Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

Privacy (Credit Reporting) Code 2014 (Version 1.2)

1   Name of CR code

(1)  This CR code is the Privacy (Credit Reporting) Code 2014 (Version 1.2).
(2)  This CR code may also be cited as CR code v1.2.

2   Commencement

This CR code v1.2 commences when it is included on the Codes Register kept under s 26U(1) of the Privacy Act 1988 (Privacy Act).

3    Authority

This CR code v1.2 is the CR code that is included on the Codes Register under paragraph 26T(5)(b) of the Privacy Act, thereby being the ‘registered CR code’ under section 26M of that Act.

4    Repeal

(1)  The Credit Reporting Privacy Code (CR code) included on the Codes Register under subsection 26S(1) of the Privacy Act on 22 January 2014 (Federal Register of Legislative Instruments No. F2014L00170) is repealed when this CR code v1.2 commences.
(2)  The Credit Reporting Privacy Code (CR code) v1.1 included on the Codes Register under subsection 26T(5)(b) of the Privacy Act on 3 April 2014 is repealed when this CR code v1.2 commences.

5   Overview

This CR code is a written code of practice about credit reporting under s 26N(1) of the Privacy Act as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (the reform Act). The CR code is an important part of the regulatory framework for the comprehensive credit reporting system in Australia introduced by the reform Act. That system is intended to increase the efficiency of Australia’s consumer credit market. However, more comprehensive reporting necessitates improved privacy protections. This CR code adds to aspects of the credit reporting obligations imposed by Part IIIA of the Privacy Act and the Privacy Regulation 2013.  This CR code does not encompass all aspects of Part IIIA and so compliance with this CR code alone will not achieve full compliance with Part IIIA.

6   Reading the table

(1)  The white rows in the table that follows are the mandatory CR code provisions.  The blue rows in the table constitute a high level summary of the provisions of Part IIIA of the Privacy Act that provide the context for the CR code obligations. Whilst the summary is intended to assist readers and serve to link the CR code obligations to the Privacy Act provisions, the summary should not be relied upon as a comprehensive statement of those provisions.
(2)  Terms in bold are defined in the Privacy Act or in this CR code (for ease of reading the often-used defined terms CRB, CP and individual are not bolded).
(3)  The terms “Explanatory Memorandum” or “Ex Mem” mean the Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012.
(4)  The term “pre-reform code” means the repealed Credit Reporting Code of Conduct (Federal Register of Legislative Instruments F2009B00170) which was in force until 12 March 2014.

7.    Referencing

The numbering in the table below, after ‘CONTENTS’, should be referred to as ‘paragraph 1’, ‘paragraph 1.1’ etc. The provisions above and before ‘CONTENTS’ should be referred to as ‘section 1, subsection 1(1) etc’.

Contents

  1. Introduction
  2. Credit reporting system arrangements
  3. Open and transparent management of credit reporting information
  4. Information collection procedures
  5. Credit information handling practices, procedures and systems
  6. Consumer credit liability information
  7. Information requests
  8. Repayment history information
  9. Default information
  10. Payment information
  11. Publicly available information
  12. Serious credit infringements
  13. Transfer of rights of credit provider
  14. Permitted CRB disclosures
  15. Security of credit reporting information
  16. Use and disclosure of credit-related personal information by CPs and affected information recipients
  17. Protections for victims of fraud
  18. Use by a CRB of credit reporting information to facilitate a CP's direct marketing
  19. Access
  20. Correction of information
  21. Complaints
  22. Record keeping
  23. Credit reporting system integrity
  24. Information Commissioner's role

(Source Notes are related legislative provisions / Ex Mem references / other sources where particularly applicable)

1. Introduction

The Privacy Act 1988 (Privacy Act) sets out in Part IIIA (Part IIIA) requirements applicable to credit reporting. Among other things, Part IIIA restricts the types of credit information that may be disclosed to Credit Reporting Bodies (CRBs), the circumstances in which that information may be disclosed by a CRB to Credit Providers (CPs) and affected information recipients and their handling of that disclosed information.  The Privacy Act contemplates that a registered CR code will further define CRBs', CPs', and affected information recipients' obligations.  CR code obligations are binding — a breach of the CR code is a breach of the Privacy Act.  The CR code is registered and enforced by the Information Commissioner.

Source Notes: Part IIIA, Part IIIB Div 3

Code Obligations

1.1 This CR code binds all CRBs, CPs and affected information recipients.

Source Notes: Sec 26N(2), Explanatory Memorandum p. 208

1.2 In this CR code:

  1. A term that is used in this CR code and is defined in the Privacy Act has the meaning given to it in the Privacy Act and other grammatical forms of defined words or expressions have corresponding meanings.
  2. A reference to a Section is a reference to a section of the Privacy Act.
  3. "Capacity information" means information as to whether the relevant individual is:
    1. solely liable for the credit;
    2. jointly liable for the credit; or
    3. the guarantor in respect of the credit.
  4. "Credit ID information" comprises:
    1. the number allocated by the CP for the consumer credit provided to the relevant individual;
    2. any previous number allocated by the CP for the consumer credit provided to the relevant individual; and
    3. where a transfer event has occurred – the number allocated by the previous CP for that consumer credit

    (the number to be truncated to the first six and the last four digits of the account number where the account is a credit card or debit card account).

  5. "Credit-related personal information" means credit information, credit reporting information, credit eligibility information or regulated information as applicable in the context.
  6. An obligation on a CRB to "destroy" credit information or credit reporting information requires the CRB to ensure that it irretrievably destroys the information. Where it is not possible for a CRB to irretrievably destroy credit-related personal information held in electronic format, the CRB should take steps to put the information 'beyond use'. Information is 'beyond use' if the CRB:
    1. irretrievably omits the relevant information from the databases that it utilises for the purposes of making disclosures permitted under Part IIIA; and
    2. is not able to use, and will not attempt to use, the information, including for the purposes of deriving CRB derived information; and
    3. is not able to disclose, and will not attempt to disclose, the information;
    4. surrounds the information with appropriate technical and organisational security; and
    5. commits to irretrievably destroy the information if, or when, this becomes possible.
  7. An obligation on a CP to "destroy" credit reporting information or credit eligibility information requires the CP to take reasonable steps to ensure that it irretrievably destroys the information. Where it is not possible for a CP to irretrievably destroy credit-related personal information held in electronic format, the CP should take steps to put the information 'beyond use'. Information is 'beyond use' if the CP:
    1. is not able to use, and will not attempt to use, the information, including for the purpose of deriving CP derived information; and
    2. is not able to disclose, and will not attempt to disclose, the information; and
    3. surrounds the information with appropriate technical and organisational security; and
    4. commits to irretrievably destroy the information if, or when, this becomes possible.
  8. A "hardship request" means a financial hardship or payment difficulties notification or request that is regulated by legislation or an industry code. This does not include a once-off, short term payment extension that is not so regulated.
  9. "Month" has the meaning given to that term in the Acts Interpretation Act 1901.
  10. A "Section 21D(3) notice" is a written notice that is given by a CP to an individual pursuant to Section 21D(3) stating that the CP intends to disclose default information to a CRB.
  11. A "Section 6Q notice" is a written notice that is given by a CP to an individual pursuant to the definition of default information in Section 6Q, informing the individual of the overdue payment and requesting that the individual pay the amount of the overdue payment.
  12. A "transfer event" is an event whereby the rights of a CP in relation to the repayment of an amount of consumer credit are acquired by an acquirer.

Source Notes: Para 4.4 of pre-reform Code

Back to top

2. Credit reporting system arrangements

Part IIIA requires CRBs to enter into written contracts with CPs that require CPs to ensure that the credit information that they disclose to CRBs is accurate, up-to-date and complete and that credit reporting information provided by CRBs to CPs is reasonably protected.

Source Notes: Sec 20N(3) and 20Q(2)

Code Obligations

2.1 An agreement entered into by a CRB with a CP to meet the requirements of Section 20N(3) and Section 20Q(2) must oblige both parties to comply, to the extent applicable from time to time, with Part IIIA, the Privacy Regulation 2013 (the Regulations) and the CR Code.

2.2 CRBs, CPs, mortgage insurers and trade insurers must take reasonable steps:

  1. (a) to inform employees, who handle credit reporting information or credit eligibility information, of the requirements of Part IIIA, the Regulations and this CR code that relate to information of these types; and
  2. (b) to train employees, who handle credit reporting information or credit eligibility information, in the practices, procedures and systems that are designed to achieve compliance with those requirements.

Source Notes: Para 4.1 of pre-reform Code

Back to top

3. Open and transparent management of credit reporting information

Part IIIA obliges each CRB, CP and affected information recipient to have a policy about their management of credit-related personal information including the kinds of information they collect, how they collect and hold that information, what they use that information for and to whom the information is disclosed. This policy must be made freely available. They must also take reasonable steps to implement practices, procedures and systems to ensure compliance with their credit reporting obligations under Part IIIA, the Regulations and this CR code.

Source Notes: Sec 20B, Sec 21B, Sec 22A

Code Obligations

3.1 A CRB must publish on its website its policy about the management of credit reporting information that is required by Section 20B.

Source Notes: Sec 20B(5) & (6) Ex Mem p.131 Para 1.6 of pre-reform Code.

Back to top

4. Information collection procedures

Where a CP collects personal information that the CP is likely to disclose to a CRB, the CP is required by Part IIIA to notify or ensure the individual is aware of:

  1. the CRBs with which the CP deals; and
  2. other matters required by the CR code.

This must occur at or before the time of collection of the personal information.

Source Notes: Sec 21C

Code Obligations

4.1 At or before the time a CP collects personal information about an individual that the CP is likely to disclose to a CRB, the CP must notify or otherwise ensure that the individual is made aware of the following matters in addition to the matters specified in Section 21C(1)(a):

  1. the CRB may include the information in reports provided to CPs to assist them to assess the individual's credit worthiness;
  2. that if the individual fails to meet their payment obligations in relation to consumer credit or commits a serious credit infringement, the CP may be entitled to disclose this to the CRB;
  3. how the individual may obtain the CP's policy about the management of credit-related personal information required by Section 21B and the CRB's policy about the management of credit-related personal information required by Section 20B;
  4. the individual's rights to access the information from the CP, to request the CP to correct the information and to make a complaint to the CP;
  5. the individual's right to request CRBs not to use their credit reporting information for the purposes of pre- screening of direct marketing by a CP; and
  6. the individual's right to request the CRB not to use or disclose credit reporting information about the individual, if the individual believes on reasonable grounds that the individual has been, or is likely to be, a victim of fraud.

4.2 A CP may comply with the obligations in Section 21C(1)(a) and paragraph 4.1 of this CR code to notify or ensure an individual is aware of specified matters (the notifiable matters) by:

  1. publishing a clearly expressed statement of the notifiable matters on its website; and
  2. at or before the time of collection of the personal information from the individual, notifying the individual or otherwise making the individual aware of the following:
    1. that the CP's website includes information about credit reporting, including the CRBs to which the CP is likely to disclose the individual's credit information; and
    2. a brief description of the key issues contained in the statement of notifiable matters; and
  3. providing details of the CP's website and ensuring that the notifiable matters are prominently displayed on the website; and
  4. making it clear to the individual that they can request to have the statement of notifiable matters (available on the website) provided in an alternative form – such as a hard copy.

Source Notes: Sec 21C, Explanatory Memorandum p.160

Back to top

5. Practices, procedures and systems

Part IIIA permits CRBs, subject to conditions, to collect and disclose the following types of credit information:

  1. identification information about the individual;
  2. consumer credit liability information about the individual;
  3. repayment history information about the individual;
  4. a statement that an information request has been made in relation to the individual by a CP, mortgage insurer or trade insurer;
  5. the type of consumer credit or commercial credit and amount of credit sought in an application to a CP and in connection with which the CP has made an information request;
  6. default information in relation to an individual;
  7. payment information about the individual;
  8. new arrangement information about the individual;
  9. court proceedings information about the individual;
  10. personal insolvency information about the individual;
  11. publicly available information as to the individual's credit worthiness (subject to some exceptions); or
  12. the CP's opinion that the individual has committed a serious credit infringement in relation to consumer credit provided by the CP to the individual.

Source Notes: Sec 6N

Code Obligations

5.1

  1. A CRB must not:
    1. collect personal information about an individual's activities in relation to consumer credit that is not credit information
    2. use personal information about an individual's activities in relation to consumer credit that is not credit information to derive CRB derived information
    3. disclose personal information about an individual's activities in relation to consumer credit that is not credit information or credit reporting information

    unless the information is either credit ID information or capacity information and is collected or disclosed at the same time as the credit information or credit reporting information.

  2. A CP must not:
    1. disclose to a CRB or another CP (second CP) personal information about an individual's activities in relation to consumer credit that:
      1. was disclosed to the CP by a CRB and that is not credit reporting information; or
      2. was derived (wholly or in part) from personal information about an individual's activities in relation to consumer credit that was disclosed to the CP by a CRB and that is not credit reporting information

      unless that information is either credit ID information or capacity information and is disclosed at the same time as the credit information or credit reporting information.

      In this paragraph, the second CP includes a person who is a credit provider due to the operation of section 6H of the Privacy Act.

  3. Subparagraphs (a) and (b) do not apply if:
    1. the personal information is information:
      1. that a CRB lawfully holds immediately prior to the date of commencement of this CR code as permitted under section 18E of the Privacy Act prior to that date; or
      2. that a CP holds and that has been disclosed by a CRB to the CP or collected from a CRB under this paragraph, or under the law as in force immediately prior to the date of commencement of this CR code; and
    2. the personal information is not information about a payment that is overdue in relation to consumer credit, where the amount of the overdue payment is less than $150, and
    3. the relevant use or disclosure occurred on or before 12 March 2016 or the expiry of the relevant retention period, whichever is sooner; or
    4. the personal information is a file note entered at the request of the individual prior to the commencement date of this CR code, and the individual has not subsequently requested its removal.
  4. Personal information to which subparagraph (c) applies, must be handled in accordance with the obligations in Part IIIA, the Regulations and the CR code as if it were credit information.

5.2 CRBs and CPs must not agree or implement procedures to standardise CPs' numbering conventions for consumer credit.

5.3 A CP must have reasonable practices, procedures and systems, given the size and complexity of its business, that are designed to cover obligations under Part IIIA, the Regulations and the CR code, and in particular:

  1. ensure that it does not disclose information to a CRB that it is prohibited by Part IIIA, the Regulations or this CR code from disclosing;
  2. as soon as practicable, advise the relevant CRB if the CP becomes aware that it has disclosed information to the CRB that it is prohibited from disclosing by Part IIIA, the Regulations or this CR code;
  3. ensure that it only discloses credit information that is accurate, up-to-date and complete;
  4. if it identifies that credit information that it has disclosed to a CRB is not accurate, up-to-date and complete:
    1. as soon as practicable advise the CRB of this; and
    2. take reasonable steps to address this;
  5. as soon as practicable advise the relevant CRB if the CP becomes aware that credit reporting information disclosed to it by the CRB is not accurate, up-to-date, complete and relevant, having regard to the purpose of the disclosure;
  6. where requested by a CRB:
    1. take reasonable steps to review its credit-related personal information management practices, procedures and systems,  to assess whether credit information it has disclosed to CRBs is accurate, up-to-date and complete;
    2. take reasonable steps to rectify any issues that are identified; and
    3. advise the CRB of the results of the review and action taken to rectify issues; and
  7. otherwise, take reasonable steps to assist CRBs to ensure that its credit reporting information is accurate, up-to-date, complete and relevant, having regard to the purposes for which it is used or disclosed, and to rectify any issues that are detected.

Source Notes: Section 20N, Para 2.4, 2.5 and 2.6 of pre-reform Code

5.4 A CRB must have reasonable practices, procedures and systems that are designed to cover the obligations under Part IIIA, the Regulations and the CR code and in particular enable the CRB to:

  1. use the information disclosed by CPs in relation to individuals' dates of birth to identify any information disclosed by a CP that:
    1. relates to an act, omission, matter or thing that occurred or existed before the relevant individual turned 18; and
    2. that is prohibited by Part IIIA, the Regulations or this CR code from being disclosed by the CP to the CRB;
  2. as soon as practicable identify whether collected information includes information that the CRB is prohibited by Part IIIA, the Regulations or this CR code from collecting and, if so, to destroy the prohibited information;
  3. as soon as practicable, notify the relevant CP where the CRB destroys information on the basis that Part IIIA, the Regulations or this CR code prohibits the CRB from collecting that information;
  4. undertake regular testing of the credit information and credit reporting information that the CRB uses and discloses to ensure that it is accurate, up-to-date, complete and relevant, having regard to the purpose for which it is used or disclosed;
  5. take reasonable steps to initiate, as soon as practicable, targeted testing of its credit reporting information, where a CRB is informed, or identifies, that credit reporting information in relation to an individual is not accurate, up-to-date, complete and relevant, having regard to the purpose for which it is used or disclosed;
  6. rectify the situation where the CRB identifies that credit reporting information in relation to an individual is not accurate, up-to-date, complete and relevant, having regard to the purpose for which the information is used or disclosed, including by destroying any information in accordance with its obligations in Part IIIA, the Regulations and the CR code;
  7. where the CRB identifies  credit information that is not accurate, up-to-date and complete, raise this, where reasonable, with the CP that disclosed the information and request the CP to:
    1. take reasonable steps to review its credit information management practices, procedures and systems;
    2. rectify any issues that are identified; and
    3. advise the CRB of the results of the review; and
  8. report about its testing, undertaken in accordance with paragraph (d), and any material findings or material changes to procedures, to CPs with which it has an agreement of the kind referred to in Section 20N(3) or Section 20Q(2).

Source Notes: Sec 20N, Para 1.3 and 1.4 of pre-reform Code

Back to top

6. Consumer credit liability information

The information that Part IIIA permits CRBs, subject to conditions, to collect and disclose includes consumer credit liability information — this is defined as information about:

  1. the name of the CP;
  2. whether the CP is a licensee;
  3. the type of consumer credit;
  4. the day the consumer credit is entered into;
  5. the terms or conditions of the consumer credit relating to repayment of the amount of the credit that are prescribed by the Regulations;
  6. the maximum amount of available credit;
  7. the day on which the consumer credit is terminated or otherwise ceases to be in force.

Source Notes: Sec 6(1)

Code Obligations

6.1 CRBs must develop and maintain in conjunction with CPs common descriptors of the types of consumer credit so that these descriptors can be used by CPs when disclosing to CRBs information about the type of consumer credit that they have provided to individuals.

Source Notes: Explanatory Memorandum p.103

6.2 For the purposes of Part IIIA, the Regulations and the CR code:

  1. "the day the consumer credit is entered into" is the day that, under the terms and conditions of the consumer credit, the credit is made available to the individual;
  2. "the maximum amount of credit available" is:
    1. where no credit limit applies to revolving credit, a charge card contract or the sale of goods or supply of services where credit is provided – no fixed limit;
    2. in the case of revolving credit with a credit limit - the credit limit that applies at the time the consumer credit liability information is disclosed to a CRB;
    3. in the case of credit where the principal amount is not repayable until a fixed date and, until that time, payments of interest only are required to be made - the principal amount of the credit;
    4. in the case of credit where payments of the principal amount must be made throughout the term of the credit - the amortised maximum principal amount of the credit, calculated on the basis that the individual makes the minimum only principal repayments throughout the term of the credit;
    5. in the case of credit provided for the purposes of the acquisition of particular goods or services – the applicable credit limit;
    6. in the case of credit provided by a supplier of goods and services where the contract specifies the amount of the credit or the credit limit - that amount;
  3. "the day credit is terminated or otherwise ceases to be in force" is:
    1. the day that the credit contract, arrangement or understanding is terminated; or
    2. if earlier, the day that the credit is no longer available to the individual under the terms of the contract, arrangement or understanding and the CP has irrevocably determined that the credit cannot be reinstated on those terms.

Source Notes: Explanatory Memorandum p.103, 161

6.3 Where a CP chooses to disclose to a CRB consumer credit liability information in relation to consumer credit provided by the CP to an individual, the CP must either:

  1. in a single disclosure, disclose all of the information contemplated by paragraphs (a) to (f) of the definition of consumer credit liability information, in relation to that credit, other than, in the case of information for the purposes of paragraphs (c) to (f) of that definition, information that is not then reasonably available; or
  2. in a single disclosure, disclose its name (paragraph (a) of the definition of consumer credit liability information) and the day the consumer credit is entered into (paragraph (d) of that definition unless that information is not then reasonably available) thereby disclosing that it has a CP relationship with the individual.

6.4 Where a CP chooses to disclose to a CRB consumer credit liability information in relation to consumer credit provided to an individual, the CP must, once that credit is terminated or otherwise ceases to be in force, disclose this to the CRB within 45 days of that date.

Source Notes: Pre-reform Code para 2.3

Back to top

7. Information requests

The information that Part IIIA permits CRBs, subject to conditions, to collect includes information requests.  Where a CP makes an information request, the CRB may also collect the type of consumer credit or commercial credit and, the amount of credit sought by the individual in the application to the CP to which the CP's information request relates. 

Source Notes: Section 6N(e)

Code Obligations

7.1 Where a CP makes an information request to a CRB in connection with an application for consumer credit and the amount of credit sought is unknown or incapable of being specified, the credit information that the CRB may collect and disclose may include that an unspecified amount of consumer credit is being sought from the CP.

Source Notes: Paragraph 2.1 of pre-reform Code

Back to top

8. Repayment history information

The information that Part IIIA permits CRBs, subject to conditions, to collect includes repayment history information. A CP is only permitted to disclose repayment history information to a CRB if the CP is a licensee or is prescribed by the Regulations. A CRB is only permitted to disclose repayment history information to a CP that is a licensee or is prescribed by the Regulations. 

Repayment history information is information about:

  1. whether or not an individual has met an obligation to make a monthly payment that is due and payable in relation to consumer credit;
  2. the day the monthly payment is due and payable;
  3. if late payment is made — the day on which the individual makes that payment.

Source Notes: Sec 6V

Code obligations

8.1 For the purposes of this paragraph and the definition of repayment history information in Section 6V of the Privacy Act:

  1. consumer credit is overdue if, on the last day of the month to which the repayment history information relates, there was at least one overdue payment in relation to which the grace period has expired; and
  2. the grace period allowed by the CP for an overdue payment must be at least 14 days, beginning on the date that the CP's systems first classified the payment as being in arrears.

Source Notes: Explanatory Memorandum p.130

8.2 Where a CP discloses repayment history information about consumer credit provided to an individual, the CP must take reasonable steps to ensure that:

  1. it does not disclose repayment history information about that credit more frequently than once each month; and
  2. for each month, as defined in paragraph 1.2 of this CR code, it only discloses whichever of the following is applicable:
    1. that the consumer credit was not overdue for that month; or
    2. that there was an amount overdue in relation to the consumer credit for that month; and
  3. after any payments made during that month are taken into account, the disclosure is expressed as a code representing the following:
    1. where the consumer credit is not overdue — "Current up to and including the grace period"; or
    2. where there is an amount overdue in relation to the consumer credit, the age of the oldest outstanding payment:
      1. Up to 29 days overdue (after the grace period has been applied)
      2. 30 – 59 days overdue
      3. 60 – 89 days overdue
      4. 90 – 119 days overdue
      5. 120 – 149 days overdue
      6. 150 – 179 days overdue
      7. 180 + days overdue.

Source Notes: Explanatory Memorandum p.129-130

Back to top

9. Default information

The information that Part IIIA permits CRBs, subject to conditions, to collect and disclose includes default information.  Preconditions to the disclosure of default information include — the consumer credit payment must be overdue by at least 60 days, the overdue amount must not be less than $150 (or if a higher amount is prescribed by the Regulations, that amount) and the CP must have met the notice obligations specified in Part IIIA, the Regulations and this CR code.

Source Notes: Sec 6Q

Code obligations

9.1 A CP must not disclose an overdue payment in relation to consumer credit to a CRB as default information:

  1. if the individual has made a hardship request (whether via a variation of the terms and conditions of the consumer credit or new consumer credit); and
  2. either:
    1. the CP is in the process of deciding the individual's hardship request, including if the CP is waiting upon information from the individual for the purposes of making that decision; or
    2. if the CP decides to refuse the individual's hardship request  — until at least 14 days after the CP has notified the individual of this decision.

9.2 Paragraph 9.1 does not apply if:

  1. the hardship request is made on a basis that the CP reasonably believes is materially the same as the basis on which a previous hardship request was made; and
  2. the previous hardship request was made during the previous 4 months.

9.3 The following requirements must be met if a CP discloses default information about an individual to a CRB:

  1. the CP must issue the Section 6Q notice and the Section 21D(3)(d) notice separately;
  2. the CP must issue the Section 6Q notice before the Section 21D(3)(d) notice;
  3. the CP must not issue the Section 21D(3)(d) notice less than 30 days after the issue of the Section 6Q notice;
  4. the CP must issue the Section 6Q notice and Section 21D(3)(d) notice by sending them to the individual's last known address at the time of despatch;
  5. the amount that is disclosed by the CP to the CRB as the amount that is overdue:
    1. must not be more than the amount specified in the Section 21D(3) notice,
      1. plus an additional amount to reflect interest, fees and other amounts that are owing as a result of the overdue payment, other than the acceleration of the entire liability for the consumer credit, which have accrued by the time of the disclosure,
      2. less any part payments received in cleared funds prior to the date of disclosure by the CP to the CRB; and
    2. all components of that amount, other than the interest, fees and other amounts mentioned in sub-paragraph 1), must have been overdue for at least 60 days.
  6. the default information must not be disclosed by the CP to the CRB:
    1. earlier than 14 days after the date on which the Section 21D(3) notice is issued by the CP to the individual; or
    2. later than 3 months after that date; and
  7. the CP must meet the other requirements relating to default information that are set out in Part IIIA, the Regulations and this CR code.

Source Notes: Sec 6Q, Sec 21D(3), Explanatory Memorandum p.126, 162, Para 2.7 of pre-reform Code

9.4 Where a CP discloses default information  in relation to consumer credit to a CRB:

  1. the amount specified as overdue must not include an amount of an overdue payment that was previously disclosed as default information in relation to that consumer credit;
  2. the amount specified as overdue may be subsequently updated to reflect the accrual of interest, fees and other amounts that are owing as a result of the overdue payment, other than the acceleration of the entire liability for the consumer credit
  3. where the amount of an overdue payment is the result of the acceleration of the entire liability for the consumer credit and includes an amount previously disclosed as default information, the CP must request the CRB to destroy the previously disclosed default information;
  4. where the CRB is requested under paragraph 9.4(c) to destroy default information, the CRB must destroy the default information;
  5. where the amount originally disclosed is updated under subparagraph 9.4(b), the original date of disclosure of default information remains the date from which the relevant retention period runs.

Back to top

 

10. Payment information

The information that Part IIIA permits CRBs, subject to conditions, to collect and disclose includes payment information — this is a statement that payment has been made of an overdue payment that has previously been disclosed by the CP to the CRB as default information.

Source Notes: Section 6T

Code obligations

10.1 For the purposes of the definition of payment information in Section 6T of the Privacy Act, the amount of the overdue payment to which the information relates is taken to be paid when:

  1. payment is received in cleared funds of the full amount of the overdue payment, including all interest, fees and other amounts that are included in the amount specified as overdue in the default information;
  2. payment is received in cleared funds of part of the amount of the overdue payment and the CP accepts this amount in full settlement of the overdue payment;
  3. the CP waives the overdue payment; or
  4. the CP agrees to terminate the consumer credit provided to the individual to which the overdue payment relates and replace it with new consumer credit.

Source Notes: Explanatory Memorandum p.128

10.2 Where a CP has an obligation under Section 21E or paragraph 10.3 of this CR code to disclose to a CRB payment information relating to an individual and the individual asks the CP to disclose this information to the CRB, the CP must take reasonable steps to disclose the payment information within 3 business days of the later of:

  1. the individual's request; and
  2. the date when the overdue payment is taken to be made in accordance with paragraph 10.1,

unless the CP has reasonable grounds for requiring a longer period of time to do this.

Source Notes: Explanatory Memorandum p.163

10.3 If:

  1. a CP disclosed default information about an individual to a CRB before the date of commencement of this CR code; and
  2. after that date, the amount of the overdue payment to which the information relates is paid;

the CP must, within a reasonable period after the amount is paid, disclose payment information about the amount to the CRB under Section 21D of the Privacy Act.

Back to top

11. Publicly available information

The information that Part IIIA permits CRBs, subject to conditions, to collect and disclose includes publicly available information (an undefined term in the Privacy Act) that relates to the individual's credit worthiness and meets other requirements set out in Part IIIA.

Source Notes: Sec 6N(k)

Code obligations

11.1 A CRB must only collect publicly available information about an individual:

  1. from an agency or a state or territory authority; and
  2. if the content of the information that is collected is generally available to members of the public (whether in the form provided to the CRB or another form and whether or not a fee must be paid to obtain that information); and
  3. if the other requirements of Section 6N(k) are met.

Source Notes: Explanatory Memorandum p.124

Back to top

12. Serious credit infringements

The information that Part IIIA permits CRBs, subject to conditions, to collect and disclose includes serious credit infringements — this is defined as:

  1. an act by an individual that involves fraudulently obtaining consumer credit or attempting to do this;
  2. an act by an individual that involves fraudulently evading the individual's obligations in relation to consumer credit or attempting to do this; or
  3. an act by an individual if:
    1. a reasonable person would consider the act indicates an intention by the individual to no longer comply with the individual's obligations in relation to consumer credit provided by a CP;
    2. the CP has taken reasonable steps to contact the individual about the act; and
    3. at least 6 months have passed since the CP last had contact with the individual.

Source Notes: Sec 6(1) definition of "serious credit infringement"

Code obligations

12.1

  1. Where a CP discloses to a CRB that, in the CP's opinion, an individual has committed a serious credit infringement within paragraph (a) of the Section 6(1) definition of that term, the CP must be able to reasonably establish that:
    1. when obtaining or attempting to obtain consumer credit, the individual made, or arranged for someone else to make, a material false statement to the CP or knowingly allowed the CP to rely upon a material false statement or premise; and
    2. the individual did this knowing that the statement or premise was untrue and, with intent to deceive the CP, aware that the false statement or premise was likely to materially affect the CP's decision as to whether or not to provide credit to the individual.
  2. Where a CP discloses to a CRB that, in the CP's opinion, an individual has committed a serious credit infringement within paragraph (b) of the Section 6(1) definition of that term, the CP must be able to reasonably establish that:
    1. the individual made, or arranged for someone else to make, a material false statement to the CP or knowingly allowed the CP to rely upon a material false statement or premise; and
    2. the individual did this knowing that the statement or premise was untrue and with intent to evade the individual's obligations in relation to consumer credit by deceiving the CP as to a material fact.
  3. Before disclosing to a CRB that, in the CP's opinion, an individual has committed a serious credit infringement on the basis of paragraph(c) of the Section 6(1) definition of that term, the CP must have disclosed an overdue payment to which the serious credit infringement relates to the CRB as default information.  In order to establish that reasonable steps have been taken to contact the individual:
    1. the CP must attempt to make contact with the individual where possible by phone, email and mail;
    2. if these contact attempts suggest that any of those contact details are no longer current, the CP must take reasonable steps to ascertain new contact details and, where new contact details are ascertained, repeat the previous contact attempts using the new contact details;
    3. in phone messages (where these can be left with an automatic answering service or with an adult) and emails, the CP must take reasonable steps to provide its contact details and ask the individual to contact the CP as a matter of urgency;
    4. in mailed letters, the CP must:
      1. give particulars of the default; and
      2. state that if a period of 6 months elapses without contact with the individual about the default the CP intends to disclose the default to a CRB as a serious credit infringement and explain the effect of this;
    5. the CP must retain such evidence of attempts to contact the individual as is reasonable in the circumstances; and
    6. if the individual makes contact with the CP at any time during the 6 month period beginning on:
      1. the date of the Section 6Q notice; or
      2. if more recent – the date of last contact with the individual;

      the 6 months period referred to in paragraph (c)(iii) of the definition of serious credit infringement recommences.

Source Notes: Explanatory Memorandum p.116-117

12.2 If a CP discloses payment information to a CRB that relates to an overdue amount that is the subject of a serious credit infringement disclosure (based on paragraph(c) of the Section 6(1) definition of that term), the CRB must destroy the information relating to the serious credit infringement.

Back to top

13. Transfer of rights of credit provider

The Privacy Act recognises that the repayment rights of a CP in relation to credit may be transferred and treats the acquirer as a CP for the purposes of the credit.

Source Notes: Sect 6K

Code obligations

13.1 If:

  1. an acquirer acquires the rights of a CP in relation to the repayment of an amount of consumer credit;
  2. the original CP notifies the individual to whom that consumer credit was provided of the transfer event; and
  3. prior to the transfer event, the original CP had disclosed to a CRB consumer credit liability information or default information about the consumer credit,

both the original CP and the acquirer must ensure that disclosure is made to the CRB of:

  1. the transfer event within 45 days of its occurrence including the name of the acquirer; and
  2. any information that is thereafter required to be disclosed under Part IIIA, the Regulations or this CR code (and for the purposes of that subsequent disclosure the acquirer is taken to have made any disclosures by the original CP in relation to that credit that were made prior to the transfer event).

Back to top

14. Permitted CRB disclosures

Part IIIA permits a CRB to disclose credit reporting information to CPs, mortgage insurers and trade insurers — but only for certain permitted purposes.

Source Notes: Sec 20F and 21G

Code obligations

14.1 Where, in response to a request:

  1. a CRB discloses credit reporting information to a CP, mortgage insurer or trade insurer; or
  2. a CP discloses credit eligibility information to an entity to which a permitted CP disclosure may be made; and

the CRB, CP, mortgage insurer or trade insurer (as applicable) subsequently becomes aware that the credit reporting information or credit eligibility information was about an individual other than the individual that is the subject of the request:

  1. in the case of a recipient of the information — it must:
    1. advise the disclosing CRB or CP (as applicable) of the mistake as to identity (unless it was the disclosing CRB or CP that identified the mistake); and
    2. destroy the disclosed information; and
    3. take reasonable steps to ensure that any derived information that is based on the disclosed information is not disclosed or used for the purpose of assessing the credit worthiness of the individual to whom the information relates; and
  2. in the case of a CRB or CP that disclosed the information - it must:
    1. advise the recipient of the information of the mistake as to identity (unless it was the recipient of the information that identified the mistake); and
    2. take reasonable steps to review its disclosure practices, procedures and systems so that similar mistakes are minimised in the future.

Source Notes: Paras 1.5, 2.2 and 2.15 of pre-reform Code

14.2 Before a CRB discloses credit reporting information to a CP, mortgage insurer or trade insurer, the CRB must have taken reasonable steps to ensure that the CP, mortgage insurer or trade insurer has been notified of the requirements of the Privacy Act, the Regulations and the CR code governing limitations on use and disclosure of credit reporting information.

Source Notes: Para 1.15 of pre-reform Code

Back to top

15. Security of credit reporting information

Part IIIA requires CRBs to take reasonable steps to maintain the security of credit
reporting information
. CRBs must enter into agreements with CPs requiring them to protect credit reporting information from misuse, interference and loss and unauthorised access, modification or disclosure.

Source Notes: Section 20Q

Code obligations

15.1 CRBs and CPs must maintain reasonable practices, procedures and systems to ensure the security of electronic transmission and storage of credit reporting information and credit eligibility information.

Source Notes: Explanatory Memorandum p.146-147

Back to top

16. Use and disclosure of credit-related personal information by CPs and affected information recipients

Part IIIA places restrictions and conditions on the use and disclosure of credit information and credit eligibility information.

Source Notes: Div 3, Subdiv D

Code obligations

16.1

  1. Despite anything in this CR Code (other than paragraphs 16.1(b) and (c)), a CP or an affected information recipient must not use or disclose credit eligibility information or regulated information for the purposes of:
    1. assessing the likelihood that the individual to which the information relates may accept:
      1. an invitation to apply for, or an offer of:
        1. credit; or
        2. insurance in relation to mortgage credit or commercial credit; or
      2. an invitation to apply for a variation of, or an offer to vary, the amount of or terms on which:
        1. credit is provided; or
        2. insurance in relation to mortgage credit or commercial credit is provided;
    2. targeting or inviting an individual to apply, or accept an offer, for:
      1. credit: or
      2. insurance in relation to mortgage credit or commercial credit; or
      3. variation of the amount of or terms on which:
        1. credit is provided; or
        2. insurance in relation to mortgage credit or commercial credit is provided
    3. direct marketing.
  2. A CP or affected information recipient that has received an application for credit or insurance in relation to mortgage credit or commercial credit is not  prevented by paragraph (a) from:
    1. using credit eligibility information or regulated information for the purposes of assessing the application; and
    2. in assessing the application, offering or inviting the applicant to apply for a different product where the original product is unsuitable.
  3. A CP or affected information recipient is not prevented by paragraph (a) from using credit eligibility information or regulated information for the purposes of excluding an individual from receiving a direct marketing communication on the basis that the individual is at significant risk of defaulting in relation to credit into which the individual has entered.

16.2 A CRB must only disclose credit reporting information to a CP, for the purposes of enabling the CP to assist the individual to avoid defaulting on his or her obligations in relation to consumer credit provided by the CP to the individual where either:

  1. the CP confirms to the CRB that it is aware of circumstances that reasonably indicate that the individual may be at significant risk of defaulting in relation to those obligations; or
  2. the CRB is aware that an event has occurred in relation to the individual that is an event of the kind that the CP has identified could, if it were to occur, reasonably indicate that the individual may be at significant risk of defaulting in relation to those obligations.

Source Notes: Sec 21H Item 5, Explanatory Memorandum p.104-5

16.3 Where a CP obtains credit reporting information about an individual from a CRB and, within 90 days of obtaining that information, the CP refuses a consumer credit application made by the individual, whether alone or jointly with other applicants, the CP must provide a written notice of refusal that:

  1. meets the requirements of Section 21P(2);
  2. explains the individual's right to access their credit reporting information without charge during the 90 days following the date of the CP's notice of refusal and how to request the relevant CRBs to provide access to that information;
  3. is to the effect that it is important for individuals to be proactive in checking the accuracy of the credit reporting information that CRBs hold about them;
  4. states that the CP relies upon information from a number of sources when deciding whether to refuse consumer credit including information provided by the individual to the CP and credit reporting information disclosed to the CP by CRBs;
  5. provides information about  factors that are often taken into account when refusing credit: these may include:
    1. the adequacy of the applicant's level of income and other resources to meet repayments of credit;
    2. the extent of the applicant's indebtedness and other commitments;
    3. the security of the applicant's employment;
    4. the applicant's credit history including previous bankruptcy, defaults, serious credit infringements, high number of credit applications and unsatisfactory repayment history; and
  6. refers to the CP's credit eligibility information access and correction processes and its complaints process.

The written notice must be given to the individual either at the time the CP notifies the individual of the refusal decision or within 10 business days of that date.

Source Notes: Sec 21P, Explanatory Memorandum p.173-5

Back to top

17. Protections for victims of fraud

Where an individual has been a victim of fraud (including identity fraud), Part IIIA enables the individual to request a CRB to commence a ban period during which the CRB may not disclose or use the individual's credit reporting information unless the individual expressly consents in writing. 

Source Notes: Sec 20K

Code obligations

17.1 Where an individual believes on reasonable grounds that the individual has been, or is likely to be, a victim of fraud and the individual requests a CRB not to use or disclose their credit reporting information, the CRB must immediately:

  1. include on the credit reporting information held in relation to the individual a notation about the individual's request and retain this for the duration of the ban period; and
  2. explain to the individual the effect and duration of the ban period, including that the individual may not be able to access credit during the ban period.

Source Notes: Explanatory Memorandum p.142, 164

17.2 Where a CRB receives a request from a CP, mortgage insurer or trade insurer for credit reporting information about an individual in relation to whose credit reporting information a ban period is in effect, the CRB must inform the CP, mortgage insurer or trade insurer of the ban period and its effect.

Source Notes: Explanatory Memorandum p.142, 164

17.3 Where a CRB has established a ban period in relation to credit reporting information about an individual, the CRB must notify the individual not less than 5 business days before the end of the ban period:

  1. of the date the ban period is due to finish;
  2. about the individual's rights under Part IIIA, the Regulations and this CR code to extend the ban period; and
  3. what, if any, information the CRB requires to support the individual's allegation of fraud.

Source Notes: Explanatory Memorandum p.142, 173-4

Back to top

18. Use by a CRB of credit reporting information to facilitate a CP's direct marketing

Part IIIA restricts a CRB's use of credit reporting information to facilitate a CP's direct marketing. It does, however, permit a CRB at the request of a CP to undertake pre-screening of a list of individuals provided by the CP using eligibility requirements nominated by the CP. 

Source Notes: Sec 20G

Code obligations

18.1 Notwithstanding Section 20E(2), a CRB must not:

  1. use credit reporting information for the purpose of developing any tool for provision to a CP or affected information recipient for the purposes of assisting them:
    1. to assess the likelihood that an individual may accept:
      1. an invitation to apply for, or an offer of, credit or insurance in relation to mortgage credit or commercial credit; or
      2. an invitation to apply for a variation of, or an offer to vary, the amount of or terms on which credit or insurance in relation to mortgage credit or commercial credit is provided; or
    2. to target or invite an individual to apply, or accept an offer, for:
      1. credit or insurance in relation to mortgage credit or commercial credit; or
      2. variation of the amount of, or terms on which, credit or insurance in relation to mortgage credit or commercial credit is provided; or
  2. provide any such tool that uses credit reporting information to a CP or affected information recipient.

18.2 A CP must not nominate eligibility requirements to be used by a CRB to assess, in accordance with section 20G, whether or not an individual is eligible to receive the direct marketing communications of the CP, that indicate that the individual is experiencing, or may in the future experience, difficulty in meeting repayments under their existing credit unless it is to exclude such individuals from the direct market communication.

Source Notes: Sec 20G(3)

18.3 A CRB must give effect, as soon as practicable, to a request by an individual not to use their credit information for the purposes of direct marketing, whether that request is made of the CRB through the CRB's website facility (if any), by telephone, mail, email or other means.

Source Notes: Sec 20G(5)

18.4 Each CRB must keep a confidential register of individuals who have made a request of the kind referred to in paragraph 18.3

Source Notes: Sec 20G(5)

Back to top

19. Access

Part IIIA obliges CRBs and CPs to provide access on request by an individual to credit reporting information held about the individual and to do so within a reasonable period (in the case of a CRB this cannot be longer than 10 days). A CRB is not permitted to charge for access if the individual (whether directly or through an agent) has not made a request for access within the preceding 12 months. If a request has been made within the preceding 12 months, the CRB may impose a charge but this must not be excessive. A CP (except a CP that is a agency) may impose a reasonable charge for providing access to credit information.

Source Notes: Sec 20R and 21T

Code obligations

19.1 Where a person requests a CRB or CP to provide them with access to credit reporting information or credit eligibility information (as applicable), the CRB or CP (as applicable) must not provide access without first obtaining such evidence as is reasonable in the circumstances to satisfy itself as to the identity of the person making the request and that person's entitlement under Part IIIA, the Regulations and the CR code to the access.

Source Notes: Para 1.10, 2.17 and 2.18 of pre-reform Code

19.2 Where an individual (whether personally or through another access seeker)requests a CRB to provide access to the individual's credit reporting information, the CRB must not charge a fee for giving access to the information if the individual provides the CRB with evidence that, not more than 90 days previously, a CP refused a consumer credit application made by the individual. This is the case whether or not the CRB has provided the individual with access to credit reporting information free of charge at any time during the previous 12 months.

Source Notes: Pre-reform Code Para 1.7 and 1.8

19.3 If a CRB has a service whereby an individual (whether personally or through another access seeker) may for a fee obtain their credit reporting information (fee-based service):

  1. the information made available by the CRB about the fee-based service must prominently state that individuals have a right under Part IIIA to obtain their credit reporting information free of charge in the following circumstances:
    1. if the access request relates to a CP's decision to refuse the individual's consumer credit application;
    2. if the access request relates to a decision by a CRB or CP to correct credit reporting information or credit eligibility information about the individual; and
    3. once every 12 months (this is in addition to any access given in accordance with paragraphs 19.3(i) or (ii)).
  2. the CRB must take reasonable steps to ensure that its service, whereby individuals may obtain their credit reporting information free of charge, is as available and easy to identify and access as its fee-based service.

Source Notes: Sec 20R, 21T

19.4 Where credit reporting information is provided to an access seeker free of charge by a CRB as required by Part IIIA, the Regulations or this CR code:

  1. the CRB must provide the access seeker with access to:
    1. all credit information in relation to the individual currently held in the databases that the CRB utilises for the purposes of making disclosures permitted under Part IIIA; and
    2. all current CRB derived information about the individual that is available;
  2. the CRB must present the information clearly and accessibly and provide reasonable explanation and summaries of the information to assist the access seeker to understand the impact of the information on the individual's credit worthiness; and
  3. if the CRB does not provide the information to the access seeker in the manner requested by the access seeker, the CRB must take reasonable steps to provide access in a way that meets the needs of the CRB and the individual.

Source Notes: Sec 20R, Explanatory Memorandum p.178

19.5 A CP:

  1. must take reasonable steps to provide an accessible means for an individual to obtain access to credit eligibility information about them;
  2. should, unless unusual circumstances apply, provide access within 30 days of the request;
  3. must present the information clearly and accessibly and provide reasonable explanations and summaries of the information to assist the access seeker to understand the impact of the information on the individual's credit worthiness; and 
  4. must advise the individual that, in order to ensure that they have access to the most up-to-date information, they should additionally request access to the credit reporting information held by CRBs about them.

Source Notes: Sec 21T, Para 2.21 of pre-reform Code

19.6 Where a CRB provides an access seeker with CRB derived information about the individual or a CP provides an access seeker with CP derived information about the individual, this may be done in a way that preserves the confidentiality of the methodology, data analysis methods, computer programs or other information that is used to produce the derived information.

Source Notes: Explanatory Memorandum p.177

Back to top

20. Correction of information

Part IIIA provides an individual with correction of information rights.  Where a CRB or CP is satisfied that credit-related personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, the CRB or CP (as applicable) must take reasonable steps to correct the information within 30 days or such longer period agreed to by the individual in writing.  Where necessary to resolve the correction request, the CRB or CP ( as applicable) must consult with other CRBs or CPs.

Source Notes: Sec 20T, 21V

Code obligations

20.1 Where:

  1. a CP, that does not either disclose credit information to a CRB or request a CRB to disclose credit reporting information to it, receives a correction request from an individual in accordance with Part IIIA; and
  2. the correction request relates to information that the CP does not hold;

the CP is able to meet the requirements of Sections 21V(3) and 21W(3) by:

  1. consulting with CRBs or CPs to identify an entity that holds the relevant information;
  2. giving the individual a written notice:
    1. explaining that it does not hold the relevant information and does not participate in the credit reporting system and so the correction has not been made;
    2. informing the individual of an entity that holds the information to which the correction request relates and providing contact details for that entity; and
    3. stating that if the individual is not satisfied with the response to the request the individual may access a recognised external dispute resolution scheme of which the CP is a member or make a complaint to the Commissioner
  3. complying with the requirements of paragraphs 20.1(c) and (d) within 30 days of the individual's request.

Source Notes: Sec 21V, Explanatory Memorandum p.179

20.2 A CRB or CP consulted by another CRB or CP about a correction request must take reasonable steps to respond to the consultation request as soon as practicable.

Source Notes: Sec 20T, 21V

20.3 If a CRB or CP forms the view that it will not be able to resolve an individual's correction request within the 30 day period required by Part IIIA, the CRB or CP (as applicable) must as soon as practicable:

  1. notify the individual of the delay, the reasons for this and the expected timeframe to resolve the matter;
  2. seek the individual's agreement to an extension for a period that is reasonable in the circumstances; and
  3. advise that the individual may complain to a recognised external dispute resolution scheme of which the CRB or CP (as applicable) is a member – and provide the contact details for that scheme — or, in the case of a CP that is not a member of one, to the Commissioner; and
  4. if the individual has not agreed to the requested extension, provide a response to the correction request within the timeframe sought for extension.

Source Notes: Sec 20T, 21V, Explanatory Memorandum p.150, 180-1

20.4 If a CRB or CP is satisfied that credit-related personal information needs to be corrected, the CRB's or CP's obligation to take reasonable steps to correct the information will be satisfied where the CRB or CP, or a CRB or CP consulted in relation to the correction request (as applicable):

  1. corrects the credit information; and
  2. takes reasonable steps to ensure that any future derived information is based on the corrected credit information; and
  3. takes reasonable steps to ensure that any derived information that is based on the uncorrected credit information is not disclosed or used for the purpose of assessing the credit worthiness of the individual to whom the information relates.

Source Notes: Sec 21S(1), 20T(2), 21U(1), 21V(2)

20.5

  1. If:
    1. an individual enters into a new arrangement with a CP of the kind referred to in Section 6S(1)(c) or a CP has disclosed payment information in relation to the individual; and
    2. individual requests a CRB to correct the credit reporting information held by the CRB about the individual by removing default information that relates to an overdue payment that is the subject of that new arrangement or payment information; and
    3. the request is made on the basis that the overdue payment occurred because of the unavoidable consequences of circumstances beyond the individual's control, such as natural disaster, bank error in processing a direct debit or fraud,

    the CRB must, in consultation with the CP that disclosed the relevant default information, consider whether the default information is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regard to the purpose for which the information is held by the CRB.

  2. Where, under paragraph 20.5(a), the CRB and CP are satisfied that the default information is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regard to the purpose for which the information is held by the CRB, the CRB must agree to correct the credit reporting information about the individual by destroying the default information.

20.6 On request by an individual, a CRB must correct the credit reporting information held by it in relation to the individual by destroying any default information that relates to a payment that the individual is overdue in making to a CP if, at the time of the correction request, the CP is prevented by a statute of limitations from recovering the amount of the overdue payment.

20.7 A CRB or CP must notify an individual of a decision about a correction request made by the individual under Section 20T or Section 21V within 5 business days of the decision. Where the decision is to correct the information, the notice must:

  1. include all relevant credit reporting information or credit eligibility information (as applicable) held by the CRB or CP (as applicable) so that the individual can check that the information has been appropriately corrected;
  2. explain:
    1. that the individual has a right under this CR code to obtain their credit reporting information from a CRB free of charge if the access request relates to a decision by a CRB or a CP to correct information about the individual; and
    2. how that right may be exercised; and
  3. if the CRB or CP (as applicable) is proposing to rely upon paragraph 20.9 of this CR code:
    1. explain what CRBs, CPs and affected information recipients the CRB or CP (as applicable) is intending to notify to fulfil its notification obligation under Part IIIA, the Regulations and this CR code; and
    2. ask the individual if there is any other CP or affected information recipient that the individual would like the CRB or CP (as applicable) to notify of the correction.

Source Notes: Sec 20U, 21W, Para 1.14,3.14, 3.15 of pre-reform Code

20.8 Where a CRB or CP corrects credit-related personal information by updating identification information about an individual, the CRB or CP (as applicable) is not obliged to notify any previous recipient of the information about the updating of that information, unless requested by the individual.

20.9 Where a CRB or CP corrects credit-related personal information and this gives rise to an obligation under Part IIIA to give notice to a CRB, CP or affected information recipient, unless it is impracticable or illegal to give that notice, the notification obligation is taken to be met where:

  1. the correcting CRB or CP gives notice of the correction to:
    1. all CRBs to which it disclosed the pre-corrected information;
    2. all CPs and affected information recipients to which it disclosed the pre-corrected information within the previous 3 months; and
    3. any other CP or affected information recipient that has been nominated by the individual and to which it disclosed the pre-corrected information more than 3 months previously;
  2. if notice is given (in accordance with paragraph 20.9(a)) to a CP or affected information recipient that previously received CRB derived information or CP derived information that is no longer correct by reason of the correction, the notice includes revised CRB derived information or CP derived information (as applicable) that has been derived using the corrected information; and
  3. the notice is given within 7 business days of the correction.

Source Notes: Sec 20S(2), 20U(2), 21U(2), 21W(2), Explanatory Memorandum p.149, 179-80, Paras 1.14, 3.15 of pre-reform Code

20.10 Where an individual makes a correction request under Section 20T or Section 21V the complaint handling provisions in Division 5 of Part IIIA will not apply to that request, even if the correction request includes an expression of dissatisfaction by the individual about an act or practice by the CRB or CP (as applicable). 

Back to top

21. Complaints 

Part IIIA enables an individual to complain either to a CRB or a CP about an act that may breach Part IIIA (other than certain provisions pertaining to access or corrections) or the CR code (other than an obligation that pertains to a Part IIIA excluded provision).  The complaint must be acknowledged within 7 days, investigated and where necessary consultation with other CRBs or CPs must occur.  A decision must be made in relation to the complaint within 30 days or longer period agreed to by the individual in writing.

Source Notes: Div 5

Code obligations

21.1 Where a CRB or CP is required by Australian law, a condition of a licence issued by a regulatory authority or an enforceable Industry Code requirement to meet complaints handling requirements, the CRB or CP must comply with those requirements for the purposes of a complaint under Part IIIA.  Any other CRB or CP must comply  with the following sections of ISO 10002-2006 Customer satisfaction — Guidelines for complaints handling in organisations for the purposes of a complaint under Part IIIA:

  1. Section 4 Guiding Principles;
  2. Section 5.1 Commitment;
  3. Section 6.4 Resources;
  4. Section 8.1 Collection of information; and
  5. Section 8.2 Analysis and evaluation of complaints.

Source Notes: Explanatory Memorandum p.189, Para 3.1, 3.2 of pre-reform Code

21.2 A CRB must be a member of a recognised external dispute resolution scheme.

21.3 A CRB or CP that is consulted by another CRB or CP about a complaint must take reasonable steps to respond to the consultation request as soon as practicable.

Source Notes: Sec 23B, Explanatory Memorandum p.191

21.4 If a CRB or CP forms the view that it will not be able to resolve a complaint within the 30 day period required by Part IIIA, the CRB or CP (as applicable) must:

  1. inform the individual of this before the end of that period and provide the reason for the delay, the expected timeframe to resolve the complaint and seek their agreement to an extension for a period that is reasonable in the circumstances; and
  2. advise that the person may complain to the recognised external dispute resolution scheme of which the CRB or CP (as applicable) is a member – and provide the contact details for that scheme — or, in the case of a CP that is not a member of such a scheme, to the Commissioner.

Source Notes: Sec 23B(5)

21.5 Where a CRB has an obligation under Section 23C(2), unless it is impracticable or illegal to do so, to give notice to a CP about a complaint relating to a CRB's act or practice that may breach Section 20S, this obligation is taken to be met if the CRB gives notice as soon as practicable to:

  1. if the complaint relates to credit information that was disclosed to the CRB by a CP – that CP;
  2. any other CP to which the CRB disclosed the credit information to which the complaint relates in the previous 3 months; and
  3. any other CP that has been nominated by the individual for this purpose.

Source Notes: Sec 23B(6)

21.6 Where a CP has an obligation under Section 23C(3), unless it is impracticable or illegal to do so, to give notice to a CRB or CP about a complaint relating to a CP's act or practice that may breach Section 21U, this obligation is taken to be met if the CP gives notice as soon as practicable to:

  1. if the complaint relates to credit information that was disclosed to the CP by a CRB or another CP – that CRB or CP;
  2. any other CRB or CP to which the CP disclosed the credit information to which the complaint relates in the previous 3 months; and
  3. any other CP that has been nominated by the individual for this purpose.

Source Notes: Sec 23B(6)

Back to top

22. Record keeping

Part IIIA imposes various obligations on CRBs and CPs to keep records where credit information is used or disclosed.

22.1 Each CRB and CP must maintain adequate records that evidence their compliance with Part IIIA, the Regulations and this CR code.

22.2 In particular, each CRB and CP must maintain the following records:

  1. where credit-related personal information is destroyed to meet obligations under Part IIIA, the Regulations and this CR code (but only if this is possible);
  2. in the case of a CP that receives credit eligibility information disclosed to it by another CP:
    1. the date on which that information was disclosed;
    2. the CP who disclosed the information;
    3. a brief description of the type of information disclosed; and
    4. the evidence relied upon that the consent requirements have been met;
  3. for each disclosure that a CRB or CP makes of credit reporting information or credit eligibility information (as applicable):
    1. the date of the disclosure;
    2. a brief description of the type of information disclosed;
    3. the CP, affected information recipient or other person to whom the disclosure was made; and
    4. evidence that the disclosure was permitted under Part IIIA, the Regulations or the CR code;
  4. records of any consent provided by an individual for the purposes of Part IIIA, the Regulations or the CR code;\
  5. in the case of a CP – records of any written notice given to an individual stating that a consumer credit application has been refused within 90 days of disclosure by a CRB to the CP of credit reporting information in relation to that individual; and
  6. records of correspondence and actions taken in relation to:
    1. requests to establish or extend a ban period;
    2. requests for, or notifications of, corrections;
    3. complaints;
    4. pre-screening requests by a CP; and
    5. monitoring and auditing of CPs in accordance with Part IIIA, the Regulations and this CR code.

22.3 Records must be retained for a minimum period of 5 years from the date on which the record is made unless, in the case of a CRB, the record includes information that the CRB is required by Part IIIA, the Regulations or the CR code to destroy at the end of the applicable retention period, in which case the record must be retained for the duration of that retention period only.

Source Notes: Explanatory Memorandum p.139. Para 1.17, 2.14, 2.14A, 2.19 of pre-reform Code

Back to top

23. Credit reporting system integrity

Part IIIA includes measures to facilitate credit reporting system integrity including an obligation on CRBs to ensure that regular audits are conducted by an independent person to determine whether CPs are complying with aspects of their contractual obligations to the CRB.

Source Notes: Sec 20N and 20Q.

Code obligations

23.1 To ensure that CRBs are able to tailor the frequency and extent of the audits required by sections 20N and 20Q to the CPs that present the greatest risk of non-compliance, a CRB must establish a documented, risk based program to monitor CPs' compliance with their obligations under Part IIIA, incorporated in their agreements with the CRB, to ensure:

  1. that credit information that the CP discloses to the CRB is accurate, up-to-date and complete;
  2. that credit reporting information that the CRB discloses to the CP is protected by the CP from misuse, interference and loss and from unauthorised access, modification or disclosure; and
  3. that the CP takes the steps in relation to requests to correct credit-related personal information required by Part IIIA, the Regulations and this CR code.

Source Notes: Sec 20N and 20Q. Explanatory Memorandum p.30 and p.145

23.2 The risk based program established by a CRB for the purposes of paragraph 23.1 must:

  1. identify and evaluate indicators of risk of non-compliance by CPs with the obligations referred to in paragraph 23.1;
  2. assess the risk posed by CPs of significant non-compliance with those obligations utilising those risk indicators and the range of information available to the CRB including correction requests and complaints;
  3. utilise a reasonable range of monitoring techniques to validate and update those risk assessments from time to time (which could, for example, include questionnaires or attestations);
  4. include an audit program for CPs to assess compliance with the obligations referred to in paragraph 23.1.

Source Notes: Sec 20N and 20Q

23.3 To be independent and so eligible under Part IIIA to conduct an audit of a CP as part of the CRB's auditing program referred to in paragraph 23.2:

  1. an auditor must not be a director or employee of the CP, have a significant financial interest in the CP or, at any time during the previous 12 months, had any such relationship or interest;
  2. if the auditor is an employee of the CRB – the CRB's organisational structure and supervision arrangements must achieve functional independence for the auditor;
  3. if the auditor is an employee of an industry funded organisation – the organisation's governance and supervision arrangements must achieve functional independence for the auditor; and
  4. the auditor must not have any other association that would impair the perception of the auditor's independence, nor had any such association at any time during the previous 12 months.

Source Notes: Sec 20N(3)(b), 20Q(2)(b)

23.4 A CRB must take reasonable steps to ensure that a person who conducts an audit of a CP as part of the CRB's auditing program referred to in paragraph 23.2 has sufficient expertise for the role including:

  1. knowledge of the requirements of Part IIIA, the Regulations and this CR code;
  2. knowledge of audit methodology and previous experience in conducting audits; and
  3. credit reporting system experience.

23.5 Subject to paragraphs 23.3 and 23.4, a CRB's CP auditing program for the purposes of paragraph 23.2(d) may utilise as auditors:

  1. a CRB's compliance or auditing team;
  2. consultants engaged by the CRB;
  3. consultants engaged by the CP where the CRB is satisfied as to the consultant's independence and expertise; or
  4. an industry funded organisation where the CRB is satisfied as to that organisation's independence and expertise.

23.6 The CRB must take reasonable steps to ensure that its audit oversight, including reporting arrangements, is sufficient to enable the CRB to form a view as to whether the CP is complying with the obligations referred to in paragraph 23.1.

23.7 A CP must permit a person, who conducts an audit of a CP as part of the CRB's auditing program referred to in paragraph 23.2, to have reasonable access to the CP's records for the purposes of carrying out the audit.

23.8 A CP must take reasonable steps to rectify issues identified in the course of an audit undertaken pursuant to the CRB's auditing program referred to in paragraph 23.2.

Source Notes: Sec 20N and 20Q, Explanatory Memorandum p.30 and p.145

23.9 Where a CP fails to meet its contractual obligations to a CRB to comply with Part IIIA, the Regulations and this CR code and in particular fails to:

  1. ensure that the credit information that the CP discloses to the CRB is accurate, up-to-date and complete; or
  2. protect credit reporting information disclosed to the CP by a CRB from misuse, interference or loss, or unauthorised access, modification or disclosure;

the CRB will take such action as is reasonable in the circumstances, which may include termination of the agreement. However, termination may only occur if the CRB first provides the CP with reasonable notice of its intention to terminate the agreement and an opportunity to trigger the dispute resolution procedures in paragraph 23.10.

Source Notes: Explanatory Memorandum p.30 and p.146

23.10 Where disputes arise between two or more CRBs, CPs and affected information recipients in relation to actions undertaken or required to fulfil their obligations under Part IIIA, the Regulations or this CR code, the parties to the dispute must endeavour to resolve the dispute in a fair and efficient way.

Source Notes: Explanatory Memorandum p.146

23.11 A CRB must publish on its website, by 31 August each year, a report for the financial year ending on 30 June of the same year (or in the case of the report provided in 2014, for the period beginning on the date of commencement of this CR code and ending on 30 June 2014) that includes information about the following:

ACCESS

  1. Individuals provided access without charge – the percentage calculated in accordance with the following formula:
    %  = AI(WC)/ IND x 100 where:
    AI(WC) is the number individuals given access to their credit reporting information (without charge) by the CRB during the reporting period; and IND is the number of individuals about whom credit information is held at the end of the reporting period;
  2. Individuals provided access with a charge – the percentage calculated in accordance with the following formula:
    %  = AI(C)/ IND x 100 where:
    AI(C) is the number of individuals given access to their credit reporting information by the CRB during the reporting period where the individual used a fee-based service; and IND is the number of individuals about whom credit information is held at the end of the reporting period;

CORRECTIONS

  1. Correction requests received – the percentage calculated in accordance with the following formula:>
    %  = CR/ IND x 100 where:
    CR is the number of correction requests received by the CRB during the reporting period; and IND is the number of individuals about whom credit information is held at the end of the reporting period;
  2. Successful corrections requests – the percentage calculated in accordance with the following formula:
    %  = SCR/ CR x 100 where:
    SCR is the number of successful correction requests, that is, correction requests received by the CRB during the reporting period where the CRB was satisfied that a correction should be made; and CR is the number of correction requests received by the CRB during the reporting period;
  3. Corrections finalisation period – the average number of days taken to finalise a correction calculated in accordance with the following formula:
    Average days  = TD/ TC where:
    TD is the total number of calendar days taken from receipt to a finalisation for all correction requests finalised by the CRB during the reporting period; and TC is the total number of corrections finalised by the CRB during the reporting period;
  4. Other corrections made – the percentage calculated in accordance with the following formula:
    %  = OCR/ IND x 100 where:
    OCR is the number of other corrections, that is, corrections made by the CRB during the reporting period that were not made in response to a correction request from the relevant individual; and IND is the number of individuals about whom credit information is held at the end of the reporting period
  5. Types of corrections made – information about
    1. the types of correction requests received and corrections made during the reporting period (including a % figure for each correction type against all types);
    2. the industry sectors from which the information that was corrected originated from.

COMPLAINTS

  1. Complaints received – the percentage calculated in accordance with the following formula:
    %  = C/ IND x 100 where:
    C is the number of complaints received by the CRB during the reporting period; and IND is the number of individuals about whom credit information is held at the end of the reporting period;
  2. Types of complaints – information about the types of complaints that were received by the CRB during the reporting period (including a % figure for each complaint type against all types)
  3. Complaints finalised – the percentage calculated in accordance with the following formula:
    %  = F/ IND x 100 where:
    F is the number of complaints finalised by the CRB during the reporting period; and IND is the number of individuals about whom credit information is held at the end of the reporting period;
  4. Complaint finalisation period – the average number of days taken to finalise a complaint calculated in accordance with the following formula:
    Average days  = TD/ TCP where:
    TD is the total number of calendar days taken from receipt to a finalisation for all complaints finalised by the CRB during the reporting period; and TCP is the total number of complaints finalised by the CRB during the reporting period;
  5. Complaint outcomes – information about the outcomes of the complaints finalised during the reporting period (including a % figure for each outcome type against all outcomes);

SERIOUS CREDIT INFRINGEMENTS

  1. Serious credit infringements disclosed – the percentage calculated in accordance with the following formula:
    %  = SCI/ IND x 100 where:
    SCI is the total number of times during the reporting period that a CP disclosed an opinion to the CRB that an individual had, in circumstances specified by the provider, committed a serious credit infringements; and IND is the number of individuals about whom credit information is held at the end of the reporting period;
  2. Serious credit infringements by sector – the percentage calculated in accordance with the following formula:
    %  = SCI(S)/SCI x 100
    SCI(S) is the number of times during the reporting period that a CP from a particular sector disclosed an opinion to the CRB that an individual had, in circumstances specified by the provider, committed a serious credit infringements; and SCI is the total number of times during the reporting period that a CP disclosed an opinion to the CRB that an individual had, in circumstances specified by the provider, committed a serious credit infringements;

THE CRB'S MONITORING AND AUDITING ACTIVITY

  1. Information about the CRB's monitoring and auditing activity during the reporting period including the number of audits conducted, any systemic issues identified and any action taken in response. This information does not require the identification of specific entities;

DISCLOSURE TO THE CRB OF CONSUMER CREDIT LIABILITY INFORMATION AND REPAYMENT HISTORY INFORMATION

  1. information about the take-up of the new types of credit-related personal information permitted to be held in the credit reporting system from 12 March 2014, including:
    1. Disclosure to the CRB of consumer credit liability information — the percentage calculated in accordance with the following formula;
      %  = CCLI/ CP x 100 where:
      CCLI is the number of CPs that disclosed consumer credit liability information to the CRB during the reporting period; and CP is the total number of CPs that disclosed any credit information to the CRB during the reporting period;
    2. Disclosure to the CRB of repayment history information – the percentage calculated in accordance with the following formula;
      %  = RHI/ CP x 100 where:
      RHI is the number of CPs that disclosed repayment history information to the CRB during the reporting period; and CP is the total number of CPs that disclosed any credit information to the CRB during the reporting period;

OTHER INFORMATION

  1. Any other information requested by the Commissioner from time to time.

Back to top

24. Information Commissioner's role

The Privacy Act specifies that this CR code may impose obligations on CRB, CP or affected information recipients to report matters to the Commissioner.

Code obligations

24.1 The Commissioner may, at the request of a CRB, CP or affected information recipient, agree to vary time limits imposed by the CR code where the CRB, CP or affected information recipient (as applicable) is unable to comply with the specified time limit due to circumstances such as technological failure or other practical or unforeseen difficulties.

Source Notes: Para 4.2 of pre-reform Code

24.2 Every 3 years, or more frequently if the Commissioner requests, a CRB must commission an independent review of its operations and processes to assess compliance by the CRB with its obligations under Part IIIA, the Regulations and this CR code.  The CRB must consult with the Commissioner as to the choice of reviewer and scope of the review.  The review report and the CRB's response to the review report must be provided to the Commissioner and made publicly available.

24.3 The Commissioner will initiate an independent review of the operation of this CR code within 3 years of the date of the commencement of this CR code. 

Back to top

 

 

 

 

 

 

 

 

 

 

 

This page makes up a part of the OAIC Information Publication Scheme IPS