Financial Services Privacy Update (Part One): Credit Reporting Information
Financial Services Privacy Update (Part One): Credit Reporting Information

Contained within the Privacy Act 1988 and the Privacy (Credit Reporting) Code 2014 is a regime concerning the collection, storage and use of data relating to an individual’s credit’s history and credit worthiness information.

The Office of the Australian Information Commissioner (‘OAIC’) recently conducted a review of the Code and made several recommendations for change, providing a timely reminder of the nature of the Code and the obligations on all parties involved in requests for credit reporting information.


The Privacy Act 1988 and the concept of credit reporting

Many financial services providers, including both credit providers under the National Consumer Credit Protection Act 2009 and unregulated credit providers, rely heavily on credit history reports for individuals to determine whether credit should be extended.

There are credit reporting bodies that gather and make available to credit providers information concerning:

  1. when and how often an individual has applied for credit;
  2. when and how often that individual may have defaulted on payments in a prior credit arrangement; and
  3. whether any such default remains outstanding or whether it has been rectified.

Additionally, credit reporting bodies operate businesses by using credit and personal information to assist credit providers in marketing their products. Credit reporting bodies may also provide pre-screening services, enabling credit providers to offer unsolicited credit.


The privacy legislation

The Privacy Act 1988 contains a lengthy and detailed Part 3A which deals with the privacy concerns arising in this credit reporting.  This is supported by the Privacy (Credit Reporting) Code 2014, which provides guidance to credit reporting bodies, credit providers and their agents regarding:

  • how and in what manner they can receive information;
  • what they can do with it; and
  • how they can provide it others.

The legislation provides mechanisms by which individuals can seek information from credit reporting bodies and credit providers in relation to what information they hold and whether it is correct.

The legislation also provides a mechanism to ban the release of information held if there is a suggestion it may have been created fraudulently.


Credit reporting body obligations

The credit reporting body (i.e. the entity that gathers and holds the information), is obligated to prepare detailed and transparent management policies covering how it holds and uses the information. 

The information gathered may not be disclosed except in very limited circumstances, as detailed within the legislation. Such circumstances include:

  • disclosure to credit providers when assessing applications for consumer credit or commercial credit;
  • when a credit provider considers there has been a default or serious credit infringement by the individual; or
  • to mortgage insurers and trade insurers (in certain circumstances).

The legislation obliges credit reporting bodies to ensure that information obtained is up to date and accurate, or if it is not, that it be deleted and removed. 

Credit reporting bodies may de-identify information and use that de-identified information for the purpose of conducting research in compliance with the rules. 


Information held by credit providers

The legislation also sets out a regime by which credit providers (i.e. providers of consumer credit under the National Consumer Credit Protection Act 2009, as well as providers of commercial credit), may seek and use credit-related information of consumers.

The legislation allows use of the information in certain, limited circumstances.  Generally, the legislation allows use for the purpose of assessing applications for credit, and in some cases, to assist in enforcement of debts. 

Credit providers are obligated to disclose “default” information to a credit reporting body if there is a default by a consumer in payment. “Default” refers to circumstances where a payment (greater than $150) is more than 60 days overdue.  However, reporting this information must not occur in cases where there is a financial hardship application.


Agency issues

Credit providers do not always carry out all tasks associated with assessing credit by themselves – they often use agents, software providers, and other individuals to assist them.  In doing so, the legislation permits agents to receive and give information in circumstances that would otherwise breach the Privacy Act 1988.

There are numerous provisions which attempt to resolve these points, to protect agents who process applications for credit made to the credit provider, or manage their credit, or otherwise deal with the credit information. 

Credit reporting bodies, credit providers, and their agents must carefully analyse and ensure that they satisfy the requirements relating to their entitlement to receive and disclose information, and that they comply with the terms of the legislation. 


Privacy (Credit Reporting) Code 2014

The Privacy (Credit Reporting) Code 2014 assists credit reporting bodies, credit providers and agents in determining and ensuring they meet their obligations under the legislation.  The Code has been updated on a number of occasions (it is currently in Version 2.3).

The Code attempts to set out and precisely clarify the obligations on individuals within the scheme, so they can understand and comply with those obligations.

The Code recently came under review by the OAIC.  The OAIC has identified several changes which should be made to the Code to make it more workable, and to ensure that it protects the interests of consumers.

In its 20 September 2022 media release, the OAIC identified the proposed changes to the Code, which include:

  1. streamlining processes for individuals to obtain their own credit reports and credit history, and to enable them to correct information wrongly recorded;
  2. to address and introduce the concept of a “soft enquiry,” where an individual makes tentative enquires about the availability of credit (in order to ‘shop around’), without that enquiry being registered on their credit history as a request for credit which is not pursued;
  3. an extension to banning periods and the processes of obtaining a banning order where the person believes that their credit history has been wrongly recorded because of identity theft;
  4. requiring that credit reporting bodies remove statute barred debts from an individual’s credit report; and
  5. extending circumstances in which a credit history is removed where it has arisen because of a domestic violence related situation.

The next step is for review of the formal Code, with potential for a revised by Code by about 1 October 2024.

See Financial Services Privacy Update (Part Two): Consumer Data Right Requests and Process for information concerning:

  • What is Consumer Data?
  • Requests relevant to the financial services industry
  • Trusted Advisor status and process
  • All subject to consent
  • Accredited Data Recipients
  • CDR Representatives
  • Other agents status

If you have a query relating to any of the information in this article, or you would like to speak with someone in respect of a matter of your own, please don’t hesitate to get in touch with Nick Maley, Partner within Holman Webb’s Banking & Finance Group.


Recent Posts