Federal Register of Legislation - Australian Government


Privacy (Credit Related Research) Rule 2014

Authoritative Version
Rules/Other as made
This rule permits the use or disclosure of de-identified information by credit reporting bodies for credit related research when done in accordance with this rule.
Administered by: Attorney-General's
Registered 06 May 2014
Tabling History
Tabled HR: 13-May-2014
Tabled Senate: 14-May-2014

Explanatory Statement

Privacy (Credit Related Research) Rule 2014

This explanatory statement has been prepared by the Privacy Commissioner, in accordance with the functions and powers conferred on him by section 12 of the Australian Information Commissioner Act 2010 (the AIC Act).

It explains the purpose and intended operation of the Privacy (Credit Related Research) Rule 2014 (the Rule) made under s 20M(3) of the Privacy Act 1988 (the Privacy Act).

Authority for the Rule

Section 20M of the Privacy Act provides:

 

Use or disclosure

(1)   If:

a.      a credit reporting body holds credit reporting information; and

b.      the information (the de-identified information) is de-identified; [sic]

the body must not use or disclose the de-identified information.

(2)   Subsection (1) does not apply to the use or disclosure of the de-identified information if:

a.      the use or disclosure is for the purposes of conducting research in relation to credit; and

b.      the credit reporting body complies with the rules made under subsection (3).

Commissioner may make rules

(3)   The Commissioner may, by legislative instrument, make rules relating to the use or disclosure by a credit reporting body of de-identified information for the purposes of conducting research in relation to credit.

 

(4)   Without limiting subsection (3), the rules may relate to the following matters:

a.      the kinds of de-identified information that may or may not be used or disclosed for the purposes of conducting the research;

b.      whether or not the research is research in relation to credit;

c.       the purposes of conducting the research;

d.      consultation about the research;

e.      how the research is conducted.

Section 6(1) of the Privacy Act defines:

‘Commissioner’ to mean the Information Commissioner within the meaning of the Australian Information Commissioner Act 2010

‘Credit reporting body’ to mean:

         (a)              an organisation; or

         (b)              an agency prescribed by the regulations;

that carries on a credit reporting business.

‘De-identified’ to mean personal information is de‑identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.

As a ‘privacy function’ the Rule can be made by the Privacy Commissioner in accordance with the functions and powers conferred in s 12 of the Australian Information Commissioner Act.

Purpose

In making this Rule, the Privacy Commissioner has had regard to the objects of the Privacy Act, in particular:

· to promote the protection of the privacy of individuals (s 2A(a))

· to recognise that the protection of privacy of individuals is balanced with the interests of entities carrying out their functions or activities (s 2A(b))

· to promote responsible and transparent handling of personal information by entities (s 2A(d)).

The purpose of s 20M is to permit the use or disclosure of de-identified information in credit related research, where it is in the public interest. However, as noted in the Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Explanatory Memorandum), credit reporting bodies (CRB) conduct research in relation to credit to assess and manage the credit system in Australia. To ensure that research is consistent with policy objectives and appropriately limited in scope, the research will only be permitted where it complies with rules that the Privacy Commissioner may make under Section 20M(3).

The purpose of the Rule is to give effect to Section 20M(3) of the Privacy Act. CRBs must comply with the Rule. Although the Privacy Commissioner has a discretion to make the Rule, if the Rule is not made, CRBs will not be able to meet their requirements under s 20M(2). Therefore, the CRBs will not be able to use or disclose de-identified information for research in relation to credit.

 

Operation of the Rule

The use or disclosure of de-identified information for the purposes of conducting credit related research must be in accordance with the Rule. Subsection 20M(4) of the Privacy Act provides a non-exhaustive list of matters which the Rule may consider.  The list identifies matters that are relevant to ensuring that the permitted research is for the general benefit of the public and in the public interest[1].

The Rule clearly states that the re-identification of de-identified information is prohibited except where required to do so by Australian law or a court/tribunal.

Detail of the Rule is set out in the Attachment.

Consultation

Consistent with the requirements of the Legislative Instruments Act 2003 (LI Act) and the recommendations set out in the Explanatory Memorandum, the Office of the Australian Information Commissioner (OAIC) undertook a three stage consultation process:

· preliminary consultation with selected CRBs (Veda, Dun & Bradstreet and Experian)

· targeted consultation on a draft rule with selected CRBs and the Attorney General’s Department (AGD)

· public consultation on the draft rule

As a legislative instrument, the Rule must be developed in accordance with the requirements in the LI Act. Part 3 of the LI Act generally requires the rule-maker to undertake ‘appropriate’ consultation, which draws on the ‘knowledge of persons having expertise in fields relevant to the proposed instrument’ and ensures that people likely to be ‘affected by the proposed instrument had an adequate opportunity to comment on its proposed content’[2].

The OAIC incorporated the information gained during preliminary consultation with CRBs and the feedback received during the targeted consultation, and released a draft rule for public consultation on 28 February 2014. Comment was invited from the public and specific notices were sent to the selected CRBs, AGD, the Australian Retail Credit Association, the Reserve Bank of Australia, the Australian Investments and Securities Commission and Consumer Action Groups. Consultation documents were made available on the OAIC’s website during the three week consultation period.

The OAIC received three written submissions in response to the public consultation documents. The submissions received in relation to the public consultation were considered and incorporated when finalising the Rule.


 

Statement of compatibility with human rights, prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011


Privacy (Credit Related Research) Rule 2014

This Legislative Instrument is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Legislative Instrument

The purpose of the Privacy (Credit Related Research) Rule 2014 is to give effect to s 20M of the Privacy Act 1988 (the Privacy Act), which governs the use of de-identified credit reporting information by CRBs when conducting research in relation to credit. Under that section, CRBs must comply with any rules made by the Commissioner.

Human rights implications

The Rule engages Article 17 of the International Covenant on Civil and Political Rights (ICCPR), which provides that no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation, and that everyone has the right to the protection of the law against such interference and attacks.

 

The Rule protects against the arbitrary interference with privacy, and advances the right to the protection of the law against such interference, by introducing a number of specific limitations on the use and disclosure of de-identified credit reporting information when used in credit related research, including: 

 

· prohibiting the re-identification of de-identified credit reporting information

· limiting the permitted purposes for conducting credit related research using de-identified credit reporting information

· limiting the disclosure of de-identified information to entities with an Australian link

· emphasising that de-identified information which is unintentionally re-identified must be destroyed

Further, the Rule supplements the provisions of Part IIIA of the Privacy Act, which implements the Australian Law Reform Commission’s (ALRC) recommendations in its Report 108 For Your Information: Australian Privacy Law and Practice (ALRC Report) and the subsequent commitment by the Australian Government (in its 2009 first stage response to the ALRC Report) to move to a more comprehensive credit reporting system.

Conclusion

The Rule is compatible with human rights because, in line with the new Part IIIA of the Privacy Act, it ensures that any limitations on the prohibition against arbitrary interference with privacy are reasonable, necessary and proportionate.  


 

Attachment

Details of the Privacy (Credit Related Research) Rule 2014

1.      Name of Rule

Section 1 provides that the title of the Rule is the Privacy (Credit Related Research) Rule 2014.

2.      Commencement

Section 2 provides that the Rule commences on the day it is registered on the Federal Register of Legislative Instruments.

3.      Purpose

Section 3 sets out the purpose of the Rule.

4.      Definitions

Section 4 provides for the definitions of words and expressions used in the Rule, including a definition of ‘de-identified information’ and ‘aggregated results’.

The majority of definitions of words and expressions used in the Rule are the same as defined in Section 6(1) of the Privacy Act, in particular: Australian law; Australian link; Commissioner; court/tribunal order; credit; credit reporting body; credit reporting information; entity; personal information.

5.      Conducting research in relation to credit

Section 5 sets out the conditions under which a credit reporting body may use or disclose credit reporting information to conduct research in relation to credit.

Paragraph 5(a) requires that the credit reporting information be de-identified.

Paragraph 5(b) requires that the use and/or disclosure of the credit reporting information is for the purpose of the credit reporting body conducting research in relation to credit.

Paragraph 5(c) requires that the purpose for conducting the research in relation to credit be a permitted purpose as described in Section 6 of this Rule.

6.      Permitted purposes of conducting research

Section 6 sets out a list of permitted purposes under which a credit reporting body may use or disclose de-identified information for the purposes of conducting research in relation to credit.

Paragraph 6(a) allows research in relation to credit to assess and manage current, and the development of new, credit services.

Paragraph 6(b) allows research in relation to credit to develop methodologies to combat fraud, anti-money laundering, counter terrorism financing and other unlawful activity involving credit.

Paragraph 6(c) allows research in relation to credit to assist in the implementation of responsible lending obligations and other consumer protections.

Paragraph 6(d) allows research in relation to credit for any other purpose for the general benefit of the public.    

7.      De-identification of credit reporting information

Sub-section 7(1) sets out the steps a credit reporting body must take to ensure credit reporting information is adequately de-identified.

Paragraph 7(1)(a) requires a credit reporting body to assess the risk of re-identification of the credit reporting information it intends to use or disclose for research purposes, either by itself or by the recipients of the de-identified information.

Paragraph 7(1)(b) requires a credit reporting body to use the risk assessment referred to in paragraph 7(1)(a) to determine the de-identification technique or techniques appropriate to the circumstances.

Paragraph 7(1)(c) requires a credit reporting body to take reasonable steps to ensure the de-identified information cannot be re-identified.

Sub-section 7(2) provides for a prohibition on the re-identification of de-identified information. Paragraph 7(2)(a) requires a credit reporting body not to re-identify or attempt to re-identify de-identified information. Paragraph 7(2)(b) requires a credit reporting body to destroy any information that it intentionally re-identifies.

Sub-section 7(3) provides for the only exception to the prohibition in sub-section 7(2). Sub-section 7(3) states sub-section 7(2) does not apply if the re-identification of de-identified information is required by Australian law or a court/tribunal order.

The terms Australian law and court/tribunal order are defined in the Privacy Act. 

8.      Disclosure of de-identified information

Sub-section 8(1) provides that a credit reporting body may only disclose de-identified information for a permitted purpose if the receiving entity has an Australian link. Australian link is as defined in the Privacy Act.

Sub-section 8(2) provides that before disclosing de-identified information, a credit reporting body must take reasonable steps to ensure the entity receiving the information meets several obligations. These obligations include that the entity will not re-identify or attempt to re-identify de-identified information (paragraph 8(2)(a)), that the entity destroy any information that it unintentionally re-identifies (paragraph 8(2)(b)) and that the entity will not disclose the de-identified information to any other entity (paragraph 8(2)(c)).

Sub-section 8(3) clarifies that paragraph 8(2)(c) does not apply to the disclosure of the aggregated results of any analysis done on that de-identified information.

9.      Openness

Section 9 provides that a credit reporting body must include a statement on the management of de-identified information in its ‘credit reporting’ privacy policy (under s 20B(3) of the Privacy Act). The statement must specify that de-identified information is used or disclosed for the purposes of conducting credit related research.



[1] Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, p 144.

[2] Legislative Instruments Act 2003 (Cth), s 17. http://www.comlaw.gov.au/Details/C2013C00162/Html/Text#_Toc355692894