Publication date: 20 September 2022

The report on the 2021 Independent review of the Privacy (Credit Reporting) Code 2014 was released on 20 September 2022. The Review resolves a number of practice issues and makes 45 recommendations.

Download the print version

Foreword from the Commissioner

Credit reporting in Australia is fundamental to a functioning economy. The credit reporting system has been subject to significant changes over the past two years including through the introduction of mandatory comprehensive credit reporting, and amendments to Part IIIA of the Privacy Act 1988 (the Privacy Act).

Protecting the way Australian’s personal information is collected, handled and stored is more than ever, an important objective as the credit reporting landscape has expanded and shifted.

As a contemporary regulator, the OAIC seeks to respond to government and community public expectations when exercising our regulatory responsibilities and powers under the Privacy Act.

The OAIC has undertaken a major review of the Privacy (Credit Reporting) Code 2014 (the CR Code) to ensure it remains fit for purpose – that it provides appropriate guardrails for regulated entities in complying with Part IIIA of the Privacy Act and that it provides adequate privacy protections for individuals. Under the CR Code the OAIC is required to commence an independent review of the practical operation of the CR Code every 4 years.

I am pleased to present the outcomes of the review in this report. These findings are the result of significant engagement by the OAIC with informed and committed stakeholders on how the CR Code is operating in practice, and ways in which it can be improved to ensure the privacy of individuals is respected, while facilitating an efficient credit reporting system in Australia. Regular review of the CR Code provisions, and their operation is fundamental to ensuring the CR Code is achieving these important objectives.

The Review resolved a number of issues occurring within industry now and found that further changes need to be made. It makes proposals to better protect the rights and interests of consumers and provide greater clarity for industry on their obligations.

The OAIC plans to implement the proposals outlined in this report in the next 2 years and to take proactive steps to ensure issues identified with Part IIIA of the Privacy Act are brought to the attention of the Attorney-General for the independent review required by statute to be completed in 2024. The OAIC looks forward to continued engagement from stakeholders in the implementation of these proposals for the benefit of all Australians.

Angelene Falk
Australian Information Commissioner
Privacy Commissioner

20 September 2022

Executive summary

The Privacy (Credit Reporting) Code 2014 (the CR Code) is a legislative instrument under the Privacy Act 1988 (the Privacy Act). Its objective is to provide further particularisation to regulated entities as to how they should comply with their obligations set out in Part IIIA of the Act. The CR Code includes an important governance mechanism, which requires the OAIC to commence an independent review of the practical operation of the CR Code every 4 years. In 2021, the OAIC commenced its second independent review (the Review) of the CR Code.

The Review presented an important opportunity to reflect on the practical operation and effect of the CR Code, and to evaluate whether it continues to deliver its intended objective. It also provided an opportunity to consider the operation of the CR Code amid social, technological, and regulatory developments. The Review sought stakeholders’ feedback on their practical experiences with the CR Code, including what is working well and what could be improved. The Review also sought stakeholders’ views on whether there were any opportunities to improve the operation of the CR Code more broadly, and if so, how those could be implemented.

In finalising the Review, the OAIC gave significant consideration to the views provided by stakeholders during the consultation process. We thank all stakeholders for their robust engagement in this process. This engagement has allowed the OAIC to holistically consider the operation of the CR Code. The OAIC recognises that credit reporting information is a significant kind of personal information that has real impacts on an individual’s life – their ability to obtain credit affects livelihoods and the ability to engage in society.[1] The OAIC is committed to fulfilling its role in regulating the credit reporting provisions of the Privacy Act to ensure the privacy of individuals is respected.

This report seeks to deliver real, tangible outcomes to address the issues raised by stakeholders. As a result, we focused on steps that can be taken now to resolve issues raised in the review. We consider that the implementation of the remaining issues fell into 4 categories:

  • proposals which require an amendment to the CR Code
  • proposals to increase education and awareness
  • proposals focused on compliance and monitoring, and
  • proposals where legislative amendment to Part IIIA of the Privacy Act would be needed to address the issues raised. The Attorney-General is required to cause an independent review to be conducted of the operation of Part IIIA by October 2024.[2]

All issue resolutions and proposals are summarised, by category, in the tables below.

A roadmap of how and when these proposals will be implemented can be found here.

OAIC resolution of practice issues

A number of issues raised by stakeholders could be resolved through amendments to the CR Code. These amendments range from minor adjustments to ensure the smooth functioning of the CR Code, through to significant changes that enhance individual rights (e.g. expanded correction provisions) and the operation of credit reporting (e.g. introduction of ‘soft enquiries’).

Where proposals relate to CR Code amendments, these amendments will be subject to further consultation from all stakeholders in accordance with the variation process.

The Review has also presented a complementary proposal that the OAIC will review and update its Guidelines to Developing Codes to provide further particularity and clarity around the OAIC’s expectations on how variations to the CR Code will be developed. This includes consideration of the need for all stakeholder groups to have early input on the framing of issues before drafting commences. It is expected that the CR Code amendments proposed in this report will follow these updated guidelines.

Proposals to amend the CR Code

A number of issues raised by stakeholders could be resolved through amendments to the CR Code. These amendments range from minor adjustments to ensure the smooth functioning of the CR Code, through to significant changes that enhance individual rights (e.g. expanded correction provisions) and the operation of credit reporting (e.g. introduction of ‘soft enquiries’).

Where proposals relate to CR Code amendments, these amendments will be subject to further consultation from all stakeholders in accordance with the variation process.

The Review has also presented a complementary proposal that the OAIC will review and update its Guidelines to Developing Codes to provide further particularity and clarity around the OAIC’s expectations on how variations to the CR Code will be developed. This includes consideration of the need for all stakeholder groups to have early input on the framing of issues before drafting commences. It is expected that the CR Code amendments proposed in this report will follow these updated guidelines.

Proposals to improve overall education and awareness

The Review recognises that the OAIC plays an important role in providing education and guidance to the Australian community. To achieve this, the OAIC has published a number of resources related to credit reporting on its website. However, feedback from the Review has indicated that there is a need among consumers for further education and clarity about the operation of the CR Code, particularly when it comes to advocating for their privacy rights.

To address this, the report presents a series of proposals aimed at education for individuals and their advocates. In particular, the Review proposes that the OAIC review its existing material, and where appropriate, develop additional targeted resources on the issues identified in this Review. The OAIC will also consider changes that can be made to how it provides materials to stakeholders and the form of this material, to ensure that they are promoted and easily accessible.

Proposals focused on compliance and monitoring

Stakeholders raised concerns about industry compliance with the credit reporting system, along with the importance of the OAIC being appropriately resourced to undertake monitoring and enforcement activities. The report presents proposals which are focused on the Information Commissioner’s role in regulating credit reporting and are aimed at most effectively and efficiently utilise the tools currently available in the OAIC’s regulatory toolkit. The Review notes that the broader ongoing review of the Privacy Act may present opportunities to further enhance these proposals.

Proposals to raise Part IIIA issues with Government

Stakeholders raised concerns about the operation of certain regulatory provisions, as well as aspects of credit reporting more broadly, which are beyond the scope of the CR Code because they require amendments to Part IIIA of the Privacy Act. In these circumstances, the OAIC will write to the Attorney-General about these issues, so that they can be considered by the reviewer in the required independent review of Part IIIA of the Privacy Act due to be completed by 1 October 2024.[3]

OAIC resolutions of practice issues

OAIC resolution

Report reference

Resolution of practice issue  

Resolution 1 – CRBs should have appropriate controls in place to quarantine information from future use or disclosure, where necessary

3.2.2

Resolution 2 – CRBs should only disclose current information when disclosing CCLI

4.1.4

Resolution 3 – CRBs can collect and use personal information for the purposes of communicating with individuals regarding credit bans

5.2.2

Resolution 4 – CRBs must provide access seekers with a copy of credit reports free of charge, once every 3 months

5.3.3

Resolution 5 – CRBs should recognise standard authorities from advocates

5.3.4

Resolution 6 – CRBs must provide access to advocates during a ban period where consent provided

5.3.4

Resolution 7 – Real estate agencies and employers must not seek access to an individual’s credit reporting information

5.3.5

Resolution 8 – CRBs and CPs can share contact information for the purposes of actioning a correction request

5.4.1

Resolution 9 – CRBs and CPs should actively resolve correction requests as soon as practicable

5.4.5

Resolution 10 – CPs and CRBs should make individuals aware of their options, such as where customer-based reporting may be available, when experiencing domestic abuse

5.6.2

Resolution 11 – Mortgage brokers should use the access seeker provisions to access CEI on behalf of an individual

6.2

Resolution 12 – Acquiring CPs must not access credit information where they are not permitted to do so

6.4

OAIC proposals by category

Proposal

Report reference

CR Code amendments

 

Proposal 4 – Amend CR Code source notes column and blue row lines

2.1

Proposal 6 – Amend CR code to accommodate other entities reporting CCLI (paragraph 6)

2.3.1

Proposal 13 – Amend CR Code to require CRBs to publish their CP audits and submit these to the OAIC (paragraph 23)

3.2.1

Proposal 15 – Amend CR Code to clarify the definition of ‘account close’ in respect of CCLI (paragraph 6)

4.1.2

Proposal 17 – Amend CR Code to clarify definition of ‘month’ to more flexibly accommodate CP reporting practices (paragraph 1)

4.2.1

Proposal 19 – Amend CR Code to introduce positive obligations on CRBs to remove statute barred debts and on CPs to inform CRBs when a debt has or will become statute barred (paragraph 20)

4.3.1

Proposal 21 – Amend CR Code to specify that s 21D(3)(d) notice must be a standalone notice (paragraph 9)

4.3.3

Proposal 24 – Amend CR Code regarding notification obligations (paragraph 4)

5.1

Proposal 28 – Amend CR Code to allow CRBs to offer individuals an automatic extension to the ban period when they make their initial request, where appropriate (paragraph 17)

5.2.1

Proposal 29 – Amend CR Code to provide further clarity on the expected level of evidence that a CRB needs to implement a ban and/or extension (paragraph 17)

5.2.2

Proposal 31 – Amend CR Code to require a CRB to record and alert an individual of access requests during a ban period (paragraph 17)

5.2.3

Proposal 32 – Amend CR Code to require CRBs to provide information to individuals on how they can access their credit reports held by other CRBs (paragraph 19)

5.3.1

Proposal 33 – Amend CR Code to specify that CRBs must provide physical copies of credit reports upon request (paragraph 19)

5.3.2

Proposal 37 – Amend CR Code to introduce a mechanism to correct multiple instances of incorrect information stemming from one event (paragraph 20)

5.4.2

Proposal 39 – Amend CR Code to include domestic abuse as an example of circumstances beyond the individual’s control (paragraph 20.5)

5.4.4

Proposal 40 – Amend CR Code to extend correction requests to include CPs (paragraph 20.5)

5.4.4

Proposal 41 – Amend CR Code to expand the categories of information that can be corrected (paragraph 20.5)

5.4.4

Proposal 43 – Amend CR Code to introduce soft enquiries framework

6.1.1

Proposal 44 – Amend definition of ‘capacity information’ to include an individual in their capacity as a trustee (paragraph 1.2)

6.2

Education and awareness

 

Proposal 1 – OAIC to review and update existing credit guidance with a particular focus on guidance for individuals and their advocates

2.1

Proposal 2 – OAIC to consider mechanisms to promote its credit resources

2.1

Proposal 23 – OAIC to develop guidance about ‘court proceedings information’ and ‘publicly available information’

4.4

Proposal 26 – OAIC to provide guidance to individuals on which circumstances require notice and which require consent

5.1

Proposal 30 – OAIC to develop guidance for individuals to explain the credit ban application and extension process

5.2.2

Proposal 35 – OAIC to provide guidance to individuals on their rights with respect to supplying credit reports to landlords and real estate agents

5.3.5

Proposal 36 – OAIC to provide guidance to individuals on their correction rights and how to exercise them

5.4.1

Proposal 38 – OAIC to provide guidance to industry on the ‘no wrong door’ approach to corrections, and will consider the need for future compliance activity

5.4.3

Proposal 42 – OAIC to provide guidance for individuals on the complaints process and who to approach to make a complaint

5.5

Compliance and monitoring

 

Proposal 10 – OAIC to update the Guidelines for Developing Codes regarding processes for the development of variation applications

3.1.1

Proposal 11 – OAIC to raise visibility of its credit reporting compliance and monitoring activities

3.1.2

Proposal 14 – OAIC to publish a link to CRB audit reports on its website

3.2.1

Issues for review of Part IIIA

 

Proposal 3 – Write to the Attorney-General about the suggestion of including overarching principles in Part IIIA

2.1

Proposal 5 – Write to the relevant Ministers to raise the issue of interactions between Part IIIA and the mandatory CCR regime

2.2

Proposal 7 – Write to the Attorney-General about how to best accommodate other entities such as telco and utility providers operating in the credit reporting system

2.3.1

Proposal 8 – Write to the relevant Ministers to raise the issue of emerging finance products, such as BNPL, operating in the credit reporting system

2.3.2

Proposal 9 – Write to the relevant Ministers to raise the issue of whether an ACL should be a requirement to participating in the credit reporting system

2.3.3

Proposal 12 – Write to the Attorney-General to raise the issue of exploring alternative funding avenues to support the OAIC’s credit reporting functions

3.1.2

Proposal 16 – Write to the Attorney-General to raise the issue of disclosing ‘historic’ CCLI

4.1.4

Proposal 18 – Write to the Attorney-General about the suggestion that CPs must notify an individual when they disclose RHI relating to missed payments

4.2.3

Proposal 20 – Write to the Attorney-General about the suggestion that CPs must list default information within a reasonable time and retention period should apply from date of default

4.3.2

Proposal 22 – Write to the Attorney-General about the ongoing application of new arrangement information

4.3.4

Proposal 25 – Write to the Attorney-General about the suggestion that the notice framework within Part IIIA be reviewed

5.1

Proposal 27 – Write to the Attorney-General to raise concerns around the length of the initial credit ban period provided in Part IIIA

5.2.1

Proposal 34 – Write to the Attorney-General to raise the issue of real estate agents, landlords and employers accessing credit reports

5.3.5

Proposal 45 – Write to the Attorney-General to raise the issue of additional uses and disclosures of credit reporting information

6.2

About this Review

This independent review[4] considers the operation of the Privacy (Credit Reporting) Code 2014 (Version 2.1) (the CR Code). This is the second independent review of the CR Code, following an initial review in 2017.

The registered CR Code is a legislative instrument approved by the Australian Information Commissioner (the Commissioner).[5] The CR Code supplements the provisions contained in Part IIIA of the Privacy Act 1988 (Privacy Act) and the Privacy Regulation 2013 (Privacy Regulation) with respect to the handling of personal information about individuals’ activities in relation to consumer credit. Importantly, a breach of the CR Code is an interference with privacy and a breach of the Privacy Act.

Purpose of the Review

The CR Code requires the Commissioner to initiate an independent review of the CR Code every four years.[6] This is an important governance provision which ensures that the CR Code is subject to regular and independent scrutiny. The review process provides an opportunity for stakeholders to comment on their engagement and practical experience with the CR Code, and explores whether there are opportunities to address any issues.

The review process also provides an opportunity to consider the operation of the CR Code amid social, technological and regulatory developments. Since the last independent review in 2017, there have been a number of developments in Australia’s credit reporting landscape, including the introduction of mandatory comprehensive credit reporting, and the development of financial credit products such as Buy Now Pay Later products.

This Review considered whether the CR Code, in its current form, achieves its purpose – that is whether it further particularises how the requirements in Part IIIA should be adhered to by regulated entities. The Review focused on the operation of the CR Code in practice and whether it requires any changes.

Scope of the Review

As noted above, this Review considered Version 2.1 of the CR Code, as this was the version in force at the commencement of the Review in 2021. As such, more recent amendments to the CR Code which addressed changes to the Privacy Act have not been considered as part of this Review. This includes amendments to introduce a new type of information into the credit reporting system, known as ‘financial hardship information’.[7]

The Review is not a broader review of Part IIIA of the Privacy Act. Therefore, issues identified with Part IIIA and how it applies to credit reporting bodies (CRBs), credit providers (CPs) and affected information recipients (AIRs) are out of scope, except to the extent that there is any inconsistency between the drafting of the CR Code and the requirements of Part IIIA.

The Attorney-General must cause an independent review of Part IIIA to be completed before 1 October 2024.[8] Where stakeholders have raised pertinent issues that would benefit from consideration in the Part IIIA review, this Review has noted them throughout the report. The OAIC will raise these issues with the Attorney-General so they may be considered as part of that review.

Consultation process

In December 2021, the OAIC published a Consultation Paper which canvassed all aspects of the CR Code, such as the governance of the CR Code, the code provisions applying to certain types of information, the protections and rights for individuals, and the permitted activities by regulated entities. The OAIC invited comment from interested individuals, agencies and organisations.

See Consultation Paper: Review of the Privacy (Credit Reporting) Code 2014 Consultation Paper

See the submissions we received: Independent review of the Privacy (Credit Reporting) Code 2014 submissions

See our roadmap: OAIC credit reporting roadmap

Footnotes

[1] See Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 under ‘Clause 20R’.

[2] See Privacy Act, s 25B.

[3] Privacy Act, s 25B.

[4] From this point forward, ‘review’ is capitalised when referring to the review conducted for this report.

[5] Privacy Act, s 26M(2).

[6] Paragraph 24.3 of the CR Code.

[7] See amendments introduced through the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Act 2019.

[8] Privacy Act, s 25B.