Connexus : Issue 43
much of the operational detail supporting the privacy protection measures of the Act, and compliance with it will be mandatory for all credit providers.

A key aspect of the reforms is that they will permit more comprehensive credit reporting than under the current 'negative' reporting regime, with five new categories of 'positive' data permitted to be provided to, and made available by, credit reporting bodies such as Veda. These are:

• The type of each credit account.
• The date on which each account was opened and closed.
• The current limit of each open account.
• The consumer's repayment history for the preceding two years.
• The name of the credit provider and whether they are licensed.

Credit providers' capacity to access more comprehensive credit data will, however, depend on their ability and willingness to contribute data to the system, in accordance with a technical standard and other assurance requirements that ARCA is developing in conjunction with industry. Under what is known as the reciprocity principles, credit providers will only be able to obtain access to the level of data they contribute to the credit reporting system.

Many Customer Owned Banking Association members are already considering when or whether they will move over to positive reporting, balancing the potential value of the additional data in making lending decisions with the development and ongoing system costs of providing data to the required standard. Overseas experience suggests that positive data exchange is likely to start slowly but to build momentum over time, and we would expect most association members to initially adopt a wait-and-see approach.

Whatever approach is taken, all credit providers will still have new obligations to meet from March 12 next year under the revamped legislative provisions and CR Code. Changes include:

• Additional notification requirements.
• Enhanced access and correction processes.
• A prohibition on reporting defaults of less than $150 and credit-related information about people under 18 years of age.
• An ability of individuals to seek a freeze on use and disclosure of credit information in cases of suspected fraud.
• Significantly increased record-keeping requirements.

Mandatory breach reporting

Unauthorised use of personal information may occur following a breach of data security caused by any one of a range of circumstances, including a malicious attack by a hacker, accidental loss of IT equipment or hard copy documents, and negligent or improper disclosure by a staff member.

Responding to a number of high-profile security breaches in recent years, the government recently introduced a bill into parliament to further amend the Privacy Act to require mandatory data breach reporting. While the bill was not passed by the Senate before the parliament rose ahead of the forthcoming federal election, it is likely to be reintroduced and probably passed by the new parliament.

Affected individuals and the regulator, the Office of the Australian Information Commissioner, will have to be notified where a breach of personal information, credit-related information or tax file number information creates a "real risk of serious harm" to an affected individual. "Serious harm" includes reputational as well as economic and financial harm. Notification to the OAIC would need to include details of the breach and the remedial steps taken.

While notification of most privacy breaches would continue to be voluntary under the amended legislation, there would be significant consequences for serious breaches, with the possibility of penalties and/or adverse publicity orders being imposed by the regulator.

Regulator's powers increased

The 2012 amendments to the Privacy Act have decisively strengthened the Privacy Commissioner's powers. Among other things, the commissioner now has the power to undertake 'own motion' investigations, accept and enforce undertakings, conduct privacy performance assessments and seek civil penalties for serious or repeated interferences with privacy, as well as breaches of a range of credit reporting provisions. In the case of corporations, civil penalties of up to $1.7 million may potentially be imposed.

Compliance support

The association's Legal & Compliance team is developing a range of new compliance manuals, training resources, precedent documents and checklists to assist member organisations' transition to the new regime. Please email email@example.com for details.

Michael Funston is the Customer Owned Banking Association's senior manager, legal & compliance.