Email this page

Send this page to a friend.

This page is printer friendly.

A Code for All Parties

Notes for an address by Bruce Slane, Privacy Commissioner to the Associated Credit Bureaux of New Zealand

Some of your members may recall that around 1996-97, the credit industry submitted two draft codes covering credit information privacy. Each of the codes took a different approach. One, for example, was confined to credit reporting agencies, the other included credit providers as well. I do not think it would be helpful to engage in a detailed analysis of these drafts at this stage. However, I would say they have provided a useful prelude to the present draft. Some consultation on those drafts took place but, for a variety reasons, my Office was unable to proceed at that time However, early this year I indicated that I was now in a position to consider issuing a code.

Before turning to credit reporting in particular, it may be useful if I outlined the legal position relating to codes as provided for in the Privacy Act. The Privacy Act establishes certain principles with respect to;

  • the collection use and disclosure of information relating to individuals, and
  • access by each individual to information relating to that individual.


The Act has twelve privacy principles, which apply to all agencies collecting or holding information about an individual. As you might appreciate these are drafted in fairly general terms. However, by section 46 of the Act, I may, from time to time, issue a code of practice which may modify any one or more of the information privacy principles by prescribing standards that are more, or less, stringent than the standards set in the principle. I may also exempt any action from any principles, either conditionally, or subject to conditions prescribed in the code. A code may also apply any one or more of the information privacy principles without modification. A code may also prescribe how any one or more of the information privacy principles are to be applied or to be complied with. In other words it can be devised to meet the particular requirements of particular sectors, classes of agencies or types of information processing.

The expansion of computer technology and usage, has led to an increase in the scope for collecting of personal information, and in the range of persons who might access and use it. With these facilities there is now an ability for credit reporting to develop into a broad database of information about the general financial activities and standing of practically the whole population, and for it to be used in various ways which may have little or no relevance to the purpose for which the information was originally supplied and gathered.

Dealing with one's bank or credit provider would normally be confidential. However, the granting of credit can affect other parties who deal with the borrower especially if they default or seek further credit.

Many overseas countries have met challenges to privacy in the credit area by enacting specific legislation, or specific codes, or a combination of both. In the United Kingdom for instance, the Data Protection Act provides for a Data Protection Commissioner. The Commissioner has issued detailed requirements covering credit reference agencies and the two broad categories of their clients. The first of these are the contributing users - typically large lenders who exchange information on a reciprocal basis. The second category is non contributing users who have access to a more restricted set of data for information.

In Ontario, Canada, a specific consumer reporting law applies. A number of other provinces of Canada have similar legislation.

In Hong Kong, the Privacy Commissioner has issued a code of practice on consumer credit data. The introduction to that code states

"this code is designed to promote good practice among data users involved in the handling of consumer credit data. It deals with collection, accuracy, use, security and access and correction issues, as they relate to personal data of individuals, who are or have been applicants for consumer credit. The code covers on the one hand credit reference agencies and on the other hand credit providers and their dealings with credit reference agencies and debt collection agencies".

Closer to home, Australia has a combination of specific requirements in their Privacy Act and code of practice. Because of its relevance to New Zealand, it may be of interest to consider these Australian provisions rather more closely. A previous Australian Privacy Commissioner, Kevin O'Connor summarised the Australian situation as follows:

  • There are strict rules about the types of information that can be held by a credit reporting agency. Negative categories of information are limited to defaults, serious credit infringements, dishonoured cheques, and two items of public records, namely court judgements and bankruptcy orders.
  • There are specific limitations on the types of businesses permitted to gain access to credit reports held by a credit reporting agency. Access is primarily restricted to the individual concerned and to credit providers. It is not possible for credit providers to make casual enquiries. Certain groups are denied access and these include debt collectors, real estate agents, motor car traders (unless acting as credit providers), government agencies (unless access is required by law), insurance companies (unless intending to provide consumer credit).


Kevin O'Connor noted that these restrictions reflect the principle that use of consumer credit information is limited to legitimate uses connected with the provision of credit. Specifically, in the case of Australia:

  • Credit providers can only obtain and use credit reports for specified purposes associated with provision of credit.
  • Credit providers may only disclose information relating to consumer credit worthiness in accordance with the Act. Provisions in the Act tend to take account of the role of other participants in the credit system and their need to have access to credit information in the course of conducting their business.
  • A credit provider may not pass information about an individual to a credit reporting agency without prior notice to the individual.
  • When an application is refused, wholly or partly on the basis of an adverse credit report from a credit reporting agency, the applicant must be informed.
  • Individuals have a right to access and amend their credit files and reports held by credit reporting agencies and providers.
  • Credit providers must ensure that staff receive some training to equip them to meet the requirements of the Act and Code.
  • Credit providers are obliged to handle credit reporting disputes in a fair and efficient timely manner.
  • Credit providers may not report loan defaults against individual credit reporting agencies without first writing to the individual regarding the overdue payment.


The Australian statutory provisions are detailed and fairly complex and provoked some fairly severe criticism from the credit industry in the early years on the grounds that they were complex and prescriptive.

Before we get into the formal consultation process provided for in the Act, I am very interested to receive industry comment and ideas. To this end I asked my Office to prepare a preliminary draft and to circulate to the industry. My mind is still open about the best approach to take on particular issues.

I now draw attention to some specific areas of interest to me and on which you may wish to comment.

First is the question of coverage. To whom should the code apply? The draft you have received includes both credit providers and credit reporting agencies. This tends to follow overseas practice. But some would say the code should only apply to credit reporting agencies and not to credit providers.

Who should have access to credit reports? Clearly credit providers, but what of:

  • employers?
  • landlords?
  • news media?


The current draft allows landlords to have access but excludes media and employers.

Another issue is, what sort of information should be gathered? How far should we extend into positive reporting? The draft sets out the various categories of information which can be collected without infringement. Are these categories adequate?

There is also the issue of re-sorting or combining personal information sourced from public registers. The draft follows one of the industry proposals with respect to a number of listed registers. What comments has the industry on this aspect?

There are other aspects on which I am sure you will wish to comment, for example:

  • the proposed complaints procedure;
  • the proposal in the draft for access to information and the charging provisions; and
  • the various retention periods.


As I have already said, I am most interested to learn your views and these will be taken into account in finalising the formal draft. Of course there will be another opportunity for comment when that draft is issued under section 48 of the Act. Under the provisions of that section, I have to give public notice of my intention to issue the code. Submissions on the proposed code may be made in writing within a period specified in that notice. However, I think it is to all our advantage if you could make preliminary comments and these could be assessed before the formal section 48 stage is reached. So I look forward to receiving those comments as soon as possible.

I am sure that with your co-operation and understanding the code which will eventually be adopted will be one which fairly and openly balances:

  • individual privacy and individual control of personal information, and
  • the credit services and industry's need to obtain and record accurate personal information to provide an effective and efficient credit regime.


For my part, I am required to have regard to the information privacy principles, any developing international guidelines and New Zealand international obligations as well as the protection of important human rights and social interests that compete with privacy - including the general desirability of a free flow of information and the recognition of the right of government and business to achieve their objectives in an efficient way(1) . I hope that these joint endeavours will enable the right balance to be struck.

Footnotes

1. Privacy Act 1993, s.14

Back to top