Privacy business resource 3: Credit reporting — what has changed

June 2013

Contents

  1. Introduction
  2. New terminology
  3. Changes to the structure of the credit reporting provisions
  4. An 'Australian' credit reporting system
  5. Application of the APPs
    1. Credit reporting bodies
    2. Credit providers
    3. Affected information recipients
  6. New code of conduct and regulations
    1. The registered CR code
  7. Changes to the personal information that may be held in the credit reporting system
    1. Consumer credit
    2. New types of personal information permitted in the credit reporting system
    3. Publicly available information related to creditworthiness
    4. Serious credit infringements
  8. New categories of credit-related personal information
    1. Regulation of derived information
    2. De-identified information
  9. New obligations in relation to access and corrections
    1. Access
    2. Corrections
    3. Charges
    4. Notification obligations
  10. Changes to complaints handling procedures
    1. Complaints to a CRB or credit provider
    2. Complaints to a recognised EDR scheme
    3. Complaints to the Commissioner
  11. Changes to penalties for non-compliance – civil penalties
  12. Miscellaneous issues
    1. Fraud
    2. Direct marketing
  13. Table 1: Notification and response timeframes in relation to access and correction requests
  14. Information flows in the Credit Reporting System
  15. Credit Information
  16. Footnotes

Introduction

As part of the reforms to the Privacy Act 1988 (Privacy Act), credit reporting in Australia is regulated by a new Part IIIA.[1] The new Part IIIA[2] allows for more comprehensive credit reporting. This means that a limited number of new types of credit-related personal information are permitted to be held in the credit reporting system. The move to more comprehensive credit reporting is accompanied by enhanced privacy protections relating to notification, data quality, access and correction, and complaints.

The new Part IIIA also aims to simplify, clarify and update the credit reporting provisions, and restructures them to reflect the information flows in the credit reporting system. The new Part IIIA is supplemented by regulations and a new written code of practice about credit reporting, the registered credit reporting code (CR code).

This business resource only outlines the major changes to Australia's credit reporting framework. More detail about the obligations contained in the new Part IIIA, and how these obligations are to be applied and complied with, is contained in the regulations and the registered CR code.

This business resource is intended to be read alongside the provisions of the new Part IIIA, the regulations and registered CR code.

New terminology

The new Part IIIA adopts new terminology, including new terms for participants in the credit reporting system. The term 'credit reporting body' (CRB) replaces the term credit reporting agency, and the term 'affected information recipients' (AIRs) is used to refer to various third parties, such as mortgage insurers and trade insurers, to whom credit-related personal information is disclosed by CRBs and credit providers (s 6(1)).

The new Part IIIA also adopts new terminology for categories of credit-related personal information (see below) and discontinues the use of some concepts, such as a 'credit information file' and a 'credit report'. 

Changes to the structure of the credit reporting provisions

The structure of the credit reporting provisions has changed significantly.

The various types and categories of credit-related personal information that are regulated under the new Part IIIA are defined in Part II of the Privacy Act.

Divisions 2, 3 and 4 of the new Part IIIA separately address the obligations that apply to the handling of credit-related personal information, and in certain instances de-identified information, by the different credit reporting participants. Such participants include credit providers, CRBs and AIRs.   

  • Division 2 sets out the obligations of CRBs
  • Division 3 sets out the obligations of credit providers
  • Division 4 sets out the obligations of AIRs.

The provisions within Divisions 2, 3 and 4 mirror the order and structure of the Australian Privacy Principles (APPs).[3]  Accordingly, the obligations contained in those Divisions are set out as follows:

  • open and transparent management of credit-related personal information
  • collection (solicited and unsolicited)
  • use and disclosure
  • quality
  • security
  • access
  • correction

Division 5 sets out procedures for CRBs and credit providers for the internal handling of complaints. Finally, Division 6 sets out offences and civil penalties for the unauthorised obtaining of credit-related personal information, and Division 7 provides for court orders in relation to offences or civil penalties.

An 'Australian' credit reporting system

The new Part IIIA intends to create an 'Australian' credit reporting system. To achieve this intention, the system should not contain:

  • any foreign credit information, or
  • information provided by foreign credit providers (even if they have provided credit to an individual who is located in Australia).

In addition, information held in the Australian credit reporting system should not be available to foreign CRBs or foreign credit providers.[4]

Generally, this is achieved by including an appropriate limitation in each of the provisions of the new Part IIIA that deal with the collection, use and disclosure of credit-related personal information by CRBs and credit providers.

Nevertheless, credit providers are permitted to disclose some credit-related personal information to certain overseas entities (that are not otherwise bound by the obligations contained in the Privacy Act) where they have taken reasonable steps to ensure that the recipient entity does not breach specific provisions of the new Part IIIA in relation to that information (ss 21G(3), 21M(1), 21NA(1) and 21NA(3)). Such overseas entities include a related body corporate of the credit provider, a person who processes applications for credit made to the credit provider, a credit manager or a debt collector (ss 21G(3) and 21M(1)).

However, a credit provider that discloses credit-related personal information to such overseas entities will remain accountable for the subsequent handling of that information by those entities. This means that the credit provider will be liable for any acts or practices of those overseas entities that would be a breach of the specified provisions (ss 21NA(2) and (4)).

Application of the APPs

In some circumstances the obligations on credit reporting participants in Divisions 2, 3 and 4 replace relevant APPs and in other circumstances apply in addition to relevant APPs.

Importantly, all the APPs will apply to all credit reporting participants that are APP entities (defined to include both agencies and organisations, s 6(1)) in relation to the handling of personal information not regulated under the new Part IIIA.

Credit reporting bodies

Division 2 of the new Part IIIA provides a complete set of rules that apply to CRBs in relation to their handling of defined categories of credit-related personal information. Specifically, the provisions in Division 2 replace the APPs for CRBs in relation to the handling of:

  • credit reporting information
  • CP derived information[5]
  • pre-screening assessments (s 20A).

Credit providers

Certain APPs may apply to credit providers that are also APP entities in addition to the provisions in Division 3 of the new Part IIIA in relation to the following categories of credit-related personal information:

  • credit information
  • credit eligibility information
  • CRB derived information (s 21A).

Where Division 3 deals with matters also covered by the APPs, it contains a provision that clarifies whether any relevant APPs also apply.

Affected information recipients

Certain APPs may apply to AIRs that are also APP entities in addition to the provisions in Division 4 in relation to the credit-related personal information disclosed to them by CRBs or credit providers.

Like Division 3, where Division 4 deals with matters also covered by the APPs, it contains a provision that clarifies whether any relevant APPs also apply.

New code of conduct and regulations

The operation of the new Part IIIA will be supported by regulations and a new written code of practice about credit reporting, the registered CR code, which will replace the 1991 Credit Reporting Code of Conduct.

The registered CR code

The registered CR code will bind all CRBs and any specified credit providers and AIRs. The CR code will set out how certain provisions contained in the new Part IIIA are to be applied or complied with. It may also deal with other matters, including by imposing additional requirements on entities bound by the CR code provided that they are not contrary to, or inconsistent with, the provisions of the new Part IIIA (s 26N).

A breach of the CR code by an entity that is bound by that code will be an interference with the privacy of an individual (s 13) and may be the subject of an investigation by the Commissioner (s 40). Serious or repeated interferences with privacy may attract a civil penalty (s 13G).  

Changes to the personal information that may be held in the credit reporting system

Consumer credit

A new term 'consumer credit' has been included in the new Part IIIA. The definition of 'consumer credit' expands on the definition of 'credit' in the old Part IIIA, which limits the application of the credit reporting provisions to credit that an individual intends to use wholly or primarily for personal, family or household purposes. The new term extends the application of the provisions to credit that is intended to be used to acquire, maintain, renovate or improve residential property for investment purposes, or to refinance such credit (s 6(1)).

New types of personal information permitted in the credit reporting system

The new Part IIIA permits five new types of credit-related personal information to be held in the credit reporting system:

  • the type of consumer credit
  • the day on which the consumer credit is entered into and day on which it is terminated or otherwise ceases to be in force
  • the terms and conditions of the consumer credit that are prescribed by the regulations and that relate to the repayment of the amount of credit (ss 6N(b) and 6(1))
  • the maximum amount of credit available under the consumer credit 
  • repayment history information (RHI), which is information about:
    • whether or not an individual has met an obligation to make a monthly payment that is due and payable in relation to consumer credit
    • the day on which that payment is due
    • if an individual makes a payment after that day, the date on which that payment is made (s 6V). 

Importantly, a credit provider can only disclose RHI to a CRB if they hold an Australian credit licence under the National Consumer Credit Protection Act 2009 (s 21D(3)(c)(i)). Similarly, a CRB can only disclose credit reporting information that is, or was derived from, RHI to a credit provider that is a licensee under that Act (s 20E(4)). Although the RHI may relate to payments missed since 12 December 2012,[6] credit providers will only be able to disclose that information to CRBs from 12 March 2014. For further information about RHI see: Privacy Factsheet 16 – Credit reporting: repayment history information.

Publicly available information related to creditworthiness

The new Part IIIA explicitly permits certain publicly available personal information to be held in the credit reporting system where it relates to the individual's activities in Australia (or the external Territories) and their creditworthiness (s 6N(k)).

Serious credit infringements

The credit-related personal information permitted to be held in the Australian credit reporting system includes the opinion of a credit provider that an individual has committed, in circumstances specified by the provider, a 'serious credit infringement' in relation to consumer credit provided by that provider. The term 'serious credit infringement' is defined in s 6(1) to include a number of acts done by an individual.

The new Part IIIA amends the definition of a serious credit infringement to require that, where a reasonable person would consider that an act done by an individual indicates an intention to no longer comply with that individual's obligations in relation to consumer credit provided by a credit provider, both the following elements are also present:

  • the credit provider has, after taking reasonable steps, been unable to contact the individual about the act
  • at least 6 months have passed since the credit provider last had contact with the individual (s 6(1)).

New categories of credit-related personal information

Credit-related personal information is grouped into new categories, depending on the entity that holds the information and the purpose for which that information is used.

There are six key categories of credit-related personal information:

  • credit information (s 6N) – defined types of personal information. Generally, credit information is collected by a credit provider who may disclose it to a CRB in certain circumstances (for more information about credit information see Credit Information flow chart below)
  • CRB derived information (s 6(1)) – personal information (other than sensitive information) that is derived by a CRB from credit information about an individual, has any bearing on the individual's credit worthiness and is, has been or could be used in establishing the individual's eligibility for credit. CRB derived information is generally held by CRBs (for more information on what is meant by 'derived information' see discussion below)
  • credit reporting information (s 6(1)) – credit information or CRB derived information. Credit reporting information is generally held by CRBs and may be disclosed to credit providers and other entities in specific circumstances
  • CP derived information (s 6(1)) – personal information (other than sensitive information) that is derived by a credit provider from credit reporting information about an individual that was disclosed to the credit provider by a CRB, has any bearing on the individual's credit worthiness and is, has been or could be used in establishing the individual's eligibility for credit. CP derived information is generally held by credit providers (for more information on what is meant by 'derived information' see discussion below)
  • credit eligibility information (s 6(1)) – credit reporting information that was disclosed to the credit provider by a CRB, or CP derived information. Credit eligibility information is generally held by a credit provider and may be disclosed to AIRs and other entities in specific circumstances
  • regulated information (s 6(1)) – specified categories of personal information disclosed to AIRs by CRBs and credit providers. The meaning of regulated information is different for each AIR and is:
    • for a mortgage or trade insurer, personal information disclosed to the insurer under Division 2 or 3 of the new Part IIIA
    • for other AIRs, credit eligibility information disclosed by a credit provider under certain provisions in Division 3 of the new Part IIIA.

Obligations and rights under the new credit reporting provisions are expressed by reference to these different categories of credit-related personal information. This is in contrast to the old Part IIIA, under which rights and obligations were expressed by reference to credit information files and credit reports.

Regulation of derived information

The new categories of credit-related personal information, and the obligations of participants in the credit reporting system under the new Part IIIA, expressly extend to the handling of derived information. Such derived information includes a credit score or risk assessment that has a bearing on the individual's credit worthiness by indicating the CRB or credit provider's analysis of the individual's eligibility for consumer credit.  

De-identified information

Personal information that is de-identified is generally not regulated under the Privacy Act. However, the new Part IIIA regulates the use and disclosure of de-identified information by CRBs.  Under the new provisions, CRBs can only use or disclose credit reporting information that has been de-identified for the purpose of conducting research in relation to credit and where the CRB complies with rules made by the Commissioner (s 20M).

New obligations in relation to access and corrections

The new Part IIIA sets out new procedures for providing access to and correcting credit-related personal information held by CRBs and credit providers.

The new Part IIIA also sets out requirements relating to charging, notification and timeframes for providing access or correcting information, and a requirement to substantiate listings if a correction request is refused.

Access

Under the new Part IIIA, a CRB or credit provider that holds credit-related personal information about an individual must, on request by an access-seeker (generally, the individual or a person authorised in writing who is assisting the individual)[7], give the access-seeker access to the information, subject to a limited number of exceptions (ss 20R and 21T). This is in contrast to the old Part IIIA, which only required a CRB or credit provider to take reasonable steps to ensure access was given.

Corrections

The new Part IIIA imposes additional obligations on CRBs and credit providers to correct credit-related personal information and to assist individuals to correct that information. The main feature of the new correction provisions is that a CRB or credit provider that receives a correction request is generally required to deal with that request. Correction requests can no longer be referred to another CRB or credit provider.

Corrections – no request

Like the old Part IIIA, the new Part IIIA requires a CRB or credit provider that holds credit-related personal information about an individual to take reasonable steps to correct the information where it is satisfied, having regard to the purpose for which the information is held, that it is inaccurate, out-of-date, incomplete, or misleading. The new Part IIIA also extends the obligation to correct personal information to situations where the CRB or credit provider is satisfied that the information is irrelevant, having regard to the purpose for which the information is held (ss 20S(1) and 21U(1)).

Corrections – on request

The new Part IIIA also gives individuals the express right to seek to have their credit-related personal information corrected by a CRB or credit provider (ss 20T(1) and 21V(1)).

The CRB or credit provider that first receives an individual's correction request must decide whether or not to correct the information that is the subject of the request. Importantly:

  • an individual may make a correction request to any CRB or credit provider that holds at least one item of credit-related personal information about them. This is the case even if the CRB or credit provider that receives the request does not hold the particular item of information that the individual is seeking to have corrected (ss 20T(1)(b) and 21V(1)(b))
  • the CRB or credit provider may be required to consult other CRBs or credit providers to satisfy itself whether or not the information needs to be corrected. Consultation may be required where, for example, the CRB or credit provider does not itself hold the relevant information or does not have evidence to substantiate the correctness of the information (ss 20T(3) and 21V(3)).   

Charges

Access

Under the new Part IIIA, a CRB must not charge an 'access seeker' for making an access request or for giving access, where an access request in relation to the individual has not been made to the CRB within the past 12 months (s 20R(5)).

Where an access request in relation to the individual has been made within the past 12 months, any amount charged by a CRB for providing access must not be excessive and the CRB must not charge for making the access request (s 20R(6)).

In contrast, a credit provider that is an agency must not charge an access seeker for making an access request or for giving access in any circumstances (s 21T(5)). All other credit providers may charge for access, as long as that charge is not excessive and does not apply to the making of the access request (s 21T(6)).

Charges for access were not explicitly regulated under the old Part IIIA, although the old Credit Reporting Code of Conduct addressed the charging of fees by CRBs (called 'credit reporting agencies' in that code).

Corrections

Under both the old and new Part IIIA, CRBs and credit providers are not permitted to charge an individual for making a correction request, or for the correction of the information (ss 20T(5) and 21V(5)).

Notification obligations

Notification of the access-seeker or individual

The new Part IIIA imposes new obligations on CRBs and credit providers to notify access-seekers or individuals of a decision that relates to a request for access or correction. A CRB or credit provider must provide written notice setting out:

  • where access is refused, the reasons for the refusal (unless it would be unreasonable to do so having regard to the reasons for refusal) and the avenues of redress available to the individual (ss 20R(7) and 21T(7))
  • where the correction is made, that correction (unless the CRB or credit provider is required by or under an Australian law, or a court/tribunal order, not to give notice) (ss 20U(2)(a) and 21W(2)(a))
  • where the correction is not made, that fact, the reasons for not correcting the information (including evidence substantiating the correctness of the information, see Requirement to substantiate listings below) and the avenues of redress available to the individual (unless the CRB or credit provider is required by or under an Australian law, or a court/tribunal order, not to give notice) (ss 20U(3) and 21W(3)).

Notification of third parties

As under the old Part IIIA, where a CRB or credit provider corrects information in response to a correction request, they are generally required to notify any third parties to whom they have previously disclosed the information, or whom they consulted in the process of dealing with the correction request, of the correction (ss 20U(2) and 21W(2)).

Importantly, it is the responsibility of the CRB or credit provider to identify the third party recipients to whom it has previously disclosed the information that is the subject of the correction request.  This is in contrast to the obligations in the old Credit Reporting Code of Conduct that only required notification to third party recipients nominated by the individual.

Requirement to substantiate listings

The new Part IIIA requires a CRB or credit provider that refuses a request to correct personal information to provide evidence to the individual substantiating the correctness of the information (ss 20U(3)(b) and 21W(3)(b)). Importantly, this places the onus on the CRB or credit provider to demonstrate that the information does not require correction.

Time frames

The new Part IIIA modifies the timeframes for dealing with an access or correction request. These were previously dealt with under the old Credit Reporting Code of Conduct.

Table 1: Notification and response timeframes in relation to access and correction requests provides detail about the timeframes prescribed in the new Part IIIA.

Changes to complaints handling procedures

The Commissioner expects that complaints by individuals about a breach of the new Part IIIA or the new CR code by a CRB or credit provider will generally be dealt with via a three stage process:  

  1. an individual will first complain to a CRB or credit provider (s 23A)
  2. if the individual is not satisfied with the outcome, the individual may complain to an external dispute resolution (EDR) scheme that has been recognised by the Commissioner and of which the CRB or credit provider is a member
  3. if the individual is not satisfied with the outcome, the individual may complain to the Commissioner (s 36).  

Complaints to a CRB or credit provider

The obligations of CRBs and credit providers in relation to the internal handling of complaints are set out in Division 5 of the new Part IIIA.

Division 5 gives individuals an explicit right to complain to a CRB or a credit provider about most acts or practices engaged in by that CRB or credit provider that might breach the new Part IIIA or the CR code (s 23A).

Importantly, a complaint must relate to an act or practice of the CRB or credit provider to which the individual complains. This is in contrast to the correction provisions, where an individual can approach any CRB or credit provider that holds credit-related personal information about the individual.

A CRB or credit provider that receives such a complaint must investigate the matter (s 23B(1)(b)) and make a decision within 30 days (unless the individual has agreed to a longer period in writing); they cannot refer the complaint to another CRB or credit provider for resolution (ss 23B(4) and (5)). Further, the new Part IIIA imposes an additional obligation on CRBs and credit providers that receive a complaint to consult another CRB or credit provider about the complaint where they consider it necessary (s 23B(2)).

A CRB or credit provider must not charge an individual for the making of, or for dealing with, the complaint (s 23A(5)).

Complaint handling and access and correction requests

The obligations in Division 5, setting out procedures for the internal handling of complaints, do not apply to complaints about acts or practices of CRBs or credit providers that relate to the provision of access or a request to correct credit-related personal information (s 23A). In these circumstances, the individual may complain directly to a recognised EDR scheme or to the Commissioner without first complaining to the CRB or credit provider (s 40(1B)).

As discussed above, where a CRB or credit provider makes a decision not to correct information following the receipt of a correction request, the individual that made the request will generally be notified of that decision, the reasons for it (including evidence substantiating the correctness of the information) and their right to lodge a complaint with a recognised EDR scheme or with the Commissioner.

Notwithstanding the right of an individual to make a correction request, the new Part IIIA makes it clear that it is the responsibility of credit providers and CRBs to ensure the integrity of the credit-related personal information that they hold (ss 20S and 21U, see discussion above).

Notice requirements

The new Part IIIA imposes additional notice obligations on CRBs and credit providers that receive the complaint under Division 5. A respondent CRB or credit provider must give written notice:

  • within 7 days after the complaint is made, acknowledging receipt of a complaint and setting out how the respondent will deal with it (s 23B(1)(a))
  • after a decision about the complaint has been made, setting out the decision and indicating avenues of redress available to the individual if they are dissatisfied (s 23B(4)).

Notice requirements relating to correction complaints

Where an individual makes a complaint about a breach of ss 20S or 21U, there are additional notification requirements that apply to respondent CRBs and credit providers.

There may be instances where the information to which the complaint relates is held by another CRB or credit provider. In these circumstances, the respondent CRB or credit provider must still investigate the matter and make a decision within 30 days (s 23B). In addition, the respondent must generally notify the CRB or credit provider that holds the information to which the complaint relates of the complaint, and of any decision made in relation to it, as soon as practicable after each is made (ss 23C(2) and (3)).

Where the respondent CRB or credit provider discloses information to which the complaint relates and a decision about the complaint has not yet been made, the respondent must generally also notify any recipients of that information of the complaint at the time that the information is disclosed (ss 23C(4) and (5)).

Complaints to a recognised EDR scheme

The Commissioner has a new power to recognise EDR schemes for the purpose of handling privacy-related complaints (s 35A). All credit providers are generally required to be members of a recognised EDR scheme before they are permitted to disclose credit information to a CRB (ss 21D(2) and 20C(3)(a)).

If an individual is dissatisfied with the decision of a CRB or credit provider about their complaint, or about the outcome of a correction request, they may complain to a recognised EDR scheme of which the CRB or credit provider is a member.

Complaints to the Commissioner

As under the old Part IIIA, an individual who is dissatisfied with the decision of a CRB or credit provider (or, where relevant, a recognised EDR scheme) may make a complaint to the Commissioner under Part V of the Privacy Act (s 36).

However, it is open to the Commissioner to decline to investigate a complaint on a number of grounds. These include that:

  • the Commissioner considers that the complaint is already being dealt with by a recognised EDR scheme (s 41(1)(dc))
  • the Commissioner considers the complaint would be more effectively or appropriately dealt with by a recognised EDR scheme of which the CRB or credit provider is a member (s 41(1)(dd)).

In addition, the Commissioner must not investigate a complaint where the individual did not first complain to the relevant CRB or credit provider (except where the complaint is in relation to an access or correction request – see discussion above) unless the Commissioner considers that it was not appropriate for the individual to complain to the respondent CRB or credit provider (s 40).

Changes to penalties for non-compliance – civil penalties

The new Part IIIA introduces civil penalties for a breach of certain provisions of the new Part IIIA. Each civil penalty provision is identified by the words 'civil penalty' and one or more amounts in 'penalty units' set out at the foot of the provision (s 80U). A civil penalty may also be imposed for a serious or repeated breach of the new Part IIIA or the CR code (s 13G). 

The Commissioner has a new power to apply to the Federal Court or Federal Circuit Court of Australia for an order that a CRB or credit provider that is alleged to have contravened a civil penalty provision pay the Commonwealth a pecuniary penalty (s 80W).

Additionally, some acts or practices in the new Part IIIA are also offences and carry a criminal penalty, for example acts or practices that relate to the unauthorised use and disclosure of false and misleading information (ss 20P and 21R).

Where a civil penalty order has been made, or the entity is found guilty of an offence, an individual may also apply to the Federal Court or Federal Circuit Court of Australia for a range of compensation orders (s 25).

Miscellaneous issues

Fraud

The new Part IIIA contains mechanisms for individuals to deal with fraud, including identity fraud. An individual may request a CRB not to use or disclose their credit reporting information where they believe on reasonable grounds that they have been, or are likely to be, the victim of fraud (s 20K(1)).

'Ban period'

Generally, where a CRB receives such a request they must comply with the request for the duration of the 'ban period' (s 20K(1)). The ban period is a period that runs for 21 days after the day on which the individual makes the request (unless it has been extended) (s 20K(3)).

A CRB must extend the ban period for a reasonable period, following a request by an individual, where it believes on reasonable grounds that the individual has been, or is likely to be, the victim of fraud. The CRB must give the individual written notification of the extension (s 20K(4)).

Charges

A CRB must not charge an individual for making a request not to use or disclose their credit reporting information where they believe on reasonable grounds that they have been, or are likely to be, the victim of fraud, or to extend a ban period (s 20K(6)).

Other mechanisms to deal with fraud

The new Part IIIA also contains provisions in relation to the destruction of credit reporting information by CRBs in cases of fraud, and limitations on the disclosure of credit information by credit providers to CRBs during a ban period (ss 20Y and 21F).

Direct marketing

Under the new Part IIIA, a CRB is prohibited from using or disclosing credit reporting information for the purpose of direct marketing (s 20G(1)). Generally, this prohibition does not apply to the use of credit information for the purpose of pre-screening individuals to determine their eligibility to receive direct marketing by credit providers (s 20G(2)). That determination by a CRB is known as a 'pre-screening assessment' (s 6(1)).

There are a number of limitations on when a CRB can use credit information for the purpose of conducting a pre-screening assessment, including the types of credit information that may be used or disclosed (s 20G(2)(a) to (f)).

Additionally, an individual may request that a CRB that holds credit information about them not use that information for the purposes of pre-screening (s 20G(5)). A CRB must not charge the individual for the making of, or giving effect to, such a request (s 20G(6)).

The new Part IIIA also contains provisions dealing with the use, disclosure and destruction of pre-screening assessments by CRBs and other recipients of pre-screening assessments (ss 20H and 20J).

For further information

telephone: 1300 363 992

email: enquiries@oaic.gov.au

write: GPO Box 2999, Canberra ACT 2601, or GPO Box 5218, Sydney NSW 2001

or visit our website at www.oaic.gov.au


Table 1: Notification and response timeframes in relation to access and correction requests

Obligation: Deal with an access request

Old Part IIIA, credit provider:

  • must, within 10 working days of receipt of the request, attempt to give access (Para 2.21 CRCC [8])
  • must, within 30 days of receipt of the request, give access (Para 2.21 CRCC)

Old Part IIIA, CRA:

  • must, within 10 working days of receipt of the request, give access (Para 1.11 CRCC)

New Part IIIA, credit provider:

  • must, within a reasonable period after the request is made, respond to the request (s 21T(3))

New Part IIIA, CRB:

  • must, within a reasonable period, but not longer than 10 days after the request is made, respond to the request (s 20R(3))

Obligation: Deal with a correction request

Old Part IIIA, credit provider:

should, within 10 working days of receipt of request:

  • refer the request to a CRA
  • inform the individual of the referral, and
  • include a note in any credit reports in the possession of the credit provider noting the pending request (Para 2.23 of CRCC)

Old Part IIIA, CRA:

  • must, as soon as practicable, but within 5 working days after establishing an amendment is necessary, make the amendment (Para 3.8 CRCC)
  • shall, within 14 days of amending the information, provide the individual with a copy of the amended credit information file or report (Para 3.14 CRCC)
  • must, within 30 days of receipt of the request, notify the individual of a refusal to amend and provide reasons (Para 3.10 CRCC)

New Part IIIA, credit provider:

  • must, within 30 days starting from the day the request is made, correct information (s 21V(2))
  • must, within a reasonable period of correcting the information, notify the individual of the correction (s 21W(2))
  • must, within a reasonable period of deciding not to correct the information, notify the individual of that decision and provide reasons (s 21W(3))

New Part IIIA, CRB:

  • must, within 30 days starting from the day the request is made, correct information (s 20T(2))
  • must, within a reasonable period of correcting the information, notify the individual of the correction (s 20U(2))
  • must, within a reasonable period of deciding not to correct the information, notify the individual of that decision and provide reasons (s 21U(3))

Obligation: Notify third party recipients of the information of the correction

Old Part IIIA, credit provider:

N/A

Old Part IIIA, CRA:

  • must, within 14 days of amending the information, advise the individual that they may nominate certain persons whom they wish the CRA to notify of the amendment
  • must, within 30 days of the date of nomination, notify such persons of the amendment (Para 3.15 CRCC)

New Part IIIA, credit provider:

  • must, within a reasonable period of correcting the information, give each recipient of the information written notice of the correction (s 21W(2))

New Part IIIA, CRB:

  • must, within a reasonable period of correcting the information, give each recipient of the information written notice of the correction (s 20U(2))


Information flows in the Credit Reporting System

Flowchart: information flows in credit reporting system.


Credit Information

Figure: types of credit information.



Footnotes

[1] See Schedule 2 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (the Privacy Amendment Act).

[2] For the purposes of this business resource, the term 'old Part IIIA' will be used to refer to the provisions contained in Part IIIA of the Privacy Act 1988 (Privacy Act) at the date of publication and the term 'new Part IIIA' will be used to refer to the provisions contained in that Part following the commencement of the Privacy Amendment Act on 12 March 2014.

[3] Schedule 1 of the Privacy Amendment Act introduces a set of new, harmonised, privacy principles for both the public and private sector, called the Australian Privacy Principles (APPs). These new principles will replace the existing Information Privacy Principles that currently apply to the public sector and the National Privacy Principles that currently apply to the private sector.

[4] Explanatory Memorandum Privacy Amendment Act, p 92.

[5] CRBs cannot hold CP derived information but they have obligations in relation to making a correction to CP derived information if they hold credit information or CRB derived information; see s 20T.

[6] Repayment history information can only relate to payments that an individual has made or missed from 12 December 2012 (being the date of Royal Assent); see Part 3 of Schedule 6 of the Privacy Amendment Act, ss 4(6).

[7] Certain classes of entities (such as credit providers) cannot be authorised as an access seeker by an individual; see s 6(L)(2) of the new Part IIIA.

[8] For the purposes of Table 1, a reference to the 'CRCC' is a reference to the 1991 Credit Reporting Code of Conduct.
