Two recent decisions of the Australian Privacy Commissioner have found Veda Advantage Information Services and Solutions Ltd (“Veda”) breached Privacy Act credit reporting provisions.
In Financial Rights Legal Centre Inc. & Others and Veda Advantage Information Services and Solutions Ltd [2016] AICmr 88 the Privacy Commissioner determined that Veda interfered with the privacy of the class of individuals identified as ‘members of the public seeking to access a free copy of their credit report from Veda Advantage’ in breach of the Privacy Act 1988 (Cth) (Privacy Act) by:
- failing to prominently state that individuals have a right to obtain their credit reporting information free of charge in certain circumstances, in contravention of paragraph 19.3(a) of the Privacy (Credit Reporting) Code 2014 (version 1.2) (CR code)
- failing to take reasonable steps to ensure that free access to credit reports was as available and as easy to identify and access as paid access to credit reports, in contravention of paragraph 19.3(b) of the CR code
- using and disclosing personal information it held about individuals seeking free access to credit reports for the purpose of direct marketing in breach of Australian Privacy Principle (APP) 7
- charging for the ‘expedited delivery’ of a credit report in breach of s 20R(5), in circumstances where the individual (or access seeker) had not sought access to credit reporting information within the preceding 12-month period.
Veda was ordered to take action within 6 months to ensure its service of providing free access to credit reporting information is as available, and as easy to identify and access as it is through its fee-based services including in relation to its phone service.
Consumers who purchased MyCreditFile Express for $69.95 on or after 12 March 2014, and had not ordered a credit report from Veda within 12 months prior to this purchase will be eligible for a refund from Veda. Veda has discontinued that charge.
The action involved 3 representative complaints lodged in 2014 on behalf of the class by consumer advocacy groups, Financial Rights Legal Centre Incorporated, the Consumer Action Law Centre, Financial Counselling Australia and the Australian Privacy Foundation.
The Veda website at the relevant time re-directed customers to the” my credit file” website if the appropriate link ‘Get Your Credit Report’ was clicked on, but the Veda website promoted paid access and did not otherwise contain or provide prominent links to free credit reporting information.
The Privacy Commissioner agreed with the complainants: “brochures are not websites. Websites are not generally read in the same front-to-back and left-to-right way as brochures. Users may enter the site from a subpage rather than the home page, and may never go to the home page of a website. Veda’s contention that providing free credit reporting information on only one web page is sufficient does not appear to take this into account.”
In respect of telephone access the Privacy Commissioner concluded:
“I do not agree with Veda’s contention that the telephone is a superfluous access channel where an internet-based service for credit reporting information is available or that the requirements of paragraph 19.3(b) are satisfied in this context by giving individuals the option to access free reports by submitting a request in writing. Paragraph 19.3(b) of the CR code mandates that Veda take reasonable steps to ensure that its free service is as available and easy to identify and access as its fee-based service. I accept the complainants’ contention that telephone access is an important way for many people, which may include the poorest households and those with the lowest literacy levels, to access services. As the information provided by the complainants demonstrates, a significant number of Australians are likely to have difficulty navigating and completing a form online to obtain their credit report. ”
Another complaint related to Veda contacting applicants to offer other products and services:
“If Veda wished to ensure that access seekers consented to being contacted by Veda for direct marketing purposes, then it should have expressed this plainly. In my view, the wording of the statement associated with tick box 1 was such that access seekers were not adequately informed about the consent they were providing when they ticked that box. Accordingly, I find that access seekers who ticked tick box 1 were not consenting to the use or disclosure of their information for the purpose of direct marketing, nor was it within their reasonable expectations that their information would be used or disclosed for that purpose. I find that Veda was in breach of APP 7 in this respect.”
With respect to Veda’s charge of $69.95 to provide a credit report within 24 hours of a request for access the Privacy Commissioner concluded:
“The obligation to provide the credit reporting information free of charge still applies, regardless of at what point in time within that 10-day limitation period Veda responds. The provision of credit reporting information in these circumstances is not an Additional Service. Rather it is an obligation Veda must undertake in accordance with s 20R(3) of the Privacy Act. There is nothing which permits Veda to charge for a credit report on request where a request has not been made in the preceding 12 months.
I therefore find Veda’s practice of charging for the ‘expedited delivery’ of a credit report was in breach of s 20R(5) in circumstances where the access seeker had not sought access to credit reporting information within the preceding 12-month period.”
In ‘KB’ and Veda Advantage Information Services and Solutions Ltd [2016] AICmr 81 the complainant contended that Veda interfered with his privacy by listing a judgment for $7000 on his credit file in error, and by failing to inform his credit providers of the mistake as soon as it became aware of the error.
The complainant was not the defendant in the case to which the judgment related, and had no relationship with the defendant. However, the complainant and the defendant have a similar name. They also reside in different premises within the same apartment building. Because of similarities between the defendant and the complainant’s names and addresses, Veda’s automatic matching systems drew a connection between the judgment and the complainant, and recorded information about the judgment on the complainant’s credit file.
Veda’s systems subsequently provided an automated alert to registered creditors of the complainant to notify those creditors of the judgment. Veda confirmed that the information was disclosed to the complainant’s credit providers.
While on an overseas trip payment on the complainant’s credit card was declined. That evening, the complainant telephoned American Express, his credit card provider. He was told that due to a default judgment notification on his credit file, American Express had suspended his card and he would be unable to make any further purchases.
Further, Citibank Visa credit card payments to his business suppliers were declined.
On complaining to Veda, Veda advised the complainant to approach the court for correction, and indicated that Veda would not take action until it heard from the court.
The Privacy Commissioner determined that Veda interfered with the complainant’s privacy by:
- not taking such steps as were reasonable in the circumstances to ensure that certain credit information it collected about the complainant was accurate, up-to-date, and complete as required by s 20N(1) of the Privacy Act 1988 (Cth);
- not taking such steps as were reasonable in the circumstances to ensure that certain credit reporting information it disclosed was, having regard to the purpose of the disclosure, accurate, up-to-date, complete and relevant as required by s 20N(2) of the Privacy Act;
- using or disclosing credit reporting information that was false or misleading in a material particular in contravention of s 20P of the Privacy Act; and
- failing to give each recipient of the incorrect information written notice of correction within a reasonable period as required by s 20S(2) of the Privacy Act.
Veda was ordered to:
- issue a written apology to the complainant acknowledging its interference with the complainant’s privacy;
- pay the complainant $10,000 for non-economic loss caused by the interference with the complainant’s privacy;
- pay the complainant $5,830 to reimburse him for expenses reasonably incurred in connection with the making of the complaint and the investigation of the complaint; and
- commence a review its procedures in relation to the collection, use and disclosure of court proceedings information, and steps taken to ensure accuracy and correction of this information, and advise the Privacy Commissioner of the results of the review within six months.