Credit-related disputes usually involve privacy issues.
From 12 March 2014, under Part IIIA of the Privacy Act, a credit provider must be a member of an EDR scheme recognised under the Privacy Act to be able to participate in the credit reporting system.
A credit provider must also be a member of a recognised EDR scheme to be able to disclose information to credit reporting bodies.
Credit providers, as defined in s 6G of the Privacy Act, include entities from a range of industries including banks, utility providers and telecommunication service providers.
The Information Commissioner has published the conditions that must be met by EDR schemes to be recognised under the Privacy Act, its approach to existing EDR schemes and when it will allow the EDR scheme to deal with a privacy-related credit complaint rather than the OAIC.
Commercial lenders and businesses who are not already in a consumer credit EDR scheme will be required to join an EDR scheme.
The Information Commissioner has accepted that if a privacy complaint is being dealt with by a recognised EDR scheme or would be more effectively or appropriately dealt with by a recognised EDR scheme then the EDR scheme should manage it.
When the complaint relates to an individual’s request for access to, or correction of, their credit-related information. If an individual requests access to, or correction of, their credit-related information and the request is refused, the individual may make a complaint directly to a recognised EDR scheme of which the credit reporting body or credit provider is a member, or to the Information Commissioner.
The Information Commissioner is aware that many credit providers are already members of EDR schemes. In some instances, other regulatory regimes require those credit providers to be members of particular EDR schemes. The Information Commissioner is mindful of the burden that would be imposed on credit providers if they were required to join an additional EDR scheme for the purposes of participating in the credit reporting system. This outcome will be avoided where possible.
Conditions
EDR schemes should provide privacy-related complaint information to the OAIC on an annual basis for inclusion in the OAIC’s Annual Report. The information should be placed in its appropriate context – for example, by explaining why there may have been an increase in privacy-related complaints compared to the previous year.
Where possible EDR schemes should provide information about:
a) the number of privacy-related complaints received in the financial year;
b) the average time taken to resolve privacy-related complaints in the financial year;
c) for privacy-related complaints finalised in the financial year, statistical information about the outcomes (eg conciliations, withdrawals) and the nature of remedies agreed through conciliation, or by decision (eg compensation, apology, staff training);
d) any systemic privacy-related issues or trends identified in the financial year.
To register an EDR scheme, the Information Commissioner requires the EDR scheme to have processes in place to identify, through complaints and other information received by the scheme, serious or repeated interferences with privacy, and systemic privacy issues of the EDR scheme’s members. An EDR scheme should also have processes in place to refer serious or repeated interferences with privacy and systemic privacy issues to relevant EDR scheme members for response and action, or to the industry regulator where applicable and appropriate (e.g. ACMA or ASIC).
Serious or repeated interferences with privacy and systemic privacy issues should be reported to the Information Commissioner when an EDR scheme has confirmed that such events have occurred.
If EDR scheme members do not appropriately rectify serious or repeated interferences with privacy or systemic issues within a reasonable period of time, the Information Commissioner may investigate the act or practice of an entity on the Commissioner’s own initiative under Part V of the Privacy Act. The Commissioner may also choose to investigate the act or practices of an entity under certain circumstances, such as when it is in the public interest to do so.