New credit reporting privacy code boosts NZers’ rights
A new credit reporting privacy code will give New Zealanders free access to their own credit reports and strengthen
their credit check rights, Privacy Commissioner Marie Shroff said today.
“Credit reporting raises many privacy issues,” she said. “It involves pooling financial and other data on individuals
into huge databases that are accessed by thousands of people. Inaccuracies can really harm people.”
“The new Credit Reporting Privacy Code sets out to build greater transparency, accuracy and fairness, and this will help
both individuals and businesses.”
“Accuracy is particularly important,” Mrs Shroff said. “Reliability of information is vital for the people credit
reports are written about and also those who buy the reports.”
Key features of the new code include:
• free access by individuals to their own credit reports from 1 April next year;
• steps to ensure people know what happens to their personal information when they apply for a loan or make a credit
purchase;
• a plain language summary of rights;
• obligations on credit reporters to maintain high standards in all aspects of their work;
• Improving standards of reporting accuracy through:
o requiring businesses supplying information for credit reports to ensure it is accurate and updated as necessary;
o requiring credit reporters to maintain an audit programme that may make subscribers subject to spot checks on the
reliability of information they have supplied;
o requiring credit reporters to flag disputed records while they are being checked;
o requirements to ensure that information on one individual is not wrongly attributed to another.
Mrs Shroff said the new code struck a careful balance between consumer privacy and business needs.
“We developed the code over several years and after a very intensive consultation process that included a large number
of submissions from the industry and the public.”
“I believe the Credit Reporting Privacy Code will bring about an orderly, fair, transparent and accurate credit
reporting system,” Mrs Shroff said. “My colleagues and I will keep it under careful review and we welcome comments at
any time.”
Questions and answers
What is a credit reporter?
A credit reporter is a company that collects credit and personal information from credit providers and publicly
available sources and then sells the information to third parties. These third parties are commonly but not always
credit providers seeking to establish if a potential client is a good or bad credit risk.
Why is a privacy code needed?
Credit reporting is a fast growing industry, reflecting the fast growth in New Zealanders’ use of credit. New
Zealanders’ indebtedness levels are increasing quickly. Credit reporters may hold large amounts of personal information,
very little of it acquired directly from those being reported on. Most people are not aware of the information that is
held about them, yet this information may affect their credit reputation for many years. There are relatively few formal
controls over the information held and its use, and people generally have no opportunity to verify data before it is
listed.
The new Credit Reporting Privacy Code 2004 has been developed to address these issues. Privacy Commissioner Marie Shroff
believes it will promote a more orderly, fair, transparent and accurate credit reporting system.
What does the code do for ordinary New Zealanders?
The code requires that credit reporters: provide individuals with free copies of any information held about them;
regularly update credit information; have systems to ensure new information is linked to the correct individual; have
systems and audits to ensure information is accurate; flag disputed debts while they are being checked; limit the range
of agencies and individuals to which credit information can be disclosed; have clear, fast and effective complaints
resolution procedures.
The rights of individuals are to be spelled out in a Summary of Rights document.
Credit providers (such as banks and retailers offering hire purchase credit) must clearly explain to their customers
what happens to personal information when a credit check is done. This will be a requirement of subscriber agreements as
the code only applies directly to credit reporters.
What effects will the code have on credit reporters?
The code will assist credit reporters by: enabling them to market a more accurate product; developing greater public
understanding and goodwill; reducing opportunities for misuse by fraudsters by having better identification systems;
allowing compliance in a non-prescriptive manner; providing a flexible form of regulation; focusing on self-auditing and
contract-based compliance, with external regulation being used only as a backstop; allowing self-management of
complaints procedures; spelling out clearer compliance standards; bringing about greater trans-Tasman regulatory
alignment.
The overall effect of the code on credit reporters, and the costs they may face, will depend upon their current
compliance with the Privacy Act and the extent to which they will need to change their computer systems.
What effect will the code have on business users of credit information?
The code will assist business users by:
improving the accuracy of information they obtain; minimising compliance costs by having relatively light-handed
regulation, but added certainty about the rules governing credit information; less risk of identity theft by more
accurate identification of individuals; better and lower-level dispute handling processes.
Any agency that currently uses the database for non credit-related purposes will be likely to find such practices
challenged if undertaken in the future. Existing users will be denied access in the future if their access is not
permitted under the code.
On balance the code is expected to have positive impacts for businesses in terms of promoting accuracy of information
and customer trust.
Is the code compulsory and who is covered?
The code is compulsory and it applies to all credit reporting agencies.
A code of practice issued under the Privacy Act 1993 is essentially delegated legislation that modifies the Privacy
Act’s information privacy principles where the code applies. The code is legally enforceable in the same way that the
Act itself is. The code is subject to review by the Regulations Review Committee of Parliament.
Why have internal complaints processes?
An internal complaints process allows the complainant and the agency to resolve disputes speedily, without undue
legalism and with a degree of flexibility about what is appropriate in the circumstances.
This needs to occur, however, with full knowledge of the parties’ respective rights and responsibilities. To make this
process work effectively, it is therefore vital that individuals have adequate information, such as the Summary of
Rights, reflecting the rights and obligations in the code.
When was the code of practice issued?
Monday 6 December 2004.
When does the code come into force?
Most of the code commences on 1 April 2006. This long lead-in time is to enable credit reporters to make changes to
their computer systems in order to become compliant. This takes some time to plan and implement.
From 1 April 2005, individuals will be able to get free access to information about themselves. The clause dealing with
internal complaints processes also comes into force on 1 April 2005. These clauses do not require computer systems
changes.
How will individuals be able to get free access to information about themselves?
Individuals can request access to information about themselves. That information must generally be provided free of
charge. Credit reporters are permitted to make reasonable charges if an individual wants the information within 5
working days.
Who was consulted in the development of the code?
The Office of the Privacy Commissioner spent several years researching the issues and talking with interested people.
Drafts of possible codes were released for comment and a session was devoted to the subject at a conference hosted by
the Commissioner.
In July 2003 the Commissioner formally began the statutory process for issuing a code of practice. This began with
public notices in newspapers and a mail-out to organisations and individuals who might be interested. About 60 written
submissions were received.
The Commissioner convened meetings in Auckland and Wellington to hear those who wished to speak to their submission.
There were also many follow-up discussions and meetings.
A refined version of the code was prepared and circulated in 2004 to people who made submissions. Further submissions
were received and considered before the code was issued.
Has the Commissioner issued codes of practice before?
Yes. There are two sectoral codes issued under the Privacy Act, one covering the health and disabilities sector (the
Health Information Privacy Code 1994) and the other covering the telecommunications sector (the Telecommunications
Information Privacy Code 2003).
A number of other narrowly focused codes have been issued such as the Superannuation Scheme Unique Identifier Code 1995,
Justice Sector Unique Identifier Code 1998 and the Post-Compulsory Education Unique Identifier Code 2001.
What other countries have issued similar privacy codes dealing with credit reporters?
There are statutory credit reporting codes of practice in Australia and Hong Kong. The former is issued under the
Australian Privacy Act 1988 and the latter under the Hong Kong Personal Data (Privacy) Ordinance.
Is it unusual for countries to specifically regulate credit reporting for privacy reasons?
A number of countries regulate credit reporting. For example, the USA legislated privacy protections in a Fair Credit
Reporting Act 1974 (recently updated by the Fair and Accurate Credit Transactions Act 2003). Australia enacted a
specific law dealing with privacy and credit reporting in 1990.
In countries that have laws governing privacy, there have often been questions about whether to let these operate to
provide appropriate credit reporting protection or to tailor specific controls. Both the Hong Kong and New Zealand
Commissioners have developed tailored controls.
How does the code compare with the Australian credit reporting law?
The Australian law was a consideration when developing this code of practice. The two main New Zealand consumer credit
reporting agencies also have Australian operations.
The Australian law is a complex mix of statute, code of practice and determinations. However, many of the fundamentals
of the New Zealand code are similar to the Australian law. The New Zealand code is simpler to understand and less
detailed than the Australian law.
Does the code allow “positive” credit reports?
No. “Negative” information typically refers to a default in meeting a credit obligation. A default has a clear relevance
to subsequent credit decisions and is the kind of fact that may not be volunteered by people seeking credit.
Positive information might be seen as all other information, for example an individual’s track record in keeping up
credit payments. There is other information that is neutral in itself but may bear upon creditworthiness (such as
whether an individual has moved frequently or is long settled in the same place).
A key influence has been the Australian situation, in which positive credit reporting is generally prohibited. The
rationale is that individuals who have met their legal obligations in respect of credit should not be forced to reveal
their private financial dealings into a widely accessible database.
The code does allow the reporting of some non-negative data, such as the amount of credit sought. It also allows, for
example, reporting of identification information and previous enquiry record information.
Why does the code only cover credit reporters and not credit providers?
The objective of the code is to deal with credit reporting privacy issues. It is difficult to deal with those completely
without also addressing the practices of credit providers and so the Commissioner originally proposed to also cover
those agencies by the code. However, as pointed out in submissions, having the code so broad brought difficulties of its
own in areas unconnected with credit reporting. Accordingly, the Commissioner decided finally to apply the code only to
credit reporters; but to deal indirectly with the credit provider part of the equation by requiring that certain
obligations be inserted into every subscriber access agreement.