The handling of credit reports by records management agents and other contractors
Advice for credit providers and credit reporting agencies when contracting out record management functions
Privacy Commissioner, May 1996
Foreword
It is the practice of credit providers and credit reporting agencies to contract
out the management of records, including credit reports.
In auditing credit providers for compliance with the Commonwealth Privacy
Act 1988, I have found that contracts with other firms, especially record
management agents, often do not include clauses which would help to protect
the information against loss, unauthorised access and other misuses.
These are clauses which it would be reasonable to include in the
circumstances of a typical contract. Omission of such safeguards places the
credit provider at risk of breaching the provisions in Part IIIA for protection of
information.
The clauses set out in this paper are suggested for inclusion in contracts
between credit providers and records management agents or other
contractors, such as information technology companies, where the contract
services include the handling of credit reports.
I have a responsibility under Section 28A(1)(e) of the Privacy Act 1988 to
“prepare and publish ... Guidelines for the avoidance of acts or practices of a
credit reporting agency or credit provider that may or might be interferences
with the privacy of individuals.” These guidelines have been published as part
of that responsibility. They are advisory only, and should be read in
conjunction with the provisions of Part IIIA of the Act and the legally binding
Code of Conduct that I issue pursuant to the Act.
Kevin O’Connor
Privacy Commissioner
May 1996
Introduction
Purpose of this advice
In 1990, Parliament passed (and the Governor-General assented to) Part IIIA
of the Privacy Act, which extends a range of protections to the handling of
consumer credit information by credit providers and credit reference agencies.
Together with a legally binding code of conduct issued by the Privacy
Commissioner, Part IIIA regulates the way consumer credit information may
be collected, used, disclosed, amended or destroyed.
In particular, section 18G(b) of the Privacy Act provides:
A credit reporting agency in possession or control of a credit information file or
a credit provider or credit reporting agency in possession or control of a credit
report, must: ...
(b) ensure that the file or report is protected by such security safeguards as
are reasonable in the circumstances, against loss, against unauthorised
access, use, modification or disclosure, and against other misuse;...
In auditing credit providers for compliance with this requirement, the Privacy
Commissioner has found that contracts with other firms, especially record
management agents, often do not include clauses setting out obligations of
the record management agent in relation to security and other privacy issues,
which would help to protect the information and which it would be reasonable
to include in the circumstances of a typical contract. Omission of such
safeguards places the credit provider at risk of breaching the provisions
quoted above.
The clauses set out below are suggested for inclusion in contracts between
credit providers and records management agents or other contractors, such
as information technology companies, where the contract services include the
handling of credit reports. They are similar in many respects to the clauses
recommended in the Privacy Commissioner’s advice Outsourcing and Privacy
directed to Commonwealth government agencies considering contracting out
information technology and other functions. The clauses presented here,
however, cover only credit reporting information and are more limited in
scope, to reflect the normal range of functions performed by records
management agents.
Is contracting out desirable?
When a contractor provides a service to a client, there is necessarily a
substantial reduction in the client’s control over how the service is delivered
on a day-to-day basis. While including clauses like those presented below in
contracts, and monitoring performance, will usually satisfy a client’s legal
obligations in relation to the security of credit reporting information, there may
be cases where the sensitivity of the information held is great enough to raise
doubts about the desirability of outsourcing some record management
functions. This applies especially where a proposed contract arrangement
would involve the contractor exercising discretion in the way personal
information is handled. Clients should consider whether privacy
considerations weigh so heavily as to make contracting out inappropriate.
Different clauses for different sorts of contract
The recommended clauses have been arranged in two groups: clauses that
would be appropriate in contracts for standard record management services;
and clauses that may be appropriate in contracts for the provision of more
complex services.
In particular, a record management contract that involves storing boxes of
documents for a specified period and then either destroying them or returning
them, but forbids the contractor to access the information in the documents,
is unlikely to need to contain clauses:
limiting uses of information to contract uses (clause 5); or
obliging the contractor to ensure high data quality (clause 13).
Other circumstances may mean that particular clauses or parts of clauses are
not relevant, for instance:
where both contractor and client operate only in Australia, it may be
reasonable to omit clause 6 (no overseas transfer), since this is covered by
clause 4 (no unauthorised disclosure) and is not a serious risk in the context
of that particular contract; and
where the contract prohibits the contractor from using sub-contractors,
references to subcontractors in the clauses are unnecessary.
The structure of a particular contract may make it appropriate for some of the
clauses to be accommodated in a schedule rather than in the contract proper.
Use of terms in this document
The text of this document refers:
only to ‘credit reports’ (as defined in the Privacy Act), but the same legal
requirements and advice would apply to ‘credit information files’ in the control
of a credit reporting agency like the Credit Reference Association of Australia;
and
to the record management agent as ‘the contractor’ and the organisation
that contracts with the record management agent as ‘the client’.
Monitoring the performance of the contract
The contract should include a clause which gives the client access (with
appropriate notice and at reasonable times), to the contractor’s premises, the
records that are being managed and other relevant materials so that the client
can ensure that the contractor is complying with its obligations under the
agreement as to security of credit reports.
Compensation for interference with an individual's privacy by a contractor and client indemnity
Where a complaint is investigated by the Privacy Commissioner, the client’s
responsibility for any breach of the credit reporting provisions of the Privacy
Act may be determined by the Commissioner under section 52 of the Privacy
Act (though experience has been that most complaints can be resolved by
negotiation). The Commissioner may also make a determination that a person
who has complained about an interference with his or her privacy (including a
breach of the credit reporting provisions of the Privacy Act or the credit
reporting Code of Conduct) is entitled to a specified amount by way of
compensation for loss or damage suffered.
If it is not possible to reach a negotiated settlement between client and
complainant, the Privacy Commissioner may launch proceedings in the
Federal Court to enforce the payment of compensation. In all cases the legal
obligation to pay compensation will fall on the client but in some situations the
contractor alone may be responsible for the breach (for example, if the
contractor leaves boxes of credit reports at a public tip). In other cases, client
and contractor may both have a share of responsibility for the breach (for
example, if the contractor makes an unauthorised disclosure but the client has
also failed to ensure there were adequate clauses in the contract to protect
against this).
Provisions for the contractor to indemnify the client for loss or expense
incurred by the client as a result of the contractor failing to fulfill the privacy
clauses in the contract will need to be negotiated in the context of each
particular contract.
Consistency with general confidentiality clauses
Clients should take care to see that there are no inconsistencies between
general confidentiality clauses and clauses relating specifically to credit
reports. For example, a confidentiality clause may state that all information
exchanged between the parties is confidential and may not be disclosed
except in certain situations. Those exceptions may be broader than is
appropriate in relation to credit reports. Any reference to credit reports in
general confidentiality clauses should include a reference to, and defer to, the
specific clauses about credit reports.
Contracts with sub-contractors
Most agreements will have clauses that prevent sub-contracting without the
consent of the client. If a client considers it appropriate to allow sub-
contracting, before giving consent it should ensure that all clauses relating to
protection of personal information are required to be included in any
agreement between the contractor and a sub-contractor. The client should
ensure, by the inclusion of these clauses, that the level of protection that the
contractor is required to afford credit reports is also required of sub-
contractors. Otherwise, the provisions in the contract between client and
contractor could be rendered ineffective.
Where a contractor becomes aware of a breach of any of the privacy
protection clauses by a subcontractor, the contractor must immediately notify
the client of this breach (see clause 8).
Tax file numbers
The same sort of requirements in regard to security apply to Tax File
Numbers as well as credit reports, although it is unlikely that the same
contract would cover both credit reports and Tax File Number information.
Legally binding guidelines issued by the Privacy Commissioner under section
17 of the Privacy Act provide at paragraph 6.1(a) that:
Tax File Number recipients shall ensure: (a) that Tax File Number information
is protected by such security safeguards as it is reasonable in the
circumstances to take, to prevent loss, unauthorised access, use, modification
or disclosure, and other misuse; ...
However, if financial institutions or other organisations contract out services
that include the handling of Tax File Number information, it is not strictly
necessary for contracts to include clauses to ensure adequate protection of
Tax File Number information, since section 11 of the Privacy Act 1988
provides that ‘a person who is (whether lawfully or unlawfully) in possession
or control of a record that contains Tax File Number information shall be
regarded, for the purposes of this Act, as a file number recipient.’
Consequently, records management agents or other contractors who come
into possession or control of tax file number information are directly subject to
the requirements of the Act and the guidelines. It would, nonetheless, be
prudent for firms that engage a contractor to handle Tax File Number
information to make sure that the contractor understands its obligations under
the Tax File Number guidelines; the inclusion in the contract of privacy
clauses along the lines of those suggested here for credit reports would be an
effective way of doing this.
Disclaimer
While the Privacy Commissioner has taken all due care in the preparation of
this advice, it is meant only as a guide and it should not be relied upon as the
sole source of advice in the preparation of any contract. Legal advice should
be sought if in any doubt about specific clauses relating to privacy for
individual contracts.
Clauses appropriate in standard records management contracts
Definition of ‘credit report’
Suggested clause:
1 For the purposes of this agreement, ‘credit report’ means any record or
information, whether in a written, oral or other form, that:
(a) is being or has been prepared by a credit reporting agency; and
(b) has any bearing on an individual’s:
(i) eligibility to be provided with credit; or
(ii) history in relation to credit; or
(iii) capacity to repay credit; and
(c) is used, has been used, or has the capacity to be used, for the purpose of
serving as a factor in establishing an individual’s eligibility for credit.
This is the definition of ‘credit report’ in section 6 of the Privacy Act 1988.
Security
Suggested clauses:
2 The contractor shall take all reasonable measures to ensure that credit
reports held in connection with this agreement are protected against loss, and
against unauthorised access, use, modification, disclosure or other misuse in
accordance with the procedures set out in Schedule ..., and that only
authorised personnel with a legitimate role in fulfilling the terms of this
contract have access to the data.
3 The contractor shall not vary the security procedures set out in Schedule ...
without the prior written approval of the client.
A schedule should be attached setting out agreed security procedures. The
nature and extent of these will depend on the nature of the contract.
Disclosure
Suggested clause:
4 The contractor shall not disclose any credit reports obtained in connection
with this agreement without the written authority of the client. The contractor
shall immediately notify the client where it becomes aware that a disclosure of
credit reports may be required by law.
In the large majority of cases, any legal obligation to disclose credit reports
will fall upon the client rather than the contractor: the client, as owner of the
records, will be advised of the legal obligation and will ask the contractor to
return the relevant records. However, the second sentence of this clause
acknowledges that the contractor may have a direct legal obligation to
disclose credit reports and requires the contractor to let the client know as
soon as possible whenever it becomes aware that such an obligation may
exist, so that the client may offer advice about the validity of the obligation or
intervene in any proceedings before disclosure is made.
Use
Suggested clause:
5 The contractor shall use any credit reports held in connection with the
agreement only for the purposes of fulfilling its obligations under this
agreement.
Clients should ensure that any obligations that the contractor has under the
agreement do not go beyond a ‘use’ that the client itself would be permitted
under the credit reporting provisions of the Privacy Act.
Transfer of personal information outside Australia
Suggested clause:
6 The contractor shall not transfer credit reports held in connection with this
agreement outside Australia, or allow parties outside Australia to have access
to them, without the prior approval of the client.
While this form of disclosure would be covered by clause 4, there may
sometimes be value in stating this restriction specifically because of the high
risk associated with trans-border flows of information. Generally, once
information goes beyond Australia's borders, it will be either impractical or
impossible for a client to prevent unauthorised use or disclosure.
Employee awareness of privacy requirements and undertakings
Suggested clause:
7 The contractor shall ensure that any employee of the contractor, requiring
access to any credit reports held in connection with this agreement:
(a) makes an undertaking in writing in accordance with Schedule [...] not to
access, use, disclose or retain credit reports except in performing his or her
duties of employment; and
(b) is informed that failure to comply with this undertaking may lead the
contractor to take disciplinary action against the employee.
Where the contractor is providing more complex services than just storage
and disposal, this undertaking may not be sufficient to make employees fully
aware of their responsibilities. Clients should consider offering advice on
privacy requirements to the staff of contractors, as contractors may not have
in-house expertise in this area. Consideration could be given to including this
in the contract as a formal obligation of the client.
Advising the client of any breach of the privacy clauses
Suggested clause:
8 The contractor shall in respect of any credit report held in connection with
this agreement immediately notify the client where the contractor becomes
aware of a breach of clauses [all privacy clauses] by itself or any sub-
contractor.
The contractor has an obligation to notify the client as soon as it becomes
aware that, through one of its employees, it (or any sub-contractor) has
breached the contractual provisions relating to security, unauthorised use,
transfer and disclosure, or that an employee has had access to contract
materials without having signed the necessary undertaking.
Complaint handling
Suggested clause:
9 A complaint alleging an interference with the privacy of an individual in
respect of any services performed under this agreement shall be handled by
the client and in accordance with the following procedures:
(a) where the contractor receives a complaint alleging an interference with the
privacy of an individual by the contractor or any sub-contractor, it shall
immediately notify the client of the nature of the complaint;
(b) where the client receives a complaint alleging an interference with the
privacy of an individual by the contractor or any sub-contractor, it shall
immediately notify the contractor but shall only release to the contractor
those details of the complaint that are necessary to minimise any interference
or prevent further interferences; and
(c) after the client has been given or has given notice in accordance with (a)
or (b), it shall keep the contractor informed of all progress with the complaint
as it relates to the actions of the contractor in connection with the allegation of
an interference with the privacy of an individual.
In these clauses ‘complaint’ is used in its plain meaning; it does not refer only
to complaints made to the Privacy Commissioner under section 36(1) of the
Privacy Act.
The restriction in (b) on what information may be passed from the client to the
contractor has been included to protect the privacy of the complainant: it is not
possible to be confident that the complainant will be happy to have additional
personal information, provided in making the complaint, disclosed to the
contractor (or the client).
Ensuring clauses have effect after the contract has ended
Suggested clause:
10 Clauses [all privacy clauses] shall continue to have effect after the
termination or completion of the agreement.
Even though contracts should normally provide for all credit reports to be
returned at the end of the agreement or be destroyed (see clause 3), it would
be prudent to ensure that, if any credit reports inadvertently remain with the
contractor, the protection that existed during the agreement continues after
the agreement has ended. In addition, where a breach comes to light after the
agreement has ended, the relevant clauses should also continue to apply.
Clauses appropriate in contracts for more complex services
The clauses set out in the preceding section will suffice for the majority of
records management contracts. There may, however, be contracts for the
provision of more complex services that involve the contractor using or
amending the credit reports in some way.
Clause 12 aims to ensure that the contractor will comply with any reasonable
requests by the client that arise from the exercise of the Privacy
Commissioner’s powers. While inclusion of this clause would not be needed
to ensure the client’s compliance with section 18G(b) of the Privacy Act, its
inclusion is recommended as a matter of good privacy practice.
Clauses 11, 13 and 14 aim to help the client (the credit provider) protect credit
reports against unauthorised use or modification.
Disclosure by contractor
In some contracts for more complex services, it may be necessary for the
contractor to have the authority to disclose credit reports under certain
circumstances. Giving a contractor this sort of discretion can bring with it
increased privacy risks. Clients need to take this into account when
considering the advisability of such contracts. If such a contract is entered
into, a clause along the following lines would be appropriate:
11 The contractor shall only disclose credit reports in connection with this
agreement as directed by the client or specified in Schedule [...] to this
agreement, and shall disclose it in accordance with the procedures specified
in Schedule [...] to this agreement.
To meet its obligations under the Privacy Act, the client will need to ensure
that the schedule includes an exact specification of:
what information may be disclosed;
to whom disclosures may be made;
under what circumstances this may be done;
when it is necessary for the client to approve of a disclosure and what form
of approval is required; and
adequate recording of any disclosures made.
The schedule will need to be particularly precise if any discretion is extended
to the contractor about whether or not to make disclosures of credit reports:
the extent of the discretion needs to be clearly set out.
Reasonable requests, codes of conduct and advice
Suggested clause:
12 The contractor shall in respect of any credit reports held in connection with
this agreement cooperate with any reasonable requests or directions of the
client arising directly from, or in connection with, the exercise of the functions
of the Privacy Commissioner under the Privacy Act 1988 and the Credit
Reporting Code of Conduct.
This clause is unlikely to be necessary in a basic record management
contract, where the only request or direction likely to arise from the exercise of
the functions of the Privacy Commissioner is a request by the client for the
return of certain boxes of records.
However, if the contract services are more complex, the Privacy
Commissioner could request or direct the client to change its information
handling arrangements in a particular way that would require changes to be
made by the contractor. A contractor’s actions cannot be directly bound by
determinations of the Privacy Commissioner under the Privacy Act: this
clause allows the client to ensure that the contractor does anything that the
Privacy Commissioner may have required the client to do if the client had not
outsourced the relevant record management functions. (This could include
giving a person access to credit reports, amending records, or changing the
way in which they are handled.)
Accurate recording and storage of data
Clauses relating to the accurate storage and recording of data may be
necessary where the contractor is storing credit reports on electronic media or
in other ways which may allow corruption or amendment of the data.
Normally, the contractor's obligation will be limited to ensuring that the data
provided to it is accurately recorded and stored and it will be the client's
responsibility to review and amend the data to ensure accuracy. In this
situation, the following clause is suggested:
13 The contractor shall take all reasonable steps to ensure that personal
information provided to it in connection with this agreement is accurately
recorded and is not amended except as directed by the client.
Access and amendment
In most cases where contractors are responsible for the medium or long-term
storage of a database, requests for access to and amendment of credit
reports will be received and dealt with by the client, which will either require
the contractor to return the reports for access and amendment or instruct the
contractor to amend the reports as appropriate. In this case, it is not
necessary to include provisions relating to access and amendment in the
contract, providing it is clear that the contractor is obliged to return credit
reports held in connection with the contract to the client on request, or to
amend the reports at the client's direction.
Where decisions on access and amendment are made by the client, but
requests from individuals may be received in the first instance by the
contractor, the following clause is suggested:
14 The contractor shall, if it receives a request from an individual for access to
or amendment of personal information about the individual held by the
contractor in connection with this agreement, promptly [or within a set period]
inform the client of the request.