The handling of credit reports by records management
Shared by: Diditfit
The handling of credit reports by records management agents and other contractors Advice for credit providers and credit reporting agencies when contracting out record management functions Privacy Commissioner, May 1996 Foreword It is the practice of credit providers and credit reporting agencies to contract out the management of records, including credit reports. In auditing credit providers for compliance with the Commonwealth Privacy Act 1988, I have found that contracts with other firms, especially record management agents, often do not include clauses which would help to protect the information against loss, unauthorised access and other misuses. These are clauses which it would be reasonable to include in the circumstances of a typical contract. Omission of such safeguards places the credit provider at risk of breaching the provisions in Part IIIA for protection of information. The clauses set out in this paper are suggested for inclusion in contracts between credit providers and records management agents or other contractors, such as information technology companies, where the contract services include the handling of credit reports. I have a responsibility under Section 28A(1)(e) of the Privacy Act 1988 to “prepare and publish ... Guidelines for the avoidance of acts or practices of a credit reporting agency or credit provider that may or might be interferences with the privacy of individuals.” These guidelines have been published as part of that responsibility. They are advisory only, and should be read in conjunction with the provisions of Part IIIA of the Act and the legally binding Code of Conduct that I issue pursuant to the Act. Kevin O’Connor Privacy Commissioner May 1996 Introduction Purpose of this advice In 1990, Parliament passed (and the Governor-General assented to) Part IIIA of the Privacy Act, which extends a range of protections to the handling of consumer credit information by credit providers and credit reference agencies. Together with a legally binding code of conduct issued by the Privacy Commissioner, Part IIIA regulates the way consumer credit information may be collected, used, disclosed, amended or destroyed. In particular, section 18G(b) of the Privacy Act provides: A credit reporting agency in possession or control of a credit information file or a credit provider or credit reporting agency in possession or control of a credit report, must: ... (b) ensure that the file or report is protected by such security safeguards as are reasonable in the circumstances, against loss, against unauthorised access, use, modification or disclosure, and against other misuse;... In auditing credit providers for compliance with this requirement, the Privacy Commissioner has found that contracts with other firms, especially record management agents, often do not include clauses setting out obligations of the record management agent in relation to security and other privacy issues, which would help to protect the information and which it would be reasonable to include in the circumstances of a typical contract. Omission of such safeguards places the credit provider at risk of breaching the provisions quoted above. The clauses set out below are suggested for inclusion in contracts between credit providers and records management agents or other contractors, such as information technology companies, where the contract services include the handling of credit reports. They are similar in many respects to the clauses recommended in the Privacy Commissioner‟s advice Outsourcing and Privacy directed to Commonwealth government agencies considering contracting out information technology and other functions. The clauses presented here, however, cover only credit reporting information and are more limited in scope, to reflect the normal range of functions performed by records management agents. Is contracting out desirable? When a contractor provides a service to a client, there is necessarily a substantial reduction in the client‟s control over how the service is delivered on a day-to-day basis. While including clauses like those presented below in contracts, and monitoring performance, will usually satisfy a client‟s legal obligations in relation to the security of credit reporting information, there may be cases where the sensitivity of the information held is great enough to raise doubts about the desirability of outsourcing some record management functions. This applies especially where a proposed contract arrangement would involve the contractor exercising discretion in the way personal information is handled. Clients should consider whether privacy considerations weigh so heavily as to make contracting out inappropriate. Different clauses for different sorts of contract The recommended clauses have been arranged in two groups: clauses that would be appropriate in contracts for standard record management services; and clauses that may be appropriate in contracts for the provision of more complex services. In particular, a record management contract that involves storing boxes of documents for a specified period and then either destroying them or returning them, but forbids the contractor to access the information in the documents, are unlikely to need to contain clauses: limiting uses of information to contract uses (clause 5); or obliging thecontractor to ensure high data quality (clause 13). Other circumstances may mean that particular clauses or parts of clauses are not relevant, for instance: where both contractor and client operate only in Australia, it may be reasonable to omit clause 6 (no overseas transfer), since this is covered by clause 4 (no unauthorised disclosure) and is not a serious risk in the context of that particular contract; and where the contract prohibits the contractor from using sub-contractors, references to subcontractors in the clauses are unnecessary. The structure of a particular contract may make it appropriate for some of the clauses to be accommodated in a schedule rather than in the contract proper. Use of terms in this document The text of this document refers: only to „credit reports‟ (as defined in the Privacy Act), but the same legal requirements and advice would apply to „credit information files‟ in the control of a credit reporting agency like the Credit Reference Association of Australia; and e to the r cord management agent as „the contractor‟ and the organisation that contracts with the record management agent as „the client‟. Monitoring the performance of the contract The contract should include a clause which gives the client access (with appropriate notice and at reasonable times), to the contractor‟s premises, the records that are being managed and other relevant materials so that the client can ensure that the contractor is complying with its obligations under the agreement as to security of credit reports. Compensation for interference with an individual's privacy by a contractor and client indemnity Where a complaint is investigated by the Privacy Commissioner, the client‟s responsibility for any breach of the credit reporting provisions of the Privacy Act may be determined by the Commissioner under section 52 of the Privacy Act (though experience has been that most complaints can be resolved by negotiation). The Commissioner may also make a determination that a person who has complained about an interference with his or her privacy (including a breach of the credit reporting provisions of the Privacy Act or the credit reporting Code of Conduct) is entitled to a specified amount by way of compensation for loss or damage suffered. If it is not possible to reach a negotiated settlement between client and complainant, the Privacy Commissioner may launch proceedings in the Federal Court to enforce the payment of compensation. In all cases the legal obligation to pay compensation will fall on the client but in some situations the contractor alone may be responsible for the breach (for example, if the contractor leaves boxes of credit reports at a public tip). In other cases, client and contractor may both have a share of responsibility for the breach (for example, if the contractor makes an unauthorised disclosure but the client has also failed to ensure there were adequate clauses in the contract to protect against this). Provisions for the contractor to indemnify the client for loss or expense incurred by the client as a result of the contractor failing to fulfill the privacy clauses in the contract will need to be negotiated in the context of each particular contract. Consistency with general confidentiality clauses Clients should take care to see that there are no inconsistencies between general confidentiality clauses and clauses relating specifically to credit reports. For example, a confidentiality clause may state that all information exchanged between the parties is confidential and may not be disclosed except in certain situations. Those exceptions may be broader than is appropriate in relation to credit reports. Any reference to credit reports in general confidentiality clauses should include a reference to, and defer to,the specific clauses about credit reports. Contracts with sub-contractors Most agreements will have clauses that prevent sub-contracting without the consent of the client. If a client considers it appropriate to allow sub- contracting, before giving consent it should ensure that all clauses relating to protection of personal information are required to be included in any agreement between the contractor and a sub-contractor. The client should ensure, by the inclusion of these clauses, that the level of protection that the contractor is required to afford credit reports is also required of sub- contractors. Otherwise, the provisions in the contract between client and contractor could be rendered ineffective. Where a contractor becomes aware of a breach of any of the privacy protection clauses by a subcontractor, the contractor must immediately notify the client of this breach (see clause 8). Tax file numbers The same sort of requirements in regard to security apply to Tax File Numbers as well as credit reports, although it is unlikely that the same contract would cover both credit reports and Tax File Number information. Legally binding guidelines issued by the Privacy Commissioner under section 17 of the Privacy Act provide at paragraph 6.1(a) that: Tax File Number recipients shall ensure: (a) that Tax File Number information is protected by such security safeguards as it is reasonable in the circumstances to take, to prevent loss, unauthorised access, use, modification or disclosure, and other misuse; ... However, if financial institutions or other organisations contract out services that include the handling of Tax File Number information, it is not strictly necessary for contracts to include clauses to ensure adequate protection of Tax File Number information, since section 11 of the Privacy Act 1988 provides that „a person who is (whether lawfully or unlawfully) in possession or control of a record that contains Tax File Number information shall be regarded, for the purposes of this Act, as a file number recipient.‟ Consequently, records management agents or other contractors who come into possession or control of tax file number information are directly subject to the requirements of the Act and the guidelines. It would, nonetheless, be prudent for firms that engage a contractor to handle Tax File Number information to make sure that the contractor understands its obligations under the Tax File Number guidelines; the inclusion in the contract of privacy clauses along the lines of those suggested here for credit reports would be an effective way of doing this. Disclaimer While the Privacy Commissioner has taken all due care in the preparation of this advice, it is meant only as a guide and it should not be relied upon as the sole source of advice in the preparation of any contract. Legal advice should be sought if in any doubt about specific clauses relating to privacy for individual contracts. Clauses appropriate in standard records management contracts Definition of ‘credit report’ Suggested clause: 1 For the purposes of this agreement, ‘credit report’ means any record or information, whether in a written, oral or other form, that: (a) is being or has been prepared by a credit reporting agency; and (b) has any bearing on an individual’s: (i) eligibility to be provided with credit; or (ii) history in relation to credit; or (iii) capacity to repay credit; and (c) is used, has been used, or has the capacity to be used, for the purpose of serving as a factor in establishing an individual’s eligibility for credit. This is the definition of „credit report‟ in section 6 of the Privacy Act 1988. Security Suggested clauses: 2 The contractor shall take all reasonable measures to ensure that credit reports held in connection with this agreement are protected against loss, and against unauthorised access, use, modification, disclosure or other misuse in accordance with the procedures set out in Schedule ..., and that only authorised personnel with a legitimate role in fulfilling the terms of this contract have access to the data. 3 The contractor shall not vary the security procedures set out in Schedule ... without the prior written approval of the client. A schedule should be attached setting out agreed security procedures. The nature and extent of these will depend on the nature of the contract. Disclosure Suggested clause: 4 The contractor shall not disclose any credit reports obtained in connection with this agreement without the written authority of the client. The contractor shall immediately notify the client where it becomes aware that a disclosure of credit reports may be required by law. In the large majority of cases, any legal obligation to disclose credit reports will fall upon the client rather than the contractor: the client, as owner of the records, will be advised of the legal obligation and will ask the contractor to return the relevant records. However, the second sentence of this clause acknowledges that the contractor may have a direct legal obligation to disclose credit reports and requires the contractor to let the client know as soon as possible whenever it becomes aware that such an obligation may exist, so that the client may offer advice about the validity of the obligation or intervene in any proceedings before disclosure is made. Use Suggested clause: 5 The contractor shall use any credit reports held in connection with the agreement only for the purposes of fulfilling its obligations under this agreement. Clients should ensure that any obligations that the contractor has under the agreement do not go beyond a „use‟ that the client itself would be permitted under the credit reporting provisions of the Privacy Act. Transfer of personal information outside Australia Suggested clause: 6 The contractor shall not transfer credit reports held in connection with this agreement outside Australia, or allow parties outside Australia to have access to them, without the prior approval of the client. While this form of disclosure would be covered by clause 4, there may sometimes be value in stating this restriction specifically because of the high risk associated with trans-border flows of information. Generally, once information goes beyond Australia's borders, it will be either impractical or impossible for a client to prevent unauthorised use or disclosure. Employee awareness of privacy requirements and undertakings Suggested clause: 7 The contractor shall ensure that any employee of the contractor, requiring access to any credit reports held in connection with this agreement: (a) makes an undertaking in writing in accordance with Schedule [...] not to access, use, disclose or retain credit reports except in performing his or her duties of employment; and (b) is informed that failure to comply with this undertaking may lead the contractor to take disciplinary action against the employee. Where the contractor is providing more complex services than just storage and disposal, this undertaking may not be sufficient to make employees fully aware of their responsibilities. Clients should consider offering advice on privacy requirements to the staff of contractors, as contractors may not have in-house expertise in this area. Consideration could be given to including this in the contract as a formal obligation of the client. Advising the client of any breach of the privacy clauses Suggested clause: 8 The contractor shall in respect of any credit report held in connection with this agreement immediately notify the client where the contractor becomes aware of a breach of clauses [all privacy clauses] by itself or any sub- contractor. The contractor has an obligation to notify the client as soon as it becomes aware that, through one of its employees, it (or any sub-contractor) has breached the contractual provisions relating to security, unauthorised use, transfer and disclosure, or that an employee has had access to contract materials without having signed the necessary undertaking. Complaint handling Suggested clause: 9 A complaint alleging an interference with the privacy of an individual in respect of any services performed under this agreement shall be handled by the client and in accordance with the following procedures: (a) where the contractor receives a complaint alleging an interference with the privacy of an individual by the contractor or any sub-contractor, it shall immediately notify the client of the nature of the complaint; (b) where the client receives a complaint alleging an interference with the privacy of an individual by the contractor or any sub-contractor, it shall immediately notify the contractor but shall only release to the contractor those details of the complaint that are necessary to minimise any interference or prevent further interferences; and (c) after the client has been given or has given notice in accordance with (a) or (b), it shall keep the contractor informed of all progress with the complaint as it relates to the actions of the contractor in connection with the allegation of an interference with the privacy of an individual. In these clauses „complaint‟ is used in its plain meaning; it does not refer only to complaints made to the Privacy Commissioner under section 36(1) of the Privacy Act. The restriction in (a) on what information may be passed from the client to the contractor has been included to protect the privacy of the complainant: it is not possible to be confident that the complainant will be happy to have additional personal information provided in making the complaint disclosed to the contractor (or the client). Ensuring clauses have effect after the contract has ended Suggested clause: 10 Clauses [all privacy clauses] shall continue to have effect after the termination or completion of the agreement. Even though contracts should normally provide for all credit reports to be returned at the end of the agreement or be destroyed (see clause 3), it would be prudent to ensure that, if any credit reports inadvertently remain with the contractor, the protection that existed during the agreement continues after the agreement has ended. In addition, where a breach comes to light after the agreement has ended, the relevant clauses should also continue to apply. Clauses appropriate in contracts for more complex services The clauses set out in the preceding section will suffice for the majority of records management contracts. There may, however, be contracts for the provision of more complex services that involve the contractor using or amending the credit reports in some way. Clause 12 aims to ensure that the contractor will comply with any reasonable requests by the client that arise from the exercise of the Privacy Commissioner‟s powers. While inclusion of this clause would not be needed to ensure the client‟s compliance with section 18G(b) of the Privacy Act, its inclusion is recommended as a matter of good privacy practice. Clauses 11, 13 and 14 aim to help the client (the credit provider) protect credit reports against unauthorised use or modification. Disclosure by contractor In some contracts for more complex services, it may be necessary for the contractor to have the authority to disclose credit reports under certain circumstances. Giving a contractor this sort of discretion can bring with it increased privacy risks. Clients need to take this into account when considering the advisability of such contracts. If such a contract is entered into, a clause along the following lines would be appropriate: 11 The contractor shall only disclose credit reports in connection with this agreement as directed by the client or specified in Schedule [...] to this agreement, and shall disclose it in accordance with the procedures specified in Schedule [...] to this agreement. To meet its obligations under the Privacy Act, the client will need to ensure that the schedule includes an exact specification of: what information may be disclosed; to whom disclosures may be made; under what circumstances this may be done; when it is necessary for the client to approve of a disclosure and what form of approval is required; and adequate recording of any dis closures made. The schedule will need to be particularly precise if any discretion is extended to the contractor about whether or not to make disclosures of credit reports: the extent of the discretion needs to be clearly set out. Reasonable requests, codes of conduct and advice Suggested clause: 12 The contractor shall in respect of any credit reports held in connection with this agreement cooperate with any reasonable requests or directions of the client arising directly from, or in connection with, the exercise of the functions of the Privacy Commissioner under the Privacy Act 1988 and the Credit Reporting Code of Conduct. This clause is unlikely to be necessary in a basic record management contract, where the only request or direction likely to arise from the exercise of the functions of the Privacy Commissioner is a request by the client for the return of certain boxes of records. However, if the contract services are more complex, the Privacy Commissioner could request or direct the client to change its information handling arrangements in a particular way that would require changes to be made by the contractor. A contractor‟s actions cannot be directly bound by determinations of the Privacy Commissioner under the Privacy Act: this clause allows the client to ensure that the contractor does anything that the Privacy Commissioner may have required the client to do if the client had not outsourced the relevant record management functions. (This could include giving a person access to credit reports, amending records, or changing the way in which they are handled.) Accurate recording and storage of data Clauses relating to the accurate storage and recording of data may be necessary where the contractor is storing credit reports on electronic media or in other ways which may allow corruption or amendment of the data. Normally, the contractor's obligation will be limited to ensuring that the data provided to it is accurately recorded and stored and it will be the client's responsibility to review and amend the data to ensure accuracy. In this situation, the following clause is suggested: 13 The contractor shall take all reasonable steps to ensure that personal information provided to it in connection with this agreement is accurately recorded and is not amended except as directed by the client. Access and amendment In most cases where contractors are responsible for the medium or long-term storage of a database, requests for access to and amendment of credit reports will be received and dealt with by the client, which will either require the contractor to return the reports for access and amendment or instruct the contractor to amend the reports as appropriate. In this case, it is not necessary to include provisions relating to access and amendment in the contract, providing it is clear that the contractor is obliged to return credit reports held in connection with the contract to the client on request, or to amend the reports at the client's direction. Where decisions on access and amendment are made by the client, but requests from individuals maybe received in the first instance by the contractor, the following clause is suggested: 14 The contractor shall, if it receives a request from an individual for access to or amendment of personal information about the individual held by the contractor in connection with this agreement, promptly [or within a set period] inform the client of the request.
Shared by: Fit Fittington