Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

Credit Reporting

Part IIIA of the Privacy Act 1988 (Privacy Act) regulates consumer credit reporting in Australia. Part IIIA is supported by the Privacy Regulation 2013 and the Privacy (Credit Reporting) Code 2014 (CR code).

One of the objects of the Privacy Act is to facilitate an efficient credit reporting system while ensuring that the privacy of individuals is respected. In recognition of that objective, the laws about credit reporting are intended to balance individuals’ interest in protecting their personal information with the need to ensure that credit providers have sufficient information available to assist them to decide whether to provide an individual with credit. The Australian credit reporting system also helps ensure that credit providers are able to comply with their responsible lending obligations under the National Consumer Credit Protection Act 2009 administered by the Australian Securities and Investment Commission (ASIC).

To achieve this intention, Part IIIA of the Privacy Act regulates the handling of personal information about individuals’ activities in relation to consumer credit. In particular, Part IIIA outlines:

  • the types of personal information that credit providers can disclose to a credit reporting body (CRB), for the purpose of that information being included in an individual’s credit report
  • what entities can handle that information, and
  • the purposes for which that information may be handled.

For example, when an individual makes an application for credit to a credit provider, the provider can access a copy of the individual’s credit report from a CRB to help them to make a decision about whether or not to grant the application.

The registered CR code

The Privacy (Credit Reporting) Code 2014 (CR Code) is a mandatory code that binds credit providers and CRBs. The CR code supplements the provisions contained in Part IIIA of the Privacy Act and the Privacy Regulation 2013.

Importantly, a breach of the CR code is a breach of the Privacy Act.

In April 2017, in accordance with paragraph 24.3 of the registered CR Code, the Australian Information Commissioner initiated an independent review of the CR Code. The review was conducted by PricewaterhouseCoopers (PwC). PwC’s report is available here: pdfReport — Review of Privacy (Credit Reporting) Code 2014 (V1.2)337.76 KB

CR Code application — April 2019

On 18 April 2019, the Australian Information Commissioner received an application from the Australian Retail Credit Association (ARCA) to vary the CR Code in accordance with section 26T of the Privacy Act 1988. An amendment to the application was submitted to the OAIC on 15 May 2019.

If you would like to provide feedback on the CR Code application, please send your comments to

If you require any of the following documents in an another format, please send your request to

Application materials

CR Code variation approval — May 2018

 On 29 May 2018, the Acting Australian Information Commissioner approved a variation to the CR Code. This follows an application by the ARCA on 26 April 2018 (and an amendment to the application dated 28 May 2018), for variation of the registered CR Code in accordance with section 26T of the Privacy Act 1988.

The application materials for this variation have been archived on the OAIC website.

Additional information

Additionally, the ARCA has developed an information website (CreditSmart) to help consumers understand the effects of the Privacy Act reforms on how credit reporting will operate in Australia.

Pre 12 March 2014 credit reporting law