In April 2017, the Australian Information and Privacy Commissioner will tender for an independent review of the Privacy (Credit Reporting) Code 2014 (the CR Code). This review is an opportunity to explore how the CR Code, which commenced on 12 March 2014, is operating in practice.
The CR Code review will be conducted in two stages:
- Stage 1, anticipated to commence in May 2017, will explore the interaction between the CR Code and the Privacy Act 1988 and significant issues or concerns about the practical operation of the CR Code.
- Stage 2, anticipated to commence in July 2017, will explore requirements in the CR Code that have not been complied with in practice (including issues of systemic non-compliance).
There will be an opportunity for stakeholders interested in the review to contribute to this process.
The successful tenderer will lead the consultation process and will publish a report outlining issues and concerns about the operation of the CR Code in late 2017.
Part IIIA of the Privacy Act regulates consumer credit reporting in Australia. Part IIIA is supported by the Privacy Regulation 2013 and the CR Code.
The CR Code is a mandatory code that binds credit providers and credit reporting bodies. The Code commenced on 12 March 2014. Importantly, a breach of the Code is a breach of the Privacy Act.
Paragraph 24.3 of the CR Code requires the Commissioner to initiate an independent review of the operation of the Code within 3 years of the date of its commencement.
Paragraph 24.2 of the CR Code requires credit reporting bodies (CRBs) to commission an independent review of their operations and practices to assess compliance by the CRB with its obligations under Part IIIA, the Regulations and the CR Code.
The outcomes of the CRB reviews will be considered as part of stage 2 of the CR Code review.
For more information about the CR Code and credit reporting under the Privacy Act see the Credit Reporting page.