Australian Senate Standing Committee for the Scrutiny of Bills - Scrutiny Digests

Purpose: This bill seeks to amend the National Consumer Credit Protection Act 2009 and the Privacy Act 1988 to:
• introduce a mandatory credit reporting regime;
• expand ASIC's powers to enable monitoring compliance; and
• impose additional requirements on where data held by a credit reporting body must be stored

Portfolio: Treasury

Introduced: House of Representatives on 28 March 2018

1.65 The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (2012 Act) amended the Privacy Act 1988 (Privacy Act) to establish a framework under which credit providers and credit reporting bodies could collect, use and disclose a greater range of credit information. This framework came into effect on 12 March 2014.
1.66 Prior to the enactment of the framework established by the 2012 Act, the credit reporting system limited the information that could be collected, used and disclosed by credit providers and credit reporting bodies to 'negative information' about an individual. This included identity information, default history information and bankruptcy information. The 2012 Act expanded the information permitted to be collected, used and disclosed to include repayment information, as well as the type of credit a person has and the maximum amount of credit available to a person under a consumer credit agreement. The 2012 Act enabled credit providers to disclose this information to credit reporting bodies on a voluntary basis.
1.67 The present bill seeks to amend the Privacy Act and the National Consumer Credit Protection Act 2009 (Credit Act) to mandate a comprehensive consumer credit reporting scheme. To implement this scheme, the bill seeks to designate large Authorised Deposit-taking Institutions (ADIs)[48] and certain other credit providers as 'eligible licensees', and to require those licensees to supply credit information about all open accounts held with the licensee to credit reporting bodies. The information that must be provided ('mandatory credit information') includes the following:
• identification information, including name, date of birth and address;
• consumer credit liability information, including the name of the credit provider, type of consumer credit, and maximum amount of credit available;
• repayment history information, including whether or not an individual is obliged to make monthly payments in relation to a consumer credit agreement, and when those payments are due and payable;
• default information, including information about payments that are overdue, and steps taken to recover the overdue amounts;
• payment information including information about payments of overdue amounts that have been made by an individual; and
• new arrangement information, including information about variations to a consumer credit agreement.[49]
1.68 Eligible licensees would be required to provide mandatory credit information to eligible credit reporting bodies in two tranches—each comprising mandatory credit information about half the accounts held by the licensee. A failure to provide this information would be punishable by a civil penalty of 2,000 penalty units,[50] and would also be an offence attracting a penalty of 100 penalty units.[51]
1.69 The explanatory memorandum provides that the bill seeks to correct an information asymmetry between consumers and credit providers, and thereby to improve the management of personal and credit reporting information.[52] In this regard, the statement of compatibility further states:
A more comprehensive credit reporting regime allows credit providers to better establish a consumer's credit worthiness and lead to a more competitive and efficient credit market. [This] benefits consumers by enabling...reliable individuals to seek more competitive rates when purchasing credit and enabling those with a historically poor credit rating to demonstrate their credit worthiness through future consistency and reliability.[53]
1.70 The committee acknowledges the importance of improving the administration of Australia's credit reporting regime. However, the committee is concerned that requiring the disclosure of mandatory credit information has the potential to unduly trespass on the privacy of individuals—particularly the customers of the large ADIs contemplated by the bill, as the information required to be disclosed includes a substantial amount of personal and financial information about individuals.
1.71 The explanatory memorandum provides that the mandatory credit reporting regime proposed by the bill does not alter existing provisions set out in the Privacy Act and the Privacy Code governing use and disclosure of credit information.[54] The explanatory memorandum further states that the Act and the Code will continue to:
• set out the permitted uses and disclosure of an individual's personal and credit information by credit providers and credit reporting bodies;
• impose requirements on credit providers and reporting bodies to ensure the accuracy and currency of information in the credit reporting system;
• impose a requirement on a credit reporting body to protect the information it collects from misuse and unauthorised access;
• impose a requirement on a credit reporting body to have a publicly available policy on how it collects, holds, uses and discloses credit information as well as procedures in place to ensure that the obligations under the Privacy Act and Privacy Code are met; and
• impose timeframes on both credit providers and credit reporting bodies on how long credit information can be kept before it must be destroyed.[55]
1.72 The statement of compatibility also emphasises that the present bill does not propose to alter any protections in the Privacy Act, and sets out the safeguards introduced by the 2012 Act to protect individuals' credit information from improper use and disclosure.[56]
1.73 While noting these safeguards, the committee is concerned that the bill appears to leave a number of relatively substantial elements of the mandatory credit reporting scheme—which may have significant privacy implications—to delegated legislation. For example, the bill seeks to require 'eligible licensees' to supply credit information to 'eligible credit reporting bodies'. The terms 'eligible licensee' and 'eligible credit reporting body' are defined in proposed section 133CN as follows:
• a licensee will be an 'eligible licensee' if it is a large ADI or a body corporate of a kind prescribed by the regulations, and it is a credit provider;[57]
• a reporting body will be an 'eligible credit reporting body' for a licensee if:
    • on 2 November 2017, there was an agreement of the kind referred to in paragraph 20Q(2)(a) of the Privacy Act in force between the body and the licensee, and the licensee is an eligible licensee on 1 July 2018; or
    • the conditions, if any, prescribed by the regulations are met.[58]
1.74 The bill would therefore appear to leave significant elements of the mandatory credit reporting scheme (for example, the entities required to provide credit information and the entities to which credit information must be provided) to delegated legislation.
1.75 The committee is concerned that leaving part of the definition of 'eligible credit reporting body' to regulations has the potential to undermine existing protections in the Privacy Act. Currently, paragraph 20Q(2)(a) of the Privacy Act requires a credit reporting body to enter into agreements with credit providers that require the providers to protect credit reporting information[59] from misuse, interference and loss, and from unauthorised access, modification and disclosure. Section 20Q was inserted by the 2012 Act. In relation to that provision, the explanatory memorandum to the 2012 bill stated:
The purpose of these specific obligations is to ensure that both credit reporting bodies and credit providers take proactive steps in establishing practices which maintain the security of credit information. Given that credit reporting bodies will play a central role in handling and managing credit information it is appropriate that they be charged with the responsibility to develop appropriate agreements.[60]
1.76 The explanatory memorandum to the present bill recognises the importance of agreements under paragraph 20Q(2)(a), stating that they ensure the credit provider has an established relationship with the credit reporting body, and has an agreement in place to ensure that information remains confidential and secure.[61]
1.77 However, under proposed section 133CN a licensee that becomes an 'eligible licensee' after 1 July 2018 must make its initial bulk supply of mandatory credit information to a credit reporting body that meets conditions prescribed by the regulations—rather than to a reporting body with which the licensee has an agreement under paragraph 20Q(2)(a) of the Privacy Act. While acknowledging that credit providers would be required to supply credit information on an ongoing basis to reporting bodies with whom they have a contract under paragraph 20Q(2)(a), the committee is concerned that the requirement to make the bulk supply of credit information to a body that meets conditions prescribed by regulations could weaken the protections conferred by the Privacy Act. The explanatory memorandum does not provide an explanation of the conditions that may be imposed under the regulations.
1.78 Additionally, proposed Division 3 provides that regulations may set out the circumstances in which a credit reporting body must share ('on-disclose') credit information received under the mandatory credit reporting scheme proposed by the bill. For example, proposed section 133CZA:
• prohibits a credit reporting body from disclosing protected information that is prescribed by the regulations, or is of a kind prescribed by the regulations, to a credit provider where certain conditions are met;[62] and
• requires a credit reporting body to disclose such protected information as the regulations require to be disclosed, or is of a kind prescribed by the regulations, to a credit provider where certain conditions are met.[63]
Breaches of those provisions would be punishable by a civil penalty of 2,000 penalty units, and may also attract a criminal penalty of 100 penalty units.[64]
1.79 With respect to those provisions, the statement of compatibility states that:
These circumstances [that is, the circumstances in which information must, or must not, be shared] will be limited and not extend beyond those circumstances in the Privacy Act. Primarily this will be when a credit provider is seeking information about a customer's credit worthiness when considering a request for consumer credit.[65]
1.80 While noting this explanation, and the example of circumstances in which disclosure would be required or permitted, the committee remains concerned that the bill would leave a significant element of the mandatory credit reporting regime (that is, when information may be on-disclosed) to delegated legislation.
1.81 The committee's consistent view is that significant matters, such as key elements of a mandatory credit reporting scheme, should be included in primary legislation unless a sound justification for the use of delegated legislation is provided. In this instance, the committee's concerns are heightened because the elements proposed to be left to delegated legislation (that is, the persons required to disclose credit information, the entities to whom that information must be disclosed, and the circumstances in which 'on-disclosure' is required and prohibited) may have significant implications for individuals' privacy. The explanatory memorandum does not provide a justification for why it is proposed to use delegated legislation in this way—merely outlining the operation and effect of the relevant provisions.
1.82 Further, where the Parliament delegates its legislative power in relation to significant legislative schemes, the committee considers that it is appropriate that specific consultation obligations (beyond those in section 17 of the Legislation Act 2003) apply to the making of legislative instruments, and that compliance with those obligations is a condition of the relevant instruments' validity. The committee notes that no such consultation requirements are currently set out in the bill.
1.83 As the explanatory materials do not adequately address this matter, the committee requests the Treasurer's detailed justification for leaving key elements of the mandatory credit reporting scheme proposed by the bill—including matters that may have significant impacts on individuals' privacy—to delegated legislation.
1.84 The committee also requests the minister's advice as to the type of consultation that it is envisaged will be conducted prior to the making of regulations in relation to the proposed credit reporting scheme, and as to whether specific consultation obligations (beyond those in section 17 of the Legislation Act 2003) can be included in the legislation, with compliance with such obligations a condition of the regulations' validity.
[47] Schedule 1, item 4, proposed sections 133CN and 133CZA. The committee draws senators' attention to these provisions pursuant to Senate Standing Order 24(1)(a)(iv).
[48] An ADI is likely to be considered 'large' if its total resident assets exceed $100 billion. See explanatory memorandum, p. 11.
[49] See proposed section 133CP. For further detail on the type of information that must be provided, see sections 6, 6V, 6Q, 6T and 6S of the Privacy Act 1988.
[50] See proposed section 133CR.
[51] See proposed section 133CX.
[52] Explanatory memorandum, pp. 6-7.
[53] Statement of compatibility, pp. 42-43.
[54] Explanatory memorandum, p. 9.
[55] Explanatory memorandum, pp. 9-10.
[56] Statement of compatibility, p. 43.
[57] See proposed subsection 133CN(1).
[58] See proposed subsection 133CN(2).
[59] Disclosed under Division 2 of that Act—which relates to credit reporting bodies.
[60] Explanatory memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, pp. 146-147.
[61] Explanatory memorandum, p. 28.
[62] See proposed subsection 133CZA(2). 'Protected information' is defined in proposed section 133CZA(1), and includes any information that the credit reporting body is supplied under Division 2 (which sets up the mandatory supply requirements), and any information derived from information supplied under Division 2.
[63] See proposed subsection 133CZA(3).
[64] See proposed section 133CZB.
[65] Statement of compatibility, p. 44.
URL: http://www.austlii.edu.au/au/other/AUSStaCSBSD/2018/118.html