20 September 2022

The Office of the Australian Information Commissioner (OAIC) has completed a major review of the Privacy (Credit Reporting) Code 2014 (the CR Code) to determine whether it remains fit for purpose and provides adequate privacy protections for individuals.

“Credit reporting information is a type of personal information that has a major impact on an individual’s life,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“The ability to obtain credit affects our capacity to participate in the economy - our ability to buy property or obtain a loan.”

The report on the 2021 Independent review of the Privacy (Credit Reporting) Code 2014 follows significant engagement with stakeholders including consumer advocates, banks and other credit providers, professional bodies and external dispute resolution schemes, along with code developer the Australian Retail Credit Association (ARCA).

The handling of credit reporting information is regulated by the Privacy Act 1988.

Part IIIA of the Privacy Act imposes obligations on banks and other credit providers, as well as credit reporting bodies, to protect an individual’s personal information when they are seeking credit, and provides individuals with certain protections. The CR Code outlines how entities are to comply with Part IIIA of the Privacy Act when handling credit information.

The review sought stakeholder views on how the CR Code operates in practice and what improvements could be made to strengthen Australia’s credit reporting system.

“This important review to ensure regulation of this sector is operating as intended found that change is required,” Commissioner Falk said.

“The way Australians’ personal information is collected, handled and stored remains a significant issue as the credit reporting landscape has expanded and shifted through a time of social, technological and regulatory change.”

The introduction of comprehensive credit reporting and the rise of new products such as Buy Now Pay Later (BNPL) are among significant changes since the last review in 2017.

The review makes proposals to amend the CR Code to strengthen privacy protections and provide greater clarity for industry on their obligations.

These include proposals aimed at:

  • streamlining processes for individuals, such as getting access to their credit reports and correcting their information, and developing guidance for individuals that explains their rights, including when a credit provider needs to give notice that their information is being used or disclosed versus when it needs to seek their consent
  • introducing a ‘soft enquiries’ framework to allow people to ‘shop around’ for credit products and seek quotes, without this information being included on their credit report
  • offering an automatic extension to people who have been subject to identity theft when they request a ban on their credit report to prevent fraud
  • including domestic abuse as an example of circumstances beyond the individual’s control to allow credit providers not to report default information about overdue payments
  • requiring credit reporting bodies (CRBs) to remove statute-barred debts from an individual’s credit report.

The OAIC plans to implement the proposals in the report over the next two years primarily through variations to the CR Code and OAIC guidance.

Where issues cannot be addressed through amendments to the CR Code or guidance, the OAIC intends to raise them with the Attorney-General so they can be considered in preparation for the review of Part IIIA of the Privacy Act required to be completed before 1 October 2024.

Report background

Download 2021 Independent review of Privacy (Credit Reporting) Code

Notes for media

The 2021 Independent review of the Privacy (Credit Reporting) Code examined Version 2.1.

Subsequently the CR Code has been varied and the current version in force is Version 2.3.

Under Paragraph 24.3 of the CR Code, the Australian Information Commissioner is required to conduct an independent review of the operation of the CR Code every 4 years.

Under s 25B of the Privacy Act 1988, the Attorney-General must cause an independent review to be conducted of the operation of Part IIIA which must be completed before 1 October 2024.

See the Review of the Privacy (Credit Reporting) Code 2014 Consultation Paper published on 7 December 2021.

Credit reporting terms

For brief explanations of common credit reporting terms, please see Credit reporting terms.

A credit provider is defined in the Privacy Act as:

  • a bank
  • an organisation or small business operator, if a substantial part of its business is the supply of credit e.g. a building society, finance company or a credit union
  • a retailer that issues a credit card for the sale of goods or services
  • an organisation or small business operator that supplies goods and services where payment is deferred for 7 days or more e.g. a telecommunications carrier, an energy utility or a water utility
  • an organisation or small business operator that supplies credit for the hiring, leasing or renting of goods.

Note that real estate agents, general insurers and employers are specifically excluded from the definition of a credit provider in the Privacy Act.

A credit reporting body is an organisation whose business involves handling personal information to give another organisation information about the creditworthiness of an individual.

There are 3 credit reporting bodies in Australia: