Date : 01 Nov 1999
Chapter 4: Legal Support for Credit Information Bureaus

4.1 The collection and sharing of information by credit bureaus in most of the countries are generally governed by Common Law. The Common Law on disclosures is represented by the English Court decision in 1924 in the Tournier Vs. National Provincial and Union Bank of England case. It lays down four qualifications under which a banker could disclose the affairs of its customer:

--- where the disclosure is under compulsion of law

--- where there is a duty to the public to disclose

--- where the interests of the bank require disclosure

--- where the disclosure is made with the express or implied consent of the customer.

4.2 In countries like Spain, the Bureau cannot share positive data. Similarly, the operations of Credit Reference Ltd., of Australia are limited to negative information. In Sri Lanka, the Act does not limit the operations of the Bureau; it empowers the Bureau to collect and share credit information among its members. In the absence of a specific legislation on the lines of the Sri Lanka Act, countries like USA, UK, Australia and New Zealand have enacted specific legislations in the form of Data Protection/Privacy Laws, which reinforce, guide and place a few restrictions on the collection and sharing of credit information.

4.3 The Credit Information Bureau in Sri Lanka has been empowered under the Act of Parliament with wide powers to collect credit information from all lending institutions and maintain a data base with the information so collected. All lending institutions, except the Central Bank, are statutorily obliged to provide whatever credit information the Bureau wishes to collect from them. Failure to comply with a request made by the Bureau for information attracts imposition of penalties. In a few countries like Belgium, Germany and France, it is mandatory for a bank to provide the information required by the Credit Risk Offices/Bureaus set up by the Central Banks of these countries. In countries where private bureaus operate, disclosure is optional. The rules of reciprocity, where the credit performance data is shared on the principle that subscribers receive the same level of credit performance data they contribute, apply.

4.4 In USA, there is comparative freedom of sharing of information. The principle of sharing of information on consumers has been enshrined in the Fair Credit Reporting Act, 1971 as amended by the Consumer Credit Reporting Reform Act of 1996. This Act, which is administered by the Federal Trade Commission, lays down guidelines on permissible purposes of credit reports, and requirements relating to information contained in consumer reports, users of consumer reports, disclosure of investigative consumer reports, disclosure relating to Government agencies and disclosure to consumers. The responsibilities of furnishers of information to consumer reporting agencies have also been laid down. In accordance with the provisions of the Act, Dun & Bradstreet follows Data Protection Practices which state that --

  1. Data collected about owners or principals of business establishments should be limited to information of a non-personal nature and deemed relevant for business decision making.
  2. Data quality should be ensured by undertaking quality review at the point of collection instead of exclusively at the end of the data collection process.
  3. Prompt action should be taken to correct errors or misleading information whenever this comes to the notice of the bureau.
  4. Technical, contractual and administrative steps should be taken to control data in order to protect against unauthorised access to, and disclosure of data.

4.5 In U.K., Credit Bureaus are licensed by the Office of Fair Trading under the Consumer Credit Act of 1974 and registered with the Office of the Data Protection Registrar. Data sharing between banks and lending institutions is bound by the principles outlined in the Tournier case. Information on bad debts is shared between banks by invoking the principle that it is in the interest of banks to have such disclosure, whereas the sharing of positive information on new accounts is done by invoking the customer consent clause. The Data Protection Act, 1984 provides for the appointment of a Data Protection Registrar whose duties include the creation and maintenance of a public register of automatically processed personal data systems, and the supervision of data users’ compliance with the data protection principles. Bureaus in U.K. must comply with the Data Protection Principle which requires that they take appropriate security measures against unauthorised access or disclosure of their personal data. The Data Protection Act, 1998 of U.K. conforms to the EC Directive 95/46/EC on data protection and will replace the earlier Act of 1984. The Act will be administered by the Data Protection Commissioner, instead of the Data Protection Registrar as hitherto.

4.6 In Australia and New Zealand, the sharing of information is done on the basis of the last principle of the Tournier case, that is, with the express or implied consent of the customer. The Commonwealth Privacy Act, 1988 of Australia lays down the requirements for disclosure of credit information by Credit Information Bureaus and the conditions which should be fulfilled by recipients of information from Credit Information Bureaus. This Act prevents banks and others in Australia from reporting positive credit information to a Credit Bureau. The Privacy Act, 1993 of New Zealand stipulates restrictions on sharing of personal information available with any agency, including banks.

Rights of borrowers

4.7 The rights of borrowers with regard to credit information pertaining to them in the data base of a bureau are safeguarded by Statutes. The Fair Credit Reporting Act of U.S.A. gives a customer the right to know the nature, substance, and sources of the information collected on him and to have any corrected information on him re-investigated. Under the Commonwealth Privacy Act, 1988 of Australia, the consumer can have access to a credit report covering that consumer, can challenge any information in a credit report and can complain to the Privacy Commissioner in case of any infringement. The Consumer Credit Act of 1974 of U.K. lays down the steps to be taken if a consumer wishes to query any of the information contained in the credit files. The Data Protection Act, 1984 of U.K. states that a data subject who has suffered damage by reason of any unlawful disclosure of personal data is entitled to compensation from the data user for that damage and for any distress suffered. In Belgium, the Privacy Protection Law (1992) allows the consumer the right of inspection and data rectification.

Liability of a Bureau

4.8 Credit information on the potential borrower becomes sensitive when, on the basis of the information furnished by the Bureau, credit is denied to the borrower. The need for protecting the Bureau from liability arising from legal actions initiated by the aggrieved borrower, or for bona fide mistakes in the process of furnishing the information, has therefore been recognised in countries having Credit Information Bureaus. Under the Credit Information Bureau of Sri Lanka Act, the Bureau can only publish or communicate information collected by it from a lending institution which is a shareholder of the Bureau. The Act also provides legal protection to the Bureau for action taken by it under the provisions thereof.

4.9 The private Bureaus operating worldwide are required to adhere to the privacy laws governing consumer information of the countries in which they operate and are liable for penalties in case of non-compliance. In Australia, violation of the Commonwealth Privacy Act, 1988 by way of knowingly passing on personal information or false/misleading information is punishable by fine. Civil liabilities for wilful and negligent non-compliance have been clearly laid down in USA under the Fair Credit Reporting Act, 1971 as amended by the Consumer Credit Reporting Reform Act of 1996. The Data Protection Act, 1984 in the U.K. makes it a criminal offence for personal data to be disclosed to a person who is not registered as authorised to receive the information.

4.10 The existence of specific privacy laws as supplementary legislation imparts a sense of direction to the Bureau, enabling it to act within well defined parameters. On the other hand, the Sri Lanka model affords a great deal of protection to the Bureau from counter-claims. Ideally, there should be legislation to protect the interests of the borrower with regard to the information collected by the Bureau and, at the same time, also protect the Bureau from any liability for any bona fide use of the data furnished in the normal course of its business.

Regulatory Framework for Credit Bureaus

4.11 The Credit Information Bureaus, all over the world, function under a well defined regulatory framework. Where the Bureaus have been set up as part of the Central Bank, the regulatory framework for collection of information, access to that information, privacy of the data, etc., is provided by the Central Bank. Where Bureaus have been set up in the private sector, the existence of separate laws ensures protection of the privacy of, and access to, the data collected by the Bureau. In the U.S.A., where Credit Information Bureaus have been set up in the private sector, collection and sharing of information is governed by the provisions of the Fair Credit Reporting Act, 1971 (as amended by the Consumer Credit Reporting Reform Act of 1996). The Fair Credit Reporting Act is enforced by the Federal Trade Commission, a Federal Agency of the U.S. Government. In the U.K., Credit Bureaus are licensed by the Office of Fair Trading under the Consumer Credit Act of 1974. The Bureaus are also registered with the Office of the Data Protection Registrar, appointed under the Data Protection Act, 1984 (replaced by the Data Protection Commissioner under the new Act of 1998). In Australia, neither the Reserve Bank of Australia nor the Australian Prudential Regulation Authority (APRA) plays a role in promoting, developing, licensing or supporting Credit Bureaus. APRA holds annual meetings with the major Bureaus in Australia. The sharing of information relating to customers is regulated in Australia by the Privacy Act. This Act is administered by the Privacy Commissioner, who is vested with the responsibility of framing guidelines for protection of privacy principles and of ensuring that Bureaus in Australia conform to these guidelines. In New Zealand, a situation similar to that of Australia exists. In Sri Lanka, the Bureau was formed by an Act of Parliament at the initiative of the Central Bank. A Deputy Governor of the Central Bank is the Chairman of the Bureau in Sri Lanka and the Bank is also represented on the Board of the Bureau by a senior officer. In Hong Kong, the Hong Kong Monetary Authority (HKMA), though not directly involved in the setting up of a credit referencing agency, has issued directions to all the authorised institutions recommending their full participation in the sharing and using of credit information through credit referencing agencies within the limits laid down by the Code of Practice on Consumer Credit Data formulated by the Privacy Commissioner. HKMA also monitors the effectiveness of the credit referencing services in Hong Kong, in terms of the amount of credit information disclosed to such agencies and the level of participation in sharing credit information by authorised institutions.