A report published by the Australian Law Reform Commission (the ALRC) in August 2008 has been the impetus for driving reform of the privacy laws in Australia. Following this report, the Australian Government committed to responding to the ALRC's recommendations in two stages. The most recent Exposure Draft released by the Senate Finance and Public Administration Committee is the second stage of this response. The earlier response included the publication of a proposed new set of uniform privacy principles to apply to both the public and private sectors called the Australian Privacy Principles (APPs).

The National Consumer Credit Protection Act 2009 is a significant driver in the reform process relating to credit reporting. A fundamental feature of the Commonwealth's consumer credit regime is a requirement for credit providers to collect and verify information about a loan applicant's financial position. This is a necessary part of the loan 'unsuitability assessment' that all credit providers must carry out before entering into a credit contract or increasing a credit limit under a credit contract. Similar obligations also fall on credit assistance providers under this regime. The credit industry has been eagerly awaiting privacy reform which allows more comprehensive information to be maintained by credit reporting agencies and accessed by credit providers. The current regime in Part IIIA restricts the information that can be included in the credit reports to information that is of a negative nature (e.g. defaults and dishonoured cheques). The expansion of credit reporting regime to include comprehensive credit information has been anticipated as powerful tool to assist credit providers to meet their responsible lending obligations.

The Exposure Draft contains provisions relating to the collection, use and disclosure of information for credit reporting purposes. Under these provisions, the Privacy Act will continue to regulate credit reporting in conjunction with the proposed APPs.

The APPs provide a baseline for compliance but the proposed new credit reporting provisions contain more modified and specific rules from the more general obligations in the APPs. It is acknowledged in the guide that the specific credit reporting rules will impose more onerous provisions under the APPs. This is justified in the guide because there is a need to ensure a higher standard of privacy protection where personnel information is collected used and disclosed for credit reporting purposes.

The existence of a separate set of specific rules for credit reporting is of course is not new. There existing rules in Part IIIA of the Privacy Act which specifically relate to credit reporting set out provisions that are more onerous than the more generally drafted National Privacy Principles. The Exposure Draft contains provisions which are proposed to replace Part IIIA.

The key measures of the Exposure Draft are stated by the Commonwealth to be:

The obligations of credit reporting agencies and credit providers in relation to the collection and use of personal information are contained within Divisions 2 and 3 of the Exposure Draft. The definition of 'credit provider' is expanded in the Exposure Draft to include organisations or small business operators that provide credit as a substantial part of its business or undertaking. It is also important to note that the definition of 'credit provider' now also extends to organisations or small business operators acting as agents of credit providers.

Division 4 of the Exposure Draft contains rules in relation to the use of information by other recipients, including mortgage insurers, trade insurers, body corporates, credit managers and legal/financial advisors. These rules ensure that information used and disclosed for the purposes of credit reporting continues to attract the same privacy protections as contained within Part IIIA of the existing Privacy Act. Division 4 somewhat simplifies Part IIIA and also sets out the rules by reference to the recipient of the information. The expansion of the definition of 'credit provider' (as discussed above) will also impact on the operation of the rules contained within this division.

Division 5 of the Exposure Draft provides an avenue for individuals to lodge a complaint against a credit reporting agency or credit provider for failures by credit reporting agencies or credit providers to grant access to or correct personal information in credit reporting information and for a 'credit reporting infringement', defined as a contravention of the credit reporting part of the Privacy Act or of the Credit Reporting Code of Conduct (see discussion below regarding the Code).

Division 5 also contains provisions in relation to how and when a credit reporting agency or credit provider is to respond to a complaint. Generally, the respondent (whether that is a credit provider or a credit reporting agency) will have 7 days to acknowledge the complaint and is then under an obligation to investigate that complaint. Unless the complainant agrees to a longer period, the respondent will have 30 days to give a written notice containing the substantive determination of the complaint and explaining that the complainant may seek further review by taking the matter for external dispute resolution (to the scheme of which the respondent is a member) or to the Information Commissioner. Access to the external dispute resolution scheme or the Information Commissioner is also available if a substantive determination is not made within the relevant 30 period.

The existing retention period provided for under the Privacy Act has been largely followed by the Exposure Draft. However, there are new provisions in relation to personal insolvency agreements, debt agreement proposals and property retention orders. The practical effect of a retention period is that a credit reporting agency must keep credit information about an individual for the maximum permissible period in the event that there is a dispute or request for correction in relation to the information, or some other event occurs which requires the agency to retain the information.

Submissions have been received from a number of Government departments and companies. A list is available on the Parliament of Australia website. Submissions closed on 24 March 2011.

The Exposure Draft, like its predecessor, Part IIIA of the Privacy Act, is relatively complex. At over 100 pages it is quite substantial. In addition it forms only part of the picture so far as future credit reporting practices are concerned. That picture will only be complete once the Credit Reporting Code of Conduct is developed. However the Exposure Draft reconfirms comprehensive credit reporting is a clear reform objective and provides an idea of the additional information that will eventual be available to credit providers for purposes of credit assessment.