Preview
Archived Posts Lists

Australian Regulatory Compliance Review
Australian Technology and IP Business
Credit Union and Mutual Law
National Consumer Credit Reform
Personal Property Securities Australia
Longview Business Insights
Australian Private Health Insurers
Wills, Trusts, Super
Mutuals Resource Centre

 Resources

Commonwealth legislation
Corporate Governance
Not-for-Profit links
Regulator Links

January 29, 2013

Collection and disclosure of repayment history information

The Office of the Australian Information Commissioner (OAIC) has published a FAQ setting out its views on the notice required to be given to individuals before their repayment history information can be collected and disclosed as a result of amendments to the Privacy Act made by the Privacy Amendment (Enhancing Privacy Protection) Act 2012.

In part it states:

“Prior to the commencement of the reforms, a credit provider that collects repayment history information (RHI) that it intends to disclose to a credit reporting body (CRB) after commencement should, at a minimum, comply with the notification requirements in National Privacy Principle (NPP) 1 (Collection). For example, the credit provider should notify the individual at or before the time of collection of the RHI that the credit provider will disclose that information to CRBs from March 2014; see NPP 1.3(d).

There is also an argument that, from commencement, a credit provider cannot disclose RHI to a CRB unless it has, to the extent possible, met the notification requirements in s 21C of Schedule 2 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012. The OAIC, therefore, recommends that credit providers also meet the additional notification requirements in s 21C. For example, by notifying the individual of the name and contact details of any CRB to which the credit provider is likely to disclose the individual’s RHI; see s 21C(1)(a).”

Background

We will be discussing notification and transition issues at our February seminars.

Print This Post Print This Post

Posted 29th January 2013 by David Jacobson in Financial Services, Privacy

January 18, 2013

Privacy Act amendments: the effect on current exemptions

The Privacy Act amendments will take effect on 12 March 2014.

How will current exemptions be affected?

Small business exemption
Currently small businesses (with a turnover of $3 million or less) are exempt unless they are:

  • a health service provider
  • a trader in personal information
  • related to a larger business
  • a contractor with Commonwealth
  • a reporting entity under the AML/CTF Act
  • an operator of a residential tenancy database.

A small business can opt in.

The only change to that exemption is that small businesses will be bound by the CR (credit reporting) Code if they elect to participate in the credit reporting system.

Credit providers and credit reporting agencies that are small businesses will be required to comply with the Privacy Act.

Private Sector Employee records
Employee records directly related to a current or former employment relationship will continue to be exempt. But employment agencies and information about prospective employees will continue to be covered by the Privacy Act.

Spam Act and Do Not Call Register Act

APP 7.8 (direct marketing) provides that APP 7 will not apply if the Spam Act or the Do Not Call Register Act apply. These Acts contain specific provisions regarding a particular type of direct marketing or direct marketing by a particular technology.

But if these Acts do not apply then APP 7 will apply to organisations involved in direct marketing relating to electronic messages and other acts and practices not covered by these Acts.

The Spam Act generally applies to any unsolicited commercial electronic message (“spam”) with an Australian link.

The Privacy Act will apply to emails and other non-commercial electronic messages not covered by the Spam Act when it involves the use of “personal information‟.

The amendments could also therefore apply to non-message based online marketing including Twitter and pop up ads.

We will be discussing the effect of the amendments on financial service providers at our February seminars.

Print This Post Print This Post

Posted 18th January 2013 by David Jacobson in Do Not Call Register, Marketing, Privacy

December 31, 2012

Credit reporting code of conduct

The Privacy Commissioner has requested the Australasian Retail Credit Association (ARCA) to develop a Credit Reporting code and apply for the code to be registered.

The Code will replace the existing Code and implement the new credit reporting provisions in the Privacy Amendment act.

ARCA must comply with this request by Friday 19 April 2013.

Print This Post Print This Post

Posted 31st December 2012 by David Jacobson in Financial Services, Privacy

December 24, 2012

Case note: multiple identity credit reports found misleading

In ‘S’ and Veda Advantage Information Services and Solutions Limited [2012] AICmr 33 the Privacy Commissioner determined that Veda Advantage Information Services and Solutions Limited (Veda)’s practice of keeping 2 separate but cross-referenced credit files for the complainant (one in her original name and one in her then married name) interfered with the complainant’s privacy by failing to take reasonable steps to ensure that the personal information contained in the complainant’s credit information file was accurate, up to date, complete and not misleading, in breach of s 18G(a) of the Privacy Act 1988 (Cth) (Privacy Act).

The Privacy Commissioner concluded that:

“During the period 2006-09, the complainant’s credit information files contained a number of duplicated credit enquiry listings, where the enquiry details varied slightly but related to the same credit enquiry (and the same credit application). I consider that, on the balance of probabilities, at least some of those credit providers accessing the complainant’s cross-referenced credit files during that period would have misunderstood the similar enquiries listing information they contained. As such, I am of the view that Veda breached s 18R(1) of the Privacy Act when it provided that information to subscriber credit providers, and that Veda has interfered with the complainant’s privacy in this respect.”

Despite the complainant’s claims that as a result of Veda’s practice, she was unable to obtain credit which, in turn, resulted in her incurring significant financial loss the Privacy Commissioner was not satisfied that the complainant was refused credit or would have been able to obtain credit on more favourable terms had the similar listings not been made.

He rejected the claim for economic loss.

However he decided that the complainant was made anxious by Veda’s practice of duplicating enquiry listings and that this stress and anxiety has spanned the substantial period of time of her complaint about Veda’s practice. He awarded her compensation in the amount of $2000 for non-economic loss .

He accepted’s Veda’s submission that it investigated the matter in accordance with its normal practice and procedures. He did not consider the way in which Veda conducted its case was “high-handed, malicious, insulting or oppressive”. He refused to award aggravated damages.

Although Veda advised of the introduction, since mid-2009, of a ‘multiple identity report’ (MIR) feature, which has ‘fundamentally changed the way in which Veda provides credit reports to approximately 90% of its credit provider subscribers’, in relation to Veda’s practice of recording similar enquiry listings, he recommended that Veda:

  • develop revised training packages and user information guides for subscribers, which clearly address the issue of similar enquiry listings and how to interpret them;
  • engage an independent auditor to assess Veda’s cross-referencing processes, both the MIR option and the non-MIR alternative, in compliance with s 18G(a) of the Privacy Act.

Print This Post Print This Post

Posted 24th December 2012 by David Jacobson in Financial Services, Privacy

December 20, 2012

Consumer credit repayment history information

Under the Privacy Amendment (Enhancing Privacy Protection) Act 2012, licensed credit providers can collect consumer credit repayment history information about individual borrowers from 12 December 2012.

Repayment history information is defined in Section 6V as:

(a) whether or not the individual has met an obligation to make a monthly payment that is due and payable in relation to the consumer credit;
(b) the day on which the monthly payment is due and payable;
(c) if the individual makes the monthly payment after the day on which the payment is due and payable—the day on which the individual makes that payment.

It does not include the amount of any missed payment — only the fact that the borrower made or missed a payment.

It could include payments on a loan or credit card.

From 12 March 2014 licenced credit providers can pass repayment history information on to credit reporting bodies.

Information about any particular payment cannot be held for more than two years from the date it was due.

Repayment history information will not include information about any payment that was due before 12 December 2012.

Print This Post Print This Post

Posted 20th December 2012 by David Jacobson in Financial Services, National Credit Code, Privacy

December 14, 2012

Privacy Amendment Act commences

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 received Royal Assent on 12 December 2012 and commenced on that day.

However the majority of the reforms (including the new credit reporting provisions) will not commence until 12 March 2014.

A transition period has now commenced enabling development of new Privacy Codes and preparation for the new credit reporting rules.

Langes can assist you in this transition.

Background

Print This Post Print This Post

Posted 14th December 2012 by David Jacobson in Financial Services, National Credit Code, Privacy

December 7, 2012

Draft OAIC guide to information security

The Office of the Australian Information Commissioner (OAIC) is conducting a public consultation and is seeking comments on a draft Guide to information security: Reasonable steps to protect personal information.

The guide is aimed at government agencies and the private sector and will cover the reasonable steps that entities have to take under the Privacy Act 1988 (Cth) to protect the personal information that they hold from misuse, loss and from unauthorised access, modification or disclosure. It is also relevant to credit reporting agencies (CRAs), credit providers and tax file number (TFN) recipients.

The guide also includes steps and strategies that entities should consider taking in order to secure personal information including:
•IT security
•data breaches
•physical security
•personnel security
•the information life cycle
•workplace policies
•communications security
•standards

Although it will not be binding, the OAIC will refer to the guide when assessing an entities compliance with its information security obligations in the Privacy Act.

Print This Post Print This Post

Posted 7th December 2012 by David Jacobson in Consumer Law, Financial Services, Privacy, Risk Management

December 4, 2012

CPD Financial Services Law Seminars February 2013: registrations open

Langes+ invites you to this CPD seminar for financial services providers.

In response to feedback we have added a breakfast session for Responsible Managers and a session dealing with Privacy (including the new Australian Privacy Principles and credit reporting) which will be relevant to both marketers and collections staff.

The seminar will cover all the ‘must-know’ rules and traps for each topic. Topics are selected for their relevance and contain practical case studies and examples with time allowed for discussion.

We look forward to seeing you.

PROGRAM

Session 1 (bookable separately)
8am to 9.45 am Introduction to Responsible Managers’ duties (including light breakfast from 7.30am)

Session 2
10 am to 11am Marketing issues:
advertising credit and financial services, dealing with referrers and linked credit

Session 3
11.15 am to 1pm Privacy Act changes (including changes affecting marketing and credit reporting)

Light lunch

Session 4 Collections issues
1.45 pm to 3pm Credit enforcement update: hardship, mortgagee sales and resolving EDR Complaints

When and where
Brisbane 19 February 2013
Sydney 20 February 2013
Melbourne 26 February 2013
Adelaide 27 February 2013

Fees
Whole Program: $550.00 (incl GST)
$495 if you pay by 31 January 2013
$467.50 per person if 3 or more attend from same organisation
OR
All sessions bookable separately
Session 1 $200 (incl GST) ($180 if paid by 31 January 2013)
Sessions 2, 3 and 4 $165 each (incl GST) ($148.50 each if paid by 31 January 2013)

Register now
Brisbane
Sydney
Melbourne
Adelaide

Print This Post Print This Post

Posted 4th December 2012 by David Jacobson in Compliance, Corporations Act, Financial Services, Marketing, National Credit Code, Privacy

November 29, 2012

Privacy Amendment Bill passed

The Senate amendments to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 were agreed to by the House of Representatives on 29 November and the Bill is awaiting Royal Assent. (Background).

Although the reforms will likely commence in March 2014, on a date 15 months after Royal Assent, once the credit reporting provisions commence credit providers will be able to use credit information collected from the date of Royal Assent.

Civil penalties of up to 2,000 penalty units (equivalent to $340,000) are imposed for breaches of the credit reporting provisions in the Act.

If the offending entity is a body corporate the maximum penalty is 5 times the amount of the pecuniary penalty specified for the civil penalty provision (ie a maximum of $1.7million.)

You can see the Privacy Commissioner’s response here

Print This Post Print This Post

Posted 29th November 2012 by David Jacobson in Financial Services, Marketing, National Credit Code, Privacy

November 28, 2012

Privacy Bill passes Senate

The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 has been passed by the Senate, with amendments.

The Bill will now been sent back to the House of Representatives to approve the changes. UPDATE: Amendments approved by House of Reps. More here.

The commencement period of the Bill has been delayed to 15 months after Royal Assent (instead of 9 months).

A number of these amendments respond to the recommendations of the Senate Legal and Constitutional Affairs Legislation Committee’s (the Committee) report into the Bill.

Apart from technical clarifications the changes:

  • Specify that at least 14 days must elapse from the giving of a written notice before a default is recorded as part of an individual’s credit reporting information
  • allow mortgage insurers, who are not credit licensees, to access repayment history information.
  • insert additional matters that must be contained in a credit provider’s policy.
  • insert additional notification obligations which a credit provider must satisfy at, or as soon as practicable after, the collection of information.

Langes will be working with clients to help with the transition.

Background
The Bill amends the Privacy Act to:
• Create the Australian Privacy Principles (APPs), a single set of privacy principles applying to both Commonwealth agencies and private sector organisations, which replace the Information Privacy Principles (IPPs) for the public sector and the National Privacy Principles (NPPs) for the private sector
• Introduce more comprehensive credit reporting with improved privacy protections, at the same time updating the provisions to more effectively address the significant developments in the operation of the credit reporting system since the provisions were first enacted in 1990
• Introduce new provisions on privacy codes and the credit reporting code (called the CR code), including powers for the Commissioner to develop and register codes in the public interest that are binding on specified agencies and organisations; and
• Clarify the functions and powers of the Privacy Commissioner and improve the Commissioner’s ability to resolve complaints, recognise and encourage the use of external dispute resolution services, conduct investigations and promote compliance with privacy obligations.

Print This Post Print This Post

Posted 28th November 2012 by David Jacobson in National Credit Code, Privacy
« Newer PostsOlder Posts »