Privacy law reform and the financial services industry

This article by me first appeared in Complinet.

The Australian Law Reform Commission has released its Report "For Your Information: Australian Privacy Law and Practice".

The 3-volume report covers most areas of privacy law and makes 295 recommendations for reform, starting with the recommendation that the Privacy Act 1988 be redrafted and restructured to achieve significantly greater consistency, clarity and simplicity.

The ALRC’s national consultation exercise identified concern relating to the loss of privacy as one of the major factors considered by consumers in their dealings with businesses. People are concerned that personal information can be exchanged, bought or sold for secondary use without their knowledge or consent. They are concerned about identity fraud, use of personal information on the internet, businesses sending personal information overseas for processing and the use of personal information for marketing.

By sector, the finance sector continues to be the most frequently complained about industry. The Privacy Commissioner expects that this is due to the large number of finance providers, the volume of personal information transactions conducted by the sector and the fact that the sector is bound by both the National Privacy Principles and the Credit Reporting provisions.

Main issues affecting financial service providers

International transactions and outsourcing
The ALRC intends to balance the need to transfer information with the protection of an individual’s privacy.

The ALRC recommends that privacy laws should provide that an organisation that transfers personal information about an individual outside Australia will remain responsible for the protection of that information. This will ensure that an individual has the ability to approach a local privacy regulator and seek redress from someone in Australia if the overseas recipient breaches the individual’s privacy.

There are three specific circumstances, however, when the ALRC recommends an organisation should not remain responsible for the protection of information. These are when:
• the organisation reasonably believes that the recipient of the information is subject to privacy protections that are of a similar standard to Australia’s;
• the individual consents to the transfer, after being expressly advised that the consequence of providing consent is that the organisation will no longer be responsible; or
• the organisation is ‘required or authorised by law’ to transfer the personal information.

These qualifications will allow, for example, organisations to deal with any liability through contracts with the recipient of the personal information. Similarly, organisations will be allowed to transfer information overseas when they are required to do so by law.

Data breach notification
The ALRC concluded that given the increasing fear of identity theft and fraud, most customers and users of government services believe they have a right to be informed when the security and privacy of their personal information have been compromised.

Consequently, the ALRC recommends the introduction of a mandatory data breach notification scheme.

The ALRC has recommended that an agency or organisation only be obliged to notify affected individuals and the Privacy Commissioner when a data breach has occurred that may give rise to serious harm to any affected individual.

Credit reporting
The Privacy Act currently regulates the system of credit reporting, limiting the information about an individual’s credit-worthiness which can be collected and disclosed to credit providers. In Australia, this information is collected by a small number of specialist credit reporting companies from credit providers and from publicly available records.

The ALRC recommends that the existing credit reporting provisions of the Privacy Act be repealed.

Instead, it is proposed that credit reporting be regulated under the general provisions of the Act and new credit reporting regulations, incorporating significant recommended changes to the current rules.

The Privacy Act currently allows credit files to include only ‘negative’ information, such as previous defaults. The industry has complained that this makes it difficult for Australians to build up a positive record of responsible borrowing behaviour over time.

The credit industry argued strongly for a wider range of information—such as current credit balances and loan repayment histories—to be collected and disclosed in reports to lenders, on the basis that such information is required for credit providers to make sound decisions about an applicant’s ability to repay. Consumer groups responded that access to more information would be used to advance more credit and contribute to higher levels of indebtedness rather than assist responsible lending.

The ALRC’s recommended approach is that there should be some expansion of the categories of personal information that can be included in credit reporting information held by credit reporting agencies. The four proposed additional items are:
• the type of each current credit account opened (eg, mortgage, credit card, personal loan);
• the date on which each current credit account was opened;
• the credit limit of each current account; and
• the date on which each credit account was closed.

The ALRC recommended that a decision about also including an individual’s repayment history in the categories of personal information that may be held by credit reporting agencies be deferred until the Government is satisfied that there is an adequate framework imposing responsible lending obligations in Commonwealth, state and territory legislation.

The ALRC noted that sub-prime lending in the USA and Europe was not limited by the greater access of lenders to repayment information.

Dispute resolution
The ALRC also recommended a greater role for external dispute resolution, by requiring that any credit provider who lists debt defaults on credit information files be part of an external dispute resolution scheme. This will provide a fast, simple process for consumers who wish to dispute a default listing.

Invasion of privacy
The ALRC recommends that federal legislation create a statutory cause of action for a serious invasion of privacy, including in circumstances in which:
• there has been an interference with an individual’s home or family life;
• an individual has been subjected to unauthorised surveillance;
• an individual’s correspondence or private communication has been interfered with; or
• sensitive facts about an individual’s private life have been disclosed.

Penalties
The ALRC recommended that the penalty regime be strengthened by allowing the Privacy Commissioner to seek a civil penalty in the federal courts where there is a serious or repeated interference with the privacy of an individual.

There are currently no civil penalties available for serious contraventions of the Privacy Act, and criminal penalties only exist—but rarely are used—for credit reporting and Tax File Number offences.

Implications of changes
A redrafted Privacy and Personal Information Act will consist of clearer principles covering both the public and private sectors combined with a rules-based approach in the form of regulations and industry codes in specified contexts, such as credit reporting.

For financial service providers the greatest impact will be initially in respect of credit reporting and international data flow followed by, in the second stage, data breach notification.

When will the changes start?
Senator the Hon John Faulkner, the Special Minister of State, says the Commonwealth Government will respond to the Australian Law Reform Commission Privacy Report in stages.

The first stage of the response will include the recommendations relating to credit reporting regulations. Dealing with them at an early stage is consistent with COAG’s current agenda on consumer credit reform.

Senator Faulkner expects that the Government will be able to legislate (as necessary) on the first reform stage within 12 to 18 months.

The second stage of the response will consider the recommendations relating to the removal of exemptions, data breach notices and the tort of privacy.

Across-the-board recommendations, such as the harmonisation of privacy laws and suggestions for reform to the structure and powers of the Privacy Commissioner, will be considered by the Government in concert with the two stages of reform.

Compliance tips and next steps

All financial service providers that operate in Australia will be required to review their privacy and credit reporting procedures.

Credit reporting software will need to be redesigned in anticipation of more information being allowed to be retained in databases.

Compliance officers should document the flow of customer information: if data is processed overseas, determine whether those destinations have equivalent privacy standards or there are satisfactory contractual safeguards in place.

Organisations will need to establish compliance plans and reporting mechanisms to assist in identifying data breaches and, if they are significant, reporting breaches.

Although legislation has not yet been drafted, the ALRC Report is a road map of the likely changes within the next 18 months.
