Attorney General releases position paper on proposed regulations to the Privacy Amendment (Enhancing Privacy Protection) Act 2013

June 12, 2013

The Attorney General’s Department has released a position paper (found here) on the regulations which are being drafted.

The position paper provides:

Table 1—Regulation-making powers relating to credit reporting

 

Regulation-making power | Regulation? | Content | Notes

Subsection 6(1)—meaning of identifier No Discussion Paper indicated no regulation proposed.
Subsection 6(1)—meaning of enforcement related activity No Discussion Paper indicated no regulation proposed.
Terms and conditions

Subsection 6(1)—meaning of consumer credit liability information Yes The following matters to be specified:

  • Amortisation type
  • Term type
  • Term of loan
  • whether guarantor

 

The Government understands that all stakeholders agree on listing these items. Further detail on the information that may be listed, and the way it is listed, under each of these items can be prescribed in the CR Code.

Following stakeholder discussions, the Government does not consider that sufficient justification was provided to warrant the inclusion of additional terms and conditions for determining credit-worthiness.

Administrative identifiers

The Government notes that industry uses credit account numbers as administrative identifiers to ensure the correct account information is associated with the correct individual when reported to a CRB.  It is understood these identifiers are not disclosed by the CRB as part of an individual’s credit reporting information.  The Government understands consumer advocates do not object to the use of these identifiers to ensure accuracy of records.  It is understood that these administrative identifiers are treated as personal information by the CRB, but not included in the credit reporting information, not further disclosed by the CRB, and not made available to other CPs.

On this basis, it is not necessary to make regulations dealing with administrative identifiers as they will be regulated as personal information by the APPs.

Subsection 6(1)—meaning of credit reporting body No Discussion Paper indicated no regulation proposed as no agencies carry on a credit reporting business.
Subparagraph 6G(1)(d)(ii)—meaning of credit provider Yes Make regulation providing Indigenous Business Australia (IBA) is a credit provider. This is consistent with Credit Provider Determination 2011-2 (Classes of Credit Providers) in which the Privacy Commissioner identified IBA as a credit provider.
Subsection 6G(6) – meaning of credit provider – exclusions Yes Exclude an organisation or small business operator acting in the capacity of a current or prospective landlord in relation to the individual. A landlord that receives rent in arrears could satisfy the definition of a credit provider.  Excluding any such landlords from the meaning of credit provider is consistent with the existing exclusion of real estate agents in paragraph 6G(5)(a).  The landlord and tenant relationship is regulated by State and Territory legislation and credit reporting should not be a factor in that relationship.
Subsection 6L – meaning of access seeker N/A Excluding landlords from the definition of credit provider means they cannot be an access seeker on behalf of an individual.
Subsection 6P(4) meaning of credit reporting business – exclusions Yes The regulations should:

  • prescribe a business or undertaking that involves providing verification or validation services to a credit provider as a relevant class;
  • define verification or validation services to include the following (and any other relevant) activities:
    • compiling information about an individual from publicly available sources and other sources
    • providing this information to a credit provider for the purposes of assisting the credit provider to verify the individual’s identity, verify that the individual owns the real estate or other assets he or she claims to own and validate the individual’s claimed financial position (in relation to the value of the individual’s assets).
It is considered that an entity which provides verification and validation services to CPs should not be treated as a credit reporting business.

It is not necessary to exclude any public sector body that provides public information as these bodies do not meet the definition of ‘credit reporting body’.

This approach, which focuses on describing a business or undertaking as ‘involving’ certain specified activities, only excludes an organisation to the extent that it performs verification or validation services. Section 6P would continue to apply in relation to any other activities performed by the organisation that fall within the meaning of credit reporting business and are subject to Part IIIA obligations as a result.

Default threshold

Subparagraph 6Q(1)(d)(ii)—meaning of default information No The minimum amount for the listing of a default was raised to $150 in subparagraph 6Q(1)(d)(i) in the Privacy Amendment Act.

Monthly cycles

Subsection 6V(2)—meaning of repayment history information Yes The circumstances in which an individual has or has not met an obligation to make a monthly payment that is due and payable should be as follows:

Where an individual misses any or all repayments due in a month then the individual will be taken to have missed a repayment.

An individual will be considered to have made all payments necessary in a month if they have not missed any payments due in that month.

The intention is that once per month, at a consistent relative date each month for that account, an assessment of missed payments is undertaken relative to all of the payments that fell due within that month and the result of that assessment is reported as the ‘repayment history information’ for that account.

How a CP reports repayment history information will be dealt with in the CR Code in consultation with stakeholders.

This approach could permit the inclusion of ‘grace periods’, which, if stakeholders agree, could be dealt with in the CR Code.

Month: Section 2G of the Acts Interpretation Act 1901 defines a month in the following terms:

(1) In any Act, month means a period:

(a) starting at the start of any day of one of the calendar months; and

(b) ending:

(i) immediately before the start of the corresponding day of the next calendar month; or

(ii) if there is no such day–at the end of the next calendar month.

This definition is sufficient to ensure there is only one report each month per account of an individual’s repayment history information.

Partial payments

Subsection 6V(2)—meaning of repayment history information No If stakeholders agree, this issue can be addressed in the CR Code.

Data standards

Subsection 6V(2)—meaning of repayment history information No Data standards are to be addressed by industry agreements.
Paragraph 20E(2)(c)— CRBs – use of credit reporting information No Discussion Paper indicated no regulation proposed.
Paragraph 20E(3)(f) — CRBs – disclosure of credit reporting information No Discussion Paper indicated no regulation proposed.
Subparagraph 21D(2)(a)(i) – credit providers – disclosure of credit information to a CRB – external dispute resolution scheme Yes Exempt IBA from the requirement to be a member of an EDR scheme. An exemption for IBA was foreshadowed in the Explanatory Memorandum for the Privacy Amendment Act. IBA is currently exempt from EDR obligations under the NCCP Act. The Government does not consider that credit providers which only provide commercial credit (but access consumer credit reporting information for that purpose) should be exempt from the requirement to be a member of an EDR scheme.
Subparagraph 21D(3)(c)(i)— credit providers – disclosure of credit information to a credit reporting body – licensee Yes Exempt IBA from the requirement to be a licensee. This exemption is consistent with the current exemption for IBA from licensee obligations under the NCCP Act.
Subparagraph 21D(3)(c)(iii) – credit providers – comply with any prescribed disclosure requirements No Discussion Paper indicated no regulation proposed.
Paragraph 21G(2)(e) – credit providers – permitted use of credit eligibility information No Discussion Paper indicated no regulation proposed.
Paragraph 21G(3)(g) – credit providers – permitted disclosure of credit eligibility information No Discussion Paper indicated no regulation proposed.

 

 

Table 2—Regulation-making powers relating to the APPs

 

Regulation-making power | Regulation? | Content | Notes

APP 7.8(c)—direct marketing No Discussion Paper indicated no regulation proposed.
APP 9.3—adoption, use or disclosure of government related identifiers Yes Existing regulations 7 to 11 would be continued with appropriately amended wording
APP 12.9(c)—access to personal information No Discussion Paper indicated no regulation proposed.
APP 13.3—correction of personal information No Discussion Paper indicated no regulation proposed.

Table 3—Transitional regulation-making power

 

Regulation-making power | Regulation? | Content | Notes

Privacy Amendment Act, Schedule 6, item 19 – regulations may deal with transitional, application or saving matters Yes Information requests being processed on or before the commencement date will be permitted to be processed under the current credit reporting system until 31 March 2014. The Government does not consider that any other transitional arrangements are necessary.

Table 4—Existing regulation-making powers

 

Regulation-making power | Regulation? | Content | Notes

Subsection 6(1)—meaning of enforcement body No Discussion Paper indicated no regulation proposed.
Subsection 6(5)—Persons taken to be agencies No Discussion Paper indicated no regulation proposed.
Subsection 6C(1)—Meaning of organisation No Discussion Paper indicated no regulation proposed.
Section 6E—Small business operator treated as organisation Yes Remake regulation prescribing operators of residential tenancy databases.
Section 6F—State instrumentalities etc treated as organisations Yes It is proposed that the current regulation would continue.
Subsection 7A(2)—Agencies treated as organisations Yes Remake regulation 4 of the Privacy (Private Sector) Regulations 2001 but omit AIDC which no longer exists.
Subsection 73(1)—Application by agency or organisation No Discussion Paper indicated no regulation proposed.
Subsection 75(3)—Draft determination No Discussion Paper indicated no regulation proposed.
Subparagraph 80P(1)(d)(iii)—Authorisation of collection, use and disclosure of personal information No Discussion Paper indicated no regulation proposed.
Subsection 80P(7)—Authorisation of collection, use and disclosure of personal information Yes Remake regulation 10 of the Privacy (Private Sector) Regulations.
Paragraph 80Q(2)(g)—Disclosure of information—offence No Discussion Paper indicated no regulation proposed.
Section 88—Travel allowance for Privacy Advisory Committee Yes Remake regulation 12 of the Privacy (Private Sector) Regulations.
Subsection 95A(1)—Guidelines for National Privacy Principles about health information No Discussion Paper indicated no regulation proposed.
Subsection 100(1)—Regulations No Discussion Paper indicated no regulation proposed.

 

 

 
