AUSTRALIAN COMPUTER SOCIETY
Incorporated in A.C.T.

P.O. Box 319, Darlinghurst NSW 2010, AUSTRALIA
Telephone (02) 211 5855, Telex: AA177029 ACSINC, Fax (02) 281 1208
Consumer Credit Reporting and Information Privacy Regulation

Every so often, the media subjects credit bureaux to vague allegations accompanied by mild hysteria. This paper provides background information about the operation of credit bureaux in Australia, and identifies the basis for concern.

The Australian Computer Society's policy on the matter is as follows:

  1. Consumer credit reporting should now be the subject of statutory regulation:
  2. Time is needed for the proposed regulatory system to be created, come into effect, and reach maturity.
  3. Any extensions to consumer credit reporting practices should be precluded for a considerable period (say three years) after the new regulatory scheme has been put into place. This moratorium needs to be implemented immediately, to prevent the Payment Performance System proposed by the dominant credit bureau being implemented, and then argued to be a fait accompli.
  4. Any extensions to existing consumer credit reporting practices should require explicit approval either by Parliament, or by the Privacy Commissioner.

Roger Clarke

Chair of the Economic, Legal and Social Implications Committee

of the Australian Computer Society (ACS ELSIC)

Reader in Information Systems

Department of Commerce

Australian National University

ANU: (062) 49 3666

Fax: (062) 48 0026

1. BACKGROUND

The functions of a consumer credit bureau are:

For the last decade, the consumer credit reporting industry throughout mainland Australia has been dominated by the Sydney-based company Credit Reference Association of Australia Ltd (CRAA), which was established by the finance industry in 1968, and is owned by it. CRAA claims to have records on 11 million individuals and trading organisations, 4800 clients and 95% of the consumer credit reporting market (CRAA Background Paper, March 1989, p.1). It also claims 50% of the commercial credit reporting market (concerned with businesses and companies).

In addition to organisations which the public would readily recognise as credit-grantors, CRAA has clients whose activities are only within the credit industry on a very broad interpretation of the term. Less obvious clients for its credit data include mercantile agents, real estate agents, insurance companies, Telecom and the Australian Tax Office. Since 1983, CRAA has also provided closely related data collection, storage and dissemination services relating to insurance claims (p.7-8).

The nature of credit data stored by CRAA is of two major types:

Unlike some overseas bureaux, CRAA does not assign ratings to consumers. However, it is currently proposing to considerably increase the amount and intrusiveness of data to be collected, stored and disseminated. It refers to the scheme as 'positive reporting' and the software as the Payment Performance System (PPS).

Consumer credit reporting is subject to some controls in some states, and a voluntary agreement with the N.S.W. Privacy Committee in N.S.W. In practice, the terms of the voluntary agreement are applied in all states, and the statutes largely ignored.

This paper first identifies matters of concern arising from CRAA's current operations, and states A.C.S. policy on the matter. The final section discusses CRAA's proposal for enhancement of its system.

2. CONCERNS ABOUT CURRENT PRACTICES

2.1 Public Opinion

Information privacy is highly valued by the Australian public, as evidenced by the very substantial movement against the Australia Card in late 1987. Judging by the last decade's complaints and enquiries to the country's only long-standing privacy 'watchdog', the N.S.W. Privacy Committee, the public regards consumer credit reporting as the largest single information privacy issue. The Australian public could be expected to be prepared to trade off some other values in return for a reasonably high level of credit information privacy, e.g. by accepting higher one-time charges for loan applications, and if necessary higher loan interest rates to compensate lenders for a higher delinquency rate on loans.

2.2 Limitation of Data Use to Its Original Purposes

It is fundamental to all major sets of Information Privacy Principles (e.g. those of the OECD and the Commonwealth Privacy Act 1988) that personal data should be used only for the purposes for which it was collected, subject to such exceptions as consent, authority of law, and emergencies. Data about bankruptcies and court judgments concerning debts are, in Australia, a matter of public record, and could be argued to be free of any such constraints on their use. However, data about defaults on loans is not public, nor is data about enquiries by credit-grantors.

CRAA clients appear to be under few limitations as to the purposes for which they may seek and use reports. They are allowed to use it "for legitimate commercial purposes", except "pre-employment checks" (CRAA, pp. 2, 15), "the sale of direct marketing lists" (p.2) and "private investigation purposes" (p.15). This implies that the data may be used for any other business purpose (including checking of current employees, pre-checking of tenants, location of missing debtors, validation or qualification of direct marketing lists, etc).

CRAA's operations result in credit data being used for a variety of purposes, some of which are at best loosely related to the original purpose of collection. It is even used by some clients for entirely different purposes. In particular, insurers enquiring about a person's record in relation to insurance claims are also provided with information relating to credit (e.g. CRAA, p.27).

2.3 Extensibility of the Clientele

Originally, CRAA's clients were all credit-grantors. During its twenty years of operation, the definition of 'credit' has proven to be very malleable, and real estate agents, mercantile agents (debt collectors), Telecom and the Tax Office have been deemed to provide credit services. CRAA now defines its clientele to be "any legitimate and reputable business enterprise which supplies credit or insurance services to the public" (p.16). CRAA's database therefore exhibits the quality referred to in the U.S.A. as 'function creep', in that it progressively gains new uses over time.

As a result of the extension of CRAA's operations in 1983 to include insurance services, two sensitive multi-source databases are maintained for different purposes within a single organisation, and their contents and uses mingled.

CRAA adapts the definition of its clientele on an ongoing basis. Coupled with the use of data for purposes other than the original purpose of collection, this results in a great deal of personal data being made available to a great many organisations for a wide range of purposes.

2.4 Data Quality

The volume of data collected, stored and disseminated by CRAA is very large. In addition, the data is supplied by organisations which have little direct interest in the quality of the data - they supply it merely as a condition of gaining access to other data supplied by other organisations. As a result, the quality of the data (in particular its accuracy, timeliness and completeness) is of a low order.

Particular difficulties arise in ensuring that errors are detected and corrected, and that sufficient data is recorded to provide a complete picture. For example, "many credit providers ... often made erroneous or incomplete reports to [CRAA] [or] would fail to report on transactions with consumers (e.g. the payment of a debt)" (N.S.W. Privacy Committee, Annual Report 1984, p.30); "often information is not updated as expeditiously as it might be" (Annual Report, 1985, p.66); "one major area of concern is the failure of credit providers who have listed defaults with CRAA to update these listings when the debt is paid" (Annual Report, 1986, p.37); and "the Committee continues to receive complaints from consumers that credit providers who have listed their defaults with the credit bureau failed to update the listing when paid" (Annual Report, 1987, p.32).

2.5 Data Security

The data held includes:

A person's credit data is privacy-sensitive. So too is a person's address, since any database with substantial coverage of the population is a potential locator device. That name-and-address registers are a privacy concern is attested to by the revulsion against the Australia Card, and by at least some proportion of the 6% of telephone subscribers who pay Telecom's extra charges in order to be 'ex-directory'.

CRAA takes precautions against access to its data by unauthorised persons. Where access is sought by telephone, the caller must provide their client code and a name. Terminal and PC access, whether by leased line or dial-up, requires an account and password. However the security precautions are very limited, given the data's sensitivity. In particular, there are well over 10,000 separate access points throughout Australia, from which any person's data may be accessed. There is no mechanism to enforce deletion of old passwords, or regular change of existing ones.

2.6 Data Subject Rights

Since 1976, under the Voluntary Agreement with the N.S.W. Privacy Committee, CRAA has provided data subjects with access to the data held about them. CRAA advises that 30,000 reports per annum are currently issued to data subjects, of which 8,000 result from requests after loan applications have been rejected, and are provided gratis. Requests under other circumstances incur a fee of $5.

However, data subjects are only made aware of the existence of the bureau files when they are refused credit "principally because of a bureau report". The wording of CRAA's suggested letter to data subjects in such circumstances uses the words "in the light of" instead of "principally because of", and makes no mention of their rights to have a copy of the data, inviting them to make contact only "should you wish to question the contents of" the CRAA report. Further, the suggested wording provides a telephone number, but does not include the (Sydney) STD code. From a limited amount of testing, it appears that there may be insufficient lines and/or operators to cope with demand.

Further, subject access rights apply to identification and credit data held, but apparently not to enquiries from real estate agents or insurers, or to data concerning insurance claims or audit.

2.7 Self-Regulation

Few incentives and disincentives exist to encourage CRAA's clients to comply with the Voluntary Agreement, to facilitate subject access, and to ensure that data they provide to the bureau is accurate and complete.

CRAA states that it is willing and able to discipline its clients if they fail to comply. However serious doubts exist about this. Few clients appear to have ever been suspended, had their memberships cancelled, or had specific employees suspended, for breach of CRAA rules. In 1985, when the Secretary of a Hibernian Credit Union was found to have made an enquiry for purposes other than credit granting (and in the process invented an application for a $50,000 mortgage loan), CRAA failed to discipline either its client or the client's employee (N.S.W. Privacy Committee Annual Report, 1985, pp.92-98). Even a Report to Parliament, the N.S.W. Privacy Committee's ultimate sanction, had no effect.

Further, there is very little to preclude CRAA from changing its practices without notice, or varying them between states.

The N.S.W. Privacy Committee, which instigated the Voluntary Agreement with CRAA in 1976, decided in 1984 that self-regulation was insufficient, and that "the time is now ripe for information privacy legislation" (Annual Report, 1984, p.31).

2.8 Conclusions and A.C.S. Policy

Self-regulation has been trialled for 13 years, and has proven inadequate. Consumer credit reporting should now be the subject of statutory regulation:

A representative of the Australian Computer Society wrote to and met with the Commonwealth Minister for Consumer Affairs in early 1988, in order to communicate this policy.

2.9 Subsequent Events

During the latter part of 1988, CRAA publicised its intention to intensify its data collection and dissemination practices along the lines outlined in the following section. This intensified public concerns about its operations, and on 19 April 1989, a 'Summit' was sponsored by the Privacy Foundation. The meeting was attended by 6 Federal Parliamentarians (representing the Government, the Opposition and the Democrats), and 24 representatives of CRAA, credit grantors, State government agencies, consumer and civil liberties groups and the Australian Computer Society.

At the conclusion of the Summit, the Minister for Consumer Affairs announced that the Federal Government intends shortly to extend the Privacy Act 1988, which originally applied only to Commonwealth Government agencies, to cover the consumer credit reporting industry.

The following section provides an outline of CRAA's proposal to extend its system, identifies concerns, and states A.C.S. policy on the matter.

3. PROPOSED FUTURE PRACTICES

3.1 Background

CRAA proposes to extend the scope of the data it holds on credit consumers to include "the recording of all or most of a person's current commitments" (pp.17-23). It stated in early 1989 that it intended implementing the modified system by mid-1989. CRAA uses the term 'Positive Reporting' for this proposal, to emphasise that some of the additional data to be collected, stored and disseminated will tend to reflect positively on the consumer's credit record. CRAA also refers to the proposed service as the Payment Performance System (PPS). It is an idea pioneered in the U.S.A., and now used in some other parts of the Western world, including (CRAA claims) the U.K. since 1985.

Under PPS, credit providers would supply CRAA with tapes containing their customers' credit accounts. This data would be merged with previously recorded data every 30 to 60 days. Reports would then contain a complete listing of all known credit accounts, balances owing (at some recent point in time), and the consumer's payment performance on every account during the previous 24 payment periods. Payment performance would be expressed in a single-character code at the end of each payment period (e.g. 0 = up to date, 1-9 = 1-9 instalments due, C = clearout, D = default, L = legal action commenced, W = write-off, etc). Payments 120 days or more overdue would result in a default report being generated automatically.

The stated intention in proposing PPS is to enable credit-grantors to make "an immediate decision ... based on the information supplied by the applicant and the level of commitment shown in the credit report" (p.19), and hence reduce the costs of the application assessment process. In addition, CRAA contends that the increased amount of data would contribute to an increase in the quality of the credit-granting decision-process, and hence a decline in the delinquency rate.

It is proposed that (at least initially) access to PPS would be restricted to a 'closed user group' (p.20) of perhaps the major 50 financiers, responsible for perhaps 85% of lending. However, automatically generated default reports would be available to all clients.

3.2 Concerns

CRAA's proposed PPS system would create a central databank of credit data, to facilitate the interchange of data amongst many organisations. It would make access to CRAA data very attractive to many additional organisations for many additional purposes. Given the very limited constraints on 'function creep', significant additional uses could be expected to accrue. It is therefore an extremely privacy-invasive measure, which demands substantial justification.

Beyond bland statements regarding reduced lending costs and delinquency rates, no case for PPS has been published. Such a case should be prepared, and made available for public comment. Whether the benefits justify the financial and qualitative costs should be assessed by an independent body or person such as Parliament or the Privacy Commissioner. Financial justification would not be easy, considering that:

Finally, in the event that PPS were to proceed, it would require far higher standards of control against purpose, data quality, data security, subject access and client discipline than has been the case until now.

3.3 Conclusions and A.C.S. Policy

3.4 Subsequent Events

During the Summit on 19 April 1989, it was announced that CRAA's Board had acceded to a request from the Commonwealth Minister for Consumer Affairs to delay implementation until 1990.

At the conclusion of the Summit, the Minister announced that the Government was considering whether to refer consideration of PPS to the Privacy Commissioner or the Senate Standing Committee on Legal and Constitutional Affairs.

Last Amended: 13 October 1995

These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).