Revised Code of Practice on Consumer Credit Data

The revised Code of Practice on Consumer Credit Data ("the Code") took effect on 2 June 2003. The revision sets a new regulatory regime in respect of the sharing of "positive" and "negative" credit data amongst credit providers through the use of a central credit database operated by a credit reference agency.

The revised Code contains stringent data protection safeguards to ensure that the greater sharing of credit data is subject to commensurate levels of protection of the individual's personal data. In anticipation of the impact the implementation of the revised Code would have up on existing credit consumers, a twenty-four month transitional period was imposed prior to credit providers being able to make full use of the shared positive credit data in June 2005. During the transition period, new positive data may only be used in restricted circumstances e.g. in conjunction with new credit applications. This measure was designed to ensure that a reliable picture of a borrowers¡¦ creditworthiness could be derived from the new data, made available during the twenty-four month period, prior to their being used for other purposes in relation to the provision of consumer credit.

Privacy Commissioner Mr. Raymond Tang met the press to explain details of the revised Code of Practice on Consumer Credit Data.

Another important safeguard is the provision requiring the credit reference agency to submit its operating practices and related systems to an independent privacy compliance audit, to be conducted on an annual basis. The audit will focus on the way in which the credit reference agency provides consumer credit reference services. More specifically, it will scrutinize the security of consumer credit data held by the consumer credit agency in its database, and the adequacy and efficiency of the measures taken by it to comply with the requirements of the revised Code. The first compliance audit addressing, in particular, the adequacy of the data handling system, was completed in early 2004. The audit report has since been submitted to the PCPD and was subsequently approved by the Privacy Commissioner in April 2004.

Since the launch of the revised Code the PCPD has been compiling statistics on enquiries received from the public. By March, the PCPD has received approximately 800 enquiries from the public on different aspects of the Code. The two most important issues on the minds of enquirers relate to the circumstances under which they may obtain access to their credit report and the conditions under which credit providers may make access to the database operated by the credit reference agency.

Guidelines on Monitoring and Personal Data Privacy at Work

The PCPD held a press briefing on 18 December 2003 to release the report on the public consultation exercise undertaken in conjunction with the Draft Code of Practice on Monitoring and Personal Data Privacy at Work.

In December 2003 the PCPD released the report on the public consultation exercise undertaken in conjunction with the Draft Code of Practice on Monitoring and Personal Data Privacy at Work. As the report indicates there was, in general, a good measure of support for this initiative that sought to offer practical guidelines in circumstances where employers use monitoring devices to collect the personal data of their employees in the workplace.

In keeping with the general sentiment expressed in submissions made in response to the consultation exercise the PCPD has concluded that, at this stage, it would be prudent to take a measured response to the issues pertaining to monitoring and personal data privacy at work. After careful reflection it was decided to formulate "best practice" guidelines as the preferred initial approach towards promoting compliance among employers. This decision was influenced by a number of factors.

	Guidelines would offer an optimal solution in terms of balancing the legitimate interests of employers and the personal data privacy rights of employees.
	Guidelines would offer employers greater flexibility and discretion in the monitoring of any abuses committed by employees, or in investigating any wrongdoing in the workplace, including the domestic household.
	Guidelines permit employers to take a self-regulatory approach towards compliance issues when managing workplace relationships with their employees.
	Guidelines enable employers to comply with other regulatory demands made upon them, thereby reducing the prospect of any inconsistency or conflict with those demands.

The guidelines are currently being drafted and it is intended that the guidelines would offer some consistency and continuity to workplace monitoring practices and hold employers accountable for developing unambiguous policies. To that extent employees should feel more secure in the knowledge that their employers have used the guidelines as a benchmark to protect their personal data privacy rights. The success of these guidelines will ultimately depend upon the commitment and cooperation of employers. The PCPD believes that all responsible employers will react positively to the interests the guidelines seek to promote.