General Information Paper
The Credit Reporting Privacy Code 2004 was issued by the Privacy Commissioner on 6 December 2004. Two specific provisions come into force on 1 April 2005 and the balance of the code comes into force on 1 April 2006.
This paper contains some general information about the code and about the privacy issues arising from credit reporting. A further information paper is available on changes made to the proposed code issued in 2003 as a result of public consultation.
The Code of Practice
In New Zealand, the Privacy Act 1993 introduced a general set of information privacy principles and legal enforcement mechanisms. These generic provisions have regulated the handling of personal information by both credit reporters and subscribers. This has brought key benefits to individuals such as the rights of access and correction. However, difficulties have been encountered. Several years ago, the previous Privacy Commissioner concluded that there would be merit in a code of practice. The current Commissioner, having studied the matter and the submissions on the code, agrees and believes that the code she has now issued will bring benefits to individuals and business alike.
The credit industry engaged fully with the Office of the Privacy Commissioner during the statutory consultation process and in subsequent discussions. Many helpful suggestions have been made about the workability of proposed solutions and ways to minimise compliance costs. Substantial changes were made to accommodate these suggestions.
The consultation process leading up to the issuing of the code is more fully explained in the accompanying “Information Paper on Changes to Notified Code”.
The code addresses the 7 key privacy concerns set out below and a number of other issues. It places a high value on improving the accuracy of credit reporting which is an interest that individuals, credit providers and credit reporters all share. It enhances the transparency and openness of the process and provides opportunities for individuals to have a measure of control over the way in which their personal information is handled. It limits the secondary uses of credit information and reduces the opportunities for misuse. It emphasises effective complaints handling procedures and provides greater certainty about how long information will be retained.
What is credit reporting?
Credit reporters occupy an important place in the modern business world. Without them, lending decisions would be more time consuming and less reliable. Their existence is clearly of benefit to credit providers but they can provide benefits to consumers as well. At the same time, it should be recognised that credit reporters hold large amounts of often very sensitive information about most of the adult population of New Zealand.
In any consumer credit transaction, the provider of credit needs to assess the ability of the customer to repay the sum advanced. At the time of an application for credit, the consumer is asked to supply certain information. This information provides a basis for a decision and for making further enquiries. Recourse to a credit reporter can identify information that has not been declared or provide verification of certain other details.
Credit reporters hold huge databases of personal information that has been collected from credit providers such as banks, retailers and utility companies. This may be supplemented with information from publicly available sources such as official lists of undischarged bankrupts. Very little of the information is collected directly from the individuals themselves.
This credit information, which includes identification information as well as aspects of the credit history of most adult New Zealanders, is made available to businesses that subscribe to the service. The majority of subscribers are credit providers for whom the system was established. However, over the years practices have grown up with some credit reporters of allowing broad access to the databases. Credit reporting procedures have evolved from manually recorded information and paper based reports to highly automated electronic systems producing almost instantaneous responses to enquiries. New Zealand’s major credit reporters generate around 18,000 consumer credit reports daily.
Why does credit reporting raise privacy concerns?
Credit reporters amass and sell personal information. While credit reporters provide a valuable service, they do not collect their information directly from the subjects of that information. Some of the financial information is highly sensitive and comes from institutions such as banks that would normally have a duty to maintain the confidentiality of the information. Any mishandling or inaccuracy in the information has the potential to cause real harm to particular individuals.
Individuals have no direct relationship with the credit reporter and have no choice about which credit reporter records their details. They cannot remove themselves from these private databases even if they are dissatisfied with the way in which their personal information is handled. There is concern about the databases being open to access by businesses that are not involved in granting credit.
Accuracy
Accuracy is a prime concern to those seeking, and granting, credit. Credit reports reflect on an individual’s financial reputation and reporting inaccurate information may cause considerable embarrassment as well as adverse credit decisions. Even if credit is not refused, inaccuracies may affect the rate of interest and other terms. Credit reporters also have an interest in ensuring that the reports provided to their clients are as accurate as possible.
The nature of credit reporting raises special risks of inaccuracy. Credit reporters are not parties to any actual credit transactions and do not collect their information directly from the subject. They are very dependent on the quality of information supplied by others. If inaccurate or disputed information is supplied by credit providers (perhaps through carelessness or as leverage to force payment of disputed debts) it will simply be added to the database. Most default information is not checked for accuracy by the credit reporter and has not been tested in court. Credit providers often fail to update default information as debts are paid off.
If internal mis-matching of information occurs, the information may be listed about the wrong individual or multiple individuals. Sometimes one individual may be represented on multiple files on a database, or information about more than one individual may be listed together in a file.
When an individual challenges a default listing on a credit report, credit reporters are normally unwilling to change the listing without the agreement of the credit provider. It can be a drawn-out and daunting process for some consumers, especially in relation to older matters where the credit provider who originally listed the information does not cooperate in verifying the information they have supplied.
Transparency
An important aspect of information privacy is transparency. Many New Zealanders are on credit reporting databases without being fully aware of the fact. Those who know they are on a database will typically be unaware of the exact information that is held about them or how it will be used. Consumers have no direct relationship with the credit reporter. Not all consumers realise that a simple credit check will generate a credit file that will be retained and updated for years to come and will be available to thousands of subscribers for a variety of uses.
Lack of transparency can lead to misunderstandings and suspicion. Individuals often have difficulty understanding why debts that have been repaid are still being reported. They can be surprised to learn that adverse information has been loaded without any notification to them or opportunity to verify or dispute the information. To enquire further about what information is held about them, individuals would normally first have to purchase a credit report.
Control
Consumers applying for credit have a measure of control insofar as individual authorisation is always required in order to carry out a credit check. An individual can decline to provide authorisation and no credit check will be made. However, an individual who withheld authorisation would be likely to be turned down for credit. Once they have authorised a particular credit check, the continued reporting process relating to that transaction is irreversible. They are not given the option to remove information from a database even if they have repaid any outstanding debt.
Subscribers are given direct and unmonitored access to the database. The system operates on the basis of contractual undertakings and trust. The existence of an authorisation is not checked by the credit reporter before a disclosure is made. Occasionally subscribers abuse this trust. Individuals are often unclear what they have authorised and are surprised to find disclosures being made many years later.
Secondary uses and function creep
Credit reporting can represent an inroad into expectations of privacy. However, it has a justification in the public interest in a modern society that values the easy availability of credit. The legitimacy of the credit reporting system is directly linked to the nature, risks and needs of the credit system. Many people readily accept the legitimacy of credit reporting when the database of information is accessible only to other credit providers.
However, some industry players have not limited themselves in this way. There has been a growth in secondary uses. Confidential personal information that was provided for credit related purposes is sometimes made available to users having no involvement in the grant of credit to the individual. This poses a challenge to privacy that cannot be cured by recourse to standard form, and effectively mandatory, authorisations. Sometimes access is given to government agencies.
In other countries credit reporters have expanded their activities to include the collection of many additional types of information, as well as a wide array of financial information. Various uses have sprung up such as pre-screening lists used for marketing purposes.
Misuse
A number of concerns exist about misuse of credit reporting systems, including the browsing of credit reporting databases for information about friends, colleagues, estranged spouses or prominent people. Direct access to the database creates special risks. Without suitable “electronic footprints” and effective checking and auditing, misuse can occur and remain undetected. Overseas, the growth of identity theft and other forms of credit fraud has presented major challenges to credit reporters.
Retention
The primary justification for the pooling and retaining of credit information is that past behaviour is a relevant factor in measuring current credit risk. The usefulness of some information diminishes over time. Once it ceases to be an indicator of current behaviour, the retention of old information can become contrary to privacy principles if no longer relevant.
Virtually all systems of credit reporting regulation require information to be removed from a database after a certain period. Any cut off date will have a certain arbitrary quality about it but there needs to be transparency about the practices adopted by each credit reporter.
Complaints
Some level of dispute between individuals and credit reporters or credit providers is inevitable given the nature and high volume (around 18,000 reports daily) of the credit reporting business. Credit reporters regularly feature in the annual list of the Privacy Commissioner’s top 10 agencies complained against. (It should be noted, however, that many complaints are resolved early with the credit reporter.) In addition, the Commissioner receives hundreds of enquiries about credit reporting. The credit reporters themselves are reported to receive enquiries and complaints numbering in the thousands.
Many of the complaints allege that information is inaccurate or has been improperly disclosed or retained. Some allege that credit providers have reported disputed debts, or have not acted upon a request for correction. Complaints are received about the level of charges made for obtaining access to one’s own information or for placing barriers to obtaining access (such as waivers against liability for any inaccuracy).
Credit reporters have complaints processes. But experience of complaint to the Privacy Commissioner suggests that some complainants can be frustrated at the credit reporter’s complaint handling procedures. Consumers sometimes feel that neither the credit reporter nor the credit provider seems willing to take responsibility for investigating or correcting inaccuracies. Disputed information may continue to be listed for long periods without resolution. Mismatched information may be corrected, only to be mismatched again when new information is listed.
How does the code address these privacy concerns?
The following material discusses aspects of the code in terms of the privacy issues just outlined. Some references to provisions of the code are given in brackets.
Benefits to individuals
Accuracy is a major concern to individuals and the code addresses it in a number of ways. One of the most significant is to require credit reporters to provide individuals with free copies of any credit information held about them, on request (see rule 6(5)(c) and clause 7). Removing charges as a barrier to access will enable individuals regularly to check their credit report and to seek correction of any inaccuracies. It will enable them to become “first auditors” of the information about themselves and also to detect cases of unauthorised access or evidence of identity theft or other fraud.
Credit reporters will need to ensure that information is regularly updated and that systems are in place to ensure that new information is correctly linked or matched to files on existing individuals (see rule 8). If information is disputed, it will need to be flagged or suppressed until its accuracy has been determined (see rule 7(3)(a)). This will need to be done promptly.
Credit reporters must take proactive steps to ensure accuracy of information held, such as conducting regular audits (rule 8(3)(c) and Schedule 3 clause 5), impose requirements on subscribers to check accuracy and update data (Schedule 3 clauses 2 and 3) and enforce these requirements. Credit reporters must also take measures to minimise incorrect data matching (rule 8(2)).
Transparency is another key theme. The code requires greater openness in dealing with individuals. Information must be given or be available about the purposes for which the information will be used and disclosed by credit reporters (see rule 3(2) and Schedule 3 clause 1). This will help to ensure that individuals are fully informed of the implications when they authorise a credit check. Comprehensive access logs can be viewed to ensure that all access is in accordance with the code or other law (see rule 5(2)(i) and Schedule 3 clause 7). This checking will be assisted by the requirement that each access must also record the purpose for which access was made and a means of identifying the accessor (see rule 5(4) and (5)). Defaults may not be listed unless steps have been taken to recover the debt (see paragraph (e) of the definition of “credit information”).
Control can only be exercised by the individual within fairly narrow parameters, but the code ensures that individuals are informed of their rights through clearer notifications (mentioned above) and the publication of the Summary of Rights (see rules 6(4) and 7(3) and clause 8(3)).
If things go wrong the code promotes clearer, faster and more effective dispute resolution procedures. For example, if a default entry is disputed, this must be flagged or suppressed while the correct facts are being checked (rule 7(3)). An internal complaints handling process is required to be provided and meet certain standards (clause 8).
Benefits to credit reporters and their subscribers
The code applies directly to credit reporters and will therefore require some changes to their practices. The extent of these changes will depend upon such matters as the current level of compliance with the information privacy principles and the extent to which a company’s current business practices accord with those required under the code. The code also indirectly affects other businesses, such as credit providers, that interact with credit reporters as subscribers or in some other way.
As already outlined in relation to consumers, the code seeks to promote greater accuracy in credit reporting. This has the potential to bring benefits to users of credit reporting services.
As also mentioned, the code promotes processes for better and prompter resolution of disputes. This is expected to benefit users of credit reporting services. Unresolved disputes can escalate into time consuming customer relations and complaints problems. It can also cause uncertainty, pending resolution, about the accuracy of information upon which business decisions must be based.
Since 1993, credit providers and others have needed to comply with high level principles in this relatively complicated area of information handling. The code tailors the information privacy principles to the practice of credit reporting. It is therefore expected that in certain areas, compliance both by credit reporters and subscribers will be more straightforward through more specific credit reporting rules. A simple example would be in relation to a complaint by an individual who had been discharged from bankruptcy three years before. This individual may complain that information on the bankruptcy should not appear on the credit reporter’s files any more. The Privacy Act applies a high level principle to this complaint and the test under principle 9 is whether the information could still be lawfully used. However, the code applies a permitted retention period which says that bankruptcy information may be kept “7 years from the date of order” (refer Schedule 1). The complaint could therefore be disposed of very easily and quickly.
Although the code tailors the privacy principles to credit reporting, the Commissioner has tried to avoid being overly prescriptive. To use the same example of retention periods, the code provides a standard set of retention periods which, if adhered to, will be compliant but does not impose them as mandatory. A particular credit reporter may depart from the retention periods in the Schedule but will need to justify their position in the event of a complaint.
While the code seeks to place limits on the information that may be reported, this largely reflects existing practice. If there were to be a case for a major change in the scope of information permitted to be reported in the future, this would need to be done by way of a change to this code. A change would be the subject of public consultation which is proper, given the significant effects on individuals involved. However, the code does provide some flexibility to report information beyond prevailing practice. For example, the code allows for the reporting of “serious credit infringements”, a category not currently reported on by the major New Zealand credit reporter. This provision is modelled upon Australian law.
Some subscribers to credit reporting systems do not “follow the rules” laid down by credit reporters and this can adversely affect others in the industry. For example, some credit providers may occasionally list disputed accounts with credit reporters in order to exert leverage over customers. Poor practices like this can reflect on reputable traders. The requirements of the code should see such practices identified earlier and appropriate corrective measures taken (failure to do so represents a breach of the standards imposed by the code).
Implementation and review of the code
A lengthy period has been provided before the code comes fully into effect. This should ease the implementation for credit reporters, particularly those that need to make computer system changes. It will also assist the subscribers who will be required, for instance, to enter into new subscriber contracts.
Codes of practice can be amended by the Privacy Commissioner at any time. The normal process to be followed involves public notification and a submission process, like that followed in issuing the code itself. If urgent problems emerge there is a special procedure whereby a temporary amendment can be made immediately. The processes for change are much more flexible than for an Act of Parliament. Accordingly, the code provides a good framework within which businesses, such as credit reporters and subscribers, can make a case for further refinement of the rules to meet their needs.
To take advantage of this new flexible regulatory environment, the Commissioner has undertaken to review the code two years after it commences, in the light of experience of its operation. While the Commissioner would not wish to make unnecessary changes of a fundamental nature during the period in which credit reporters are bringing their systems into compliance with the new code, she would of course consider any unforeseen compliance difficulties.
A number of issues were identified during the consultation process leading up to the issue of the code, which will be worthy of study at the time of the two year review if not before. Examples include:
- whether an exemption should be given to information privacy principle 12 to enable the use of the driver licence number as a shared identifier for credit reporting
- whether the issue of identity theft warrants a particular response in the credit reporting area such as that recently enacted in the USA
- whether there are any implications for the credit reporting code in any new banking, corporate governance or money laundering initiatives
- whether Australia may be considering permitting positive reporting and, if so, the benefits, risks and implications of doing so here
- whether any special rules on credit scoring are warranted.
Office of the Privacy Commissioner
8 December 2004