This alert is directed to those Valuer Members and their Corporate Employers who undertake mortgage valuations via the ValEx/CoreLogic system.  It is an update to previous alerts on this topic released by the API on 11 March and 28 March 2019.

Copies of the previous alerts are available here.

The API continues to have discussions with CoreLogic, banks and our legal consultants, plus risk and IT security representatives from a number of valuation firms, as well as IT consultants, data security and cyber insurance experts regarding the privacy laws/regulations and data/information handling and protection regimes.

As advised on 28 March 2019, the API has engaged the services of legal counsel with experience in privacy law/regulation in Australia and the European Economic Area (EEA).  The API has today received the written advices, with a briefing expected within the next couple of days.

We have agreed to then consult with National Australia Bank (NAB) and CoreLogic in respect of its recommendations and will then proceed to issue the full advices, along with any updated agreement on terms and conditions, to our members and provide a copy of this on our website.

Of particular importance, the API can confirm that three (3) of the big 4 Australian banks have confirmed that the CoreLogic Data Processing and Security Terms (CL DPST) are not being sought on their behalf and are only in respect of NAB arrangements.

The Commonwealth Bank of Australia (CBA) has requested the API advise its Members in writing that they will not be adopting or implementing the CL DPST at this time and will work with the API once further requirements are understood to implement a reasonable transition.  Westpac have advised that they will be consulting with the API and their valuation firm partners directly as to future requirements.

API Valuer Members and their Corporate Employees undertaking work in Australia are subject to Australian Privacy Law, including the Notifiable Data Breaches scheme, which applies from 22 February 2018 and was established with the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017.

For further information on the Notifiable Data Breaches scheme refer to the Office of the Australian Information Commissioner at https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

The API provides the following advice to Valuer Members and their Corporate Employers in situations where they receive information (either in the instructions or supporting documentation provided) that contains ‘personal information’ of a third party (normally the borrower) that would most likely come under the Notifiable Data Breaches scheme.

‘Personal information’ is more than the address of the property that is the subject of the valuation instructions, the name(s) of the borrower(s) and/or the name(s) and contact details of the borrower(s) or the party to arrange access.  It is information that may be contained in a ‘loan application’ or financial details of the borrower(s) that is not necessary to be provided to the Valuer Member as it is not required for the valuation process.  In these instances, the Valuer Member, and/or their Corporate Employer, has received an ‘unauthorised disclosure’ of ‘personal information’ by the lender or instructing party via the CoreLogic/ValEx system.

When ‘personal information’ is provided to the Valuer Member, or their Corporate Employer, via the ValEx/CoreLogic platform, the Valuer Member, or their Corporate Employer, should:

  • advise CoreLogic/ValEx their client may have cause to report an ‘eligible data breach’;
  • request CoreLogic/ValEx to provide a new instruction or supporting documentation which does not contain the ‘personal information’;
  • permanently delete from the Valuer Member’s and/or their Corporate Employer’s file/system all records of the ‘personal information’;
  • not complete the valuation request until the new instruction or supporting documentation which does not contain the ‘personal information’ is provided; and
  • ensure that a copy of the advice to CoreLogic/ValEx is permanently saved on the file/system.

An example of the advice to CoreLogic/ValEx is:

To CoreLogic/ValEx,

Thank you for your instructions in relation to the valuation of <insert address> on behalf of <insert lender>.  We advise that some ‘personal information’ that may come under the examples of an ‘eligible data breach’ has been provided with the instructions and/or supporting documentation received.

Your client, <insert lender> may be required to manage and report this under the Notifiable Data Breaches scheme.

Please provide a new/amended instruction and/or supporting documentation that does not contain the ‘personal information’.

We confirm that we have permanently deleted the ‘personal information’ that may be an example of an ‘eligible data breach’ and request that you do the same in the CoreLogic/ValEx system.

We await your new/amended instructions and/or supporting documentation and advise that we are unable to proceed or complete this request until the above is complied with.

Regards,

<valuation firm details>

The above outlines a process which should ensure that the Valuer Member and their Corporate Employer are able to comply with their obligations under Australian Privacy Law in relation to the ‘eligible data breaches’ where ‘personal information is mistakenly provided to the wrong person’.

If you have any questions or concerns regarding the recommendations and proposed process contained within this alert, please do not hesitate to contact:
