AUSTRALIAN COMPUTER SOCIETY
Incorporated in A.C.T.
P.O. Box 319, Darlinghurst NSW 2010, AUSTRALIA
Telephone (02) 211 5855, Telex: AA177029 ACSINC, Fax (02) 281 1208
Consumer Credit Reporting and Information Privacy Regulation
Every so often, the media subjects credit bureaux to vague allegations
accompanied by mild hysteria. This paper provides background information about
the operation of credit bureaux in Australia, and identifies the basis for
concern.
The Australian Computer Society's policy on the matter is as follows:
- Consumer credit reporting should now be the subject of statutory
regulation:
  - nationally; and
  - in a manner which:
    - provides the Privacy Commissioner with appropriate investigation, audit,
    supervisory and enforcement powers; and
    - gives rise to rights which consumers themselves can enforce.
- Time is needed for the proposed regulatory system to be created, come into
effect, and reach maturity.
- Any extensions to consumer credit reporting practices should be precluded
for a considerable period (say three years) after the new regulatory scheme has
been put into place. This moratorium needs to be implemented immediately, to
prevent the Payment Performance System proposed by the dominant credit bureau
being implemented, and then argued to be a fait accompli.
- Any extensions to existing consumer credit reporting practices should
require explicit approval either by Parliament, or by the Privacy
Commissioner.
Roger Clarke
Chair of the Economic, Legal and Social Implications Committee
of the Australian Computer Society (ACS ELSIC)
Reader in Information Systems
Department of Commerce
Australian National University
ANU: (062) 49 3666
Fax: (062) 48 0026
1. BACKGROUND
The functions of a consumer credit bureau are:
- to gather information, from various sources, concerning consumers who have
been or may be involved in credit-related transactions; and
- to provide that information to its clients.
For the last decade, the consumer credit reporting industry throughout mainland
Australia has been dominated by the Sydney-based company Credit Reference
Association of Australia Ltd (CRAA), which was established by the finance
industry in 1968, and is owned by it. CRAA claims to have records on 11
million individuals and trading organisations, 4800 clients and 95% of the
consumer credit reporting market (CRAA Background Paper, March 1989, p.1). It
also claims 50% of the commercial credit reporting market (concerned with
businesses and companies).
In addition to organisations which the public would readily recognise as
credit-grantors, CRAA has clients whose activities are only within the credit
industry on a very broad interpretation of the term. Less obvious clients for
its credit data include mercantile agents, real estate agents, insurance
companies, Telecom and the Australian Tax Office. Since 1983, CRAA has also
provided closely related data collection, storage and dissemination services
relating to insurance claims (p.7-8).
The nature of credit data stored by CRAA is of two major types:
- data concerning consumers with poor credit performance, in particular
reports on bankruptcies, court judgments relating to debts, and defaults on
loans; and
- a list of all enquiries made by credit-grantors during the last five
years.
Unlike some overseas bureaux, CRAA does not assign ratings to consumers.
However, it is currently proposing to considerably increase the amount and
intrusiveness of data to be collected, stored and disseminated. It refers to
the scheme as 'positive reporting' and the software as the Payment Performance
System (PPS).
Consumer credit reporting is subject to some controls in some states, and a
voluntary agreement with the N.S.W. Privacy Committee in N.S.W. In practice,
the terms of the voluntary agreement are applied in all states, and the
statutes largely ignored.
This paper first identifies matters of concern arising from CRAA's current
operations, and states A.C.S. policy on the matter. The final section
discusses CRAA's proposal for enhancement of its system.
2. CONCERNS ABOUT CURRENT PRACTICES
2.1 Public Opinion
Information privacy is highly valued by the Australian public, as evidenced by
the very substantial movement against the Australia Card in late 1987. Judging
by the last decade's complaints and enquiries to the country's only
long-standing privacy 'watchdog', the N.S.W. Privacy Committee, the public
regards consumer credit reporting as the largest single information privacy
issue. The Australian public could be expected to be prepared to trade off
some other values in return for a reasonably high level of credit information
privacy, e.g. by accepting higher one-time charges for loan applications, and
if necessary higher loan interest rates to compensate lenders for a higher
delinquency rate on loans.
2.2 Limitation of Data Use to Its Original Purposes
It is fundamental to all major sets of Information Privacy Principles (e.g.
those of the OECD and the Commonwealth Privacy Act 1988) that personal data
should be used only for the purposes for which it was collected, subject to
such exceptions as consent, authority of law, and emergencies. Data about
bankruptcies and court judgments concerning debts are, in Australia, a matter
of public record, and could be argued to be free of any such constraints on
their use. However data about defaults on loans is not public, and nor is data
about enquiries by credit-grantors.
CRAA clients appear to be under few limitations as to the purposes for which
they may seek and use reports. They are allowed to use them "for legitimate
commercial purposes", except "pre-employment checks" (CRAA, pp. 2, 15), "the
sale of direct marketing lists" (p.2) and "private investigation purposes"
(p.15). This implies that the data may be used for any other business purpose
(including checking of current employees, pre-checking of tenants, location of
missing debtors, validation or qualification of direct marketing lists, etc).
CRAA's operations result in credit data being used for a variety of purposes,
some of which are at best loosely related to the original purpose of
collection. It is even used by some clients for entirely different purposes.
In particular, insurers enquiring about a person's record in relation to
insurance claims are also provided with information relating to credit (e.g.
CRAA, p.27).
2.3 Extensibility of the Clientele
Originally, CRAA's clients were all credit-grantors. During its twenty years
of operation, the definition of 'credit' has proven to be very malleable, and
real estate agents, mercantile agents (debt collectors), Telecom and the Tax
Office have been deemed to provide credit services. CRAA now defines its
clientele to be "any legitimate and reputable business enterprise which
supplies credit or insurance services to the public" (p.16). CRAA's database
therefore exhibits the quality referred to in the U.S.A. as 'function creep',
in that it progressively gains new uses over time.
As a result of the extension of CRAA's operations in 1983 to include insurance
services, two sensitive multi-source databases are maintained for different
purposes within a single organisation, and their contents and uses mingled.
CRAA adapts the definition of its clientele on an ongoing basis. Coupled with
the use of data for purposes other than the original purpose of collection,
this results in a great deal of personal data being made available to a great
many organisations for a wide range of purposes.
2.4 Data Quality
The volume of data collected, stored and disseminated by CRAA is very large.
In addition, the data is supplied by organisations which have little direct
interest in the quality of the data - they supply it merely as a condition of
gaining access to other data supplied by other organisations. As a result, the
quality of the data (in particular its accuracy, timeliness and completeness)
is of a low order.
Particular difficulties arise in ensuring that errors are detected and
corrected, and that sufficient data is recorded to provide a complete picture.
For example, "many credit providers ... often made erroneous or incomplete
reports to [CRAA] [or] would fail to report on transactions with consumers
(e.g. the payment of a debt)" (N.S.W. Privacy Committee, Annual Report 1984,
p.30); "often information is not updated as expeditiously as it might be"
(Annual Report, 1985, p.66); "one major area of concern is the failure of
credit providers who have listed defaults with CRAA to update these listings
when the debt is paid" (Annual Report, 1986, p.37); and "the Committee
continues to receive complaints from consumers that credit providers who have
listed their defaults with the credit bureau failed to update the listing when
paid" (Annual Report, 1987, p.32).
2.5 Data Security
The data held includes:
- identification data (full name, date of birth and driver's licence number);
- present and recent addresses;
- occupation and employer;
- spouse's identification data;
- spouse's employment;
- cross-references to other persons (such as business partners);
- details of directorships;
- negative credit data (including bankruptcies, court judgments and default
reports by CRAA clients);
- data about enquiries made of CRAA by mercantile agents (i.e. debt
collectors);
- data about enquiries made of CRAA by CRAA's credit-granting clients;
- data about enquiries made of CRAA by CRAA's other clients;
- data about insurance claims; and
- audit data.
A person's credit data is privacy-sensitive. So too is a person's address,
since any database with substantial coverage of the population is a potential
locator device. That name-and-address registers are a privacy concern is
attested to by the revulsion against the Australia Card, and by at least some
proportion of the 6% of telephone subscribers who pay Telecom's extra charges
in order to be 'ex-directory'.
CRAA takes precautions against access to its data by unauthorised persons.
Where access is sought by telephone, the caller must provide their client code
and a name. Terminal and PC access, whether by leased line or dial-up,
requires an account and password. However the security precautions are very
limited, given the data's sensitivity. In particular, there are well over
10,000 separate access points throughout Australia, from which any person's
data may be accessed. There is no mechanism to enforce deletion of old
passwords, or regular change of existing ones.
2.6 Data Subject Rights
Since 1976, under the Voluntary Agreement with the N.S.W. Privacy Committee,
CRAA has provided data subjects with access to the data held about them. CRAA
advises that 30,000 reports per annum are currently issued to data subjects, of
which 8,000 result from requests after loan applications have been rejected,
and are provided gratis. Requests under other circumstances incur a fee of
$5.
However, data subjects are only made aware of the existence of the bureau files
when they are refused credit "principally because of a bureau report". The
wording of CRAA's suggested letter to data subjects in such circumstances uses
the words "in the light of" instead of "principally because of", and makes no
mention of their rights to have a copy of the data, inviting them to make
contact only "should you wish to question the contents of" the CRAA report.
Further, the suggested wording provides a telephone number, but does not
include the (Sydney) STD code. From a limited amount of testing, it appears
that there may be insufficient lines and/or operators to cope with demand.
Further, subject access rights apply to identification and credit data held,
but apparently not to enquiries from real estate agents or insurers, or to data
concerning insurance claims or audit.
2.7 Self-Regulation
Few incentives and disincentives exist to encourage CRAA's clients to comply
with the Voluntary Agreement, to facilitate subject access, and to ensure that
data they provide to the bureau is accurate and complete.
CRAA states that it is willing and able to discipline its clients if they fail
to comply. However serious doubts exist about this. Few clients appear to
have ever been suspended, had their memberships cancelled, or had specific
employees suspended, for breach of CRAA rules. In 1985, when the Secretary of
a Hibernian Credit Union was found to have made an enquiry for purposes other
than credit granting (and in the process invented an application for a $50,000
mortgage loan), CRAA failed to discipline either its client or the client's
employee (N.S.W. Privacy Committee Annual Report, 1985, pp.92-98). Even a
Report to Parliament, the N.S.W. Privacy Committee's ultimate sanction, had no
effect.
Further, there is very little to preclude CRAA from changing its practices
without notice, or varying them between states.
The N.S.W. Privacy Committee, which instigated the Voluntary Agreement with
CRAA in 1976, decided in 1984 that self-regulation was insufficient, and that
"the time is now ripe for information privacy legislation" (Annual Report,
1984, p.31).
2.8 Conclusions and A.C.S. Policy
Self-regulation has been trialled for 13 years, and has proven inadequate.
Consumer credit reporting should now be the subject of statutory regulation:
  - nationally; and
  - in a manner which:
    - provides the Privacy Commissioner with appropriate investigation, audit,
    supervisory and enforcement powers; and
    - gives rise to rights which consumers themselves can enforce.
A representative of the Australian Computer Society wrote to and met with the
Commonwealth Minister for Consumer Affairs in early 1988, in order to
communicate this policy.
2.9 Subsequent Events
During the latter part of 1988, CRAA publicised its intention to intensify its
data collection and dissemination practices along the lines outlined in the
following section. This intensified public concerns about its operations, and
on 19 April 1989, a 'Summit' was sponsored by the Privacy Foundation. The
meeting was attended by 6 Federal Parliamentarians (representing the
Government, the Opposition and the Democrats), and 24 representatives of CRAA,
credit grantors, State government agencies, consumer and civil liberties groups
and the Australian Computer Society.
At the conclusion of the Summit, the Minister for Consumer Affairs announced
that the Federal Government intends shortly to extend the Privacy Act 1988,
which originally applied only to Commonwealth Government agencies, to cover the
consumer credit reporting industry.
The following section provides an outline of CRAA's proposal to extend its
system, identifies concerns, and states A.C.S. policy on the matter.
3. PROPOSED FUTURE PRACTICES
3.1 Background
CRAA proposes to extend the scope of the data it holds on credit consumers to
include "the recording of all or most of a person's current commitments"
(pp.17-23). It stated in early 1989 that it intended implementing the modified
system by mid-1989. CRAA uses the term 'Positive Reporting' for this proposal,
to emphasise that some of the additional data to be collected, stored and
disseminated will tend to reflect positively on the consumer's credit record.
CRAA also refers to the proposed service as the Payment Performance System
(PPS). It is an idea pioneered in the U.S.A., and now used in some other parts
of the Western world, including the U.K., CRAA claims, since 1985.
Under PPS, credit providers would supply CRAA with tapes containing their
customers' credit accounts. This data would be merged with previously recorded
data every 30 to 60 days. Reports would then contain a complete listing of all
known credit accounts, balances owing (at some recent point in time), and the
consumer's payment performance on every account during the previous 24 payment
periods. Payment performance would be expressed in a single-character code at
the end of each payment period (e.g. 0 = up to date, 1-9 = 1-9 instalments due,
C = clearout, D = default, L = legal action commenced, W = write-off, etc).
Payments 120 days or more overdue would result in a default report being
generated automatically.
The stated intention in proposing PPS is to enable credit-grantors to make "an
immediate decision ... based on the information supplied by the applicant and
the level of commitment shown in the credit report" (p.19), and hence reduce
the costs of the application assessment process. In addition, CRAA contends
that the increased amount of data would contribute to an increase in the
quality of the credit-granting decision-process, and hence a decline in the
delinquency rate.
It is proposed that (at least initially) access to PPS would be restricted to a
'closed user group' (p.20) of perhaps the major 50 financiers, responsible for
perhaps 85% of lending. However, automatically generated default reports would
be available to all clients.
3.2 Concerns
CRAA's proposed PPS system would create a central databank of credit data, to
facilitate the interchange of data amongst many organisations. It would make
access to CRAA data very attractive to many additional organisations for many
additional purposes. Given the very limited constraints on 'function creep',
significant additional uses could be expected to accrue. It is therefore an
extremely privacy-invasive measure, which demands substantial justification.
Beyond bland statements regarding reduced lending costs and delinquency rates,
no case for PPS has been published. Such a case should be prepared, and made
available for public comment. Whether the benefits justify the financial and
qualitative costs should be assessed by an independent body or person such as
Parliament or the Privacy Commissioner. Financial justification would not be
easy, considering that:
- Australia has a relatively low delinquency rate (which CRAA suggests is c.
1%, cf. 2.7% in the U.S.A. - p.18);
- the updating cycle proposed is quite slow (p.19); and
- the data about each person's current indebtedness and commitments will be
far from complete, due to the non-inclusion of many smaller credit-grantors
(many of whom are CRAA members), and various other lenders such as solicitors
and rich aunts. Moreover, many of the potential problem-borrowers are
especially likely to borrow from fringe institutions which are not part of the
scheme, and would be unreliable sources of data even if they were included.
Finally, in the event that PPS were to proceed, it would require far higher
standards of control against purpose, data quality, data security, subject
access and client discipline than has been the case until now.
3.3 Conclusions and A.C.S. Policy
- Time is needed for the proposed regulatory system to be created, come into
effect, and reach maturity.
- Any extensions to consumer credit reporting practices should be precluded
for a considerable period (say three years) after the new regulatory scheme has
been put into place. This moratorium needs to be implemented immediately, to
prevent the Payment Performance System proposed by CRAA from being
implemented, and then argued to be a fait accompli.
- Any extensions to existing consumer credit reporting practices should
require explicit approval either by Parliament, or by the Privacy
Commissioner.
3.4 Subsequent Events
During the Summit on 19 April 1989, it was announced that CRAA's Board has
acceded to a request from the Commonwealth Minister for Consumer Affairs to
delay implementation until 1990.
At the conclusion of the Summit, the Minister announced that the Government was
considering whether to refer consideration of PPS to the Privacy Commissioner
or the Senate Standing Committee on Legal and Constitutional Affairs.
Last Amended: 13 October 1995
These community service pages are a joint offering
of the Australian National University (which provides the infrastructure), and
Roger Clarke (who provides the content).