Privacy and credit reporting
-
The handling of certain types of personal information by credit providers and credit-reporting bodies is regulated under the Privacy Act. (A credit-reporting body is defined in the Privacy Act.)
The provisions in Part IIIA are supplemented by the Privacy Regulation 2013 and the CR Code 2014, which is a credit reporting Code of Practice registered under the Privacy Act (together, the ‘credit-reporting regime’). The latest amendments, CR Code 2014 (Version 2.3), enhance protection for consumers who agree to a financial hardship agreement with their lender, with their repayment history safeguarded through a special payment arrangement.
Depending on the specific context, the credit-reporting regime applies to the collection, use or disclosure of credit-related information instead of, or in addition to, the APPs in Part IIIA of the Privacy Act.
This regime distinguishes between ‘consumer’ and ‘commercial’ credit (as defined in the Privacy Act). It focuses on the regulation of information that has a bearing on an individual’s credit-worthiness in respect of consumer credit.
A credit provider may carry out a ‘credit check’ to confirm a consumer’s credit-worthiness when they assess an application for a consumer loan, credit card, or the supply of goods on deferred payment terms (e.g. an application for a post-paid mobile phone service). The credit provider may be mandated to do so by applicable law (including under the National Credit Code, the Telecommunications Consumer Protection Code or the National Energy Retail Rules).
A credit provider must be a member of a recognised EDR scheme to participate in the credit-reporting regime (see ‘Making a complaint’, below).
Credit-reporting bodies are permitted to collect, use and disclose credit-related information about individuals. Credit-reporting bodies provide such information on request to credit providers so they can assess applications for consumer credit. These requests are recorded and become part of the credit-related information held by the credit-reporting body.
Key aspects of the credit-reporting regime are:
restrictions on the types of information permitted to be exchanged;
restrictions on the use and disclosure by credit providers and credit-reporting bodies of credit-related information;
obligations on credit providers and credit-reporting bodies to notify individuals about their handling of credit-related information; and
rights for individuals to request access to the credit-related information about them, and to seek amendments or to submit complaints.
In September 2022, the OAIC completed a major review of the CR Code 2014 to determine whether it remains fit for purpose and provides adequate privacy protections for individuals. The OAIC plans to implement the proposals in its report over the next two years, primarily through further variations to the CR Code 2014 and OAIC guidance.
Where issues cannot be addressed through amendments to the CR Code 2014 or guidance, the OAIC intends to raise them with government for consideration in preparation for the review of Part IIIA of the Privacy Act, required to be completed before 1 October 2024.
-
Broadly, the credit-reporting regime permits credit providers and credit-reporting bodies to collect and disclose certain types of credit-related information. This includes information about:
an individual’s identity;
credit that the individual holds or has previously applied for, including the type and amount of credit, and the dates when the credit account was opened and terminated;
an individual’s repayment history;
credit defaults (that is, payments of $150 or more that are at least 60 days overdue);
certain terms and conditions on which consumer credit is issued, and agreements by an individual to vary those terms; and
court proceedings or personal insolvency, and information about serious credit infringements.
Credit information generally appears on a credit report as a number (from zero to seven), showing the age, in months, of the oldest missed payment. This information remains on the credit report for two years.
Information about an individual’s repayment history can be quite detailed: it can include whether an individual has met monthly payments, the day on which a payment was due and the day on which it was paid. A credit provider can disclose (and receive from a credit-reporting body or another credit provider) repayment history information only if the credit provider holds an Australian credit licence under the National Consumer Credit Protection Act 2009 (Cth).
Credit-reporting bodies can also use and disclose information that they derive from other credit-related information. For example, a credit-reporting body might use other information it collects to give an individual a credit score or risk assessment, and may disclose this to a credit provider who has requested a credit report. A credit provider may in turn use this information (and other information they hold) to derive their own conclusions about credit eligibility.
-
The credit-reporting regime permits credit-reporting bodies and credit providers to disclose credit-related information, but only for certain purposes.
Subject to some limitations, a credit provider can disclose to a credit-reporting body credit-related information about an individual that the credit provider reasonably believes is over 18 years old, provided that the credit provider is a member of a recognised EDR scheme. Additional limitations apply to the disclosure of certain types of information, including information about repayments or credit defaults.
A credit provider is permitted to use or disclose credit-related information obtained from a credit-reporting body (called ‘credit-eligibility information’ in the credit-reporting regime) only for the purposes permitted under the credit-reporting regime.
There is a general prohibition on credit-related information being used or disclosed by a credit-reporting body for the purposes of direct marketing. However, a credit-reporting body is permitted to use certain types of credit-related information to make a ‘pre-screening assessment’: an assessment about specified individuals’ eligibility to receive direct marketing from credit providers for the purpose of eliminating ineligible individuals from a list provided by a credit provider.
The credit provider can then use this pre-screening assessment to conduct direct marketing. Individuals have a right to request that credit-reporting bodies not use information about them to make pre-screening assessments.
Credit-reporting bodies are also prohibited from using or disclosing credit-related information if an individual reasonably believes that they have been a victim of fraud, and requests that the information not be disclosed during a ban period (of 21 days, unless extended) unless required to do so by law or if the individual consents.
If a credit provider provides consumer credit to the relevant individual during a ban period, the credit provider is not permitted to disclose credit information relating to that consumer credit to a credit-reporting body unless the credit provider has taken reasonable steps to identify the individual.
-
The credit-reporting regime imposes an obligation on credit providers and credit-reporting bodies to notify individuals about certain uses and disclosures of their credit-related information.
A credit provider is required to notify an individual (at or before the time it collects credit-related information about that individual) of the information that it is likely to disclose to a credit-reporting body. A credit provider is also required to notify the individual of certain additional matters under APP 5 (discussed above) if it collects credit-related information about that individual.
Significantly, a credit provider must notify the credit-reporting body if – within 90 days of obtaining a credit report about an individual – it refuses a consumer credit application. The notice must be provided within 10 business days of the credit provider notifying the individual of the refusal.
A credit provider must notify an individual before passing on information about their credit defaults to a credit-reporting body.
The individual must be given a written notice informing them that their payment is overdue by 60 days or more, and requesting that the overdue amount be paid.
The credit provider must then give the individual a separate notice of their intention to disclose the information to a credit-reporting body, and cannot disclose the information until 14 days after the second notice was given.
Credit providers and credit-reporting bodies must give notices of decisions about requests by individuals to access/correct their credit-related information.
-
An individual can request to access the credit-related information that a credit provider or credit-reporting body holds about them. Credit providers and credit-reporting bodies must provide access within a reasonable period (credit-reporting bodies must provide access within 10 days; credit providers must provide access within 30 days, unless unusual circumstances apply).
Individuals are entitled to access information held by a credit-reporting body at no charge:
once every 12 months; or
at any time within 90 days of being refused credit by a credit provider.
Otherwise, credit-reporting bodies can impose access charges, so long as such charges are not excessive. Credit providers may impose a reasonable charge for providing access to credit information.
Credit providers and credit-reporting bodies must present information to individuals in a clear and accessible way, and must provide reasonable explanations and summaries to assist the individual to understand how the information impacts on their credit-worthiness.
Instructions on how to access information held by a credit-reporting body or a credit provider must be included in the credit-reporting body’s or credit provider’s credit-reporting policy, which is usually available on the credit-reporting body’s or credit provider’s website. Contact information for the main Australian credit-reporting bodies is provided in ‘Contacts’ at the end of this chapter.
A credit provider or credit-reporting body that refuses an individual’s request to access credit-related information must give the individual a notice setting out their reasons for the refusal and how the individual can complain about this refusal.
-
An individual has the right to seek the correction of their credit-related information. Credit providers and credit-reporting bodies must correct information that is inaccurate, out-of-date, incomplete, irrelevant or misleading, within 30 days of receiving a correction request from an individual (or a longer period agreed to by the individual in writing).
A credit provider or credit-reporting body is required to deal with a correction request themselves; they cannot refer the request to another credit provider or credit-reporting body. A credit provider or credit-reporting body is required to consult another credit provider or credit-reporting body (if necessary) to determine whether the relevant information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
To meet their obligations to correct information, credit providers and credit-reporting bodies must take reasonable steps to ensure that any derived information (e.g. credit scores or ratings) reflects the corrections.
Individuals have additional rights about their credit default information.
Credit providers and credit-reporting bodies must notify an individual of their decision about a correction request, generally within five days of the decision. If a request is refused, they must provide the reasons for the refusal.
-
An individual can make a complaint about how credit providers and credit-reporting bodies have handled their information or dealt with their requests.
First, an individual should complain to the relevant credit provider or credit-reporting body. If not satisfied with the outcome, the individual can complain to an EDR scheme of which the credit provider or the credit-reporting body is a member. Credit providers and credit-reporting bodies can advise whether they are a member of the EDR scheme on request.
However, if a complaint relates to a decision about access to, or correction of, personal information, an individual can first complain to an EDR scheme.
Since November 2018, the EDR scheme recognised by the Information Commissioner for the financial services sector has been the Australian Financial Complaints Authority. Complaints about credit providers that are not financial service providers may be made to another EDR provider (if applicable) or to the OAIC directly. If a person is not satisfied with the EDR outcome, they may complain to the Information Commissioner.
More information about the credit-reporting regime is available on the OAIC’s website (www.oaic.gov.au/privacy). Also, the Australian Retail Credit Association maintains an information website (www.creditsmart.org.au) to help consumers understand the application of the Privacy Act to credit reporting.
Chapter: 12.2: Privacy and your rights
Contributor: Melanie Casley, Senior Privacy Consultant, Salinger Privacy
Current as of: 1 September 2024
Law Handbook Page: 1033