Commonwealth of Australia Explanatory Memoranda Commonwealth of Australia Explanatory Memoranda[Index] [Search] [Download] [Bill] [Help]
2010-2011-2012
THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA
SENATE
PRIVACY AMENDMENT (ENHANCING PRIVACY PROTECTION) BILL 2012
SUPPLEMENTARY EXPLANATORY MEMORANDUM
AMENDMENTS TO BE MOVED ON BEHALF OF THE GOVERNMENT
(Circulated by authority of the Attorney-General,
the Honourable Nicola Roxon, MP)
PRIVACY AMENDMENT (ENHANCING PRIVACY PROTECTION) BILL 2012
OUTLINE
The Bill
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (the Bill) amends the
Privacy Act 1988 (the Privacy Act) to implement the Government's first stage response to the
Australian Law Reform Commission's (ALRC) report number 108, called `For Your
Information: Australian Privacy Law and Practice' (ALRC Report). The Bill implements the
major legislative elements of the Government's first stage response.
The Bill amends the Privacy Act to:
· Create the Australian Privacy Principles (APPs), a single set of privacy principles
applying to both Commonwealth agencies and private sector organisations (referred to
as APP entities), which replace the Information Privacy Principles (IPPs) for the
public sector and the National Privacy Principles (NPPs) for the private sector;
· Introduce more comprehensive credit reporting with improved privacy protections, at
the same time rewriting the credit reporting provisions to achieve greater logical
consistency, simplicity and clarity and updating the provisions to more effectively
address the significant developments in the operation of the credit reporting system
since the provisions were first enacted in 1990;
· Introduce new provisions on privacy codes and the credit reporting code (called the
CR code), including powers for the Commissioner to develop and register codes in the
public interest that are binding on specified agencies and organisations; and
· Clarify the functions and powers of the Commissioner and improve the
Commissioner's ability to resolve complaints, recognise and encourage the use of
external dispute resolution services, conduct investigations and promote compliance
with privacy obligations.
The Bill introduces a number of additional safeguards for the protection of privacy, including
enhanced notification, quality, correction, and dispute resolution mechanisms for individuals.
The substantive elements of the reforms are contained in six schedules to the Bill. Each
schedule deals with a particular subject and related matters, including related definitions.
The schedules and their topics are:
· Schedule 1 - Australian Privacy Principles
· Schedule 2 - Credit reporting
· Schedule 3 - Privacy codes
· Schedule 4 - Other amendments of the Privacy Act 1988
· Schedule 5 - Amendment of other Acts
· Schedule 6 - Application, transitional and savings provisions
The Amendments
The Government is introducing certain amendments to items in Schedules 1, 2 and 4 of the
Bill. A number of these amendments respond to the recommendations of the Senate Legal
and Constitutional Affairs Legislation Committee's (the Committee) report into the Bill
which was tabled on 26 September 2012.
2
The amendments to Schedule 1 of the Bill respond to recommendations 1, 2, and 8 of the
Committee's report and will improve the effectiveness of the Bill. These amendments:
· Clarify the pseudonymity principle in APP 2 (recommendation 1);
· Remove the word `prohibition' from the subheading of APP 7 which deals with direct
marketing, to more accurately reflect the content of the provisions
(recommendation 2);
· Add notes under those APPs that refer to `permitted general situations' and `permitted
health situations' to provide useful cross references to the meaning of those terms
(recommendation 8); and
· Make a minor amendment to the provision dealing with medical research.
The amendments to Schedule 2 of the Bill respond to recommendations 10 and 15 of the
Committee's report. The amendments to Schedule 2 will also address a number of additional
stakeholder concerns. These amendments:
· Specify that at least 14 days must elapse from the giving of a written notice before a
default is recorded as part of an individual's credit reporting information
(recommendation 10);
· Broaden the de-identification provision to permit research to be generally about
`credit' (recommendation 15);
· Redraft the `Australian link' requirement to ensure credit providers can continue to
undertake various offshore processing activities in relation to credit eligibility
information, clarify the scope of the `managing credit' and debt collection provisions
and make a number of related changes (a more detailed summary of these `Australian
link' related provisions is provided below);
· Permit credit reporting bodies to disclose repayment history information to mortgage
insurers; and
· Add regulation making powers to:
o Allow prescribed credit providers that are not licensees, such as Indigenous
Business Australia (IBA), to access repayment history information
o Exempt prescribed credit providers, such as IBA, from certain obligations to
be a member of an external dispute resolution (EDR) scheme, and
o Allow additional relay services that may be developed in the future to be
exempted from the requirements to obtain prior written authorisation where
the prescribed service is used to assist an individual (an `access seeker') to
communicate for the purposes of obtaining access to their credit reporting
information.
Clause 2 of the Bill is amended to extend the commencement period of the Bill to 15 months
after Royal Assent. The Government accepted in principle the Senate Committee's
recommendation to provide certainty around the commencement of the Bill, but, after further
consultations with industry, has decided to extend the commencement period from 9 months
to 15 months. This longer commencement period will ensure industry has sufficient time to
make necessary changes to their systems and procedures, provide an extended period for the
Office of the Australian Information Commissioner (OAIC) to develop relevant guidelines,
3
educational material and deal with other implementation matters, and provide time for the
development, approval and registration of a Credit Reporting Code of Conduct (CR Code).
The amendments will also add a note to the civil penalty provisions in Schedule 4 of the Bill
to clarify the matters that a court must consider in determining an appropriate penalty for
multiple breaches of the Act.
Summary of Government amendments in relation to the `Australian link' issue
Credit providers currently make disclosures to overseas recipients for a range of credit
assessment and management purposes, including offshore call centres and data processing
facilities. Depending on the nature of the relationship with the credit provider, these overseas
recipients may be a related body corporate to the credit provider, an agent of the credit
provider, or a credit manager. The `Australian link' requirement which applies to disclosures
of credit eligibility information may limit the ability of credit providers to make disclosures
to overseas recipients. It is not the Government's policy to prevent existing cross-border
disclosures of credit eligibility information that are currently permitted by the Privacy Act.
Accordingly, the Australian link requirement has been removed from a number of permitted
disclosures by credit providers. However, a new clause 21NA has been inserted to ensure
that an Australian credit provider remains responsible for the acts or practices of any overseas
entity to whom the credit provider discloses credit eligibility information.
Related to these amendments, to address cross-border disclosures of credit eligibility
information, certain additional changes have been made. These changes are to:
· Clarify that a credit manager may also process an application for credit as well as
manage credit provided by the credit provider;
· Ensure that a credit provider's privacy policy provides information about possible
cross-border disclosures and the location of the overseas recipients, where it is
practicable to specify those countries, and to ensure that a credit provider notifies an
individual at or before the time of collection of their personal information of these
matters. These obligations are consistent with the general privacy policy and
notification obligations set out in APPs 1.4 and 5.2;
· Adjust the definition of `managing credit' to clearly distinguish a credit manager from
a debt collector, recognising that some credit management activities may relate to
overdue payments but not take the form of debt collection activity, which is the role
of debt collectors. This clarification is important as the Bill restricts the types of
personal information that can be disclosed to debt collectors for collections activities;
and
· Permit credit providers to disclose repayment history information to related bodies
corporate and credit managers.
These provisions may apply to a credit provider's agents or related bodies corporate. The
provisions are not intended to affect the law of agency or the law which determines when an
entity is taken to be a related body corporate.
Financial Impact
These amendments will have negligible financial implications.
4
ACRONYMS AND ABBREVIATIONS
Australian Law Reform Commission (ALRC)
Australian Privacy Principle (APP)
Credit Provider (CP)
Credit Reporting Body (CRB)
Credit Reporting Code of Conduct (CR Code)
External Dispute Resolution (EDR)
Indigenous Business Australia (IBA)
Information Privacy Principles (IPPs)
National Consumer Credit Protection (NCCP)
National Privacy Principles (NPPs)
Office of the Australian Information Commissioner (OAIC)
Privacy Act 1988 (the Privacy Act)
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (the Bill)
Senate Legal and Constitutional Affairs Legislation Committee's (the Committee)
5
NOTES ON CLAUSES
Amendments 1 to 6: Clause 2, Commencement
The table at clause 2 of the Bill sets out the commencement arrangements for the Bill.
Column 1 states the provision number, and column 2 provides the commencement
arrangements for that particular provision.
The table provides that sections 1 to 3 and any other provision in the Act that is not provided
for in the table commences on the day the Act receives the Royal Assent. The table also
provides that Items 156 and 162 of Schedule 5 and Parts 1 and 4 of Schedule 6 also
commence on the day the Act receives the Royal Assent.
The table had made provision for variable commencement dates for certain provisions based
on the actual commencement of certain other relevant Acts. As these Acts have now
commenced the table has been simplified in recognition of their commencement.
The majority of the new provisions have a deferred commencement. This amendment
changes the commencement period from 9 months to 15 months from the day after the Bill
receives Royal Assent. This change will provide agencies and organisations with sufficient
time to prepare for the introduction of the new provisions, particularly for the credit reporting
provisions.
Amendment 7: Schedule 1, Item 88, Guidelines on use of personal information for
medical research
This technical amendment inserts the term `by agencies' in the appropriate place in
subsection 95(1) to ensure the intended meaning is achieved. Item 88 will amend subsection
95(1) of the Privacy Act by clarifying that the CEO of the National Health and Medical
Research Council may, with the approval of the Commissioner, issue guidelines for the
protection of privacy by agencies in the conduct of medical research. This clarifies that the
privacy protection guidelines will apply to agencies, and confirms that the guidelines are not
intended to apply to organisations.
Amendment 8: Schedule 1, Item 104, pseudonymity
This amendment clarifies the operation of Australian Privacy Principle (APP) 2. It ensures
that an APP entity is not required to comply with APP 2 where it is impracticable for the APP
entity to deal with individuals who either have not identified themselves or who have used a
pseudonym.
Amendment 9: Schedule 1, Item 104, note
This amendment inserts a cross reference at the end of APP 3.4 to section 16A for `permitted
general situations' and 16B for `permitted health situations', to indicate that these sections
contain additional information about the `permitted general situation' and `permitted health
situation' concepts. These are relevant to exceptions contained in APP 3.4(b) and (c).
Amendment 10: Schedule 1, Item 104, note
This amendment inserts a cross reference at the end of APP 6.2 to section 16A for `permitted
general situations' and 16B for `permitted health situations', to indicate that these sections
contain additional information about the `permitted general situation' and `permitted health
situation' concepts. These are relevant to exceptions contained in APP 6.2(c) and (d).
Amendment 11: Schedule 1, Item 104, Australian Privacy Principle 7.1
This amendment changes the title of APP 7 to `direct marketing' from `prohibition on direct
marketing' to ensure the heading more appropriately reflects the substance of the provisions.
6
APP 7 restricts direct marketing involving the use and disclosure of personal information by
organisations, but does not prohibit direct marketing.
Amendment 12: Schedule 1, Item 104, note
This amendment inserts a cross reference at the end of APP 8.2 to section 16A for `permitted
general situations' and 16B for `permitted health situations', to indicate that these sections
contain additional information about the `permitted general situation' and `permitted health
situation' concepts. This is relevant to the exceptions contained in APP 8.2(d).
Amendments 13 and 14: Schedule 1, Item 104, note
These amendments insert an additional note at the end of APP 9.2 containing a cross
reference to section 16A for `permitted general situations' and 16B for `permitted health
situations', to indicate that these sections contain additional information about the `permitted
general situation' and `permitted health situation' concepts. This is relevant to the exceptions
contained in APP 9.2(d).
Amendment 15: Schedule 2, Item 39, Definition of `managing credit'
The term `managing credit' is amended by removing the words `an act relating to the
collection of'. This has the effect of limiting the exception to `the act of collecting'. The
purpose of this amendment is to clarify the distinction between the act of collecting overdue
payments and other credit management activities that may be related to an overdue payment.
Credit providers and their credit managers may undertake a range of activities once a
payment becomes overdue, starting from providing the individual with a reminder that the
payment is overdue. The act of collecting overdue payments is an activity undertaken by
debt collectors and it is at this point that the distinction with the activities of a credit manager
is drawn.
This clarification is necessary because the definition of `managing credit' is used to
determine the appropriate functions of agents, credit managers, and debt collectors.
Consistent with existing limitations, clause 21M of the Bill limits the types of information
that can be disclosed to a debt collector for the primary purpose of collecting an overdue
payment. Clarifying the definition of `managing credit' assists in accurately delineating the
operation of clause 21M.
Amendment 16: Schedule 2, Item 69, Definition of `access seeker'
This amendment provides that regulations may prescribe other persons to be excluded from
the definition of access seeker. This regulation making power will provide flexibility to
allow additional persons to be excluded from the requirement to be authorised in writing. For
example, new technologies which are not provided by the National Relay Service may
provide additional relay services to assist the deaf and hearing impaired.
Amendment 17: Schedule 2, Item 72, access to repayment history information
This amendment allows mortgage insurers, who are not licensees, to access repayment
history information. Mortgage insurers have been included to ensure risk is not transferred to
the mortgage insurer, as the underwriter of the loan, due to an imbalance in the level of
information available to them as opposed to the credit provider. The amendment also allows
other credit providers who are not licensees to have access to repayment history information
if they have been prescribed by the regulations. It is intended that Indigenous Business
Australia (IBA), an agency established by the Aboriginal and Torres Strait Islander Act 2005
that provides credit in certain circumstances, will be prescribed as an additional credit
provider which can access repayment history information. This is considered appropriate as
7
IBA has been exempted from holding an Australian Credit Licence under the National
Consumer Credit Protection (NCCP) Act 2009, pursuant to NCCP Regulation 20(7). This
regulation provides that a public body or authority constituted under an Act of the
Commonwealth is exempt from the obligations to be a licensee under the NCCP Act. It is
considered appropriate for IBA to have access to the credit reporting system on the same
terms as any other credit provider that is a licensee. It is expected that similar circumstances
would exist in relation to any other organisation or type of organisation that is to be
prescribed under the regulations.
Amendments 18 to 20: Schedule 2, Item 72, de-identified information
Clause 20M deals with the use or disclosure of credit reporting information that is de-
identified. The provision states that de-identified information can be used or disclosed for the
purpose of conducting research in relation to `the assessment of the credit worthiness of
individuals'. These amendments simplify this requirement so that research must be in
relation to `credit'. To implement this change these amendments change each appropriate
reference to `credit'.
Amendments 21 and 22: Schedule 2, Item 72, content of credit provider's privacy policy
These amendments insert additional matters that must be contained in a credit provider's
policy. These additional obligations are based on APP 1.4(f) and (g).
The insertion of clause 21NA makes clear that credit providers may, where they satisfy the
requirements of clause 21NA, disclose credit eligibility information to an entity that does not
have an Australian link. Entities without an Australian link will be located overseas. Types
of overseas entities to which a credit provider may choose to disclose credit eligibility
information may include a credit provider's agents or related body corporates, as well as a
credit provider's credit managers or debt collectors. Where a credit provider intends to
disclose credit eligibility information to an entity without an Australian link, these
amendments to clause 21B will require the credit provider to include in its privacy policy a
statement that the provider is likely to disclose credit eligibility information to an entity that
does not have an Australian link and, where this is likely to occur, the countries in which
those entities are likely to be located if it is practicable to specify those countries.
Consistent with the obligations contained in clause 21B, these additional requirements will
apply to both credit information as well as credit eligibility information.
Amendments 23 and 24: Schedule 2, Item 72, notification requirements
These amendments insert additional notification obligations which a credit provider must
satisfy at, or as soon as practicable after, the collection of information. These additional
obligations are based on APP 5.2(i) and (j).
Clause 21NA makes clear that credit providers may, where they satisfy the requirements of
the provision, disclose credit eligibility information to an entity that does not have an
Australian link. Entities without an Australian link will be located overseas. Types of
overseas entities to which a credit provider may choose to disclose credit eligibility
information may include a credit provider's agents or related body corporates, as well as a
credit provider's credit managers or debt collectors. Clause 21C requires a credit provider to
notify an individual of certain matters at or before the time of collection of personal
information about the individual that is likely to be disclosed to a credit reporting body.
Where a credit provider intends to disclose credit eligibility information to an entity without
an Australian link, these amendments to clause 21C will require the credit provider to notify
the individual that the provider is likely to disclose credit eligibility information to an entity
8
that does not have an Australian link and, where this is likely to occur, the countries in which
those entities are likely to be located if it is practicable to specify those countries in the credit
reporting policy.
Consistent with the obligations contained in clause 21C, these additional requirements will
apply to both credit information as well as credit eligibility information.
Amendment 25: Schedule 2, Item 72, External Dispute Resolution requirements for credit
providers accessing repayment history information
This amendment provides that regulations may permit prescribed credit providers who are not
members of a recognised external dispute resolution scheme to disclose credit information to
a credit reporting body.
Paragraph 6G(1)(d) defines credit provider to include an agency, organisation or small
business operator that is prescribed by the regulations. It is intended that Indigenous
Business Australia (IBA), will be prescribed by the regulations pursuant to paragraph
6G(1)(d) as a credit provider. IBA is exempt from holding an Australian Credit Licence
under the NCCP Act, pursuant to NCCP Regulation 20(7). This regulation provides that a
public body or authority constituted under an Act of the Commonwealth is exempt from the
obligations to be a licensee under the NCCP Act. It is considered appropriate for IBA to have
access to the credit reporting system on the same terms as any other credit provider that is a
licensee.
This amendment will ensure that regulations may prescribe IBA for the purposes of this
provision. The regulation making power also provides the option of exempting other bodies
from this requirement in appropriate circumstances. For example, in some circumstances it
may be appropriate to exempt commercial credit providers that only access consumer credit
reporting from the requirement to be a member of a registered EDR scheme.
Amendment 26: Schedule 2, Item 72, access to repayment history information
This amendment provides that regulations may permit prescribed credit providers who are not
licensees to disclose repayment history information to a credit reporting body.
As noted above in relation to amendment 25, it is intended that IBA will be prescribed by
regulations as a credit provider. IBA has been exempted from the requirement to be a
licensee under the NCCP Act by NCCP Regulation 20(7). It is considered appropriate for
IBA to have access to the credit reporting system on the same terms as any other credit
provider that is a licensee. This amendment will ensure that regulations may prescribe IBA
for the purposes of this provision to ensure that IBA can disclose repayment history
information to a credit reporting body.
Amendment 27: Schedule 2, Item 72, time period before recording default information
This amendment implements recommendation 10 of the Senate Committee's report.
Paragraph 21D(3)(d) permits a credit provider to disclose default information about an
individual to a credit reporting body. Before making such a disclosure, the credit provider
must have given the individual a notice in writing stating the provider intends to disclose the
information to the credit reporting body. The provision also requires `a reasonable period'
must have passed since giving the notice before the default is disclosed.
This amendment removes the requirement that `a reasonable period' must pass and replaces it
with a requirement that at least 14 days must have passed since the giving of the notice before
default information can be disclosed to a credit reporting body. This provides certainty in
relation to the minimum time period that must elapse. However, there may be circumstances
9
where a longer period would be reasonable and the credit provider can allow a longer period
to elapse before disclosing default information.
Amendment 28: Schedule 2, Item 72, removing Australian link requirement for related
bodies corporate
The requirement that a credit provider's related bodies corporate have an Australian link is
removed by this amendment. Disclosure of credit eligibility information to a related body
corporate without an Australian link must comply with clause 21NA. In addition, a credit
provider that discloses credit eligibility information to a related body corporate that does not
have an Australian link will be responsible for the acts and practices of that related body
corporate in relation to that credit eligibility information.
Amendment 29: Schedule 2, Item 72, credit managers
Clause 21G(3) permits credit providers to make disclosures of credit eligibility information in
certain circumstances. Paragraph (3)(c) permits disclosures to a person who manages credit
provided by the credit provider. This amendment removes the requirement that a credit
provider must have an Australian link. Disclosure of credit eligibility information to a credit
manager under paragraph (3)(c) that does not have an Australian link must comply with the
requirements set out in clause 21NA. In addition, a credit provider that discloses credit
eligibility information to a credit manager that does not have an Australian link will be
responsible for the acts and practices of that credit manager in relation to that credit eligibility
information.
The amendment also extends the paragraph to include a person who processes an application
for credit made to the credit provider, as well as a person who manages credit provided by the
credit provider. This amendment is necessary because it is understood credit managers may
be used to process an application for credit, as well as to manage credit that has been
provided by a credit provider.
The exception of agents from the operation of this provision has been removed. This means
that the provision will apply in situations where a credit manager is considered to be an agent
as well as in situations where the credit manager is not an agent of the credit provider. This
amendment ensures that a disclosure to a credit manager that does not have an Australian link
will be subject to the requirements of clause 21NA, whether or not the credit manager is also
an agent of the credit provider. This also means that an agent that is a credit manager with an
Australian link must also comply with clause 22E, which deals with the use or disclosure of
information by credit managers.
Amendment 30: Schedule 2, Item 72, cross reference to 21NA
This amendment inserts a note at the end of subclause 21G(3) to provide a cross-reference to
clause 21NA. Clause 21NA will apply to disclosures under paragraphs (3)(b) or (c) where
the recipient does not have an Australian link.
Amendment 31: Schedule 2, Item 72, credit managers etc
Subclause 21G(4) prohibits the disclosure of credit eligibility information that is, or was
derived from, repayment history information. Subclause 21G(5) provides exceptions to this
prohibition. This amendment inserts an exception for disclosures under paragraphs
21G(3)(b) or (c). This means that credit eligibility information that is, or was derived from,
repayment history information may be disclosed to a related body corporate of the credit
provider or a credit manager of the credit provider that are not licensees, including where
these entities do not have an Australian link. However, clause 21NA will apply where the
recipient does not have an Australian link.
10
Amendment 32: Schedule 2, Item 72, debt collectors
Clause 21M deals with permitted disclosures by credit providers to debt collectors. This
amendment removes the requirement that a debt collector must have an Australian link.
Disclosure of credit eligibility information to a person or body that collects debts on behalf of
others that does not have an Australian link must comply with the requirements set out in
clause 21NA. In addition, a credit provider that discloses credit eligibility information to a
debt collector that does not have an Australian link will be responsible for the acts and
practices of that debt collector in relation to that credit eligibility information.
Amendment 33: Schedule 2, Item 72, debt collectors
This amendment limits the operation of clause 21M to those situations where credit eligibility
information about an individual is disclosed to a debt collector for the primary purpose of
collecting payments. There may be a range of activities related to overdue payments that
may be performed by a credit provider or a credit manager on behalf of the credit provider.
These activities may include issuing reminders about the overdue payment, contacting the
individual about the overdue payment, and so on. The purpose of this amendment is to
ensure that the restrictions set out in subclause 21M(2) only apply where the information is
disclosed at the point of collection activity in relation to debts that are due to the credit
provider. A disclosure to a body or entity that collects debts where the disclosure is for the
primary purpose of collecting payments will be subject to the restrictions on the types of
information that can be disclosed set out in subclause 21M(2).
Amendment 34: Schedule 2, Item 72, cross reference to 21NA
This amendment inserts a note at the end of subclause 21M(1) to provide a cross-reference to
clause 21NA. Clause 21NA will apply to disclosures to debt collectors that do not have an
Australian link.
Amendment 35: Schedule 2, Item 72, new section 21NA, disclosures to certain recipients
that do not have an Australian link
This provision has been inserted to deal with permitted disclosures of credit eligibility
information to related bodies corporate (pursuant to paragraph 21G(3)(b)), credit managers,
including persons that process an application for credit made to a credit provider (pursuant to
paragraph 21G(3)(c)), or debt collectors (pursuant to subclause 21M(1)) where these
recipients do not have an Australian link. The purpose of this provision is to:
· specify the obligations that must be met prior to any permitted disclosure to a
recipient without an Australian link; and
· provide that the credit provider is responsible for the acts or practices of that recipient
in relation to the information that was disclosed, so that any act or practice of the
recipient that would be a breach of their obligations is taken to have been done by the
credit provider.
These provisions are based on the approaches to cross-border disclosures set out in APP 8.1
and clause 16C. APP 8.1 generally permits cross-border disclosures of personal information,
subject to the disclosing entity first taking such steps as are reasonable in the circumstances
to ensure the overseas recipient does not breach the APPs (other than APP 1, which requires
entities to have a privacy policy) in relation to the information that is disclosed. Clause 16C
deals with the acts and practices of overseas recipients of personal information where
information has been disclosed subject to APP 8.1. Where the overseas recipient does an act
or practice that would be a breach of the APPs, the Australian entity is taken to be responsible
for any such breach of the APPs.
11
Subclauses (1) and (2) apply to permitted disclosures made to related bodies corporate or
credit managers.
Subclause (1) provides that, before a permitted disclosure is made under paragraph 21G(3)(b)
(to a related body corporate) or (c) (to a credit manager) to a recipient that does not have an
Australian link, the credit provider must take steps which are reasonable in the circumstances
to ensure the recipient does not breach the specified provisions. The overall effect of this
requirement is that the recipient must not breach the APPs, as modified. Clauses 22D and
22E already deal with the use or disclosure of personal information, including government
related identifiers, by related bodies corporate and credit managers. These provisions operate
to take the place of APPs 6, 7 and 8 (which set out the general rules for the use and disclosure
of personal information) and APP 9.2 (which deals with the use or disclosure of government
related identifiers). Clauses 22D and 22E will continue to apply, and in addition the
remainder of the APPs must also apply, with the exception of APP 1. APP 1 is excluded
because it has been excluded from the operation of APP 8 and its exclusion in this context
ensures consistency in the treatment of obligations to be imposed upon overseas recipients.
Subclause 21NA(1) imposes obligations on the credit provider to ensure the recipient of the
information does not breach the relevant provisions. However, consistent with the approach
taken in APP 8.1, subclause 21NA(1) does not specify how compliance with the relevant
provisions should be effected. It is expected that contractual terms will underpin the
disclosure from the credit provider to the recipient and that the contract will deal with the
matters set out in subclause 21NA(1). Credit providers will be responsible for ensuring
compliance with the relevant provisions. For example, APP 5, which deals with notification
of the collection of personal information, must apply to the recipient. APP 5.1 requires that
an entity which collects personal information must take such steps (if any) as are reasonable
in the circumstances to notify the individual of certain matters. It will be a matter for the
credit provider and the recipient of the information (the related body corporate or credit
manager) to determine what, if any, steps to provide notification are reasonable in the
circumstances. For example, the credit provider that originally collects the information could
notify individuals that credit eligibility information about them will be disclosed to the
recipient and provide information about the matters set out in APP 5.2 in relation to the
recipient's handling of that information. In such circumstances, it may be considered
appropriate that no steps are necessary to provide further notification to the individual once
the information is collected by the recipient.
Subclause (2) provides that a credit provider is responsible for the acts or practices of the
recipient that may breach the relevant provisions. The effect of subclause (2) is cumulative.
It applies where the recipient does not have an Australian link, and the relevant provisions of
the Act do not already apply to the recipient, and the recipient does an act, or engages in a
practice, in relation to the information that would be a breach of the relevant provisions. In
such a situation, the act or practice is taken to have been done, or engaged in, by the credit
provider and to be a breach committed by the credit provider.
APP 8.2 does not apply to these disclosures, nor does clause 21NA contain any provisions
based on APP 8.2. Credit providers will remain responsible in every case for the acts and
practices of any related body corporate, credit manager or debt collector to whom they
disclose information where that recipient does not have an Australian link.
Subclauses (3) and (4) apply to permitted disclosures made to debt collectors. These
provisions are based on subclauses (1) and (2). Disclosures to debt collectors are subject to
certain restrictions set out in clause 21M. These restrictions will continue to apply whether or
not the debt collector has an Australian link.
12
Subclause (3) provides that, before a permitted disclosure is made under paragraph 21M(1) to
a debt collector that does not have an Australian link, the credit provider must take steps
which are reasonable in the circumstances to ensure the recipient does not breach the APPs,
with the exception of APP 1. APP 1 is excluded because it has been excluded from the
operation of APP 8 and its exclusion in this context ensures consistency in the treatment of
obligations to be imposed upon overseas recipients. Unlike related bodies corporate or credit
managers, the Bill does not provide specific rules dealing with the use or disclosure of
personal information by debt collectors. Accordingly, the credit provider must ensure the
debt collector complies with the APPs.
Subclause 21NA(3) imposes obligations on the credit provider to ensure the debt collector
does not breach the relevant provisions. However, consistent with the approach taken in APP
8.1, subclause 21NA(3) does not specify how compliance with the relevant provisions should
be effected. It is expected that contractual terms will underpin the disclosure from the credit
provider to the debt collector and that the contract will deal with the matters set out in
subclause 21NA(3). Credit providers will be responsible for ensuring compliance with the
relevant provisions. For example, APP 5, which deals with notification of the collection of
personal information, must apply to the debt collector. APP 5.1 requires that an entity which
collects personal information must take such steps (if any) as are reasonable in the
circumstances to notify the individual of certain matters. As noted above in relation to
subclause (2), it will be a matter for the credit provider and the debt collector to determine
what, if any, steps to provide notification are reasonable in the circumstances.
Subclause (4) provides that a credit provider is responsible for the acts or practices of the debt
collector that may breach the APPs. The effect of subclause (4) is cumulative. It applies
where the debt collector does not have an Australian link, and the APPs do not already apply
to the debt collector, and the debt collector does an act, or engages in a practice, in relation to
the information that would be a breach of the APPs. In such a situation, the act or practice is
taken to have been done, or engaged in, by the credit provider and to be a breach committed
by the credit provider.
APP 8.2 does not apply to these disclosures, nor does clause 21NA contain any provisions
based on APP 8.2. Credit providers will remain responsible in every case for the acts and
practices of any related body corporate, credit manager or debt collector to whom they
disclose information where that recipient does not have an Australian link.
Amendment 36: Schedule 2, Item 72, credit managers, etc
This is a minor amendment to the heading of section 22E to recognise that it also applies to a
person who processes an application for credit made to a credit provider.
Amendment 37: Schedule 2, Item 72, credit managers, etc
This amendment removes the reference to managing credit. Paragraph 21G(3)(c) now also
applies to a person who processes an application for credit made to a credit provider and the
reference to paragraph (3)(c) is sufficient.
Amendment 38: Schedule 2, Item 72, credit managers, etc
This amendment removes the reference to managing credit. Paragraph 21G(3)(c) now also
applies to a person who processes an application for credit made to a credit provider and the
reference to paragraph (3)(c) is sufficient.
13
Amendment 39: Schedule 2, Item 72, credit managers, etc
This amendment makes certain that a credit manager is permitted to disclose information
back to the credit provider to whom the person provides credit management services (which
includes processing of credit applications, as set out in paragraph 21G(3)(c)).
Amendment 40: Schedule 2, Item 72, pecuniary penalty
This amendment adds a note at the end of section 80Z which confirms that, in determining a
pecuniary penalty, the court must take into account all relevant matters, including the matters
mentioned in subclause 80W(6). These matters include:
· The nature and extent of the contravention;
· The nature and extent of any loss or damage suffered because of the contravention;
· The circumstances in which the contravention took place; and
· Whether the entity has previously been found by a court in proceedings under the
Privacy Act to have engaged in any similar conduct.
This amendment confirms that the court should consider such matters when determining a
penalty for multiple breaches of the Act under clause 80Z.
14
Index]
[Search]
[Download]
[Bill]
[Help]