Privacy and your rights

Part IIIA of the Privacy Act 1988 (Cth) (‘PA 1988’) regulates the handling of certain types of personal information by credit providers and credit-reporting bodies (as defined in PA 1988).

The provisions in Part IIIA of the PA 1988 are supplemented by the Privacy Regulation 2013 and the Privacy (Credit Reporting) Code 2014 (‘CR Code 2014‘), which is a Code of Practice that relates to credit reporting that is registered under the PA 1988 (together, ‘credit-reporting regime’).

On 10 March 2022, the Information Commissioner approved a variation to the CR Code 2014, which has resulted in two tranches of amendments:

• the CR Code 2014 (Version 2.2) commenced on 22 April 2022;
• the CR Code 2014 (Version 2.3) commenced on 1 July 2022.

The CR Code 2014 (Version 2.3) enhances protection for consumers who agree to a financial hardship agreement with their lender, with their repayment history safeguarded through a special payment arrangement.

Depending on the specific context, the credit-reporting regime applies to the collection, use or disclosure of credit-related information instead of, or in addition to, the Australian Privacy Principles (APPs) in Part IIIA of the PA 1988.

The credit-reporting regime distinguishes between consumer and commercial credit (as defined in the PA 1988). It focuses on the regulation of information that has a bearing on an individual’s credit-worthiness in respect of consumer credit.

An example of the functions of the credit-reporting regime is where credit providers (e.g. banks, telcos and energy retailers) use information about an individual’s consumer credit-worthiness when they assess an application for a consumer loan, credit card, or the supply of goods on deferred payment terms (e.g. an application for a post-paid mobile phone service).

In some instances, a credit provider carrying out a ‘credit check’ before entering into an arrangement to provide credit is mandated by applicable law (including under the National Credit Code, the Telecommunications Consumer Protection Code or the National Energy Retail Rules).

In order to participate in the credit-reporting regime, a credit provider must be a member of a recognised external dispute resolution scheme (see ‘Making a complaint’, below).

Credit-reporting bodies are permitted to collect, use and disclose credit-related information about individuals. Credit-reporting bodies provide such information on request to credit providers so they can assess applications for consumer credit. These requests are recorded and become part of the credit-related information held by the credit-reporting body.

Key aspects of the credit-reporting regime are:

• restrictions on the types of information permitted to be exchanged;
• restrictions on the use and disclosure by credit providers and credit-reporting bodies of credit-related information;
• obligations on credit providers and credit-reporting bodies to notify individuals about their handling of credit-related information;
• rights for individuals to request access to the credit-related information about them, and to seek amendments or to submit complaints.

Broadly, the credit-reporting regime permits credit providers and credit-reporting bodies to collect and disclose certain types of credit-related information.

This includes information about:

• an individual’s identity;
• credit that the individual holds or has previously applied for, including the type and amount of credit, and the dates when the credit account was opened and terminated;
• an individual’s repayment history;
• credit defaults (that is, payments of $150 or more that are at least 60 days overdue); 
• certain terms and conditions on which consumer credit is issued, and agreements by an individual to vary those terms; and
• court proceedings or personal insolvency, and information about serious credit infringements.

Information about an individual’s repayment history and consumer credit liability could not be disclosed under the credit-reporting regime as it existed before 12 March 2014. Now, credit information generally appears on a credit report as a number (from zero to seven), showing the age, in months, of the oldest missed payment. This information remains on the credit report for two years.

Information about an individual’s repayment history can be quite detailed: it can include whether an individual has met monthly payments, the day on which a payment was due and the day on which it was paid. A credit provider can disclose (and receive from a credit-reporting body or another credit provider) repayment history information only if the credit provider holds an Australian credit licence under the National Consumer Credit Protection Act 2009 (Cth).

Credit-reporting bodies can also use and disclose information that they derive from other credit-related information. For example, a credit-reporting body might use other information it collects to give an individual a credit score or risk assessment, and may disclose this to a credit provider who has requested a credit report. A credit provider may in turn use this information (and other information they hold) to derive their own conclusions about credit eligibility.

The credit-reporting regime permits credit-reporting bodies and credit providers to disclose credit-related information, but only for certain purposes. For example, a credit-reporting body may disclose credit-related information requested by a credit provider for the purpose of assessing an individual’s application for consumer credit, or to collect repayments. A credit-reporting body may also disclose credit-related information to a credit provider for the purpose of assessing an application for commercial credit if the relevant individual has consented to the disclosure for that purpose.

Subject to some limitations, a credit provider can disclose to a credit-reporting body credit-related information about an individual that the credit provider reasonably believes is over 18 years old, provided that the credit provider is a member of a recognised external dispute resolution scheme. Additional limitations apply to the disclosure of certain types of information, including information about repayments or credit defaults.

A credit provider is permitted to use or disclose credit-related information obtained from a credit-reporting body (called ‘credit-eligibility information’ in the credit-reporting regime) only for the purposes permitted under the credit-reporting regime.

There is a general prohibition on credit-related information being used or disclosed by a credit-reporting body for the purposes of direct marketing. However, a credit-reporting body is permitted to use certain types of credit-related information to make a ‘pre-screening assessment’: an assessment about specified individuals’ eligibility to receive direct marketing from credit providers for the purpose of eliminating ineligible individuals from a list provided by a credit provider. The credit provider can then use this pre-screening assessment to conduct direct marketing. Individuals have a right to request that credit-reporting bodies not use information about them to make pre-screening assessments.

Credit-reporting bodies are also prohibited from using or disclosing credit-related information if an individual reasonably believes that they have been a victim of fraud, and requests that the information not be disclosed during a ban period (of 21 days, unless extended) unless required to do so by law or if the individual consents. 

If a credit provider provides consumer credit to the relevant individual during a ban period, the credit provider is not permitted to disclose credit information relating to that consumer credit to a credit-reporting body unless the credit provider has taken reasonable steps to identify the individual.

The credit-reporting regime imposes an obligation on credit providers and credit-reporting bodies to notify individuals about certain uses and disclosures of their credit-related information.

A credit provider is required to notify an individual (at or before the time it collects credit-related information about that individual) of the information that it is likely to disclose to a credit-reporting body. A credit provider is also required to notify the individual of certain additional matters under APP 5 if it collects credit-related information about that individual.

Significantly, a credit provider must notify the credit-reporting body if – within 90 days of obtaining a credit report about an individual – it refuses a consumer credit application. The notice must be provided within 10 business days of the credit provider notifying the individual of the refusal. 

A credit provider must notify an individual before passing on information about their credit defaults to a credit-reporting body. The individual must be given a written notice informing them that their payment is overdue by 60 days or more, and requesting that the overdue amount be paid. The credit provider must then give the individual a separate notice of their intention to disclose the information to a credit-reporting body, and cannot disclose the information until 14 days after the second notice was given.

Credit providers and credit-reporting bodies must give notices of decisions about requests by individuals to access/correct their credit-related information.

An individual can request to access the credit-related information that a credit provider or credit-reporting body holds about them. Credit providers and credit-reporting bodies must provide access within a reasonable period (credit-reporting bodies must provide access within 10 days; credit providers must provide access within 30 days, unless unusual circumstances apply).

Individuals are entitled to access information held by a credit-reporting body at no charge:

• once every 12 months; or
• at any time within 90 days of being refused credit by a credit provider.

Otherwise, credit-reporting bodies can impose access charges, so long as such charges are not excessive. Credit providers may impose a reasonable charge for providing access to credit information.

Credit providers and credit-reporting bodies must present information to individuals in a clear and accessible way, and must provide reasonable explanations and summaries to assist the individual to understand how the information impacts on their credit worthiness.

Instructions on how to access information held by a credit-reporting body or a credit provider must be included in the credit-reporting body’s or credit provider’s credit-reporting policy, which is usually available on the credit-reporting body’s or credit provider’s website. Contact information for the main Australian credit-reporting bodies is provided in ‘Contacts’ at the end of this chapter.

A credit provider or credit-reporting body that refuses an individual’s request to access credit-related information must give the individual a notice setting out their reasons for the refusal and how the individual can complain about this refusal.

An individual has the right to seek the correction of their credit-related information. Credit providers and credit-reporting bodies must correct information that is inaccurate, out-of-date, incomplete, irrelevant or misleading, within 30 days of receiving a correction request from an individual (or a longer period agreed to by the individual in writing).

A credit provider or credit-reporting body is required to deal with a correction request themselves; they cannot refer the request to another credit provider or credit-reporting body. A credit provider or credit-reporting body is required to consult another credit provider or credit-reporting body (if necessary) to determine whether the relevant information is inaccurate, out-of-date, incomplete, irrelevant or misleading.

To meet their obligations to correct information, credit providers and credit-reporting bodies must take reasonable steps to ensure that any derived information (e.g. credit scores or ratings) reflects the corrections.

Individuals have additional rights about their credit default information. For example, an individual can request a credit-reporting body to destroy any default information where the limitation period for recovery of the debt (generally six years) has expired.

Credit providers and credit-reporting bodies must notify an individual of their decision about a correction request, generally within five days of the decision. If a request is refused, they must provide the reasons for the refusal.

An individual can make a complaint about how credit providers and credit-reporting bodies have handled their information or dealt with their requests.

First, an individual should complain to the relevant credit provider or credit-reporting body. Second, if the individual is not satisfied with the outcome, they can complain to an external dispute resolution (EDR) scheme of which the credit provider or the credit-reporting body is a member. Credit providers and credit-reporting bodies can advise whether they are a member of the EDR scheme on request.

However, if a complaint relates to a decision about access to, or correction of, personal information, an individual can first complain to an EDR scheme.

Since November 2018, the EDR scheme recognised by the Information Commissioner is the Australian Financial Complaints Authority.

If a person is not satisfied with the EDR outcome, they may complain to the Australian Information Commissioner.

More information about the credit-reporting regime is available on the Office of the Australian Information Commissioner’s website.

Also, the Australian Retail Credit Association maintains an information website (https://creditsmart.org.au) to help consumers understand the effects of the PA 1988 on credit reporting.