Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

Review of Credit Provider Determinations: Consultation Paper No.2

Indigenous Business Australia

Closing date for comment 3 June 2011


The Office of the Australian Information Commissioner (OAIC) is reviewing Credit Provider Determinations. The OAIC has issued this paper to assist individuals, organisations, credit providers and credit reporting agencies to prepare comments for part of that review.

The determination discussed in this paper is:

The IBA Determination was issued by the then Privacy Commissioner under section 11B(1)(d) of the Privacy Act 1988 (Cth) and will expire on 30 October 2011.

The OAIC has also issued Consultation Paper No. 1 in relation to Credit Provider Determinations No. 2006-3 (Assignees) (Assignees Determination) and No. 2006-4 (Classes of Credit Providers) (Classes of Credit Providers Determination).

Both this Consultation Paper No. 2 and Consultation Paper No. 1 are available from the OAIC's web site at or in hard copy on request.

How to make comments

The Australian Information Commissioner invites your comments on the matters raised in this Consultation Paper. The closing date for comment is 3 June 2011.

Submissions can be made to, GPO Box 5218 Sydney NSW 2001 or TTY 1800 620 241 (no voice calls).  

Note: The OAIC intends to make all submissions publicly available. Please indicate when making your submission if your submission contains confidential information which you do not wish to make public. Requests for access to confidential comments will be determined in accordance with the Freedom of Information Act 1982 (Cth).

Privacy collection statement

The OAIC will use the personal information it collects in the course of this review only for the purpose of its review of Credit Provider Determinations.

Scope of the review

The review of Credit Provider Determinations is a general review of the Assignees Determination, the Classes of Credit Providers Determination and the IBA Determination.

The OAIC recognises that a review of the Credit Provider Determinations may raise other issues which are not directly related to the definition of ‘credit provider'. This consultation is focused on those matters covered by each of the Credit Provider Determinations.

Senate Inquiry

The OAIC notes that the Senate Finance and Public Administration Committee is currently conducting an inquiry into Exposure Drafts of Australian Privacy Amendment Legislation, including an Exposure Draft of proposed new credit reporting provisions (new credit reporting provisions). More information about that inquiry and the new credit reporting provisions can be found at:

If the new credit reporting provisions are passed in their current draft form, the three Credit Provider Determinations which are the subject of this review are likely to become redundant. This is because the Australian Government proposes to:

  • designate in the legislation itself those entities currently covered by Credit Provider Determinations as 'credit providers'[1]
  • remove the Australian Information Commissioner's determination power in relation to the 'credit provider' definition.[2]

The OAIC considers that the appropriate forum in which to debate the long-term merit of the substance of the Credit Provider Determinations is the Senate inquiry.

Preliminary View

Subject to the result of this consultation, the OAIC proposes renewing each Credit Provider Determination without substantive amendment for a period of 3 years.

Legislation overview and background

Part IIIA of the Privacy Act

Part IIIA of the Privacy Act provides safeguards for individuals in relation to consumer credit reporting. It regulates the handling of credit information files (credit files) and other credit worthiness information about individuals by credit reporting agencies (CRAs) and credit providers. While some provisions in Part IIIA relate to commercial credit information, in general Part IIIA regulates consumer credit reporting.

The key requirements of Part IIIA include:

  • limits on the type of information that a CRA can hold on an individual's credit file, and how long it can be held on file (for example, 5 years for defaults)
  • limits on who can obtaininformation from an individual's credit file held by a CRA, and for what purposes. (Generally only credit providers may obtain a credit report in connection with an individual's application for credit.)
  • a general prohibition on the disclosure of credit reports and other credit worthiness information by credit providers
  • rights of access and correction for individuals in relation to personal information in credit files and reports held by CRAs and credit providers.

To supplement Part IIIA, the Privacy Act requires the Australian Information Commissioner to issue a Credit Reporting Code of Conduct with which CRAs and credit providers must comply.[3]

The Australian Information Commissioner also has the power to:

  • investigate an infringement of the Code of Conduct or Part IIIA
  • conduct audits to verify the compliance of CRAs and credit providers with the Code of Conduct and Part IIIA.[4]

Credit providers

The term 'credit provider' is defined in section 11B of the Privacy Act to include finance organisations such as banks, building societies, credit unions and retail businesses which provide loans or issue credit cards. Persons doing tasks reasonably necessary for purchasing, funding or managing, or processing an application for a loan through a securitisation arrangement also fall within this definition.

In addition, the Privacy Act empowers the Australian Information Commissioner to determine that particular organisations or agencies are credit providers for the purposes of the Act. These powers are contained in sections 11B(1)(b)(v), 11B(1)(d) and 28A(1)(d) of the Privacy Act. These sections do not specify the duration of the determinations.

The IBA Determination was issued under section 11B(1)(d) for a period of 5 years.


Credit Provider Determination No. 2006-5 (Indigenous Business Australia)


Indigenous Business Australia (IBA) is a statutory authority established under Part 4 of the Aboriginal and Torres Strait Islander Act 2005 (Cth). As a federal government agency, it is also subject to the Privacy Act.

The functions of IBA include administration of the Home Ownership Program and Business Development and Assistance Program. Responsibility for these two programs was transferred to IBA from the Aboriginal and Torres Strait Islander Commission in 2005.

IBA first applied for a Credit Provider Determination in 2005 and a determination was issued in October 2005 for one year. Following a review and public consultation by the then Office of the Privacy Commissioner (OPC),[5] the IBA Determination was issued without substantive change in October 2006 for a period of five years.

Earlier related Credit Provider Determinations were made in 1999 (Aboriginal and Torres Strait Islander Commission), 2003 (Aboriginal and Torres Strait Islander Services) and 2004 (Department of Employment and Workplace Relations).

The IBA Determination states that IBA is a credit provider for the purposes of the Privacy Act. The effect of the IBA Determination is to permit IBA to participate in the credit reporting system, including by:

  • accessing a customer's credit report for the purposes of assessing a loan application
  • collecting an overdue payment on a loan
  • listing an overdue payment or serious credit infringement
  • correcting information previously reported in relation to a loan.

Issues raised in the 2006 Consultation Paper No.2 and submissions

In the public consultation on the IBA Determination conducted in 2006, the OPC  received submissions from industry organisations, consumer groups and other government agencies and statutory authorities. 

The issues raised in the consultation paper included whether:

  • the IBA Determination had operated effectively in its first year and whether IBA had acted in accordance with its Privacy Act obligations
  • there was any evidence demonstrating the effect of the IBA Determination on individuals' privacy.

Each submission received supported the existing IBA Determination and suggested renewal for either five years or an indefinite period.  As a result, the then Privacy Commissioner concluded that the IBA Determination had operated satisfactorily and should be renewed for a five year period. 

The then Privacy Commissioner also noted in the Explanatory Statement to the IBA Determination a number of public interest and other considerations which support the need for the IBA Determination.  These factors included:

  • that the timely provision of a customer's credit report to IBA assists a customer to quickly obtain credit and be able to compete on an equal footing with other buyers on the open market
  • the Commissioner's satisfaction that IBA had taken steps to implement recommendations from the Australian National Audit Office in relation to privacy issues.

The OAIC's experience

The OAIC's records show that the OAIC has not received any complaints against IBA.


  1. Is there any evidence demonstrating a reason not to renew the IBA Determination?
  2. (A) Is there any evidence demonstrating a reason to amend the IBA Determination?
    (B) If there is any such evidence:
    1. How could the IBA Determination be amended to reduce the problem?
    2. Is there any evidence to support the proposed amendment?
  3. (A) Do you agree with the OAIC's proposal to renew the IBA Determination for a period of 3 years?
    (B) If you disagree, please suggest an alternative period and provide supporting reasons.

Attachment A

Credit Provider Determination No. 2006-5 (Indigenous Business Australia)

Privacy Act 1988


Under s.11B(1)(d)(ii) of the Privacy Act 1988, I determine that:

  1. The Australian Government agency Indigenous Business Australia (IBA) is a credit provider for the purposes of the Privacy Act.
  2. This determination continues the effect of Determination 2005 No.1 Privacy Act 1988, s.11B(1)(d)(ii) concerning Indigenous Business Australia, which expires on 30 October 2006.
  3. This determination is effective from 31 October 2006 to 30 October 2011 (inclusive).

The background to, and reasons for, making this determination are set out in the explanatory statement lodged for registration, together with this determination, on the Federal Register of Legislative Instruments.




Privacy Commissioner

25 October 2006

[1] Specifically, in the new credit reporting provisions:

  • section 191 includes those entities currently covered by the Assignees Determination
  • subsections 188(2) and 188(3) include those entities currently covered by the Classes of Credit Providers Determination
  • subsection 188(1)(d) may include IBA. It provides that an agency is a credit provider if it carries on a business or undertaking that involves providing credit and it is prescribed by the regulations, which are yet to be released.

[2] See Enhancing National Privacy, Australian Government First Stage Response to the Australian Law Reform Commission Report 108 (October 2009) (Government Response), Recommendation 54-7, available via

[3] The current Credit Reporting Code of Conduct was issued by the then Privacy Commissioner under s 18A of the Privacy Act in 1991 (amended 1996) following consultation with industry.  It is available at

[4] See section 28A of the Privacy Act.

[5] The Privacy Commissioner and staff of the former OPC are now part of the OAIC.  The OAIC commenced operation on 1 November 2010 and is headed by the Information Commissioner, supported by two other statutory office holders, the Freedom of Information Commissioner and the Privacy Commissioner.