Credit reporting regime under the Privacy Act has a new bite

As of 12 March 2014, significant changes to the credit reporting regime under the Privacy Act 1998 (Cth) will impact on how dentists handle patients’ credit related information [1].

Are dentists credit providers?

Do you provide credit in full or in part for at least seven days?
Do you offer structured payment plans for your patients?
Do you arrange treatment finance for your patients?

If the response is “yes” to any of the above, then you are considered to be a “credit provider” under the Act.[2] Situations that trigger the credit provider obligations include:

orthodontists who customarily ask for a substantial deposit and subsequent monthly payments over an extended period;
dental practices that offer patients staged payment options with or without a plan fee; and
dental practices that offer standard payment terms for 14 days or more.

Dentists simply introducing patients to treatment financing organisations (e.g. Mediplan) are not acting as agents of a credit provider unless dentists process or manage credit on their behalf. [3] Dentists processing credit card payments or using HICAPS are not agents, whereas dentists who are Mediplan representatives and process credit applications on its behalf will be.

Dentists who are recognised as credit providers must comply with the new credit reporting regime under the Act and the Credit Reporting Privacy Code (CR Code).

Managing credit related information

Under the new privacy reforms, dentists who are credit providers must:

have a clearly expressed and up-to-date policy about the management of credit related information.[4] This can be incorporated into their privacy policy or in a separate policy.
adopt practices, procedures and systems that comply with the Act and the CR Code. Dentists must ensure the credit related information is accurate, up-to-date and complete and protected from misuse, interference and unauthorised access. Patients must have access to the credit information and dentists must have procedures in place that allow corrections to be made within 30 days or a longer period agreed in writing to the patient.
have in place a complaints handling process which enables patients to report non-compliance with the credit reporting regime. Dentists need to acknowledge the complaint within seven days and provide a response within 30 days.[5]

The above obligations to a large extent replace the new Australian Privacy Principles (APPs), which deal with personal information. Dentists who are credit providers under the Act should revise their practices and procedures for managing credit related information to ensure they comply with the Act and the CR Code.

Handling credit related information

Dentists may use credit reporting bodies (e.g. Veda Advantage, Dunn & Bradstreet, Experian) to obtain credit eligibility information about a patient to determine whether to allow the patient to enter into a structured payment plan, without being a member of a recognised external dispute resolution scheme (EDR scheme) (e.g. Credit Ombudsman Services Limited).[6]

However, the disclosure by a dentist of credit related information is more strictly regulated.

For example, if a patient is defaulting on payment,[7] a dentist may threaten to report the default information directly to a credit reporting body. Any such disclosure cannot take place unless the dentist is a member of a recognised EDR scheme and the patient is provided with written notice of the disclosure beforehand.[8] However, a dentist does not need to be a member of a recognised EDR scheme to disclose default information to a debt collection agency for the purposes of collecting the overdue payment on behalf of the dentist.

Further, dentists and dental specialists (e.g. orthodontists) who carry on separate practices in a clinic must take great care with disclosing credit eligibility information to one another. A dentist who refers a patient to another dentist and discloses the patient’s payment information to assist with assessing whether to allow that patient to enter into a structured payment plan, does not need to be a member of a recognised EDR scheme, but must obtain express consent from the patient to the disclosure for that purpose.[9]

When or before a dentist collects personal information about a patient, if that information is likely to be disclosed to a credit reporting body, the dentist must notify the patient of the credit reporting body’s name and contact details. This is in addition to complying with the obligations under APP 5, which relate to notification requirements for collecting personal information.

According to the CR Code, a public expressed statement of notifiable matters in relation to credit related information on the dentist’s website will suffice.

If dentists disclose such information for improper purposes, they can face a civil penalty of up to $340,000.

Unfair contract terms

Patients often enter into a service agreement with dentists under standard terms and conditions contemplating the provision of credit. Dentists need to ensure that their standard terms, particularly the interest charged for overdue payments and penalty type provisions, are fair and reasonable and do not breach the unfair contract terms regime under the Australian Consumer Law.

Take action

Dentists who are credit providers must review their practices, procedures and systems to ensure compliance with the new credit reporting regime and the CR Code. We urge dentists to have:

revised privacy policies in relation to credit related information complying with the prescribed requirements under the Act and the CR Code;
set procedures that satisfy the notification requirements, access and correcting obligations and complaints mechanism under the Act and the CR Code; and
training programs for staff about the changes in the collection, use and disclosure of credit related information.

Indeed, the new credit reporting regime has a new bite to it. The Privacy Commissioner has greater investigative and enforcement powers, and the civil penalties for non-compliance are too onerous for dentists to ignore these changes. We encourage dentists to take action!

Watch out

Dentists may also need to be an authorised credit representative or obtain an Australian credit licence from ASIC if they provide credit to their patients in certain circumstances, or arrange for the provision of credit by a medical finance company to their patients.

For more information, please contact Principal Mark Fitzgerald. This article was published in the May 2014 edition of NSW Dentist.

Footnotes

[1] Credit related information for the purposes of this article means credit information, credit eligibility information and CP derived information. Credit information is defined under subsection 6N of the Act. It includes identification information, consumer credit liability, repayment history information, default information, payment information, personal insolvency, publicly available information about the individual’s credit worthiness, or opinion of a serious credit infringement. Credit eligibility information is defined under subsection 6(1). Broadly, this relates to credit reporting information about the individual that was disclosed to a credit provider by credit reporting body (e.g. Veda Advantage) or CP derived information about the individual. CP derived information is defined under subsection 6(1) which broadly relates to personal information (other than sensitive information) that was disclosed to a credit provider by a credit reporting body (e.g. Veda Advantage) and it has bearing on the individual’s credit worthiness and it is used, has been used or could be used in establishing the individual’s eligibility for consumer credit.

[2] Definition of “credit providers” is under subsection 6G(2) of the Act. Broadly, dentists are “credit providers” if they provide credit in connection with dental services or sale of goods, and repayment in full or in part of the credit amount is deferred for at least seven days.

[3] Refer to section 6H of the Act.

[4] The policy must satisfy the prescribed requirements under subsection 21B(4) of the Act.

[5] Refer to sections 23A and 23B of the Act.

[6] Refer to sections 21G and 21H of the Act.

[7] Default information is defined under section 6Q of the Act. Broadly, it relates to payment that is overdue for at least 60 days, the credit provider has given a written notice to the individual about the overdue payment and requests the individual to pay, the provider is not prevented by a statute of limitations, and the amount is at least $150.

[8] Refer to section 21D of the Act. For the disclosure of default information, a credit provider must provide the individual with a notice in writing stating that the provider intends to disclose the information to the credit reporting body and must ensure that at least 14 days have passed since the giving of the notice before the provider can disclose the default information. For the disclosure of repayment history information, the credit provider must hold an Australian Credit Licence.

[9] Refer to section 21J of the Act. The express consent from the individual must be in writing unless the disclosure is for the purpose of assessing an application for consumer credit and the application has not been made in writing.

INSIGHTS: Credit reporting regime under the Privacy Act has a new bite