Note: this Reading Guide only covers Australian issues as yet.
Privacy issues in financial services can be addressed by a number of means:
The duty was determined to arise as a matter of contract and is qualified by four exceptions:
The ABIO Bulletin No. 28 (March 2001) [not available on the web] describes the types of complaints which arise concerning breaches of confidentiality:
"In some cases the information disclosed included the customer's name and telephone number and was disclosed under the terms of arrangement with the third party with the intention that the customer be contacted by telephone. In another case the information disclosed was limited to the customer's telephone number and postcode.
Some of the purposes of contact were: to conduct market research about the particular bank's customer service; to promote an insurance policy developed with the particular bank's related life company; and to promote an insurance policy developed by the particular bank with an unrelated insurance company.
In some cases a person other than the account holder was taken to have consented to the commencement of an insurance policy on the account holder's behalf and some insurance premiums were debited to the account holder's account."
The ABIO notes that one of the banks involved in the behaviour outlined above attempted to rely on the exception in Tournier that "disclosure is in the interests of the bank". The ABIO rejected this defence and notes that the defence is limited to actions required to protect the bank's legal interests.
The ABIO notes that it has awarded damages for breaches of confidentiality in the range $200 to $10,000.
Under s13B financial institutions will be able to pass information to and collect information from related bodies corporate. However, the receiving body corporate must abide by the primary purposes identified by the body corporate which first collected the information.
The ABIO Guidelines therefore note:
"If a bank does pass customer information to its insurance arm, the primary purposes which govern how the insurance arm can use the information are those which the bank identified at the time of collecting the information from the individual. The insurance arm cannot automatically start marketing insurance products."
Other areas of concern in financial services are the access and correction principle NPP 6 (which the banks fought hard to ensure excluded access to commercially sensitive evaluative material) and the anonymity principle NPP 8.
Briefly, the Act requires records to be kept of suspicious transactions, cash transactions over $10,000 and all international wire transfers.
"Transactions intended to be initiated by an individual through an electronic terminal by the combined use of an EFT card and a personal identification number (PIN)."
The Code has therefore been the subject of a lengthy review, chaired by the Australian Securities and Investments Commission. The EFT Code review working group issued two discussion papers and a final version of the revised Code was published on April 1, 2001.
The revised EFT Code covers any business to consumer electronic transfer of value. Business to business electronic transfers of value will be excluded where the product being used was intended primarily for business use. An 'electronic transfer of value' includes coverage of credit cards in some circumstances, but not where a signature is obtained. It certainly includes EFTPOS, ATM transactions, most Internet and telephone banking transactions, direct debits and direct transfers.
Stored value products, such as electronic purses and stored value smart cards, are now included in a new section of the Code - Part B.
Privacy provisions mirroring the new federal privacy legislation for the private sector must be complied with, plus some specific EFT industry privacy guidelines.
While the EFT Code has always been voluntary, it has in the past been a very successful and popular code with both business and consumers - and has achieved a very high rate of industry coverage. It will be interesting to see what proportion of new economy businesses sign up to the Code.
A code dealing with content issues was registered with the ABA. The remaining parts of the draft Code, dealing with issues like financial transactions, advertising, privacy and general complaints handling, remain on the IIA web site but have not progressed to a formal adoption stage. No infrastructure has been put in place to administer the Code or receive complaints.
There has been some renewed interest in developing and implementing the Code later in 2001 as a result of the passage of the Privacy (Private Sector Amendments) Act 2000. A draft of a privacy-specific IIA code is now under consideration.
The most notable provision of the Code is that it allows ADMA members to distribute unsolicited commercial email on an opt-out basis. The Code applies to the marketing of many financial services products.
The Model Code repeats (and in part develops) the text of the OECD Guidelines on Consumer Protection in Electronic Commerce.
It includes key provisions on:
Advertising - All Internet advertising must be clearly identifiable as advertising. This is an important development as it provides consumers with an opportunity to complain about buttons, services and searches etc. which are really just paid advertisements.
Spam - The Model Code requires consumer "opt-in" before unsolicited commercial email can be used.
The Model Code has no enforcement provisions, complaints process or administrative structure. It is yet to be adopted or implemented by any industry body. In these circumstances it is best seen as a 'virtual code' which gives some useful guidance to business, but to date provides no consumer protection.