1. Name of Rule
This Rule is the Privacy (Credit Related Research) Rule 2014.
This Rule commences on [date to be inserted].
This Rule applies for the purposes of s 20M of the Privacy Act 1988 which prohibits a credit reporting body from using or disclosing de-identified credit reporting information (s 20M(1)). Sections 20M(2)–(3) provide that this prohibition does not apply if the use or disclosure is for the purpose of conducting research in relation to credit and the credit reporting body complies with rules made by the Commissioner by legislative instrument.
(1) Unless this Rule states otherwise, any word or expression used in this Rule which is defined in the Privacy Act, has the same meaning as in that Act.
(2) In this Rule:
De-identified information means credit reporting information that is no longer about an identifiable individual or an individual who is reasonably identifiable
Privacy Act means the Privacy Act 1988
Rule means the Privacy (Credit Related Research) Rule 2014
Note: The following expressions are defined in Section 6(1) of the Privacy Act: Australian law; Australian link; Commissioner; court/tribunal order; credit; credit reporting body; credit reporting information; entity; personal information
5. Conducting research in relation to credit
A credit reporting body may use or disclose credit reporting information if:
- the credit reporting information has been de-identified
- the use and/or disclosure of the credit reporting information is for the purpose of conducting research in relation to credit, and
- the purpose for conducting the research in relation to credit is a permitted purpose as described in section 6 of this Rule.
6. Permitted purposes of conducting research
A credit reporting body may only use or disclose de-identified information for the purposes of conducting research in relation to credit, if the purpose of the research is for:
- conducting statistical modelling and data analytics related to credit
- the assessment of current and development of new credit services, or
- developing methodologies to combat fraud, anti-money laundering, counter terrorism financing and other unlawful activity involving credit.
7. De-identification of credit reporting information
(1) When de-identifying credit reporting information, a credit reporting body must:
    (a) assess the risk of re-identification of the credit reporting information either by itself or by the recipients of the de-identified information
    (b) use that risk assessment to determine the de-identification technique or techniques appropriate to the circumstances, and
    (c) take such steps as are reasonable in the circumstances to ensure the de-identified information cannot be re-identified.
(2) If a credit reporting body de-identifies credit reporting information, the credit reporting body must:
    (a) not re-identify or attempt to re-identify the de-identified information, and
    (b) destroy the information if it is re-identified unintentionally.
(3) Sub-section 7(2)(a) does not apply if the re-identification of de-identified information is required by Australian law or a court/tribunal order.
8. Disclosure of de-identified information
(1) A credit reporting body must only disclose de-identified information for a permitted purpose if the entity receiving the information has an Australian link.
(2) Before disclosing de-identified information, a credit reporting body must take such steps as are reasonable in the circumstances to ensure the entity receiving the information:
    (a) does not re-identify or attempt to re-identify the de-identified information
    (b) destroys the information if it is re-identified unintentionally, and
    (c) does not disclose the de-identified information to any other entity.
A credit reporting body must include a statement in its policy on the management of de-identified information, in accordance with s 20B(3), that de-identified information is used or disclosed by that credit reporting body for the purpose of conducting research in relation to credit.