Business

Privacy Obligations to the Debtor and Third Parties

Bayazid Bostami August 25, 2018

The Office of the Australian Information Commissioner (OAIC) is responsible for privacy regulation and has set out rules for collection agencies and individual creditors on how personal information is to be collected, managed and used within the process of debt recovery. These principles must be complied with and under the Privacy Act 1988, which was designed to protect the privacy of a debtor and third parties, legal obligations were made concerning how to deal with personal information. Personal information means any confidential data that makes it possible to identify an individual, as the person in debt should be treated with respect and revealing his or her financial position can have far-reaching consequences.

The Australian Privacy Principles (APPs) regulate the handling of the debtor’s personal information by private sector organisations or individual creditors with certain key obligations. Personal data is not to be collected unless the information is necessary for the organisation to recover the debt. Such sensitive information might concern the debtor’s race, religion, health issues or criminal record. All this data must be retrieved directly from the debtor unless this is imprudent, and only by legal means. Once the data is collected directly by the creditor or collection agency, the debtor should be informed about the fact that personal information was collected, the name organisation that collected it, for what purpose and which consequences will appear if the information was not provided. Furthermore, the organisation’s contact number should be passed on to the debtor and the opportunity to find out which information was collected. The debtor should also be informed about how he or she can approach the APPs to file a complaint about the collection of personal data.

The creditor or collection agency Sydney is asked not to disclose the information to third parties such as the debtor’s partner or family unless the individual has consented to it. Personal information should also only be used for the purpose of retrieving debt and not passed on for direct marketing and messages such as voicemail or business cards not left behind for third parties to be heard or seen to not reveal the individual’s financial debt.

Against third parties, who they sometimes need to collect personal information from, creditors and debt collectors also have privacy obligations. Under APP 3 third parties may only be approached and their information also collected by the collector if necessary for the purpose of recovering the debt. These parties must also be notified if their data has been collected.

Once the personal information is collected, the creditor or debt collection agency should take any steps possible to make sure the debtor’s data is correct and timely. Under no circumstances should information be used that is not complete and relevant. Personal information should, by all means, be kept confidential and secure against misuse, loss, modification and especially not accessed unauthorized if kept over time. Once the personal information is no longer needed to recover the debt, or required by a court in case the creditor decided to take legal action, the data must be permanently eradicated and the record maybe even destroyed. All the time, the debtor has the right to access the personal information collected about him or her and correct it. Naturally, there have to be security settings for the debtor to access and correct the personal data to prevent the information from being deleted.

In part IIIA, the Privacy Act furthermore conducts the treatment of personal information contained in consumer credit reports. A credit report should not be handed out by the provider to an external collector unless it contains details about the certain debt, information that reveals the identity of the debtor such as name and address and personal insolvency information about the individual.