Credit Reporting Privacy Code 2004

Post on 14-Jun-2015


Credit Reporting Privacy Code 2004

New Zealand Credit & Finance Institute luncheon

Auckland, 21 February 2005

Presentation by

Blair Stewart, Assistant Privacy Commissioner

Outline

Presentation will cover

• Quick overview

• Origins of code, international context

• Changes to code following industry submissions

• Some of code’s main features

Quick overview

• Code generally starts on 1 April 2006

• 2 clauses – affecting only credit reporters – start on 1 April 2005 (free access, internal complaints processes)

So if you’re not a credit reporter, you can relax, you’ve got plenty of time in hand ….

Origins of code, international context

Timeline

• 1991 Privacy of Information Bill, provision made for codes

• 1993 Privacy Act

• 1996 industry proposals, initial work, hiatus

• 2000 work restarted, industry discussions etc

• July 2003 proposed code publicly notified

Cont’d…

Timeline cont’d

• December 2004 code issued

International context

• Specific credit reporting regulation is quite usual

• Sometimes stand-alone with a consumer protection focus (e.g. USA), sometimes as part of a general privacy regime (e.g. Aust, HK)

• Objectives include granting rights, controlling behaviour, standardising compliance practices but also legitimising credit reporting which may otherwise be difficult to reconcile with, say, privacy law, banking confidentiality, defamation law

USA Example

• Fair Credit Reporting Act 1974

• Updated by Fair and Accurate Credit Transactions Act 2003

Hong Kong Example

• Code of Practice on Consumer Credit Data (issued 1998, revised 2003) adopted under Personal Data (Privacy) Ordinance 1996

Australian Example

• Part 3A of Privacy Act 1988 (enacted 1990) supplemented by Credit Reporting Code of Conduct 1996

• Relevance: ANZCER, 2 main consumer credit reporters having trans-Tasman presence, similar Privacy Acts

• A significant influence in development of code, observed benefits but also complexity and some rigidity

Australia/US/HK

Code draws on Australia, US and HK models:

• generally similar to key Australian approaches (e.g. negative reporting) and some specifics (e.g. serious credit infringement) but with notable differences in particular areas (e.g. broader access) and less complex and prescriptive

• US-style statement of consumer rights, disclosure statements on websites

• HK audit requirements

Changes to code following submissions

• “notified code” – July 2003 … submission and consideration period …

• “Issued code” – December 2004

Note: paper available outlining changes

Changes continued

• Scope (move away from direct applicability to credit providers)

• Permitted classes of subscribers expanded (from credit providers only to include e.g. prospective landlords, prospective employers in some circumstances)

• Commencement date

• Dropping requirement to suppress during correction checks, substituting flagging requirement

Some features of the code

Notes:

• bear in mind the code’s definitions and the definitions in the Privacy Act: e.g. “personal information”; s.7 savings

• papers available on website

Many of the code’s requirements focus upon:

– Accuracy

– Transparency

– Control

Features cont’d

Free access from credit reporter (clause 7)

• Starts 1 April 2005

• Reasonable charge can be made where expedited access is requested (within 5 working days)

• Modeled upon Australian law

Removes barrier to access, can promote routine checking for accuracy before problems arise (subject as “first auditor”)

Features cont’d

Internal complaints processes (clause 8)

• Credit reporters required, from 1 April 2005, to have internal complaints processes that meet certain standards

• enhance dispute resolution practices, low level, quick

• Any complaints escalated to external process (OPC) should at outset have issues identified, investigated and documented

Features cont’d

• All other aspects of code commence a year later on 1 April 2006

1 April 2006

A selection of features of note

• Title change reflects narrower application

• Review after 1 April 2008

• “subscriber”: limited types, subscriber agreement, obligations

• Summary of rights: modeled after FCRA and FTC approach

A selection of features of note cont’d

Limited information to be reported

• Largely the Australian (+ existing NZ) “negative reporting” model

• I.e. ID + public record + adverse information

• However, also allows some non-negative data e.g. previous enquiries, amount of credit sought

A selection of features of note cont’d

• Controlled access

• Most access needs a subscriber agreement and authorisation of the subject

Without agreement or individual authorisation

With agreement but without individual authorisation

With agreement and authorisation

A selection of features of note cont’d

Disclosure without subscriber agreement or individual authorisation:

• To individual concerned

• Statutory demands (s.7)

A selection of features of note cont’d

Access with subscriber agreement but without specific individual authorisation:

• Debt collection

• Law enforcement, including tax

• Suspected insurance fraud

A selection of features of note cont’d

Access with subscriber agreement and individual authorisation

• Credit application

• Prospective landlord*/prospective tenant

• Prospective employer*/prospective employee for pre-employment check for position involving ‘significant financial risk’

• Prospective insurer* for underwriting credit transaction

*defined terms

A selection of features of note cont’d

Access and correction rights (rules 6 and 7)

• Free access

• Details to be flagged as disputed while correction request being actioned

A selection of features of note cont’d

Audit requirements (rules 5 and 8, Schedule 3)

• Credit reporter to implement a programme of compliance checks internally and with subscribers accessing database focusing upon:

– Safeguarding against unauthorised access or misuse

– accuracy of information

• Will involve subscribers

A selection of features of note cont’d

Comparison controls

• Standard imposed requiring measures to be taken to minimise mis-matching

A selection of features of note cont’d

Retention

• A default list of retention periods that are deemed compliant: generally 5/7 years

• Departure permitted but must be justified in event of complaint

• Credit reporters to display retention periods on their website

The future

• OPC intends that the code bring benefits in relation to accuracy, transparency and compliance

• Benefits can flow to subscribers as well as individuals

• Intended to publish a version of code with some commentary later in year

• Code is law, but much easier to change than statute, feedback welcomed and a formal review will follow

Office of the Privacy Commissioner

PO Box 466

Auckland

Website: www.privacy.org.nz

Enquiries: Auckland 302 8655 or 0800 803 909