Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

Credit reporting changes

Presentation by Timothy Pilgrim, Privacy Commissioner, to the Australian Retail Credit Association 'New era of credit' forum, Sydney, 18 March 2014.

Good afternoon. I’d like firstly to acknowledge the Traditional owners of the land that we meet on today, the Gadigal peoples or the Eora nation, and pay my respects to their elders, both past and present.

Well, the last week has been a big one for us! Among the many changes to the Privacy Act 1988 (Privacy Act), we now have new credit reporting provisions that include:

  • the introduction of more comprehensive credit reporting
  • a simplified and enhanced correction and complaints process
  • the introduction of civil penalties for breaches of certain credit reporting provisions
  • a requirement for credit providers to be a member of an external dispute resolution scheme, recognised under the Privacy Act, to be able to participate in the credit reporting system.

There’s been a lot of media attention on the Office of the Australian Information Commissioner (OAIC) over the last few weeks, for all sorts of reasons including changes to credit reporting, and we have been working at full steam getting everything ready for the reforms.

You may have seen several new consultations go up on our website, our eAlerts providing updates on our guidance, as well as the broader updating of all our website content to reflect the reforms. This is of course an ongoing process.

In the last 14 months we have been working on over 50 different types of guidance, including:

  • the comprehensive APP guidelines
  • the APP quick reference tool
  • checklists for both agencies and organisations
  • Comparison guides between the new and old principles
  • A privacy business resource on Credit reporting — what’s changed
  • Credit FAQs
  • Guidelines around external dispute resolution schemes and developing codes
  • and, not to forget the credit reporting privacy code.

CR code

In January, the Credit reporting privacy code, the CR Code as it is termed was approved. It was particularly pleasing to see that this was an industry driven and developed code. Now, regardless of all the best will in the world, these processes are by their very nature ‘challenging’ to say the least. And in that regard I would like to thank ARCA for taking the lead and for working so closely with industry and consumers on the code and engaging with all relevant stakeholders.

The resulting CR code I hope establishes a good balance between the necessary protection of individuals’ personal information and businesses’ need for an efficient credit reporting system. The OAIC worked closely with ARCA to ensure that an appropriate balance was reached, and as a result of this we now, naturally, expect compliance with Part IIIA of the Privacy Act and the CR code.

Remember that a breach of Part IIIA or the CR code is a breach of the Privacy Act 1988 (Privacy Act).

It’s also important to also recognise that in some circumstances the obligations on credit reporting participants in Part IIIA of the Privacy Act replace relevant Australian Privacy Principles (APPs) and in other circumstances apply in addition to relevant APPs.

Importantly, all the APPs will apply to all credit reporting participants that are APP entities in relation to the handling of personal information not regulated under the new Part IIIA.  

I wanted to speak briefly about some of the changes to credit reporting under the new laws, starting with changes to access and correction provisions in the Privacy Act and the CR code.

Access and correction

I first want to touch on changes to individuals’ rights to access and correction of their credit file under the new Part IIIA of the Privacy Act and the CR code.


Individuals have the right to access their credit report, as well as any other information derived from their credit report, such as their credit score, from a credit reporting body.

Credit reporting bodies must provide free access (on request) once in a 12 month period and, in addition, if

  • an individual has applied for, and been refused credit, within the past 90 days, or
  • an individual’s request for access relates to a decision by a CRB or a credit provider to correct information included on their credit report.

In other circumstances credit providers may charge for access to a credit report, as long as the charge is not excessive.

Under the new laws, credit reporting bodies must provide an individual with access to their credit report within 10 days of the request being made. Credit providers may take up to, but not more than, 30 days to give access.

Credit reporting bodies are also required to make their free access service as available and easy to identify and use as their fee-based access service.


Under the new laws and the CR code, individuals can approach any credit reporting body to seek to have their personal information correction. Credit reporting bodies are not allowed to charge for making this request, or for correcting the information held in the file.

Except in certain special circumstances, a credit reporting body or credit provider must make a decision about the requested correction within 30 days, and they must notify an individual within 5 days of making that decision.

There are also notification requirements in relation to corrections, whereby a credit reporting body or credit provider must notify certain third parties of the corrected information. This includes:

  • for credit reporting bodies, any third parties to whom they disclosed the information
  • for credit providers, any third parties to whom they disclosed the information within the last 3 months
  • and any other third parties nominated by you, to whom they disclosed the information.

The OAIC also receives a lot of questions about credit repair organisations, and whether people should pay to have their credit information corrected. The simple answer that we always give to this is ‘no’. The new laws seek to make it easier to seek corrections to a credit report, and we hope to see a decrease in the number of people contacting us with questions about credit repair organisations.

The OAIC has developed a series of 12 credit reporting fact sheets for consumers, which we will be releasing very shortly. These fact sheets outlines access and correction provisions under the new laws, as well as complaints processes, default information, credit reports, fraud and a number of other key issues.

CRB statistics

In the move to a model of greater co-regulation, in order for our oversight role to be as effective as possible it is important that we collect information to assess the effectiveness of the system.

To this end, credit reporting bodies will be required to provide statistics in their annual reports.

Under clause 23.11 of the CR code, credit reporting bodies will be required to provide information on:

  • Access:
    • The percentage of individuals provided with access with a charge
    • and without a charge being applied
  • Correction
    • requests received
    • successful correction requests
    • the corrections finalisation period
    • Type of corrections made
    • Other corrections made
  • Complaints:
    • Complaints received
    • Types of complaints
    • Complaints finalisation period
    • Complaint outcomes
  • Serious credit infringements
    • The percentage of serious infringements disclosed
    • The percentage of serious credit infringements by sector
  • CRB monitoring and auditing activity
  • Consumer credit liability and repayment history information that has been disclosed to the CRB
  • As well as any other information requested by the Commissioner.

EDR schemes and complaints

As you would know, all credit reporting bodies who wish to access the credit reporting system must be a member of a recognised external dispute resolution scheme.

There are now five recognised external dispute resolution schemes:

There are also two applications that are pending approval from the NSW and Victorian Energy and Water Ombudsman schemes.

However, the Privacy Regulations now include a 12 month exemption from being a member of a recognised EDR schemes for water & energy utilities providers, and commercial credit providers. However, COSL, a recognised EDR scheme, is now accepting membership from commercial credit providers, and we strongly encourage commercial credit providers to join.

In the next few months will be also be providing answers to FAQs to EDR schemes, to assist them with those issues where they need additional information.

We will also be strengthening our working relationship with the Schemes to ensure consistency in the application of the credit provisions.

Transition into new laws

The changes to the credit reporting system under privacy law reform are extensive and we acknowledge that there may be some hiccups in this period of transition. This is to be expected. However, the OAIC has worked closely with ARCA and with the credit reporting industry to ensure that they are well supported and, as such, we expect responsiveness to any problems that do come up in the next few months — I would expect that they would be dealt with quickly and effectively.

I would also like to acknowledge to good work that ARCA have done in developing their CreditSmart website. This is an excellent tool for consumers and we have been directing a lot of people to it.

New enforcement powers

As of last Wednesday, the OAIC now has a range of new powers and remedies. These new powers give us a bigger tool kit in resolving complaints, conducting investigations, and promoting privacy compliance. The changes will also strengthen the Commissioners’ enforcement powers.

The OAIC previously had the power to conduct audits of Government agencies and credit reporting agencies and providers — these audits are now called ‘assessments’, and we can now assess private sector organisations, to determine whether they are handling personal information in accordance with the new APPs, the new credit reporting provisions and other rules and codes.

These assessments may be conducted at any time, whether the organisation has had a previous privacy breach or not, so businesses need to have their systems and processes in place to be ready at all times for an assessment.

The Commissioners will also now be able to make a determination on a Commissioner initiated investigation (as can already be done with a complaint lodged by an individual), accepting written undertakings that will be enforceable through the courts, or applying for civil penalty orders of up to $340,000 for individuals and up to $1.7 million for companies.

Over the last 14 months a lot has been made of the potential $1.7 million penalty, especially in media coverage. But adhering to the law is not just about penalties, it is about building in a culture of compliance, about knowing what is expected of your business and making sure that others know what to expect from you.

The OAIC recognises that agencies and businesses have been working hard to implement the changes — our focus over the next 12 months is on working with you to ensure compliance.

We will continue to follow the escalation model that has always been our approach — we will always attempt conciliation of complaints in the first instance. However, where conciliation is not effective we may use our other enforcement tools.

We recently released a consultation draft of the OAICPrivacy regulatory action policy. We have developed this policy to outline and explain our approach to using out privacy regulatory action powers. The policy covers both existing powers and the new powers conferred on the Information Commissioner under privacy law reform. The regulatory action policy will be supported a Guide to the OAIC’s privacy regulatory action, which will give more detailed and practical guidance on how the OAIC will exercise their powers.

Consultation on the OAIC Privacy regulatory action policy is designed to find out if the policy is clearly expressed and comprehensive — we would like it to be as useful as possible to stakeholders.

Credit reporting questions

To wrap up today I thought I might take a few minutes to talk about the credit questions and complaints that we are seeing coming in through our Enquiries line. These kinds of questions can help inform the guidance that we put out, but they might also help you in any education and awareness that you are doing. 

  • The OAIC has always received a lot of calls about credit repair organisations, and continues to get these kinds of calls. There are a lot of consumers out there who are under the impression that if they have paid their fee with the credit repair organisation, or that it’s been more than 30 days since they lodged a complaint, that their default will automatically be removed. As outlined earlier, the OAIC will continue to educate individuals about their access and correction rights, and you all play an important role in this task as well.
  • In the last week, we have received a number of calls from credit advocacy bodies with questions about the removal of explanatory notes from individuals’ credit file. Under the new Part IIIA explanatory notes are no longer able to be entered into the credit reporting system but the CR code enables notes already entered to be kept for up to 2 years unless the individual requests their removal. 
  • We are already receiving a lot of calls about wait times for access to credit reports from credit reporting bodies, and about the ‘free credit report’ option being very difficult to find. This is an area that we are keeping an eye on. However, we are pleased to see some early improvement in this area.
  • We are also receiving calls about whether commercial credit providers need to be a member of an EDR scheme.

These are obviously areas where there is still some work to do in improving understanding of the credit reporting system. I hope that we will all be able to work together to improve understanding and awareness of how the credit reporting system works.  

This is increasingly important as the recent reforms are making the community more aware of their privacy rights and in particular the need to be across what is on their credit file. On top of all the work we have been doing in terms of producing guidance material and the like we have seen a surge in complaints and enquires as people exercise these rights.

By way of example, in the previous financial year we received 1496 complaints. These complaints contained roughly 403 credit-related issues. In the year to date we have already received over 2,000 complaints, in which there are approximately 1200 credit-related issues.

Privacy Awareness Week (PAW)

Now, on that sobering note, I want to finish up today by talking about Privacy Awareness Week.

Over the last few weeks and months there has been a considerable amount of media attention focussed on credit reporting, and the change to a positive credit reporting system. Some of the information out there is accurate, some of it is not so accurate, but certainly there is a lot of attention being given to it, and consumers are nervous and a lot of them are confused.

Our 2013 Community attitudes to privacy survey shows that only a quarter of Australians are aware that they are able to access their credit report for free — nearly 50% think that they have to pay for access, and 17% of people think that they cannot access it at all, even if they pay.

With such a high level of growing public awareness around credit reporting, and changes to credit reporting, this is the perfect time for your organisations to sign up as a PAW partner — make a public commitment to privacy by putting a PAW partner button on your website, and having your logo listed on ours. PAW is also an excellent opportunity to promote privacy to internal and external stakeholders through newsletters, events and online promotion. And it’s free!

With the public already focussed on your industry, you have a captive audience, already listening to what you have to say about your commitment to privacy.

Thank you.