Credit%20Reporting%20Privacy%20Code%202004

1
Credit Reporting Privacy Code 2004

• New Zealand Credit Finance Institute luncheon
• Auckland, 21 February 2005

Presentation by Blair Stewart, Assistant Privacy
Commissioner
2
Outline

• Presentation will cover
• Quick overview
• Origins of code, international context
• Changes to code following industry submissions
• Some of codes main features

3

4
Quick overview

• Code generally starts on 1 April 2006
• 2 clauses affecting only credit reporters
  start on 1 April 2005 (free access, internal
  complaints processes)
• So if youre not a credit reporter, you can
  relax, youve got plenty of time in hand .

5
Origins of code, international context

• Timeline
• 1991 Privacy of Information Bill, provision made
  for codes
• 1993 Privacy Act
• 1996 industry proposals, initial work, hiatus
• 2000 work restarted, industry discussions etc
• July 2003 proposed code publicly notified
• Contd

6
Timeline contd

• December 2004 code issued

7
International context

• Specific credit reporting regulation is quite
  usual
• Sometimes stand-alone with a consumer protection
  focus (e.g. USA), sometimes as part of a general
  privacy regime (e.g. Aust, HK)
• Objectives include granting rights, controlling
  behaviour, standardising compliance practices but
  also legitimising credit reporting which may
  otherwise be difficult to reconcile with, say,
  privacy law, banking confidentiality, defamation
  law

8
USA Example

• Fair Credit Reporting Act 1974
• Updated by Fair and Accurate Credit Transactions
  Act 2003

9
Hong Kong Example

• Code of Practice on Consumer Credit Data (issued
  1998, revised 2003) adopted under Personal Data
  (Privacy) Ordinance 1996

10
Australian Example

• Part 3A of Privacy Act 1988 (enacted 1990)
  supplemented by Credit Reporting Code of Conduct
  1996
• Relevance ANZCER, 2 main consumer credit
  reporters having trans-Tasman presence, similar
  Privacy Acts
• A significant influence in development of code,
  observed benefits but also complexity and some
  rigidity

11
Australia/US/HK

• Code draws on Australia, US and HK models
• generally similar to key Australian approaches
  (e.g. negative reporting) and some specifics
  (e.g. serious credit infringement) but with
  notable differences in particular areas (e.g.
  broader access) and less complex and prescriptive
• US-style statement of consumer rights, disclosure
  statements on websites
• HK audit requirements

12
Changes to code following submissions

• notified code July 2003
• submission and consideration period
• Issued code December 2004
• Note paper available outlining changes

13
Changes continued

• Scope (move away from direct applicability to
  credit providers)
• Permitted classes of subscribers expanded (from
  credit providers only to include e.g. prospective
  landlords, prospective employers in some
  circumstances)
• Commencement date
• Dropping requirement to suppress during
  correction checks, substituting flagging
  requirement

14
Some features of the code

• Notes
• bear in mind the codes definitions and the
  definitions in the Privacy Act e.g. personal
  information s.7 savings
• papers available on website
• Many of the codes requirements focus upon
• Accuracy
• Transparency
• Control

15
Features contd

• Free access from credit reporter (clause 7)
• Starts 1 April 2005
• Reasonable charge can be made where expedited
  access is requested (within 5 working days)
• Modeled upon Australian law
• Removes barrier to access, can promote routine
  checking for accuracy before problems arise
  (subject as first auditor)

16
Features contd

• Internal complaints processes (clause 8)
• Credit reporters required, from 1 April 2005, to
  have internal complaints processes that meet
  certain standards
• enhance dispute resolution practices, low level,
  quick
• Any complaints escalated to external process
  (OPC) should at outset have issues identified,
  investigated and documented

17
Features contd

• All other aspects of code commence a year later
  on 1 April 2006

1 April 2006
18
A selection of features of note

• Title change reflects narrower application
• Review after 1 April 2008
• subscriber limited types, subscriber
  agreement, obligations
• Summary of rights modeled after FCRA and FTC
  approach

19
A selection of features of note contd

• Limited information to be reported
• Largely the Australian (existing NZ) negative
  reporting model
• I.e. ID public record adverse information
• However, also allows some non-negative data e.g.
  previous enquiries, amount of credit sought

20
A selection of features of note contd

• Controlled access
• Most access needs a subscriber agreement and
  authorisation of the subject

21
A selection of features of note contd

• Disclosure without subscriber agreement or
  individual authorisation
• To individual concerned
• Statutory demands (s.7)

22
A selection of features of note contd

• Access with subscriber agreement but without
  specific individual authorisation
• Debt collection
• Law enforcement, including tax
• Suspected insurance fraud

23
A selection of features of note contd

• Access with subscriber agreement and individual
  authorisation
• Credit application
• Prospective landlord/prospective tenant
• Prospective employer/prospective employee for
  pre-employment check for position involving
  significant financial risk
• Prospective insurer for underwriting credit
  transaction
• defined terms

24
A selection of features of note contd

• Access and correction rights (rules 6 and 7)
• Free access
• Details to be flagged as disputed while
  correction request being actioned

25
A selection of features of note contd

• Audit requirements (rules 5 and 8, Schedule 3)
• Credit reporter to implement a programme of
  compliance checks internally and with subscribers
  accessing database focusing upon
• Safeguarding against unauthorised access or
  misuse
• accuracy of information
• Will involve subscribers

26
A selection of features of note contd

• Comparison controls
• Standard imposed requiring measures to be taken
  to minimise mis-matching

27
A selection of features of note contd

• Retention
• A default list of retention periods that are
  deemed compliant generally 5/7 years
• Departure permitted but must be justified in
  event of complaint
• Credit reporters to display retention periods on
  their website

28
The future

• OPC intends that the code bring benefits in
  relation to accuracy, transparency and compliance
• Benefits can flow to subscribers as well as
  individuals
• Intended to publish a version of code with some
  commentary later in year
• Code is law, but much easier to change than
  statute, feedback welcomed and a formal review
  will follow

29

• Office of the Privacy Commissioner
• PO Box 466
• Auckland
• Website www.privacy.org.nz
• Enquiries Auckland 302 8655
• or 0800 803 909