Privacy Law and Policy Reporter
John Corker and Carolyn Bond
Most of the private sector will have its first taste of privacy laws in December 2001 when the National Privacy Principles will apply to the private sector. However, the Federal Privacy Act 1988 and the Credit Reporting Code of Conduct (the Code), have applied to credit reporting activities since 1992. The Code is binding on credit providers and credit reporting agencies. The Office of the Federal Privacy Commissioner (OFPC) is responsible for regulation and complaints handling in this area. Yet the OFPC has declined to investigate the majority of complaints received about credit reporting, and consumer advocates are concerned about the complaints handling procedures. This article argues there is an urgent need for a review of the OFPC’s complaint handling processes.
Credit reporting involves the collection, disclosure and maintenance of information relating to the ‘creditworthiness’ of consumers.
The legislation regulates credit providers and credit reporting agencies, although in practice there is only one significant credit reporting agency — Credit Advantage Ltd (CAL). All major banks, finance companies and many utility providers and other smaller credit providers subscribe to CAL. They disclose information to CAL when a consumer applies for credit, and when a consumer defaults in credit payments. They obtain information about the individual, including details of credit applications and defaults for use in credit assessment. A default remains on a credit report for five years. A ‘serious credit infringement’ (usually noted as a ‘clearout’) remains for seven years. This information can significantly impact on a consumer’s ability to obtain credit, and therefore accuracy and the ability to dispute a listing is vital.
In this area accuracy is often more important to consumers than security of the information, and this is the basis of most complaints to CAL, credit providers, consumer advice services and the OFPC.
Relevantly, the OFPC has the following functions in relation to credit reporting, according to the Privacy Act:
To investigate an act or practice of a credit reporting agency or credit provider that may constitute a credit reporting infringement and, where the Commissioner considers it appropriate to do so, to endeavour, by conciliation, to effect a settlement of the matters that gave rise to the investigation [s 28A(1)(b)].
To promote an understanding and acceptance of the Code of Conduct and the provisions of Part IIIA and the objects of those provisions [s 28A(1)(c)].
Complaints regarding credit reporting constituted the bulk of investigations opened and closed in 1999-2000. A complaint about an alleged interference with privacy must be made in writing. During 1999-2000, 580 written complaints were received by the OFPC.
Of the 420 complaints found to be within jurisdiction, the OFPC declined to investigate 85 per cent of them.
The annual report states:
Most were declined on the basis that the complainant had not first raised the complaint with the respondent organisation or that it was clear without investigation that, while the complaint fell within jurisdiction, there had been no breach of the Act.
The Act provides a presumption that the OFPC will not investigate a complaint if the complainant has not first complained to the respondent. The OFPC may investigate a complaint without there having been a complaint to the respondent if the Commissioner considers that it was not appropriate for the complainant to first complain to the respondent (s 40(1A)).
In addition, cl 3.17 of the Code provides:
The Privacy Commissioner may decide not to investigate a complaint about a credit reporting dispute if the Commissioner considers that:
(a) the dispute should first be dealt with by a credit reporting agency or credit provider; or
(b) the dispute is being, or has been, dealt with adequately by the credit reporting agency or credit provider.
What is at issue here is who the respondent in a credit reporting complaint is and on what basis the discretion not to investigate is exercised by the OFPC. As there is no reporting of the OFPC’s decisions on these matters it is difficult to know the basis of these decisions.
Subsection 36(8) of the Act indicates that ‘the respondent to a complaint about an act or practice ... is the person who engaged in the act or practice complained of’. One view is that the act or practice complained of is the provision by CAL of an inaccurate and misleading credit report and thus CAL is the respondent. Another view is that the act or practice complained of is the provision to CAL by a credit provider of inaccurate and misleading credit information.
From the complainant’s point of view, he or she may know where the adverse credit information came from; however, in many cases the consumer cannot know whether the problem was caused by the credit provider who reported the information or the procedures of the credit reporting agency. What causes a person to complain is the provision of the credit report by CAL. We suggest the better view is that CAL is the respondent. This view gains further support from the Code (cl 3.3) which requires the credit provider to refer to CAL a dispute between the credit provider and an individual about a credit report.
In any event, the OFPC has a discretion to investigate whether the complainant first approached CAL or the credit provider it suspects of providing the adverse information.
During 1999-2000, the OFPC received 4365 telephone calls about matters that were within its jurisdiction. Thirty per cent (1289) of these concerned credit reporting, most involving disputes about listings on the consumer’s credit report. While the results of these calls are not available, it can be assumed that the majority of these callers would have been advised not to lodge a written complaint to the Privacy Commissioner until a complaint had been made to the credit provider.
The Privacy Commissioner commenced investigating only 39 credit reporting complaints during that period. It is not clear what happened to the many hundreds of consumers who were referred back to the credit provider. An optimistic view might suggest that these consumers had their complaints addressed by the credit provider, but the experience of consumer advocates suggests otherwise. There is no reporting of any follow up undertaken by the OFPC despite the OFPC having the functions of promoting an understanding of the Code (s 28A(1)(c) Privacy Act 1988) and conducting audits of reports and files of credit providers to ensure they are maintained in accordance with the Code (s 28A(1)(g)).
At the heart of this issue is the ‘merry-go-round’ that the complainant often finds themself on. This involves the com-plainant going initially to CAL, then to the OFPC, only to be referred to the initial credit provider who may then again refer them to CAL.
A credit provider is obliged under the Act to advise a consumer in writing if credit is refused on the basis of a credit report (s 18M). This is usually when a consumer first becomes aware of adverse information in a credit report. The consumer is entitled to seek a copy of the report from CAL, which is provided at no cost. The consumer is then able to see what information is listed, and which credit provider listed the adverse information. As well as defaults, other information may also be inaccurate, such as past addresses or credit applications made. Many credit providers use this information in their credit assessment process so it is important that all this information is correct.
A form is provided with the report which can be completed by the consumer if they believe the report is inaccurate. CAL and the credit provider are required to make appropriate corrections, deletions and additions to ensure that the personal information is accurate. Where a request for correction made by an individual is refused, the individual can insist that the request for correction be included with the credit file or report.
Most consumers therefore make the first complaint about a dispute to CAL. CAL will investigate the matter and, in many cases, contact the credit provider which lodged the adverse information. In some cases the complaint is resolved at this stage.
Contrary to the logical path of complaint to CAL in the first instance, the dispute settling procedures of the Code provides for a referral path from credit provider to CAL to the OFPC (cll 3.3 to 3.7 of the Code of Conduct).
When CAL advises the complainant of the outcome of its investigation, it is required to advise the consumer that he or she may complain to the OFPC (cl 3.7) — so many of them do then complain to the OFPC. The OFPC almost always advises them that they must first complain in writing to the credit provider which lodged the disputed information before the OFPC will investigate. For most complainants this is after having complained at least once, possibly twice, in writing already.
While the Code requires credit providers to have complaints handling procedures in place, and to have a person identified to deal with complaints, these procedures rarely exist in practice. This has been exacerbated in recent years by the rapid growth of credit providers and the rapid growth of credit (for example, mobile phone providers and ISPs in the telecommunications industry). This complaints ‘merry-go-round’ means that only the highly educated and determined consumers persist to the point of having their complaint fully resolved. The most vulnerable and the most needy will give up after the first, second or third referral.
Consumer advocates’ concerns extend beyond the refusal to investigate complaints. Even if a consumer does manage to have a complaint investigated by the Privacy Commissioner, there are still some concerns about the way the matters are handled. Legal Aid in Queensland has been acting for a client who claimed that a default should not have been listed. The default was removed but it took 22 months after the complaint was first made to the Privacy Commissioner. Two years after the initial complaint was made, the matter is still with the Privacy Commissioner in relation to compensation.
A recent complaint was made to CAL by John, who had been the victim of a fraud. Someone had stolen his mail, then used the contents as identification and redirected his mail. The thief applied for credit on a number of occasions and was successful in obtaining a bank loan. A report was made to the police, the bank investigated, and agreed that John was not liable for payment of the loan. However, seven months later John discovered that the application to the bank, as well as four other credit applications to other lenders, were listed on his credit report. John believed it was the number of applications which had caused refusal of a recent credit application. The bank removed the record of the application when advised.
However, John wanted to remove the record of the four other loan applications. Consumer Credit Legal Service wrote to CAL on John’s behalf, enclosing a copy of the police report and asking that these applications be removed. CAL responded by saying that John had to contact each of the four credit providers individually, and ask their fraud departments to investigate, and the records would only be removed by CAL at the request of those companies.
Another threshold that means many complaints are not investigated is that the act or practice complained of is found by the OFPC not to be ‘an interference with the privacy of an individual’ (s 40(1)(a) Privacy Act 1988). There are no reported decisions on how this phrase has been interpreted although where the Privacy Commissioner decides not to investigate an individual’s complaint about a credit reporting dispute, the Commissioner must advise the individual of the reasons for his or her decision not to investigate the complaint (cl 3.18 of the Code).
This threshold is an important contributor to the non-investigation by the OFPC on the basis that ‘while the complaint fell within jurisdiction, there had been no breach of the Act’.
Complaints handling has been the subject of significant policy development in the past 10 years, and has been recognised as a crucial part of regulation, including co-regulation. A complaints handling standard has been produced by Standards Australia, and the Consumer Affairs division of Department of Industry, Science and Tourism developed benchmarks for industry based customer dispute resolution schemes. Many industries have developed effective alternative dispute resolution schemes, and subsequent monitoring and research has informed us about elements which are necessary for such schemes to be effective.
The Federal benchmarks include factors such as accessibility, accountability and efficiency. Some industry schemes leave much to be desired, but consumer advocates are familiar with complaints schemes which establish reasonable time-limits to facilitate speedy resolution of complaints, encourage ‘one stop shopping’, are independently audited and reviewed, encourage (and act on) feedback from consumer groups, report decisions and issues regularly, and work with industry to improve industry internal dispute resolution procedures. Various schemes implement systems to achieve, or better, the benchmarks. For example, the Board of Insurance Enquiries and Complaints receives a report on any complaint which has not been resolved within six months, and the Australian Banking Industry Ombudsman takes complaints over the telephone by sending the details recorded to the consumer for signature and return to ensure that the requirement of a written complaint does not disadvantage any consumer.
The Privacy Commissioner is a regulator, not an industry dispute resolution scheme, although conciliation is mandated as the preferred method of dispute resolution. Many would expect that the OFPC would be committed to achieving best practice in complaints handling, yet it is far behind what consumers have come to expect.
While the Code could do with revision, the current legal and industry framework does provide an opportunity for a better system.
The OFPC takes the view that it is preferable for the parties involved to settle their differences directly and the ‘real dispute’ is usually between the complainant and a past credit provider. The difficulty with this approach is the ensuing merry-go-round of referrals. Best practice in modern complaint resolution systems provides for a single port of complaint and that person maintaining ownership of the complaint from beginning to end.
The Code has many provisions that encourage or require matters to be referred back and forth between CAL, credit providers and the OFPC. The Code does not indicate that anyone is taking ownership for the complaints handling process. To the contrary, it encourages a decentralised system even though there is an industry structure with CAL at its centre.
There are a number of good reasons why CAL should provide a ‘one stop shop’ for complaints handling, supported by a real right of review to the OFPC.
We suggest that the OFPC may be in error in turning away complainants who have only been to CAL on the basis that they have not first complained to the respondent. As a matter of law and discretion, complainants should not be turned away on this ground.
Most complaints handling bodies, including the OFPC, would rightly argue that it is important to give an industry member the opportunity to resolve the problem first. However, a complaints handling process must ensure that consumers complaints are being dealt with appropriately at industry level, that the consumer is not required to take more steps in the complaints process than necessary and that there are clear lines of referral between the industry member and external complaints handler. Unfor-tunately, we believe that consumers with credit reporting complaints are falling through the cracks.
The OFPC recently stated in the draft NPP guidelines:
The most common way in which the law will be enforced is likely to be through the Commissioner resolving individual complaints against an organisation that has not complied with the principles.
If this is to be the case, the OFPC needs better resourcing in this area and to urgently review its complaint handling procedures.
John Corker is a Senior Associate of Clayton Utz seconded to the Communications Law Centre as its Principal Solicitor. Carolyn Bond is the manager of the Victorian Consumer Credit Legal Service.
 A credit reporting infringement is a breach of the Code or a breach of Pt IIIA of the Act.
 Office of the Federal Privacy Commissioner Operation of the Privacy Act Annual Report 1999-2000 p 53.
 ‘Complaints Handling’ or ‘AS4269 – 1995’ Standards Australia, Homebush NSW.
 Department of Industry Science and Tourism, Consumer Affairs Division ‘Benchmarks for industry based customer dispute resolution schemes’ August 1997.
 See Commonwealth Department of the Treasury ‘Consumer redress study’ June 1999.
 Letter from OFPC to Consumer Credit Legal Service dated 5 July 2001.
 Draft NPP guidelines 7 May 2001, p 22.