- solely liable for the credit
- jointly liable for the credit; or
- the guarantor in respect of the credit
- the number allocated by the CP for the consumer credit provided to the relevant individual;
- any previous number allocated by the CP for the consumer credit provided to the relevant individual; and
- where a transfer event has occurred – the number allocated by the previous CP for that consumer credit (the number to be truncated to the first six and the last four digits of the account number where the account is a credit card or debit card account).
- irretrievably omits the relevant information from the databases that it utilises for the purposes of making disclosures permitted under Part IIIA; and
- is not able to use, and will not attempt to use, the information, including for the purposes of deriving CRB derived information; and
- is not able to disclose, and will not attempt to disclose, the information;
- surrounds the information with appropriate technical and organisational security; and
- commits to irretrievably destroy the information if, or when, this becomes possible.
- is not able to use, and will not attempt to use, the information, including for the purpose of deriving CP derived information; and
- is not able to disclose, and will not attempt to disclose, the information; and
- surrounds the information with appropriate technical and organisational security; and
- commits to irretrievably destroy the information if, or when, this becomes possible.
- “Month” is a period:
- starting at the start of any day of one of the calendar months; and
- ending on any of the following days, as determined by the CP:
- immediately before the start of the corresponding day of the next calendar month; or
- where the day before the corresponding day of the next calendar month is a non-business day, the end of the next business day following that day; or
- if there is no such day – at the end of the next calendar month
Privacy Act Part IIIA Provisions
Sec 20N(3) and 20Q(2)
2. Credit reporting system arrangements
Part IIIA requires CRBs to enter into written contracts with CPs that require CPs to ensure that the credit information that they disclose to CRBs is accurate, up-to-date and complete and that credit reporting information provided by CRBs to CPs is reasonably protected.
2.1 An agreement entered into by a CRB with a CP to meet the requirements of Section 20N(3) and Section 20Q(2) must oblige both parties to comply, to the extent applicable from time to time, with Part IIIA, the Privacy Regulation 2013 (the Regulations) and the CR Code.
Para 4.1 of the pre-reform code
Hardship Ex Mem, p. 55
2.2 CRBs, CPs, mortgage insurers and trade insurers must take reasonable steps:
- to inform employees, who handle credit reporting information or credit eligibility information, of the requirements of Part IIIA, the Regulations and this CR code that relate to information of these types; and
- to train employees, who handle credit reporting information or credit eligibility information, in the practices, procedures and systems that are designed to achieve compliance with those requirements.
2.3 This CR code does not bind non-participating credit providers , other than paragraph 2.4.
2.4 For the purposes of the definition of non-participating credit provider in Subsection 6(1) of the Privacy Act, a CP is not a non-participating credit provider if the CP:
- has represented to an individual who has been provided credit by the CP that the CP may disclose credit reporting information or credit eligibility information about the individual to a CRB (unless the CP has subsequently advised the individual in writing that the CP will not make the disclosures and has, in fact, not made any such disclosures); or
- acquires the rights of another CP in relation to the repayment of an amount of credit and that second CP was not a non-participating credit provider .
Privacy Act Part IIIA Provisions
Sec 20B, Sec 21B, Sec 22A
3. Open and transparent management of credit reporting information
Part IIIA obliges each CRB, CP and affected information recipient to have a policy about their management of credit-related personal information including the kinds of information they collect, how they collect and hold that information, what they use that information for and to whom the information is disclosed. This policy must be made freely available. They must also take reasonable steps to implement practices, procedures and systems to ensure compliance with their credit reporting obligations under Part IIIA, the Regulations and this CR code.
Para 1.6 of the pre-reform code.
3.1 A CRB must publish on its website its policy about the management of credit reporting information that is required by Section 20B.
Privacy Act Part IIIA Provisions
4. Information collection procedures
Where a CP collects personal information that the CP is likely to disclose to a CRB, the CP is required by Part IIIA to notify or ensure the individual is aware of:
- the CRBs with which the CP deals; and
- other matters required by the CR code.
This must occur at or before the time of collection of the personal information.
Sec 21C, Explanatory Memorandum p.160
4.1 At or before the time a CP collects personal information about an individual that the CP is likely to disclose to a CRB, the CP must notify or otherwise ensure that the individual is made aware of the following matters in addition to the matters specified in Section 21C(1)(a):
- the CRB may include the information in reports provided to CPs to assist them to assess the individual’s credit worthiness;
- that if the individual fails to meet their payment obligations in relation to consumer credit or commits a serious credit infringement, the CP may be entitled to disclose this to the CRB;
- how the individual may obtain the CP’s policy about the management of credit-related personal information required by Section 21B and the CRB's policy about the management of credit-related personal information required by Section 20B;
- the individual's rights to access the information from the CP, to request the CP to correct the information and to make a complaint to the CP;
- the individual's right to request CRBs not to use their credit reporting information for the purposes of pre-screening of direct marketing by a CP; and
- the individual’s right to request the CRB not to use or disclose credit reporting information about the individual, if the individual believes on reasonable grounds that the individual has been, or is likely to be, a victim of fraud.
Sec 21C, Explanatory Memorandum p.160
4.2 A CP may comply with the obligations in Section 21C(1)(a) and paragraph 4.1 of this CR code to notify or ensure an individual is aware of specified matters (the notifiable matters) by:
- publishing a clearly expressed statement of the notifiable matters on its website; and
- at or before the time of collection of the personal information from the individual, notifying the individual or otherwise making the individual aware of the following:
- that the CP’s website includes information about credit reporting, including the CRBs to which the CP is likely to disclose the individual’s credit information; and
- a brief description of the key issues contained in the statement of notifiable matters; and
Privacy Act Part IIIA Provisions
5. Practices, procedures and systems
Part IIIA permits CRBs, subject to conditions, to collect and disclose the following types of credit information:
- identification information about the individual;
- consumer credit liability information about the individual;
- repayment history information about the individual;
- a statement that an information request has been made in relation to the individual by a CP, mortgage insurer or trade insurer;
- the type of consumer credit or commercial credit and amount of credit sought in an application to a CP and in connection with which the CP has made an information request;
- default information in relation to an individual;
- payment information about the individual;
- new arrangement information about the individual;
- court proceedings information about the individual;
- personal insolvency information about the individual;
- publicly available information as to the individual's credit worthiness (subject to some exceptions); or
- the CP's opinion that the individual has committed a serious credit infringement in relation to consumer credit provided by the CP to the individual.
- A CRB must not:
- collectpersonal information about an individual’s activities in relation to consumer credit that is not credit information
- use personal information about an individual’s activities in relation to consumer credit that is not credit information to derive CRB derived information
- disclose personal information about an individual’s activities in relation to consumer credit that is not credit information or credit reporting information unless the information is either credit ID information or capacity information and is collected or disclosed at the same time as the credit information or credit reporting information.
- disclose to a CRB or another CP (second CP) personal information about an individual’s activities in relation to consumer credit that:
- 1) was disclosed to the CP by a CRB and that is not credit reporting information; or
- 2) was derived (wholly or in part) from personal information about an individual’s activities in relation to consumer credit that was disclosed to the CP by a CRB and that is not credit reporting information unless that information is either credit ID information or capacity information and is disclosed at the same time as the credit information or credit reporting information. In this paragraph, the second CP includes a person who is a credit provider due to the operation of section 6H of the Privacy Act.
- the personal information is information:
- that a CRB lawfully holds immediately prior to the date of commencement of this CR code as permitted under section 18E of the Privacy Act prior to that date; or
- that a CP holds and that has been disclosed by a CRB to the CP or collected from a CRB under this paragraph, or under the law as in force immediately prior to the date of commencement of this CR code; and
- the personal information is not information about a payment that is overdue in relation to consumer credit, where the amount of the overdue payment is less than $150, and
- the relevant use or disclosure occurred on or before 12 March 2016 or the expiry of the relevant retention period, whichever is sooner; or
- the personal information is a file note entered at the request of the individual prior to the commencement date of this CR code, and the individual has not subsequently requested its removal.
5.2 CRBs and CPs must not agree or implement procedures to standardise CPs’ numbering conventions for consumer credit.
Para 2.4, 2.5 and 2.6 of the pre-reform code
5.3 A CP must have reasonable practices, procedures and systems, given the size and complexity of its business, that are designed to cover obligations under Part IIIA, the Regulations and the CR code, and in particular:
- ensure that it does not disclose information to a CRB that it is prohibited by Part IIIA, the Regulations or this CR code from disclosing;
- as soon as practicable, advise the relevant CRB if the CP becomes aware that it has disclosed information to the CRB that it is prohibited from disclosing by Part IIIA, the Regulations or this CR code;
- ensure that it only discloses credit information that is accurate, up-to-date and complete;
- if it identifies that credit information that it has disclosed to a CRB is not accurate, up-to-date and complete:
- as soon as practicable advise the CRB of this; and
- take reasonable steps to address this;
- take reasonable steps to review its credit-related personal information management practices, procedures and systems, to assess whether credit information it has disclosed to CRBs is accurate, up-to-date and complete;
- take reasonable steps to rectify any issues that are identified; and
- advise the CRB of the results of the review and action taken to rectify issues; and
Para 1.3 and 1.4 of the pre-reform code
5.4 A CRB must have reasonable practices, procedures and systems that are designed to cover the obligations under Part IIIA, the Regulations and the CR code and in particular enable the CRB to:
- use the information disclosed by CPs in relation to individuals’ dates of birth to identify any information disclosed by a CP that:
- relates to an act, omission, matter or thing that occurred or existed before the relevant individual turned 18; and
- that is prohibited by Part IIIA, the Regulations or this CR code from being disclosed by the CP to the CRB;
- take reasonable steps to review its credit information management practices, procedures and systems;
- rectify any issues that are identified; and
- advise the CRB of the results of the review; and
Privacy Act Part IIIA Provisions
6. Consumer credit liability information
The information that Part IIIA permits CRBs, subject to conditions, to collect and disclose includes consumer credit liability information – this is defined as information about:
- the name of the CP;
- whether the CP is a licensee;
- the type of consumer credit;
- the day on which the consumer credit is entered into;
- the terms or conditions of the consumer credit that relate to repayment of the amount of the credit; and that are prescribed by the Regulations;
- the maximum amount of credit available under the consumercredit;
- the day on which the consumer credit is terminated or otherwise ceases to be in force.
Explanatory Memorandum p.103
6.1 CRBs must develop and maintain in conjunction with CPs common descriptors of the types of consumer credit so that these descriptors can be used by CPs when disclosing to CRBs information about the type of consumer credit that they have provided to individuals.
Explanatory Memorandum p.103, 161
6.2 For the purposes of Part IIIA, the Regulations and the CR code:
- the day on which the consumer credit is entered into is:
- for consumer credit liability information disclosed up to and including 14 February 2021, the day that, under the terms and conditions of the consumer credit, the credit is made available to the individual; or
- for consumer credit liability information disclosed from 14 February 2020, the day that, the consumer credit is unconditionally approved by the credit provider, and the credit provider has generated the consumer credit account within its credit management system;
- where no credit limit applies to revolving credit, a charge card contract or the sale of goods or supply of services where credit is provided – no fixed limit;
- in the case of revolving credit with a credit limit - the credit limit that applies at the time the consumer credit liability information is disclosed to a CRB;
- in the case of credit where the principal amount is not repayable until a fixed date and, until that time, payments of interest only are required to be made - the principal amount of the credit;
- in the case of credit where payments of the principal amount must be made throughout the term of the credit - the amortised maximum principal amount of the credit, calculated on the basis that the individual makes the minimum only principal repayments throughout the term of the credit;
- for consumer credit liability information disclosed up to and including 30 June 2019:
- (i) in the case of credit provided for the purposes of the acquisition of particular goods or services, the applicable credit limit;
- (ii) in the case of credit provided by a supplier of goods or services where the contract specifies the amount of the credit or the credit limit – that amount;
- the day that the credit contract, arrangement or understanding is terminated; or
- if earlier, the day that the credit is no longer available to the individual under the terms of the contract, arrangement or understanding and the CP has irrevocably determined that the credit cannot be reinstated on those terms.
- the day that the debt owed under the credit is repaid and there is no ability to defer payment of further debt under the credit; or
- the earlier of:
- the day that either the CP determines or the individual and the CP agree that all outstanding payment obligations arising under the credit have been waived or otherwise discharged and the CP cannot undertake further enforcement action in respect to any outstanding debt owed by the individual under the credit; or
- the day that the CP charges off the full balance of the credit after deciding that the outstanding balance is a loss due to the likelihood that the amount may not be recoverable, although the CP maintains the legal ability to take enforcement action in respect to any outstanding debt owed by the individual under the credit.
6.3 Where a CP chooses to disclose to a CRB consumer credit liability information in relation to consumer credit provided by the CP to an individual, the CP must either:
- in a single disclosure, disclose all of the information contemplated by paragraphs (a) to (f) of the definition of consumer credit liability information, in relation to that credit, other than, in the case of information for the purposes of paragraphs (c) to (f) of that definition, information that is not then reasonably available; or
- in a single disclosure, disclose its name (paragraph (a) of the definition of consumer credit liability information) and the day the consumer credit is entered into (paragraph (d) of that definition unless that information is not then reasonably available) thereby disclosing that it has a CP relationship with the individual.
The pre-reform code para 2.3
6.4 Where a CP chooses to disclose to a CRB consumer credit liability information in relation to consumer credit provided to an individual, the CP must, once that credit is terminated or otherwise ceases to be in force, disclose this to the CRB within 45 days of that date.
Privacy Act Part IIIA Provisions
7. Information requests
The information that Part IIIA permits CRBs, subject to conditions, to collect includes information requests. Where a CP makes an information request , the CRB may also collect the type of consumer credit or commercial credit and, the amount of credit sought by the individual in the application to the CP to which the CP’s information request relates.
Paragraph 2.1 of the pre-reform code
7.1 Where a CP makes an information request to a CRB in connection with an application for consumer credit and the amount of credit sought is unknown or incapable of being specified, the credit information that the CRB may collect and disclose may include that an unspecified amount of consumer credit is being sought from the CP.
Privacy Act Part IIIA Provisions
8. Repayment history information
The information that Part IIIA permits CRBs, subject to conditions, to collect includes repayment history information. A CP is only permitted to disclose repayment history information to a CRB if the CP is a licensee or is prescribed by the Regulations. A CRB is only permitted to disclose repayment history information to a CP that is a licensee or is prescribed by the Regulations.
Repayment history information is information about:
- whether or not an individual has met an obligation to make a monthly payment that is due and payable in relation to the consumer credit;
- the day on which the monthly payment is due and payable;
- if the individual makes the monthly payment after the day on which the payment is due and payable – the day on which the individual makes that payment.
Explanatory Memorandum p.130
8.1 For the purposes of this paragraph and the definition of repayment history information in Section 6V of the Privacy Act:
- consumer credit is overdue if, after any payments made during that month are taken into account, on the last day of the month to which the repayment history information relates, there remained at least one overdue payment in relation to which the grace period has expired; and
- the grace period allowed by the CP for an overdue payment must be at least 14 days, beginning on the date that the CP's systems first classified the payment as being in arrears.
Explanatory Memorandum p.129-130
8.2 Where a CP discloses repayment history information about consumer credit provided to an individual, the CP must take reasonable steps to ensure that:
- it does not disclose repayment history information about that credit more frequently than once each month; and
- for each month, as defined in paragraph 1.2 of this CR code, after any payments made during that month are taken into account, it only discloses whichever of the following is applicable:
- that the consumer credit was not overdue for that month; or
- that there was an amount overdue in relation to the consumer credit for that month; and
- where the consumer credit is not overdue – “Current up to and including the grace period”; or
- where there is an amount overdue in relation to the consumer credit, the age of the oldest outstanding payment:
- 15 – 29 days overdue (this disclosure may only be made at day 15, as this allows for expiry of the 14-day grace period)
- 30 – 59 days overdue
- 60 – 89 days overdue
- 90 – 119 days overdue
- 120 – 149 days overdue
- 150 – 179 days overdue
- 180 + days overdue.
Privacy Act Part IIIA Provisions
9. Default information
The information that Part IIIA permits CRBs, subject to conditions, to collect and disclose includes default information. Preconditions to the disclosure of default information include – the consumer credit payment must be overdue by at least 60 days, the overdue amount must not be less than $150 (or if a higher amount is prescribed by the Regulations, that amount) and the CP must have met the notice obligations specified in Part IIIA, the Regulations and this CR code.
9.1 A CP must not disclose an overdue payment in relation to consumer credit to a CRB as default information :
- if the individual has made a hardship request (whether via a variation of the terms and conditions of the consumer credit or new consumer credit); and
- either:
- the CP is in the process of deciding the individual’s hardship request, including if the CP is waiting upon information from the individual for the purposes of making that decision; or
- if the CP decides to refuse the individual’s hardship request – until at least 14 days after the CP has notified the individual of this decision.
9.2 Paragraph 9.1 does not apply if:
- the hardship request is made on a basis that the CP reasonably believes is materially the same as the basis on which a previous hardship request was made; and
- the previous hardship request was made during the previous 4 months.
Sec 6Q, Sec 21D(3) Explanatory Memorandum p.126, 162, Para 2.7 of the pre-reform code
9.3 The following requirements must be met if a CP discloses default information about an individual to a CRB:
- the CP must give the Section 6Q notice and the Section 21D(3)(d) notice separately;
- the CP must give the Section 6Q notice before the Section 21D(3)(d) notice;
- the CP must not give the Section 21D(3)(d) notice less than 30 days after the giving of the Section 6Q notice;
- the CP must give the Section 6Q notice and Section 21D(3)(d) notice by sending them to the individual’s last known address at the time of despatch. The Section 6Q notice and Section 21D(3)(d) notice may be sent by electronic communication. Note: (1) Electronic communication should meet the requirements of the Electronic Transactions Act 1999. Section 88 of the National Credit Code in Schedule 1 of the National Consumer Credit Protection Act 2009 sets out requirements to be met before a credit provider can enforce a credit contract or mortgage against a defaulting debtor or mortgagor. Where the credit provider combines the Section 6Q notice or a Section 21D(3)(d) notice under the Privacy Act, with a default notice under section 88 of the National Credit Code, the requirements set out in section 88 of the National Credit Code apply.
- the amount that is disclosed by the CP to the CRB as the amount that is overdue:
- must not be more than the amount specified in the Section 21D(3)(d) notice,
- plus an additional amount to reflect interest, fees and other amounts that are owing as a result of the overdue payment, other than the acceleration of the entire liability for the consumer credit, which have accrued by the time of the disclosure,
- less any part payments received in cleared funds prior to the date of disclosure by the CP to the CRB; and
- at least 14 days after the date on which the Section 21D(3)(d) notice given by the CP to the individual; and
- no later than 3 months after that date; and
9.4 Where a CP discloses default information in relation to consumer credit to a CRB:
- the amount specified as overdue must not include an amount of an overdue payment that was previously disclosed as default information in relation to that consumer credit;
- the amount specified as overdue may be subsequently updated to reflect the accrual of interest, fees and other amounts that are owing as a result of the overdue payment, other than the acceleration of the entire liability for the consumer credit;
- where the amount of an overdue payment is the result of the acceleration of the entire liability for the consumer credit and includes an amount previously disclosed as default information, the CP must request the CRB to destroy the previously disclosed default information;
- where the CRB is requested under paragraph 9.4(c) to destroy default information, the CRB must destroy the default information;
- where the amount originally disclosed is updated under subparagraph 9.4(b), the original date of disclosure of default information remains the date from which the relevant retention period runs.
Privacy Act Part IIIA Provisions
10. Payment information
The information that Part IIIA permits CRBs, subject to conditions, to collect and disclose includes payment information – this is a statement that payment has been made of an overdue payment that has previously been disclosed by the CP to the CRB as default information.
Explanatory Memorandum p.128
10.1 For the purposes of the definition of payment information in Section 6T of the Privacy Act, the amount of the overdue payment to which the information relates is taken to be paid when:
- payment is received in cleared funds of the full amount of the overdue payment, including all interest, fees and other amounts that are included in the amount specified as overdue in the default information;
- payment is received in cleared funds of part of the amount of the overdue payment and the CP accepts this amount in full settlement of the overdue payment; or
- the CP waives the overdue payment..
Explanatory Memorandum p.163
10.2 Where a CP has an obligation under Section 21E or paragraph 10.3 of this CR code to disclose to a CRB payment information relating to an individual and the individual asks the CP to disclose this information to the CRB, the CP must take reasonable steps to disclose the payment information within 3 business days of the later of:
- the individual’s request; and
- the date when the overdue payment is taken to be made in accordance with paragraph 10.1, unless the CP has reasonable grounds for requiring a longer period of time to do this.
- a CP disclosed default information about an individual to a CRB before the date of commencement of this CR code; and
- after that date, the amount of the overdue payment to which the information relates is paid; the CP must, within a reasonable period after the amount is paid, disclose payment information about the amount to the CRB under Section 21D of the Privacy Act.
Privacy Act Part IIIA Provisions
11. Publicly available information
The information that Part IIIA permits CRBs, subject to conditions, to collect and disclose includes publicly available information (an undefined term in the Privacy Act) that relates to the individual’s credit worthiness and meets other requirements set out in Part IIIA.
Explanatory Memorandum p.124
11.1 A CRB must only collect publicly available information about an individual:
- from an agency or a state or territory authority; and
- if the content of the information that is collected is generally available to members of the public (whether in the form provided to the CRB or another form and whether or not a fee must be paid to obtain that information);
- if it relates to activities conducted within Australia or its external territories; and
- if it related to the individual’s creditworthiness.
11.2 For the avoidance of doubt publicly available information does not include:
- originating process issued by a Court or Tribunal; or
- any judgment or proceedings where the individual’s rights have been subrogated to an insurer; or
- any judgment or proceedings that is otherwise unrelated to credit; because this information does not relate to the individual’s creditworthiness.
Privacy Act Part IIIA Provisions
Sec 6(1) definition of “serious credit infringement”
12. Serious credit infringements
The information that Part IIIA permits CRBs, subject to conditions, to collect and disclose includes serious credit infringements – this is defined as:
- an act done by an individual that involves fraudulently obtaining consumer credit or attempting fraudulently to obtain consumer credit ;
- an act done by an individual that involves fraudulently evading the individual’s obligations in relation to consumer credit or attempting fraudulently to evade those obligations; or
- an act by an individual if:
- a reasonable person would consider that the act indicates an intention, on the part of the individual, to no longer comply with the individual’s obligations in relation to consumer credit provided by a CP;
- the CP has, after taking such steps as are reasonable in the circumstances, been unable to contact the individual about the act; and
- at least 6 months have passed since the CP last had contact with the individual.
Explanatory Memorandum p.116-117
- Where a CP discloses to a CRB that, in the CP's opinion, an individual has committed a serious credit infringement within paragraph (a) of the Section 6(1) definition of that term, the CP must be able to reasonably establish that:
- when obtaining or attempting to obtain consumer credit, the individual made, or arranged for someone else to make, a material false statement to the CP or knowingly allowed the CP to rely upon a material false statement or premise; and
- the individual did this knowing that the statement or premise was untrue and, with intent to deceive the CP, aware that the false statement or premise was likely to materially affect the CP's decision as to whether or not to provide credit to the individual.
Explanatory Memorandum p.116-117
- Where a CP discloses to a CRB that, in the CP's opinion, an individual has committed a serious credit infringement within paragraph (b) of the Section 6(1) definition of that term, the CP must be able to reasonably establish that:
- the individual made, or arranged for someone else to make, a material false statement to the CP or knowingly allowed the CP to rely upon a material false statement or premise; and
- the individual did this knowing that the statement or premise was untrue and with intent to evade the individual's obligations in relation to consumer credit by deceiving the CP as to a material fact.
Explanatory Memorandum p.116-117
- Before disclosing to a CRB that, in the CP’s opinion, an individual has committed a serious credit infringement on the basis of paragraph(c) of the Section 6(1) definition of that term , the CP must have disclosed an overdue payment to which the serious credit infringement relates to the CRB as default information. In order to establish that reasonable steps have been taken to contact the individual:
- the CP must attempt to make contact with the individual where possible by phone, email and mail;
- if these contact attempts suggest that any of those contact details are no longer current, the CP must take reasonable steps to ascertain new contact details and, where new contact details are ascertained, repeat the previous contact attempts using the new contact details;
- in phone messages (where these can be left with an automatic answering service or with an adult) and emails, the CP must take reasonable steps to provide its contact details and ask the individual to contact the CP as a matter of urgency;
- in mailed letters, the CP must:
- give particulars of the default; and
- state that if a period of 6 months elapses without contact with the individual about the default the CP intends to disclose the default to a CRB as a serious credit infringement and explain the effect of this;
- the date of the Section 6Q notice; or
- if more recent – the date of last contact with the individual; was given by the CP the 6 months period referred to in paragraph (c)(iii) of the definition of serious credit infringement recommences.
12.2 If a CP discloses payment information or new arrangement information to a CRB that relates to an overdue amount that is the subject of a serious credit infringement disclosure (based on paragraph(c) of the Section 6(1) definition of that term) , the CRB must destroy the information relating to the serious credit infringement.
Privacy Act Part IIIA Provisions
13. Transfer of rights of credit provider
The Privacy Act recognises that the repayment rights of a CP in relation to credit may be transferred and treats the acquirer as a CP for the purposes of the credit.
- an acquirer acquires the rights of a CP in relation to the repayment of an amount of consumer credit ;
- the original CP notifies the individual to whom that consumer credit was provided of the transfer event ; and
- prior to the transfer event, the original CP had disclosed to a CRB consumer credit liability information or default information about the consumer credit, both the original CP and the acquirer must ensure that disclosure is made to the CRB of:
- the transfer event within 45 days of its occurrence including the name of the acquirer; and
- any information that is thereafter required to be disclosed under Part IIIA, the Regulations or this CR code (and for the purposes of that subsequent disclosure the acquirer is taken to have made any disclosures by the original CP in relation to that credit that were made prior to the transfer event).
Privacy Act Part IIIA Provisions
Sec 20F and 21G
14. Permitted CRB disclosures
Part IIIA permits a CRB to disclose credit reporting information to CPs, mortgage insurers and trade insurers - but only for certain permitted purposes.
Paras 1.5, 2.2 and 2.15 of the pre-reform code
14.1 Where, in response to a request:
- a CRB discloses credit reporting information to a CP, mortgage insurer or trade insurer; or
- a CP discloses credit eligibility information to an entity to which a permitted CP disclosure may be made; and the CRB, CP, mortgage insurer or trade insurer (as applicable) subsequently becomes aware that the credit reporting information or credit eligibility information was about an individual other than the individual that is the subject of the request:
- in the case of a recipient of the information - it must:
- advise the disclosing CRB or CP (as applicable) of the mistake as to identity (unless it was the disclosing CRB or CP that identified the mistake); and
- destroy the disclosed information; and
- take reasonable steps to ensure that any derived information that is based on the disclosed information is not disclosed or used for the purpose of assessing the credit worthiness of the individual to whom the information relates; and
- advise the recipient of the information of the mistake as to identity (unless it was the recipient of the information that identified the mistake); and
- take reasonable steps to review its disclosure practices, procedures and systems so that similar mistakes are minimised in the future.
Para 1.15 of the pre-reform code
14.2 Before a CRB discloses credit reporting information to a CP, mortgage insurer or trade insurer, the CRB must have taken reasonable steps to ensure that the CP, mortgage insurer or trade insurer has been notified of the requirements of the Privacy Act, the Regulations and the CR code governing limitations on use and disclosure of credit reporting information.
Privacy Act Part IIIA Provisions
15. Security of credit reporting information
Part IIIA requires CRBs to take reasonable steps to maintain the security of credit reporting information. CRBs must enter into agreements with CPs requiring them to protect credit reporting information from misuse, interference and loss and unauthorised access, modification or disclosure.
Explanatory Memorandum p.146-7
15.1 CRBs and CPs must maintain reasonable practices, procedures and systems to ensure the security of electronic transmission and storage of credit reporting information and credit eligibility information.
Privacy Act Part IIIA Provisions
16. Use and disclosure of credit-related personal information by CPs and affected information recipients
Part IIIA places restrictions and conditions on the use and disclosure of credit information and credit eligibility information.
- Despite anything in this CR Code (other than paragraphs 16.1(b) and (c)), a CP or an affected information recipient must not use or disclose credit eligibility information or regulated information for the purposes of:
- assessing the likelihood that the individual to which the information relates may accept:
- an invitation to apply for, or an offer of:
- credit; or
- insurance in relation to mortgage credit or commercial credit; or
- credit is provided; or
- insurance in relation to mortgage credit or commercial credit is provided;
- credit: or
- insurance in relation to mortgage credit or commercial credit; or
- variation of the amount of or terms on which:
- credit is provided; or
- insurance in relation to mortgage credit or commercial credit is provided
- A CP or affected information recipient that has received an application for credit or insurance in relation to mortgage credit or commercial credit is not prevented by paragraph (a) from:
- using credit eligibility information or regulated information for the purposes of assessing the application; and
- in assessing the application, offering or inviting the applicant to apply for a different product where the original product is unsuitable.
Explanatory Memorandum p.104-5
16.2 A CRB must only disclose credit reporting information to a CP, for the purposes of enabling the CP to assist the individual to avoid defaulting on his or her obligations in relation to consumer credit provided by the CP to the individual where either:
- the CP confirms to the CRB that it is aware of circumstances that reasonably indicate that the individual may be at significant risk of defaulting in relation to those obligations; or
- the CRB is aware that an event has occurred in relation to the individual that is an event of the kind that the CP has identified could, if it were to occur, reasonably indicate that the individual may be at significant risk of defaulting in relation to those obligations.
Sec 21P, Explanatory Memorandum p.173-5
16.3 Where a CP obtains credit reporting information about an individual from a CRB and, within 90 days of obtaining that information, the CP refuses a consumer credit application made by the individual, whether alone or jointly with other applicants, the CP must provide a written notice of refusal that:
- meets the requirements of Section 21P(2);
- explains the individual’s right to access their credit reporting information without charge during the 90 days following the date of the CP’s notice of refusal and how to request the relevant CRBs to provide access to that information;
- is to the effect that it is important for individuals to be proactive in checking the accuracy of the credit reporting information that CRBs hold about them;
- states that the CP relies upon information from a number of sources when deciding whether to refuse consumer credit including information provided by the individual to the CP and credit reporting information disclosed to the CP by CRBs;
- provides information about factors that are often taken into account when refusing credit : these may include:
- the adequacy of the applicant’s level of income and other resources to meet repayments of credit;
- the extent of the applicant’s indebtedness and other commitments;
- the security of the applicant’s employment;
- the applicant’s credit history including previous bankruptcy, defaults, serious credit infringements, high number of credit applications and unsatisfactory repayment history; and
Privacy Act Part IIIA Provisions
17. Protections for victims of fraud
Where an individual has been a victim of fraud (including identity fraud), Part IIIA enables the individual to request a CRB to commence a ban period during which the CRB may not disclose or use the individual's credit reporting information unless the individual expressly consents in writing.
Explanatory Memorandum p.142, 164
17.1 Where an individual believes on reasonable grounds that the individual has been, or is likely to be, a victim of fraud and the individual requests a CRB not to use or disclose their credit reporting information, the CRB must immediately:
- include on the credit reporting information held in relation to the individual a notation about the individual’s request and retain this for the duration of the ban period;
- explain to the individual the effect and duration of the ban period, including that the individual may not be able to access credit during the ban period; and
- explain to the individual that they may request a ban period with other CRBs, and that the individual can consent to the CRB (the first CRB) notifying the CRBs nominated by the individual (the notified CRBs) that the individual has requested that the notified CRB/s not use or disclose the individual’s credit reporting information (additional ban period request). Where this additional ban period request is made by the individual:
- the first CRB must, as soon as reasonably practicable, provide the notified CRB/s with the ban period request provided by the individual to the first CRB;
- The notified CRB must treat the additional ban period request provided by the first CRB as if it had been provided by the individual directly to the notified CRB.
Explanatory Memorandum p.142, 164
17.2 Where a CRB receives a request from a CP, mortgage insurer or trade insurer for credit reporting information about an individual in relation to whose credit reporting information a ban period is in effect, the CRB must inform the CP, mortgage insurer or trade insurer of the ban period and its effect.
Explanatory Memorandum p.142, 173-4
17.3 Where a CRB has established a ban period in relation to credit reporting information about an individual, the CRB must notify the individual not less than 5 business days before the end of the ban period:
- of the date the ban period is due to finish;
- about the individual's rights under Part IIIA, the Regulations and this CR code to extend the ban period; and
- what, if any, information the CRB requires to support the individual's allegation of fraud.
17.4 For the purposes of paragraph 17.1(c), where an individual seeks to extend a ban period under paragraph 17.3, the individual can consent to the first CRB notifying the previously notified CRBs of the request to extend to the ban period and, where this ban period extension request is made by the individual:
- the first CRB must, as soon as reasonably practicable, provide the notified CRB/s with the ban period extension request and any supporting material provided by the individual to the first CRB;
- the notified CRB must treat the ban period extension request provided by the first CRB as if it has been provided by the individual directly to the notified CRB.
Privacy Act Part IIIA Provisions
18. Use by a CRB of credit reporting information to facilitate a CP’s direct marketing
Part IIIA restricts a CRB’s use of credit reporting information to facilitate a CP’s direct marketing. It does, however, permit a CRB at the request of a CP to undertake pre-screening of a list of individuals provided by the CP using eligibility requirements nominated by the CP.
18.1 Notwithstanding Section 20E(2), a CRB must not:
- use credit reporting information for the purpose of developing any tool or service for provision to a CP or affected information recipient for the purposes of assisting them:
- to assess the likelihood that an individual may accept:
- an invitation to apply for, or an offer of, credit or insurance in relation to mortgage credit or commercial credit; or
- an invitation to apply for a variation of, or an offer to vary, the amount of or terms on which credit or insurance in relation to mortgage credit or commercial credit is provided; or
- credit or insurance in relation to mortgage credit or commercial credit; or
- variation of the amount of, or terms on which, credit or insurance in relation to mortgage credit or commercial credit is provided; or
18.2 A CP must not nominate eligibility requirements to be used by a CRB to assess, in accordance with section 20G, whether or not an individual is eligible to receive the direct marketing communications of the CP, that indicate that the individual is experiencing, or may in the future experience, difficulty in meeting repayments under their existing credit unless it is to exclude such individuals from the direct market communication.
18.3 A CRB must give effect, as soon as practicable, to a request by an individual not to use their credit information for the purposes of direct marketing, whether that request is made of the CRB through the CRB’s website facility (if any), by telephone, mail, email or other means.
18.4 Each CRB must keep a confidential register of individuals who have made a request of the kind referred to in paragraph 18.3.
Privacy Act Part IIIA Provisions
Sec 20R and 21T
19. Access
Part IIIA obliges CRBs and CPs to provide access on request by an individual to credit reporting information held about the individual and to do so within a reasonable period (in the case of a CRB this cannot be longer than 10 days). A CRB is not permitted to charge for access if the individual (whether directly or through an agent) has not made a request for access within the preceding 3 months. If a request has been made within the preceding 3 months, the CRB may impose a charge but this must not be excessive. When providing access to credit reporting information held about the individual, the CRB must, if the credit reporting business of the CRB involves deriving credit ratings about individuals, also give the credit rating for the individual with an explanation. A CP (except a CP that is an agency ) may impose a reasonable charge for providing access to credit information .
Para 1.10, 2.17 and 2.18 of the pre-reform code
19.1 Where a person requests a CRB or CP to provide them with access to credit reporting information or credit eligibility information (as applicable), the CRB or CP (as applicable) must not provide access without first obtaining such evidence as is reasonable in the circumstances to satisfy itself as to the identity of the person making the request and that person's entitlement under Part IIIA, the Regulations and the CR code to the access.
The pre-reform code Para 1.7 and 1.8
19.2 Where an individual (whether personally or through another access seeker) requests a CRB to provide access to the individual’s credit reporting information, the CRB must not charge a fee for giving access to the information if the individual provides the CRB with evidence that, not more than 90 days previously, a CP refused a consumer credit application made by the individual. This is the case whether or not the CRB has provided the individual with access to credit reporting information free of charge at any time during the previous 3 months.
19.3 If a CRB has a service whereby an individual (whether personally or through another access seeker) may for a fee obtain their credit reporting information (fee-based service):
- the information made available by the CRB about the fee-based service must prominently state that individuals have a right under Part IIIA to obtain their credit reporting information, including their credit rating under paragraph 19.7, free of charge in the following circumstances:
- if the access request relates to a CP’s decision to refuse the individual’s consumer credit application;
- if the access request relates to a decision by a CRB or CP to correct credit reporting information or credit eligibility information about the individual; and
- once every 3 months (this is in addition to any access given in accordance with paragraphs 19.3(i) or (ii)).
Sec 20R, Explanatory Memorandum p.178
19.4 Where credit reporting information is provided to an access seeker free of charge by a CRB as required by Part IIIA, the Regulations or this CR code:
- the CRB must provide the access seeker with access to:
- all credit information in relation to the individual currently held in the databases that the CRB utilises for the purposes of making disclosures permitted under Part IIIA;
- all current CRB derived information about the individual that is available; and
- the individual’s credit rating as set out in paragraph 19.7;
Sec 21T, Para 2.21 of the pre-reform code
- must take reasonable steps to provide an accessible means for an individual to obtain access to credit eligibility information about them;
- should, unless unusual circumstances apply, provide access within 30 days of the request;
- must present the information clearly and accessibly and provide reasonable explanations and summaries of the information to assist the access seeker to understand the impact of the information on the individual’s credit worthiness; and
- must advise the individual that, in order to ensure that they have access to the most up-to-date information, they should additionally request access to the credit reporting information held by CRBs about them.
Explanatory Memorandum p.177
Hardship Supp Ex Mem, p.11 - 12
19.6 Where a CRB provides an access seeker with CRB derived information about the individual or a CP provides an access seeker with CP derived information about the individual, this may be done in a way that preserves the confidentiality of the methodology, data analysis methods, computer programs or other information that is used to produce the derived information.
19.7 For the purposes of Paragraph 19.4 and Section 20R of the Privacy Act and the meaning of ‘credit rating’ used in that section:
- if the business of a CRB involves deriving more than one form of credit rating or credit score for individuals (for example, where different credit ratings or scores are derived using calculations based on different sets of credit information):
- the credit rating required to be given under Section 20R is the rating that is derived from the calculation that is used to provide credit ratings or credit scores to CPs using the broadest range of information available to the CRB and, if there is more than one such calculation, the one most accurate, relevant and up to date; and
- if the CRB imposes a charge for giving a credit rating derived using a different calculation to that described in Subparagraph (i) to access seekers, the CRB must give the individual (whether directly or through an agent) the option to receive that credit rating for free once every 3 months .
- prominently state when referring to the third party service that the individual has a right to receive their credit rating free of charge under section 20R;
- take reasonable steps to ensure that the free service is as available and easy to identify and access as the referral to that other service;
- explain the nature and purpose of a credit score and how the credit rating provided under subparagraph 19.4(a)(iii) relates to that score;
- categorise the total scale into no less than five bands;
- describe those bands (including the credit score ranges that they represent) and use appropriate descriptors for those bands that relate to the credit worthiness of individuals who sit within each band;
- state which band the credit score for the individual sits within. For the avoidance of doubt, this does not require the CRB to include the credit score for the individual (although this does not prevent a CRB from proactively also providing a precise credit score to an access seeker);
- for the purposes of Paragraph 19.4 and Subparagraphs 20R(1A)(b) – (d) of the Privacy Act, give an explanation statement with the credit rating that includes (subject to Paragraph 19.6):
- an explanation of the types of credit information that is held by a CRB and the general impact of that information on an individual’s credit score. This explanation may be given by reference to another document that is reasonably accessible;
- in relation to the band in which the individual’s credit rating sits, a description of the particular types of credit information that the CRB reasonably believes are the most important for people who sit within that band and why that information may be important (which may include a description of the importance of the absence of the particular type of credit information to a credit score within that band). For the purposes of this subparagraph, the CRB would ordinarily describe 3 – 5 types of credit information which typically have the biggest impact on the credit score of individuals within that credit rating band (whether by their inclusion or absence in credit information held by the CRB);
- other than for the highest band, and based on the relative importance of the types of credit information , a statement as to the common things that people within the band can do to improve their credit rating;
- an explanation of how CPs may, and may not, access and use a credit rating or credit score in the assessment or management of credit, including how the credit rating or credit score relates to other elements of credit assessment or management (such as responsible lending assessments). This explanation may be given by reference to another document that is reasonably accessible; and
Privacy Act Part IIIA Provisions
20. Correction of information
Part IIIA provides an individual with correction of information rights. Where a CRB or CP is satisfied that credit-related personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, the CRB or CP (as applicable) must take reasonable steps to correct the information within 30 days or such longer period agreed to by the individual in writing. Where necessary to resolve the correction request, the CRB or CP ( as applicable) must consult with other CRBs or CPs.
Sec 21V, Explanatory Memorandum p.179
- a CP, that does not either disclose credit information to a CRB or request a CRB to disclose credit reporting information to it, receives a correction request from an individual in accordance with Part IIIA; and
- the correction request relates to information that the CP does not hold; the CP is able to meet the requirements of Sections 21V(3) and 21W(3) by:
- consulting with CRBs or CPs to identify an entity that holds the relevant information;
- giving the individual a written notice:
- explaining that it does not hold the relevant information and does not participate in the credit reporting system and so the correction has not been made;
- informing the individual of an entity that holds the information to which the correction request relates and providing contact details for that entity; and
- stating that if the individual is not satisfied with the response to the request the individual may access a recognised external dispute resolution scheme of which the CP is a member, or to which it is subject, or make a complaint to the Commissioner.
20.2 When a CRB or CP (the consulted CRB or CP) is consulted by another CRB or CP (the first responder CRB or CP):
- the first responder CRB or CP must take reasonable steps to provide the consultation request to the consulted CRB or CP within a time period of five business days of the correction request being made;
- when making the consultation request, the first responder CRB or CP must notify the consulted CRB or CP the date when the 30-day period to resolve the individual’s correction request ends (the correction period);
- the consulted CRB or CP must take reasonable steps to respond to the consultation request as soon as practicable, and not less than five business days before the end of the correction period (unless the consultation request is made less than five business days before the end of correction period, in which case the response must be provided as soon as practicable);
- where the consulted CRB or CP will be unable to respond to the consultation request by the end of the correction period, it must advise the first responder CRB or CP at least five business days before the end of the correction period of the delay (unless the consultation request is made less than five business days before the end of correction period, in which case the advice must be provided as soon as practicable), the reasons for this and the expected timeframe to respond to the consultation request. This timeframe must be reasonable.
Sec 20T, 21V, Explanatory Memorandum p.150, 180-1
20.3 If a CRB or CP forms the view that it will not be able to resolve an individual's correction request within the 30 day period required by Part IIIA, the CRB or CP (as applicable) must as soon as practicable:
- notify the individual of the delay, the reasons for this and the expected timeframe to resolve the matter;
- seek the individual’s agreement to an extension for a period that is reasonable in the circumstances;
- advise that the individual may complain to a recognised external dispute resolution scheme of which the CRB or CP (as applicable) is a member or to which it is subject – and provide the contact details for the scheme – or, in the case of a CP that is not a member of, or subject to, such a scheme, to the Commissioner ; and
- if the individual has not agreed to the requested extension, provide a response to the correction request within the timeframe sought for extension.
Sec 20S(1), 20T(2), 21U(1), 21V(2)
20.4 When correcting credit-related personal information:
- If a CRB or CP receives a correction request, they must determine whether the credit-related personal information needs to be corrected as soon as practicable.
- If a CRB or CP is satisfied that credit-related personal information needs to be corrected (whether in response to a correction request, or under section 20S or section 21U), the CRB’s or CP’s obligation to take reasonable steps to correct the information will be satisfied where the CRB or CP, or a CRB or CP consulted in relation to the correction request (as applicable):
- corrects the credit information, where this correction is in response to a correction request, within five business days of determining the correction should occur and otherwise as soon as practicable;
- takes reasonable steps to ensure that any future derived information is based on the corrected credit information; and
- takes reasonable steps to ensure that any derived information that is based on the uncorrected credit information is not disclosed or used for the purpose of assessing the credit worthiness of the individual to whom the information relates.
- If:
- an individual enters into a new arrangement with a CP of the kind referred to in Section 6S(1)(c) or a CP has disclosed payment information in relation to the individual; and
- the individual requests a CRB to correct the credit reporting information held by the CRB about the individual by removing default information that relates to an overdue payment that is the subject of that new arrangement or payment information ; and
- the request is made on the basis that the overdue payment occurred because of the unavoidable consequences of circumstances beyond the individual's control, such as natural disaster, bank error in processing a direct debit or fraud, the CRB must, in consultation with the CP that disclosed the relevant default information, consider whether the default information is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regard to the purpose for which the information is held by the CRB .
20.6 On request by an individual, a CRB must correct the credit reporting information held by it in relation to the individual by destroying any default information that relates to a payment that the individual is overdue in making to a CP if, at the time of the correction request, the CP is prevented by a statute of limitations from recovering the amount of the overdue payment.
Para 1.14, 3.14, 3.15 of the pre-reform code
20.7 A CRB or CP must notify an individual of a decision about a correction request made by the individual under Section 20T or Section 21V within 5 business days of the decision. Where the decision is to correct the information, the notice must:
- include all relevant credit reporting information or credit eligibility information (as applicable) held by the CRB or CP (as applicable) so that the individual can check that the information has been appropriately corrected;
- explain:
- that the individual has a right under this CR code to obtain their credit reporting information from a CRB free of charge if the access request relates to a decision by a CRB or a CP to correct information about the individual; and
- how that right may be exercised; and
- explain what CRBs, CPs and affected information recipients the CRB or CP (as applicable) is intending to notify to fulfil its notification obligation under Part IIIA, the Regulations and this CR code; and
- ask the individual if there is any other CP or affected information recipient that the individual would like the CRB or CP (as applicable) to notify of the correction.
20.8 Where a CRB or CP corrects credit-related personal information by updating identification information about an individual, the CRB or CP (as applicable) is not obliged to notify any previous recipient of the information about the updating of that information, unless requested by the individual.
Section 20S(2), 20U(2), 21U(2) 21W(2), Explanatory Memorandum p.149, 179-80,
Para 1.14 of the pre-reform code,
Para 3.15 of the pre-reform code
20.9 Where a CRB or CP corrects credit-related personal information and this gives rise to an obligation under Part IIIA to give notice to a CRB, CP or affected information recipient, unless it is impracticable or illegal to give that notice, the notification obligation is taken to be met where:
- the correcting CRB or CP gives notice of the correction to:
- all CRBs to which it disclosed the pre-corrected information;
- all CPs and affected information recipients to which it disclosed the pre-corrected information within the previous 3 months; and
- any other CP or affected information recipient that has been nominated by the individual and to which it disclosed the pre-corrected information more than 3 months previously;
20.10 Where an individual makes a correction request under Section 20T or Section 21V the complaint handling provisions in Division 5 of Part IIIA will not apply to that request, even if the correction request includes an expression of dissatisfaction by the individual about an act or practice by the CRB or CP (as applicable).
Privacy Act Part IIIA Provisions
21. Complaints
Part IIIA enables an individual to complain either to a CRB or a CP about an act that may breach Part IIIA (other than certain provisions pertaining to access or corrections) or the CR code (other than an obligation that pertains to a Part IIIA excluded provision). The complaint must be acknowledged within 7 days, investigated and where necessary consultation with other CRBs or CPs must occur. A decision must be made in relation to the complaint within 30 days or longer period agreed to by the individual in writing.
Explanatory Memorandum p.189,
Para 3.1, 3.2, of the pre-reform code
21.1 Where a CRB or CP is required by Australian law, a condition of a licence issued by a regulatory authority or an enforceable Industry Code requirement to meet complaints handling requirements, the CRB or CP must comply with those requirements for the purposes of a complaint under Part IIIA. Any other CRB or CP must comply with the following sections of ISO 10002:2018(E) Quality management - Customer satisfaction - Guidelines for complaints handling in organisations for the purposes of a complaint under Part IIIA:
- Section 4 Guiding Principles ;
- Section 5.2 Leadership and Commitment ;
- Section 6.4 Resources ;
- Section 8.1 Collection of information ; and
- Section 8.2 Analysis and evaluation of complaints .
21.2 A CRB must be a member of, or be subject to, a recognised external dispute resolution scheme.
Sec 23B, Explanatory Memorandum p.191
21.3 A CRB or CP that is consulted by another CRB or CP about a complaint must take reasonable steps to respond to the consultation request as soon as practicable.
21.4 If a CRB or CP forms the view that it will not be able to resolve a complaint within the 30 day period required by Part IIIA, the CRB or CP (as applicable) must:
- inform the individual of this before the end of that period and provide the reason for the delay, the expected timeframe to resolve the complaint and seek their agreement to an extension for a period that is reasonable in the circumstances; and
- advise that the person may complain to the recognised external dispute resolution scheme of which the CRB or CP (as applicable) is a member, or to which it is subject – and provide the contact details for that scheme - or, in the case of a CP that is not a member of, or subject to, such a scheme, to the Commissioner.
21.5 Where a CRB has an obligation under Section 23C(2), unless it is impracticable or illegal to do so, to give notice to a CP about a complaint relating to a CRB's act or practice that may breach Section 20S, this obligation is taken to be met if the CRB gives notice as soon as practicable to:
- if the complaint relates to credit information that was disclosed to the CRB by a CP – that CP;
- any other CP to which the CRB disclosed the credit information to which the complaint relates in the previous 3 months; and
- any other CP that has been nominated by the individual for this purpose.
21.6 Where a CP has an obligation under Section 23C(3), unless it is impracticable or illegal to do so, to give notice to a CRB or CP about a complaint relating to a CP's act or practice that may breach Section 21U, this obligation is taken to be met if the CP gives notice as soon as practicable to:
- if the complaint relates to credit information that was disclosed to the CP by a CRB or another CP – that CRB or CP;
- any other CRB or CP to which the CP disclosed the credit information to which the complaint relates in the previous 3 months; and
- any other CP that has been nominated by the individual for this purpose.
Privacy Act Part IIIA Provisions
22. Record keeping
Part IIIA imposes various obligations on CRBs and CPs to keep records where credit information is used or disclosed.
Explanatory Memorandum p.139,
Para 1.17, 2.14, 2.14A, 2.19 of the pre-reform code
22.1 Each CRB and CP must maintain adequate records that evidence their compliance with Part IIIA, the Regulations and this CR code.
22.2 In particular, each CRB and CP must maintain the following records:
- where credit-related personal information is destroyed to meet obligations under Part IIIA, the Regulations and this CR code (but only if this is possible);
- in the case of a CP that receives credit eligibility information disclosed to it by another CP:
the date on which that information was disclosed;
the CP who disclosed the information;
a brief description of the type of information disclosed; and
the evidence relied upon that the consent requirements have been met;
- the date of the disclosure;
- a brief description of the type of information disclosed;
- the CP, affected information recipient or other person to whom the disclosure was made; and
- evidence that the disclosure was permitted under Part IIIA, the Regulations or the CR code;
- requests to establish or extend a ban period;
- requests for, or notifications of, corrections;
- complaints;
- pre-screening requests by a CP; and
- monitoring and auditing of CPs in accordance with Part IIIA, the Regulations and this CR code.
22.3 Records must be retained for a minimum period of 5 years from the date on which the record is made unless, in the case of a CRB, the record includes information that the CRB is required by Part IIIA, the Regulations or the CR code to destroy at the end of the applicable retention period, in which case the record must be retained for the duration of that retention period only.
Privacy Act Part IIIA Provisions
Sec 20N and 20Q
23. Credit reporting system integrity
Part IIIA includes measures to facilitate credit reporting system integrity including an obligation on CRBs to ensure that regular audits are conducted by an independent person to determine whether CPs are complying with aspects of their contractual obligations to the CRB.
Sec 20N and 20Q
Explanatory Memorandum p.30 and p.145
23.1 To ensure that CRBs are able to tailor the frequency and extent of the audits required by sections 20N and 20Q to the CPs that present the greatest risk of non-compliance, a CRB must establish a documented, risk based program to monitor CPs' compliance with their obligations under Part IIIA, incorporated in their agreements with the CRB, to ensure:
- that credit information that the CP discloses to the CRB is accurate, up-to-date and complete;
- that credit reporting information that the CRB discloses to the CP is protected by the CP from misuse, interference and loss and from unauthorised access, modification or disclosure; and
- that the CP takes the steps in relation to requests to correct credit-related personal information required by Part IIIA, the Regulations and this CR code.
Sec 20N and 20Q
23.2 The risk based program established by a CRB for the purposes of paragraph 23.1 must:
- identify and evaluate indicators of risk of non-compliance by CPs with the obligations referred to in paragraph 23.1;
- assess the risk posed by CPs of significant non-compliance with those obligations utilising those risk indicators and the range of information available to the CRB including correction requests and complaints;
- utilise a reasonable range of monitoring techniques to validate and update those risk assessments from time to time (which could, for example, include questionnaires or attestations);
- include an audit program for CPs to assess compliance with the obligations referred to in paragraph 23.1.
Sec 20N(3)(b), 20Q(2)(b)
23.3 To be independent and so eligible under Part IIIA to conduct an audit of a CP as part of the CRB’s auditing program referred to in paragraph 23.2:
- an auditor must not be a director or employee of the CP, have a significant financial interest in the CP or, at any time during the previous 12 months, had any such relationship or interest;
- if the auditor is an employee of the CRB – the CRB’s organisational structure and supervision arrangements must achieve functional independence for the auditor;
- if the auditor is an employee of an industry funded organisation – the organisation’s governance and supervision arrangements must achieve functional independence for the auditor; and
- the auditor must not have any other association that would impair the perception of the auditor’s independence, nor had any such association at any time during the previous 12 months .
23.4 A CRB must take reasonable steps to ensure that a person who conducts an audit of a CP as part of the CRB’s auditing program referred to in paragraph 23.2 has sufficient expertise for the role including:
- knowledge of the requirements of Part IIIA, the Regulations and this CR code;
- knowledge of audit methodology and previous experience in conducting audits; and
- credit reporting system experience.
23.5 Subject to paragraphs 23.3 and 23.4, a CRB's CP auditing program for the purposes of paragraph 23.2(d) may utilise as auditors:
- a CRB’s compliance or auditing team;
- consultants engaged by the CRB;
- consultants engaged by the CP where the CRB is satisfied as to the consultant’s independence and expertise; or
- an industry funded organisation where the CRB is satisfied as to that organisation's independence and expertise.
23.6 The CRB must take reasonable steps to ensure that its audit oversight, including reporting arrangements, is sufficient to enable the CRB to form a view as to whether the CP is complying with the obligations referred to in paragraph 23.1.
23.7 A CP must permit a person, who conducts an audit of a CP as part of the CRB’s auditing program referred to in paragraph 23.2, to have reasonable access to the CP's records for the purposes of carrying out the audit.
Sec 20N and 20Q
Explanatory Memorandum p.30 and p.145
23.8 A CP must take reasonable steps to rectify issues identified in the course of an audit undertaken pursuant to the CRB's auditing program referred to in paragraph 23.2.
23.9 Where a CP fails to meet its contractual obligations to a CRB to comply with Part IIIA, the Regulations and this CR Code and in particular fails to:
Explanatory Memorandum p.30 and p.146
- ensure that the credit information that the CP discloses to the CRB is accurate, up-to-date and complete; or
- protect credit reporting information disclosed to the CP by a CRB from misuse, interference or loss, or unauthorised access, modification or disclosure; the CRB will take such action as is reasonable in the circumstances, which may include termination of the agreement. However, termination may only occur if the CRB first provides the CP with reasonable notice of its intention to terminate the agreement and an opportunity to trigger the dispute resolution procedures in paragraph 23.10.
Explanatory Memorandum p.146
23.10 Where disputes arise between two or more CRBs, CPs and affected information recipients in relation to actions undertaken or required to fulfil their obligations under Part IIIA, the Regulations or this CR code, the parties to the dispute must endeavour to resolve the dispute in a fair and efficient way.
23.11 A CRB must publish on its website, by 31 August each year, a report for the financial year ending on 30 June of the same year (or in the case of the report provided in 2014, for the period beginning on the date of commencement of this CR code and ending on 30 June 2014) that includes information about the following:
- Individuals provided access without charge – the percentage calculated in accordance with the following formula: % = AI(WC)/ IND x 100 where: AI(WC) is the number individuals given access to their credit reporting information (without charge) by the CRB during the reporting period; and IND is the number of individuals about whom credit information is held at the end of the reporting period;
- Individuals provided access with a charge – the percentage calculated in accordance with the following formula: % = AI(C)/ IND x 100 where: AI(C) is the number of individuals given access to their credit reporting information by the CRB during the reporting period where the individual used a fee-based service; and IND is the number of individuals about whom credit information is held at the end of the reporting period;
- Correction requests received – the percentage calculated in accordance with the following formula: % = CR/ IND x 100 where: CR is the number of correction requests received by the CRB during the reporting period; and IND is the number of individuals about whom credit information is held at the end of the reporting period;
- Successful corrections requests – the percentage calculated in accordance with the following formula: % = SCR/ CR x 100 where: SCR is the number of successful correction requests, that is, correction requests received by the CRB during the reporting period where the CRB was satisfied that a correction should be made; and CR is the number of correction requests received by the CRB during the reporting period;
- Corrections finalisation period – the average number of days taken to finalise a correction calculated in accordance with the following formula: Average days = TD/ TC where: TD is the total number of calendar days taken from receipt to a finalisation for all correction requests finalised by the CRB during the reporting period; and TC is the total number of corrections finalised by the CRB during the reporting period;
- Other corrections made – the percentage calculated in accordance with the following formula: % = OCR/ IND x 100 where: OCR is the number of other corrections, that is, corrections made by the CRB during the reporting period that were not made in response to a correction request from the relevant individual; and IND is the number of individuals about whom credit information is held at the end of the reporting period
- Types of corrections made – information about
- the types of correction requests received and corrections made during the reporting period (including a % figure for each correction type against all types);
- the industry sectors from which the information that was corrected originated from.
- Complaints received – the percentage calculated in accordance with the following formula: % = C/ IND x 100 where: C is the number of complaints received by the CRB during the reporting period; and IND is the number of individuals about whom credit information is held at the end of the reporting period;
- Types of complaints – information about the types of complaints that were received by the CRB during the reporting period (including a % figure for each complaint type against all types)
- Complaints finalised – the percentage calculated in accordance with the following formula: % = F/ IND x 100 where:
- F is the number of complaints finalised by the CRB during the reporting period; and IND is the number of individuals about whom credit information is held at the end of the reporting period;
- Complaint finalisation period – the average number of days taken to finalise a complaint calculated in accordance with the following formula: Average days = TD/ TCP where: TD is the total number of calendar days taken from receipt to a finalisation for all complaints finalised by the CRB during the reporting period; and TCP is the total number of complaints finalised by the CRB during the reporting period;
- Complaint outcomes – information about the outcomes of the complaints finalised during the reporting period (including a % figure for each outcome type against all outcomes);
SERIOUS CREDIT INFRINGEMENTS
- Serious credit infringements disclosed – the percentage calculated in accordance with the following formula: % = SCI/ IND x 100 where: SCI is the total number of times during the reporting period that a CP disclosed an opinion to the CRB that an individual had, in circumstances specified by the provider, committed a serious credit infringements; and IND is the number of individuals about whom credit information is held at the end of the reporting period;
- Serious credit infringements by sector – the percentage calculated in accordance with the following formula: % = SCI(S)/SCI x 100 SCI(S) is the number of times during the reporting period that a CP from a particular sector disclosed an opinion to the CRB that an individual had, in circumstances specified by the provider, committed a serious credit infringements; and SCI is the total number of times during the reporting period that a CP disclosed an opinion to the CRB that an individual had, in circumstances specified by the provider, committed a serious credit infringements;
THE CRB’S MONITORING AND AUDITING ACTIVITY
- Information about the CRB’s monitoring and auditing activity during the reporting period including the number of audits conducted, any systemic issues identified and any action taken in response. This information does not require the identification of specific entities;
DISCLOSURE TO THE CRB OF CONSUMER CREDIT LIABILITY INFORMATION AND REPAYMENT HISTORY INFORMATION
- information about the take-up of the new types of credit-related personal information permitted to be held in the credit reporting system from 12 March 2014, including:
- Disclosure to the CRB of consumer credit liability information – the percentage calculated in accordance with the following formula; % = CCLI/ CP x 100 where: CCLI is the number of CPs that disclosed consumer credit liability information to the CRB during the reporting period; and CP is the total number of CPs that disclosed any credit information to the CRB during the reporting period;
- Disclosure to the CRB of repayment history information – the percentage calculated in accordance with the following formula; % = RHI/ CP x 100 where: RHI is the number of CPs that disclosed repayment history information to the CRB during the reporting period; and CP is the total number of CPs that disclosed any credit information to the CRB during the reporting period;
Privacy Act Part IIIA Provisions
24. Information Commissioner’s role
The Privacy Act specifies that this CR code may impose obligations on CRB, CP or affected information recipients to report matters to the Commissioner.
Para 4.2 of the pre-reform code
24.1 The Commissioner may, at the request of a CRB, CP or affected information recipient, agree to vary time limits imposed by the CR code where the CRB, CP or affected information recipient (as applicable) is unable to comply with the specified time limit due to circumstances such as technological failure or other practical or unforeseen difficulties.
24.2 Every 3 years, or more frequently if the Commissioner requests, a CRB must commission an independent review of its operations and processes to assess compliance by the CRB with its obligations under Part IIIA, the Regulations and this CR code. The CRB must consult with the Commissioner as to the choice of reviewer and scope of the review. The review report and the CRB's response to the review report must be provided to the Commissioner and made publicly available.
24.3 The Commissioner will initiate an independent review of the operation of this CR code within 4 years of the date of the commencement of the initial independent review, and thereafter, every 4 years (following commencement of each independent review).
- to assess the likelihood that an individual may accept:
- an invitation to apply for, or an offer of:
- assessing the likelihood that the individual to which the information relates may accept:
- must not be more than the amount specified in the Section 21D(3)(d) notice,