Privacy Law and Policy Reporter
The Australian Privacy Commissioner addressed an insurance industry meeting at the Parkroyal at Darling Harbour, Sydney, on 25 August 1994. Mr O'Connor gave an overview of Federal privacy law in Australia, looking at the broad framework first, and then how it affects the private sector with reference to the insurance industry, and with particular emphasis on the credit reporting laws in Pt IIIA of the Privacy Act. He concluded with observations on the proposed Life Insurance Code of Conduct, and some emerging privacy issues which are relevant to the insurance industry. Excerpts follow.
On 25 February 1992, new laws governing consumer credit reporting came fully into effect. Those laws, contained for the most part in Pt IIIA of the Privacy Act, govern who may have access to consumer credit information held by credit-reporting agencies, how that information may be used and to whom credit providers may disclose information about an individual's credit worthiness. The intent of the legislation was to ensure that, with few exceptions, only businesses classified as credit providers under the Act may obtain access to consumer credit information, and only for purposes associated with the provision of credit. As a result, many businesses which used to receive consumer credit information are now excluded from access to credit reporting agencies and credit providers. Real estate agents, general insurers, and others not involved in giving credit have been denied access. Also denied access are Commonwealth agencies and State and local authorities which do not provide credit. The circumstances in which a credit reporting agency may disclose information in the form of 'credit reports' are set out in s18K of the Act.
The Act restricts the type of information which a credit reporting agency may hold about an individual's consumer credit worthiness. The contents of 'credit information files' are limited to those types of information which identify an individual, and those which are related to the individual's consumer credit activities. Particulars about the individual's activities in other areas of his or her life such as insurance, or tenancy, are not permitted to be included on the regulated file.
Restrictions are placed on how long information may be kept on the individual's credit information file. In particular, adverse information such as defaults may be held for five years only, and serious credit infringements for seven years only.
The Act strictly limits the circumstances in which credit providers may disclose consumer credit information to others. These restrictions extend to the disclosure not only of 'credit reports' received from a credit reporting agency, but also any information which has a bearing on an individual's credit worthiness. The Act does not allow disclosure of consumer credit information by credit providers to general insurers, unless they happen to fall within one of the other specified categories.
In addition, I have issued a Credit Reporting Code of Conduct with further legally binding requirements upon credit reporting agencies and credit providers. The Code was issued after extensive consultation with peak industry and consumer organisations.
It is important to recognise that the Privacy Act does not greatly affect the area of commercial credit provision. Its focus is upon consumer credit information, and the circumstances in which such information may be used.
I have indicated that credit reporting agencies and credit providers are not permitted to disclose consumer credit information to general insurers. However, the position with respect to mortgage insurers and trade insurers is somewhat different.
Mortgage insurers and trade insurers may receive consumer credit information from a credit-reporting agency to assess whether to give insurance to a credit provider in respect of mortgage or commercial credit given by the credit provider to the individual concerned. Mortgage insurers may receive consumer credit information from credit providers to assess whether to provide insurance to a credit provider giving mortgage credit.
Recent amendments to the Privacy Act relating to mortgage securitisation arrangements also affect insurers.
The amendments allow participants in securitisation schemes to be regarded as credit providers while performing tasks reasonably necessary for the provision and management of securitised loans. The amendments specifically include mortgage insurance within the range of activities which could be regarded as necessary in providing or funding a securitised loan. As such, businesses which insure against loss by parties involved in providing mortgage credit through securitisation schemes would be permitted to receive consumer credit information from credit reporting agencies and also from credit providers involved in the schemes.
I am currently considering a determination which would be of interest to the insurance industry and, in particular, to mortgage insurers. It would deem as a credit provider a corporation which takes assignment of a loan from a credit provider. This would be relevant where, for example, a mortgage insurer takes an assignment of a loan from a credit provider following default by the borrower. As a credit provider, the mortgage insurer would be entitled to access the credit reference system in relation to that loan, for purposes permitted under Pt IIIA of the Act. Currently, such a business may be excluded from access if it does not meet the conditions set out in the Act relating to the definition of a credit provider.
I will deal now with an issue which has been brought to my attention as a concern of the insurance industry, and which I have been asked to address today. That is, the question of access by insurance companies to CRAA consumer credit reports for the purpose of assessing the suitability of insurance brokers and agents. I understand that these arrangements involve the payment of commission in advance to the broker. Insurers are understandably keen to minimise the risks associated with advance payment of commission, including the likelihood of the broker engaging in unscrupulous or inappropriate behaviour. Insurers are also anxious to meet their obligations under the Trade Practices legislation, especially those provisions which prohibit companies, including employees and agents, from engaging in misleading and deceptive conduct.
I have already indicated that the access restrictions in Pt IIIA of the Privacy Act prevent insurers obtaining access to CRAA consumer credit reports for the purpose of assessing applications for insurance; I gather that this point is well understood and is not subject to dispute. However, on the other matter of assessing insurance brokers and agents, some members of the insurance industry have expressed concern that Pt IIIA prevents them from accessing CRAA consumer credit reports for this purpose.
My understanding of the arrangements surrounding advance payments of commission is that the relevant amounts are paid to the broker ahead of business being written. Obviously there is a risk that the broker will abscond or never write any business. While the insurer may see the advance payment of commission as a 'loan', it seems to me that this is not an accurate legal characterisation. What would appear to be occurring, on the information available to me, is that an advance payment is being made in contemplation of and in return for services yet to be performed. While not common, this type of contractual arrangement is not altogether unusual in business. While I can understand that a prudent insurer would want to undertake probity checks before entering into such a contract, it is plain in my view that such a proposed transaction is not one of 'loan' to which the rights and obligations of the Privacy Act attach, nor is the insurer a 'credit provider' within the meaning of the Act in this situation.
So it would not, in my view, be possible to access the CRAA's consumer credit information files in connection with advance payment of commission.
Part IIIA of the Privacy Act does not preclude the operation of reference services which collect and disclose non-credit related information for non-credit related purposes, for example, insurance reference services. However, I should stress the importance of operating any such system in a manner sensitive to the privacy interests of the individuals concerned. This should include notifying individuals about the possible uses of information about them held in the system. I would be most concerned if there was a proliferation of insurance databases with questionable privacy safeguards. I would expect that if insurance reference agencies grew in significance there may be pressures not unlike those which preceded the enactment of Pt IIIA of the Privacy Act, for these agencies and their practices to be regulated in a similar way.
The industry has also sought my advice on various other matters involving insurers, and the effect of the credit reporting legislation on their practices. Let me give you a few examples:
Credit providers passing on insurance forms to the insurer
Can a credit provider forward to the insurer, on the individual's behalf, a completed application form for insurance?
Yes. As long as the credit provider does not add any 'fresh' information which, if passed on to the insurer, could constitute a disclosure of information.
This is seen as an administrative procedure only, with the credit provider acting as a kind of mailbox.
Companies providing both credit and insurance
If a company provides both insurance and credit, can it obtain consumer credit information in respect of the credit being provided?
Yes. As long as the information which is obtained in the capacity of the business providing credit does not flow to the insurance providing arm of the business. Procedures would need to be put into place to ensure that such cross-over of information cannot occur. A company which obtained consumer credit information from a credit-reporting agency or another credit provider might be in breach of the Act if the information was subsequently used for insurance purposes.
Credit providers giving 'payout' figure
Can a credit provider disclose to an insurer the amount required to pay out the debt owed to the credit provider where an insurance claim has been made by an individual? This might occur in circumstances where a credit provider had outstanding interests in goods or property for which an insurance claim had been made by an individual. The Act permits the disclosure of 'pay-out' information to a person or body which is considering taking an assignment of, or discharging on the individual's behalf, a debt owed by the individual to the credit provider. The 'pay-out' information must be limited to identifying particulars, and the amount required to be paid in order to discharge the debt.
Payment of fidelity bonds
Is the lodgment of a fidelity bond, on behalf of an individual, considered to fall within the meaning of the provision of credit, for which the lodging organisation may be permitted to obtain a credit report about the individual concerned?
No. The lodgment of fidelity bonds is viewed as an undertaking on the part of the issuer to ensure initial payment of a debt which the party on whose behalf the bond is issued may or may not incur in the future. There is no transfer of funds and no debt incurred when the bond is lodged. Therefore, the lodging of a fidelity bond, on an individual's behalf, is not considered to be the provision of credit, and such a body would not be permitted to obtain a consumer credit report about the individual concerned.
Insurer acting as agent of individual
May an insurer act as the agent of the individual under s18H(3) for the purposes of obtaining access, on the individual's behalf, to consumer credit information about the individual held by a credit-reporting agency?
The provision enabling access to an individual's consumer credit information file by the individual's authorised agent was meant to facilitate circumstances such as financial counsellors assisting the individual to manage his or her credit obligations, including handling disputes with credit-reporting agencies or credit providers, or circumstances where the individual seeks assistance in amending information on his or her credit report because of a refusal of credit.
If an insurer attempted to act as the individual's agent in seeking access to the individual's consumer credit information file, it would be difficult not to draw inferences about such attempt being a back door method of gaining access to consumer credit information held by a credit reporting agency. The usefulness to an insurer of such access would, in any event, be doubtful, given the delay involved in obtaining access through CRAA's public access system. In addition, access via the individual might, in some circumstances, result in a cost to the individual.
These are examples only; any other circumstances would have to be looked at individually to see how the Privacy Act might apply.
Naturally, I strongly discourage attempts to 'circumvent' the legislation and I have indicated that any abuses might result in amendments to the Code of Conduct. In particular:
Attempts by organisations to put pressure on individuals to furnish a copy of their credit report for non-credit purposes. I have powers under the Act to conduct audits of credit reporting agencies and credit providers to ensure compliance with the Act. Any abuses in these areas which come to light as a result of the audit process will be taken into consideration in subsequent reviews of the Code of Conduct.
Having covered the privacy laws affecting the insurance industry, I should also mention the issue of self-regulation and the role it can play in addressing privacy concerns of consumers. This issue has direct relevance to the insurance industry as the result of recent moves towards the establishment of a Code of Practice for the life insurance industry.
Industry- or organisation-based codes of practice, while not necessarily the complete answer, are a valuable adjunct to privacy law and can play an important role in addressing market problems provided that there is a genuine commitment on the part of the relevant industry or organisation to make the code work.
The Trade Practices Commission (TPC) has provided leadership in this issue through its work on a Guide to Codes of Conduct. In commenting on the TPC's draft Guide to Codes of Conduct, I expressed the view that a strong privacy component should form an integral part of a code of conduct if it is to be successful as a means of guaranteeing quality service to the consumer and improving the performance and image of the industry.
Lately, self-regulation has assumed prominence as an issue not just in the insurance industry but in the private sector generally, as indicated by recent developments such as the Telecommunications Industry Ombudsman (TIO) Scheme, and the Banking Code of Practice.
I will be observing with interest the development of the Life Insurance Code of Practice. I understand that the Government Task Force responsible for developing the Life Insurance Code has circulated a draft for comment by 23 September from interested parties. I have not yet had an opportunity to examine the provisions of the draft Code in detail. However, I plan to do so shortly, with a view to providing advice to the Task Force on privacy issues relevant to the insurance industry.
In recent times a number of issues have emerged which have significant privacy implications, and which are relevant to the insurance industry. I will mention some of them briefly:
HIV/AIDS information
The improper handling of HIV/AIDS-related information by organisations which maintain personal records can have serious consequences for the individuals concerned. The value of privacy protection in the context of HIV/AIDS is twofold. First, it is important to express a respect for the rights and needs of people infected with HIV and to ensure that they are protected from unwarranted intrusions into their personal lives. Secondly, it furthers the public health interest in reducing the spread of HIV because it engenders confidence and trust among those at risk of HIV infection and thereby creates an environment in which public health strategies can have maximum impact. In September 1992 I issued guidelines concerning the protection of HIV/AIDS information. Although formulated specifically in the context of HIV/AIDS information, the guidelines could be adapted for use in relation to other medical or personal information of a sensitive nature. While the guidelines apply to government agencies, some of the principles nonetheless bear noting by the wider spectrum of organisations in their handling of this sensitive category of information.
Genetic testing
Another newly emerging issue is that of genetic testing. The collection and use of genetic testing information in the medical, employment and health insurance contexts raises a number of privacy issues. There is potential for personal genetic testing information to be used in such a way as to result in discrimination against individuals with a genetic predisposition to certain medical conditions. Some of the issues relating to genetic testing parallel those that arise with HIV/AIDS information. I am currently in the process of preparing a discussion paper on privacy and genetic testing.
Direct marketing
In the competitive environment in which the insurance industry operates, direct marketing is clearly a topic of interest. Advances in technology have dramatically accelerated the growth of the direct marketing industry. For example, modern computer systems have the capacity to create new lists out of existing lists. As such, direct marketers are able to sort through lists containing large numbers of names, analyse the data and produce a final list which will generate the highest rate of response. This is just one example of the revolutionary effect which technology has had on direct marketing.
At present there is no general legislative prohibition on passing personal information to a third party for direct marketing purposes. However, where the information in question is credit worthiness information, it is subject to the provisions in Part IIIA of the Privacy Act which I have already described. Other than that, the main controls relating to direct marketing practices can be found in self-regulatory mechanisms such as industry codes of practice etc. The most significant controls as far as direct marketing is concerned are the voluntary guidelines of the Australian Direct Marketing Association (ADMA).
With regard to direct mailing, which is one of the most common forms of direct marketing, there are a number of measures which should be considered to ensure that the privacy interests of individuals are respected, and these include informing people of their right to have their details removed from mailing lists.
Telecommunications
More recently, much of my time has been taken up by the issue of the convergence of telecommunications and computer technologies, or the 'information superhighway' as it is often called. This issue has enormous ramifications for all sectors of the community involved in the flow of personal information, including the insurance industry. It is being foreshadowed that in the not too distant future individuals will be able to use their personal computers as a vehicle for conducting many of their day to day transactions including home shopping, banking, paying bills, sending mail, and completing applications for loans, insurance and various other facilities. On the other side, insurance companies and other businesses will have a greatly enhanced capacity to establish detailed customer profiles, and will be able to engage in sophisticated and potentially very intrusive marketing activities using the array of interactive technologies available to them. These are just a few manifestations of the information superhighway. Clearly, these developments raise serious and potentially very complex issues of personal privacy protection which will need to be addressed in the near future.