NOTE: Significant changes to the credit reporting provisions of the Privacy Act start on 12 March 2014. More information is available on our Credit reporting reform page. The information below covers the law up until that date.
Part IIIA of the Privacy Act 1988 (Privacy Act) provides safeguards for individuals in relation to consumer credit reporting. In particular, Part IIIA governs the handling of credit reports and other credit worthiness information about individuals by credit reporting agencies (CRAs), credit providers and a limited number of other recipients.
The Privacy Act ensures that the use of this information is restricted to assessing applications for credit made to a credit provider and other legitimate activities involved with providing credit. Generally, commercial credit information is not regulated by Part IIIA of the Privacy Act. However, it is regulated by the National Privacy Principles where a CRA or credit provider is bound by them.
Key requirements of Part IIIA
Key requirements of Part IIIA include:
- strict limits on the type of information that can be held on a person's credit information file by a CRA. There are also limits on how long the information can be held on file
- limits on who can obtain access to your credit file held by a CRA. Generally only credit providers may obtain access and only for specified purposes. Real estate agents, debt collectors, employers and general insurers are barred from obtaining access
- limits on the purposes for which a credit provider can use a credit report obtained from a CRA. These include:
  - to assess an application for consumer credit or commercial credit (but they must seek consent if they are using your consumer credit report to assess an application for commercial credit, or using your commercial report to assess an application for consumer credit)
  - to assess whether to accept a person as guarantor for a loan applied for by someone else
  - to collect overdue payments
- a prohibition on disclosure by credit providers of credit worthiness information about an individual, including a credit report received from a CRA, except in specified circumstances. These include:
  - where the disclosure is to another credit provider and the individual has given consent
  - to a mortgage insurer
  - to a debt collector (but credit providers can only give limited information contained in or derived from a credit report issued by a CRA)
- rights of access and correction for individuals in relation to their own personal information contained in credit reports held by CRAs and credit providers.
Credit code of conduct
The Privacy Commissioner has issued a legally binding code of conduct for credit reporting under section 18A of the Privacy Act.
Credit provider determinations
The Privacy Commissioner has issued a number of credit provider determinations in accordance with the Privacy Act. These determinations allow certain organisations and government agencies to access the credit reporting system for particular purposes. Determinations no longer in force can be found in the privacy archive. Determinations currently in force are:
- Credit Provider Determination No. 2011-1 (Assignees)
- Credit Provider Determination No. 2011-2 (Classes of Credit Providers)
- Credit Provider Determination No. 2011-3 (Indigenous Business Australia)
Credit reporting determinations
The Privacy Commissioner has issued a number of credit reporting determinations in accordance with the Privacy Act. Determinations no longer in force can be found in the privacy archive. Credit reporting determinations currently in force are:
- Credit Reporting Determination: 1991-2 s18E(3) - concerning identifying particulars permitted to be included in a credit information file
Credit information audits
The Privacy Commissioner has power to audit credit information files and credit reports held by CRAs and credit providers pursuant to section 28A(1)(g) of the Act. More information about auditing is available from the Privacy audits page.
Additional information is also available on the Privacy Topics — Credit and finance page, including information about how an individual can obtain a free copy of their credit report/s, and the Privacy Topics — Business page.
Additional information can also be found in the Credit reporting fact sheets and the Credit Reporting Advice Summaries. The summaries are from written advices provided by the former Office of the Privacy Commissioner in response to practical examples concerning the application of Part IIIA of the Privacy Act.
The Privacy Amendment (Enhancing Privacy Protection) Act 2012
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Reform Act) was introduced into Parliament on 23 May 2012 and was passed with amendments on 29 November 2012. The Reform Act introduces many significant changes to the Privacy Act. These include a new Part IIIA that permits more comprehensive credit reporting, which will allow the reporting of information about an individual’s current credit commitments and their repayment history information over the previous two years. The move to more comprehensive credit reporting is accompanied by enhanced privacy protections for individuals’ credit-related information. These include:
- a simplified and enhanced correction and complaints process
- a prohibition on the reporting of credit-related information about children
- a prohibition on the reporting of defaults of less than $150
- the introduction of specific rules to deal with pre-screening of credit offers
- the introduction of specific provisions that allow an individual to freeze access to their credit-related personal information in cases of suspected identity theft or fraud
- the introduction of civil penalties for breaches of certain credit reporting provisions.
The new Part IIIA will be underpinned by a new credit reporting code (called the CR code) to be developed by industry, and subject to approval by the Privacy Commissioner.
While these changes will not commence until March 2014, Australian, ACT and Norfolk Island government agencies and businesses should start preparing now. Individuals should also be aware that from December 2012 if they fail to make loan or credit card payments on time, it may affect their ability to obtain credit in the future.
The Office of the Australian Information Commissioner (OAIC) has also developed Privacy fact sheet 16 — Credit reporting: repayment history information that explains this in more detail.
More information on the changes to the Privacy Act can be found on the Privacy law reform page.