Review of Credit Reporting Privacy Code 2004

Report of Credit Reporting Privacy Code Reference Group Discussions – June 2009

This report represents the range of views of reference group members and does not necessarily reflect the Privacy Commissioner's position

Victoria Hinson
Lazar Associates Ltd

This report is released by the Office of the Privacy Commissioner, October 2009

Copies can be obtained from:

Office of the Privacy Commissioner

PO Box 466

Auckland 1140

Tel: 09 302 8680

Email:

Table of Contents

Introduction

Background

Summary of Issues Discussed

Operation of Principal New Obligations in the Code

Complaints

Openness obligations (Rules 3, 9(3), Schedule 4)

Identity Verification and Identity Management

Use of government-issued unique identifiers to match credit reports

Discussion of options for consumers

Public Sector Interaction with Credit Reporting Agencies

Government as a provider of fine or reparation default information

Government as a user of or subscriber to credit reporting agencies, to receive updated contact information

Discussion of greater access to public registers

Content of Credit Reports and Positive Credit Information

Positive credit information (whether the Code should move along the spectrum between full positive and full negative credit reporting)

Driver licence numbers and other identification information

Interrelationship between information available in credit reports and credit scoring

Other information that may need to be collected by credit reporting agencies

Other Issues

Indirect application of the Code to credit providers and other subscribers

Effect of Code on position of certain individuals in business, such as sole traders or directors

Use of credit reporting information for non-credit related processes, such as direct marketing

Trans-Tasman Alignment

Timing for and progress of the Australian law changes

How important is it, and what areas need to be aligned for it to work?

How important is the timing of the Australian reforms for New Zealand?

Conclusion

Next Steps

Appendix 1: Members of Reference Group

Appendix 2: Terms of Reference for Reference Group

Appendix 3: Issues Agreed for Discussion

Report of Credit Reporting Privacy Code Reference Group Discussions – June 2009

Introduction

  1. This paper summarises the discussions of the Credit Reporting Privacy Code Reference Group. It is intended to inform the Privacy Commissioner’s independent review of the Credit Reporting Privacy Code and any conclusions she reaches about the need to propose changes to the Code.

Background

  1. The Privacy Commissioner is an independent statutory authority, appointed under the Privacy Act 1993. The Commissioner may issue a code of practice pursuant to Part 6 of the Act. The Commissioner is required to consult those affected when issuing, reviewing, and revoking a code of practice, but is required to make all decisions independently.
  2. The Credit Reporting Privacy Code (the Code) was issued by the Privacy Commissioner in 2004. Part 1(3) of the Code requires the Privacy Commissioner to review the Code as soon as practicable after 1 April 2008.
  3. The Commissioner convened a reference group of stakeholders, the Credit Reporting Privacy Code Reference Group (the Group), to assist in confirming how key aspects of the Code have operated, identifying concerns with the Code, and exploring areas of potential development of the Code. The Group was facilitated by Victoria Hinson, an independent contractor from Lazar Associates. The results of the Group’s discussions are intended to be considered by the Commissioner and are expected to inform her independent review of the Code and any conclusions she reaches about the need to propose changes to the Code. The list of Group members and other participants is attached as Appendix 1.
  4. The Group met a total of 5 times at approximately two-month intervals between August 2008 and May 2009 by means of video conferencing facilities hosted in Wellington and Auckland. The fifth meeting also included participants from Australia by teleconference. Each of the meetings was around two hours.
  5. At its first meeting (20 August 2008), the Group discussed representation, including identifying additional areas and possible representatives. It agreed that additional representation would be sought for the following areas:
  • a major credit provider (e.g., Fisher & Paykel Finance)
  • the banking and finance sector, with appropriate representative(s) from the New Zealand Bankers’ Association
  • a consumer perspective ‘at the coalface’ (e.g., The New Zealand Federation of Family Budgeting Services Inc.).
  1. The Group also agreed that, once priorities were identified for discussion, other representatives from particular industries or organisations could be invited to attend specific meetings. Finally, the Group confirmed its understanding of the terms of reference (Appendix 2), meeting dates and times, and the issues it would discuss in future meetings (Appendix 3).

  1. The Group met on the following dates and discussed the following topics:

Date / Topics discussed
20th August 2008 / Discussion of membership of the Reference Group, the Terms of Reference, and the issues that would be discussed by the Group.
8th October 2008 / Issue 1 – Operation of the principal new obligations introduced by the Code
  1. Openness obligations (Rules 3, 9(3), Schedule 4)
  2. Free subject access to their personal information (Rules 6, 7, and Part 3, clause 7)
  3. Internal audit obligations (Rules 5, 8)
  4. Internal complaints handling processes (Part 3, clause 8)

3rd December 2008 / Issue 1 – Operation of the principal new obligations introduced by the Code: the remaining topics in Issue 1, and Issue 6, which are:
  1. Standards for matching credit application or default information against information held by credit reporting agencies (Rule 8)
  2. Subscriber classes (Rule 11(2))
  3. Subscriber documentation (Schedule 3)
  4. Subscriber obligations (Schedule 3)
Issue 3 – Identity verification and management
Issue 4 – Public sector interaction with credit reporting agencies
  1. Government as a user of or subscriber to credit reporting agencies, to receive updated contact information
  2. Public register information currently accessed for credit reports, and whether more registers should be added to Schedule 2 of the Code
Issue 6 – Other potential issues
1st April 2009 / Issue 2 – Content of credit reports
Issue 4 – Public sector interaction with credit reporting agencies
  1. Government as a provider of default information to credit reporting agencies, such as NZ Transport Agency (previously Land Transport) debts

6th May 2009 / Issue 5 – Trans-Tasman alignment

Summary of Issues Discussed

  1. Some of the Group did not limit their comments and submissions to looking back at how the Code has operated to date and what gaps need to be addressed but also made more proactive ‘forward looking’ suggestions. This was particularly the case for the issue of positive credit reporting.

Operation of Principal New Obligations in the Code

  1. The members of the Group noted that generally, the Code is working well. One credit reporter noted that 85% of its enquiries relate to a small proportion of subscribers, and the larger subscribers are generally compliant with the subscriber agreement.
  2. One Group member noted that the Code introduced several innovative features, such as free subject access to records. There would need to be compelling arguments put forward to warrant changes to the Code.
  3. One credit reporter noted that it took the implementation of the Code seriously and implemented it in a way that, in cost of revenue terms, was significant. This included having to cut off 30% of its subscribers (by volume), as they did not meet the Code requirements.

Complaints

  1. The Office of the Privacy Commissioner (OPC) provided information to the Group about OPC’s experience of the Code, focusing on the complaints area. Part 3(8) of the Code introduced a new complaints process, requiring complainants to complain first to the relevant credit reporter. If the complaint could not be resolved by the credit reporter, then individuals complain to the OPC. The complaints clause came into force on 1 April 2005, though the Rules in the Code did not come into force until 1 April 2006.
Complaints received by OPC by Rule, since 1 April 2005
Rule / Total / Percentage
1 – Purpose of collection of credit information / 0 / 0%
2 – Source of credit information / 0 / 0%
3 – Collection of credit information from individual / 0 / 0%
4 – Manner of collection of information / 0 / 0%
5 – Storage and security of credit information / 1 / 2.27%
6 – Access to credit information / 10 / 22.72%
7 – Correction of credit information / 22 / 50%
8 – Accuracy etc. of credit information / 9 / 20.45%
9 – Retention of credit information / 0 / 0%
10 – Limits on use of credit information / 0 / 0%
11 – Limits on disclosure of credit information / 2 / 4.55%
12 – Unique identifiers / 0 / 0%
  1. There was a noticeable decline in complaints against credit reporting agencies following the complaints clause coming into force on 1 April 2005. However, in the two years following the full implementation of the Code, complaint numbers have risen, although not to the levels received prior to the introduction of the Code.
  2. The vast majority of complaints received by OPC relate to access to, and accuracy and correction of personal information held by credit reporting agencies. These largely involve defaults that have been listed on credit files that a complainant considers are incorrect to be listed. This may be for a number of reasons, including that the default belongs to another individual, that the individual was not informed that the debt was owed, or that the debt has been paid.[1]
  3. Complaints received by OPC have involved two family members with the same name being confused on a credit file (for instance, a default belonging to the son will appear on the father’s report as they share the same name), and instances of identity fraud where someone has used the complainant’s identity to obtain credit.
  4. One credit reporter advised that complaints about mixed files or accuracy of information would be drastically reduced, or even made extremely unlikely, if credit reporters were allowed to collect and hold driver licence numbers.

Openness obligations (Rules 3, 9(3), Schedule 4)

Retention of credit information (Rule 9, Schedule 1)
  1. Credit providers noted that the Code currently allows information to be retained for up to 5 years (with some exceptions). After 5 years, aggregated credit information and risk models are less helpful in predicting future behaviour. After 8 years, this data is very unreliable.
  2. One credit reporter is of the view that credit information should be able to be held for a greater period of time (8 – 12 years or indefinitely). It originally submitted that this was required to facilitate statistical analysis and research. The company later submitted that, on further reflection, Rule 9 adequately addresses retention for statistics or research in conjunction with Rules 10(1)(f) and 11(2)(d). However, at the end of the Reference Group process the company again submitted that the information should be able to be retained for longer periods and used for statistical and analytical work.
  3. The OPC discussed with the Group the difference between retaining credit information for inclusion in a credit report, and retaining information for the purposes of statistical analysis and risk modelling, the results of which would be aggregated.
  4. A credit reporter suggested OPC consider standardising the information retention periods in the Code (currently 5 or 7 years, depending on the information). The Group discussed the pros and cons of changing the retention periods, as well as their view that retention periods in the Code should be consistent with other related legislation (e.g., Limitation Act 1950; insolvency law allowing the display of No Assets Procedures and Summary Instalment Orders for seven years). However, one Group member noted that compelling reasons should be given for changes to retention periods.
Information provided to individuals and the summary of rights (Rule 3(2), Schedule 4)
  1. OPC noted the requirement under Rule 3(2) for credit reporters to display, conspicuously on their website, a statement setting out the purposes of collecting, using, and disclosing credit information. OPC discussed with the Group the fact that these statements could not be found following a cursory search of the websites of two major credit reporters, and asked whether compliance with Rule 3(2) was a problem. The credit reporter members of the Group responded that compliance was not a problem.
  2. The Group also discussed the Summary of Rights. It was agreed that, while some consumers are uncertain of the law around credit reporting, the plain English wording of the Summary was generally working.
Free subject access to credit reports (Rules 6, 7, and Part 3, clause 7)
  1. One credit reporter is concerned about vexatious complaints and suggested that there should be limits on how many times an individual can ask for exactly the same information in a short period of time (when there has been no change since the information was last provided). Such limits could include a lessening of the obligation for free reports (e.g., a limit of one free credit report per year, the ability to impose a reasonable charge). The company explained that there are a number of individuals who repeatedly request their credit file throughout the year, when it remains largely unchanged.
  2. Another credit reporter commented that it does not have a major problem with multiple access and this is not a major area of concern for it.
  3. OPC noted that the grounds for refusing access to personal information in Part 4 of the Privacy Act 1993 apply to credit reporting agencies. This includes a provision allowing agencies to refuse an access request where the request is vexatious or frivolous, although agencies would need to consider refusing access on a case by case basis. OPC also noted that the idea of credit reporting agencies applying to the Commissioner to declare an individual a ‘vexatious litigant’, and therefore limiting that individual’s access to credit reports, has previously been suggested as a possible useful change to the Privacy Act.
  4. The Group noted the Australian Law Reform Commission has recommended one free credit report per year. This is largely because the Commission has recommended moving some way towards a positive credit reporting environment. It is expected that more individuals will request their credit files in this environment, as is the case in the United States and the United Kingdom.
  5. The Group discussed circumstances where individuals could have legitimate reasons for requesting more than one credit report per year, such as where they wish to confirm that a debt listed incorrectly has been removed.
  6. OPC noted that the principle of free access was a key part of the Code, which regulates an industry built on selling personal information. The Group also discussed how free access may also assist in ensuring information is accurate.
Internal monitoring obligations (Rules 5, 8)
  1. OPC requested information from the two credit reporting agencies regarding how they have implemented and comply with the requirements to:
  • “monitor usage and regularly check compliance with the agreement, policies, procedures, and controls” under Rule 5(2)(e);
  • “identify and investigate possible breaches of the agreement, policies, procedures, and controls” under Rule 5(2)(f), and Rule 8(3)(d);
  • “monitor information quality and conduct regular checks on compliance with the agreements and controls” under Rule 8(3)(c).
  1. A credit reporter noted that the obligations are onerous, and place it in the unusual role of monitoring its subscribers. In practice, the company meets the obligations by doing what is reasonable to encourage compliance by contracting for it; using technology to track and record accesses and maintain an access history; providing training; monitoring; and suspending or terminating access. It noted that its larger subscribers take their responsibilities and obligations under the subscriber agreements seriously, and as a result, the company has a subscription base where approximately 97% know what they are doing. The company monitors all new subscribers and can discontinue access to credit reports if the subscriber agreements are breached.
  2. Another credit reporter proactively monitors all its subscribers and audits individual users. It also considers patterns, such as subscribers who frequently record incorrect information, changes to ‘constant’ information, such as date of birth, and subscribers who make a lot of changes to a record.
  3. The credit providers stated that they have no issues with these obligations.
  4. A credit reporter put to the Group that
  • Rule 5(2)(f), requiring credit reporting agencies to identify and investigate possible breaches of the agreement, policies, procedures and controls, and
  • Schedule 3, requiring subscribers to take appropriate action in relation to identified breaches of the policies and controls,

are inconsistent.

Standards for matching credit application or default information against information held by credit reporting agencies (Rule 8)
  1. OPC indicated it would be interested to hear:
  • how the credit reporting agencies have implemented the requirement under Rule 8(2) to, “when undertaking a comparison of personal information with other personal information for the purpose of producing or verifying information about an identifiable individual, take such measures as are reasonably practicable to avoid the incorrect matching of the information”;
  • what controls credit reporters had put in place to “ensure that, as far as reasonably practicable, only information that is accurate, up to date, complete, relevant, and not misleading is used or disclosed” under Rule 8(3)(b), particularly in regards to defaults listed by subscribers; and
  • how subscribers ensure information, particularly default information, is accurate prior to providing it to credit reporting agencies.
  1. A credit reporter submitted that it is committed to doing what is reasonably practicable and legal to improve accuracy, and suggested improving the level of accuracy by selecting one or a combination of measures such as:
  1. allowing use of a person’s driver licence number for identification verification when applying for their credit file;
  2. making a wider range of such data (e.g., passports) legal to capture and use for accuracy improvement;
  3. permitting an individual to authorise such use of data in defined circumstances to improve accuracy;
  4. supplementing the foregoing with a secondary use authorisation process.
  1. OPC responded to this submission, suggesting it is useful to first ask how the obligation in Rule 8(2) has worked in practice, before moving onto the issue of whether the Code should allow the use of the driver licence number.