PRIVACY AMENDMENT (REGIONAL INVESTMENT CORPORATION) REGULATIONS 2023 (F2023L00613) EXPLANATORY STATEMENT

Commonwealth Numbered Regulations - Explanatory Statements



PRIVACY AMENDMENT (REGIONAL INVESTMENT CORPORATION) REGULATIONS 2023 (F2023L00613)

EXPLANATORY STATEMENT

Issued by Authority of the Attorney-General

Privacy Act 1988

Privacy Amendment (Regional Investment Corporation) Regulations 2023

Legislative Authority

The Privacy Act 1988 (Privacy Act) provides for the protection of the privacy of individuals. One of the objects of the Privacy Act is to facilitate an efficient credit reporting system while ensuring the privacy of individuals is respected.

Section 100 of the Privacy Act provides that the Governor-General may make regulations, not inconsistent with this Act, prescribing matters required or permitted by this Act to be prescribed or necessary or convenient to be prescribed for carrying out or giving effect to this Act. 

Paragraph 6G(1)(d) of the Privacy Act provides that a credit provider is an agency, organisation or small business operator that carries on a business or undertaking that involves providing credit and that is prescribed by the Regulations.

Purpose

The purpose of the Privacy Amendment (Regional Investment Corporation) Regulations 2023 (the Regulations) is to amend the Privacy Regulation 2013 (Privacy Regulation) to ensure the Regional Investment Corporation (RIC) is a credit provider permitted to manage credit information about an individual under the Privacy Act.  It does so by:

*         prescribing the RIC as a credit provider under the Privacy Act;

*         permitting credit reporting bodies (CRBs) to disclose credit reporting information, including repayment history information, to the RIC;

*         permitting the RIC to disclose credit information about an individual to a CRB.

Background

The RIC is an agency within the Agriculture, Fisheries and Forestry portfolio that delivers concessional loans to farm businesses, drought-affected small businesses and other eligible businesses under the Regional Investment Corporation Act 2018.

To administer an individual's application for such loans, the RIC needs to manage information about that individual (such as personal information about an individual's identity, consumer credit liability, default information and personal insolvency).

To ensure the RIC can manage this type of information in a manner consistent with the Privacy Act, it is necessary for the RIC to be prescribed as a credit provider by the Privacy Regulation. Currently, Indigenous Business Australia and the Export Finance and Insurance Corporation are prescribed as credit providers under the Privacy Regulation. The Regulations add the RIC to this group.

Impact and effect

The Regulations will permit the RIC to disclose credit information about an individual to a CRB. It will also permit CRBs to disclose credit reporting information, including repayment history information, to the RIC.

The effect of the Regulations is to impose obligations on the RIC to protect an individual's credit information, including credit eligibility information and CRB derived information under the Privacy Act.  It does so by prescribing the RIC as a credit provider and, in doing so, requires the RIC to handle information in accordance with the following legislation:

*         Part IIIA of the Privacy Act, which deals with the privacy of information relating to credit reporting (as supported by the Privacy Regulation)

*         The Privacy (Credit Reporting) Code 2014 (Code).

Part IIIA of the Privacy Act regulates the handling of personal information about an individual's activities in relation to consumer credit.  Division 3 of Part IIIA of the Privacy Act outlines:

*         the types of credit information credit providers like the RIC can disclose to a CRB to be included in an individual's credit report

*         the permitted purposes for which credit providers like the RIC can use credit eligibility information about an individual.

The Code particularises the credit reporting obligations imposed on the RIC by Part IIIA of the Privacy Act and the Privacy Regulation.  It covers notification requirements, credit enquiries, financial hardship information, default information and publicly available information, credit bans, access and complaints, among other things.

Consultation

The Department of Agriculture, Fisheries and Forestry, the Department of Finance, Office of the Australian Information Commissioner and the RIC were consulted and are supportive of the Regulations.

The Office of Impact Analysis was consulted in relation to the Regulations and advised that a Regulatory Impact Statement is not required (OBPR22-03006).

Details/Operation

The Regulations are a legislative instrument for the purposes of the Legislation Act 2003.

The Regulations commence on the day after the instrument is registered on the Federal Register of Legislation.

Details of the Regulations are set out in Attachment A.

Other

The Regulations are compatible with the human rights and freedoms recognised or declared under section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.  A statement of compatibility with human rights for the Regulations is at Attachment B.


 

ATTACHMENT A

Details of the Privacy Amendment (Regional Investment Corporation) Regulations 2023

Section 1 - Name

This section provides that the name of the instrument is the Privacy Amendment (Regional Investment Corporation) Regulations 2023 (the Regulations).

Section 2 - Commencement

This section provides that the instrument commences on the day after the day the instrument is registered on the Federal Register of Legislation.

Section 3 - Authority

This section provides that the Regulations are made under the Privacy Act 1988 (the Privacy Act).

Section 4 - Schedules

This section is the formal enabling provision for the Schedule to the Regulations. This section enables the Privacy Regulation 2013 (Privacy Regulation) to be amended.

Schedule 1 - Amendments

Privacy Regulation 2013

Item [1] - At the end of subsection 10(1)

This item adds paragraph (c) to subsection 10(1) of the Privacy Regulation to provide that the RIC, as an agency, is prescribed as a credit provider under section 6G of the Privacy Act. 

The effect of this amendment is that a CRB would be permitted to disclose credit reporting information to the RIC as a credit provider under paragraph 20E(3)(a) of the Privacy Act.

Prescribing the RIC as a credit provider under section 6G of the Privacy Act has resulted in a range of additional privacy obligations applying to the RIC (specifically, the obligations contained in Part IIIA of the Privacy Act and the Code). These relate to the transparency of information, additional notification requirements, the use and disclosure of information, ensuring the integrity and security of information, facilitating access to, and correction of, information and dealing with complaints regarding the handling of information.

Transparency of information

Obligations regarding the transparency of information require the RIC to:

*         Prepare a specific policy about its management of credit information and credit eligibility information, making this publicly available and taking reasonable steps to provide a copy of this policy free of charge on request (section 21B of the Privacy Act)

*         Implement practices, procedures and systems to ensure that the RIC meets its obligations under Part IIIA of the Privacy Act and the Code and enable the RIC to deal with inquiries or complaints from individuals about its compliance, including through staff training (section 21B of the Privacy Act).

As a credit provider, the RIC's notification obligations under Australian Privacy Principle (APP) 5 of the Privacy Act have been expanded to cover a range of additional matters specified in Part IIIA of the Privacy Act and the Code. In particular, additional notification requirements have been imposed on the RIC where it collects personal information about an individual that is likely to be disclosed to a CRB (section 21C of the Privacy Act). Individuals are able to be informed of these additional matters through the RIC's website. However, the RIC also makes this information available in other forms (to cover people who may not be able to access the information through the website).

Use and disclosure of credit related information

Generally speaking, a credit provider must not disclose credit information about an individual to a CRB (subsection 21D(1) of the Privacy Act). However, this prohibition on disclosure does not apply in the particular circumstances set out in subsection 21D(2). As the RIC has been prescribed as a credit provider and prescribed for the purposes of subparagraphs 21D(2)(a)(i) and 21D(3)(c)(i), the requirements in subsection 21D(2) are met and the prohibition in subsection 21D(1) does not apply provided the RIC handles credit information consistent with other requirements under section 21D.

The RIC is also subject to specific obligations in relation to credit eligibility information disclosed to it by a CRB. Subsection 21G(1) of the Privacy Act prohibits a credit provider from using or disclosing the credit eligibility information that it holds. However, the prohibitions on use and disclosure do not apply in the circumstances set out in subsections 21G(2) - (3). Where the RIC uses or discloses credit eligibility information in those circumstances, the RIC will make a written note of that use or disclosure (subsection 21G(6) of the Privacy Act).

There are also several requirements in paragraph 5.3 of the Code that a credit provider needs to address as part of its disclosure practices, procedures and systems. To meet these obligations, the RIC will make an assessment as to the content and level of detail that should reasonably be included in its practices, procedures and systems to cover its various obligations under the Privacy Act and the Code.

Ensuring the integrity and security of credit related information

As a credit provider, the RIC must ensure the integrity and security of credit related information. In particular:

*         The RIC must take reasonable steps to ensure the credit eligibility information it collects, uses and discloses is accurate, up-to-date and complete (section 21Q of the Privacy Act). APP 10 does not apply to the RIC in relation to its handling of credit eligibility information but does apply in relation to credit information generally (that is, information collected from the individual directly).

*         The RIC must not disclose credit information or use/disclose credit eligibility information that is false or misleading in a material particular (section 21R of the Privacy Act).

*         The RIC must take reasonable steps to protect credit eligibility information from misuse, interference, loss, unauthorised access, modification or disclosure (section 21S of the Privacy Act). These provisions also include requirements for the RIC to destroy or de-identify certain information that it holds in its records where it no longer needs this information for relevant purposes. APP 11 will apply to the RIC in relation to credit information generally (that is, information collected from an individual directly).

The Code also imposes various record keeping obligations on credit providers in relation to their use or disclosure of credit information.

Access to, and correction of, credit related information

There are specific provisions in Part IIIA of the Privacy Act relating to the capacity of an individual to request access to their own credit eligibility information (section 21T of the Privacy Act) and to request correction of their own credit information (section 21V).

Specific obligations are also being imposed on the RIC where it identifies that credit information or credit eligibility information it holds is inaccurate, out of date, incomplete, irrelevant or misleading on its own motion (section 21U). There is no capacity for the RIC to charge for providing such access or making such correction. 

These specific provisions alter the operation of the APPs with respect to credit-related information held by the RIC.

Complaints regarding the handling of credit related information

There is a specific complaints-handling regime in Division 5 of Part IIIA of the Privacy Act that applies to certain complaints made to the RIC about its acts or practices that may be a breach of Part IIIA of the Privacy Act or the Code.

In accordance with this regime, the RIC will provide written acknowledgement of the complaint and how it will be handled, investigate the complaint, consult other parties as necessary and make a decision within 30 days unless the individual agrees to a longer period (section 23B of the Privacy Act).

Item [2] -  section 13AA

This item repeals and substitutes section 13AA of the Privacy Regulation to provide that the RIC, a credit provider, is prescribed for the purposes of paragraph 20E(4)(a) of the Privacy Act. The effect of this amendment is to permit a CRB to disclose repayment history information about an individual to the RIC, as well as to Indigenous Business Australia. 

Item [3] -  section 14

This item repeals and substitutes section 14 of the Privacy Regulation to provide that the RIC is prescribed for the purposes of subparagraph 21D(2)(a)(i) of the Privacy Act if it is not a member of, or subject to, a recognised external dispute resolution (EDR) scheme.

Subparagraph 21D(2)(a)(i) of the Privacy Act does not enable a regulation to be made prescribing the RIC in the Privacy Regulation for the purposes of that provision while the RIC is a member of an EDR scheme such as the Australian Financial Complaints Authority (AFCA). This is on the basis that subparagraph 21D(2)(a)(i) presents alternative options - that is, that a credit provider must either be a member of, or subject to, a recognised EDR scheme or be prescribed in the regulations for the purposes of that provision.

This amendment to section 14 of the Privacy Regulation recognises this by prescribing the RIC for the purposes of that provision only in the event that it is not a member of an EDR scheme such as AFCA. This allows the RIC to disclose credit information about an individual to a credit reporting body if it were to cease to be a member of AFCA or another recognised external dispute resolution scheme in future.

This item also repeals and substitutes section 14 of the Privacy Regulation to provide that the RIC is prescribed for the purposes of subparagraph 21D(3)(c)(i) of the Privacy Act.

The effect of this amendment is to permit the RIC to disclose repayment history information or financial hardship information about an individual to a CRB, provided the other requirements of subsection 21D(3) are met. These include the requirements in:

*         Subparagraph 21D(3)(c)(ii) (that the consumer credit to which the information relates is consumer credit in relation to which the provider also discloses, or a credit provider has previously disclosed, consumer credit liability information about the individual to the credit reporting body)

*         Subparagraph 21D(3)(c)(iii) (that the provider needs to comply with any requirements relating to the disclosure of the information that are prescribed in the regulations). No requirements are currently prescribed in the regulation for the purposes of that provision.


 

ATTACHMENT B

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Privacy Amendment (Regional Investment Corporation) Regulations 2023

The instrument is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the instrument

The Regional Investment Corporation (RIC) is an agency within the Agriculture, Fisheries and Forestry portfolio that delivers concessional loans to farm businesses, drought-affected small businesses and other eligible businesses under the Regional Investment Corporation Act 2018.

To administer an individual's application for such loans, the RIC needs to manage information about that individual, including information relating to 'credit reporting'. This includes personal information about an individual's identity, consumer credit liability, default information and personal insolvency.

The purpose of the Privacy Amendment (Regional Investment Corporation) Regulations 2023 (the Regulations) is to ensure the RIC is a credit provider permitted to manage credit information about an individual consistent with the Privacy Act. It does so by:

*         Prescribing the RIC as a credit provider under the Privacy Act

*         Permitting credit reporting bodies (CRBs) to disclose credit reporting information, including repayment history information, to the RIC

*         Permitting the RIC to disclose credit information about an individual to a CRB.

Human rights implications

The Regulations engage the prohibition on interference with a person's privacy, family and home in Article 17 of the International Covenant on Civil and Political Rights (ICCPR).

Article 17 of the ICCPR provides that no one shall be subjected to arbitrary or unlawful interference with their privacy, family, home or correspondence, nor to unlawful attacks on their honour and reputation. Article 17 of the ICCPR also provides that everyone has the right to the protection of the law against such interference or attacks.

Article 17 of the ICCPR also protects against unwarranted and unreasonable intrusions into activities which society recognises as falling within the sphere of individual autonomy. Such intrusions can include:

*         The collection, storage, security, use, disclosure, or publication of information

*         The regulation of information held on a public register (for example, a legislative requirement to maintain a public register of biosecurity)

*         Creating an identification system

*         Providing for sharing of information across or within agencies

*         Authorising powers of entry to premises or search of persons or premises.

The prohibitions in Article 17 have been given effect by the Privacy Act.

The Privacy Act

The Privacy Act provides for the protection of personal information collected and held by Australian Government agencies and certain private sector organisations. It sets out Australian Privacy Principles (APPs) which deal with all stages of the information lifecycle, setting out standards for the collection, storage, security, use, disclosure, and quality of personal information. They also create obligations on agencies and organisations regarding access to, and correction of, an individual's own personal information.

One of the objects of the Privacy Act is to facilitate an efficient credit reporting system while ensuring that the privacy of individuals is respected. The laws about credit reporting are intended to balance an individual's right to protect their personal information with the need to ensure credit providers:

*         Have sufficient information available to assist them to decide whether to provide an individual with credit

*         Can comply with their responsible lending obligations under the National Consumer Credit Protection Act 2009 administered by the Australian Securities and Investments Commission (ASIC).

To promote an individual's right to privacy, Part IIIA of the Privacy Act regulates the handling of personal information about individuals' activities in relation to consumer credit.  Division 3 of Part IIIA outlines:

*         the types of credit information that credit providers like the RIC can disclose to a CRB, for the purpose of that information being included in an individual's credit report

*         the permitted purposes for which credit providers like the RIC can use credit eligibility information about an individual.

The Australian Information Commissioner, through the OAIC, is responsible for monitoring and enforcing compliance with the Privacy Act and can investigate complaints - including from individuals who apply to the RIC for a loan.

An individual's right to privacy when dealing with the RIC is already promoted by the Privacy Act.

The Regulations

The Regulations further promote an individual's right to privacy because prescribing the RIC as a credit provider under section 6G of the Privacy Act has resulted in a range of additional privacy obligations applying to the RIC. These obligations are contained in Part IIIA of the Privacy Act and the Privacy (Credit Reporting) Code 2014 (Code). The obligations relate to the transparency of information, additional notification requirements, the use and disclosure of information, ensuring the integrity and security of information, facilitating access to, and correction of, information and dealing with complaints regarding the handling of information.

Transparency of information

Obligations regarding the transparency of information require the RIC to:

*         Prepare a specific policy about its management of credit information and credit eligibility information, making this publicly available and taking reasonable steps to provide a copy of this policy on request (section 21B of the Privacy Act)

*         Implement practices, procedures and systems to ensure that the RIC meets its obligations under Part IIIA of the Privacy Act and the Code and enable the RIC to deal with inquiries or complaints from individuals about its compliance, including through staff training (section 21B of the Privacy Act).

As a credit provider, the RIC's notification obligations under Australian Privacy Principle (APP) 5 of the Privacy Act have been expanded to cover a range of additional matters specified in Part IIIA of the Privacy Act and the Code. In particular, additional notification requirements have been imposed on the RIC where it collects personal information about an individual that is likely to be disclosed to a CRB (section 21C of the Privacy Act). Individuals are able to be informed of these additional matters through the RIC's website. However, the RIC also makes this information available in other forms (to cover people who may not be able to access the information through the website).

Use and disclosure of credit related information

Generally speaking, a credit provider must not disclose credit information about an individual to a CRB (subsection 21D(1) of the Privacy Act). However, this prohibition on disclosure does not apply in the particular circumstances set out in subsection 21D(2). As the RIC has been prescribed as a credit provider, the requirements in subsection 21D(2) are met and the prohibition in subsection 21D(1) does not apply provided the RIC handles credit information consistent with other requirements under section 21D.

The RIC is also subject to specific obligations in relation to credit eligibility information disclosed to it by a CRB. Subsection 21G(1) of the Privacy Act prohibits a credit provider from using or disclosing the credit eligibility information that it holds. However, the prohibitions on use and disclosure do not apply in the circumstances set out in subsections 21G(2) - (3). Where the RIC uses or discloses credit eligibility information in those circumstances, the RIC will make a written note of that use or disclosure (subsection 21G(6) of the Privacy Act).

There are also several requirements in paragraph 5.3 of the Code that a credit provider needs to address as part of its disclosure practices, procedures and systems. To meet these obligations, the RIC will make an assessment as to the content and level of detail that should reasonably be included in its practices, procedures and systems to cover its various obligations under the Privacy Act and the Code.

Ensuring the integrity and security of credit related information

As a credit provider, the RIC must ensure the integrity and security of credit related information. In particular:

*         The RIC must take reasonable steps to ensure the credit eligibility information it collects, uses and discloses is accurate, up-to-date and complete (section 21Q of the Privacy Act). APP 10 does not apply to the RIC in relation to its handling of credit eligibility information but does apply in relation to credit information generally (that is, information collected from the individual directly)

*         The RIC must not disclose credit information or use/disclose credit eligibility information that is false or misleading in a material particular (section 21R of the Privacy Act)

*         The RIC must take reasonable steps to protect credit eligibility information from misuse, interference, loss, unauthorised access, modification or disclosure (section 21S of the Privacy Act). These provisions also include requirements for the RIC to destroy or de-identify certain information that it holds in its records where it no longer needs this information for relevant purposes. APP 11 will apply to the RIC in relation to credit information generally (that is, information collected from an individual directly).

The Code also imposes various record keeping obligations on credit providers in relation to their use or disclosure of credit information.

Access to, and correction of, credit related information

There are specific provisions in Part IIIA of the Privacy Act relating to the capacity of an individual to request access to their own credit eligibility information (section 21T of the Privacy Act) and to request correction of their own credit information (section 21V).

Specific obligations are also imposed on the RIC where it identifies that credit information or credit eligibility information it holds is inaccurate, out of date, incomplete, irrelevant or misleading on its own motion (section 21U). There is no capacity for the RIC to charge for providing such access or making such correction. 

These specific provisions alter the operation of the APPs with respect to credit-related information held by the RIC.

Complaints regarding the handling of credit related information

There is a specific complaints-handling regime in Division 5 of Part IIIA of the Privacy Act that applies to certain complaints made to the RIC about its acts or practices that may be a breach of Part IIIA of the Privacy Act or the Code.

In accordance with this regime, the RIC will provide written acknowledgement of the request and how it will be handled, investigate the complaint, consult other parties as necessary and make a decision within 30 days unless the individual agrees to a longer period (section 23B of the Privacy Act).

By prescribing the RIC as a credit provider under section 6G of the Privacy Act and imposing obligations under Part IIIA of the Privacy Act and the Code on the RIC, the Regulations further promote an individual's right to privacy when applying for a loan from the RIC.

Conclusion

The instrument is compatible with human rights because it promotes the protection of human rights. 

 

The Hon Mark Dreyfus KC MP

Attorney-General

