Credit Reporting Privacy Code (New Zealand)
The Credit Reporting Privacy Code (CRPC) was issued by the Privacy Commissioner Marie Shroff on 6 December 2004. It is one of several Codes of Practice issued by the Privacy Commissioner under section 46 of the Privacy Act.
The Code has been amended 6 times, with a 7th amendment pending, with the amendments as follows:
- Amendment No 1 – 1 April 2006 (now expired)
- Amendment No 2 – 1 April 2006
- Amendment No 3 – 22 February 2010;
- Amendment No 4 – 1 October 2011 and 1 April 2012
- Amendment No 5 – 1 December 2011 and 1 April 2012
- Amendment No 6 – 1 April 2012
The Code replaces the Privacy Act’s 12 Privacy Principles, with 12 Privacy Rules specifically customised for credit reporting matters.
Summary of the Code
The Code regulates into law matters related to credit reporting. The Code is however only limited to credit reporters that actually sell credit information, so at current the Code only applies to 3 credit reporting firms, Veda Limited, Dun & Bradstreet Limited, and recent newcomer Centrix Group Limited.
One of the most important aspects of the Code is that individuals now have the right to a free copy of their credit record. Not only that, individuals also have a right to a copy of all their Credit Information, which includes not only includes the normal credit record, but also other things such as a copy of your credit score, access log, and even the credit reporters internal file notes.
Other things the Code covers is procedures to handle complaints, maintaining an access log to your credit record, maximum time frames to report bad debts, credit inquiries, etc., having adequate subscriber agreements, allowing certain inquiries to your credit record without a consent being required, prohibiting debt collection agencies from bad debt listing debts under their account, requiring credit suppression where a person is a victim of identity fraud, and most recently, allowing positive reporting.
The 12 Privacy Rules of the Code
Rule 1: Purpose of Collection of Credit Information Rule 2: Source of Credit Information Rule 3: Collection of Credit Information from Individual Rule 4: Manner of Collection of Credit Information Rule 5: Storage and Security of Credit Information Rule 6: Access to Credit Information Rule 7: Correction of Credit Information Rule 8: Accuracy, etc., of Credit Information Rule 9: Retention of Credit Information Rule 10: Limits on Use of Credit Information Rule 11: Limits on Disclosure of Credit Information Rule 12: Unique Identifiers
Rule 1: Purpose of Collection of Credit Information
Personal information must not be collected by a credit reporter unless the information is collected for a lawful purpose connected with a function or activity of the credit reporter and also that the collection of the information is necessary for that purpose.
Also a credit reporter must not collect personal information for the purpose of credit reporting unless it is Credit Information as defined under the Code, so such things as criminal records and ethnicity can not be included on a credit check.
Rule 2: Source of Credit Information
Where a credit reporter collects credit information, it must collect the information directly from the individual concerned, unless the credit reporter believes, on reasonable grounds: (a) that the information is publicly available information; (b) that the individual concerned authorises collection of the information from another source; (c) that it is required for any investigation under the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences; (d) that it is required for the collection of fines or taxes (e) for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); (f) the collection is from a debt collector that is enforcing a debt owed by the individual concerned
This Rule effectively lets the credit reporter to update someone’s new address if it is supplied by other sources than from a normal credit inquiry.
Rule 3: Collection of Credit Information from Individual
Where a credit reporter such as Veda collects credit information directly from the individual concerned, such as a request for a copy of your own credit report, the credit reporter must take such steps (if any) as are, in the circumstances, reasonable to ensure that the individual concerned is aware of:
(a) the fact that the information is being collected; (b) the purposes for which the information is being collected; (c) the intended recipients of the information; (d) the name and address of; (i) the agency that is collecting the information; and (ii) the agency that will hold the information; (e) whether or not the supply of the information is voluntary or mandatory and if mandatory the particular law (if any) under which it is required; (f) the consequences (if any) for that individual if all or any part of the requested information is not provided; and (g) the rights of access to, and correction of, credit information held by the credit reporter provided by rules 6 and 7.
A credit reporter must conspicuously display on the credit reporter’s website a statement that sets out the purposes for which it collects credit information and the purposes for which the information will be used and disclosed.
It is worth noting that the credit reporter can not update your credit record with information you supply (e.g. residential address) supplied by the individual in order to get a copy of your own credit record, unless the individual consents to this. However such a consent is hidden in most credit reporters official application forms.
Rule 4: Manner of Collection of Credit Information
This rule states that Credit information must not be collected by a credit reporter by either unlawful means, by means that, in the circumstances of the case, are unfair or intrude to an unreasonable extent upon the personal affairs of the individual concerned.
Rule 5: Storage and Security of Credit Information
A credit reporter that holds credit information must ensure that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, unauthorised access and use, as well as any other misuse, including misuse by anyone with authorised access such as a subscriber.
That if it is necessary for the information to be given to a person in connection with the provision of a service to the credit reporter, everything reasonably within the power of the credit reporter is done to prevent unauthorised use or unauthorised disclosure of the information.
A credit reporter must take the following measures to safeguard the credit information it holds against unauthorised access or misuse: (a) develop written policies and procedures to be followed by its employees, agents and contractors; (b) impose access authentication controls such as the use of passwords, credential tokens or other mechanisms; (c) provide information and training to ensure compliance with the policies, procedures and controls; (d) ensure that a subscriber agreement that complies with Schedule 3 is in place before disclosing information under rule 11(2); (e) monitor usage and regularly check compliance with the agreement, policies, procedures and controls and the requirements of this code; (f) identify and investigate possible breaches of the agreement, policies, procedures and controls; (g) take prompt and effective action in respect of any breaches that are identified; (h) systematically review the effectiveness of the policies, procedures and controls and promptly remedy any deficiencies; and (i) maintain an access log.
The access log required by subrule (2)(i) must include a record of the time, date, subscriber purpose in relation to each access and must identify, or provide a means to identify, the specific user and must also include a record of the time, date, subscriber purpose in relation to each access and must identify, or provide a means to identify, the specific user.
Rule 6: Access to Credit Information
This rules states that an individual has the right of access to all of their Credit Information held by a credit reporter, and when provided with this information, the credit reporter must advise the individual that under rule 7, the individual may request the correction of that information.
The Code and the Privacy Commissioner have made it quite clear that an individual has the right of access to ones Credit information, and not just merely one’s credit report, as Credit information (as defined under the Code) includes far more information, such as an access log, credit score, and even the credit reporters internal file notes.
While the Privacy Act does not allow a credit reporter to refuse an access request due to not using an official application form, unfortunately most creditor reporters do not abide by this. Legally, all they need is your full name, and your date of birth to identify your credit record, plus some ID to legally obtain your credit record.
Furthermore, section 7 of the Code states that the credit reporter is not able to charge for providing this information, unless the individual requests the information be provided within 5 working days, in which case a reasonable charge may be made.
Despite the Code expressly stating the 5 working days, credit reporter both Veda and Dun & Bradstreet instead use a time period of 20 working days contrary to this law.
Rule 7: Correction of Credit Information
Where a credit reporter holds credit information, the individual concerned is entitled to both request correction of the information; and to request that there be attached to the information a statement of the correction sought but not made.
A credit reporter that holds credit information must, if so requested by the individual concerned or on its own initiative, take such steps (if any) to correct that information as are, in the circumstances, reasonable to ensure that, having regard to the purposes for which the information may lawfully be used, the information is accurate, up to date, complete, and not misleading.
With regards to disputed debts, the Code requires the credit reporter at the very least flag it on its database as "disputed" (but still listed). Alternatively, the Credit reporter can remove the bad debt listing altogether. However the Privacy Commissioner has made it quite clear that if they merely flag it as "disputed", may mitigate the harm but does not constitute a correction under the law.
Rule 8: Accuracy, etc, of Credit Information
A credit reporter that holds credit information must not use or disclose that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used or disclosed, the information is accurate, up to date, complete, relevant, and not misleading.
A credit reporter must, when undertaking a comparison of personal information with other personal information for the purpose of producing or verifying information about an identifiable individual, take such measures as are reasonably practicable to avoid the incorrect matching of the information.
A credit reporter must ensure that a subscriber agreement that complies with Schedule 3 is in place before disclosing information under rule 11(2) as well as establish and maintain controls to ensure that, as far as reasonably practicable, only information that is accurate, up to date, complete, relevant, and not misleading is used or disclosed;
Rule 9: Retention of Credit Information
A credit reporter that holds credit information must not keep that information for longer than is required for the purposes for which the information may lawfully be used, with Schedule 1 of the Code effectively stating the maximum time periods that credit information can be included on credit records.
The main maximum time periods are:
Repayment History Information – 2 years (for positive credit reporting) Credit Applications – 5 years Previous Inquiries – 5 years Defaults / Collections – 5 years from the date of default Court Judgments – 5 years Bankruptcy – 5 years from the date of discharge, but where a person has been bankrupted more than once, it can be reported indefinitely
Rule 10: Limits on Use of Credit Information
Under Rule 10, a credit reporter that holds credit information that was obtained in connection with one purpose must not use the information for any other purpose unless the credit reporter believes, on reasonable grounds: (a) that the source of the information is a publicly available publication; (b) that the use of the information for that other purpose is authorised by the individual concerned; (c) that non-compliance is necessary to avoid prejudice to the maintenance of the law by any public sector agency, such as the Police, the IRD, or for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation)
Rule 11: Limits on Disclosure of Credit Information
Under Rule 11, a credit reporter that holds credit information must not disclose the information unless the credit reporter believes, on reasonable grounds that the disclosure is authorised by the individual concerned (e.g. such as in a credit agreement) and is made to only a credit provider for the purposes of making a credit decision, by a prospective landlord, by a prospective employer where the position involves significant financial risk, or by a prospective insurance company.
Authorisation must be express and fully informed. It is not sufficient for a subscriber to simply notify an individual that a credit check will be undertaken as part of a credit application process. The authorisation need not be in writing, but the absence of written evidence may present a problem if the credit reporter is later required to prove that it believed on reasonable grounds that an authorisation existed.
Also, a credit reporting agency can disclose credit information to the Police, any enforcing Government agency, the IRD, and if required for any court proceedings, without the requiring of the individuals consent.
Rule 12: Unique Identifiers
To allay "Big Brother" concerns, Rule 12 states that a credit reporter must not assign a unique identifier to an individual unless the assignment of that identifier is necessary to enable the credit reporter to carry out one or more of its functions efficiently (i.e. an internal reference number).
This reference number can not be the same used by any other organisation. However, the code has been since amended that a Credit reporter can now retain an individual’s drivers licence number.
Criticism of the Code
The Code has several shortfalls such as:
- If you pay for your credit record, and find incorrect information, there is no legal obligation whatsoever for the credit reporter to refund the fee.
- The credit reporters subscribers are not even required to take the simple step notify the individual that a bad listing has been listed on your credit record. This is particularly troublesome where an account is in dispute and you will only find out if it has been listed on your credit record, through applying for credit, or paying the credit reporter for a credit monitoring service. One would imagine this gives the credit reporter a financial incentive to not keep accurate or open records.
- Furthermore, also when a bad debt listing occurs, one would think it is prudent for the subscriber to also at least notify the individual what information has been listed on their credit record, such as the date of default and the amount claimed as owed, just in case it is incorrect.
- In cases where a bad listing has proven to have been wrongly listed, the Code does not even require that any money wrongly paid to the creditor due to the bad debt listing to be refunded.
- Furthermore, where a subscriber or credit reporter has proven to of wrongly listed credit information, the Code does not require any of the sometimes substantial costs the individual may incur to get this information corrected to be reimbursed.
- While the Code specifically covers Credit Information, and not merely just credit records, the Code does not prohibit credit providers misleading individuals that they are only entitled to a copy of their credit report, as exhibited by both Veda’s website and their application form.
The Privacy Commission is well aware of these shortfall’s, and whilst the Commissioner has made numerous amendments to this Code in the past, she has chosen not to rectify any of these shortfalls in the Code.