Attorney General releases position paper on proposed regulations to the Privacy Amendment (Enhancing Privacy Protection) Act 2013
June 12, 2013 |
The Attorney General’s Department has released a position paper (found here) on the regulations which are being drafted.
The Position paper provides:.
Table 1—Regulation-making powers relating to credit reporting
|
Regulation-making power |
Regulation? |
Content |
Notes |
| Subsection 6(1)—meaning of identifier | No | Discussion Paper indicated no regulation proposed. | |
| Subsection 6(1)—meaning of enforcement related activity | No | Discussion Paper indicated no regulation proposed. | |
| Terms and conditionsSubsection 6(1)—meaning of consumer credit liability information | Yes | The following matters to be specified:
|
The Government understands that all stakeholders agree on listing these items. Further detail on the information that may be listed, and the way it is listed, under each of these items can be prescribed in the CR Code.Following stakeholder discussions, the Government does not consider that sufficient justification was provided to warrant the inclusion of additional terms and conditions for determining credit-worthiness.Administrative identifiers
The Government notes that industry uses credit account numbers as administrative identifiers to ensure the correct account information is associated with the correct individual when reported to a CRB. It is understood these identifiers are not disclosed by the CRB as part of an individual’s credit reporting information. The Government understands consumer advocates do not object to the use of these identifiers to ensure accuracy of records. It is understood that these administrative identifiers are treated as personal information by the CRB, but not included in the credit reporting information, not further disclosed by the CRB, and not made available to other CPs. On this basis, it is not necessary to make regulations dealing with administrative identifiers as they will be regulated as personal information by the APPs. |
| Subsection 6(1)—meaning of credit reporting body | No | Discussion Paper indicated no regulation proposed as no agencies carry on a credit reporting business. | |
| Subparagraph 6G(1)(d)(ii)—meaning of credit provider | Yes | Make regulation providing Indigenous Business Australia (IBA) is a credit provider. | This is consistent with Credit Provider Determination 2011-2 (Classes of Credit Providers) in which the Privacy Commissioner identified IBA as a credit provider. |
| Subsection 6G(6) – meaning of credit provider – exclusions | Yes | Exclude an organisation or small business operator acting in the capacity of a current or prospective landlord in relation to the individual. | A landlord that receives rent in arrears could satisfy the definition of a credit provider. Excluding any such landlords from the meaning of credit provider is consistent with the existing exclusion of real estate agents in paragraph 6G(5)(a). The landlord and tenant relationship is regulated by State and Territory legislation and credit reporting should not be a factor in that relationship. |
| Subsection 6L – meaning of access seeker | N/A | Excluding landlords from the definition of credit provider means they cannot be an access seeker on behalf of an individual. | |
| Subsection 6P(4) meaning of credit reporting business – exclusions | Yes | The regulations should:
|
It is considered that an entity which provides verification and validation services to CPs should not be treated as a credit reporting business.It is not necessary to exclude any public sector body that provides public information as these bodies do not meet the definition of ‘credit reporting body’.This approach, which focuses on describing a business or undertaking as ‘involving’ certain specified activities, only excludes an organisation to the extent that it performs verification or validation services. Section 6P would continue to apply in relation to any other activities performed by the organisation that fall within the meaning of credit reporting business and are subject to Part IIIA obligations as a result. |
| Default thresholdSubparagraph 6Q(1)(d)(ii)—meaning of default information | No | The minimum amount for the listing of a default was raised to $150 in subparagraph 6Q(1)(d)(i) in the Privacy Amendment Act. | |
| Monthly cyclesSubsection 6V(2)—meaning of repayment history information | Yes | The circumstances in which an individual has or has not met an obligation to make a monthly payment that is due and payable should be as follows:Where an individual misses any or all repayments due in a month then the individual will be taken to have missed a repayment.An individual will be considered to have made all payments necessary in a month if they have not missed any payments due in that month. | The intention is that once per month, at a consistent relative date each month for that account, an assessment of missed payments is undertaken relative to all of the payments that fell due within that month and the result of that assessment is reported as the ‘repayment history information’ for that account.How a CP reports repayment history information will be dealt with in the CR Code in consultation with stakeholders.This approach could permit the inclusion of ‘grace periods’, which, if stakeholders agree, could be dealt with in the CR Code.
Month: Section 2G of the Acts Interpretation Act 1901 defines a month in the following terms: (1) In any Act, month means a period: (a) starting at the start of any day of one of the calendar months; and (b) ending: (i) immediately before the start of the corresponding day of the next calendar month; or (ii) if there is no such day–at the end of the next calendar month. This definition is sufficient to ensure there is only one report each month per account of an individual’s repayment history information. |
| Partial paymentsSubsection 6V(2)—meaning of repayment history information | No | If stakeholders agree, this issue can be addressed in the CR Code. | |
| Data standardsSubsection 6V(2)—meaning of repayment history information | No | Data standards are to be addressed by industry agreements. | |
| Paragraph 20E(2)(c)— CRBs – use of credit reporting information | No | Discussion Paper indicated no regulation proposed. | |
| Paragraph 20E(3)(f) — CRBs – disclosure of credit reporting information | No | Discussion Paper indicated no regulation proposed. | |
| Subparagraph 21D(2)(a)(i) – credit providers – disclosure of credit information to a CRB – external dispute resolution scheme | Yes | Exempt IBA from the requirement to be a member of an EDR scheme. | An exemption for IBA was foreshadowed in the Explanatory Memorandum for the Privacy Amendment Act. IBA is currently exempt from EDR obligations under the NCCP Act.The Government does not consider that credit providers which only provide commercial credit (but access consumer credit reporting information for that purpose) should be exempt from the requirement to be a member of an EDR scheme. |
| Subparagraph 21D(3)(c)(i)— credit providers – disclosure of credit information to a credit reporting body – licensee | Yes | Exempt IBA from the requirement to be a licensee | This exemption is consistent with the current exemption for IBA from licensee obligations under the NCCP Act. |
| Subparagraph 21D(3)(c)(iii) – credit providers – comply with any prescribed disclosure requirements | No | Discussion Paper indicated no regulation proposed. | |
| Paragraph 21G(2)(e) – credit providers – permitted use of credit eligibility information | No | Discussion Paper indicated no regulation proposed. | |
| Paragraph 21G(3)(g) – credit providers – permitted disclosure of credit eligibility information | No | Discussion Paper indicated no regulation proposed. |
Table 2—Regulation-making powers relating to the APPs
|
Regulation-making power |
Regulation? |
Content |
Notes |
| APP 7.8(c)—direct marketing | No | Discussion Paper indicated no regulation proposed. | |
| APP 9.3—adoption, use or disclosure of government related identifiers | Yes | Existing regulations 7 to 11 would be continued with appropriately amended wording | |
| APP 12.9(c)—access to personal information | No | Discussion Paper indicated no regulation proposed. | |
| APP 13.3—correction of personal information | No | Discussion Paper indicated no regulation proposed. |
Table 3—Transitional regulation-making power
|
Regulation-making power |
Regulation? |
Content |
Notes |
| Privacy Amendment Act, Schedule 6, item 19 – regulations may deal with transitional, application or saving matters | Yes | Information requests being processed on or before the commencement date will be permitted to be processed under the current credit reporting system until 31 March 2014. | The Government does not consider that any other transitional arrangements are necessary. |
Table 4—Existing regulation-making powers
|
Regulation-making power |
Regulation? |
Content |
Notes |
| Subsection 6(1)—meaning of enforcement body | No | Discussion Paper indicated no regulation proposed. | |
| Subsection 6(5)—Persons taken to be agencies | No | Discussion Paper indicated no regulation proposed. | |
| Subsection 6C(1)—Meaning of organisation | No | Discussion Paper indicated no regulation proposed. | |
| Section 6E—Small business operator treated as organisation | Yes | Remake regulation prescribing operators of residential tenancy databases. | |
| Section 6F—State instrumentalities etc treated as organisations | Yes | It is proposed that the current regulation would continue. | |
| Subsection 7A(2)—Agencies treated as organisations | Yes | Remake regulation 4 of the Privacy (Private Sector) Regulations 2001 but omit AIDC which no longer exists. | |
| Subsection 73(1)—Application by agency or organisation | No | Discussion Paper indicated no regulation proposed. | |
| Subsection 75(3)—Draft determination | No | Discussion Paper indicated no regulation proposed. | |
| Subparagraph 80P(1)(d)(iii)—Authorisation of collection, use and disclosure of personal information | No | Discussion Paper indicated no regulation proposed. | |
| Subsection 80P(7)—Authorisation of collection, use and disclosure of personal information | Yes | Remake regulation 10 of the Privacy (Private Sector) Regulations. | |
| Paragraph 80Q(2)(g)—Disclosure of information—offence | No | Discussion Paper indicated no regulation proposed. | |
| Section 88—Travel allowance for Privacy Advisory Committee | Yes | Remake regulation 12 of the Privacy (Private Sector) Regulations. | |
| Subsection 95A(1)—Guidelines for National Privacy Principles about health information | No | Discussion Paper indicated no regulation proposed. | |
| Subsection 100(1)—Regulations | No | Discussion Paper indicated no regulation proposed. |