Privacy Law and Policy Reporter
The Credit Reporting Consultative Group has been a worthwhile initiative. The group reports to the Privacy Commissioner and comprises representatives of the main interest groups affected by the Act, plus government officers, including representatives of the Retail Traders' Association, Australian Bankers Association, Australian Finance Conference, Credit Union Service Corp Ltd, Australian Association of Permanent Building Societies, Australian Finance Counselling and Credit Reform Association, Australian Federation of Consumer Organisations, NSW Privacy Committee, Credit Reference Association, Privacy Commissioner, Federal Attorney-General's Department and Federal Bureau of Consumer Affairs.
Its principal role has been to assist the Commissioner in the preparation of the Credit Reporting Code of Conduct, and to consider various issues and anomalies which have come to light following the commencement of the Act. Over three years, the group has recommended a number of amendments which have subsequently been adopted by the government.
As might be expected, individual members do not always agree on which course of action is most appropriate for a given circumstance. Nonetheless, the group has worked well and should be given credit for contributing to the development of sensible, workable regulations and guidelines which have been incorporated into the Code of Conduct. The group has met seven times since its formation in early 1991.
The Code of Conduct is contained in Pt IIIA of the Privacy Act 1988 (Cth), s18A. Its provisions have the force of law and are supported by non-binding explanatory notes, which are intended to assist in understanding the relationship between the Code of Conduct and the Act, and give guidance on what practical steps should be taken to achieve compliance.
The Code came into effect on 24 September 1991, nine months after the credit reporting sections of the Act received Royal Assent. Its provisions became legally binding five months later on 25 February 1992. The intention behind the two periods of grace was to allow credit providers time to adjust to the Act's new provisions, make the necessary internal changes and introduce staff training, to ensure compliance.
While the Code is comprehensive (it has some 63 sections and multiple subsections), it does not seek to cover all aspects of credit reporting practice. It covers credit reporting agencies (18 sections), credit providers (23 sections), dispute settling procedures (198 sections), and other matters such as education (4 sections). It is to be reviewed on a regular basis and a review is currently being carried out by the Privacy Commissioner. Included in the review are a range of issues, most of which are directed at clarifying or further defining existing practices. Two matters under review have some significance: public access to the credit reporting system and logging of disclosures by credit reporting agencies.
Public access: a small number of individuals are prone to abuse their right of access and CRAA has instances where individuals regularly seek access to their credit files for trivial or non-credit related purposes. To counteract this, CRAA has suggested it be permitted to charge for access under certain limited circumstances. This is not a major issue for CRAA, but could assist in controlling unreasonable demands for access.
Logging of disclosure by credit reporting agencies: it has been suggested that certain types of access to credit information files should not be recorded, for example, access by a law enforcement agency made in the course of an official investigation. CRAA accepts that an official investigation could conceivably be compromised should an individual discover he or she was the subject of inquiry by a government agency. We have some reservations about how such exemptions from the requirement to log all disclosure would be controlled.
Other matters under review include new sections to cover the December 1992 amendments to the Act; dispute settlement procedures; deletion of information; effect of the Statute of Limitations; disclosures between credit providers; reporting of overdue accounts; reporting schemes of arrangement; and disclosures under law.
CRAA and its members play a central educational role in informing people about the existence of the Privacy Act and their rights under the Act. Approximately 2.5 million people a year apply for some form of credit; many apply more than once or to more than one credit provider. Every time they apply for credit, the credit application form contains a clearly identified segment telling them about the Privacy Act and spelling out what may happen to the information they are providing to the credit provider.
Since mid-1991 CRAA has provided Privacy Act compliance training to 20,000 people employed in the credit/finance industry. We continue to conduct an average of six training sessions for CRAA members every working day. CRAA has distributed 6,000 copies of the Act and the Code of Conduct to credit providers. Ninety thousand people have been sent information booklets about the Privacy Act. The company has also sponsored production of a teachers' aid, 'Credit People and Work', which is used in 2,000 of Australia's 2,700 secondary schools. The material includes reference to the Privacy Act and credit reporting.
The Privacy Commissioner operates a toll-free 'Hotline', which commenced on 1 July 1991. In the 12 months to June 1993 the Commissioner's Office received 14,535 Hotline calls, of which credit reporting accounted for 42.5 per cent. Since it was established, the Hotline has received 19,200 inquiries relating to credit reporting.
Inquiries from individuals account for 77 per cent. These inquiries have ranged across a variety of issues: alleged inaccuracy of files; access to CRAA or advice on interpreting files; alleged unlawful disclosure; advice on various credit reporting issues; alleged unauthorised access to CRAA; and reporting requests for a file from third parties.
Inquiries from credit providers account for 11 per cent. Typically, these cover requests for advice on the wording of consent documents, advice on whether an organisation is a credit provider, advice on disclosures under s18N, particularly s18N(1)(g) or s18N(1)(bf) (assignments of debts). Other inquiries were from legal firms (10 per cent), and from other sources including community legal centres and government (2 per cent).
The Commissioner's Office has also issued 152,000 Fact Sheets and brochures, covering a wide range of credit reporting related issues.
The task of adjusting to the Act would have been a great deal more difficult and there would possibly have been considerable confrontation but for the approach taken by the Privacy Commissioner and his staff in ensuring private sector compliance.
The Privacy Commissioner's 1992-1993 Annual Report reveals that 48 per cent of the 254 complaints received during the year related to alleged breaches of credit reporting. Of the 123 credit reporting complaints, 50 per cent were closed during the year. Of those closed, 39 per cent were withdrawn or revealed no breach and 61 per cent were considered to have been adequately dealt with. Of those cases closed as 'adequately dealt with', compensation was paid by one credit provider and a comprehensive apology was provided by another.
In effect 48 out of 62 credit complaints were closed on the basis that there was either no interference with the privacy of the complainant or there was only a very minimal interference which the respondent had (in many cases) corrected prior to the complainant lodging a complaint with this office.
The Commissioner's Annual Report contains a further telling quote:
It is the experience of complaints officers that complaints about file accuracy are usually made after credit has been refused ... Complainants appear to believe that they can use the Act to pressure credit providers to remove adverse listings and thereby increase the possibility of the complainant obtaining credit.
CRAA's Public Access Division has recorded several hundred cases where individuals or their legal representatives have attempted to intimidate credit providers into removing legitimate, correct default reports from the CRAA file, by threatening to involve the creditor in a formal complaint to the Commissioner.
Unfortunately for the integrity of the credit-reporting system, some credit providers will ask for correct information to be deleted from a CRAA file rather than become embroiled in a formal complaint.
The Commissioner's Office is in daily contact with CRAA Public Access personnel concerning pressing complaints, or seeking follow-up information on matters previously referred to CRAA. Monthly liaison meetings between CRAA and Commission staff are held to deal with outstanding issues and identify possible training needs which may have surfaced as a result of complaints received. Problems, either existing or potential, are dealt with in a consultative, rather than confrontationist, environment. The Credit Reporting Consultative Group also plays a role as a problem-solving medium.
As a critic of the credit reporting amendments, I am tempted to suggest we junk them and start over again. We could have done so much better. However, the effort and system changes now invested in the legislation, no matter how bad it may be, may mean that we have to learn to live with it and concentrate on cleaning off the rough edges.
These changes are required:
The legislative approach which attempts to prohibit everything other than that specifically approved, presupposes a god-like omnipotence which Canberra does not possess. In the case of the credit reporting amendments, a relatively simple, straightforward concept (that is, applying the Information Privacy Principles to credit reporting), was so distorted and complicated as to make compliance something of a nightmare. The end result has been multiple amendments to get things more or less right, plus inevitable ongoing amendments to keep the Act relevant in a rapidly changing business environment.
Perhaps our legislators will, in future, consult before contemplating further extension of the Act into the private sector.
Privacy advocates will hopefully apply to their own proposals (not all of which I disagree with) the same cost-benefit regimes which they have urged upon the Federal Government's data matching schemes.
Business must recognise there are valid privacy considerations to be brought into account in the development and operation of large information systems.
This paper was presented to the IIR Protecting Information Privacy Conference, Sydney Boulevard Hotel, 7 June 1994.