Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

Privacy business resource 7: Credit reporting — information held beyond its retention period

pdfPrintable version496.78 KB

January 2015

Under the Privacy Act 1988 (Privacy Act) credit reporting bodies (CRBs) are given specific retention periods stating how long they may hold personal information and include it in a consumer credit report as credit reporting information. There are some circumstances where CRBs are permitted to keep credit reporting information beyond its retention period. These circumstances include when a CRB is required by or under Australian law, or a court/tribunal order, to keep the information, or to resolve a pending correction request or dispute in relation to that information.

In particular, s 20Z sets out how CRBs must deal with credit reporting information subject to a pending correction request or dispute. In these circumstances it would not be appropriate for the credit reporting information to be destroyed, as generally required by s 20V, at the end of the retention period. However, given the retention of the credit reporting information is contrary to the destruction obligations in s 20V, the Office of the Australian Information Commissioner (OAIC) must be notified of the situation.

This resource assists CRBs in complying with the notification requirement of s 20Z, the handling and destruction or de-identification of credit reporting information held beyond its retention period for the purpose of responding to a correction request or dispute.

Notification

The Privacy Act imposes an obligation on CRBs to notify the OAIC of a situation where any credit reporting information is kept past its retention period for the purpose of responding to a correction request or dispute. A failure to notify the OAIC attracts a civil penalty (s 20Z(2)).

A written notification must occur ‘as soon as is practicable’. The OAIC will accept a quarterly notification of situations where credit reporting information has been held by a CRB, past its retention period, for the purpose of responding to a correction request or dispute. This recognises that correction requests and complaints can be received by CRBs on a daily basis, and the practical difficulty for CRBs to notify the Commissioner with such frequency.

Format and content of a notification

A notification should, at minimum, contain the following information:

  • the name of the CRB and the contact person
  • the date of the report
  • the credit reporting body’s unique identifier for the individual and their name
  • the date the retention period ended
  • the reason for retaining the information (correction request or a dispute)
  • whether the matter has been referred to the CRB’s External Dispute Resolution (EDR) scheme and if so, the name of the EDR scheme, the date of referral and the reference number
  • whether the matter has been referred to the OAIC and, if so, the date of the referral and the OAIC’s reference number.

The OAIC expects that each quarterly report will provide a rolling list of outstanding matters where the information has still not been destroyed or de-identified.

How to notify the OAIC

xlsDownload the notification form36 KB

Notifications should be sent by email to enquiries@oaic.gov.au.

Handling of information retained past its normal retention period

Credit reporting information held past its retention date under s 20Z cannot be used or disclosed by the CRB except for the purposes of the pending correction request or dispute related to the information, or if the use or disclosure is required by or under an Australian law or a court/tribunal order (s 20Z(4)). A written note must be made by the CRB if any such use or disclosure occurs (s 20Z(5)).

A CRB will be permitted to disclose an individual’s credit reporting information to an external dispute resolution scheme or to the OAIC for the purposes of resolving a dispute about that information.

A CRB must destroy or de-identify the credit reporting information in question as soon as practicable after it is no longer needed for the purposes of resolving the correction request or dispute.

Direction to destroy information

In appropriate circumstances, the Commissioner may, by legislative instrument, direct a CRB to destroy the credit reporting information in question by a specified date (s 20Z(6)). This power may be exercised by the Commissioner, for example, to resolve a conflict about whether the information in question should be destroyed or retained.

Review of quarterly notification period

The OAIC will conduct a review 12 months after the publication of this resource to assess, amongst other matters, the suitability of the quarterly notification period.  

The information provided in this resource is of a general nature. It is not a substitute for legal advice.