See our advice on the Latitude Financial data breach

10 March 2022

On 10 March 2022 the Australian Information Commissioner approved an application to vary the Privacy (Credit Reporting) Code 2014 (CR Code).

The variation to the CR Code submitted by the Code developer, the Australian Retail Credit Association (ARCA), addresses amendments made to the Privacy Act 1988 (Privacy Act) relating to financial hardship reporting and access to credit information under the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Act 2021 (the amending Act).

Based on the commencement date of the amendments to the Privacy Act, the variation will result in two tranches of amendments to the CR Code:

  • variations that will come into effect on 22 April 2022 (version 2.2 of the CR Code)
  • variations that will come into effect on 1 July 2022 (version 2.3 of the CR Code)

The approval of this variation application follows significant engagement with key consumer representatives, members of industry and government and between ARCA and Office of the Australian Information Commissioner (OAIC).

The introduction of financial hardship reporting is a significant change in Australia’s credit reporting system. The Amending Act sought to ensure that credit providers have a fuller picture of the financial situation of a consumer, including when they may be experiencing hardship. The variations to the CR Code provide further particularity to ensure consistency across industry in the collection, use and disclosure of financial hardship information. The variations also ensure that consumers can access their credit rating free of charge every three months, and provide protections for consumers around the use and disclosure of financial hardship information on a consumer’s credit report. These protections include a prohibition on the use of financial hardship information in calculating an individual’s credit score and restricted retention of financial hardship information to 12 months.

The OAIC will regulate compliance by credit reporting bodies and credit providers with the new provisions of the CR Code and monitor its operation.

As the independent regulator of credit reporting under the Privacy Act, the OAIC also has a role in independently assessing any application to vary the CR Code and in reviewing the CR Code’s operation every 4 years.

The CR Code is a mandatory Code that binds credit providers and credit reporting bodies. More information about the CR Code can be found here.