Credit reporting information retention periods
On this page
Advice for credit reporting bodies about handling information retained past its normal retention period and their notification obligations.
Publication date: January 2015
Under the Privacy Act 1988 (Privacy Act) credit reporting bodies are given specific retention periods stating how long they may hold personal information and include it in a consumer credit report as credit reporting information.
There are some circumstances where a credit reporting body is permitted to keep credit reporting information beyond its retention period. These circumstances include when a credit reporting body is required by or under Australian law, or a court/tribunal order, to keep the information, or to resolve a pending correction request or dispute in relation to that information.
In particular, s 20Z sets out how a credit reporting body must deal with credit reporting information subject to a pending correction request or dispute. In these circumstances it would not be appropriate for the credit reporting information to be destroyed, as generally required by s 20V, at the end of the retention period. However, given the retention of the credit reporting information is contrary to the destruction obligations in s 20V, the Office of the Australian Information Commissioner (OAIC) must be notified of the situation.
The Privacy Act imposes an obligation on credit reporting bodies to notify the OAIC of a situation where any credit reporting information is kept past its retention period for the purpose of responding to a correction request or dispute. A failure to notify the OAIC attracts a civil penalty (s 20Z(2)).
A written notification must occur ‘as soon as is practicable’. The OAIC will accept a quarterly notification of situations where credit reporting information has been held past its retention period, for the purpose of responding to a correction request or dispute. This recognises that correction requests and complaints can be received on a daily basis, and there may be a practical difficulty in notifying the Commissioner with such frequency.
Format and content of a notification
A notification should, at minimum, contain the following information:
- the name of the credit reporting body and the contact person
- the date of the report
- the credit reporting body’s unique identifier for the individual and their name
- the date the retention period ended
- the reason for retaining the information (correction request or a dispute)
- whether the matter has been referred to the credit reporting body’s External Dispute Resolution (EDR) scheme and if so, the name of the EDR scheme, the date of referral and the reference number
- whether the matter has been referred to the OAIC and, if so, the date of the referral and the OAIC’s reference number
The OAIC expects that each quarterly report will provide a rolling list of outstanding matters where the information has still not been destroyed or de-identified.
How to notify the OAIC
Notifications should be sent by email to email@example.com.
Handling of information retained past its normal retention period
Credit reporting information held past its retention date under s 20Z cannot be used or disclosed by the credit reporting body except for the purposes of the pending correction request or dispute related to the information, or if the use or disclosure is required by or under an Australian law or a court/tribunal order (s 20Z(4)). A written note must be made by the credit reporting body if any such use or disclosure occurs (s 20Z(5)).
A credit reporting body will be permitted to disclose an individual’s credit reporting information to an external dispute resolution scheme or to the OAIC for the purposes of resolving a dispute about that information.
A credit reporting body must destroy or de-identify the credit reporting information in question as soon as practicable after it is no longer needed for the purposes of resolving the correction request or dispute.
Direction to destroy information
In appropriate circumstances, the Commissioner may, by legislative instrument, direct a credit reporting body to destroy the credit reporting information in question by a specified date (s 20Z(6)). This power may be exercised by the Commissioner, for example, to resolve a conflict about whether the information in question should be destroyed or retained.