Acting Australian Information Commissioner and acting Privacy Commissioner approves variations to the Privacy (Credit Reporting) Code 2014

30 May 2018

On 29 May 2018, the acting Australian Information Commissioner and acting Privacy Commissioner approved a variation of the registered Privacy (Credit Reporting) Code 2014 Version 1.2 (CR Code Version 1.2). The variation was approved following an application by the Australian Retail Credit Association (ARCA) on 26 April 2018 (and an amendment to the application dated 28 May 2018), for variation of the registered CR Code Version 1.2 under section 26T of the Privacy Act 1988 (Cth) (the Privacy Act).

In summary, the variation amends:

  • the definition of ‘month’ for the purposes of reporting repayment history information (RHI) (para 1.2(g)(i))
  • certain categories in the definition of the ‘maximum amount of credit available’ (para 6.2(b))
  • the definition of ‘the day credit is terminated or otherwise ceases to be in force’ (para 6.2(c)–(e))
  • the application of a ‘grace period’ to the disclosure of RHI (para 8.2(c))
  • notification requirements, providing that notices under s 21D of the Privacy Act may be sent to an individual’s last known address, which may include an electronic address (para 9.3(d))
  • the timing of issuing a notice under section 21D of the Privacy Act (para 9.3(f))
  • the prohibition on a credit reporting body developing a ‘tool’ to facilitate a credit provider’s direct marketing, to extend to a ‘service’ (para 18.1(b))
  • certain mechanisms for correcting information (para 20.9(b)).

The variations are proposed to commence on 1 July 2018. A new version of the Privacy (Credit Reporting) Code will be included on the OAIC’s Codes Register shortly, along with the acting Commissioner’s decision and reasons for decision.

The OAIC would like to thank ARCA and the stakeholders who contributed time, effort and expertise in making these variations.

The varied CR Code, approval letter and application materials can be found on the Credit Reporting page.


Part IIIA of the Privacy Act regulates consumer credit reporting in Australia. Part IIIA is supported by the Privacy Regulation 2013 and the CR Code.

The CR Code is a mandatory code that binds credit providers and credit reporting bodies. The CR Code commenced on 12 March 2014. Importantly, a breach of the CR Code is a breach of the Privacy Act.

Under section 26T of the Privacy Act, the Commissioner may, in writing, approve a variation of the registered CR Code:

  • on his or her own initiative; or
  • on application by an entity that is bound by the code; or
  • on application by a body or association representing one or more entities that are bound by the code.

If the Commissioner approves a variation of the registered CR Code, the Commissioner must:

  • remove the original code from the Codes Register; and
  • register the CR Code, as varied, by including it on the Codes Register.

A variation comes into effect on the day specified in the approval.

Paragraph 24.3 of the CR Code requires the Commissioner to initiate an independent review of the operation of the CR Code within 3 years of the date of its commencement.

A review of the CR Code was undertaken by PricewaterhouseCoopers (PwC) and was completed in December 2017. The PwC review made recommendations and gave feedback on each of the CR Code provisions that will be varied following the acting Commissioner’s approval.

The OAIC acknowledges that some recommendations and important observations in the PwC review have not been addressed in the approved variations. The OAIC intends to consider these matters further in the 2018–19 financial year. More information will be provided on the OAIC website and through our PPN newsletter.
