Your business may have privacy obligations in relation to consumer credit reporting if you are a credit reporting body or a credit provider under the Privacy Act 1988. You may also have obligations if your business involves handling individuals’ credit reports, for example, if you process applications for credit on behalf of a credit provider.

The laws regulating the handling of personal information for consumer credit reporting in Australia are contained in the Privacy Act (principally in Part IIIA), the Privacy (Credit Reporting) Code 2014 (Version 2.3) (CR code) and the Privacy Regulation 2013.

What is a credit reporting body?

A credit reporting body (or CRB) is an organisation whose business involves handling personal information in order to provide another entity with information about the credit worthiness of an individual. Importantly, it doesn’t matter whether or not the entity provides the information for:

  • a profit or reward, or
  • the purpose of assessing an application for credit

There are three main credit reporting bodies in Australia: Equifax, illion and Experian.

What is a credit provider?

The following entities are included as credit providers for the purposes of the Privacy Act:

  • a bank
  • an organisation or small business operator if a substantial part of its business is the provision of credit, such as a building society, finance company or a credit union
  • a retailer that issues credit cards in connection with the sale of goods or services
  • an organisation or small business operator that supplies goods and services where payment is deferred for 7 days or more, such as telecommunications carriers and energy and water utilities
  • certain organisations or small business operators that provide credit in connection with the hiring, leasing or renting of goods

Other businesses like debt collectors may also be considered credit providers.

Real estate agents, general insurers and employers are not credit providers.