Privacy case notes 12-17 for 2009
The Privacy Commissioner has released the following case notes:
In Own Motion Investigation v Financial Institution [2009] PrivCmrA 12 the Commissioner commenced an own motion investigation after being advised by an individual that a financial institution had been sending bank account statements to the previous occupant of the individual's residential address for several years, despite these statements consistently being returned, marked ‘Return to sender. Address unknown’. The financial institution gave details to the Commissioner of its "Return to Sender" mail procedures. The Commissioner was satisfied that the financial institution had processes in place to meet its obligations under NPP 3 at the commencement of the investigation, and ceased the own motion investigation into the matter.
In J v Commonwealth Agency [2009] PrivCmrA 13 the complainant disputed his employer agency's need to disclose information about an internal investigation involving him to a doctor assessing his workers compensation claim. The Commissioner was satisfied that the complainant would have been reasonably likely to know the information would be disclosed. The Commissioner also accepted that it is usual practice in workers compensation matters for an employer to provide the assessing doctor with all relevant information about the employee. The complaint was dismissed.
In K v Commonwealth Agency [2009] PrivCmrA 14 the complainant alleged that the disclosure of their spent conviction information by their employer agency in answer to a court subpoena was in breach of the Crimes Act. The Commissioner formed the view that the disclosure of the complainant's spent conviction information by the agency met the requirements of section 85ZZH(c) because it was a disclosure to a court, and was therefore allowed under the Crimes Act.
In L v Health Service Provider [2009] PrivCmrA 15 the complainant alleged the payment default for health services did not relate to credit as defined by the Privacy Act and should not have been listed in his consumer credit information file. While the complainant had failed to pay for the medical procedure, the Commissioner considered the health service provider did not have a sufficient credit relationship with the complainant, and was not a credit provider in accordance with Determination No. 2006-2. The Commissioner formed the view that the health service provider had interfered with the complainant's privacy by listing a payment default when it was not a credit provider in respect of the debt. In response to the complainant's claim that the payment default prevented them from obtaining finance, the health service provider apologised, removed the payment default, and ceased its practice of reporting overdue accounts to a credit reporting agency. The complainant also accepted a confidential financial settlement.
In M v Financial Institution [2009] PrivCmrA 16 the complainant alleged the financial institution had improperly collected their personal information from a third party (a relative of the complainant's former partner) and used it in making a decision about the complainant's joint account, failing to ensure the personal information was accurate, complete and up-to-date. The financial institution argued that it did not collect information from the relative because it did not ask for the information. However, the Commissioner took the view that an organisation collects personal information if it gathers, acquires, or obtains information from any source and by any means (irrespective of whether the information was sought by the organisation). In addition, because the financial institution changed its accounts based on that information, the financial institution collected the information for inclusion in a record in accordance with section 16B of the Privacy Act.
Given the information was not provided by the account holders, was subject to change and had an effect on the complainant's finances, the Commissioner took the view that the financial institution had not taken reasonable steps to check the accuracy of the personal information it collected from the third party. Therefore, the financial institution had failed to comply with NPP 3. The financial institution offered the complainant financial compensation. The complainant accepted the offer.
In N v Commonwealth Agency [2009] PrivCmrA 17 the complainant claimed that their employer agency improperly disclosed their personal information, without their consent, to a contractor hired to investigate their complaints. The Commissioner was satisfied that the agency's collection of personal information in the personnel and related files was for the purpose of administering the complainant's employment. As the contractor was engaged to investigate complaints about the complainant's working conditions, the Commissioner considered the use to be directly related to the administration of the complainant's employment. Therefore, the Commissioner was of the view that the agency's use of the complainant's personal information was permissible under IPP 10.1(e), and as such, the issue of consent was not considered.
November 20, 2009 in Privacy
Privacy and credit reporting changes
This article by me was first published in Retail Banking Review.
The Government has confirmed that it will accept the Australian Law Reform Commission’s recommendation to amend the Privacy Act to allow credit reporting to include information about an individual’s repayment history, to complement its proposed credit licensing responsible lending obligations.
What information will be included in credit reports?
The changes will permit credit reporting information to include the following categories of personal information, in addition to those currently permitted in credit information files under the Privacy Act:
(a) the type of each credit account opened (for example, mortgage, personal loan, credit card);
(b) the date on which each credit account was opened;
(c) the current limit of each open credit account; and
(d) the date on which each credit account was closed.
But the information must be deleted two years after the date on which a credit account is closed.
The Government will require the credit reporting industry to develop standards around how it lists the types of credit accounts as well as when a credit account is deemed to be closed. For example, in relation to account closure, confusion exists for individuals around whether some credit products are closed after final payment or whether these are ongoing lines of credit (such as interest free accounts).
The Government proposes that the listing of the four data sets with credit reporting agencies will be permitted to occur in relation to existing accounts open at the time that amendments to the Privacy Act take effect. The Government does not consider there is justification for the argument that listing this type of information should only occur with respect to new accounts opened after the commencement of the amendments.
The Government will consult with stakeholders on whether the ‘plus four’ data sets should be shared prior to the commencement of repayment history (noting that use and disclosure of these data sets will not be dependent on the commencement of the responsible lending obligations).
Repayment history
The Government will also permit credit reporting information to include an individual’s repayment performance history, comprised of information indicating whether, over the prior two years, the individual was meeting his or her repayment obligations as at each point of the relevant repayment cycle for a credit account and, if not, the number of repayment cycles the individual was in arrears.
The Government agrees with the ALRC’s view that the predictive value of this extra data set will lead to more informed lending practices, which in turn will result in greater efficiency and effectiveness in consumer credit lending. The Government considers that the benefits this data set will provide to the Australian credit market, and in turn to individuals and credit providers, outweighs the possible adverse privacy effects.
Collection and use of repayment history information will be subject to the proposed commencement of the responsible lending obligations in the National Consumer Credit Protection Bill 2009.
The Government proposes that, in order to allow viable repayment history to be assessed from the commencement of the repayment history provisions, the period from when repayment history may be reported will commence from 14 April 2010. This will mean all credit consumers will be on notice that six months from the date of release of the Government’s response on 14 October 2009, any repayment history on credit accounts may become available at a later date (ie when the repayment history provision commences) to a credit reporting agency and any other credit providers from which the individual may seek credit.
As the responsible lending obligations will only be applicable to licensees subject to the National Consumer Credit Protection Bill 2009, the Government proposes that repayment history information should only be handled by credit providers subject to the obligations in that Bill.
The Government notes that the full responsible lending obligations will not commence until January 2011 and therefore commencement of provisions about the use and disclosure of repayment history information will be subject to this same commencement date.
Other changes
• The Government will not expand the definition of credit to include commercial credit. However, in line with the National Consumer Credit Protection Reforms, the Government intends to extend the protections of the credit reporting provisions in the Privacy Act to include credit provided to purchase residential investment properties.
• Credit providers and credit reporting agencies that are small businesses will be required to comply with the Privacy Act.
• Credit reporting agencies will not be allowed to maintain information about foreign credit and foreign credit providers or disclose credit reporting information to foreign credit providers but will allow trans-Tasman use and disclosure of credit reporting information.
• Credit reporting agencies are not permitted to list overdue payments of less than $100.
• Information about presented and dishonoured cheques will not be included in the list of permitted contents allowed to be retained by credit reporting agencies.
• Limited categories of information about bankruptcy administration should be allowed to be included in credit reporting information. It should clearly distinguish the type of bankruptcy administration to which the individual has been subject (ie whether it is mandatory or voluntary).
• A credit provider should be required to demonstrate that it has taken reasonable steps to contact the individual where it intends to list a serious credit infringement (eg fraud) based on a reasonable suspicion of non-compliance.
• Collecting sensitive (eg health) information for credit reporting purposes will be prohibited.
• Collecting credit reporting information about individuals who the credit provider or credit reporting agency knows, or reasonably should know, to be under the age of 18 will be prohibited.
• A credit provider, before disclosing overdue (or missed) payment information to a credit reporting agency, must have taken reasonable steps to ensure that the individual concerned is aware of the intention to report the information.
• Credit reporting information must not be used or disclosed in any circumstances for the purposes of direct marketing.
• Credit reporting agencies will be allowed to use and disclose credit reporting information for the purposes of identity verification under the AML/CTF Act.
• Individuals will be able to highlight to potential credit providers in their credit reporting information that they have been a victim of fraud, including identity theft.
• Statute-barred debts should not be allowed to be listed in credit reporting information.
• Where a default or serious credit infringement has been listed in an individual’s credit reporting information and the individual enters a new scheme of arrangement relating to that listing, any future default under that arrangement may be listed separately.
• All bankruptcy information should be listed for only five years after the date of arrangement.
• There will be a statutory right of individuals to receive, on request and within a reasonable timeframe, a free copy of their credit reporting information from a credit reporting agency.
Timetable
The Government will begin preparing exposure draft legislation to implement the proposed changes. The exposure draft will be released in early 2010 for further consultation.
Any changes will be reviewed within five years of commencement of the comprehensive credit reporting amendments.
November 18, 2009 in Privacy
Privacy of personal information online
Shortly after the Government's response to the Australian Law Reform Commission's Privacy Report, ACMA released its research report Attitudes towards use of personal information online.
Key findings include:
- There was an acceptance among research participants that using information and communication technologies means sharing personal information. The type of, and level to which, personal information is disclosed is seen to be within an individual’s control and a matter of personal choice.
- Users made informed decisions about the risks of disclosing personal information based on the context of their interactions, with two types of situations:
  - transaction provision – disclosure of information necessary to obtain a good or service, e.g. internet banking, online shopping, eBay; and
  - networking or social provision – where information disclosure is made within an online community to share or exchange opinions, beliefs and personal details, e.g. Facebook.
  Respondents saw a distinction depending on the nature of the information users are providing. In the case of information provided in the course of transactions, a service provider such as a bank was expected to provide good security, whereas on social networking sites, where the service provider is merely hosting the content, security breaches are accepted.
- Participants on the whole were generally well informed about both risks to their online privacy and strategies to protect their personal information. However, there was a widespread perception that breaches are inevitable, resulting in an accepting attitude towards their ability to fully protect their personal information online.
- Risks identified included identity theft, threat to personal safety, invasion of privacy, unwanted communications such as spam, financial loss, fraud and damage to reputation. Severity of these risks was assessed taking into account perceived likelihood of the information being misused and the severity of consequences.
Interestingly the Government's response to the Privacy Report only briefly dealt with the impact of technology on privacy: issues such as radio frequency identification (RFID), biometric systems and data matching will be left to guidelines, the internet was mentioned in passing and a recommendation about electronic health records was accepted in principle. Identity theft was only discussed in the context of credit.
October 28, 2009 in Privacy, Web/Tech
Key credit reporting change dates
As part of the Government's proposed changes to the Privacy Act (see here), four additional categories of information ("data sets") (see here) as well as repayment history information will be permitted to be included in credit reports.
The Government has announced the following key dates for implementation:
- the exposure draft of the amendments will be released in early 2010 for further consultation;
- the listing of the four data sets with credit reporting agencies will be permitted to occur in relation to existing accounts open at the time that the amendments to the Privacy Act take effect;
- the Government will consult with stakeholders on whether the ‘plus four’ data sets should be shared prior to the commencement of repayment history disclosure;
- the period from when repayment history may be reported will commence from 14 April 2010;
- the commencement of provisions about the use and disclosure of repayment history information will be subject to the same commencement date as the full responsible lending obligations in the National Consumer Credit Protection Act (1 January 2011).
October 26, 2009 in Financial Services, Privacy
ACMA v Mobilegate SMS spam penalty
The Federal Court has handed down its penalty in ACMA v Mobilegate (previously discussed here).
According to ACMA the Federal Court has awarded penalties totalling $15.75M against the following defendants:
- Mobilegate Ltd: $5 million
- Winning Bid Pty Ltd: $3.5 million
- Mr Simon Anthony Owen: $3 million
- Mr Tarek Andreas Salcedo: $3 million
- Mr Glenn Christopher Maughan: $1.25 million
A penalty hearing against 3 other defendants will take place on 30 November.
ACMA instituted proceedings against eight respondents in the Federal Court in December 2008, alleging contraventions of both the Spam Act and the Trade Practices Act in relation to premium SMS chat services. ACMA alleged that the respondents were engaged in a complicated scheme to obtain mobile phone numbers from members of dating websites, using fake member profiles, in order to send commercial electronic messages by SMS.
ACMA alleged that:
- after the numbers were obtained, unsolicited messages were sent to the mobile phone numbers offering the opportunity to chat via SMS using services described as the ‘Safe Divert’ or ‘Maybemeet’ services;
- the chat was not offered by genuine members of dating websites but employees of Mobilegate and Winning Bid;
- consumers were charged up to five dollars per message; and
- when users questioned whether the messages were from a real person, they were told that it was a real person who was using the “Safe Divert” service to keep their mobile phone number private.
October 24, 2009 in Marketing, Privacy, Web/Tech
Government responds to Privacy Report
The Commonwealth Government has released its first stage response to the Australian Law Reform Commission's review of privacy law.
The first stage response outlines the Government’s position on 197 of the 295 recommendations in the ALRC’s report.
Of those 197 recommendations:
• the Government has accepted 141, either in full or in principle;
• 34 are accepted with qualification;
• 20 are not accepted; and
• 2 recommendations are noted.
Many of these require legislative amendment to the Privacy Act.
The Government will:
- create a harmonised set of Privacy Principles which will replace the separate sets of public and private sector principles at the federal level, untangling red tape and marking a significant step on the road to national consistency;
- redraft and update the Privacy Act to make the law clearer and easier to comply with;
- create a comprehensive credit reporting framework which will improve individual credit assessments, complementing the Government’s reforms to responsible lending practices;
- improve health sector information flows, and give individuals new rights to control their health records, contributing to better health service delivery;
- require the public and private sector to ensure the right to privacy will continue to be protected if personal information is sent overseas; and
- strengthen the Privacy Commissioner’s powers to conduct investigations, resolve complaints and promote compliance, contributing to more effective and stronger protection of the right to privacy.
It is expected that exposure draft legislation to implement the proposed changes will be released in early 2010 for further consultation.
October 14, 2009 in Privacy
Positive credit reporting and responsible lending
This article by me was first published in Retail Banking Review.
It was written before the ASIC consultation paper on responsible lending was issued (see here) but is otherwise up to date.
When the Australian Law Reform Commission recommended in 2008 that the Australian Government amend the Privacy Act to allow credit reporting to include information about an individual’s repayment history, it was on the condition that there was an adequate framework imposing responsible lending obligations.
The finance industry argued that an increase in information available to lenders would facilitate better risk management practices, which in turn would open up the field to greater competition and drive down the cost of credit, especially for low risk and responsible borrowers.
Currently credit providers can only access negative information (mainly defaults) about borrowers. They cannot get information about a borrower’s good repayment history.
Consumer groups were not convinced that more information would be used to assist responsible lending - rather than to advance more credit and contribute to higher levels of indebtedness.
The ALRC recommended that there should be some expansion of the categories of personal information that can be included in credit reporting information held by credit reporting agencies. It proposed that the four additional items should be:
- the type of each current credit account opened (eg, mortgage, credit card, personal loan);
- the date on which each current credit account was opened;
- the credit limit of each current account; and
- the date on which each credit account was closed.
In imposing its condition that there be “responsible lending” obligations before the changes be introduced, the ALRC said that good risk management and responsible lending practices do not inevitably flow out of fully comprehensive credit reporting. It referred to the ‘subprime loan crisis’ in the US and the UK. In those jurisdictions, lenders who have had access to more comprehensive information about prospective borrowers nevertheless made conspicuously poor decisions for years, based on the pursuit of market share and short-term incentives.
The Government responded to the ALRC Report by indicating that it would introduce the credit reporting changes by early 2010. But no draft Bills have been released yet.
Responsible lending is due to commence (as part of the National Credit Code package) from 1 January 2010 for brokers and 1 January 2011 for ADIs and registered finance companies.
Responsible lending
What is “responsible lending” and why are lenders linking it to changes to credit reporting laws?
Both the National Consumer Credit Protection Bill and the Corporations Act (Financial Services Modernisation) Bill require that licensees (for consumer credit and margin lending respectively), comply with responsible lending conduct obligations.
These obligations require disclosure by credit providers to consumers about the application and assessment process as well as prohibiting credit providers from making loans which are unsuitable for borrowers. The Bills, if passed, will specify how unsuitability is assessed and oblige credit providers to make reasonable inquiries about the borrower’s requirements and verify the borrower’s financial information.
It is in the making of the assessment that credit providers believe that access to a borrower’s full loan position (as opposed to just defaults) will be essential.
Although "responsible lending" is not defined in the Bills it is clear that Australia is following the UK model.
The UK Financial Services Authority conducted a Responsible Lending research project in 2007-8. Its key conclusions were:
• lenders could have been more cautious in their approach to lending;
• more stringent checks could have been applied to ensure customers had the ability to pay over the life of the term;
• in determining affordability, more emphasis could have been put on checking customers' general expenditure as well as expenditure on credit.
What does this mean for Australian lenders?
Lenders must be able to show they have taken into account a customer's ability to repay. The lender's assessment of affordability must be based on their own inquiries rather than using information provided by the borrower without checking it.
There should also be plausibility checks on income and outgoings; information from applications and other statistics should be used to maintain and update this information.
Lenders will need to contact the borrowers' employers to verify employment status and the plausibility of income (eg check overtime, bonuses, working hours).
Lenders will need to give appropriate consideration to customers' circumstances and ability to maintain repayments in retirement: they will need to look at the part of the mortgage that will be outstanding at retirement and the number of years until retirement, and check the plausibility of customers' claims that they would work beyond the normal retirement date.
Lenders say that they cannot meet these obligations without access to better credit information. They will press for the positive credit reporting changes to be introduced to coincide with responsible lending obligations.
September 10, 2009 in Financial Services, Privacy
Privacy Case Notes 7 - 11 for 2009
The Privacy Commissioner has issued 5 new case notes:
In Own Motion Investigation v Airline [2009] PrivCmrA 7 the Privacy Commissioner investigated a report that an airline had failed to protect its passengers' privacy. An individual had accessed the airline's online flight check-in system using their personal booking number and flight number. When they entered this information the personal information of two other airline passengers was allegedly shown on the screen.
On investigation the Commissioner found that as the airline already had security processes in place and that the code problem which led to the disclosure was remedied soon after the airline was notified of the error, the steps taken to respond to the error were adequate.
In F v Medical Specialist [2009] PrivCmrA 8, the complainant had approached a medical clinic specifically seeking treatment from a consultant. The consultant refused to treat the complainant citing ethical and therapeutic reasons. The consultant then advised the clinic manager of the complainant's need for treatment, the consultant's personal refusal to treat the complainant and the reasons for this refusal.
The Commissioner formed the view that in the circumstances described, the disclosure of the complainant's personal information to the clinic manager was both directly related to the purpose for which the information was collected, and was within the complainant's reasonable expectations. The complaint was closed.
In G v Counselling Service [2009] PrivCmrA 9, the complainant complained that a counselling service had disclosed the content of their counselling sessions to their employer, that it did not inform the complainant that it would make such a disclosure, and that it had failed to keep the notes of the counselling sessions safe and secure.
The Commissioner formed the view that the complainant's information had not been disclosed. The Commissioner also considered the service's practices and formed the view that, although it had misplaced one page of the complainant's notes, it had reasonable steps in place to protect client information.
In H v Telecommunications Company [2009] PrivCmrA 10 the complainant complained about a credit report default listing in relation to an overdue mobile phone account which had been paid. The complaint was closed after investigation showed the default listing was properly made.
In I v Insurance Company [2009] PrivCmrA 11, the complainant alleged that their insurance company had inappropriately disclosed a copy of a letter regarding their claim to the repairer. The Commissioner found that the primary purpose of collection of the information was to process the complainant's insurance claim. The Commissioner accepted that the insurance company disclosed the information to the repairer for a related secondary purpose which was to investigate the complaint about the service that had been provided.
However, the Commissioner did not accept that the complainant would have expected that a full copy of their letter, including the statements made about the repairer, would be disclosed directly to the repairer.
The Commissioner did not consider that the disclosure of the complainant's letter was permitted by NPP 2.1(a) and formed the view that the insurance company had interfered with the complainant's privacy.
The insurance company apologised to the complainant and agreed to amend its staff training program to incorporate the handling of personal information collected in relation to customer complaints.
September 1, 2009 in Privacy
HSBC UK fined for privacy breaches
The UK Financial Services Authority (FSA) has fined three HSBC firms over £3 million for not having adequate systems and controls in place to protect their customers' confidential details from being lost or stolen. These failings contributed to customer data being lost in the post on two occasions.
During its investigation into the firms' data security systems and controls, the FSA found that large amounts of unencrypted customer details had been sent via post or courier to third parties. Confidential information about customers was also left on open shelves or in unlocked cabinets and could have been lost or stolen. In addition, staff were not given sufficient training on how to identify and manage risks like identity theft.
In April 2007, HSBC Actuaries lost an unencrypted floppy disk in the post, containing the personal information of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers. In February 2008 HSBC Life lost an unencrypted CD containing the details of 180,000 policy holders in the post. The confidential information on both disks could have helped criminals to steal customers' identities and commit financial crime.
The firms have taken a number of remedial actions to address the concerns raised, including contacting the customers concerned, improving their staff training and requiring that all electronic data in transit is encrypted.
HSBC Life UK Limited (HSBC Life) was fined £1,610,000, HSBC Actuaries and Consultants Limited (HSBC Actuaries) was fined £875,000 and HSBC Insurance Brokers Limited (HSBC Insurance Brokers) was fined £700,000.
HSBC Insurance Brokers, HSBC Actuaries and HSBC Life co-operated fully with the FSA in the course of its investigation. All three firms agreed to settle at the early stage of the FSA's investigation and qualified for a 30% discount. Without the discount, the fines would have been £1m for HSBC Insurance Brokers, £1.25m for HSBC Actuaries and £2.3m for HSBC Life.
August 11, 2009 in Privacy
Data breach prevention
Australia does not yet have mandatory data breach notification laws (see last year's ALRC proposals), so we don't know about breaches other than those that get public notoriety (eg files dumped in bins, stolen laptops or forgotten CDs).
But we can learn from those breaches analysed in the USA: Verizon has published its 2009 Data Breach Investigations Report.
Its analysis of data breaches concluded:
- 74% were caused externally, 20% internally;
- 67% were aided by errors, 22% involved privilege misuse;
- 69% were discovered by a third party; and 87% were considered avoidable through simple controls.
The report's recommendations for preventing breaches include:
- Ensure essential controls are met.
- Have data retention policies: find, track, and assess data.
- Collect and monitor event logs.
- Audit user accounts and credentials.
- Test and review web applications.
In Australia the Privacy Commissioner has issued a Voluntary Data Breach Notification Guide.
July 31, 2009 in Privacy