CONSENT/NOTIFICATION AT APPLICATION STAGE

The principles of control and ownership are also closely related to the issue of consumer consent to their information being collected, used and disclosed.

Typically consumers will be asked to sign a Privacy Act authority notifying them that their information may be given to a credit reporting agency, and that the credit provider is authorised to obtain information from the credit reporting agency and other credit providers. However, consumer groups have argued that this is ineffective. It is unlikely that consumers will read the privacy consents and even if they do, in many instances the consent wording is complex and confusing, and does not reflect the true nature of the consent and its often significant consequences. For example, a standard privacy consent runs for two A4 pages and the font size is no bigger than eight. Further, privacy

“consents” are buried in pages of other documentation presented at a time when the loan applicant is focussed on the loan transaction itself, rather than any incidental material.

Consumer groups have also criticised the industry practice of bundling consent to disclose personal information to a credit reporting agency with other consents in credit applications. The notice to the consumer that their information may be disclosed to the credit reporting agency is contained in the same document as other Privacy Act notices.

They argue that the imbalance of power between credit providers and consumers means that consumers are not in any position to give real consent. This point is also acknowledged by Baycorp:

In the case of a bundled consent, where an organisation typically seeks a blanket sign off to use personal information for multiple purposes, the reality is in many cases: no sign-off, no product/service. In other words, there is a complete absence of choice, let alone informed consent, on the part of the individual.³⁷

Industry, on the other hand, argues on business efficacy grounds that a prohibition on the use of bundled consent would be “an unwarranted and intrusive restriction on business”.³⁸ Given these opposing views, it is unfortunate that the Privacy Act does not allow for more protection. Section 18E(8)(c) simply requires that a credit provider must not give to a credit reporting agency personal information relating to an individual if … (c) the credit provider did not, at the time of, or before, acquiring the information, inform the individual that the information might be disclosed to a credit reporting agency.

37 Baycorp Advantage, submission to Senate Legal and Constitutional Committee, Parliament of Australia, Canberra, Inquiry into the Privacy Act, 15.

38 Senate Legal and Constitutional Committee, above n 14, 102.

The way in which the subsection is drafted leaves little room for consumer protection.

While it requires that a consumer must be informed, the key requirement is not consent, but simply notification. It would suffice for the credit provider who is collecting the information that they tell the consumer the information will be passed on to a credit reporting agency. The consumer is not required to give their consent. In addition, the wording of the subsection is not that the credit provider cannot collect information if no notification is given, but merely that the collected information cannot be passed on.

Further, even if the requirement for collection and use of the information is notification and not informed consent, many caseworkers reported that they were often contacted by people who complained that they were never notified that they would be listed:

I was never notified that I would be listed.

0 2 4 6 8

often sometimes rarely never Frequency of occurrence

Number of responses

Whether or not these consumers were actually notified, the notice is clearly not effective.

In addition, there are also concerns in relation to the interpretation of the notice provisions and the timing of the notice. In the context of a discussion about default listings, the OPC, in correspondence with consumer representatives, has expressed a view that the phrase “acquiring the information” in s 18E(8)(c) refers to acquiring information of the fact of the person’s default, rather than acquiring their personal information, such that the notice provisions come into play immediately prior to the listing, and not at the time of application.

A representative complaint under s 36(2A) of the Privacy Act has been made to the OPC about the interpretation of this provision by CCLC and the Consumer Credit Legal Service (Vic) Inc. The complaint relates to Alliance Factoring listing 600,000 defaults for former Telstra debts. There was never any evidence produced that Telstra notified the affected consumers when they applied for a telephone service that they may be listed.

The complaint argues that the correct interpretation of s18E(8)(c) requires credit providers to notify individuals that their information might be disclosed to a credit reporting agency at the time of the application for credit on three bases. Firstly, the natural meaning of the phrase “acquiring information” must refer to the acquisition of the

relevant identifying personal information that is being collected, and not the acquisition of information relating to consumer defaults on a payment.

Secondly, the complaint argues that the parliamentary intent of the provision is to ensure that credit providers inform consumers about the potential use for the personal information before the consumer discloses that information. In the Second Reading speech during the passage of the Privacy Amendment Bill (1990), the then Attorney-General the Hon. Michael Duffy stated:

An important aspect of the Government’s proposed regulation is that there will be strict requirements for consent before consumer credit information can be sought or passed on.

Such information can be passed on at present without the consent or knowledge of the consumer. The new controls will mean that consumers will be able to have authority over information about themselves. Credit providers will be able to continue to maintain their own information on their clients.³⁹

It appears that parliament contemplated a high level of individual control over personal information. It is also clear that the amendment was introduced to overcome the difficulty of consumers not knowing that their information can be passed on. Section 18E(8)(c) was intended to ensure that the consumer knows how that information could be used, and gives them the choice of disclosure or non-disclosure of personal information through their decision to proceed, or not, with the credit transaction.

Thirdly, the consumer advocacy services argued that it is consistent with other provisions of the Privacy Act and the Credit Reporting Code of Conduct that the relevant time for notification is at the time of application, given that clearout listings are made in circumstances where the consumer cannot be contacted and therefore by definition cannot be notified that they would be listed.

The question must also be asked whether a regime reliant on consent alone, even informed consent, is in the public interest. In a society very much dependent on credit, most consumers feel there is no real choice, and therefore take little heed of the consents and notifications they are regularly asked to sign. Clearly consumer privacy protection must have considerably wider scope than consent or notice provisions to be effective.

The former Privacy Commissioner Malcolm Crompton queried in a recent speech whether or not “the current privacy protection laws are too ‘front end loaded’ by being too dependent on notice, collection limitation and purpose limitation”, or whether there should be a more focus on “‘back end’ frameworks based around a security, data quality and general information governance framework”.⁴⁰ He quotes from US academic Professor Fred H Cate who remarked,

39 Commonwealth, Parliamentary Debates, House of Representatives, 4 December 1990, 4343, (The Hon Michael Duffy, Attorney-General).

40 Malcolm Crompton, ‘The Networked Society: Identity, Surveillance and Privacy’ (Speech delivered on 24 August 2005).

… the energy of data processors, legislators, and enforcement authorities has been squandered on notices and often meaningless consent opportunities, rather than on enhancing privacy. Compliance with data protection laws is increasingly focused on providing required notices in proper form and at the right time, rather than on ensuring that personal information is protected.⁴¹

Added to this very pertinent observation is that personal information is protected and put to “fair use”. As identified in the caseworker surveys, it is not always the accuracy of the information that is in question, but its relevance to the decision to grant credit and the proportionality of the consequence. This is explored more fully in the following sections.

Crompton suggests that the solution may consist of a strong framework of audit, continuous disclosure and clear civil and criminal penalties. He suggests the introduction of laws that could “redress any imbalances by internalising risks of failure and misuse to the organisation through such combinations as requiring greater transparency, regular published audit in a complete information governance framework, allocation of a greater proportion of risks of failure to the organisation including through private class action,”⁴² or in other words, forcing credit reporting agencies and credit providers to take greater responsibility for compliance. In contrast the current system could be characterised as an honesty system, dependent for compliance on ill-engaged and ill-informed consumers with almost no business risk attaching to the exposure of errors even when they are identified.