Privacy Law and Policy Reporter
The business environment in 1989 was one of uncertainty, rising over- commitment and bankruptcy, with around $42 billion outstanding in consumers' debt. The Credit Reference Association of Australia (CRAA) had announced the previous year that it intended to expand the information it held in its files. It proposed to give credit providers more comprehensive information about an applicant's total credit commitments (positive reporting).
In January 1989, the Australian Financial Review published a story about the CRAA's proposal. This was followed in April by a small public meeting, organised by the Australian Privacy Foundation and attended by the Federal Minister for Consumer Affairs, CRAA and other interested parties. On 31 May 1994, the minister announced he would introduce legislation to regulate credit reporting. On 16 June 1994, the Privacy Amendment Bill was tabled in the Senate. There had been no prior consultation with business groups concerning its intent or wording, and no inquiry by the minister about its possible impact.
The original Bill's definition of ''credit provider' was so narrow, it would have totally banned 4300 (90 per cent) of CRAA's then 4800 members from access to consumer credit information. Businesses banned from exchanging consumer credit data included all the country's larger finance companies, most retailers and motor vehicle dealers, and all finance brokers, accountants, solicitors, mortgage insurers and trade credit insurers. The definition of ''credit report' was so broad it included data regularly published by the Government Printing Office. Missing debtors would have remained undetected, since credit reporting agencies were not permitted to disclose their whereabouts to creditors. Mortgage insurers could not inquire into the credit history of new borrowers.
These, and other problems, led business to predict a possible cost to the economy of $1.28 billion. In the event, none of the above happened because over a period of time reason prevailed. Over two and a half years, almost every peak business and industry body in the country participated in lobbying the Federal government to drop, or at least substantially amend the Bill. The original Bill was eventually substantially modified in 1989 and 1990. Further amendments to the Act occurred in 1991 and 1992.
Prominent and respected privacy- advocates have often criticised government for introducing privacy invasive practices and systems (such as the parallel data-matching program between the Australian Tax Office and the Department of Social Security), without properly considering the cost benefit of those practices.
In particular, the Data-matching Program (Assistance and Tax) Act 1990 (Cth) has been the subject of intense criticism by Associate Professor Roger Clarke of the ANU (see (1994) 1 PLPR 8). Roger Clarke points out, convincingly, that such practices would probably not have been entered into if the Federal government had subjected them to proper cost-benefit studies.
Are those advocating further extensions of privacy legislation, similarly prepared to expose their proposals to a rigorous cost benefit examination? The extension of the Privacy Act to the private sector cost far more than originally predicted by the minister responsible, and I would question whether the relatively minor benefits justify the cost.
In the first two years, following the introduction of the credit reporting amendments, CRAA lost 18 per cent of its business, as a direct result of the Act. This was not solely attributable to the loss of organisations banned from access to consumer credit files, but included smaller credit providers who were intimidated by the complexities of the Act and its substantial penalties.
The financial cost to CRAA (average annual income $20 to $21 million per annum) over the past two and a half years has been $9 million. This is made up of (a) pre- Act lobbying; (b) rewriting computer systems; (c) internal restructuring; and (d) loss of business. In addition, the Act forced CRAA to reorganise its branch structure, to reduce operating costs, over and above the effects of the recession. As a result, 60 people lost their jobs.
While I doubt the government or privacy groups would shed too many tears at this, there is a warning here for other private enterprises who may be seen as candidates for a further extension of the Act.
Initial compliance costs for credit providers across the various industry groups affected were $20 million, made up of (a) computer system changes; (b) new documentation (6 million credit application forms a year); (c) compliance procedures and manuals; and (d) extensive staff training.
Individual credit providers have identified direct costs of $500,000, without taking into account the diversion of skilled resources from other projects. During 1991, the information systems manager of one bank reported that almost the entire system development resource of the bank had been allocated to compliance-related activities.
Ongoing annual administration costs of $3 million are principally the result of additional compliance procedures and ongoing staff training.
The commencement of Pt IIIA of the Privacy Act 1988 (Cth) in October 1991 resulted, almost immediately, in a reduction in the volume of overdue accounts and bad debts reported to CRAA. This was due to s18F(3) of the Act, which requires a credit provider to advise CRAA when any overdue account, previously reported, is brought up to date. Many credit providers have great difficulty complying with this requirement.
This is because accounts referred to collection may be either, transferred out of their main system and held in separate databases under the control of a specialised collection division, or passed on to an independent account management organisation. The end result, is that some have restricted their reporting to the most serious categories of debt, such as missing debtors.
The downturn from pre-Act reporting levels has averaged out as 25 per cent per annum. This translates to some $1.1 billion in unreported debts over the past two and a half years. To a certain extent the gap has been filled by CRAA's access to debt judgment information, from the various State court systems. However, not all overdue accounts result in debt judgments. Furthermore, CRAA does not process up to 15 per cent of debt judgments, due to inferior identity details which could lead to the judgment being attributed to the wrong individual.
What is certain, but not yet quantified, is that an unknown and growing number of people, who are already over committed, will have obtained further credit, which they cannot afford, directly as a result of the Privacy Act.
In NSW the position is more serious than the rest of the country. Some eight years ago the then NSW Premier, Neville Wran, unilaterally cancelled an 18-year agreement under which CRAA obtained access to debt judgment records. The current Liberal State government, has yet to reinstate CRAA's access to this vital source of debt information. It seems likely the recently tabled NSW Privacy and Data Protection Bill 1994 will further delay a decision. This lack of debt judgment information means there are between 40,000 to 43,000 people in NSW, who owe $500 million in overdue or bad debts and, who have a clear CRAA file, due to the Privacy Act and an unnecessary ban on access to what should be publicly- available information.
CRAA is in the initial stages of a survey to determine the degree of credit activity engaged in by people prior to bankruptcy. Our preliminary results (126recent bankruptcies) show that the CRAA files of 35 per cent of the people involved contained no evidence of over commitment in the 18 months prior to bankruptcy. There was no default reported by CRAA members and no debt judgments recorded. In NSW (debt judgments unavailable) the incidence of bankrupts with clear CRAA files, was 46 per cent. These preliminary results reinforce the belief that there is a serious and growing over commitment problem arising from the reporting requirements of subs 18F(3).
Further evidence of the problem is that 44 per cent of people in the CRAA survey applied for new credit in the 12 months prior to bankruptcy. One man, with a clear CRAA file, applied for a new credit card ten days before his bankruptcy.
In summation, the cost of initially extending the Privacy Act to the private sector has been around $31 million in direct charges. The annual, measurable cost for administration and compliance is estimated to be $4 million. The (as yet) unknown cost of a deterioration in information available to credit providers, will be increased bad debts and individual over commitment. The final Bill has yet to arrive.
What have we got for our money? Does the cost justify the result? In CRAA's view a far less costly and far quicker result could have been obtained from an industry code of conduct, backed by appropriate legislation. There is little evidence that the credit reporting amendments have substantially improved the privacy of credit users, beyond what would have been achieved by a simple extension and tightening of CRAA's previous code of practice.
Ten years prior to the Act, CRAA initiated a national public-access protocol, which required its members to tell people if they had been refused credit because of a CRAA report. CRAA undertook to provide any person upon request, with a copy of their CRAA file, free of charge. Should the contents of the file be queried, CRAA would investigate and make any necessary amendments. An average of 38,000 to 40,000 people a year obtained access to their CRAA files, through this voluntary arrangement.
The Privacy Act largely drew upon this established CRAA practice to provide individuals with a legislated right of access and correction covering their credit information files. While CRAA public- access procedures were not substantially affect by the Act, the requirements of s18M did result in an increase in the already high levels of individuals being referred to CRAA by credit providers. The right of appeal to the Privacy Commissioner is a new right conferred by the Act.
CRAA believes there is now widespread public understanding of the credit reporting system. Individuals contacting CRAA are aware of their right of access and correction. Even those people with several default listings in their CRAA file, generally accept the necessity for a central credit referencing system. This improved understanding of the credit reporting system appears to have resulted in fewer threats of legal action, with reduced contact from legal practitioners.
In the 12 months to 30 June 1994, CRAA will process 122,000 telephone calls and requests from individuals seeking access to their CRAA files (60,000 written, 62,000 by telephone). Of these, 11,000 will result in inquiries or disputes concerning information contained in the file. One thousand eight hundred disputed default reports from CRAA members have been deleted. CRAA deletes a disputed default report under two conditions (discussed in more detail later):
As of today, two contacts have resulted in alleged breaches of the Act. Neither have been substantiated.
In introducing the credit reporting amendments to the Privacy Act, the then Minister for Consumer Affairs, Senator Bolkus, said the government intended to prevent access to credit information files by government departments. At the time, Federal and State government departments accounted for 16,000 inquiries per annum, or 0.3 per cent of total consumer credit inquiries. s18K(1)(m) provides for access to CRAA credit information files where ''disclosure is required or authorised by or under law'. In 1994, Federal and State government agencies obtained access under s18K(1)(m) to 1,860 credit information files, representing 3 per cent of total public access. The Act has substantially reduced government access to credit files. It has not stopped access.
The incidence of default (bad debt) reports deleted by CRAA, following the introduction of the Act, has not markedly changed from pre-Act conditions, as shown in the following table.
There was a sharp increase in deletions in 1992 to 3.5 per cent of total access, but this percentage has dropped slowly since then, to 2.8 per cent. Bearing in mind the very considerable pressure now brought to bear on credit providers to agree to the deletion of older default reports, this suggests that pre-Act reporting standards were not unreasonable. As the new reporting systems and procedures adopted by credit providers take effect, CRAA expects the incidence of deletions to steadily reduce to below 1 per cent.
The most common complaint received by CRAA's Public Access Division is that CRAA reports are not balanced and do not fairly reflect the positive aspects of the complainant's dealings with credit providers. A large percentage of people contacting CRAA have expressed concern at our concentration on negative information. Consumer comments such as ''Why don't you tell people about my good accounts you only give half the story' or ''Your files are misleading they don't cover the 90 per cent I paid on time' reflect a common theme.
This theme is further highlighted in a current survey of people who have recently received a copy of their CRAA file. Sixty five per cent of public access requests are from people who have not been refused credit. That is 40,000 people a year take the initiative to ask for a copy of their CRAA file. Many such requests are made by people who are intending to seek further credit.
CRAA is in the process of asking people, who have contacted its Public Access Division, what they thought of the service provided to them. The survey is in the form of a questionnaire sent out with each person's CRAA file. Response to date has been excellent, with over 200 completed questionnaires returned.
Responses indicating ''satisfied' or ''very satisfied' with CRAA on three criteria were 97 per cent for ''willingness to assist', 96 per cent for ''resourcefulness' and ''93 per cent for ease of contact'. As can be seen, a large majority of people contacting CRAA's Public Access Division are either satisfied or very satisfied with the level of service they receive.
There is some level of dissatisfaction with the information recorded on file, with 17 per cent of respondents dissatisfied. It should be noted however, that only 4 per cent of respondents whose CRAA files did not contain default, were dissatisfied with the contents of their files.
Twenty per cent of respondents reported they had some difficulty in reading and understanding their CRAA file. Based on the survey responses, we clearly need to improve the way in which we present information to members of the public. A dissatisfied response of 20 per cent is not acceptable.
When asked to say what CRAA should do to improve its reports, 43 per cent of those who replied to this question (65 per cent of all respondents) said CRAA should record some information about all their credit transactions. Sixty-seven per cent of Victorian respondents said more information should be recorded. It appears people want to advertise their good credit records. This type of response well exceeds all other suggestions received.
Warning private sector compliance with the Privacy Act can be bad for your financial health. CRAA spends 5 per cent of its total annual income to comply with the Act. We believe this level of expenditure to be relatively greater than that incurred by the public sector under FOI legislation. Any further extensions of the Privacy Act into the private sector must take into account the costs of compliance.
Based on CRAA's experience, there are serious implications for other private sector organisations who maintain large databases of personal information, for example, direct marketing, insurance, telecommunications and health companies
This is the first part of a paper presented by Mr Bargon to the IIR Protecting Information Privacy Conference, Sydney Boulevard Hotel, 7 June 1994. In the August issue he will discuss the Code of Conduct and outline amendments needed to the Act.