PRIVACY AMENDMENT (2015 MEASURES NO. 1) REGULATION 2015 (SLI NO 10 OF 2015) EXPLANATORY STATEMENT

Commonwealth Numbered Regulations - Explanatory Statements

[Index] [Search] [Download] [Related Items] [Help]

PRIVACY AMENDMENT (2015 MEASURES NO. 1) REGULATION 2015 (SLI NO 10 OF 2015)

EXPLANATORY STATEMENT

Select Legislative Instrument No. 10, 2015

Issued by the authority of the Attorney-General

Privacy Act 1988

Privacy Amendment (Enhancing Privacy Protection) Act 2012

Privacy Amendment (2015 Measures No. 1) Regulation 2015

The Privacy Act 1988 (Cth) (Privacy Act) establishes, among other things, the Australian Privacy Principles (APPs) which regulate the collection, use, disclosure and storage of personal information by APP entities. Section 100(1) of the Privacy Act provides that the Governor-General may make Regulations prescribing matters required or permitted by the Act to be prescribed, or necessary or convenient to be prescribed, for carrying out or giving effect to the Act.

Item 19 of Schedule 6 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 provides that the Governor General may make regulations dealing with matters of a transitional, application or saving nature relating to the amendments made by this Act.

External dispute resolution membership obligation for credit reporting

Pursuant to subparagraph 21D(2)(a)(i) of the Privacy Act, credit providers are required to be members of an external dispute resolution (EDR) scheme recognised by the Australian Information Commissioner in order to disclose credit information about an individual to a credit reporting body and thereby participate in the credit reporting system. The purpose of this requirement is to ensure that consumers have access to a convenient, speedy and independent avenue of redress for complaints or other issues that might arise between the individual and the organisation on credit reporting matters. Utilities (water, gas and electricity providers) and commercial credit providers (to the extent that they access the consumer credit reporting system) are considered credit providers under the Privacy Act.

Since the commencement of the privacy reforms on 12 March 2014, any utility or commercial credit provider that is not a member of a recognised EDR scheme would not be able to participate in the credit reporting system. This means that the utility or commercial credit provider would not be permitted to provide particular types of personal information (including identification information as well as credit information) about an individual to a credit reporting body, nor would the utility be able to access credit reporting information about any individual. However, the Privacy Amendment (External Dispute Resolution Scheme--Transitional) Regulation 2014 provided a temporary exemption for utilities (providers of water, gas, and electricity services) and commercial credit providers in Australia from the requirement to be a member of an EDR scheme in order to disclose information to a credit reporting body. This temporary exemption expired on 11 March 2015.

Exemption for utilities

All Australian jurisdictions require utilities in that jurisdiction to participate in existing dispute resolution arrangements, in most cases through an energy and water ombudsman service. Utilities ombudsman schemes in NSW, Victoria and Western Australia have been recognised by the Australian Information Commissioner in line with the process for recognition set out in section 35A of the Privacy Act. Other State and Territory ombudsman services have identified the need to make certain legislative amendments or other arrangements in order to enable recognition of their EDR schemes, however these arrangements will not be able to take effect prior to the expiration of the current temporary exemption from the EDR membership obligation on 11 March 2015. This applies to the ACT, the Northern Territory, Queensland, South Australia and Tasmania.

The Regulation grants a time-limited extension to 1 January 2016 of the exemption from the EDR membership obligation for utilities in jurisdictions that are making progress toward, but do not yet have, a recognised EDR scheme. This time-limited extension enables those utilities to continue to access the credit reporting system whilst necessary legislative changes are made.

Exemption for commercial credit providers

Prior to the commencement of the reforms to the Privacy Act in March 2014, commercial credit providers were granted a temporary exemption from the EDR membership obligation as it was not clear that any EDR scheme providers were in a position to accept membership from commercial credit providers. This exemption is provided in sub-regulation 23(2) of the Privacy Regulation 2013 and expired on 11 March 2015.

Targeted consultation was undertaken with stakeholders, including industry representatives, privacy and consumer advocates and an EDR scheme provider, to determine whether the temporary exemption should be allowed to lapse or whether it should be replaced with a permanent exemption. Significant issues considered included the potential costs to industry, the lack of clear evidence of a consumer detriment, and current industry practices. It was noted that the temporary exemption only applied to those credit providers whose sole business is the provision of commercial credit. Financial institutions which provided both consumer and commercial credit services remained subject to EDR membership obligations and were not able to rely upon the exemption. In practice, all major financial institutions are subject to EDR membership obligations for credit reporting purposes, which means that the majority of financial institutions providing commercial credit are already members of an appropriate EDR scheme. Only relatively small credit providers were caught by the temporary exemption. In relation to these commercial credit providers, an EDR membership obligation would present a significant red tape regulatory burden without a clear benefit to consumers. It was also noted that credit reporting bodies remain subject to the EDR membership obligation, and that this provides an alternative avenue for consumers to exercise correction rights and seek redress in relation to any commercial credit information that is recorded on their consumer credit report. It was decided that, in the absence of any clear evidence of consumer detriment or changes in the broader regulatory environment, the temporary exemption for commercial credit providers from the EDR obligation should be replaced with a permanent exemption.

Details of the Regulations are set out in Attachment A.

A Statement of Compatibility with Human Rights is set out in Attachment B prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny Act) 2011.

Consistent with the requirements of the Legislative Instruments Act 2003 the following were consulted in making the Regulations: commercial credit providers and their representatives including peak bodies such as the Australian Retail Credit Association and the Australian Finance Conference; EDR scheme providers; and privacy and consumer credit advocates. Consultation was also undertaken with certain State and Territory energy and water ombudsmen, relevant State and Territory departments responsible for energy and water and relevant State and Territory departments of the Attorney-General, as well as the Office of the Australian Information Commissioner.

The Office of Best Practice Regulation was consulted on this Regulation and advised that no Regulation Impact Statement was required.

The Regulation is a legislative instrument for the purposes of the Legislative Instruments Act 2003.

The Regulation commenced on the day after it was registered.

---

ATTACHMENT A

Privacy Amendment (2015 Measures No. 1) Regulation 2015

Preliminary

Section 1 - Name of Regulation

This section provides that the title of the Regulation is the Privacy Amendment (2015 Measures No. 1) Regulation 2015.

Section 2 - Commencement

This section provides that the Regulation commences on the day after it is registered.

Section 3 - Authority

This section provides that the Regulation is made under the Privacy Act 1988 and the Privacy Amendment (Enhancing Privacy Protection) Act 2012.

Section 4 - Schedules

This section provides that amendments or repeals have effect according to the terms set out in the Schedule.

Section 13A

This section provides that sub-paragraph 21D(2)(a)(i) of the Privacy Act does not apply in relation to a disclosure of credit information by a commercial credit provider if the disclosure is made in connection with the provision of commercial credit. This section replaces the temporary exemption from the EDR membership obligation previously provided to commercial credit providers in sub-section 23(2) of the regulations and makes the exemption ongoing.

Section 23 - Membership of recognised external dispute resolution

Sub-section 23(1) provides that sub-paragraph 21D(2)(a)(i) of the Privacy Act does not apply in relation to a disclosure of credit information by a credit provider that is an energy or water utility operating in the ACT, the Northern Territory, Queensland, South Australia or Tasmania. This sub-section is time-limited to end on 1 January 2016 by subsection 23(2).

ATTACHMENT B

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Privacy Regulation 2013

This Legislative Instrument is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Legislative Instrument

The Privacy Amendment (2015 Measures No.1) Regulation 2015 (the Regulation) amends Part 5 of the Privacy Regulation 2013 by extending the transitional regulation 23 titled, 'Membership of recognised external dispute resolution schemes' to 1 January 2016 for energy and water utilities operating in the ACT, the Northern Territory, Queensland, South Australia or Tasmania. The effect of the Regulation is to extend the transitional exemption for utilities (providers of water, gas, and electricity services) in Australia from the requirement to be a member of an external dispute resolution (EDR) scheme in order to disclose information to a credit reporting body. The Regulation also amends Part 1 of the Privacy Regulation 2013 by creating regulation 13A which provides that sub-paragraph 21D(2)(a)(i) of the Privacy Act 1988 does not apply in relation to a disclosure of credit information by a commercial credit provider if the disclosure is made in connection with the provision of commercial credit .The effect of this is to make ongoing the exemption for commercial credit providers from the requirement to be a member of an EDR scheme in order to disclose information to a credit reporting body. Section 13A replaces the temporary exemption from the EDR membership obligation previously provided to commercial credit providers in sub-section 23(2) of the Privacy Regulation and makes the exemption ongoing.

Human rights implications

This Legislative Instrument engages the right to the protection against arbitrary interference with privacy, protected in Article 17 of the International Covenant on Civil and Political Rights (ICCPR). The right to privacy in Article 17 of the ICCPR prohibits unlawful or arbitrary interferences with a person's privacy, family, home and correspondence. In order for an interference with a right not to be 'arbitrary', the interference must be for a reason consistent with the relevant Convention and reasonable in the particular circumstances.

The Regulation engages with the use and disclosure of credit information, which may include consumer credit and commercial credit information. By providing that the exemption for utilities (providers of water, gas, and electricity services) from the EDR membership obligation is time limited to 1 January 2016, and by limiting the application of the exemption to only those utilities operating in the ACT, the Northern Territory, Queensland, South Australia or Tasmania, the Regulation ensures that consumers are not disadvantaged simply because of their jurisdiction of residence. The measures are time limited, reasonable, necessary and proportionate as they ensure that a discrete subset of personal data is used for the purpose of providing essential services to Australians.

In making the temporary exemption for commercial credit providers from the EDR obligation ongoing the Regulation takes into account the potential costs to commercial credit providers of compliance with the EDR obligation as well as the absence of any evidence of consumer detriment and thereby ensures that legitimate commercial activity that facilitates consumer lending and transactions can take place in appropriate circumstances. These are legitimate objectives consistent with the Privacy Act.

Conclusion

This Legislative Instrument engages with the right to privacy, through the use and disclosure of personal data, and does so in a reasonable and proportionate way.

AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback