University of New South Wales - Faculty of Law - Information Technology Law
(Originally published in (1992) 66 ALJ 672-674;
reprinted in Vol 9 Computer Law and Security Report, 64-65)
The origins of the Act are instructive. Credit reporting in Australia is dominated by the Credit Reference Association of Australia (CRAA), which provides over 95% of consumer credit reports (about 6 million per year) and over 50% of all commercial credit reports. There is also a small Tasmanian credit bureau. Australian credit bureaux had always only provided `negative reporting', meaning that their credit provider members only reported details of a consumer's credit transactions to the bureaux if and when a consumer defaulted on a credit arrangement, by late payment or otherwise. They also recorded details of a person's applications for credit, but not whether credit was granted. In 1989 it became generally known that CRAA proposed to change to a system of `positive reporting' whereby all major credit providers in Australia would provide CRAA with a monthly computer tape listing the `payment performance' of each of their credit customers, whether or not there had been any default on the account. The industry claimed that this would allow credit providers to assess whether an applicant was over-committed.
The `positive reporting' proposal resulted in considerable adverse media comment. At the conclusion of a meeting in early 1990 convened by the Australian Privacy Foundation, the then Commonwealth Attorney-General (Senator Bowen) and Minister for Consumer Affairs (Senator Bolkus) announced that the Government would introduce legislation to prohibit `positive reporting' and, furthermore, to comprehensively regulate credit reporting. The resulting Privacy Amendment Bill 1989 was described by CRAA as `the most restrictive credit reference laws in the Western world'. The credit industry launched a concerted media and Parliamentary campaign against the Bill, and in 1990 the Minister for Justice and Consumer Affairs, Senator Tate, introduced a number of amendments, and accepted others initiated by the Australian Democrats, but the 1989 Bill remained substantially intact when enacted.
CRAA had successfully extended the scope of its reporting activities for at least fifteen years. However, in attempting to further expand into `positive reporting', it provoked a degree of legislative control which it had avoided in the past. Some of its past expansion was now about to be reversed.
The Privacy Act 1988 (Cth) has been amended by insertion of a new Pt IIIA - Credit Reporting (ss 18C - 18V). These provisions are of very considerable complexity, and it is only intended here to indicate some of their more important and problematic features.
The Commonwealth Privacy Commissioner administers the legislation. He has issued an enforceable Code of Conduct to supplement the Pt IIIA provisions (s18A). He is also empowered to investigate alleged breaches of either Pt IIIA or the Code and provide remedies; to issue (non-enforceable) Guidelines to compliance with Pt IIIA and the Code; and to audit the files of credit reporting agencies and credit providers (s28A).
A `credit reporting infringement' is defined as a breach of either the Code of Conduct or the Part IIIA provisions (s6). Any such infringement will then constitute an `interference with privacy' for the purpose of s13 of the Privacy Act, and all of the complaints procedures, enforcement provisions and remedies of the Privacy Act are then available (See XXX ALJ XXX). In addition to these normal civil methods of enforcement, the Act also provides an extensive range of offences where there is a 'knowing or reckless' contravention of various provisions of Part IIIA, all of which may attract penalties of up to $150,000. Breaches of the Code of Conduct do not constitute criminal offences.
The general aim of the legislation is to regulate information that passes through the files of `credit reporting agencies' (credit bureaux) in the course of their carrying on a `credit reporting business'. The use and disclosure of such a `credit report' by a credit provider is regulated, generally being restricted to the purpose for which it was obtained (s18N).
For the most part, the legislation does not regulate a credit provider's `own' records (records which do not originate from credit reporting agencies), or their disclosure or subsequent use. The major exception is that credit providers are (with few exceptions) restricted from disclosing any information relevant to a person's credit standing (no matter what its source) to anyone else unless they have obtained the consent of the person concerned (s18N). The provision of `banker's opinions' is therefore now subject to regulation. It is arguable, but unclear, whether the Privacy Commissioner could exercise his powers to issue a Code of Conduct to regulate other aspects of a credit provider's use of its own records, by reliance upon s18A(d) which refers to `any other activities, engaged in by ... credit providers that are connected with credit reporting'. He has not done so in his Code.
In general, the Act distinguishes between consumer credit transactions (essentially loans `intended to be used wholly or primarily for domestic, family or household purposes': s6) and commercial credit transactions, and only seeks to regulate consumer credit transactions and the use of information about them. The original intention of the distinction was to protect privacy by recognising a distinction between personal affairs and business affairs. However, there are now complex provisions (much of the thrust of the 1990 and 1991 amendments), the nett effect of which is that consumer credit information can be used in commercial credit transactions, and vice-versa, provided that specific written consents are obtained. The result is that there is little restriction in reality on the interconnection between consumer credit and commercial credit reporting, but no privacy protections such as access and correction rights provided in relation to `commercial credit' information. At least where small businesses are concerned, where the distinction between consumer and commercial credit is often not very meaningful, it seems that the baby may have been thrown out with the bath-water. The legislation might have been simpler and more effective if this distinction had been avoided.
A further significant limitation on the scope of the legislation is that the use of `publicly available information' is left unregulated, provided that it is kept separate from other information which affects credit-worthiness (s6 `credit reporting business', s18K and s18N(9)). Any private sector organisation can therefore keep and disseminate information such as default judgement information or bankruptcy information without providing even basic privacy rights such as access and correction. Credit bureaus can also keep such information separately, and none of the consumer rights, or criminal offences, which apply to the other consumer records kept by them, will apply to these records, even if they do allow consumer access and correction simply to maintain good consumer relations. This limitation has, in effect, created a distinction between regulated and unregulated credit reporting.
The permitted contents of bureau files are defined, these being principally identifying information, details of previous credit applications, the existence of current accounts, and various categories of information about credit defaults (s18E(1)). The proposed `positive reporting' is therefore banned, because it would involve bureaus recording details of credit transactions which do not involve such defaults. Inclusion of `sensitive' information concerning a person's beliefs or affiliations, criminal record, medical history, physical handicaps, race, ethnic or national origins, sexual preferences or practices, or lifestyle, character or reputation, is prohibited (s18E(2)), but was not kept in any event. Default information must be deleted after five years, except for bankruptcies and `serious credit defaults', which may be retained for seven years (s18F). Credit providers must also inform a bureau when an account is no longer overdue, and when a listed current account which was not in default has been paid off - a `data quality' obligation on the credit grantors to keep bureau files up-to-date.
Individuals have a right to obtain access to their credit bureau file (s18H). Both bureaus and credit providers are also required to take reasonable steps to make appropriate corrections to bureau files or reports (s18J). Where a credit refusal is based wholly or partly on information derived from a bureau report, the credit provider must give the person written notice of access rights (s18M).
Over the previous twenty years, in the absence of effective prohibitions in State legislation, CRAA had allowed real estate agents to check prospective tenants, government departments to check some occupational licence applicants and applicants for telephone and other government services, insurers to check the credit history of suspect insurance claimants, and mercantile agents to search for debtors' addresses. Access to credit reporting files for any of these purposes is now prohibited (s18K). The legislation therefore not only limits the future expansion of credit reporting in the private sector, it effectively `rolls back the clock' by banning past extensions of credit surveillance which had become accepted practice in the private sector. It is rare for privacy legislation anywhere in the world to attempt such a retrospective repeal of the extension of data surveillance - in the parlance of `Yes, Prime Minister' it would be described as `courageous'!
Credit providers may only use bureau reports for purposes related to credit provision (s18L). Use for unauthorised purposes such as employment checks is an offence carrying a $150,000 fine. Similar offences prohibit anyone from obtaining unauthorised access, or access by false pretences, to bureau files (ss 18S, 18T).
employment access effectively circumvented due to individual access
The Privacy Amendment Act 1990 (Cth) is the first major extension of the Privacy Act 1988 into the private sector, although there were prior extensions in relation to the tax file number, and to spent convictions. Three aspects of the Act are important as potential models for the extension of privacy regulation to the private sector. First, the method by which the Commonwealth asserts constitutional power over credit reporting, through the postal and telecommunications powers, as well as the corporations, trade and commerce, banking and insurance powers (ss18C and 18D), could be used as the basis for Commonwealth assertions of power to legislate for data protection concerning other significant private sector activities. Secondly, an attempt has been made to keep the credit reporting provisions consistent (s18A(3)(a)) with the Privacy Act's Information Privacy Principles (IPPs), which relate to government agencies, so a consistent set of data protection principles for both the public sector and the private sector may emerge, though varying in strength and detail in different sectors. Thirdly, the use of the same Privacy Act enforcement provisions for credit reporting means that uniform procedures in relation to both the public and private sectors will develop. The excessive complexity of the credit reporting legislation may be criticised, but this general approach of using the Privacy Act as a framework is what is required for the development of a coherent law of data protection in Australia, because decisions by the Commissioner and by the Courts will more easily be able to be regarded as of general application across all sectors.