Responsibilities and powers of the OPC

53.55 The Privacy Act gives the OPC a range of responsibilities and powers under the Act.[111] These responsibilities and powers were described in more detail in Part F of this Report. This chapter describes aspects of the OPC’s responsibilities and powers in relation to:

  • issuing a code of conduct relating to credit information files and credit reports;[112]

  • making certain determinations, on the Privacy Commissioner’s initiative, under the credit reporting provisions of the Privacy Act;[113]

  • auditing credit information files and credit reports held by credit reporting agencies and credit providers;[114] and

  • investigating credit reporting infringements,[115] either in response to a complaint or on the OPC’s initiative,[116] and making determinations after investigating complaints.[117]

Credit Reporting Code of Conduct

53.56 Under s 18A of the Privacy Act, the Privacy Commissioner must, after consulting government, commercial, consumer and other relevant bodies,[118] issue a code of conduct concerning:

(a) the collection of personal information for inclusion in individuals’ credit information files; and

(b) the storage of, security of, access to, correction of, use of and disclosure of personal information included in individuals’ credit information files or in credit reports; and

(c) the manner in which credit reporting agencies and credit providers are to handle disputes relating to credit reporting; and

(d) any other activities, engaged in by credit reporting agencies or credit providers, that are connected with credit reporting.[119]

53.57 In preparing the code of conduct, the Commissioner must have regard to the Information Privacy Principles (IPPs), the NPPs, Part IIIA of the Act and the likely costs to credit reporting agencies and credit providers of complying with the code.[120]

53.58 The Credit Reporting Code of Conduct (Code of Conduct) came into effect on 24 September 1991 and remains in force. The Code of Conduct is legally binding. Section 18B of the Privacy Act provides that a credit reporting agency or credit provider must not do an act, or engage in a practice, that breaches the Code of Conduct. Breach of the Code of Conduct constitutes a credit reporting infringement and an interference with privacy under s 13 of the Act.[121]

53.59 In broad terms, the Code of Conduct supplements Part IIIA on matters of detail not addressed by the Act. Among other things, the Code of Conduct requires credit providers and credit reporting agencies to:

  • deal promptly with individual requests for access to, and amendment of, personal credit information;

  • ensure that only permitted and accurate information is included in an individual’s credit information file;

  • keep adequate records in regard to any disclosure of personal credit information;

  • adopt specific procedures in settling credit reporting disputes; and

  • provide staff training on the requirements of the Privacy Act.[122]

53.60 The Code of Conduct is accompanied by Explanatory Notes, which explain how Part IIIA and the Code interact. For example, in relation to the permitted content of credit information files, the Code of Conduct provides that:

A credit reporting agency recording an enquiry made by a credit provider in connection with an application for credit may include, within the record of the enquiry, a general indication of the nature of the credit being sought.[123]

53.61 The Explanatory Notes explain that, while s 18E(1) expressly permits inclusion of a record of an enquiry made by a credit provider in connection with an application for credit, together with the amount of credit sought:

because of the size of the credit reporting system, and the large number and variety of credit applications recorded every year, it is accepted that an account type indicator should be allowed to be included in the file in order to facilitate speedy and accurate identification verification by credit providers of the enquiries recorded in credit information files.[124]

Determinations

53.62 The Privacy Commissioner has power to make certain determinations under the credit reporting provisions of the Privacy Act, including[125] determinations relating to:

  • the definition of ‘credit provider’;[126] and

  • the kinds of identifying information reasonably necessary to be included in credit information files.[127]

Credit provider determinations

53.63 Under Part IIIA, access to personal information provided by credit reporting agencies generally is restricted to businesses that are credit providers. Section 11B defines ‘credit providers’ for the purposes of the Act. In summary, under s 11B, financial organisations such as banks, building societies, credit unions and retail businesses that issue credit cards are automatically classed as credit providers.

53.64 Other businesses also are credit providers if they provide loans—defined to include arrangements under which a person receives goods or services with payment deferred, such as under a hire-purchase agreement[128]—and are included in a class of corporations determined by the Privacy Commissioner to be credit providers for the purpose of the Act.[129]

53.65 The Privacy Commissioner has made three determinations under s 11B of the Act. These include a determination that corporations are to be regarded as credit providers if they:

  • make loans in respect of the provision of goods or services on terms that allow the deferral of payment, in full or in part, for at least seven days; or

  • engage in the hiring, leasing or renting of goods, where no amount, or an amount less than the value of the goods, is paid as deposit for return of the goods, and the relevant arrangement is one of at least seven days duration.[130]

53.66 Another determination deems corporations to be credit providers where they have acquired the rights of a credit provider with respect to the repayment of a loan (whether by assignment, subrogation or other means).[131]

53.67 Both these determinations are discussed further in Chapter 54, in relation to the definition of credit provider for the purposes of the new Privacy (Credit Reporting Information) Regulations.[132]

Identifying information

53.68 The Privacy Commissioner may determine the kinds of information that are, for the purposes of s 18E(1)(a), ‘reasonably necessary to be included in an individual’s credit information file in order to identify the individual’.[133] The Privacy Commissioner made a determination under this provision in 1991.[134]

Audits of credit information files

53.69 The Privacy Commissioner has power to audit credit information files and credit reports held by credit reporting agencies and credit providers.[135] The purpose of such audits is to ascertain whether credit information files and credit reports are being maintained in accordance with the Code of Conduct and Part IIIA of the Privacy Act.

53.70 The Privacy Commissioner also may examine the records of credit reporting agencies and credit providers to ensure that they are not using personal information in those records for unauthorised purposes, and are taking adequate steps to prevent unauthorised disclosure of those records.[136]

Investigating credit reporting infringements

53.71 Part V, Division 1 of the Privacy Act deals with the investigation of complaints and investigations on the Privacy Commissioner’s initiative.[137] These provisions must be considered in association with the dispute settling procedures relating to credit reporting, which are set out in the Code of Conduct.

53.72 Under s 36(1) of the Privacy Act, an individual may complain to the Privacy Commissioner about ‘an act or practice that may be an interference with the privacy of the individual’. In the case of an act or practice engaged in by a credit reporting agency or credit provider, an act or practice is an interference with the privacy of an individual if it ‘constitutes a credit reporting infringement in relation to personal information that relates to the individual’.[138] In turn, a ‘credit reporting infringement’ means a breach of the Code of Conduct or a breach of a provision of Part IIIA of the Act.[139] Subject to certain exceptions, the Privacy Commissioner must investigate an act or practice that may be an interference with the privacy of an individual if a complaint has been made under s 36.[140]

53.73 Under Part V, Division 2 of the Privacy Act, the Privacy Commissioner may make a determination after investigating a complaint. Under s 52, if the complaint is found to be substantiated, the determination may include declarations that the respondent not repeat or continue the conduct; or provide redress or compensation for any loss or damage suffered by the complainant.[141] The Privacy Commissioner also may order that a respondent make an appropriate correction, deletion or addition to a record, or attach to a record a statement provided by the complainant.[142]

53.74 Under s 41(2), the Privacy Commissioner may decide not to investigate, or to defer investigation, if satisfied that the respondent has dealt, or is dealing, adequately with the complaint; or if the respondent has not yet had an adequate opportunity to deal with the complaint.

53.75 The Code of Conduct sets out dispute-settling procedures that must be followed by credit reporting agencies and credit providers.[143] The Code provides, among other things, that:

  • credit reporting agencies and credit providers must handle credit reporting disputes in a fair, efficient and timely manner;[144]

  • where a credit reporting agency establishes that it is unable to resolve a dispute, it must inform the individual concerned immediately that it is unable to resolve the dispute and that the individual may complain to the Privacy Commissioner;[145] and

  • a credit provider should refer a dispute between that credit provider and an individual to a credit reporting agency for resolution where the dispute concerns the contents of a credit report issued by the credit reporting agency.[146]

[111] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Ch 6.

[112] Office of the Federal Privacy Commissioner, Credit Reporting Code of Conduct (1991) issued under the Privacy Act 1988 (Cth) s 18A.

[113] Privacy Act 1988 (Cth) ss 11B(1), 18E(3), 18K(3), 18L(6), 18N(5).

[114] Ibid s 24A(1)(g).

[115] A ‘credit reporting infringement’ is defined as a breach of either the Credit Reporting Code of Conduct or the provisions of pt IIIA: Ibid s 6.

[116] Ibid pt V.

[117] Ibid s 52.

[118] Ibid s 18A(2).

[119] Ibid s 18A(1). The Code of Conduct is a disallowable instrument: Privacy Act 1988 (Cth) s 18A(4).

[120] Privacy Act 1988 (Cth) s 18A(3).

[121] Ibid s 13(d).

[122] Office of the Federal Privacy Commissioner, Credit Reporting Code of Conduct (1991), 3.

[123] Ibid, [1.1].

[124] Ibid, Explanatory Notes, [1]–[2].

[125] Other determinations by the Privacy Commissioner have been issued under Privacy Act 1988 (Cth) s 18K(3)(b)—permitting the disclosure of certain information included in a credit information file or other record before the commencement of s 18K (24 September 1991).

[126] Ibid s 11B(1).

[127] Ibid s 18E(3).

[128] Ibid s 6.

[129] Ibid s 11B(1)(v)(B).

[130] Privacy Commissioner, Credit Provider Determination No. 2006–4 (Classes of Credit Providers), 21 August 2006.

[131] Privacy Commissioner, Credit Provider Determination No. 2006–3 (Assignees), 21 August 2006.

[132] The third determination involves a specific corporation: Privacy Commissioner, Credit Provider Determination No 2006–5 (Indigenous Business Australia), 25 October 2006.

[133] Privacy Act 1988 (Cth) s 18E(3).

[134] Privacy Commissioner, Determination under the Privacy Act 1988: 1991 No 2 (s 18E(3)): Concerning Identifying Particulars Permitted to be Included in a Credit Information File, 11 September 1991.

[135] Privacy Act 1988 (Cth) s 28A(1)(g).

[136] Office of the Privacy Commissioner, Credit Information Audit Process <www.privacy.gov.au/publications> at 5 May 2008, 1.

[137] These provisions are discussed in more detail in Ch 49.

[138] Privacy Act 1988 (Cth) s 13(d).

[139] Ibid s 6(1).

[140] Ibid s 40(1).

[141] Ibid s 52(1)(b).

[142] Ibid s 52(3B).

[143] Office of the Federal Privacy Commissioner, Credit Reporting Code of Conduct (1991), pt 3.

[144] Ibid, [3.1].

[145] Ibid, [3.2].

[146] Ibid, [3.3].