Overview of the Impact of the Privacy Reforms on Credit Reporting

Transcription

1 Overview of the Impact of the Privacy Reforms on Credit Reporting June 2012 Andrew Galvin, Partner

2 1 OVERVIEW 1.1 Credit Reporting Reform - Background When initially passed, the Privacy Act 1988 essentially applied to the federal government sector. Shortly after its commencement, Part IIIA of the Privacy Act was introduced and commenced in Part IIIA has operated as a negative credit reporting regime. This means that credit reporting agencies are restricted in the information they can record about a person s consumer credit history. Generally the information is limited to identify information, current debts and a history of defaults and dishonoured cheques. The Credit Reference Association of Australia (CRAA), being Australia s first consumer credit reporting agency (now known as Veda Advantage), described the arrangements as the most restrictive credit reference laws in the Western World. Credit providers and the credit reporting agencies have argued strongly for Australia to adopt positive credit reporting under which credit balances and detailed repayment histories could be checked. The ALRC ultimately recommended that Part IIIA be repealed in its entirety and that credit reporting be regulated under the general provisions of the Act and the general purpose privacy principles. The ALRC has also recommended that there be new Privacy (Credit Reporting ) Regulations which would impose obligations on credit reporting agencies and credit providers with respect to the handling of credit reporting information. Through various recommendations, the ALRC proposed that these regulations carry over many of the features of the existing Part IIIA. Critically, the ALRC recommended: that there be some expansion of the categories of personal information that could be included in a credit information file so as to include the type of each current credit account, the date each account was opened, the credit limit of each account and the date of closure of each account; that the inclusion of repayment histories (going back 2 years) be permitted in credit information files but only after the federal government had established an adequate framework imposing responsible lending obligations on credit providers (such a framework has been included in the National Consumer Credit Protection Act 2009 which commenced in 2010); that the new Privacy Reporting Regulations should prohibit the use or disclosure of credit reporting information for the purposes of direct marketing, including the prescreening of direct marketing lists; that use of credit reports be permitted as a means of electronically verifying the identity of customers be authorised expressly under the AML/CTF Act; as a protection against the effects of identity theft, that the new Privacy Reporting Regulations provide individuals with a right to prohibit for a specified period the disclosure by a credit reporting agency of credit reporting information about them without their express authorisation. Presumably where an individual exercises this right to freeze their credit information file, a prudent credit provider will decline further credit; and /5 page 2

3 that the significant criminal penalties which have applied under Part IIIA be replaced with civil penalties. The new credit reporting framework Under the Privacy Amendment (Enhancing Privacy Protection) Bill, the existing Part IIIA (formerly 19 section being sections 18C-18V) is to be repealed and replaced with a new Part IIIA comprised of 64 sections. The new Part IIIA is dependent upon many more definitions. A summary of the divisions and subdivisions of Part IIIA and a comparison with the current law is set out in the table below. There are four key features of Part IIIA to note: 1 The ALRC recommendation to remove Part IIIA has not been adopted; 2 While part IIIA has been redrafted in its entirety, the substance is largely unchanged, except that consumer credit liability information and repayment history information may be part of a consumer s credit information file and credit information files may be used for pre-screening for marketing purposes subject to consumer opt-out rights; 3 Unlike the current position under which Part IIIA and the National Privacy Principles (NPPs) apply to the credit industry, in many cases, (and in all cases in relation to credit reporting bodies), Part IIIA provisions displace the new Australian Privacy Principles (APPs); and 4 A new dedicated division has been inserted for recipients of credit information other than credit reporting bodies and credit providers (e.g. related bodies corporate, mortgage insurers, trade insurers, credit managers and advisors) /5 page 3

4 Part IIIA This part deals with privacy information relating to credit reporting. Division 2 relates to credit reporting bodies and Division 3 relates to credit providers. Division 4 relates to affected information recipients. Division 1 Introduction Division 2 Credit Reporting Bodies Subdivision A Introduction and application of division Subdivision B Consideration of privacy Subdivision C Collection of Credit This Division, but not the APPs, applies to credit reporting bodies in relation to credit reporting information, CP derived information, and a pre-screening assessment. This Division also applies to credit reporting information that is de-identified. Reasonable steps should be taken to comply with this Division and the CR Code and which enable dealing with enquiries and complaints. A clear and up-to-date policy for management of credit reporting information is required. The policy contents are set out in s. 20B and include information about the kinds of credit reporting information collected and held, and the kind of information derived from that. Access, correction and complaint rights must be explained. It must be available free in appropriate form and a copy is to be given if reasonable. The default rule in s. 20C is that a credit reporting body must not collect credit information. Various exceptions are specified as follows: - collection required or authorised by law or court order; - collection from a credit provider as permitted under the credit provider provisions; - collection from another source if the individual is reasonably believed to be > 18yrs old. If relating to a credit application, it must be an Australian credit application. If it is repayment history, it may only be collected from a credit reporting body with an Australian link. In each case, identity information cannot be collected without other credit information. Credit information may only be collected by lawful and fair means. S. 20D imposes rules for receipt of unsolicited credit information. If the information could not have been collected under s 20C, it must be destroyed unless a law or court order requires its retention. Credit reporting agencies are subject to both Part IIIA and the NPPs. NPP 5 requires organisations to have clearly expressed policies on information management. Policy contents are suggested in PC Guidance. It must be available on request. about the sorts of information held, how and why it is collected and how it is used and disclosed should also be available on request. NPP 1 regulates collection of personal information by organisations including by requiring lawful and fair means to be adopted and various disclosures to be made. Section 18E restricts what can be collected by a credit reporting agency /54 page 4

5 Subdivision D Dealing with Credit Reporting Direct Marketing and prescreening The default rule in s. 20E is that a credit reporting body must not use or disclose credit information. Various exceptions are specified as follows: - use is permitted in carrying on a credit reporting business, where required or authorised by law or court order and where prescribed by regulations; - disclosure is permitted if it is: (a) a permitted CRB disclosure (defined in s. 20F) in relation to an individual; (b) to another credit reporting body with an Australian link; (c) for the purposes of the credit reporting body s or credit provider s EDR scheme; (d) to an enforcement body on a reasonable belief of a serious credit infringement; (e) required or authorised by an Australian law or court order; or (f) prescribed by regulation. Disclosures of repayment history to credit providers may only be made to licensed credit providers. A written note of any disclosure must be made. Permitted CRB disclosures about an individual are defined in s. 20F to include: to credit providers - requested for consumer credit related purposes - requested for commercial credit related purposes with express consent (which must be written unless the loan application is not written) - requested for credit guarantee purposes with express written consent - where satisfied the provider or another credit provider reasonably believes the individual committed a serious credit infringement - consumer credit liability information is held relating to outstanding consumer credit provided to the individual by the credit provider - requested for a securitisation purpose (under s. 6J) to mortgage insurers requested for mortgage insurance purposes to trade insurers requested for trade insurance purposes with written consent. The default rule in s. 20G is that a credit reporting body must not use or disclose credit information for the purposes of direct marketing. A pre-screening exception allows use and disclosure for direct marketing by, or on behalf of, a licensed credit provider with an Australian link in relation to consumer credit it provides in Australia if consumer credit liability information and repayment history information is excluded. Individuals Sections 18K and 18L impose limits on disclosure and use by credit reporting agencies of credit information files. These are largely similar and also require consent in certain circumstances. NPP 2 restricts the use and disclosure of personal information for a purpose other than its primary purpose of collection subject to exceptions in NPP2. No direct marketing exception (or pre-screening exception) has been available to credit reporting agencies under Part IIIA /5 page 5

6 Temporary disclosure bans for fraud victims Government identifiers De-identified information Subdivision E Integrity of Credit Reporting may, without charge, opt out of such use or disclosure by a request to the credit reporting body. Having regard to eligibility requirements nominated by a credit provider, the credit reporting body may use this exception to assess whether an individual is eligible to receive a direct marketing communication. Requirements of the CR Code must also be satisfied and a note of any such use must be made. The default rule under s. 20H is that a credit reporting body must not use or disclose a prescreening assessment. It may disclose such information to a credit provider for direct marketing by or on behalf of the credit provider if the recipient is an entity with an Australian link. A note of any such disclosure must be made. The recipient may only use or disclose the assessment for direct marketing by or on behalf of the credit provider for whom the assessment was undertaken and it must make a note of such use. APPs 6, 7 and 8 do not apply to the recipient in relation to the pre-screening assessment it receives. Under s. 20J, assessments must be destroyed if no longer needed for their permitted purpose assuming a law or court order does not require retention. APP 11.2 (destruction/de-identification) does not apply. Under s. 20K a ban period applies in relation to credit reporting bodies if an individual reasonably believes he or she has been a victim of fraud and requests his or her information not to be disclosed during a ban period of 21 days unless extended. A request for a ban or extension of a ban must be free of charge. Under s. 20L, a government identifier must not be adopted as a credit reporting body s own identifier unless authorised or required by or under a law or court order. Under s. 20M, the default rule is that credit reporting body must not use de-identified information. However, it may be used for research in relation to the assessment of credit worthiness if the Commissioner s rules are complied with. Under s. 20N, reasonable steps must be taken to ensure credit information collected, used or disclosed is accurate, up-to-date and complete. Agreements with credit providers must require the credit providers to ensure the information they provide is accurate, up-to-date and complete. The credit reporting body must ensure credit providers are subject to regular independent audits to determine compliance and must identify and deal with breaches of the agreements. Under s. 20P, a credit reporting body commits an offence and civil penalty contravention if it uses credit reporting information in breach of this Division. Under s. 20Q, a credit reporting body must take reasonable steps to protect credit reporting NPP 7 imposes a similar prohibition on organisations. NPP 4.2 imposes obligations on organisations to de-identify personal information no longer needed. De-identified data ceases to be personal information as defined. NPP 3 requires an organisation to take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date. S. 18J applies similar requirements specifically for credit reporting agencies. S. 18F also requires deletion of certain information after specified periods. NPP 4 imposes similar data security obligations on organisations /5 page 6

7 Subdivision F Access to, and correction of, Subdivision G Dealing with Credit Reporting after retention period ends information from misuse, interference and loss and from unauthorised access, modification and disclosure. Agreements with credit providers must impose an equivalent obligation. The credit reporting body must ensure credit providers are subject to regular independent audits to determine compliance and must identify and deal with breaches of the agreements. Under s. 20R, a credit reporting body must give an access seeker access to personal information it holds concerning an individual. An access seeker is the individual or a person assisting the individual in dealing with a credit reporting body authorised in writing to make the request under s.20r (or s.21t in the case of request to credit providers). Exceptions to access apply including where access would be unlawful, denying access is required or authorised by law or court order and where access would prejudice enforcement activities of an enforcement body. A response to access requests is required within 10 days and access must be given in accordance with the CR Code. No charge can be imposed unless a request has been made in the previous 12 months. Otherwise a reasonable charge may be imposed for giving access (but not requesting it). Written reasons must be given for refusing access unless it would be unreasonable to do so. The response must advise of the right to complain to an EDR scheme and complain to the Commissioner. Under s. 20S, a credit reporting body must take reasonable steps to keep personal information accurate, up-to-date, complete, relevant and not misleading. If a correction is made, recipients of the deficient information must be notified within a reasonable period unless impracticable or inconsistent with a requirement under a law or court order. Under s. 20T, an individual can request correction without charge, which must be done within 30 days or such longer period as agreed if the information is inaccurate. If necessary to satisfy itself of the need for correction, the credit reporting body may consult another credit reporting body or credit provider. Under s. 20U, where a correction is made on request, notice must be given to the individual, any party consulted on the change and any recipient of the inaccurate information. If the change is refused, notice must be given to the individual including reasons and, unless impracticable, details of the right to refer to EDR or the Commissioner. This subdivision establishes the concept of a retention period applicable to most information but not identity information or most publicly available information. Retention periods are set out in s. 20W and 20X and range from 2 7 years Credit information must be destroyed or de-identified within 1 month of expiry of the retention Section 18H(3) requires a credit reporting agency to give individuals access to their credit information files including through a person authorised in writing to do so but only in connection with a loan application or advice sought by the individual in relation to a loan. This is more restrictive. NPP 6 also imposes qualified access obligations on organisations. S. 18G requires a credit reporting agency to take reasonable steps to ensure credit information files and credit reports are accurate, up-to-date, complete and not misleading. NPP 3 requires organisations to ensure personal information it collects, uses or discloses is accurate complete and up-to-date. S. 18J requires credit reporting agencies to make corrections, deletions and additions to ensure personal information is accurate, up-to-date, complete and not misleading. If such changes are not made on an individual s request, the individual may request that a statement be included on the file. NPP 6 gives individuals qualified correction rights in relation to personal information held by organisations. S. 18F imposes maximum permissible periods for keeping personal information which range from 5 7 years depending on the circumstances /5 page 7

8 Division 3 Credit Providers period. Destruction or de-identification must not occur if there is a pending correction request or dispute relating to the information or if destruction would be contrary to law or a court order. Equivalent requirements apply to CRB derived information (i.e. derived from credit information files). Additional destruction obligations apply under s. 20Y where an individual has been a victim of fraud. S. 20Z imposes requirements to notify the Commissioner in writing as soon as practicable if credit information or CRB derived information is not destroyed or de-identified due to a pending correction request or dispute relating to the information. That information must only be used for the purposes of the pending correction request or dispute or a use required by law or a court order. A written note must be taken of such use or disclosure. The Commissioner may also direct the credit reporting body to destroy or de-identify the information by a specified date. Where credit information or CRB derived information is not destroyed or de-identified due to a law or court order, under s.20za, the credit reporting body must not use or disclose that information unless that use or disclosure is required by or under that law or court order. A written note must be taken of such use or disclosure. Subdivisions E (other than s. 20Q which requires the information to be adequately protected) and F of Division 2 do not apply to such information. Subdivision A Introduction and application of division Subdivision B Consideration of privacy This Division applies to credit providers in relation to credit information, credit eligibility information and CRB derived information. If a credit provider is an APP entity, this Division may apply in addition to, or instead of, relevant APPs. Reasonable steps should be taken to comply with this Division and the CR Code and which enable dealing with enquiries and complaints. A clear and up-to-date policy for management of credit information and credit eligibility information is required. The policy contents are set out in s. 21B and include information about the kinds of credit information and credit eligibility information collected and held, and the kind of CP derived information derived from credit reporting information. Access, correction and complaint rights must be explained. It must be available free in appropriate form and a copy is to be given if reasonable. If a credit provider is an APP entity, APP 1.3 and 1.4 do not apply to the credit provider in relation NPP 5 requires organisations to have clearly expressed policies on information management. Policy contents are suggested in PC Guidance. It must be available on request. about the sorts of information held, how and why it is collected and how it is used and disclosed should also be available on request /5 page 8

9 Subdivision C Dealing with Credit Subdivision D Dealing with Credit Eligibility to credit information or credit eligibility information. S. 21C imposes requirements to notify an individual where that individual s personal information may be disclosed to a credit reporting body. The name and contact details of the body and any other matter specified in the CR Code must be provided. If a credit provider is an APP entity, this requirement is additional to APP 5 and the provider must also notify the individual that its policy for management of credit information and credit eligibility information contains information on access, correction and complaint rights as part of its requirements under APP 5.1 (notification of the collection of personal information). The default rule in s. 21D is that a credit provider must not disclose information about an individual to a credit reporting body, however, disclosure is permitted if: - the credit provider is a member of a recognised external dispute resolution scheme and knows, or reasonably believes, that the individual is > 18yrs old; and - the credit reporting body is an agency or an organisation that has an Australian link; and - the requirements of s. 21D(3) are met. A written note of any disclosure must be made. If a credit provider is an APP entity, APP 6 and 8 do not apply to the disclosure by the provider of credit information to a credit reporting body. If a credit provider has disclosed default information about an individual to a credit reporting body but the amount overdue has been paid, the provider must disclose the payment information to the body within a reasonable time. Unless the identify of an individual has been reasonably verified, if a credit provider holds credit information about an individual that relates to consumer credit provided to the individual during a ban period (that has been put in place due to fraud), then notwithstanding the above, the provider must not disclose the credit information to a credit reporting body. The default rule in s. 21G is that a credit provider must not use or disclose an individual s credit eligibility information. Various exceptions are specified as follows: - the use of the credit eligibility information is: (a) for a consumer credit related purpose of the credit provider relating to the individual; (b) a permitted CP use (defined in s. 21H) relating to the individual; (c) in connection with a serious credit infringement that the credit provider This is a new concept that is part of a more positive credit reporting concept. NPP 2 restricts the use and disclosure of personal information for a purpose other than its primary purpose of collection subject to their various exceptions, including consent. S.18F(3) imposes a similar requirement in relation to an individual s payment of an overdue amount that was previously reported. NPP3 requires personal information to be kept accurate, completed and upto-date. Section 18L imposes limits on the use by credit providers of personal information contained in credit reports. These are largely similar and also require consent in certain circumstances /5 page 9

10 reasonably believes the individual has committed; (d) required or authorised by a law or court order; or (e) prescribed by regulation; or - the disclosure of the credit eligibility information is: (a) a permitted CP disclosure (defined in ss. 21J to 21N) relating to the individual; (b) to a related body corporate of the credit provider that has an Australian link; (c) to a person that has an Australian link who manages credit provided by the credit provider for use in managing that credit and the person is not acting as an agent of the provider; (d) to another credit provider with an Australian link or to an enforcement body on reasonable belief that the individual has committed a serious credit infringement; (e) for the purposes of a recognised external dispute resolution scheme of which the credit provider or credit reporting body is a member; (f) required or authorised by a law or court order; or (g) prescribed by regulation. Notwithstanding the above, disclosure of an individual s credit eligibility information that was derived from repayment history information is not permitted unless: - the recipient is another credit provider who is a licensee; or - the disclosure is to a mortgage insurer that has an Australian link for mortgage insurance purposes of the insurer in relation to the individual or any purpose arising under a contract for mortgage insurance between the provider and the insurer; - the disclosure is to an enforcement body on reasonable belief that the individual has committed a serious credit infringement; or - the disclosure is for the purposes of a recognised external dispute resolution scheme of which the credit provider or credit reporting body is a member or is required or authorised by a law or court order. A written note of any use or disclosure must be made. If a credit provider is an APP entity, APP 6, 7 and 8 do not apply to the provider in relation to credit eligibility information. If the credit eligibility information is also a government related identifier of the individual, APP 9.2 does not apply in relation to the information. Section 18N restricts disclosure of reports being information derived from credit reporting agencies and other credit sensitive information subject to a multitude of exceptions, some of which require consent. These are largely similar and also require consent in certain circumstances. NPP2 imposes a general prohibition on the disclosure of personal information for a purpose other than for its primary purpose of collection subject to a range of exceptions including where consent is held and for direct marketing /5 page 10

11 Permitted CP uses Permitted CP uses about an individual are defined in s. 21H and include: - in respect of disclosure for a consumer credit related purpose using the information for securitisation related purposes relating to the individual or internal management purposes directly related to providing or managing consumer credit; - in respect of disclosure for a commercial credit related purpose using the information for that purpose; - in respect of disclosure to assess an application for commercial credit using the information for internal management purposes directly related to providing or managing commercial credit; - in respect of disclosure for a credit guarantee purpose using the information for that purpose or the internal management purposes directly related to providing or managing any credit; - in respect of disclosure to the credit provider on condition that consumer credit liability information is held relating to consumer credit provided to the individual using the information for the purpose of assisting the individual to avoid defaulting on his or her consumer credit obligations to the credit provider; and - for a securitisation purpose using the information for that purpose. Permitted CP disclosures Permitted CP disclosures about an individual are defined in ss. 21J to 21N and include disclosure: - between credit providers: (a) for a particular purpose where the recipient has an Australian link and the individual has provided written consent to the disclosure (unless the information is disclosed to assess an application for credit that was not made in writing); (b) where one provider is acting as agent (by providing credit processing and management services) to another credit provider that has an Australian link; (c) by a securitisation entity in relation to credit provided by, or an application to, a non-securitisation credit provider where disclosure is to that original credit provider or another securitisation entity credit provider with an Australian link where disclosure is necessary for purchasing, funding, or managing, or processing an application for, credit under a securitisation arrangement or to undertake credit enhancement; /5 page 11

12 (d) disclosure between credit providers that have an Australian link and which have provided mortgage credit where the same real property forms all or part of the security but payment is at least 60 days overdue and the information is disclosed for the purposes of determining the course of action to be pursued to recover the overdue payment. - relating to guarantees etc: (a) (b) to a person with an Australian link considering acting as guarantor or providing security for credit that has been provided by, or has been sought from, the provider and the individual has provided written consent to the disclosure (unless the application was not, or has not been, made in writing); and to a person with an Australian link who is a guarantor or has provided security for credit and either the individual has provided written consent to the disclosure (unless the application was not made in writing) or where the person is a guarantor, the information is disclosed for the enforcement or proposed enforcement of the guarantee. - to mortgage insurers: that have an Australian link for mortgage insurance purposes of the insurer or any purpose arising under a contract of mortgage insurance between the provider and the insurer. - to debt collectors: that have an Australian link for the purpose of collecting overdue payments relating to consumer credit or commercial credit provided by the provider and the information is identification information, court proceeds information, personal insolvency information or (in the case of default of consumer credit) default information relating to the overdue payment. - to others who are either: (a) (b) State or Territory authorities responsible for assisting the facilitation of the provision of mortgage credit or for the management or supervision of arrangements under which such assistance is given and where the information is disclosed to enable the authority to determine the extent of assistance to give or to manage or supervise such an arrangement; or entities that have an Australian link and their legal and financial advisors and where the entity proposes to use the information to consider whether to accept an assignment of a debt, accept a debt as security for credit or purchase an interest in the provider or a related body corporate of the provider or in connection with exercising rights arising from the acceptance of such an assignment or debt or the purchase of such an interest. Section 18M imposes requirements to provide written notice to an individual /5 page 12

13 Subdivision E Integrity of Credit and Credit Eligibility Subdivision F Access to, and correction of, Where a credit provider refuses an application for consumer credit made in Australia based wholly or partly on credit eligibility information, the requirements for written notice as set out in s. 21P are similar to those currently existing but for the following additional requirements that the notice must: - be provided within a reasonable period after refusing the application; and - set out the name and contact details of the credit reporting body that disclosed the relevant credit reporting information and any other matter required by the CR Code. Under s. 21Q, reasonable steps must be taken to ensure credit information collected, used or disclosed is accurate, up-to-date and complete. If a credit provider is an APP entity, APP 10 does not apply to the provider in relation to credit eligibility information. Under s. 21R, a credit provider commits an offence and civil penalty contravention if it uses or discloses credit information in breach of this Division. Under s. 21S, a credit provider must take reasonable steps to protect credit eligibility information from misuse, interference and loss and from unauthorised access, modification and disclosure. If a credit provider no longer needs the credit eligibility information for any purpose permitted under this Division and the provider is not required by law or court order to retain the information, the provider must take reasonable steps to destroy or de-identify the information. If a credit provider is an APP entity, APP 11 does not apply in relation to credit eligibility information Under s. 21T, a credit provider must give an access seeker access to credit eligibility information it holds concerning an individual. An access seeker is the individual or a person assisting the individual in dealing with a credit reporting body authorised in writing to make the request. Exceptions to access apply including where access would be unlawful, denying access is required or authorised by law or court order and where access would prejudice enforcement activities of an enforcement body. A response to access requests is required within a reasonable period and access must be given in accordance with the CR Code. No charge can be imposed if the credit provider is an agency. Otherwise, if credit provider is an organisation or small business operator, a reasonable charge may be imposed for giving access (but not requesting it). Written reasons must be given for refusing access unless it would be unreasonable to do so. The if the individual s credit application is refused on the basis (wholly or partly) of information derived from credit reporting agencies and other credit sensitive information. NPP 3 requires an organisation to take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date. Section 18J requires credit providers to make corrections, deletions and additions to ensure personal information is accurate, up-todate, complete and not misleading. If such changes are not made on an individual s request, the individual may request that a statement be included on the file within 30 days of the individual s request for amendment. NPP 4 imposes similar data security obligations on organisations. Section 18H requires a credit provider to give individuals access to any credit report (but not any report) including through a person authorised in writing to do so but only in connection with a loan application or advice sought by the individual in relation to a loan. This is more restrictive. NPP 6 also imposes qualified access obligations on organisation /5 page 13

14 Division 4 Affected Recipients Subdivision A Consideration of information privacy response must advise of right to complain to an EDR scheme and complain to the Commissioner. Under s. 21U, a credit provider must take reasonable steps to keep credit information or credit eligibility information accurate, up-to-date, complete, relevant and not misleading. If a correction is made, recipients of the deficient information must be notified within a reasonable period unless impracticable or inconsistent with a requirement under a law or court order. If a credit provider is an APP entity, APP 13 applies in relation to credit information or credit eligibility information that is identification information but does not apply to any other kind of such information. Under s. 21V, an individual can request correction without charge, which must be done within 30 days or such longer period as agreed if the information is inaccurate. If necessary to satisfy itself of the need for correction, the credit provider may consult a credit reporting body or another credit provider. Under s. 21W, where a correction is made on request, notice must be given to the individual, any party consulted on the change and any recipient of the inaccurate information. If the change is refused, notice must be given to the individual including reasons and, unless impracticable, details of the right to refer to EDR or the Commissioner. This Division sets out rules that apply to affected information recipients in relation to their handling of their regulated information. An affected information recipient means (a) a mortgage insurer, (b) a trade insurer, (c) a body corporate that has an Australian link and is a related body corporate of a credit provider, (d) a credit manager that has an Australian link and is not an agent of a credit provider or (e) an entity or adviser of an entity that has an Australian link. If a credit provider is an APP entity, this Division may apply in addition to, or instead of, the APP. Reasonable steps should be taken to comply with this Division and the CR Code and which enable dealing with enquiries and complaints. A clear and up-to-date policy for management of the regulated information is required. The policy contents are set out in s. 22A and include information about the kinds of regulated information collected and held and the purpose for which such information is collected and held. Access, correction and complaint rights must be explained. It must be available free in appropriate form and a copy to be given if reasonable. If a credit provider is an APP entity, APP 1.3 and 1.4 do not apply to the credit provider in relation Section 18G requires a credit provider to take reasonable steps to ensure credit information files and credit reports are accurate, up-to-date, complete and not misleading. NPP 3 requires organisations to ensure personal information it collects, uses or discloses is accurate complete and up-to-date. Section 18J requires credit providers to make corrections, deletions and additions to ensure personal information is accurate, up-to-date, complete and not misleading. If such changes are not made on an individual s request, the individual may request that a statement be included on the file within 30 days of the individual s request for amendment. NPP 6 gives individuals qualified correction rights in relation to personal information held by organisations. NPP 5 requires organisations to have clearly expressed policies on information management. Policy contents are suggested in PC Guidance. It must be available on request. about the sorts of information held, how and why it is collected and how it is used and disclosed should also be available on request /5 page 14

15 Subdivision B Dealing with Regulated Mortgage insurers or trade insurers Related body corporate Credit managers to credit information or credit eligibility information. S. 22B provides that if an affected information recipient is an APP entity, the recipient must also notify the individual that its policy for management of regulated information contains information on access, correction and complaint rights as part of its requirements under APP 5.1 (notification of the collection of personal information). The default rule in s. 22C is that a mortgage insurer or trade insurer must not use or disclose an individual s personal information and other information disclosed to the insurer by a credit reporting body or credit provider under Divisions 2 and 3. Various exceptions, which are similar to those currently existing but expressed in broader terms, are specified as follows: - in respect of a mortgage insurer, the use is for a mortgage insurance purpose or any purpose arising under a contract for mortgage insurance between the credit provider and insurer; - in respect of a trade insurer, the use is for a trade insurance purpose; or - the use or disclosure is required or authorised by a law or court order. If the insurer is an APP entity, APP 6, 7 and 8 do not apply to the insurer in relation to the information. Also, if the insurer is an APP entity and the information is a government related identifier, then APP 9.2 does not apply to the insurer. The default rule in s. 22D is that a body corporate that has an Australian link and is a related body corporate of a credit provider must not use or disclose an individual s credit eligibility information disclosed to the body corporate by the credit provider. However, the body corporate may use or disclose that information in the manner permitted for the related credit provider under Division 3 as if the body corporate was the credit provider. If the insurer is an APP entity, APP 6,7 and 8 do not apply to the insurer in relation to the information. Also, if the insurer is an APP entity and the information is a government related identifier, then APP 9.2 does not apply to the insurer. The default rule in s. 22E is that a credit manager that has an Australian link must not use or disclose an individual s credit eligibility information disclosed to the credit manager by a credit provider for whom the credit manager is managing credit. However, the credit manager may use that information in managing credit provided by the credit provider or if the use is required or authorised by a law or a court order. If the credit manager is an APP entity, APP 6,7 and 8 do not apply to the credit manager in relation to the information. Also, if the credit manager is an APP entity and the information is a S. 18P imposes limits on the use by mortgage insurers and trade insurers of personal information contained in credit reports. These are largely similar but expressed in narrower terms. S. 18Q(1) imposes limits on the use and disclosure by related body corporate of credit providers of reports or information. These are similar. Sections 18Q(4) imposes limits on the use and disclosure by a credit manager of reports or information received from a credit provider for whom the credit manager is managing credit. These are similar /5 page 15

16 Advisors Division 5 Complaints government related identifier, then APP 9.2 does not apply to the credit manager. The default rule in s. 22F is that an entity that has an Australian link or its legal and financial advisors must not use or disclose an individual s credit eligibility information received from a credit provider in relation to an assignment of debt, an acceptance of debt as security or a purchase of an interest in the provider or a related body corporate of the provider. Various exceptions, which are similar to those currently existing, are specified as follows: - in respect of an entity, the information is used to consider whether to accept an assignment of a debt, accept a debt as security for credit or purchase an interest in the provider or a related body corporate of the provider or in connection with exercising rights arising from the acceptance of such an assignment or debt or the purchase of such an interest; - in respect of a legal or financial advisor, the use is in connection with advising the entity in respect of the above; or - the use or disclosure is required or authorised by a law or court order. If the recipient is an APP entity, APP 6,7 and 8 do not apply to the recipient in relation to the information. Also, if the recipient is an APP entity and the information is a government related identifier, then APP 9.2 does not apply to the recipient. This Division establishes mandatory complaints processes for credit reporting bodies and credit providers about acts or practices that may be a breach Part IIIA or the CR Code. S. 23A provides that individuals may make a complaint (which must specify the nature of the complaint) to a credit reporting body or a credit provider about an act or practice engaged in by the body or provider that may be a breach Part IIIA or the CR Code. The complaint may relate to personal information that has been destroyed or de-identified. No charge can be imposed for the making of the complaint or for dealing with the complaint. S. 23B requires the credit reporting body or credit provider to respond to complaints within 7 days after the complaint is made with a written notice acknowledging the complaint and setting out how it will deal with the complaint. The body or provider must also investigate the complaint. If the body or provider considers it necessary to consult another credit reporting body or credit provider, it must do so. The body or provider must, within 30 days from the day on which the complaint was made (or such longer period agreed to by the individual), give the individual written notice setting out its decision following the investigation and details of the right to refer to EDR or the Commissioner if the individual is not satisfied with the decision. In respect of complaints relating to the correction of personal information by credit reporting Sections 18Q(2) and 18Q(3) impose limits on the use and disclosure by an entity or its legal or financial advisors of reports or information received in relation to an assignment of debt, an acceptance of debt as security or a purchase of an interest in the provider or a related body corporate of the provider. These are similar. Where an NPP has been breached (s.6a) resulting in an interference with the privacy of an individual (s.13a) the affected individual may make a complaint to the Commissioner. The Commissioner s powers to investigate and make determinations in respect of such complaints are set out in Part V. However, there are no prescribed requirements for credit reporting bodies or credit providers in relation to the handling of complaints /5 page 16

17 Division 6 Unauthorised obtaining of credit reporting information Division 7 Court orders bodies, s.23c provides that written notice must be given by: - a credit reporting body to a credit provider that holds credit information or credit eligibility information; and - a credit provider to a credit reporting body (that holds credit reporting information) or another credit provider (that holds credit information or credit eligibility information), in relation to the complaint as soon as practicable after it is made and the body or provider s decision as soon practicable after it is made. If a credit reporting body or a credit provider discloses information to which the complaint relates pursuant to Part IIIA or the APP, the body or provider must give written notice to the recipient about the complaint if a decision on the complaint is still pending. However, the obligations to provide written notice are not required where it is impracticable to do so or the body or provider is required by a law or a court order not to do so. This Division provides for offences and civil penalties for entities that have obtained credit reporting information in an unauthorised manner. It is an offence where an entity has obtained credit reporting information from a credit reporting body or credit eligibility information from a credit provider, and it is a civil penalty if the entity seeks to obtain such information, in a manner that is unauthorised, such as where: - the entity is not one which the information is permitted to be disclosed under Divisions 2 or 3; - the entity is not an access seeker; or - the information is obtained by false pretence. This Division provides for orders that may be made by the Federal Court or the Federal Magistrates Court. S.25 provides that those courts may make orders to award compensation for a person s loss or damage resulting from an entity either being found guilty of committing an offence under Part IIIA or a civil penalty order being made against the entity. S. 25A provides that courts may make other orders to prevent or reduce the loss or damage suffered, or likely to be suffered, by the person. There is a statutory limitation period of 6 years for applications for the above orders. S.18S prohibits unauthorised access to credit information files in possession of a credit reporting agencies and to credit reports in the possession of credit providers or credit reporting agencies. S.18T establishes offences for using false pretences to obtain credit information files and credit reports. Section 55A(2) provides that the Federal Court or the Federal Magistrates Court may make such orders as it thinks fit if the court is satisfied that the respondent has engaged in conduct that constitutes an interference with the privacy of the complainant /5 page 17