is, an entity holds personal information if the entity has possession or control of a record that contains the personal information.

Item 25 Subsection 6(1)

Item 25 will insert a definition of `identifier' into subsection 6(1) of the Privacy Act. The concept is used in APP 9, which is concerned with the adoption, use or disclosure of government related identifiers by organisations. The definition is broader than the definition of `identifier' in NPP 7.3, in that it will apply to a number, letter or symbol, or combination of any or all of those things, that is used to identify or to verify the identity of the individual. As with the definition of `identifier' in NPP 7.3, it will expressly exclude the individual's name, or the individual's ABN (within the meaning of the A New Tax System (Australian Business Number) Act 1999). It will also exclude anything else prescribed by the regulations to ensure that there is flexibility to exclude any future identifiers from the definition.

Item 26 Subsection 6(1)

Item 26 inserts a new definition of `Immigration Department' in section 6 of the Privacy Act to refer to that Department administered by the Minister administering the Migration Act. Currently, that is DIAC.
Item 27 Subsection 6(1) (definition of `Information Privacy Principle')

Item 27 will repeal the definition of `Information Privacy Principle', which will no longer be necessary because the IPPs will be replaced by the APPs.

Item 28 Subsection 6(1) (definition of `IPP complaint')

Item 28 will repeal the definition of `IPP complaint', which will no longer be necessary because the IPPs will be replaced by the APPs. Complaints about acts and practices occurring after the commencement of the amendments will relate only to the APPs.

Item 29 Subsection 6(1)

Item 29 will insert a definition of `misconduct' into subsection 6(1) of the Privacy Act. The new concept will assist in clarifying the scope of provisions that allow collection, use or disclosure of personal information for the purposes of taking action against persons who have engaged in serious misconduct. It includes fraud, negligence, default, breach of trust, breach of discipline or any other misconduct in the course of duty. It is intended that each of these terms will take their ordinary/common law meaning.

Item 30 Subsection 6(1) (definition of `National Privacy Principle')

Item 30 will repeal the definition of `National Privacy Principle', which will no longer be necessary because the NPPs will be replaced by the APPs.

Item 31 Subsection 6(1)

Item 31 will insert a definition of `non-profit organisation' into subsection 6(1) of the Privacy Act. The definition is based on the definition of `non-profit organisation' in NPP 10.5, which states that `non-profit organisation means a non-profit organisation that has only racial, ethnic, political, religious, philosophical, professional, trade or trade union aims'. The amendment will update the definition so that the terms `racial, ethnic' are included within `cultural', as well as including `recreational' purposes.

Item 32 Subsection 6(1) (definition of `NPP complaint')

Item 32 will repeal the definition of `NPP complaint', which is no longer necessary because the NPPs will be replaced by the APPs.

Item 33 Subsection 6(1)

Item 33 will insert a definition of `overseas recipient' into subsection 6(1) of the Privacy Act. The definition will refer to APP 8, which will deal with cross-border disclosure of personal information. In APP 8.1, an `overseas recipient' is a reference to a person who is not in Australia or an external Territory and is not the entity holding the personal information or the individual who the personal information is about.

Item 34 Subsection 6(1)

Item 34 will insert a definition of `permitted general situation' into subsection 6(1) of the Privacy Act. The definition refers to the new section 16A (see Item 82) which outlines situations where the collection, use or disclosure by an APP entity of personal information about an individual, or of a government related identifier, will not be a breach of the APPs.

Item 35 Subsection 6(1)

Item 35 will insert a definition of `permitted health situation' into subsection 6(1) of the Privacy Act. The definition refers to the new section 16B (see Item 82) which outlines situations where the collection, use or disclosure of certain health information or genetic information will not be a breach of the APPs.
Item 36 Subsection 6(1) (definition of `personal information')

Item 36 will update the definition of `personal information' in subsection 6(1) of the Privacy Act. The new definition will reflect the Government's acceptance of the ALRC's recommendation that `personal information' should be defined as `information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual' (ALRC Recommendation 6-1).

The definition in the Privacy Act refers to, `information or an opinion (including information or an opinion forming part of a database)'. The reference to databases, which may have provided clarification in 1988 when the Privacy Act was passed, is no longer necessary and will not appear in the new definition. It is intended that information forming part of a database will be included in the new definition, even though databases are no longer specifically included in the definition.

The Privacy Act refers to `an individual whose identity is apparent, or can reasonably be ascertained'. The new definition will use the terms `identified' and `reasonably identifiable'. The new definition has been cast in terms of identification of individuals because this language is more consistent with the APEC Privacy Framework and other international instruments, which means that international jurisprudence and explanatory material will be more directly relevant to the Privacy Act.

The new definition will refer to an individual who is, `reasonably identifiable'. Whether an individual can be identified or is reasonably identifiable depends on context and circumstances. While it may be technically possible for an agency or organisation to identify individuals from information it holds, for example, by linking the information with other information held by it, or another entity, it may be that it is not practically possible. For example, logistics or legislation may prevent such linkage. In these circumstances, individuals are not `reasonably identifiable'. Whether an individual is reasonably identifiable from certain information requires a consideration of the cost, difficulty, practicality and likelihood that the information will be linked in such a way as to identify him or her.

In agreeing with ALRC Recommendation 6-2, the Government encouraged the development and publication of appropriate guidance about the meaning of `identified or reasonably identifiable' in the definition of `personal information' by the OAIC, noting that the decision to provide guidance was a matter for the OAIC. Guidance issued by the OAIC would play an important role in assisting organisations, agencies and individuals to understand the application of the new definition, especially given the contextual nature of the definition.

Item 37 Subsection 6(1) (definition of `record')

Item 37 will amend the definition of `record' in subsection 6(1). In order to allow for technological advances, `record' will be defined inclusively rather than exhaustively.

Item 38 Subsection 6(1) (paragraphs (b) and (c) of the definition of `record')

Item 38 will amend the definition of `record' in subsection 6(1) to include reference to `electronic or other device'.
This picks up the Government's response to ALRC Recommendation 6-6, which is that the definition should encompass a broad range of recorded information, including information held in electronic format. This change will ensure that the definition is sufficiently flexible to encompass how information will be recorded and stored in the future.

Item 39 Subsection 6(1) (at the end of the definition of `record')

Item 39 will add a note to the definition of `record' in subsection 6(1). To promote consistent terminology with other Commonwealth legislation, the note will make it clear that the use of the term `document' in the definition of `record' is found in section 2B of the Acts Interpretation Act.

Item 40 Subsection 6(1)

Item 40 will insert a definition of `responsible person' into subsection 6(1) of the Privacy Act. The definition will direct the reader to the new section 6AA (see Item 52).

Item 41 Subsection 6(1) (subparagraph (a)(viii) of the definition of `sensitive information')

Item 41 will amend the definition of `sensitive information' in subsection 6(1) to refer to an individual's sexual `orientation' rather than `preferences'. This minor change is not intended to change the meaning of the definition but will ensure consistency with other Commonwealth, state and territory legislation.

Item 42 Subsection 6(1) (at the end of the definition of `sensitive information')

Item 42 will amend the definition of sensitive information in subsection 6(1) of the Privacy Act by adding references to biometric information and biometric templates. The inclusion of these two paragraphs will implement the Government's response to ALRC Recommendation 6-4. The Government agreed with the ALRC that biometric information had similar attributes to other sensitive information and it was therefore desirable to provide it with a higher level of protection. Given the broad nature of what can be considered biometric information, the definition makes it clear that the additional protections only extend to that biometric information which is specifically being collected for the purpose of automated biometric verification or biometric identification.

Item 43 Subsection 6(1) (definition of `solicit')

Item 43 will repeal the definition of `solicit' in the Privacy Act. A new definition of `solicits' will be inserted (see Item 44).

Item 44 Subsection 6(1)

Item 44 will insert a new definition of `solicits' into the Privacy Act. The new definition will be based on the present definition but use the term `entity' consistently with the terminology of the amended Privacy Act.

Item 45 Subsection 6(1) (definition of `use')

Item 45 will repeal the definition of `use' in subsection 6(1) of the Privacy Act. The amended Privacy Act will contain a single principle applying to both use and disclosure, rendering this definition unnecessary. The concept of `use' may still apply to any distinction between use and disclosure under the amended Privacy Act.

Item 46 Subsection 6(2)

Item 46 will repeal subsection 6(2) of the Privacy Act. The subsection deals with breaches of the IPPs so will not be necessary in the amended Privacy Act.

Item 47 Paragraph 6(7)(a)

Item 47 will amend paragraph 6(7)(a) of the Privacy Act to refer to an `APP' instead of an `IPP' in the context of a complaint.
Item 48 Paragraph 6(7)(d)

Item 48 will repeal paragraph 6(7)(d) of the Privacy Act. The paragraph refers to a `file number complaint and an NPP complaint'. With the introduction of the APPs, this paragraph will not be necessary in the amended Privacy Act. The concept of a complaint being both a `file number complaint and an APP complaint' will be covered under paragraph 6(7)(a) of the Privacy Act.

Item 49 Paragraph 6(7)(f)

Item 49 will amend paragraph 6(7)(f) of the Privacy Act to refer to an `APP' instead of an `NPP' in the context of a complaint.

Item 50 Subsection 6(10)

Item 50 will amend subsection 6(10) of the Privacy Act to refer to new section 16 instead of section 16E, which is being repealed by Item 82. The new section 16 confirms that the APPs do not apply to regulate the handling of personal information by an individual where that information is collected, held, used, disclosed or transferred for personal, family or household affairs (that is, done other than in the course of business). This is consistent with the exemption in subsection 7B(1).

Item 51 Paragraph 6(10)(a)

Item 51 will omit the reference to the Acts Interpretation Act in paragraph 6(10)(a) of the Privacy Act, which refers to de facto partners. This reference will no longer be necessary, because the amended Privacy Act will contain a definition of `de facto partner' which gives the term the meaning given by the Acts Interpretation Act (see Item 13).

Item 52 After section 6

Item 52 will amend the Privacy Act by inserting a definition of `responsible person' after section 6. This definition replaces the definition in NPP 2.5, which contains a list of persons who are responsible for an individual under NPP 2.4. Some minor revisions have been made for consistency with terminology in other Commonwealth legislation. NPP 2.4 provides that a health service may disclose health information about the individual to a person responsible for the individual in certain circumstances. NPP 2.4 has been replaced by new subsection 16B(5) (see Item 82).

Item 53 Section 6A (heading)

Item 53 will amend the heading to section 6A of the Privacy Act by referring to a breach of an APP instead of an NPP.

Items 54-59 Subsection 6A

Items 54-59 will amend various parts of section 6A of the Privacy Act by referring to the APPs instead of the NPPs.

Item 60 Subparagraphs 6C(4)(b)(ii) and (iii)

Item 60 will amend subparagraphs 6C(4)(b)(ii) and (iii) of the Privacy Act to remove the references to the transfer of information.
As a result of the changes in terminology from the NPPs to the APPs, reference to the `transfer' of information is unnecessary. NPP 9 deals with transborder data flows and uses the term `transfer'. However, APP 8, which deals with cross-border disclosure of personal information, uses the term `disclosure'. To ensure that subparagraphs 6C(4)(b)(ii) and (iii) of the Privacy Act accurately reflect matters regulated by the Privacy Act or under State and Territory privacy laws, it is necessary to omit reference to `transfer'.

Item 61 Subsection 6EA(1)

Item 61 will amend subsection 6EA(1) of the Privacy Act by removing the provision that section 16D does not apply to a small business operator if the small business operator chooses to be treated as an organisation and is registered under section 6EA. This provision will be removed because section 16D, which deals with the delayed application of the NPPs to organisations that carry on one or more small businesses, will also be repealed.

Item 62 Paragraph 6F(3)(b)

Item 62 will amend paragraph 6F(3)(b) of the Privacy Act by removing the reference to the transfer of information. This is being done for the same reason outlined in Item 60. To ensure that paragraph 6F(3)(b) of the Privacy Act accurately reflects matters regulated by the Privacy Act, it is necessary to omit reference to `transfer'.

Item 63 Paragraph 7(1)(a)

Item 63 will amend paragraph 7(1)(a) of the Privacy Act by removing the term `eligible case manager' (see Item 15).

Item 64 Paragraph 7(1)(cb)

Item 64 will repeal paragraph 7(1)(cb) of the Privacy Act, which deals with acts done by an `eligible case manager' (see Item 15).

Item 65 Paragraphs 7(1)(d) and (e)

Item 65 will amend paragraphs 7(1)(d) and (e) of the Privacy Act by removing the references to an `eligible case manager' (see Item 15).

Item 66 Paragraphs 7(1)(ea) and (eb)

Item 66 will repeal paragraphs 7(1)(ea) and (eb) of the Privacy Act, which deal with the affairs of an `eligible case manager' (see Item 15).

Item 67 Subsection 7(2)

Item 67 will amend subsection 7(2) of the Privacy Act by referring to the APPs instead of the IPPs and the NPPs.

Item 68 Subsection 7B(1) (note)

Item 68 will amend the note to subsection 7B(1) of the Privacy Act by replacing a reference to section 16E of the Privacy Act with a reference to the new section 16, which also addresses the application of the APPs to personal, family and household affairs. Section 16E is being repealed by Item 82.

Item 69 Subsections 7B(1) and (2) (notes)

Item 69 will amend the notes to subsections 7B(1) and (2) by referring to the APPs instead of the NPPs.

Items 70 and 71 Paragraph 8(2)(b) and subsection 8(2)

Items 70 and 71 will amend paragraph 8(2)(b) and subsection 8(2) of the Privacy Act by describing an agency as holding a record instead of being a record-keeper in relation to the record.
This amendment will make the provision more consistent with the terminology in the Privacy Act with the repeal of the IPPs and the new inclusion of the new APPs. Item 24 will insert a definition of `holds' into subsection 6(1) of the Privacy Act. The new definition states that, `an entity holds personal information if the entity has possession or control of a record that contains the personal information'. Therefore, it is necessary to amend paragraph 8(2)(b) and subsection 8(2) of the Privacy Act so that agency that was a record-keeper under the former IPPs in relation to a record, can simply be described as an agency holding a record. 64


Item 72 Section 9
Item 72 will repeal section 9 of the Privacy Act. Section 9 refers to `collectors' of personal information, which is a term used in the IPPs. It also deemed the act of collection by an employee of an agency, a staff member or special member of the Australian Federal Police, or certain unincorporated bodies assisting or connected with an agency, to be a collection by that agency in certain circumstances. This provision is now unnecessary with the repeal of the IPPs. Under section 8 of the Privacy Act, acts and practices of employees of these entities, including the collection of personal information, will still be treated as acts and practices of the entities themselves.

Item 73 Section 10 (heading)
Item 73 will amend the heading to section 10 of the Privacy Act by referring to agencies taken to hold a record rather than record-keepers. This amendment will make the heading consistent with Item 24, which will insert a definition of `holds' into subsection 6(1) of the Privacy Act. The new definition states that `an entity holds personal information if the entity has possession or control of a record that contains the personal information', so an agency that is a record-keeper in relation to a record can simply be described as holding the record. That definition will substantially capture the concept formerly included in section 10 of the Privacy Act relating to record-keepers under the IPPs.

Item 74 Subsections 10(1) to (3)
Item 74 will repeal subsections 10(1), (2) and (3) of the Privacy Act. These subsections establish which agencies are record-keepers for the purposes of the Privacy Act. However, the amended Privacy Act will no longer use the term `record-keeper' (see Item 73), so the subsections will not be necessary.

Item 75 Subsections 10(4) and (5)
Item 75 will amend subsections 10(4) and (5) of the Privacy Act by referring to agencies holding records rather than being `record-keepers' in relation to records. As with the amendments in Items 24 and 73, this amendment reflects the repeal of the `record-keeper' concept.

Item 76 Section 12
Item 76 will repeal section 12 of the Privacy Act. Section 12 will no longer be necessary because it provides that the IPPs apply to agencies in possession of personal information. The APPs, which will replace the IPPs, will not maintain the distinction between possession and control which forms the basis of section 12.

Item 77 Subsection 13B(1) (note)
Item 77 will amend the note to subsection 13B(1) of the Privacy Act by replacing the references to the NPPs with references to the APPs.

Item 78 Subsection 13B(1) (note)
Item 78 will amend the note to subsection 13B(1) of the Privacy Act by replacing the reference to NPP 2 with a reference to APP 6, which will deal with use and disclosure of personal information.


Item 79 Subsection 13B(1A) (note)
Item 79 will amend the note to subsection 13B(1A) of the Privacy Act by replacing the reference to the NPPs with a reference to the APPs.

Item 80 Subsection 13C(1) (note)
Item 80 will amend the note to subsection 13C(1) of the Privacy Act by replacing the references to the NPPs with references to the APPs.

Item 81 Subsection 13C(1) (note)
Item 81 will amend the note to subsection 13C(1) of the Privacy Act by replacing the reference to NPP 2 with a reference to APP 6, which will deal with use and disclosure of personal information.

Item 82 Divisions 2 and 3 of Part III
Item 82 will repeal Divisions 2 and 3 of Part III of the Privacy Act. These Divisions provide for the application of the IPPs, the NPPs and approved privacy codes. The IPPs and NPPs will be replaced by the APPs, and so these Divisions will no longer be necessary. A new Part IIIB will be inserted into the Privacy Act dealing with privacy codes.

Item 82 will insert new Divisions 2 and 3 of Part III into the Privacy Act. The new sections in these Divisions are outlined below.

Section 14 will direct the reader to the APPs in Schedule 1 of the Privacy Act, and provide that a reference in any Act to an APP by a number is a reference to the APP with that number.

Section 15 will provide that APP entities must not do an act, or engage in a practice, that breaches an APP. This requirement replaces the requirement relating to the IPPs and the NPPs in sections 16 and 16A, which are being repealed.

Section 16 will express the same policy as section 16E of the Privacy Act, namely that the APPs will not apply to any dealings with personal information by an individual if the dealing is only for the purposes of, or in connection with, his or her personal, family or household affairs.

Section 16A will create the concept of a `permitted general situation'. This will be a description of a situation that is permitted (ie, not a breach of privacy) in relation to the collection, use or disclosure of personal information by an APP entity in certain circumstances listed in a table. To come within the `permitted general situation' concept, the table outlines the particular entities, the type of information or identifier, and other specified conditions that need to be satisfied.

Prevention of serious threat to life, health or safety
Item 1 of the table in section 16A will enable an APP entity to collect, use or disclose personal information or a government related identifier in a permitted general situation without breaching the APPs. The first condition is that it is unreasonable and impracticable to obtain the individual's consent to the collection, use or disclosure. This implements the Government's response to ALRC Recommendation 25-3 to include an additional safeguard to balance the removal of the `imminent' element (for example, in IPP 10.1(b)). The ALRC believed that the `imminent' requirement set a disproportionately high bar to the use and disclosure of personal information.


For the purposes of this exception, whether it was `reasonable' to seek consent would include whether it is realistic or appropriate to seek consent. This might include whether it could be reasonably anticipated that the individual would withhold consent (such as where the individual has threatened to do something to create the serious risk). It would also likely be unreasonable to seek consent if there is an element of urgency that requires quick action. Whether the individual had, or could be expected to have, capacity to give consent would also be a factor in determining whether it was `reasonable' to seek consent.

Seeking consent would not be `practicable' in a range of contexts. These could include when the individual's location is unknown or they cannot be contacted. If seeking consent would impose a substantial burden then it may not be practicable. It may also not be practicable to seek consent if the use or disclosure relates to the personal information of a very large number of individuals.

In assessing whether it is `reasonable or practicable' to seek consent, agencies and organisations could also take into account the potential consequences and nature of the serious threat. This approach creates a presumption that agencies and organisations should consider seeking consent before using or disclosing personal information in the circumstances set out in the recommendation.

Secondly, the act or practice will be permitted where the collection, use or disclosure of personal information or a government related identifier is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.

Unlawful activity
Item 2 of the table in section 16A will enable an APP entity to collect, use or disclose personal information or a government related identifier in a permitted general situation without breaching the APPs. This will be where the APP entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity's functions or activities has been, is being or may be engaged in, and the entity reasonably believes that the collection, use or disclosure of personal information or a government related identifier is necessary in order for the entity to take appropriate action in relation to the matter. The provision, by specifying that the unlawful activity or serious misconduct must relate to the entity's functions or activities, intends that the exception will apply to an entity's internal investigations. Examples of `appropriate action' in this context may include collection, use or disclosure of personal information or a government related identifier for an internal investigation in relation to internal fraud or a breach of the Australian Public Service Code of Conduct.

Missing persons
Item 3 of the table in section 16A will enable an APP entity to collect, use or disclose personal information in a permitted general situation without breaching the APPs. This will be where the entity reasonably believes that the collection, use or disclosure of personal information is reasonably necessary to assist any APP entity, body or person to locate a person who has been reported as missing, and the collection, use or disclosure complies with rules made by the Information Commissioner under subsection (2). This amendment gives effect to the Government's response to ALRC Recommendation 25-2, where the Government decided that entities should be permitted to use or disclose personal information for the purpose of locating a reported missing person.


Matters which the Information Commissioner's rules should address include:
· that uses and disclosures should only be in response to requests from appropriate bodies with recognised authority for investigating reported missing persons;
· that, where reasonable and practicable, the individual's consent should be sought before using or disclosing their personal information;
· that, where it is either unreasonable or impracticable to obtain consent from the individual, any use or disclosure should not go against any known wishes of the individual;
· that disclosure of personal information should be limited to that which is necessary to offer `proof of life' or contact information; and
· that agencies and organisations should take reasonable steps to assess whether disclosure would pose a serious threat to any individual.

Consistent with the requirements of the Legislative Instruments Act 2003 (Legislative Instruments Act), the Information Commissioner should consult with relevant stakeholders in making these rules.

Legal or equitable claim
Item 4 of the table in section 16A will enable an APP entity to collect, use or disclose personal information where it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim. This is intended to replicate NPP 10.1(e), which provides a similar exception. An example of where this exception is intended to apply is where an individual has made a claim under their life insurance policy, the insurer is preparing to dispute the claim, and it needs to collect health or other sensitive information about the claimant and about witnesses in order to prepare its case.

Alternative dispute resolution
Item 5 of the table in section 16A will enable an APP entity to collect, use or disclose personal information where it is reasonably necessary for the purposes of a confidential alternative dispute resolution process. The confidentiality safeguard included in the provision will limit the scope of the alternative dispute resolution exception and so ensure an additional protection for personal information.

Diplomatic or consular functions
Item 6 of the table in section 16A will enable an agency to collect, use or disclose personal information where that agency believes that the collection, use or disclosure is necessary for its diplomatic or consular functions or activities. This is a new exception and is intended to clarify that such agencies can collect, use and disclose such information both within and outside Australia. Government officials from agencies such as the Department of Foreign Affairs and Trade (DFAT), who are based overseas, regularly collect personal information and disclose it to their home agencies in Australia as part of their diplomatic and consular functions. It would be impractical for DFAT and other agencies to seek the consent of foreign government officials and other individuals, about whom these agencies report to Australia, to collect their personal information and disclose it to the Australian Government.


Similarly, it is necessary for government officials based overseas to report to DFAT in Australia in discharging its consular responsibilities, especially in the event of an overseas crisis where overseas officials are expected to assist Australians.

Defence
Item 7 of the table in section 16A will enable the Defence Force to collect, use or disclose personal information where it reasonably believes that the collection, use or disclosure of that information is necessary for any of the following occurring outside Australia and the external Territories:
- war or warlike operations;
- peacekeeping or peace enforcement; and
- civil aid, humanitarian assistance, medical or civil emergency or disaster relief.

This is a new exception and is intended to clarify the circumstances where the collection of sensitive information may occur without consent outside Australia, and where personal information generally may be disclosed to an overseas recipient. The Defence Force undertakes a range of activities in other countries that involve the collection and disclosure of personal information (sometimes in remote and emergency situations), and it is important that there is certainty about its ability to undertake these activities without breaching the APPs.

Subsection 16A(2)
As noted above, the Information Commissioner may make rules under subsection 16A(2). This amendment gives effect to the Government's response to ALRC Recommendation 25-2, where the Government decided that such rules should be binding, and in the form of a legislative instrument.

Section 16B
As noted above, the existing health privacy and research provisions in the Privacy Act have been incorporated in these amendments. This is implemented through the operation of the APPs, new section 16B and the provisions dealing with guidelines for medical research, health and genetic information in sections 95, 95A and 95AA.

Section 16B will create the concept of a `permitted health situation'. This will be a description of a situation that is permitted (ie, not a breach of privacy) in relation to the collection, use or disclosure of certain health and genetic information by an organisation. This section is intended to reproduce the exceptions that applied under NPP 2.1(d), 2.1(ea), 2.4, and 10.2-10.3. APP 6.4 replaces NPP 10.4.

Subsection 16B(1) replaces NPP 10.2 and will continue to allow an organisation to collect health information if the information is necessary to provide a health service to the individual and the collection is required or authorised by or under an Australian law, or where it is collected in accordance with certain rules established by competent health or medical bodies.

Subsection 16B(2) replaces NPP 10.3 and will continue to allow an organisation to collect health information about an individual for the purpose of research or the compilation of statistics relevant to public health or safety, or for the management, funding or monitoring of a health service, provided the safeguards included in paragraphs 16B(2)(a), (b), (c) and (d) are satisfied. These safeguards replicate the existing safeguards in NPP 10.3. APP 6.4 replaces the requirement in NPP 10.4 for an organisation to de-identify health information collected in accordance with NPP 10.3.


Subsection 16B(3) replaces NPP 2.1(d) and will continue to allow an organisation to use or disclose health information for a secondary purpose if:
- the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety;
- it is impracticable for the organisation to obtain the individual's consent to the use or disclosure;
- the use or disclosure is conducted in accordance with guidelines issued by the Information Commissioner under section 95A; and
- in the case of disclosure, the organisation reasonably believes that the recipient of the information will not disclose the health information or personal information derived from the health information.

Subsection 16B(4) replaces NPP 2.1(ea) and will continue to allow an organisation to use and disclose genetic information about an individual to a genetic relative in circumstances where the genetic information may reveal a serious threat to a genetic relative's life, health or safety. Subsection 16B(4) does not include the reference in NPP 2.1(ea) to `whether or not the threat is imminent'. The words were initially included in the provision to make it clear that the limitation in other NPPs that a threat be both serious and imminent did not apply. This is no longer necessary as the corresponding APPs refer to serious threats rather than serious and imminent threats.

Subsection 16B(5) replaces NPP 2.4 and will continue to permit disclosure of an individual's health information by an organisation that provides a health service to a responsible person for the individual in certain circumstances. The definition of responsible person will now be included in section 6 (see Item 52).

Section 16C
Section 16C is a key part of the Privacy Act's new approach to dealing with cross-border data flows. In general terms, there are currently two internationally accepted approaches to dealing with cross-border data flows: the adequacy approach, adopted by the European Union in the Data Protection Directive of 1996, and the accountability approach, adopted by the APEC Privacy Framework in 2004. NPP 9 was expressly based on the adequacy approach of the EU Directive. Under the new reforms, APP 8 and section 16C will introduce an accountability approach more consistent with the APEC Privacy Framework. The accountability concept in the APEC Privacy Framework is, in turn, derived from the accountability principle of the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data of 1980. The OECD Guidelines did not define accountability, being content with a statement that `a data controller should be accountable for complying with measures which give effect to the principles' contained in the Guidelines.

As part of the new accountability approach, section 16C will provide that an APP entity will be taken to have breached the APPs if:
- the APP entity discloses personal information about an individual to an overseas recipient;
- APP 8.1 applies to that disclosure;
- the APPs do not apply under the Privacy Act to acts done, or practices engaged in, by the overseas recipient in relation to the information; and
- the overseas recipient does something that would be a breach of the APPs if the APPs had applied to those acts or practices.

The section complements APP 8, which contains key aspects of the accountability approach in the Privacy Act. Under APP 8.1, there is a positive requirement on entities to take reasonable steps, before any cross-border transfer occurs, to ensure that the recipient will protect the information consistently with the APPs. More information about the operation of APP 8 is included below.

Item 83 Section 37 (table items 6 and 7)
Item 83 will repeal table items 6 and 7 in section 37 of the Privacy Act, thereby removing the references to eligible case managers (see Item 15).

Item 84 Subsections 54(2) and 57(2) (definition of `agency')
Item 84 will amend subsections 54(2) and 57(2) of the Privacy Act by removing the reference to an `eligible case manager' (see Item 15).

Items 85 and 86 Paragraph 80H(2)(e) and subparagraph 80P(1)(c)(v)
Items 85 and 86 will amend paragraph 80H(2)(e) and subparagraph 80P(1)(c)(v) of the Privacy Act by using the term `responsible person' or `responsible persons' instead of `people who are responsible'. These amendments are required as a consequence of the inclusion of a definition of `responsible person', which will be inserted into the Privacy Act by Items 40 and 52 to replace NPP 2.5.

Item 87 Paragraph 80Q(1)(c)
Item 87 will replace a reference to a person responsible for the individual in paragraph 80Q(1)(c) of the Privacy Act with the term `responsible person' (see Items 85 and 86).

Guidelines for medical research, health and genetic information
As noted above, the existing health privacy and research provisions have been incorporated in these amendments.
There are some consequential amendments to the provisions dealing with guidelines for medical research, health and genetic information in sections 95, 95A and 95AA. These reflect the changes made by replacing references to the IPPs or NPPs with references to the APPs, to particular APPs or to new sections, or otherwise make those provisions consistent with the relevant new sections.

Item 88 Subsection 95(1)
Item 88 will amend subsection 95(1) of the Privacy Act by clarifying that section 95 applies to agencies and not organisations. This preserves the existing operation of this section.

Items 89 to 99
These Items make consequential amendments to sections 95, 95A and 95AA.

Item 100 Subsection 95B(1)
Item 100 will amend subsection 95B(1) of the Privacy Act by referring to the APPs instead of the IPPs.

Item 101 Section 95C
Item 101 will amend section 95C of the Privacy Act by referring to the APPs instead of the NPPs.


Item 102 Subsections 100(2) to (4)
Item 102 will repeal subsections 100(2), (3) and (4) of the Privacy Act and substitute two replacement subsections. These provisions enable the Governor-General to make regulations that prescribe a government related identifier, an organisation, a class of organisations, and circumstances for the purposes of APP 9.3. These changes are necessary because of the replacement of NPP 7 (identifiers) with APP 9 (adoption, use and disclosure of government related identifiers). Consistent with this change, the provisions will apply to `government related identifiers' rather than `identifiers'. As noted in Item 23, `government related identifiers' are specifically assigned by one of a range of specifically listed government-related bodies and used to identify an individual or verify an individual's identity.

The regulation-making power in subsection 100(2) will be based on the existing subsection 100(2) but will be different in two respects. First, it will be broadened to enable classes of organisations, as well as individual organisations, to be prescribed. This approach would still require that the Government clearly articulate the types of organisations that can interact with agency identifiers to provide services which are for the public benefit, and that a list of the organisations be publicly available; however, it would not require continual updates to regulations to take account of new organisations.

New subsection 100(2) will also extend to State and Territory authorities as well as Commonwealth agencies. That will mean the Minister, amongst other things, will need to be satisfied that a relevant agency or State or Territory authority (or the principal executive of such an agency or authority) has agreed to the matters to be prescribed, and has consulted the Information Commissioner about these matters.

New subsection 100(2) will also retain the requirement that the Minister is satisfied that the adoption, use or disclosure of the identifier by the organisation, or the class of organisations, in the circumstances can only be for the benefit of the individual to whom the identifier relates.

Under new subsection 100(3), the requirements in subsection 100(2) will not apply to regulations made in relation to certain uses or disclosures of Commonwealth payroll numbers and in the provision of superannuation services by an organisation to Commonwealth employees. That is, in making such regulations there does not have to be consultation with each individual agency affected. However, the Minister will still be required to consult with the Information Commissioner before making such regulations.

Item 103 Part X
Item 103 will repeal Part X of the Privacy Act, which contains consequential amendments.

Item 104 Schedules 1 and 3
Item 104 will repeal Schedules 1 and 3 of the Privacy Act, which respectively contain consequential amendments and the NPPs. The new Schedule 1 will contain the APPs.

Schedule 1--Australian Privacy Principles
Schedule 1 contains the 13 APPs, which are contained in five Parts. The five Parts are:

Part 1 sets out principles that require APP entities to consider the privacy of personal information, including ensuring that APP entities manage personal information in an open and transparent way.

Part 2 sets out principles that deal with the collection of personal information, including unsolicited personal information.

Part 3 sets out principles about how APP entities deal with personal information and government related identifiers. The Part includes principles about the use and disclosure of personal information and those identifiers.

Part 4 sets out principles about the integrity of personal information. The Part includes principles about the quality and security of personal information.

Part 5 sets out principles that deal with requests for access to, and the correction of, personal information.

Part 1--Consideration of personal information privacy

Australian Privacy Principle 1--open and transparent management of personal information
APP 1 requires APP entities to manage personal information in an open and transparent way. The inclusion of APP 1 will keep the Privacy Act up-to-date with international trends that promote a `privacy by design' approach, that is, ensuring that privacy and data protection compliance is included in the design of information systems from their inception.

APP 1 requires an APP entity to consider how it will handle personal information in compliance with the APPs or a registered APP code. Under APP 1.2 an APP entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the entity's functions and activities that will ensure compliance with the APPs or a registered APP code that binds the entity. These practices, procedures and systems must also enable the entity to deal with inquiries or complaints from individuals. The expression `such steps as are reasonable in the circumstances' is intended to be interpreted as being similar in meaning to the term `reasonable steps' used in the NPPs.
Specifically, the term requires an objective assessment, and the addition of the words `in the circumstances' is only intended to highlight that, when considering what are objectively reasonable steps, the specific circumstances of each case must be considered.

Policies and practices under APP 1.2 could include:
· training staff and communicating to staff information about the agency or organisation's policies and practices;
· establishing procedures to receive and respond to complaints and inquiries;
· developing information to explain the agency or organisation's policies and procedures; and
· establishing procedures to identify and manage privacy risks and compliance issues, including in designing and implementing systems or infrastructure for the collection and handling of personal information by the agency or organisation.

APP 1.3 will require entities to have a clearly expressed and up-to-date privacy policy about the management of personal information by the entity. An `up-to-date' privacy policy should be a privacy policy that is a `living document' and is reviewed regularly.

Under APP 1.4, these policies must contain certain information relating to the kinds of personal information collected and held; how such information is collected and held; the purposes for which the entity collects, holds, uses and discloses personal information; access and correction procedures; complaint-handling procedures; and information about any cross-border disclosure of personal information that might occur. Where agencies or organisations have particularly significant information handling practices, these should be included in their privacy policies by clearly setting out how they collect, hold, use and disclose personal information. For example, where agencies or organisations have specific information retention or destruction obligations, these should be described as a necessary part of how they handle personal information.

Under APP 1.5, APP entities must take such steps as are reasonable in the circumstances to make their privacy policies available to the public free of charge, and in such form as is appropriate. As noted at the foot of APP 1.5, an APP entity will usually make its privacy policies available on its website. The inclusion of this note implements recommendation 6 of the Senate Committee, which considered that the requirement for an entity to make its privacy policy available in `such form as is appropriate' should be further clarified.

Under APP 1.6, if a person or body requests a copy of the APP privacy policy of an APP entity in a particular form, the entity must take such steps as are reasonable in the circumstances to give the person or body a copy in that form. The inclusion of a `body' picks up a suggestion of the Senate Committee, which considered that the intent of the provision should be clarified so that entities other than individuals (for example, media organisations) are able to request a copy of the policy.

Australian Privacy Principle 2--anonymity and pseudonymity
APP 2 provides that individuals must have the option of dealing with an agency or organisation anonymously or through use of a pseudonym in relation to a particular matter. The principle emphasises that it is often not necessary for an entity to identify the individuals with whom it is dealing.
The privacy of individuals will be enhanced if their personal information is not collected unnecessarily.

An APP entity will not be required to comply with APP 2 where that entity is required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves. This is likely to be applicable in certain instances for agencies. For example, if individuals are required under an Australian law to identify themselves to an agency, then it will not be lawful or practical for the agency to deal with them anonymously or pseudonymously.

An APP entity will also not be required to comply with APP 2 where it is impracticable for the APP entity to deal with individuals who have not identified themselves (ie, where an individual seeks to remain anonymous or uses a pseudonym). For example, if a service delivery agency cannot deal with an individual without identification (for example, in collecting personal information for an application for a benefit), that agency would not be required to allow that individual the option of anonymity when dealing with them on that particular matter. A similar instance would be where a law enforcement agency is investigating a criminal offence and requires a person's identity to assist in that investigation. There may also be circumstances where the nature of a business and the service provided by an organisation is not compatible with providing the option to interact anonymously.

Australian Privacy Principle 3--collection of solicited personal information
APP 3 outlines the rules applying to the collection of personal information and sensitive information.


In terms of personal information other than sensitive information, there will be separate conditions for the collection of solicited personal information by agencies and organisations. This addresses concerns raised by the Senate Committee about whether organisations should be able to collect personal information in the same manner as agencies (ie where collection is `directly related to' one or more of the entity's functions and activities). The Senate Committee believed that this approach may lower privacy protections and did not support it. In relation to the requirement that an entity must not collect personal information unless it is reasonably necessary for the entity's functions or activities, this is intended to operate objectively and practically in the following manner. First, the information collected is reasonably necessary to pursue that function or activity. Whether the collection is reasonably necessary is to be assessed from the perspective of a reasonable person (not merely from the perspective of the collecting entity). An entity's functions or activities are only those functions or activities that are legitimate for that type of entity. . If an agency or organisation cannot, in practice, effectively pursue a legitimate function or activity without collecting personal information, then the collection of that personal information would be regarded as necessary for that legitimate function or activity. Where a reasonable person would not regard the function or activity in question as legitimate for that type of entity, the collection of personal information will not be `reasonably necessary' even if the entity cannot effectively pursue that function or activity without collecting the personal information. An agency or organisation should not collect personal information on the off-chance that it may become necessary for one of its functions or activities in the future, or that it may be merely helpful. 
The interpretation of the `reasonably necessary' test applies throughout the APPs and not just in relation to APP 3.

Under APP 3.1, an agency must not collect personal information unless the information is reasonably necessary for, or directly related to, one or more of the entity's functions or activities. The `directly related to' test ensures that there must be a clear connection between the collection of personal information and the agency's functions or activities. The `directly related to' test was contained in IPP 1, which applied to agencies. The test will be retained in APP 3 because there may be agencies that need to collect solicited personal information in order to carry out legitimate and defined functions or activities, but may not be able to meet the `reasonably necessary' test. While the `directly related to' test may, depending on the circumstances, be a slightly lower threshold, agencies are subject to a wider range of accountability mechanisms (for example, through the Ombudsman, Ministers and the Parliament) in relation to information that they handle.

Under APP 3.2, an organisation must not collect personal information unless the information is reasonably necessary for one or more of the organisation's functions or activities. As noted above, the inclusion of the `reasonably necessary' test for organisations implements the views of the Senate Committee.

APP 3.3 will provide for the collection of `sensitive information', which is a subset of personal information. The definition of sensitive information is in subsection 6(1) of the Privacy Act. As noted above, that definition now applies to agencies, and includes biometric information and biometric templates. The general rule is that sensitive information can only be collected by agencies or organisations where the collection meets the criteria outlined in APP 3.1 and APP 3.2 and where the individual has consented to the collection.


However, APP 3.4 will provide for exceptions to this general rule. These have been included to enable the collection of sensitive information without consent where it is in the public interest to do so when balanced with the interest in protecting an individual's privacy. These exceptions are outlined in detail below.

APP 3.4(a) Where required or authorised by or under Australian law or a court/tribunal order

This exception is intended to allow an APP entity to collect sensitive information without consent where it is required or authorised by or under Australian law or a court/tribunal order. An example of this involving sensitive information would be section 261AA of the Migration Act, which provides that a non-citizen in immigration detention must (other than in the prescribed circumstances) provide to an authorised officer one or more personal identifiers.

APP 3.4(b) Permitted general situations

See discussion about this exception at Item 82, section 16A.

APP 3.4(c) Permitted health situation

See discussion about this exception at Item 82, section 16B.

APP 3.4(d) Enforcement bodies

This exception is intended to allow an enforcement body (other than the Immigration Department) to collect sensitive information without consent where it reasonably believes that the collection is reasonably necessary for, or directly related to, one or more of the entity's functions or activities. The definition of `enforcement body' is in subsection 6(1) of the Privacy Act. Where the enforcement body is the Immigration Department, it will be able to collect sensitive information without consent where it reasonably believes that the collection is reasonably necessary for, or directly related to, one or more `enforcement related activities' conducted by that Department.
The first part of this exception is necessary to enable agencies with law enforcement functions and activities to be able to collect sensitive information without consent to perform their lawful and legitimate functions and activities. There is a strong public interest in enabling law enforcement agencies to enforce the criminal law. A major part of this important function is the ability to collect information about individuals. An additional safeguard is that these agencies are also subject to significant accountability and oversight arrangements over their activities.

The second part of this exception is necessary to enable the Immigration Department to collect sensitive information without consent to perform its lawful and legitimate enforcement related activities. This Department has a wide range of enforcement related activities such as detecting, preventing, investigating and prosecuting breaches of visa, immigration and citizenship law; preventing and reducing irregular migration, people smuggling and trafficking in persons; collecting information to assess the criminal history of applicants for Australian citizenship; and cooperating with other agencies, including information-sharing, for law enforcement and border security purposes, and the protection of the public revenue. However, the Immigration Department has a wider range of non-enforcement functions and activities than other enforcement bodies, and there is less justification for allowing those to come within the scope of this exception. Accordingly, the exception has been limited to where the Immigration Department reasonably believes that the collection is reasonably necessary for, or directly related to, one or more `enforcement related activities' conducted by that Department.

APP 3.4(e) Non-profit organisations

This exception is similar to NPP 10.1(d) and enables a non-profit organisation to collect sensitive information without consent if it relates to the activities of the organisation, and the information relates solely to the members of the organisation, or to individuals who have regular contact with the organisation in connection with its activities.

Means of collection

APP 3.5 provides that an APP entity must collect personal information only by lawful and fair means. This is based on NPP 1.2. It is an important safeguard to ensure that personal information can only be collected by lawful and fair means. The OAIC has interpreted `fair' to mean without intimidation or deception. The concept of fair would also extend to the obligation not to use means that are unreasonably intrusive.

APP 3.6 provides that an APP entity must collect personal information about an individual only from the individual. However, there are two exceptions to this general rule. First, an agency may collect from a third party where the individual has consented to that collection; or where it is authorised or required under Australian law, or a court/tribunal order. In the context of dealings with government agencies, the ability for an individual to consent would minimise the need for that individual to provide the same personal information to different agencies. This will assist in giving effect to the Government's `tell us once' service delivery reform policy. Secondly, an APP entity may collect from a third party where it is unreasonable or impractical to collect that personal information directly from the individual. This is a particularly important exception for agencies.
For example, a law enforcement agency may be investigating an individual for a criminal offence, but could prejudice that investigation by being forced to seek particular information directly from the individual. This exception will allow that long-standing type of activity to continue without breaching APP 3.

Solicited personal information

APP 3.7 provides that APP 3 applies to the collection of personal information that is solicited by an APP entity. As noted above, the concept of soliciting personal information refers to the situation where an entity requests another entity (which includes an individual) to provide the personal information, or to provide a kind of information in which that personal information is included. If an entity has not requested the personal information, but only received it from another entity (including where, for example, a law enforcement agency has asked another agency to examine the personal information), that will not be a solicited collection covered by APP 3. However, as noted below, where personal information is unsolicited, it will still be required to be handled in accordance with other relevant APPs, if it is not destroyed or de-identified.

Australian Privacy Principle 4--dealing with unsolicited personal information

APP 4 will ensure that personal information that is received by an entity is still afforded privacy protections, even where the entity has done nothing to solicit the information. Under APP 4.1, where unsolicited personal information is received by an APP entity, the entity must, within a reasonable period, determine whether it could have collected the information under APP 3 as if it had solicited the information. If it could have been collected, APPs 5 to 13 will apply to that information as if it had been solicited.


To enable the APP entity to determine whether it could have collected the information, APP 4.2 allows that entity to use or disclose the personal information for that limited purpose.

APP 4.3 provides that, if the APP entity could not have collected the information, and if the information is not contained in a Commonwealth record, the entity must take steps to destroy the information or ensure that it is no longer personal information (for example, by taking steps to remove any reference to the individual to whom the information relates). Information will no longer be personal information when it does not satisfy the definition of `personal information' in section 6 of the Privacy Act. The compliance burden entailed by APP 4 will be eased by the provision that the entity must destroy the personal information `as soon as practicable'. The reference in APP 4.3 to information `contained in a Commonwealth record' ensures that the requirements on agencies to retain such information under the Archives Act will override the APP 4 destruction or de-identification requirements.

APP 4.3 contains the important qualifier `only if it is lawful and reasonable to do so'. An example of where this would be applicable is where an APP entity has received unsolicited personal information from a law enforcement agency to assist that agency in its investigations. If the APP entity decides that it could not have collected the information, it would normally have to destroy it in accordance with APP 4.3. However, it would not be `lawful and reasonable' to destroy such information until the assistance that the entity has given to the law enforcement agency has ended.

Under APP 4.4, if the APP entity cannot destroy or de-identify the information under APP 4.3 (because the information is contained in a Commonwealth record or because it would not be lawful and reasonable to do so), it must still handle the personal information in accordance with APPs 5 to 13.
This will ensure that the information will be accorded the same privacy protections as any other personal information being held by the entity.

It is not the intention of APP 4 to prevent the practice of agencies forwarding incorrectly addressed correspondence. As noted in responses to the Senate Committee, the receipt of correspondence by Ministers, Members of Parliament and government departments and agencies would, in normal circumstances, be unsolicited. Under APP 4, these entities must, within a reasonable period after receiving the information, determine whether the unsolicited personal information could have been collected under APP 3 if the entity had solicited the information. It is clear that, in some circumstances, where considering and responding to concerns of members of the public, and referring them to appropriate recipients, are legitimate functions of the entity, the unsolicited information could have been collected under APP 3. Once an entity has determined that the personal information could have been collected under APP 3, it would be possible for the entity to use or disclose the information under APP 6. Under APP 6, disclosure to another Minister or government department would be permitted where the individual has consented to the use and disclosure. Consent may be implied if it may reasonably be inferred in the circumstances from the conduct of the individual. Disclosure would also be permitted under APP 6 where the disclosure is related to the primary purpose of collection (or directly related, if the information is sensitive information), and the disclosure is within the individual's reasonable expectations. As the individual has written with queries, views or representations on particular issues, it is within their reasonable expectation that their correspondence will be referred to the appropriate entity within parliament or government.


Australian Privacy Principle 5--notification of the collection of personal information

APP 5 sets out the obligation for an entity to ensure that an individual is aware of certain matters when it collects that individual's personal information. Generally, the individual must be made aware of how and why personal information is, or will be, collected and how the entity will deal with that personal information.

APP 5.1 creates the general requirement for an APP entity to provide notification. That must occur at or before the time or, if that is not practicable, as soon as practicable after the APP entity collects personal information about an individual. At that time (whichever is relevant), the APP entity must take such steps (if any) as are reasonable in the circumstances to notify the individual of such matters referred to in APP 5.2 as are reasonable in the circumstances or otherwise ensure that the individual is aware of any such matters. The phrase `reasonable in the circumstances' is an objective test that ensures that the specific circumstances of each case have to be considered when determining the reasonableness of the steps in question. This flexibility is necessary given the different types of APP entities and functions/activities that are to be regulated under the APPs. In many cases, it would be reasonable in the circumstances for an APP entity to provide the information outlined in APP 5.2. However, for agencies with particular functions and activities, this may not be the case. For example, it would not be reasonable in the circumstances for a law enforcement agency to notify an individual, who is under investigation for a criminal offence, particularly where that agency is undertaking covert surveillance, that information is being collected about them.

APP 5.2 lists specific matters of which the individual must be notified.
This is based on IPP 2 and NPP 1.3 and, coupled with APP 1, is intended to give the individual detailed and enhanced information about how their personal information is to be handled by an APP entity. This information includes contact details of the APP entity; whether information has been collected from a third party or under an Australian law or court/tribunal order (and details about that collection); the purpose of the collection; complaint-handling and access/correction information in the APP entity's privacy policy; disclosure information, including to overseas recipients; and the consequences of not collecting the information.

Part 3--Dealing with personal information

Australian Privacy Principle 6--use or disclosure of personal information

APP 6 sets out the circumstances in which entities may use or disclose personal information that has been collected or received. This APP is based on IPPs 10 and 11, and NPPs 2 and 10. As with those principles, it is implicit from the principle that entities may use or disclose personal information for the primary purpose for which the information was collected. This is outlined in general in APP 6.1, which creates the general prohibition on secondary disclosure. The provision allows for a situation where there is a general primary purpose (for example, assessing a person's suitability to enter Australia). How broadly the primary purpose can be described will need to be determined on a case-by-case basis and it will depend on the circumstances. The Government anticipates that the OAIC will develop specific guidance about the meaning of `primary purpose' in consultation with agencies and organisations.

Generally, personal information must only be used or disclosed for purposes other than the primary purpose, that is, for a secondary purpose, if the relevant individual has consented, or exceptions in APP 6.2 and 6.3 apply. These exceptions list a number of specific circumstances in which allowing secondary disclosure is in the public interest when balanced with the interest in protecting an individual's privacy. The exceptions will apply to sensitive information as well as to other personal information. In the particular case where the individual would reasonably expect the entity to use or disclose the information for the secondary purpose:

· for sensitive information, the use or disclosure must be directly related to the primary purpose;

· for personal information which is not sensitive information, the use or disclosure must be related to the primary purpose.

As with APP 3, there are a number of exceptions enabling the use or disclosure of personal and sensitive information where `required or authorised by or under Australian law or a court/tribunal order'; in permitted general situations (section 16A); in permitted health situations (section 16B); and where an `APP entity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body'. The final exception is aimed at enabling any APP entity to cooperate with an enforcement body where it may have personal information relevant to an enforcement related activity of that enforcement body.

APP 6.3 will provide that an agency will be allowed to disclose biometric information or templates if the recipient is an enforcement body and the disclosure is conducted in accordance with the guidelines made by the Commissioner. This approach recognises that non-law enforcement agencies have current, and will have future, legitimate reasons to disclose biometric information and templates to enforcement bodies.
A practical example of the effect of this option would be to enable, consistent with the Commissioner's guidelines, the automatic provision of biometric information and templates by a non-enforcement agency into a database operated by an enforcement body. This is currently a gap in the enforcement related activity exception in the Privacy Act that prevents this increasing activity from occurring. The privacy safeguard for this new proposal is that the activity in question would be subject to ongoing oversight by the Information Commissioner through guidelines; this recognises that there are likely to be continuing developments in the use of biometric information and templates, and ongoing questions about the appropriate use of this evolving technology.

APP 6.4 provides that, if an APP entity collects health information about an individual for certain research purposes under subsection 16B(2), that entity must take such steps as are reasonable in the circumstances to de-identify that information before it uses or discloses the information under APP 6.1 or 6.2. This reproduces the requirement in NPP 10.4.

APP 6.5 will provide that if an entity uses or discloses personal information because it is reasonably necessary for an enforcement related activity, the entity must make a written note of the use or disclosure. The requirement is based on NPP 2.2 and aims to ensure accountability for such disclosures, but will not be extended to other exceptions to the rule against use or disclosure for a secondary purpose because of the compliance burden it would impose on entities.

APP 6.6 will provide that if a corporation collects personal information and passes it on to a related corporation, the related corporation will be taken to have collected the personal information for the same primary purpose as the first corporation. This will ensure that, unless one of the exceptions listed in APP 6 applies, the related corporation will have to obtain the individual's consent before using or disclosing his or her personal information for a secondary purpose.

APP 6.7 provides that APP 6 will not apply to the use or disclosure of personal information for the purposes of direct marketing or to government related identifiers because these matters are dealt with elsewhere in the APPs.

Australian Privacy Principle 7--direct marketing

Direct marketing involves communicating directly with a consumer to promote the sale of goods and services to the consumer. The direct marketing communication could be delivered by a range of methods including mail, telephone, email or SMS. Direct marketers compile lists of consumers and their contact details from a wide variety of sources, including public records, the white pages, the electoral roll, registers of births, deaths and marriages and land title registers. They also include membership lists of business, professional and trade organisations, survey returns and mail order purchases.

Direct marketing is addressed separately within a discrete principle rather than as a kind of secondary purpose (see APP 6) because of the significant community interest about the use and disclosure of personal information for the purposes of direct marketing.

APP 7 will prohibit direct marketing by organisations. Agencies will generally be exempt from the prohibition as it would impact on their ability to communicate legitimate and important information to individuals. However, a note to APP 7.1 draws attention to section 7A of the Privacy Act, which provides that an act or practice of an agency may be treated as an act or practice of an organisation if the agency engages in commercial activities. This means that the prohibition against direct marketing will also apply to agencies engaging in commercial activities.

APP 7 contains a distinction between individuals, such as existing or previous customers, who have been in contact with an organisation, and those who have not.
However, the principle will not use terms such as `customer' or `non-customer'. Instead, it will capture the distinction by referring to individuals from whom an organisation has collected information and individuals from whom it has not. The intention is to apply more stringent obligations when using the personal information of individuals who are not existing customers, as the individual is less likely to expect their information to be used or disclosed for direct marketing purposes.

APPs 7.2 to 7.5 list exceptions to the rule against direct marketing. Under APP 7.2, an organisation may use or disclose personal information (other than sensitive information) for direct marketing if: the organisation collected the information from the individual; the individual would reasonably expect the organisation to use the information for direct marketing; the organisation has provided a simple means by which the individual can request not to receive direct marketing; and the individual has not availed him or herself of this means. This exception will reflect the policy of requiring organisations to allow consumers to opt out of direct marketing. An opt-out rather than opt-in requirement is appropriate where the individual has provided the information to the organisation. In the circumstances where the organisation has not obtained personal information from the individual, then opt-out still applies but there are additional requirements with respect to ensuring the individual is informed of their rights and how to exercise these rights.

Under APP 7.3, in cases where the individual would not reasonably expect his or her personal information to be used for direct marketing or the information has been collected from a third party (so that, again, the individual would not reasonably expect to receive direct marketing from the organisation), the exception to the rule against direct marketing will be narrower. Under this provision, an organisation may use or disclose that information for direct marketing only if: the individual has consented (or it is impracticable to obtain consent); the organisation has provided the means to opt out and the individual has not opted out; and in each direct marketing communication the organisation must tell the individual that he or she may request to no longer receive direct marketing and no request is made.

Under APP 7.4, where an individual has provided sensitive information to an organisation, it will be necessary for the organisation to obtain the individual's consent before using that information for direct marketing purposes. There will be no provision that consent need not be obtained if doing so is impossible or impracticable, and it will not matter whether or not the individual and organisation have a pre-existing relationship.

Under APP 7.5, a contracted service provider for a Commonwealth contract may use or disclose personal information for the purposes of direct marketing if doing so meets an obligation under the contract. This provision will extend the general exemption of agencies from the rule against direct marketing to parties working for or on behalf of an agency.

APP 7.6 will provide that individuals may ask organisations who hold their personal information to stop sending direct marketing or to not disclose their personal information to other organisations for the purposes of direct marketing. They may also ask organisations to disclose their source of the information. Organisations must comply with such requests free of charge within a reasonable period. They need not comply with requests to disclose the source of information if it is impracticable or unreasonable to do so.
The `reasonable period' provisions will ease the compliance burden on organisations.

APP 7.6 applies to organisations that either use or disclose personal information for the purposes of direct marketing, or for the purpose of facilitating direct marketing by other organisations. APP 7.6(b) will capture organisations that collect personal information for the purpose of providing that information to another organisation to facilitate direct marketing by that other organisation. For example, this will include a situation where a company has personal information that it provides to a retailer, and the retailer then uses that personal information for the purpose of directly marketing its products. However, it is not intended that APP 7.6(b) will apply to organisations such as mailing houses that are utilised by a first organisation simply to send out direct marketing material for those companies. If those types of service providers are APP entities, their handling of personal information would be subject to the APPs. This is distinct from the situation where an entity carries out direct marketing on behalf of the first organisation by, for example, actually conducting the door to door direct marketing on behalf of the first organisation.

APP 7.8 will provide that instruments such as the Spam Act 2003, which contain specific provisions regarding direct marketing, will displace the more general provisions under the principle. Thus APP 7 will be displaced where another Act specifically provides for a particular type of direct marketing or direct marketing by a particular technology, but will apply to organisations involved in direct marketing relating to electronic messages and other acts and practices not covered by such instruments.
Australian Privacy Principle 8--cross-border disclosure of personal information

APP 8 sets out a requirement for an APP entity that chooses to disclose personal information to overseas recipients to take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs. Along with section 16C, this APP implements the new accountability approach to cross-border disclosure of personal information. This is reinforced in the note at the foot of APP 8.1, which refers to section 16C (which will provide that in certain circumstances, an act done, or a practice engaged in, by an overseas recipient can be taken to be a breach of the APPs by the entity which disclosed the personal information to the overseas recipient).

The principle will aim to permit cross-border disclosure of personal information and ensure that any personal information disclosed is still treated in accordance with the Privacy Act. This is a change from NPP 9, which prohibits cross-border disclosure, subject to some exceptions. The principle will apply to agencies as well as organisations, which is also a significant difference from the existing Act.

Although APP 8 explicitly adopts the term `disclosure' rather than `transfer', APP 8 (and related provisions) would not apply to the overseas movement of personal information if that movement is an internal use by the entity, rather than a disclosure. APP 8 will apply where an organisation sends personal information to a `related body corporate' located outside Australia. It is not intended to apply where personal information is routed through servers that may be outside Australia. However, entities will need to take a risk management approach to ensure that personal information routed overseas is not accessed by third parties. If the information is accessed by third parties, this will be a disclosure subject to APP 8 (among other principles).

In terms of the reach of APP 8, the chain of accountability for APP entities would not be broken simply because the overseas entity engaged a subcontractor.
For example, the requirements of APP 8 will still apply where an organisation contracts a function to an overseas entity (thereby making a cross border disclosure), and that overseas entity then engages a subcontractor. In practice, the concept of taking `such steps as are reasonable in the circumstances' will normally require an entity to enter into a contractual relationship with the overseas recipient.

The general requirement to take reasonable steps to ensure compliance will be qualified by a number of exceptions:

· When the entity has a reasonable belief that the overseas recipient is subject to legal or binding obligations to protect information in at least a substantially similar way to the protection provided by the APPs, the requirement will not apply. For this exception to apply, there must be accessible mechanisms which allow the individual to enforce those protection obligations. The `reasonable belief' test will allow entities to make decisions based on the information available to them and the context of a particular disclosure. The term `substantially similar' will not be defined, and provides flexibility in considering the regulatory elements of the overseas jurisdiction. The term `at least' will be used to ensure that stricter obligations than the APPs will still be compliant. It is not essential that the overseas jurisdiction have an office equivalent to the OAIC in order to provide accessible enforcement mechanisms. It should be possible for a range of dispute resolution or complaint handling models to satisfy this requirement. Effective enforcement mechanisms may be expressly included in a law or binding scheme or may take effect through the operation of cross-border enforcement arrangements between the OAIC and an appropriate regulatory authority in the foreign jurisdiction.

· The requirement will not apply when an individual consents to the cross-border disclosure, after the entity informs the individual that the consequence of giving their consent is that the requirement in APP 8.1 will not apply. To reduce the compliance burden, this exception should not mean that consent is required before every proposed cross-border disclosure. Rather, it will apply where an individual has the explicit option of not consenting to certain disclosures which may include cross-border disclosures. In addition, an APP entity is required to give individuals notification about other entities to which the APP entity usually discloses personal information of the kind collected by the entity (APP 5.2(f)), and whether the APP entity is likely to disclose the personal information to overseas recipients (APP 5.2(i)).

· When the disclosure is required or authorised by or under law, the requirement will not apply.

· When some (but not all) permitted general situations exist (see Item 82), the requirement will not apply.

· When the disclosure is required or authorised by or under an international agreement relating to information sharing, the requirement will not apply if the entity is an agency and Australia is a party to the agreement. This is intended to include all forms of information-sharing agreements made between an Australian and an international counterpart (for example, treaties, exchange of letters).

· When the entity is an agency, the requirement will not apply if the agency reasonably believes that the disclosure is reasonably necessary for enforcement related activities by, or on behalf of, an enforcement body and the overseas recipient's functions or powers are similar to those of an enforcement body. This is intended to enable an enforcement body to cooperate with international counterparts for enforcement related activities.
Australian Privacy Principle 9--adoption, use or disclosure of government related identifiers

The amended Act will include a definition of `government related identifier' (see Item 23). Since government related identifiers are generally highly reliable for verification and identification of individuals, their use and disclosure will be addressed by more specific rules than the general `use and disclosure' principle in APP 6. APP 9 will regulate the adoption, use or disclosure of government related identifiers by organisations. The principle will aim to restrict general use of government related identifiers by the private sector so that government related identifiers do not become universal identifiers, as well as to prevent data-matching by organisations facilitated by the use and disclosure of those identifiers.

The principle will prohibit an organisation from adopting a government related identifier to identify an individual unless that adoption is required or authorised by or under law or allowed under the regulations. The principle will also prohibit an organisation from using or disclosing a government related identifier unless that use or disclosure falls within one of a list of specified exceptions. APP 9.2 will provide for exceptions relating to use or disclosure:

· where it is reasonably necessary to verify the identity of an individual for an organisation's activities or functions;
· where it is reasonably necessary to fulfil an organisation's obligations to an agency or State or Territory authority;
· where it is required or authorised by or under an Australian law, or a court/tribunal order;
· where some (but not all) permitted general situations exist (see Item 82);
· where an organisation reasonably believes it is reasonably necessary for enforcement related activities by, or on behalf of, an enforcement body; and
· where it is allowed under the regulations.

These exceptions will recognise that, balanced against the aims of the principle discussed above, there may be circumstances where use or disclosure of a government related identifier by an organisation may be necessary for public purposes or present a clear benefit to the individual. An example is to allow contracted service providers to use or disclose a government related identifier if necessary for the performance of a Commonwealth contract. The use of `reasonably necessary' in a number of the exceptions will ensure that an objective test is applied.

The principle will allow for regulations to prescribe classes of organisations which may fall within the exception to the general prohibition on adoption, use and disclosure of government related identifiers. Allowing the regulations to prescribe classes of organisations is intended to reduce delays which may be caused by the requirement in the NPPs that individual organisations be prescribed. It will also reduce the need for continual updates to regulations, while still requiring clear articulation of the types of organisations that can interact with government related identifiers.
Part 4--Integrity of personal information

Australian Privacy Principle 10--quality of personal information

APP 10 sets out the obligation for an APP entity to take such steps (if any) as are reasonable in the circumstances to ensure that the personal information it collects, uses and discloses meets certain quality requirements. APP 10 is intended to ensure that personal information is accurate, up-to-date and complete. In relation to use and disclosure, the personal information should also be relevant and of a quality appropriate to the purposes of that use or disclosure. This will require entities to assess the relevance of personal information against the particular reason for its use or disclosure and only share so much of the personal information they hold as is relevant to that purpose. The quality assessment of personal information should occur at the time of collection, at the time of use and at the time of disclosure.

The requirements in APP 10.1 and 10.2 to `take such steps (if any) as are reasonable in the circumstances' will raise particular issues for information that might be out-of-date. For agencies, out-of-date information may become relevant for future activities (for example, prosecution of an individual for a criminal offence). In these circumstances, it may not be reasonable to update information if it may, in its preserved form, continue to be relevant into the future for a legitimate function or activity of the APP entity.

Australian Privacy Principle 11--security of personal information

APP 11 sets out an APP entity's obligations relating to the protection and destruction of personal information it holds. The principle will require an entity to take such steps as are reasonable in the circumstances to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. This should involve active measures by an entity to ensure the security of personal information.

The inclusion of `interference' in APP 11 is intended to recognise that attacks on personal information may not be limited to misuse or loss, but may also interfere with the information in a way that does not amount to a modification of the content of the information (such as attacks on computer systems). This element may require additional measures to be taken to protect against computer attacks and other interferences of this nature, but the requirement is conditional on steps being `reasonable in the circumstances'. Practical measures by entities to protect against interference of this nature are becoming more commonplace. The use of the term `interference', which focuses on the result of the activity rather than the means used to achieve that result, ensures that the technologically neutral approach to the APPs is retained.

If an entity no longer needs personal information for any purpose for which it may be used or disclosed under the APPs, and if the information is not contained in a Commonwealth record or legally required to be retained by the entity, the principle will require that the entity destroy the information or ensure that it no longer meets the Privacy Act's amended definition of `personal information'. This would require the entity to permanently remove from a record any information by which an individual may be identified, in order to prevent future re-identification from available data. Destruction should be proportional to the form of the record.

The principle will be flexible, in that the circumstances of each entity will determine when any personal information it holds is no longer necessary for any permitted purpose. The principle will in effect impose an obligation on entities to justify their retention of personal information.

Part 5--Access to, and correction of, personal information

Australian Privacy Principle 12--access to personal information

APP 12 provides that individuals must be granted access to personal information held about them by an APP entity upon request by the individual, subject to specific exceptions. The principle will create separate exceptions for access to personal information held by agencies and organisations. This will reflect the responsibilities that agencies have under other Commonwealth legislation in relation to access to information, such as the Freedom of Information Act 1982 (FOI Act). The right to access an individual's personal information held by an agency was also included in IPP 6. However, the FOI Act was treated as the principal avenue by which individuals were encouraged to seek access to their personal information. It is intended that the FOI Act should continue to be the primary legislative vehicle by which individuals can seek access to their personal information where it is contained in documents held by agencies. The ALRC's recommendations which relate to including an enforceable right of access to, and correction of, an individual's own personal information in the Privacy Act (rather than maintaining the right through the FOI Act) will be considered at a later date.


In relation to organisations, APP 12.3 will create a number of exceptions which largely replicate NPP 6.1. The principle will combine the two `serious threat' exceptions to remove the requirement that a threat be `imminent', creating consistency with other sections of the Privacy Act (see Item 82). The other exceptions relate to where:

· access would have an unreasonable impact on the privacy of other individuals;
· the request is frivolous or vexatious;
· the information relates to existing or anticipated legal proceedings between the entity and the individual, and would not be accessible by the process of discovery in those proceedings;
· giving access would reveal the intentions of the entity in relation to negotiations with the individual in such a way as to prejudice those negotiations. This is intended to operate in the same way as current NPP 6.1(f). An entity would not have to provide access to an individual's information if it would show the organisation's intentions and would prejudice or interfere in a negative way with the organisation's negotiations with the individual (including where the negotiations are yet to commence but are reasonably anticipated);
· giving access would be unlawful, or denying access is required or authorised by or under an Australian law or a court/tribunal order;
· the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity's functions or activities has been, or is being or may be engaged in, and giving access would be likely to prejudice the taking of appropriate action in relation to the matter;
· access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
· access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision-making process.

If an APP entity refuses to give an individual access to their personal information due to one of the exceptions, or in the manner requested, APP 12.5 will require the entity to take such steps (if any) as are reasonable in the circumstances to give access in a way that meets the needs of the individual and the entity. This will ensure that entities work with individuals to try to satisfy their request.

Under APP 12.4, there are requirements for responding to the request within a certain timeframe and giving access to the information in the manner requested, if reasonable and practicable to do so. Organisations must respond to a request for access to personal information within a reasonable period after the request is made. It is intended that a `reasonable period' under APP 12.4 relating to more complicated requests will not usually exceed 30 days.

The principle will provide for the possibility of alternative access through the use of a mutually agreed intermediary. This will reflect a strengthening of the obligation under NPP 6.3 to `consider' the use of a mutually agreed intermediary.

Under APP 12.8, an organisation that charges an individual for providing access to the individual's personal information must ensure that the charges are not excessive and must not apply to the making of the request. An excessive charge would include recouping costs above the actual amount incurred by the organisation.

If an APP entity refuses access to an individual's personal information due to one of the exceptions, or in the manner requested, APP 12.9 will also require the entity to give written reasons for the refusal. Written reasons will not be required, though, to the extent that it would be unreasonable with regard to the grounds for the refusal. APP 12.10 provides that, if an APP entity refuses to give access to the personal information because of paragraph 12.3(j), the reasons for the refusal may include an explanation for the commercially sensitive decision. APP 12.10 will operate in the same manner as the repealed NPP 6.2, which enabled an organisation to provide an explanation for a commercially sensitive decision rather than direct access to the information.

Australian Privacy Principle 13--correction of personal information

APP 13 will set out the obligation for an entity to take reasonable steps to correct the personal information it holds about an individual if it is satisfied that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading, with regard to the purpose for which it is held, or upon request by the individual. This obligation may include making appropriate deletions or additions. The principle is not intended to create a broad obligation on entities to maintain the correctness of personal information they hold at all times. The principle will interact with APP 10, such that when the quality of personal information is assessed at the time of use or disclosure, an entity may need to correct the information before use or disclosure if the entity is satisfied that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
If personal information is held for a range of purposes, and it is considered incorrect with regard to one of those purposes, the obligation to take reasonable steps to correct the information should apply. The principle will remove the requirement in NPP 6.5 for an individual to `establish' that personal information is incorrect before correction is required.

If an entity corrects the personal information of an individual, APP 13 will require it to take reasonable steps to notify any other entity to which it had previously disclosed the information, if that notification is requested by the individual. The compliance burden will be reduced by the proviso that notification is not required if it would be impracticable or unlawful.

If an entity refuses to correct personal information in response to an individual's request, the principle will provide a mechanism for individuals to request that a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading be associated with the information. The entity must take reasonable steps to associate the statement so that it is apparent to users of the personal information. This will ensure that individuals retain a degree of control over how their personal information is handled. The statement should address matters relevant to the information being inaccurate, out-of-date, incomplete, irrelevant or misleading, and should not be unreasonably lengthy. The appropriate content and length of any statement will depend on the circumstances of the case.

Under APP 13.5, there are requirements for responding to requests under APP 13 within a certain time frame. Organisations must respond to such requests within a reasonable period after the request is made. It is intended that a `reasonable period' under APP 13.5 relating to more complicated requests will not usually exceed 30 days.

The ALRC's recommendations relating to including an enforceable right of access to, and correction of, an individual's own personal information in the Privacy Act (rather than maintaining the right through the FOI Act) will be considered at a later date.


Schedule 2 - Credit Reporting

Introduction

Outline of this schedule

This schedule amends the provisions that deal with credit reporting in the Privacy Act. Various definitions are replaced and additional definitions inserted to deal with new terms, and Part IIIA is replaced with a new Part IIIA. The new provisions provide clear rules for participants in the credit reporting system by identifying the flows of personal information in the system and ensuring that regulation is consistent with the APPs. However, the credit reporting provisions differ from the APPs by providing different or more specific regulation in relation to certain personal information in the credit reporting system.

Related amendments to insert new provisions dealing with APP codes and the CR code (which replaces the previous credit reporting code of conduct) are dealt with in schedule 3. Amendments to the powers and functions of the Commissioner in relation to credit reporting are dealt with in schedule 4. The amendments in schedule 1 to insert the APPs are also relevant.

In general terms, the order and structure of the credit reporting provisions reflect the order and structure of the APPs and the understanding of the personal information life cycle captured by the APPs. More specifically, where relevant the credit reporting provisions are directly modelled on the APPs, but modified as necessary to deal with the particular regulatory requirements of the credit reporting system.

There is also the issue of the relationship between the regulation of personal information by the APPs and the regulation of certain kinds of personal information by the credit reporting system. The credit reporting provisions that deal with credit reporting bodies completely replace the APPs in relation to the defined kinds of personal information in the credit reporting system.
Credit providers that are also APP entities will be subject to both the credit reporting provisions as well as to some APPs in some circumstances in relation to the kinds of personal information in the credit reporting system. The relationship between the credit reporting provisions and the APPs is fully addressed in the provisions and is discussed further below.

Objective of the credit reporting system

The purpose of the credit reporting system is to balance an individual's interests in protecting their personal information with the need to ensure sufficient personal information is available to assist a credit provider to determine an individual's eligibility for credit following an application for credit by an individual. The credit reporting system provides an aid to credit providers in managing the risks of providing consumer credit to individuals. Only limited and defined kinds of credit related personal information (described further below) are permitted in the credit reporting system.

The credit reporting system in Australia has been a `negative' reporting system. The main kinds of personal information permitted in the system were information about a credit provider having sought a credit report in relation to an applicant for credit, the amount of credit sought in the application, the individual's current credit providers (if any), and information about any credit defaults (a term that was specifically defined). The new provisions move to a `more comprehensive' credit reporting system. This means a limited number of additional categories of credit related personal information are permitted in the credit reporting system, as set out below. The provisions do not establish a `positive' credit reporting system. That is, the credit reporting system does not provide every piece of credit related personal information about an individual.
Moving to a more comprehensive credit reporting system balances the privacy interests of the individual while providing sufficient information for credit providers to make an assessment of credit risk when considering an individual's eligibility for credit. The credit reporting provisions do not regulate the way in which credit related personal information about an individual is used by credit providers to assess the risk of providing credit to an individual. This is a decision for each credit provider to make in the circumstances of each case in the context of the commercial practice of the credit provider.

Credit providers supply certain credit related personal information into the credit reporting system by disclosing it to credit reporting bodies. Credit reporting bodies collect and handle the information supplied by credit providers to create a database of permitted credit related personal information about an individual. The credit related personal information in the credit reporting system may be disclosed to other credit providers in defined circumstances.

The credit reporting provisions place obligations on all participants in the credit reporting system. It is not mandatory for credit providers to participate in the credit reporting system, but if a credit provider chooses to participate they must comply with the credit reporting provisions as set out in the legislation and supported by regulations and the registered CR code.

The credit reporting provisions do not deal with commercial arrangements that may be put into place between credit reporting bodies and credit providers. Matters of industry practice can be addressed by contractual arrangements or additional industry agreements that sit alongside the CR code. Industry agreements that may impact on competition in the credit reporting market would need to be considered by the Australian Competition and Consumer Commission.
An Australian credit reporting system

The credit reporting system is restricted to information about consumer credit in Australia, and access to the credit reporting system is only available to credit providers in Australia. The credit reporting system will not contain foreign credit information or information from foreign credit providers (even if they have provided credit to an individual who is in Australia), nor will information from the credit reporting system be available to foreign credit reporting bodies or foreign credit providers.

One option considered to give effect to this policy was a number of general provisions stating these limitations. However, it was considered that a simpler, clearer and more effective approach was to ensure appropriate limitations were in place in relation to each relevant provision dealing with the collection, use and disclosure of information by credit reporting bodies and credit providers in Part IIIA. The key provisions are as follows.

Clause 21D sets out a general prohibition on the disclosure of credit information by a credit provider to a credit reporting body (whether or not the body carries on business in Australia). This is followed by a permission to disclose credit information to a credit reporting body that has an Australian link. However, the provision specifies that the credit information that is disclosed must relate to credit that is or has been provided, or applied for, in Australia.

Clause 20F, which sets out a table listing the permitted CRB disclosures that can be made, provides that (once the credit reporting body has collected this credit information) the credit reporting body can only disclose the credit information to a specified entity that also has an Australian link. Around these key provisions there are other provisions that contain appropriate limitations to ensure that relevant entities have an Australian link.
In this context, and consistent with the understanding of APP 8 on cross-border disclosures of personal information, online applications for credit submitted by an individual physically in Australia should be regarded as having been collected in Australia by the credit provider. Where the online application is made to a foreign entity, the foreign entity will not have an Australian link and a credit reporting body will not be permitted to disclose credit reporting information to that foreign entity.

The concept of an Australian link is used in the APPs and is a term that is further defined in section 5B of the Act (as amended by schedule 4). It is understood that in the context of using this term in the credit reporting provisions, an entity with an Australian link should already have an appropriate link to Australia in place prior to any disclosure to that entity. The act of disclosure should not be what provides the entity with an Australian link.

Consideration will be given to the sharing of credit reporting information with New Zealand, which has a very similar credit reporting system and close economic ties with Australia. When this occurs, it will be necessary to develop specific legislative provisions to amend the credit reporting system set out in Part IIIA to establish the arrangements by which credit reporting information will be shared with New Zealand.

Main reforms to the credit reporting provisions

The credit reporting provisions have been completely revised, consistent with the intention to ensure greater logical consistency, simplicity and clarity throughout the Privacy Act.
In addition to revisions to the credit reporting provisions, the major reforms of the credit reporting system are:

· Introducing more comprehensive credit reporting to provide additional information about an individual's ongoing credit arrangements:
o Date credit account opened and date account closed (if any)
o Type of credit
o Maximum credit limit
o Repayment history over the previous two years. This category of information is only available to credit providers who are subject to responsible lending obligations under the National Consumer Credit Protection Act 2009 (National Consumer Credit Protection Act); however, there is an exception to this requirement for mortgage insurers, to allow them to obtain the information from those credit providers to whom they provide mortgage insurance
· Reforming obligations relating to the retention of different categories of personal information
· Introducing specific rules to deal with pre-screening of credit offers and the freezing of access to an individual's personal information in cases of suspected identity theft or fraud
· Providing additional consumer protections by enhancing obligations and processes dealing with notification, data quality, access and correction, and complaints; and
· Reforming the regulation of credit reporting to more accurately reflect the information flows within the system and the general obligations set out in the APPs.

The credit reporting provisions will be supported by regulations and the registered CR code, which will deal with detailed and practical matters. In particular, the regulations and registered CR code will provide details on the information that can be collected as part of the new sets of information. The registered CR code will bind all credit reporting bodies. As it is expected that the registered CR code will deal with certain matters as noted in the credit reporting provisions, it will also bind credit providers and other third parties who receive information from credit providers (such as the `affected information recipients' dealt with in Division 4 of Part IIIA).

Participants in the credit reporting system

The credit reporting provisions apply to three main categories of participants: credit reporting bodies (formerly known as credit reporting agencies); credit providers; and affected information recipients, who are other third parties who receive the information from credit providers. The terms credit reporting bodies and credit providers are defined and have specific meanings. In general, a credit reporting body is a repository of the prescribed categories of personal information and does not have a direct relationship with the individuals to whom the information relates (however, a range of subsequent obligations, for example in relation to notification, access and correction, and complaints handling, will put a credit reporting body into direct contact with individuals). In general terms, a credit provider has a direct relationship with an individual through providing, or considering an application for the provision of, consumer credit (and, where permitted, commercial credit) to the individual.

The provisions dealing with each type of participant are grouped together, so that:

· Credit reporting bodies are dealt with in Division 2
· Credit providers are dealt with in Division 3; and
· Other recipients, known as affected information recipients (mortgage and trade insurers, related bodies corporate, credit managers, and advisors), are dealt with in Division 4.

A credit provider is permitted to disclose certain information to another credit provider in certain circumstances.
It is recognised that this sharing of information is necessary to support the credit reporting system, and sharing information in these circumstances does not make the credit provider subject to the obligations of a credit reporting body.

Categories of personal information in the credit reporting system

The credit reporting system only contains certain narrowly defined categories of credit related personal information. A number of general terms are used to refer to these categories of personal information. It is necessary to use a number of terms that incorporate and build upon other terms because it is essential to accurately describe the actual information flows in the credit reporting system. Generally, credit reporting bodies and credit providers that receive information out of the system use the information to determine some sort of credit score or rating of the credit risk of the individual, which they add to the information. Because credit reporting bodies and credit providers may use personal information in the credit reporting system to derive and add new personal information to the system, it is important to accurately describe this process through the use of specific and defined terms. The key terms are: credit information; credit reporting information; credit eligibility information; and regulated information. These terms are discussed further, below.

Information flows into and out of the credit reporting system

There are two sides to the credit reporting system: the input side, by which credit providers put information into the system by disclosing the defined categories of personal information to credit reporting bodies; and the output side, by which credit reporting bodies disclose certain personal information to credit providers, where this is consistent with the permitted disclosures. While in this context it is useful to talk about information flows to understand how the credit reporting system operates, all information flows are in fact comprised of a series of disclosures and collections of personal information, all of which are regulated by the credit reporting provisions.

In general terms, there will be a regular flow (disclosure) of information into the credit reporting system from credit providers to credit reporting bodies, as personal information about, for example, repayment history may be provided on a monthly basis. However, there is no automatic or continuous flow (disclosure) of information from credit reporting bodies to credit providers - information can only be disclosed in prescribed circumstances. Generally, information only comes out of the system following requests from credit providers to credit reporting bodies for disclosure for specified purposes (or where disclosures are permitted to certain recipients for certain purposes by operation of the provisions, such as to an affected information recipient, or where disclosure is permitted by operation of an exception, such as where a disclosure is required or authorised by or under an Australian law or court or tribunal order).

Diagram 1, below, provides a simplified illustration of the significant information flows in the credit reporting system. The key features of diagram 1 are as follows:

· The central circular relationship is between credit reporting bodies and credit providers.
o Credit providers disclose `credit information' to credit reporting bodies, which are the repositories of personal information in the credit reporting system.
o Credit reporting bodies disclose `credit reporting information' to credit providers.
· Credit reporting bodies may also disclose credit reporting information to:
o `mortgage insurers'
o `trade insurers'
o `securitisation entities'
o in addition (and not included in the diagram for simplicity), credit reporting bodies may make a disclosure to another credit reporting body, a `recognised external dispute resolution scheme' or an `enforcement body', as well as a disclosure that is required or authorised by or under an Australian law or court or tribunal order, or by regulations.
· Credit providers can disclose `credit eligibility information' to:
o other credit providers
o `affected information recipients'
o in addition (and not included in the diagram for simplicity), credit providers can make a disclosure to a `recognised external dispute resolution scheme', a `guarantor', a `debt collector', a mortgage credit assistance scheme or an `enforcement body', as well as a disclosure that is required or authorised by or under an Australian law or court or tribunal order, or by regulations.

The use and disclosure of the types of personal information in diagram 1 are regulated, and are subject to conditions set out in the credit reporting provisions.


Diagram 1 - information flows in the credit reporting system

The credit reporting provisions provide different requirements for the participants based on whether they are taking part in the input side or the output side of the credit reporting system. This means that the rules for credit providers putting credit information into the credit reporting system are different to the rules that apply when they obtain credit reporting information from the credit reporting system. Credit providers have a dual role - they provide the credit reporting bodies with the personal information (credit information) necessary for the credit reporting system to operate, but their role on the output side of the system is to collect credit reporting information, which is personal information collected by the credit reporting body from other credit providers (if any) and any CRB derived information, which is personal information added by the credit reporting body, such as a credit score, assessment or other personal information about an individual that assists in determining an individual's credit worthiness.

This means, for example, that there can't be a single disclosure rule for credit providers, both because they have different roles in the system and because the personal information changes as it goes through the system. For this reason, there are provisions relating to the disclosure by credit providers to credit reporting bodies of credit information into the credit reporting system (and a related rule for credit reporting bodies dealing with collection of credit information). However, there are separate provisions relating to the disclosure by credit reporting bodies to credit providers, since the personal information disclosed will be credit reporting information.

There are further provisions relating to any disclosures by credit providers of credit eligibility information. Credit eligibility information consists of credit reporting information disclosed to the credit provider by a credit reporting body, and CP derived information, which is any personal information added by the credit provider that assists in determining an individual's credit worthiness. There is not one single category of personal information that can be regulated by a single rule that will apply in every case.

There are further rules dealing with other permitted disclosures by credit reporting bodies and credit providers. These disclosures are for specific purposes. Most recipients will be subject to further provisions in relation to their use of the personal information they have collected, as well as any further disclosure of the personal information. For example, `authorised information recipients' are subject to the requirements set out in Division 4 in relation to `regulated information'. Further disclosure by these authorised information recipients is prohibited.

The credit reporting provisions do not specifically deal with personal information that is held or maintained by: a recognised external dispute resolution scheme; an enforcement body; or a debt collector.
An enforcement body will be an APP entity, and, if the other recipients are also an APP entity, they will be subject to the APPs. A recipient who is a person who is a guarantor is likely to be an individual and exempt from the Act, while a mortgage credit assistance scheme is expected to be a State or Territory agency and exempt from the Act.

Key terms that refer to personal information in the credit reporting system

There are a number of definitions associated with the credit reporting provisions that provide explanations of the terms to assist understanding and ensure that only the precisely defined kinds of personal information are held in the credit reporting system. This is consistent with the prescriptive nature of the credit reporting system.

Many of these definitions are linked. This reflects the way in which personal information in the credit reporting system is maintained and used. In particular, both credit reporting bodies and credit providers use the personal information they collect to derive their own assessments of the individual's credit worthiness. In this context, it is understood that to derive means to use the personal information to determine some sort of credit score or rating (or other relevant personal information) that usually relates to the perceived credit risk of the individual for the purpose of considering the individual's credit worthiness. The aggregation of personal information in this way gives credit providers a better understanding of an individual's credit worthiness.

In the same way that the different kinds of personal information in the credit reporting system are pulled together, the definitions of terms used to refer