Privacy Law and Policy Reporter
CUSCAL's lengthy submission supports most aspects of the proposals in the discussion paper, and the content of the IPPs. The extracts here emphasise those elements where CUSCAL had suggestions or criticisms (General Editor).
Australian credit unions are significant participants in the retail banking market. There are 284 credit unions in Australia with in excess of $15 billion in assets and nearly 3.5 million members. One in five adults has all or part of their financial requirements met by credit unions.
CUSCAL supports in principle this proposal and urges the government to ensure the drafting of the IPPs reflects a sensible `plain English' approach. It is also vital that the consultative approach of the government involving industry in the development of the privacy regime continues as the IPPs are refined.
CUSCAL supports in principle the application of a set of IPPs and makes the following comments on the discussion paper.
[IPP 1] limits the uses which may be made of collected information to the intended purpose and not for undisclosed secondary purposes. CUSCAL would support the application of this principle if credit unions were able to use a consent mechanism in the collection of the information. Such a mechanism would indicate to the credit union member how such information would be used in the credit union at the time of collection and in the future and seek the member's consent to those uses.
[IPP 2] ensures the collection of personal information directly from the person concerned. CUSCAL notes that this principle has the potential to limit a credit union's capacity to attain information from a partner or second person involved in a loan or account joint application. In ensuring that data can be used to assess the needs of members, provide the best service for members and advise members of the most appropriate products for their use, credit unions would again seek the member's consent as outlined above. CUSCAL also notes that with regard to access to data from organisations such as the Credit Reference Association of Australia, credit unions will need to continue to obtain such access as is currently the case.
As a matter of effective administration, staff training on the requirements of IPPs 4 and 5 would be required to ensure awareness and effective implementation of the security requirements for personal information. Credit unions would also be required to make formal appointments of `record keeper(s)' as necessary. In the event that CUSCAL acts in the role of record keeper (in retail banking etc) CUSCAL would also maintain appropriate records and establish restrictions on access as required under the IPP. It is noted that if there is a requirement to track both changes to, and access to, data CUSCAL does not support a requirement for system modification but rather appropriately amended internal controls.
The application of [IPP 6] giving access to `personal information' is supported. CUSCAL would however note that this should be access to personal information as opposed to evaluative material used by the credit union in the course of making a commercial judgment. We also note that the provision of access to all records of an individual may, on occasion, present a heavy administrative burden and the credit union may need to seek some recompense for the work involved.
In further development of the Government's proposal for privacy regulation in the private sector, we would suggest that after receipt of comments on the discussion paper that the Government convene a meeting with industry to progress discussions. It is suggested that this occur before the release of any further proposals, to facilitate the ongoing involvement of industry in the consultative process.