Privacy Commissioner - Te Mana Matapono Matatapu

Information paper on changes to notified code

A proposed code of practice dealing with credit reporting was publicly notified by the then Privacy Commissioner in July 2003 and released for public consultation. A number of written submissions were received in 2003 and consultation meetings were held early in 2004. Throughout 2004 the Commissioner’s staff studied the comments filed, met with stakeholders and solicited supplementary submissions. The current Privacy Commissioner adjusted the proposed code in light of submissions and issued the Credit Reporting Privacy Code 2004 on 6 December 2004. This paper outlines and explains the changes.

In this paper:

• notified code means the version dated 30 June 2003 headed “Proposed Code for consultation: Credit Information Privacy Code 2003” which was publicly notified in July 2003
• issued code means the Credit Reporting Privacy Code 2004 issued on 6 December 2004.

Consultation process

In July 2003 the then Commissioner publicly notified his intention to issue the Credit Information Privacy Code 2003 (the notified code). The notified code had built upon drafting and consultation that had been undertaken over several years. Public notices were placed in newspapers in the main centres and in several business publications. An information paper was prepared and made available with the notified code on the Commissioner’s website and in response to public enquiries. Copies were distributed to organisations that might be interested.

Formal written submissions were received from some 58 organisations and individuals. A number of these people later made supplementary submissions. During March 2004 a series of meetings were held in Wellington and Auckland between submitters and the new Privacy Commissioner.

The Commissioner gave careful consideration to the matters raised in the submissions and during the hearings. Many follow-up meetings were held with some of those who made submissions and with other stakeholders. Intensive discussions took place with the major credit reporting agencies themselves.

In September 2004 the Commissioner circulated a revised version of the code as a basis for further discussion with those who made submissions and some other stakeholders. It was shared with submitters with an information paper highlighting proposed changes. About 15 further submissions were received as a result. A number of refinements were made to the code as a result of this last round of consultations.

The Commissioner issued the Credit Reporting Privacy Code 2004 in early December 2004.

Summary of major changes to the notified code

This paper draws attention to many of the principal changes between the notified and issued codes and the reasons for those changes. A separate information paper outlining key features of the code is also available.

Scope

The notified code attempted to regulate credit reporting by controlling the way both credit reporters and credit providers handled credit information. Although having the advantage of enabling all issues to be addressed directly, the wide coverage had some undesired side effects.

The issued code has been re-focused on credit reporters alone. Credit providers and other accessing agencies are no longer directly covered by the code. Some compliance obligations that were originally placed directly on subscribers are now imposed indirectly through requirements to be included in subscriber agreements or addressed through new mechanisms such as the Summary of Rights. Some proposed obligations on credit providers have been dropped altogether.

The result is a clearer and more streamlined code with simplified and reduced compliance obligations. The narrower scope is reflected in the change in the code’s title from “credit information” to “credit reporting” code.

Subscriber limitations

Submissions were made by existing subscribers who would be denied access to the credit reporting databases under the notified code. This was an area where the Commissioner specifically invited comments. Some submitters were able to make a convincing case to expand access. However, the purposes for widened access are all closely linked to the primary purpose for which the information was collected. The new provisions have been tightly drawn and will be closely monitored for any evidence of misuse.

Controls on comparisons

Several submitters questioned the approach of Part 3 of the notified code that imposed controls on the comparison of information. After discussions with credit reporters it was decided to adopt a standards based approach on the information matching issue. The original Part 3 has been removed and replaced with a single clause (see rule 8(2)).

Trans-Tasman compatibility

Trans-Tasman compatibility was raised by several submitters. The trans-Tasman nature of the two main consumer credit reporters was also kept in mind. Several changes reflect Australian provisions, although the very different legislative frameworks in the two countries need to be considered. An example is the inclusion of the Australian “serious credit infringement” category of information in the permissible content of credit reports.

Clarifying application of rules

Some submitters seemed unfamiliar with normal rules of statutory interpretation and unaware of the existing application of the information privacy principles to information obtained before the commencement of the Privacy Act (refer Privacy Act, s.8). Although the provisions governing the application of the notified code’s rules to future actions and existing holdings of information were seen as appropriate, drafting changes make the position clearer. For example, several rules stated that they applied to “credit information obtained before or after” the rule’s commencement. These have been clarified to state that the relevant rules apply to “credit information held by a credit reporter that was obtained before or after” the commencement of the respective rules. An application clause in rule 5 explicitly states that certain access authentication controls must be in place from a particular date but only “in respect of accesses made from that date”, rather than leaving it merely as a matter of inference.

Commencement

The notified code proposed a single commencement date but comments were sought on what that date should be and whether any parts of the code should have a delayed implementation. The issued code has a staged implementation with just the clauses dealing with complaints and charges commencing upon 1 April 2005 and the rest of the code starting a year later on 1 April 2006.

Analysis

The following analysis of the main changes may be of assistance.

Title (clause 1)

The code has been re-styled as the Credit Reporting Privacy Code 2004 to better reflect the narrowed focus. The issued code now only touches upon credit providers as they interface with credit reporting systems. The code no longer directly applies to credit providers, although they are indirectly affected by the subscriber agreements (and of course they remain subject to the information privacy principles in the Privacy Act).

Commencement (clause 2)

The majority of the issued code will come into force on 1 April 2006 (rather than 1 February 2004 as the notified code optimistically proposed). The long lead-in has been allowed as the Commissioner was convinced by industry submissions that the time was necessary in order to make the necessary systems changes.

Two important provisions, dealing with complaints and charges, come into force a year earlier on 1 April 2005 as they will not require any computer re-programming. It was noted that this date coincides with the commencement of new consumer credit laws.

Review (clause 3)

The Commissioner is committed to a review of the code as soon as practicable after it has been fully operational for 2 years i.e. after 1 April 2008. This will be an opportunity to reflect upon how the code has operated. It does not preclude the Commissioner earlier amending the code if this is warranted.

Application and effect of code (clause 4)

The code no longer applies to credit providers or other classes of accessing agencies. The focus is more clearly on credit reporting and the credit reporting interface. The information privacy principles continue to regulate the handling of credit information in other contexts.

Interpretation (clause 5)

There have been a number of definitional changes.

Definition of credit information
The issued code makes a stylistic change by including in clause 5 a complete definition of “credit information”, whereas the notified code achieved the same effect by cross-referring to rule 1(2). It was decided that this approach may be slightly clearer for users. The definition has been modified in several other respects:

• “supplementary identification information” has been added to enable confirmation of occupation and employer
• “compromised” identification documents join references to lost or stolen documents
• “amount sought” and “capacity of the individual” have been added to credit application information
• credit default information now encompasses a client reference number (and listing is subject to the requirement that the subscriber has taken steps to recover the outstanding amount)
• “serious credit infringement information” has been included
• references to correction statement, notice of disputed debt and administrative information have been added.

Changes to other definitions
Changes have been made to the following definitions contained in the notified code:

• credit reporter: redefined to include only those agencies reporting to other agencies for a fee – to prevent certain arrangements between affiliated companies being subject to the code, although of course such arrangements will still need to be compliant with the information privacy principles
• credit score: a change from “a coded indicator derived from credit information … that classifies the creditworthiness of an individual” to “a statistically based rating of the credit default risk of an individual” – the new definition was devised to meet concerns from some submitters about the correct meaning of the term.

The definition of “accessing agency” has been omitted (replaced in part by the new definition of “subscriber”).

New definitions

New definitions have been included, particularly for terms introduced by the issued code: “debt collector”, “previous enquiry record”, “prospective employer”, “prospective insurer”, “prospective landlord”, “rule”, “serious credit infringement”, “subscriber”, “subscriber agreement”, “Summary of Rights” and “supplementary identification information”.

Several of these definitions are required because of the expansion of the list of agencies that may obtain credit reports (i.e. debt collectors, prospective employers, prospective insurers and prospective landlords). The term “subscriber” collectively encompasses these accessing agencies and each is required to have a “subscriber agreement”.

“Serious credit infringement” is, as the title suggests, a record of certain serious actions. The definition is in material respects identical to the term contained in the applicable Australian law (although the wording of the third paragraph differs in a superficial respect).

The “Summary of Rights” is a new requirement referred to in rules 6 and 7 and clause 8.

Credit reporting privacy rules (clause 6)

Rule 1:

This rule has been truncated but the substance is unchanged. “Credit information” is now defined in clause 5.

Rule 2:

The rule has been shortened and made clearer by the deletion of 3 now-redundant exceptions that only applied to credit providers.

Rule 3:

The notified code had a provision requiring credit providers to advise individuals, when collecting information from them for credit reporting, of the use that the credit reporter would make of the information. This enhanced notification requirement is no longer included in the rule as the code no longer applies to credit providers. However the same requirement has been addressed indirectly through the subscriber agreement and through a new obligation on credit reporters to display a purpose statement on their websites.

Rule 4:

No change.

Rule 5:

Significant changes have been made to this rule. The obligations on subscribers to take measures to safeguard against improper access have been removed from the rule but similar obligations are required to be imposed under the subscriber agreement. The obligations on credit reporters now include more detailed access logs and more stringent access authentication controls.

Rule 6:

This rule introduces the Summary of Rights which is modelled upon a similar document prepared by the Federal Trade Commission under the US Fair Credit Reporting Act. Credit reporters are required, in the access context, to provide a copy of the Summary of Rights or to display it on their website.

Rule 7:

A number of submissions questioned the merit of the provision in the notified code that would have required information that had been disputed pursuant to a correction request to be suppressed until a decision on accuracy is taken. The issued code requires all disputed information to be clearly identified, but no longer requires suppression pending the decision on correction. (It is of course open to a credit reporter to suppress the information if that is its policy or it seems appropriate in the particular case.)

The rule imposes a requirement, in the correction context, to provide a copy of the Summary of Rights or to display it on the website. It also requires credit reporters to provide the individual with a copy of any corrected information.

Rule 8:

The rule now imposes a standards-based obligation on credit reporters undertaking information matching. This replaces more detailed obligations earlier proposed in Part 3 of the notified code which drew some expressions of concern from credit reporters in the consultation process.

Several notification requirements placed on subscribers have been removed, although similar matters are dealt with in the subscriber agreement requirements.

The obligation on subscribers to supply the individual with a copy of their credit report free of charge has been omitted altogether. (Free access from credit reporters remains a central feature of the code.)

Rule 9:

A new requirement adopted by the issued code is that a credit reporter must display on its website a statement of the retention periods applicable to each type of credit information. This was seen as a desirable transparency requirement given the approach of the code not to make the scheduled maximum retention periods mandatory.

Rule 10:

No change.

Rule 11:

There have been significant changes made to rule 11 in response to submissions. The rule has been restructured and access is no longer limited to credit providers. A wider group of subscribers including certain debt collectors, prospective landlords, prospective employers and prospective insurers have been given access in specified circumstances.

Access by this group also requires a Schedule 3 compliant subscriber agreement.

Access may also be given to enable an insurer to investigate a case of suspected insurance fraud. (Insurance companies may, of course, also have access in those cases where they are providing credit in their business.)

Credit reporters may continue to resell credit information contained in databases consisting solely of information sourced from a publicly available publication.

Supplementary identification information can now be held by credit reporters but can only be disclosed by way of confirmation.

Rule 12:

No change.

Old Part 3

Part 3 of the notified code, which dealt with controls on the comparison of information, has been deleted in response to submissions. The same issues are now addressed in rule 8.

Clause 7 – Charges (clauses 9 and 10 in notified code)

The clause providing for free access from credit providers has been deleted as the code no longer applies to credit providers.

Credit reporters cannot charge for acting upon individuals’ access or correction requests under the code. Several changes have been made to the charges clause to make it clear that charges are not permitted for various particular actions associated with granting access or making a correction.

Free access to credit information is required unless the individual requests urgent access within 5 working days, in which case a reasonable charge may be made. The period has been reduced from the 10 working days provided in the notified code.

Clause 8 – Complaints (clause 11 in notified code)

A new requirement of the issued code is that a copy of the Summary of Rights must be provided to complainants (unless already supplied on an earlier occasion).

Schedules

Schedule 1

The retention period for identification information has been deleted after consideration of submissions. Five year retention periods have been included for previous enquiry records and serious credit infringements, both newly defined terms in the issued code.

Schedule 2

The list of specified public register provisions now includes section 189 of the Companies Act 1993.

Schedule 3

A new schedule sets out the obligations that a credit reporter must include in subscriber agreements. These generally reflect matters mentioned above in the notes on the rules.

Schedule 4

Summary of Rights
This is a brief and easily read summary of the rights given to individuals by the code and the Act. It is anticipated that credit reporters will display the summary on their website although it is short enough for easy distribution in hard copy.

This document is also available as a downloadable PDF file (7 pages):