Guidance for industry on corrections requests and the ‘no wrong door’ approach to corrections

Publication date: 27 September 2023

Correction requests and correction complaints

What is a correction request?

Under the Privacy Act 1988 (Privacy Act), an individual has the right to request the correction of credit information which is also their personal information. This is referred to as a correction request.

There are obligations set out in Part IIIA of the Privacy Act and the CR Code which credit reporting bodies (CRBs) and credit providers (CPs) must follow when considering correction requests.

With regard to the interaction with the Australian Privacy Principles (APPs), some of the requirements in Part IIIA of the Privacy Act apply in addition to the APPs, while at other times the requirements of Part IIIA apply instead of the APPs. For the correction request timeframes set out in Part IIIA, in most cases the Part IIIA timeframe of 30 days applies instead of APP 13 (see s 20A and 21A of the Privacy Act).

Timeframes for processing correction requests

When an individual makes a correction request, the CRB or CP that the individual approaches first with the request has an obligation to handle the request.

Where a CRB or CP is satisfied that credit related personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, the CRB or CP must take reasonable steps to correct the information within 30 days of the correction request being made, or such longer period agreed to by the individual in writing (see ss 20T and 21V of the Privacy Act).

Where necessary to resolve a correction request, the CRB or CP must consult with other CRBs or CPs. These consultation requirements are set out at ss 20T(3) and 21V(3) of the Privacy Act. Further requirements are set out in paragraph 20 of the CR Code.

The general 30-day correction timeframe in the Privacy Act is a maximum period and should not be interpreted by CRBs and CPs as the standard timeframe for processing correction requests. It is important to recognise that this period is intended to cover all types of correction requests, including those that are more complicated or require consultation.
The OAIC generally expects most correction requests to be resolved well within the 30-day period. Consultation with other CRBs or CPs, or conducting internal dispute resolution (IDR), is not a reason for not meeting this timeframe. The 30-day timeframe should only be exceeded in unusual cases.

CRBs and CPs also need to consider the timeframes and requirements set out under ss 20U and 21W of the Privacy Act for giving notice of a correction. Notice of a correction must be provided to the individual who requested it, where a correction has been made or a correction request has been refused. Paragraph 20.7 of the CR Code requires that the notice provided under ss 20U and 21W be provided within 5 business days of the decision.

The ‘no wrong door’ approach to correction requests

Where an individual makes a request to correct their personal information, the Privacy Act requires the CP or CRB that the individual first approaches to handle the request. This includes a requirement to consult with (as required) and provide notification about a correction made to (see ss 20U, 20T and 21V, 21W of the Privacy Act and paragraph 20.1 of the CR Code):

• other CRBs or CPs relevant to the request, or
• other CRBs or CPs that also hold the information.

This allows an individual to approach any CRB or CP that holds their credit information regarding a correction and is referred to as the ‘no wrong door’ approach to corrections.

Individuals can have their correction requests dealt with readily regardless of whether they approach the CRB or CP first and should not be unnecessarily ‘bounced’ between entities.

CRBs and CPs should ensure that they are aware of and comply with their correction obligations under Part IIIA and the CR Code, and in particular that they are:

• handling correction requests themselves when approached by the individual and not referring the individual to another CRB or CP, and
• meeting the general 30-day timeframe for processing correction requests.

If a CRB or CP is not meeting the above obligations, this would represent a breach of ss 21V and 21W or ss 20U and 20T of the Privacy Act and paragraph 20 of the CR Code.

Correction request complaints

It is important to note that the process for an individual seeking the correction of their credit information is separate to the process of an individual lodging a complaint about a correction request.

Under s 23A of the Privacy Act, an individual may complain to either a CRB or CP about an act or practice that may be a breach of either a provision of Part IIIA of the Privacy Act or a provision of the CR Code. There are also additional provisions for complaints set out at paragraph 21 of the CR Code.

The complaints process set out in Part IIIA of the Privacy Act ensures that the first CRB or CP to receive the individual’s complaint, referred to as the respondent, is responsible for taking action (see s 23B for dealing with complaints).

Section 23A provides that an individual may complain directly to either the Commissioner or a recognised External Dispute Resolution (EDR) scheme where a complaint relates to an alleged breach of the following provisions (or a provision of the CR Code which relates to the following provisions):

• s 20R - access to credit reporting information,
• s 20T - individual may request CRB to correct credit information,
• s 21T - access to credit eligibility information, and
• s 21V - individual may request CP to correct credit information).

For complaints about acts that may breach other provisions of Part IIIA, the individual may first complain to the CRB or CP. If an individual is not satisfied with the outcome of the CRB or CPs consideration of a complaint, they may approach the relevant EDR scheme or the OAIC.