Credit reporting privacy code boosts NZers’ rights
A new credit reporting privacy code will give New Zealanders free access to their own credit reports and strengthen their credit check rights, Privacy Commissioner Marie Shroff said today.
“Credit reporting raises many privacy issues,” she said. “It involves pooling financial and other data on individuals into huge databases that are accessed by thousands of people. Inaccuracies can really harm people.”
“The new Credit Reporting Privacy Code sets out to build greater transparency, accuracy and fairness, and this will help both individuals and businesses.”
“Accuracy is particularly important,” Mrs Shroff said. “Reliability of information is vital for the people credit reports are written about and also those who buy the reports.”
Key features of the new code include:
• free access by individuals to their own credit reports from 1 April next year;
• steps to ensure people know what happens to their personal information when they apply for a loan or make a credit purchase;
• a plain language summary of rights;
• obligations on credit reporters to maintain high standards in all aspects of their work;
• improving standards of reporting accuracy through:
    o requiring businesses supplying information for credit reports to ensure it is accurate and updated as necessary;
    o requiring credit reporters to maintain an audit programme that may make subscribers subject to spot checks on the reliability of information they have supplied;
    o requiring credit reporters to flag disputed records while they are being checked;
    o requirements to ensure that information on one individual is not wrongly attributed to another.
Mrs Shroff said the new code struck a careful balance between consumer privacy and business needs.
“We developed the code over several years and after a very intensive consultation process that included a large number of submissions from the industry and the public.”
“I believe the Credit Reporting Privacy Code will bring about an orderly, fair, transparent and accurate credit reporting system,” Mrs Shroff said. “My colleagues and I will keep it under careful review and we welcome comments at any time.”
Questions and answers
What is a credit reporter?
A credit reporter is a company that collects credit and personal information from credit providers and publicly available sources and then sells the information to third parties. These third parties are commonly but not always credit providers seeking to establish if a potential client is a good or bad credit risk.
Why is a privacy code needed?
Credit reporting is a fast growing industry, reflecting the fast growth in New Zealanders’ use of credit. New Zealanders’ indebtedness levels are increasing quickly. Credit reporters may hold large amounts of personal information, very little of it acquired directly from those being reported on. Most people are not aware of the information that is held about them, yet this information may affect their credit reputation for many years. There are relatively few formal controls over the information held and its use, and people generally have no opportunity to verify data before it is listed.
The new Credit Reporting Privacy Code 2004 has been developed to address these issues. Privacy Commissioner Marie Shroff believes it will promote a more orderly, fair, transparent and accurate credit reporting system.
What does the code do for ordinary New Zealanders?
The code requires that credit reporters: provide individuals with free copies of any information held about them; regularly update credit information; have systems to ensure new information is linked to the correct individual; have systems and audits to ensure information is accurate; flag disputed debts while they are being checked; limit the range of agencies and individuals to which credit information can be disclosed; have clear, fast and effective complaints resolution procedures.
The rights of individuals are to be spelled out in a Summary of Rights document.
Credit providers (such as banks and retailers offering hire purchase credit) must clearly explain to their customers what happens to personal information when a credit check is done. This will be a requirement of subscriber agreements as the code only applies directly to credit reporters.
What effects will the code have on credit reporters?
The code will assist credit reporters by: enabling them to market a more accurate product; developing greater public understanding and goodwill; reducing opportunities for misuse by fraudsters by having better identification systems; allowing compliance in a non-prescriptive manner; providing a flexible form of regulation; focusing on self-auditing and contract-based compliance, with external regulation being used only as a backstop; allowing self-management of complaints procedures; spelling out clearer compliance standards; bringing about greater trans-Tasman regulatory alignment.
The overall effect of the code on credit reporters, and the costs they may face, will depend upon their current compliance with the Privacy Act and the extent to which they will need to change their computer systems.
What effect will the code have on business users of credit information?
The code will assist business users by:
improving the accuracy of information they obtain; minimising compliance costs by having relatively light-handed regulation, but added certainty about the rules governing credit information; reducing the risk of identity theft through more accurate identification of individuals; providing better and lower-level dispute handling processes.
Any agency that currently uses the database for non-credit-related purposes is likely to find such practices challenged if undertaken in the future. Existing users will be denied access in the future if their access is not permitted under the code.
On balance the code is expected to have positive impacts for businesses in terms of promoting accuracy of information and customer trust.
Is the code compulsory and who is covered?
The code is compulsory and it applies to all credit reporting agencies.
A code of practice issued under the Privacy Act 1993 is essentially delegated legislation that modifies the Privacy Act’s information privacy principles where the code applies. The code is legally enforceable in the same way that the Act itself is. The code is subject to review by the Regulations Review Committee of Parliament.
Why have internal complaints processes?
An internal complaints process allows the complainant and the agency to resolve disputes speedily, without undue legalism and with a degree of flexibility about what is appropriate in the circumstances.
This needs to occur, however, with full knowledge of the parties’ respective rights and responsibilities. To make this process work effectively, it is therefore vital that individuals have adequate information, such as the Summary of Rights, reflecting the rights and obligations in the code.
When was the code of practice issued?
Monday 6 December 2004.
When does the code come into force?
Most of the code commences on 1 April 2006. This long lead-in time is to enable credit reporters to make changes to their computer systems in order to become compliant. This takes some time to plan and implement.
From 1 April 2005, individuals will be able to get free access to information about themselves. The clause dealing with internal complaints processes also comes into force on 1 April 2005. These clauses do not require computer systems changes.
How will individuals be able to get free access to information about themselves?
Individuals can request access to information about themselves. That information must generally be provided free of charge. Credit reporters are permitted to make reasonable charges if an individual wants the information within 5 working days.
Who was consulted in the development of the code?
The Office of the Privacy Commissioner spent several years researching the issues and talking with interested people. Drafts of possible codes were released for comment and a session was devoted to the subject at a conference hosted by the Commissioner.
In July 2003 the Commissioner formally began the statutory process for issuing a code of practice. This began with public notices in newspapers and a mail-out to organisations and individuals who might be interested. About 60 written submissions were received.
The Commissioner convened meetings in Auckland and Wellington to hear those who wished to speak to their submission. There were also many follow-up discussions and meetings.
A refined version of the code was prepared and circulated in 2004 to people who made submissions. Further submissions were received and considered before the code was issued.
Has the Commissioner issued codes of practice before?
Yes. There are two sectoral codes issued under the Privacy Act, one covering the health and disabilities sector (the Health Information Privacy Code 1994) and the other covering the telecommunications sector (the Telecommunications Information Privacy Code 2003).
A number of other narrowly focused codes have been issued such as the Superannuation Scheme Unique Identifier Code 1995, Justice Sector Unique Identifier Code 1998 and the Post-Compulsory Education Unique Identifier Code 2001.
What other countries have issued similar privacy codes dealing with credit reporters?
There are statutory credit reporting codes of practice in Australia and Hong Kong. The former is issued under the Australian Privacy Act 1988 and the latter under the Hong Kong Personal Data (Privacy) Ordinance.
Is it unusual for countries to specifically regulate credit reporting for privacy reasons?
A number of countries regulate credit reporting. For example, the USA legislated privacy protections in a Fair Credit Reporting Act 1974 (recently updated by the Fair and Accurate Credit Transactions Act 2003). Australia enacted a specific law dealing with privacy and credit reporting in 1990.
In countries that have laws governing privacy, there have often been questions about whether to let these operate to provide appropriate credit reporting protection or to tailor specific controls. Both the Hong Kong and New Zealand Commissioners have developed tailored controls.
How does the code compare with the Australian credit reporting law?
The Australian law was a consideration when developing this code of practice. The two main New Zealand consumer credit reporting agencies also have Australian operations.
The Australian law is a complex mix of statute, code of practice and determinations. However, many of the fundamentals of the New Zealand code are similar to the Australian law. The New Zealand code is simpler to understand and less detailed than the Australian law.
Does the code allow “positive” credit reports?
No. “Negative” information typically refers to a default in meeting a credit obligation. A default has a clear relevance to subsequent credit decisions and is the kind of fact that may not be volunteered by people seeking credit.
Positive information might be seen as all other information, for example an individual’s track record in keeping up credit payments. There is other information that is neutral in itself but may bear upon creditworthiness (such as whether an individual has moved frequently or is long settled in the same place).
A key influence has been the Australian situation, in which positive credit reporting is generally prohibited. The rationale is that individuals who have met their legal obligations in respect of credit should not be forced to reveal their private financial dealings into a widely accessible database.
The code does allow the reporting of some non-negative data, such as the amount of credit sought. It also allows, for example, reporting of identification information and previous enquiry record information.
Why does the code only cover credit reporters and not credit providers?
The objective of the code is to deal with credit reporting privacy issues. It is difficult to deal with those completely without also addressing the practices of credit providers, and so the Commissioner originally proposed to cover those agencies by the code as well. However, as pointed out in submissions, having the code so broad brought difficulties of its own in areas unconnected with credit reporting. Accordingly, the Commissioner finally decided to apply the code only to credit reporters, but to deal indirectly with the credit provider part of the equation by requiring that certain obligations be inserted into every subscriber access agreement.