Part IIIA of the Privacy Act 1988 (Cth) (“PA 1988”) regulates the handling of certain types of personal information by credit providers and credit reporting bodies (as defined in PA 1988). The provisions in part IIIA are supplemented by the Privacy Regulation 2013 and the Privacy (Credit Reporting) Code 2014 (Version 1.2) (“CR Code”), a Code of Practice relating to credit reporting that is registered under the PA 1988 (together, “Credit Reporting Regime”).
Depending on the specific context, the Credit Reporting Regime applies to the collection, use or disclosure of credit-related information instead of, or in addition to, the Australian Privacy Principles (APPs) in part IIIA of the PA 1988.
The Credit Reporting Regime distinguishes between consumer and commercial credit (as defined in the PA 1988). It focuses on the regulation of information that has a bearing on an individual’s credit-worthiness in respect of consumer credit.
An example of the functions of the Credit Reporting Regime is where credit providers (e.g. banks, telcos and energy retailers) use information about an individual’s consumer creditworthiness when they assess an application for a consumer loan, credit card, or the supply of goods on deferred payment terms (e.g. an application for a post-paid mobile phone service). In some instances, a credit provider carrying out a “credit check” before entering into an arrangement to provide credit is mandated by applicable law (including under the National Credit Code, the Telecommunications Consumer Protection Code or the National Energy Retail Rules).
In order to participate in the Credit Reporting Regime, a credit provider must be a member of a recognised external dispute resolution scheme (see “Making a complaint”).
Credit reporting bodies are permitted to collect, use and disclose credit-related information about individuals. Credit reporting bodies provide such information on request to credit providers so they can assess applications for consumer credit. These requests are recorded and become part of the credit-related information held by the credit reporting body.
Key aspects of the Credit Reporting Regime are:
• restrictions on the types of information permitted to be exchanged;
• restrictions on the use and disclosure by credit providers and credit reporting bodies of credit-related information;
• obligations on credit providers and credit reporting bodies to notify individuals about certain matters in relation to their handling of credit-related information;
• rights for individuals to request access to the credit-related information about them, and to seek amendments or to submit complaints.
Broadly, the Credit Reporting Regime permits credit providers and credit reporting bodies to collect and disclose certain types of credit-related information, including information about:
• an individual’s identity;
• credit that the individual holds or has previously applied for, including the type and amount of credit, and the dates when the credit account was opened and terminated;
• an individual’s repayment history;
• credit defaults (that is, payments of $150 or more that are at least 60 days overdue);
• certain terms and conditions on which consumer credit is issued, and agreements by an individual to vary those terms; and
• court proceedings or personal insolvency, and information about serious credit infringements.
Information about an individual’s repayment history and consumer credit liability could not be disclosed under the credit reporting regime as it existed prior to 12 March 2014. Credit providers may disclose to credit reporting bodies repayment history information relating to payments an individual has made or missed since 12 December 2012.
Information about an individual’s repayment history can be quite detailed: it can include whether an individual has met monthly payments, including the day on which a payment was due and the day on which it was paid. A credit provider is permitted to disclose (and receive from a credit reporting body or another credit provider) repayment history information only if the credit provider holds an Australian credit licence under the National Consumer Credit Protection Act 2009 (Cth).
Credit reporting bodies can also use and disclose information that they derive from other credit-related information. For example, a credit reporting body might use other information it collects to give an individual a credit score or risk assessment, and may disclose this to a credit provider who has requested a credit report. A credit provider may in turn use this information (and other information they hold) to derive their own conclusions about credit eligibility.
The Credit Reporting Regime permits credit reporting bodies and credit providers to disclose credit-related information, but only for certain purposes.
For example, a credit reporting body may disclose credit-related information if it is requested by a credit provider for the purpose of assessing an individual’s application for consumer credit, or to collect payments that are overdue in relation to consumer credit. A credit reporting body may also disclose credit-related information to a credit provider for the purpose of assessing an application for commercial credit if the relevant individual has consented to the disclosure for that purpose.
Subject to some limitations, a credit provider can disclose to a credit reporting body credit-related information about an individual that the credit provider reasonably believes is over 18 years old, provided that the credit provider is a member of a recognised external dispute resolution scheme. Additional limitations apply to the disclosure of certain types of information, including information about repayments or credit defaults.
A credit provider is permitted to use or disclose credit-related information obtained from a credit reporting body (referred to in the Credit Reporting Regime as “credit eligibility information”) only for the purposes permitted under the Credit Reporting Regime.
There is a general prohibition on credit-related information being used or disclosed by a credit reporting body for the purposes of direct marketing. However, a credit reporting body is permitted to use certain types of credit-related information to make a “pre-screening assessment”: an assessment about specified individuals’ eligibility to receive direct marketing from credit providers for the purpose of eliminating ineligible individuals from a list provided by a credit provider. The credit provider can then use this pre-screening assessment to conduct direct marketing. Individuals have a right to request that credit reporting bodies not use information about them to make pre-screening assessments.
Credit reporting bodies are also prohibited from using or disclosing credit-related information if an individual reasonably believes that they have been a victim of fraud, and requests that the information not be disclosed during a ban period (of 21 days, unless extended) unless required to do so by law or if the individual consents. If a credit provider provides consumer credit to the relevant individual during a ban period, the credit provider is not permitted to disclose credit information relating to that consumer credit to a credit reporting body unless the credit provider has taken reasonable steps to identify the individual.
The Credit Reporting Regime imposes an obligation on credit providers and credit reporting bodies to notify individuals about certain uses and disclosures of their credit-related information.
A credit provider is required to notify an individual (at or before the time it collects credit-related information about that individual) of the information that it is likely to disclose to a credit reporting body. A credit provider is also required to notify the individual of certain additional matters under APP 5 (discussed above) if it collects credit-related information about that individual.
Significantly, a credit provider must notify the credit reporting body if – within 90 days of obtaining a credit report about an individual – it refuses a consumer credit application. The notice must be provided within 10 business days of the credit provider notifying the individual of the refusal.
A credit provider must also notify an individual before passing on information about their credit defaults to a credit reporting body. The individual must be given a written notice informing them that their payment is overdue by 60 days or more, and requesting that the overdue amount be paid. The credit provider must then give the individual a separate notice of their intention to disclose the information to a credit reporting body, and cannot disclose the information until 14 days after the second notice was given.
Credit providers and credit reporting bodies must also give notices of decisions about requests by individuals to access or correct their credit-related information.
An individual can request to access the credit-related information that a credit provider or credit reporting body holds about them. Credit providers and credit reporting bodies must provide access within a reasonable period (credit reporting bodies must provide access within 10 days; credit providers must provide access within 30 days, unless unusual circumstances apply).
Individuals are entitled to access information held by a credit reporting body at no charge:
• once every 12 months; or
• at any time within 90 days of being refused credit by a credit provider.
Otherwise, credit reporting bodies can impose access charges, so long as such charges are not excessive. Credit providers may impose a reasonable charge for providing access to credit information.
Credit providers and credit reporting bodies must present information to individuals in a clear and accessible way, and must provide reasonable explanations and summaries to assist the individual to understand how the information impacts on their credit worthiness.
Instructions on how to access information held by a credit reporting body or a credit provider must be included in the credit reporting body’s or credit provider’s credit reporting policy, which is usually available on the credit reporting body’s or credit provider’s website. Contact information for the main Australian credit reporting bodies is provided in “Contacts”.
A credit provider or credit reporting body that refuses an individual’s request to access credit-related information must give the individual a notice setting out their reasons for the refusal and how the individual can complain about this refusal.
An individual has the right to seek the correction of their credit-related information. Credit providers and credit reporting bodies must correct information that is inaccurate, out-of-date, incomplete, irrelevant or misleading, within 30 days of receiving a correction request from an individual (or a longer period agreed to by the individual in writing).
A credit provider or credit reporting body is required to deal with a correction request themselves; they cannot refer the request to another credit provider or credit reporting body. A credit provider or credit reporting body is required to consult another credit provider or credit reporting body (if necessary) to determine whether the relevant information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
To meet their obligations to correct information, credit providers and credit reporting bodies must take reasonable steps to ensure that any derived information (e.g. credit scores or ratings) reflects the corrections.
Individuals have additional rights about their credit default information. For example, an individual can request a credit reporting body to destroy any default information where the limitation period for recovery of the debt (generally six years) has expired.
Credit providers and credit reporting bodies must notify an individual of their decision about a correction request, generally within five days of the decision. If a request is refused, they must provide the reasons for the refusal.
An individual can make a complaint about how credit providers and credit reporting bodies have handled their information or dealt with their requests.
First, an individual should complain to the relevant credit provider or credit reporting body.
Second, if the individual is not satisfied with the outcome, they can then complain to an external dispute resolution (EDR) scheme of which the credit provider or the credit reporting body is a member.
However, if a complaint relates to a decision about access to, or correction of, personal information, an individual can first complain to an EDR scheme.
EDR schemes that are recognised by the Australian Information Commissioner include:
• the Financial Ombudsman Service;
• the Credit and Investments Ombudsman;
• the Telecommunications Industry Ombudsman.
Credit providers and credit reporting bodies can advise which EDR scheme they are a member of, on request.
Contact details for the EDR schemes are listed at the end of this chapter.
If an individual is not satisfied with the outcome of EDR, they may complain to the Australian Information Commissioner (see “Contacts”).