Australian Government - Office of the Australian Information Commissioner - Home

Does my business have privacy obligations in relation to consumer credit reporting under the Privacy Act?

Your business may have privacy obligations in relation to consumer credit reporting if you are a credit reporting body or a credit provider under the Privacy Act 1988 (Privacy Act). You may also have obligations if your business involves handling individuals’ credit reports (for example, because you process applications for credit on behalf of a credit provider).

The laws regulating the handling of personal information for consumer credit reporting in Australia are contained in the Privacy Act (principally in Part IIIA), the Privacy (Credit Reporting) Code 2014 (CR code) and the Privacy Regulation 2013.

What is a credit reporting body (CRB)?

A credit reporting body (CRB) is an organisation whose business involves handling personal information in order to provide another entity with information about the credit worthiness of an individual. Importantly, it doesn’t matter whether or not the entity provides the information for:

  • a profit or reward, or
  • the purpose of assessing an application for credit.

There are three main CRBs in Australia:


What is a credit provider?

The following entities are included as credit providers for the purposes of the Privacy Act:

  • a bank
  • an organisation or small business operator if a substantial part of its business is the provision of credit, such as a building society, finance company or a credit union
  • a retailer that issues credit cards in connection with the sale of goods or services
  • an organisation or small business operator that supplies goods and services where payment is deferred for 7 days or more, such as telecommunications carriers and energy and water utilities
  • certain organisations or small business operators that provide credit in connection with the hiring, leasing or renting of goods.

Importantly, the following entities are not credit providers:

  • real estate agents
  • general insurers
  • employers.


What are my privacy obligations?

If your business is a credit provider you have obligations under the Privacy Act, the CR code and the Privacy Regulation 2013. More information about the consumer credit system can be found on this website in the following sections:

  • Credit reporting — This page provides information about credit law and Part IIIA of the Privacy Act
  • Credit reporting fact sheets — These fact sheets outline information about the credit reporting system for individuals but also provide a good overview
  • Privacy business resource 3: Credit reporting — what’s changed — This resource outlines important changes and information about the credit reporting system
  • CR code — the CR code is an enforceable code of practice for the credit reporting industry
  • Privacy Regulation 2013 — This regulation applies to various parts of the Privacy Act, including the definition of various terms relevant to the credit reporting provisions in Part IIIA.
