2021 Review of CR Code – What we heard and what we are doing

The Australian Information Commissioner has released a report outlining findings in relation to the 2021 Independent review of the Privacy (Credit Reporting) Code 2014 (CR Code).

Under Paragraph 24.3 of the CR Code, the Australian Information Commissioner is required to conduct an independent review of the operation of the CR Code every 4 years.

The review heard from stakeholders about how CR Code operates in practice and ways it may be improved. This involved significant consultation by the OAIC which took place throughout late 2021 and into early 2022.

OAIC consultation

The OAIC hosted 3 roundtable events, which were attended by representatives from 25 organisations, and we received 17 written submissions from stakeholders. These submissions were from industry members, consumer advocates, external dispute resolution schemes, regulators and individuals.

Key themes that emerged from the consultation included:

  • issues with getting credit information corrected in a timely manner
  • issues with ease of access by individuals to their credit reports
  • complexity of the CR code
  • lack of clarity for industry and consumers around certain concepts, such as the level of notice required to disclose personal information
  • governance provisions, including the CR Code variation development process
  • monitoring and enforcement of industry’s compliance with the Privacy Act and the CR Code.

The report resolves a number of issues raised by stakeholders. It also contains proposals for amendments to the CR Code, targeted guidance by the OAIC for the public and industry and increasing the profile of the OAIC’s compliance and monitoring activities.

We have outlined the key issues that the OAIC heard about from stakeholders during the review and what we are doing in response below.

What we heard

What we are doing

Consumers need guidance and information about making complaints, notice and consent, and seeking corrections.

The OAIC will provide guidance for individuals on:

  • the complaints process including who to approach (Proposal 42)
  • notice and consent requirements in the credit reporting space (Proposal 26)
  • the process for correcting their credit reports (Proposal 36)

Industry needs guidance on when court proceedings information and publicly available information can be collected and disclosed.

The OAIC will provide guidance to industry on court proceedings information and publicly available information, including when it can be collected and/or used and disclosed (Proposal 23).

Currently all enquiries are being recorded on an individual’s credit report including requests for quotes where the individual just wants to shop around for a new product (also known as a soft enquiry)

The OAIC proposes that the CR Code be amended to state that a note of a ‘soft enquiry’ must not be recorded on an individual’s credit report (Proposal 43).

Consumers are being asked by their landlords and real estate agents to access their credit report, or real estate agents and employers are approaching CRBs on an individual’s behalf.

The OAIC will provide guidance for individuals on their rights with respect to supplying credit reports to employers, landlords, real estate agents (Proposal 35).

The OAIC has outlined its position that real estate agents and employers must not seek access to an individual’s credit reporting information (OAIC resolution 7).

The OAIC will write to the Attorney-General about the current practice of real estate agents, landlords and employers accessing credit reports so that this issue can be considered in preparation for the review of Part IIIA (Proposal 34).

The CR Code needs to consider how domestic abuse impacts an individual and recognise it as an example of circumstances beyond the individual’s control

The OAIC has included a resolution that CRBs and CPs should make individuals aware of their options, such as where individual account-based reporting may be available, when experiencing domestic abuse (OAIC resolution 10).

The OAIC also proposes to amend the CR Code to:

  • expand the categories of information that can be corrected (Proposal 41)
  • include domestic abuse as an example of circumstances beyond the individual’s control when listing defaults (Proposal 39).

People who have been the victim of identity theft or fraud often find it hard to get bans on their credit information imposed and extended

The OAIC proposes that the CR Code be amended to require CRBs to offer individuals an automatic extension to the ban period when they make their initial request that a ban be put in place (Proposal 28).

The OAIC will develop guidance for individuals to clarify the process for credit ban applications and extensions (Proposal 30).

People find it hard to get multiple incorrect entries on their credit report corrected, for example, where they are a victim of fraud

The OAIC proposes that the CR Code be amended to include a mechanism to enable multiple incorrect entries removed from their credit report stemming from one event, including where this is a result of fraud (Proposal 37).

Many people don’t know there are 3 CRBs in Australia and that each one could use different data to create your credit report

The OAIC proposes that the CR Code be amended to require CRBs to provide information on how individuals can access their credit report from other CRBs (Proposal 32).

The CR Code is complex and people need to read it in conjunction with Part IIIA of the Privacy Act and the Privacy Regulation to understand it.

The OAIC will review and update its existing credit reporting guidance to help individuals and their advocates understand certain aspects of the CR Code – especially those that relate to their rights and protections (Proposal 1).

The OAIC proposes a number of amendments to the CR Code to improve clarity, including amending the blue row in the CR Code which should clearly outline what each paragraph of the CR Code means (see Proposal 4).

The CR Code doesn’t cater to new participants such as telcos and utility providers which have different practices from banks.

The OAIC notes that currently these sectors can participate under Part IIIA of the Privacy Act but amendments to the CR Code can be made to provide clarity.

The OAIC will write to the Attorney-General to seek consideration of the operation of telcos and utility providers in preparation for the review of Part IIIA (Proposal 7).

It’s unclear whether BNPL products are operating in the credit reporting system and how they are regulated.

Many new finance providers appear to meet the definition of a CP, but are operating as ‘non-participating credit providers’ and are therefore not using or disclosing credit information. This means that Part IIIA of the Privacy Act and the CR Code does not apply to them.

BNPL products have the potential to disrupt the credit reporting industry and may result in inconsistency of reporting of individuals that are in similar financial situations based on the type of product they are accessing. Further consideration may need to be given to appropriate regulation of the provision of these newer finance models to ensure consumers are protected.

The OAIC will write to the relevant Ministers to raise the issue of emerging finance products, such as BNPL, operating in the credit reporting system (Proposal 8).

Stakeholders are not consulted early enough in the process for developing applications to vary the CR Code.

The OAIC will update our Guidelines for Developing Codes to outline expectations on how variation applications will be developed including a requirement that stakeholders are given the opportunity for early input prior to drafting variation applications (Proposal 10).

There is a lack of visibility over the compliance of CRBs and CPs with Part IIIA and the CR Code.

The OAIC will raise the visibility of our compliance and monitoring activities in the credit reporting space (Proposal 11).

The OAIC will publish links to CRB audit reports on our website. These reports can be redacted as needed for publication to ensure they do not include personal or commercially sensitive information (Proposal 14).

The OAIC also proposes that the CR Code be amended to require CRBs to publish their CP audits to increase visibility and transparency for the public and the OAIC (Proposal 13).

CRBs often do not remove debts after they become statute-barred and this means they can stay on an individual’s credit report indefinitely

The OAIC proposes that the CR Code be amended to place a positive obligation on CRBs to remove statute-barred debts and on CPs to inform CRBs when a debt is, or will become, statute-barred (Proposal 19).

Next steps

The OAIC will work with the CR Code developer regarding improvements to the CR Code and implementing the proposals outlined in the report.

We have outlined a roadmap of the next 2 years to incorporate proposals outlined in the report.

View roadmap

OAIC_CR Code Roadmap_2022