The Credit Reporting Privacy Code (CRPC) was issued by the Privacy Commissioner Marie Shroff on 6 December 2004. It is one of several Codes of Practice issued by the Privacy Commissioner under section 46 of the Privacy Act.[1]
The Code has been amended 6 times, with a 7th amendment pending, with the amendments as follows:
Amendment No 1 – 1 April 2006 (now expired)
Amendment No 2 – 1 April 2006
Amendment No 3 – 22 February 2010;
Amendment No 4 – 1 October 2011 and 1 April 2012
Amendment No 5 – 1 December 2011 and 1 April 2012
Amendment No 6 – 1 April 2012
The Code replaces the Privacy Act's 12 Privacy Principles, with 12 Privacy Rules specifically customised for credit reporting matters.
Summary of the Code
The Code regulates into law matters related to credit reporting. The Code is however only limited to credit reporters that actually sell credit information, so at current the Code only applies to 3 credit reporting firms, Veda Limited, Dun & Bradstreet Limited, and recent newcomer Centrix Group Limited.
One of the most important aspects of the Code is that individuals now have the right to a free copy of their credit record. Not only that, individuals also have a right to a copy of all their Credit Information, which includes not only includes the normal credit record, but also other things such as a copy of your credit score, access log, and even the credit reporters internal file notes.
Other things the Code covers is procedures to handle complaints, maintaining an access log to your credit record, maximum time frames to report bad debts, credit inquiries, etc., having adequate subscriber agreements, allowing certain inquiries to your credit record without a consent being required, prohibiting debt collection agencies from bad debt listing debts under their account, requiring credit suppression where a person is a victim of identity fraud, and most recently, allowing positive reporting.
The 12 Privacy Rules of the Code
Rule 1: Purpose of Collection of Credit Information Rule 2: Source of Credit Information Rule 3: Collection of Credit Information from Individual Rule 4: Manner of Collection of Credit Information Rule 5: Storage and Security of Credit Information Rule 6: Access to Credit Information Rule 7: Correction of Credit Information Rule 8: Accuracy, etc., of Credit Information Rule 9: Retention of Credit Information Rule 10: Limits on Use of Credit Information Rule 11: Limits on Disclosure of Credit Information Rule 12: Unique Identifiers
Rule 1: Purpose of Collection of Credit Information
Personal information must not be collected by a credit reporter unless the information is collected for a lawful purpose connected with a function or activity of the credit reporter and also that the collection of the information is necessary for that purpose.
Also a credit reporter must not collect personal information for the purpose of credit reporting unless it is Credit Information as defined under the Code, so such things as criminal records and ethnicity can not be included on a credit check.
Rule 2: Source of Credit Information
Where a credit reporter collects credit information, it must collect the information directly from the individual concerned, unless the credit reporter believes, on reasonable grounds: (a) that the information is publicly available information; (b) that the individual concerned authorises collection of the information from another source; (c) that it is required for any investigation under the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences; (d) that it is required for the collection of fines or taxes (e) for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); (f) the collection is from a debt collector that is enforcing a debt owed by the individual concerned
This Rule effectively lets the credit reporter to update someone's new address if it is supplied by other sources than from a normal credit inquiry.
Rule 3: Collection of Credit Information from Individual
Where a credit reporter such as Veda collects credit information directly from the individual concerned, such as a request for a copy of your own credit report, the credit reporter must take such steps (if any) as are, in the circumstances, reasonable to ensure that the individual concerned is aware of:
(a) the fact that the information is being collected; (b) the purposes for which the information is being collected; (c) the intended recipients of the information; (d) the name and address of; (i) the agency that is collecting the information; and (ii) the agency that will hold the information; (e) whether or not the supply of the information is voluntary or mandatory and if mandatory the particular law (if any) under which it is required; (f) the consequences (if any) for that individual if all or any part of the requested information is not provided; and (g) the rights of access to, and correction of, credit information held by the credit reporter provided by rules 6 and 7.
A credit reporter must conspicuously display on the credit reporter's website a statement that sets out the purposes for which it collects credit information and the purposes for which the information will be used and disclosed.
It is worth noting that the credit reporter can not update your credit record with information you supply (e.g. residential address) supplied by the individual in order to get a copy of your own credit record, unless the individual consents to this. However such a consent is hidden in most credit reporters official application forms.
Rule 4: Manner of Collection of Credit Information
This rule states that Credit information must not be collected by a credit reporter by either unlawful means, by means that, in the circumstances of the case, are unfair or intrude to an unreasonable extent upon the personal affairs of the individual concerned.
Rule 5: Storage and Security of Credit Information
A credit reporter that holds credit information must ensure that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, unauthorised access and use, as well as any other misuse, including misuse by anyone with authorised access such as a subscriber.
That if it is necessary for the information to be given to a person in connection with the provision of a service to the credit reporter, everything reasonably within the power of the credit reporter is done to prevent unauthorised use or unauthorised disclosure of the information.
A credit reporter must take the following measures to safeguard the credit information it holds against unauthorised access or misuse: (a) develop written policies and procedures to be followed by its employees, agents and contractors; (b) impose access authentication controls such as the use of passwords, credential tokens or other mechanisms; (c) provide information and training to ensure compliance with the policies, procedures and controls; (d) ensure that a subscriber agreement that complies with Schedule 3 is in place before disclosing information under rule 11(2); (e) monitor usage and regularly check compliance with the agreement, policies, procedures and controls and the requirements of this code; (f) identify and investigate possible breaches of the agreement, policies, procedures and controls; (g) take prompt and effective action in respect of any breaches that are identified; (h) systematically review the effectiveness of the policies, procedures and controls and promptly remedy any deficiencies; and (i) maintain an access log.
The access log required by subrule (2)(i) must include a record of the time, date, subscriber purpose in relation to each access and must identify, or provide a means to identify, the specific user and must also include a record of the time, date, subscriber purpose in relation to each access and must identify, or provide a means to identify, the specific user.
Rule 6: Access to Credit Information
This rules states that an individual has the right of access to all of their Credit Information held by a credit reporter, and when provided with this information, the credit reporter must advise the individual that under rule 7, the individual may request the correction of that information.
The Code and the Privacy Commissioner have made it quite clear that an individual has the right of access to ones Credit information, and not just merely one's credit report, as Credit information (as defined under the Code) includes far more information, such as an access log, credit score, and even the credit reporters internal file notes.
While the Privacy Act does not allow a credit reporter to refuse an access request due to not using an official application form, unfortunately most creditor reporters do not abide by this. Legally, all they need is your full name, and your date of birth to identify your credit record, plus some ID to legally obtain your credit record.
Furthermore, section 7 of the Code states that the credit reporter is not able to charge for providing this information, unless the individual requests the information be provided within 5 working days, in which case a reasonable charge may be made.
Despite the Code expressly stating the 5 working days, credit reporter both Veda and Dun & Bradstreet instead use a time period of 20 working days contrary to this law.
Rule 7: Correction of Credit Information
Where a credit reporter holds credit information, the individual concerned is entitled to both request correction of the information; and to request that there be attached to the information a statement of the correction sought but not made.
A credit reporter that holds credit information must, if so requested by the individual concerned or on its own initiative, take such steps (if any) to correct that information as are, in the circumstances, reasonable to ensure that, having regard to the purposes for which the information may lawfully be used, the information is accurate, up to date, complete, and not misleading.
With regards to disputed debts, the Code requires the credit reporter at the very least flag it on its database as "disputed" (but still listed). Alternatively, the Credit reporter can remove the bad debt listing altogether. However the Privacy Commissioner has made it quite clear that if they merely flag it as "disputed", may mitigate the harm but does not constitute a correction under the law.
Rule 8: Accuracy, etc, of Credit Information
A credit reporter that holds credit information must not use or disclose that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used or disclosed, the information is accurate, up to date, complete, relevant, and not misleading.
A credit reporter must, when undertaking a comparison of personal information with other personal information for the purpose of producing or verifying information about an identifiable individual, take such measures as are reasonably practicable to avoid the incorrect matching of the information.
A credit reporter must ensure that a subscriber agreement that complies with Schedule 3 is in place before disclosing information under rule 11(2) as well as establish and maintain controls to ensure that, as far as reasonably practicable, only information that is accurate, up to date, complete, relevant, and not misleading is used or disclosed;
Rule 9: Retention of Credit Information
A credit reporter that holds credit information must not keep that information for longer than is required for the purposes for which the information may lawfully be used, with Schedule 1 of the Code effectively stating the maximum time periods that credit information can be included on credit records.
The main maximum time periods are:
Repayment History Information – 2 years (for positive credit reporting) Credit Applications – 5 years Previous Inquiries – 5 years Defaults / Collections – 5 years from the date of default Court Judgments – 5 years Bankruptcy – 5 years from the date of discharge, but where a person has been bankrupted more than once, it can be reported indefinitely
Rule 10: Limits on Use of Credit Information
Under Rule 10, a credit reporter that holds credit information that was obtained in connection with one purpose must not use the information for any other purpose unless the credit reporter believes, on reasonable grounds: (a) that the source of the information is a publicly available publication; (b) that the use of the information for that other purpose is authorised by the individual concerned; (c) that non-compliance is necessary to avoid prejudice to the maintenance of the law by any public sector agency, such as the Police, the IRD, or for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation)
Rule 11: Limits on Disclosure of Credit Information
Under Rule 11, a credit reporter that holds credit information must not disclose the information unless the credit reporter believes, on reasonable grounds that the disclosure is authorised by the individual concerned (e.g. such as in a credit agreement) and is made to only a credit provider for the purposes of making a credit decision, by a prospective landlord, by a prospective employer where the position involves significant financial risk, or by a prospective insurance company.
Authorisation must be express and fully informed. It is not sufficient for a subscriber to simply notify an individual that a credit check will be undertaken as part of a credit application process. The authorisation need not be in writing, but the absence of written evidence may present a problem if the credit reporter is later required to prove that it believed on reasonable grounds that an authorisation existed.
Also, a credit reporting agency can disclose credit information to the Police, any enforcing Government agency, the IRD, and if required for any court proceedings, without the requiring of the individuals consent.
Rule 12: Unique Identifiers
To allay "Big Brother" concerns, Rule 12 states that a credit reporter must not assign a unique identifier to an individual unless the assignment of that identifier is necessary to enable the credit reporter to carry out one or more of its functions efficiently (i.e. an internal reference number).
This reference number can not be the same used by any other organisation. However, the code has been since amended that a Credit reporter can now retain an individual's drivers licence number.
Criticism of the Code
The Code has several shortfalls such as:
If you pay for your credit record, and find incorrect information, there is no legal obligation whatsoever for the credit reporter to refund the fee.
The credit reporters subscribers are not even required to take the simple step notify the individual that a bad listing has been listed on your credit record. This is particularly troublesome where an account is in dispute and you will only find out if it has been listed on your credit record, through applying for credit, or paying the credit reporter for a credit monitoring service. One would imagine this gives the credit reporter a financial incentive to not keep accurate or open records.
Furthermore, also when a bad debt listing occurs, one would think it is prudent for the subscriber to also at least notify the individual what information has been listed on their credit record, such as the date of default and the amount claimed as owed, just in case it is incorrect.
In cases where a bad listing has proven to have been wrongly listed, the Code does not even require that any money wrongly paid to the creditor due to the bad debt listing to be refunded.
Furthermore, where a subscriber or credit reporter has proven to of wrongly listed credit information, the Code does not require any of the sometimes substantial costs the individual may incur to get this information corrected to be reimbursed.
While the Code specifically covers Credit Information, and not merely just credit records, the Code does not prohibit credit providers misleading individuals that they are only entitled to a copy of their credit report, as exhibited by both Veda's website and their application form.
The Privacy Commission is well aware of these shortfall's, and whilst the Commissioner has made numerous amendments to this Code in the past, she has chosen not to rectify any of these shortfalls in the Code.
Related Research Articles
A search warrant is a court order that a magistrate or judge issues to authorize law enforcement officers to conduct a search of a person, location, or vehicle for evidence of a crime and to confiscate any evidence they find. In most countries, a search warrant cannot be issued in aid of civil process.
The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, was a European Union directive which regulated the processing of personal data within the European Union (EU) and the free movement of such data. The Data Protection Directive was an important component of EU privacy and human rights law.
The Health Insurance Portability and Accountability Act of 1996 is a United States Act of Congress enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996. It aimed to alter the transfer of healthcare information, stipulated the guidelines by which personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and addressed some limitations on healthcare insurance coverage. It generally prohibits healthcare providers and businesses called covered entities from disclosing protected information to anyone other than a patient and the patient's authorized representatives without their consent. The bill does not restrict patients from receiving information about themselves. Furthermore, it does not prohibit patients from voluntarily sharing their health information however they choose, nor does it require confidentiality where a patient discloses medical information to family members, friends or other individuals not employees of a covered entity.
The Privacy Act of 1974, a United States federal law, establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual. The Privacy Act requires that agencies give the public notice of their systems of records by publication in the Federal Register. The Privacy Act prohibits the disclosure of information from a system of records absent of the written consent of the subject individual, unless the disclosure is pursuant to one of twelve statutory exceptions. The Act also provides individuals with a means by which to seek access to and amendment of their records and sets forth various agency record-keeping requirements. Additionally, with people granted the right to review what was documented with their name, they are also able to find out if the "records have been disclosed" and are also given the right to make corrections.
Hiibel v. Sixth Judicial District Court of Nevada, 542 U.S. 177 (2004), is a United States Supreme Court case in which the Court held that a statute requiring suspects to disclose their names during a valid Terry stop does not violate the Fourth Amendment if the statute first requires reasonable suspicion of criminal involvement, and does not violate the Fifth Amendment if there is no allegation that their names could have caused an incrimination.
The Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., is federal legislation enacted to promote the accuracy, fairness, and privacy of consumer information contained in the files of consumer reporting agencies. It was intended to shield consumers from the willful and/or negligent inclusion of erroneous data in their credit reports. To that end, the FCRA regulates the collection, dissemination, and use of consumer information, including consumer credit information. Together with the Fair Debt Collection Practices Act (FDCPA), the FCRA forms the foundation of consumer rights law in the United States. It was originally passed in 1970, and is enforced by the U.S. Federal Trade Commission, the Consumer Financial Protection Bureau, and private litigants.
The Personal Information Protection and Electronic Documents Act is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business. In addition, the Act contains various provisions to facilitate the use of electronic documents. PIPEDA became law on 13 April 2000 to promote consumer trust in electronic commerce. The act was also intended to reassure the European Union that the Canadian privacy law was adequate to protect the personal information of European citizens. In accordance with section 29 of PIPEDA, Part I of the Act must be reviewed by Parliament every five years. The first Parliamentary review occurred in 2007.
Privacy laws of the United States deal with several different legal concepts. One is the invasion of privacy, a tort based in common law allowing an aggrieved party to bring a lawsuit against an individual who unlawfully intrudes into their private affairs, discloses their private information, publicizes them in a false light, or appropriates their name for personal gain.
A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares a party's policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.
Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.
Public records are documents or pieces of information that are not considered confidential and generally pertain to the conduct of government.
Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.
The Telephone Preference Service (TPS) is the United Kingdom's official do not call list. It allows businesses and individuals to opt out of unsolicited marketing calls.
The Stored Communications Act is a law that addresses voluntary and compelled disclosure of "stored wire and electronic communications and transactional records" held by third-party Internet service providers (ISPs). It was enacted as Title II of the Electronic Communications Privacy Act of 1986 (ECPA).
State v. Reid, 194 N.J. 386, 954 A.2d 503, was a criminal court case in which the New Jersey Supreme Court ruled that Internet service provider (ISP) subscribers have a reasonable expectation of privacy in the identifying information they provide to ISPs. This case has helped place New Jersey at the forefront of the states committed to providing their residents with broader privacy protections than those available under federal law.
Doe v. Shurtleff, 628 F.3d 1217, was a United States Court of Appeals for the Tenth Circuit case assessing the constitutionality of Utah Code Ann. § 77-27-21.5, a law that requires sex offenders to register their internet identifiers with the state in order to "assist in investigating kidnapping and sex-related crimes, and in apprehending offenders." In this case, a convicted sex offender, appearing anonymously as John Doe, appealed a decisionArchived January 4, 2014, at the Wayback Machine by the United States District Court for the District of Utah to vacate an order enjoining the enforcement of Utah Code Ann. § 77-27-21.5. Even though Doe did not dispute the state's interest in enacting such a statute, he believed that the statute's enforcement ran afoul of his:
R v Spencer, 2014 SCC 43 is a landmark decision of the Supreme Court of Canada on informational privacy. The Court unanimously held that internet users were entitled to a reasonable expectation of privacy in subscriber information held by Internet service providers. And as such, police attempts to access such data could be subject to section 8 of the Charter of Rights and Freedoms.
The Data Protection Act, 2012 is legislation enacted by the Parliament of the Republic of Ghana to protect the privacy and personal data of individuals. It regulates the process personal information is acquired, kept, used or disclosed by data controllers and data processors by requiring compliance with certain data protection principles. Non compliance with provisions of the Act may attract either civil liability, or criminal sanctions, or both, depending on the nature of the infraction. The Act also establishes a Data Protection Commission, which is mandated to ensure compliance with its provisions, as well as maintain the Data Protection Register.
The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015(Cth) is an Act of the Parliament of Australia that amends the Telecommunications (Interception and Access) Act 1979 (original Act) and the Telecommunications Act 1997 to introduce a statutory obligation for Australian telecommunication service providers (TSPs) to retain, for a period of two years, particular types of telecommunications data (metadata) and introduces certain reforms to the regimes applying to the access of stored communications and telecommunications data under the original Act.
Financial privacy laws regulate the manner in which financial institutions handle the nonpublic financial information of consumers. In the United States, financial privacy is regulated through laws enacted at the federal and state level. Federal regulations are primarily represented by the Bank Secrecy Act, Right to Financial Privacy Act, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act. Provisions within other laws like the Credit and Debit Card Receipt Clarification Act of 2007 as well as the Electronic Funds Transfer Act also contribute to financial privacy in the United States. State regulations vary from state to state. While each state approaches financial privacy differently, they mostly draw from federal laws and provide more stringent outlines and definitions. Government agencies like the Consumer Financial Protection Bureau and the Federal Trade Commission provide enforcement for financial privacy regulations.
This page is based on this Wikipedia article Text is available under the CC BY-SA 4.0 license; additional terms may apply. Images, videos and audio are available under their respective licenses.
