Businesses have a lot of financial information on you, and now some of them want even more. WARREN GAMBLE looks at where your details are stored, who uses them, and how.
The credit industry has a deal for you: let your credit card, hire purchase, telephone and other payment records be stored on a central database and you could be offered cheaper interest rates.
The industry's argument is that if credit providers can see your good payment history - not just negative information, as is the present practice - you will get better rates.
But Privacy Commissioner Bruce Slane is not buying. He is concerned that sensitive information about your spending behaviour will be available to people who can use it for the wrong reasons.
The issue has come to a head as Slane prepares a privacy code for credit information - something industry leaders say is unnecessary because abuse and complaints are rare.
It illustrates one of the biggest privacy issues we all face: the volume of personal information collected and stored by big businesses is second only to that collected by the Government.
The privacy trade-off we all have to consider is how much information we should give to bankers, financiers, and insurers for the goods and services we want. And if we hand it over, who will see it?
Banks hold most of our financial lives in their grasp, but with security and trust as their bottom-line business, they are strongly motivated to keep customer information safe.
The banking sector accounted for 25 complaints to the Privacy Commissioner in the past financial year, or just over 3 per cent of the total. A handful of reported cases have involved mistaken disclosure of account information by bank staff. But with increased telephone and internet banking, and barriers such as passwords and PIN numbers, unauthorised access is unusual.
Insurance companies hold sensitive personal and health information and can check your claims on central databases, but this sector also has attracted few complaints - 20 last year.
That compares with 11 complaints against New Zealand's only consumer credit reporting agency, Baycorp, putting it eighth on the individual complaint list, behind six Government agencies and Telecom.
Baycorp data business manager, Adam Feeley, said a business that helped to deny people credit inevitably provoked anger, but the complaints were minimal when you considered that the company processed five million transactions a year.
Incorrect information was posted on its database for only a tiny proportion of people, he said.
Baycorp holds records on almost everyone in New Zealand. Every time you sign up for credit you also approve, often without realising it, a clause allowing information to be sent to a credit reporting agency.
At present Baycorp gives its clients - which include banks, finance houses, retail chains, and motor vehicle dealers - only adverse information on your credit history, such as payments you have defaulted on, or court judgments and bankruptcy declarations against you.
To find out what they had on me, I applied for my own file (costing between $5 and $20, depending on delivery time and binding). The report was thankfully brief, two pages listing banks, a mortgage broker, insurance company and retail stores that had made credit checks in the past seven years.
The summary was almost a disappointment: "No adverse information could be found on the subject."
But Baycorp now wants to move to "positive reporting," recording individuals' broad account histories before any defaults - which usually occur 90 days after payment is due.
Details have not been finalised, but it is likely that positive reporting will broadly show your credit sources - banks, retail stores, telephone or electricity companies - without naming them.
It will show each account's status, including whether you pay by direct debit, and whether you are overdue, possibly in blocks of 30, 60 and 90 days. The amount owing is unlikely to be included.
Positive reporting would be positive for everyone, said Feeley.
"Only about 10 per cent of the population default, so for the remaining 90 per cent there is no grading of the credit risk.
"If you paid by a cheque posted in on the 89th day and I was to pay by direct debit on the day it fell due, the banks would offer me more. Retail finance companies would offer different types of credit to us based on that information. Trouble is, they don't get that information."
Instead, he said, credit providers relied on negative information, no matter how old or relevant, such as whether you had defaulted on the old broadcasting fee.
"It's a little bit like if you were up on a charge and you had one criminal offence in your past, but you had an otherwise fantastic record as a citizen and that could not be disclosed."
Feeley did not see any privacy threat because people would have to consent to positive information being stored for credit checks.
However, Privacy Commissioner Bruce Slane said positive reporting had run into public opposition overseas and was banned in Australia.
"It worries me that people don't think there are privacy issues with it, when it is collecting information about people's lifestyle and behaviour," he said.
His main concern is over access to an expanded Baycorp database and its potential to be used in ways unconnected to the purpose for which it was collected - a key privacy principle.
For example, at present the Baycorp database is open to the news media, which are exempt from the Privacy Act.
"Does it become a nosy parkers' database for anyone who would like to look?" Slane asked. "If positive reporting comes in, all sorts of gossipy stuff will become available."
Slane's draft code for the industry proposes that only negative information should be collected. The code would limit access to credit reporting agencies, credit providers, and in some circumstances, insurers, landlords and prospective employers. It would exclude the news media.
Slane acknowledged there were legitimate arguments for positive reporting, such as the ability to offer lower rates for prompt-paying consumers.
"The more information you provide, the better. It's possible to make a judgment in many cases, but how much that [information] would in fact be used is another issue."
But Feeley said that not giving people the choice to disclose such information would be a "draconian step." As the credit industry became more competitive, its inability to grade risks would mean people with poorer credit records were being subsidised by good payers.
He added that the major credit providers had backed Baycorp's push for positive reporting.
And it was not true that the availability of more credit information would lead to poorer sections of the community missing out, he said. Two big lenders told him recently that they never turned people down for credit, they just wanted to know their risks.
The catch, though, is that higher risks attract extra interest charges.
Feeley cannot recall any cases of clients misusing Baycorp's database, but said the industry had no problem with tightening up access.
Clients have to sign a contract stating they will comply with the Privacy Act, but Feeley acknowledged there was a risk that the information could be used unlawfully, for example for marketing purposes or to track down individuals.
He said public opposition in the United States strengthened when access to credit reporting databases was not controlled and people were bombarded with direct marketing by credit card and other companies.
If a code was introduced here, he would prefer that it did not exclude organisations but rather ruled out information being used for certain purposes, such as marketing or debt collection.
If Baycorp's rules were breached (assuming you realised it), you could complain to the company and the Privacy Commissioner. Ultimately, Baycorp could remove the offending client from its system.
Police and agencies such as Inland Revenue have access to Baynet, Baycorp's computer system, because of their law enforcement roles.
In the rest of the commercial world, the big five banks all said they were confident that their information technology and storage of customer files were highly secure.
All five said they did not sell customer information or databases, although some do send their own promotional material to customers, who can opt not to receive it.
Customers can also get a copy of their personal banking file, for fees ranging from $4 for copies of statements to between $20 and $60 an hour for processing larger inquiries.
The banks said they were required by law to store customer details for seven years after an account was closed - the information was then destroyed.
However, even the most stringent safeguards cannot eliminate human error. The National Bank's faxed response to questions asked for this story inadvertently included a copy of internal staff e-mails, including a discussion about "how much to communicate."
Banking Ombudsman Liz Brown said she received few complaints about banks infringing privacy.
The most serious case happened in 1996 when a bank mistakenly gave a woman's violent former husband her account information.
The woman told her bank to close her joint account and change the names on other accounts to her maiden name when she moved away after the marriage break-up.
She was then distressed to find her statements had been redirected to a Post Office box opened by her former husband. The woman, who had a protection order against her husband, was so concerned for her safety that she moved again.
Brown's investigation found that the bank had no record of forms authorising the change of address for the woman's statements.
Given the serious breach of privacy and the woman's distress, Brown ordered the bank to pay her the maximum $1000 compensation, plus $200 toward her relocation expenses.
Chris Ryan, the Insurance Council's chief executive officer, said his industry's main privacy issue was the introduction of a central insurance claims register in 1998. It allows insurers to check for fraud, for example to see if someone has made the same claim to other insurers.
Ryan said register access was limited to nominated officers in subscriber companies, and was available only for specific searches.
Customers can obtain their own file from the register through their insurer or the council.
As part of its self-regulatory approach the council was looking at creating its own industry-wide privacy code, as the Australian industry had done, he said.
Competition was the prime motivator for insurers to keep their customers' details private, Ryan said. "Insurers are really sensitive about the issue because if customers feel compromised by data being released they tend to shift companies quick."