Allens Arthur Robinson

Part IIIA of the Privacy Act

Part IIIA of the Privacy Act 1988 and the Credit Reporting Code of Conduct together regulate the use of credit information by credit providers throughout Australia.

Introduction

Both Part IIIA of the Privacy Act and the Credit Reporting Code of Conduct aim to protect the privacy of individuals and to restrict the way in which credit information can be used and disclosed by credit providers and credit reporting agencies.

Part IIIA of the Act and the Code of Conduct cover a number of areas including the following:

  • the obtaining, use and disclosure of credit reports by credit providers;
  • the collection, use and disclosure by credit providers of any other information with a bearing on an individual's credit worthiness, credit standing, credit history or credit capacity that is not publicly available information;
  • ensuring credit information collected is accurate, up-to-date and complete;
  • ensuring proper security of credit information;
  • allowing people to access records of credit information held about them; and
  • allowing people to update credit information about them.

The Code of Conduct supplements Part IIIA, supplying details on matters not addressed by the Act itself. The Code of Conduct, like Part IIIA of the Act, is legally binding.

Part IIIA largely deals with consumer credit.

What does Part IIIA of the Privacy Act control?

As a general principle, only credit providers may obtain credit reports or report payment defaults to a credit reporting agency.

For the purpose of the Act, credit providers are:

  • banks, building societies and credit unions;
  • retail businesses that issue credit cards;
  • businesses where a substantial part of the business is providing loans;
  • businesses offering hire-purchase agreements;
  • businesses offering arrangements where customers are given a specific time to pay for goods or services received;
  • businesses offering hire arrangements, unless the deposit paid for the return of the goods is greater than or equal to the value of the goods hired;
  • businesses determined by the Privacy Commissioner to be credit providers for the purposes of the Act, including:
    • businesses providing loans to customers, and allowing them to defer payments for 7 days or more. The business will be a credit provider only in relation to those transactions; 
    • a corporation that has acquired the rights of a credit provider with respect to the repayment of a loan. 
  • The agents of credit providers, to the extent that they are carrying out some function in relation to assessing a loan application or managing a loan, but only in relation to the performance of those functions. 

Loan is defined to include a contract, arrangement or understanding under which a person is permitted to defer payment of a debt, or to incur a debt and defer its payment. The definition includes:

  • hire-purchase agreements; and
  • contracts, arrangements or understandings for the hire, lease or renting of goods or services unless full payment is made before or at the time the goods or services are supplied. 

If the goods are hired, leased or rented, the arrangement will not fall within the definition of a loan if the deposit paid for the return of the goods is greater than or equal to the value of the goods.

Note that the rules relating to use and disclosure of information in a credit report are different from (and generally tougher than) the rules which relate to use or disclosure of other credit information.

Consumer credit and commercial credit - do you need to know the difference?

Credit is defined in the Privacy Act 1988 to mean consumer credit, that is, a loan obtained by an individual from a credit provider for domestic, household or family purposes.

Part IIIA of the Act regulates the collection, use and disclosure of consumer credit information. Generally commercial credit information, and its circulation, is unaffected. However, the National Privacy Principles apply to both.

There are limited circumstances, for example, where consumer credit information relating to an individual is disclosed in the context of a commercial credit application, where Part IIIA applies. Here, the specific agreement of the individual concerned must be obtained.

Likewise, where commercial credit information is used to assess an application for consumer credit, the specific agreement of the individual to disclosure of the commercial credit information must be obtained.

Trade references

Part IIIA does not affect the practice of credit providers giving and receiving trade references. This means that information concerning an individual's business or commercial credit worthiness can be disclosed to another credit provider in connection with the giving of commercial credit.

The disclosure by a credit provider of information relating to an individual's commercial credit worthiness would only be affected by the Privacy Act if the information was disclosed in a consumer credit context, such as to another credit provider assessing an application by the individual for consumer credit.

In that case the individual's specific written consent to the disclosure would need to be obtained.

Credit reports

What is a credit report?

A credit report is defined in the Privacy Act 1988 to mean any record or information, in whatever form, whether written, oral or other, that:

  • is being used or has been prepared by a credit reporting agency;
  • has any impact on an individual's:
    • eligibility to be provided with credit;
    • credit history; or
    • capacity to repay credit; and
  • has been used, or is used or has the capacity to be used, for the purposes of serving as a factor in establishing an individual's eligibility for credit. 

Credit report Q&A


What information is in a credit report?

Consumer credit information files maintained by a credit reporting agency can contain only the following categories of personal information:

  • identity information - a person's name, sex, date of birth, address (current and up to 2 previous addresses), name of current or last known employer and drivers licence number;
  • details of an individual's current credit provider(s);
  • details of credit provided to an individual where the individual is at least 60 days overdue in payment and recovery action has commenced;
  • details of applications for a credit report on the individual by credit providers, mortgage insurers, trade insurers and certain other entities;
  • the fact that a cheque for over $100 drawn by an individual has been presented and dishonoured twice;
  • where the individual is a guarantor, certain information in relation to overdue payment under the guarantee (but only if specified steps have been taken in relation to the overdue payment);
  • court judgments and bankruptcy orders made against the individual;
  • a record of any report by a credit provider that, in its opinion, the individual has, in the circumstances specified, committed a serious credit infringement;
  • a statement provided by the individual describing a correction, deletion or addition he or she sought to have made to personal information contained in his/her credit information file;
  • a record of any disclosures made by a credit reporting agency of personal information contained in the individual's credit information file;
  • a note to the effect that the individual is no longer overdue in making the payment, or that the individual contends that he or she is not overdue, as the case may be. 

There are rules about how long this information can be retained. For example, information on defaults and dishonoured cheques must be removed once it is five years old. Information on bankruptcies and serious credit infringements must be removed once it is seven years old.

A credit report must not contain any information about:

  • political, social or religious beliefs;
  • criminal record;
  • medical history or physical handicaps;
  • race, ethnic or national origin;
  • sexual preferences or practices; or
  • lifestyle, character or reputation. 

A credit provider must not give any information relating to any of these matters to a credit reporting agency.

What customer consents are needed in obtaining or disclosing credit information?

Part IIIA specifies a number of circumstances in which a credit provider needs the customer's agreement or consent before it obtains or discloses credit information about the customer. These include when it: 

  • assesses an application for consumer credit or commercial credit;
  • assesses the credit worthiness of a guarantor in connection with another individual's application for credit;
  • discloses information to a potential or existing guarantor;
  • collects overdue payments in respect of commercial credit; and
  • exchanges references with other credit providers about an individual's credit worthiness. 

Where a credit provider intends to obtain a credit report to assess a credit application, it must first notify the individual that it will disclose personal information to the credit reporting agency. This is usually done on a Privacy Consent Form.

There are other occasions during the life of the individual's loan contract, where the credit provider may wish to disclose personal information to a credit reporting agency. The credit provider will not be permitted to do this unless the individual has previously been notified the disclosure will be made.

When can a credit report be accessed and what can it be used for?

Only a credit provider can obtain a credit report. And even a credit provider must only request a credit report from a credit reporting agency and use the personal information it contains:

  • for the purpose of assessing an application for consumer or personal credit;
  • for the purpose of assessing an application for commercial or business credit where the customer has specifically agreed to the use of consumer or personal credit information;
  • in assessing the suitability of a proposed guarantor for a loan where the person who has agreed to act as guarantor has given written consent to such a use;
  • if the credit provider is listed as a current credit provider and receives new relevant information from the credit reporting agency about payments at least 60 days overdue, it may use this information to assist a customer to avoid default on his or her credit obligations;
  • to collect overdue payments in respect of consumer or personal credit owed by the customer;
  • to collect overdue payments in respect of commercial credit owed by the customer, provided the customer has specifically consented to the use of personal or consumer credit information. (This can be the consent obtained at the time of application for commercial credit - it need not be a separate consent obtained at the time of default);
  • for certain purposes in connection with securitisation of a loan;
  • for a use required or authorised by or under law; or
  • in connection with a serious credit infringement if the credit provider believes on reasonable grounds that the customer has committed such an infringement. 

Reports obtained for assessing applications for consumer or commercial credit, or the suitability of guarantors, can be used for internal management purposes such as statistical analysis of customer defaults, score card building and development of credit policy.

The contents of a credit report must not be used for any other purpose. In particular, they must not be used to solicit further business from the customer.


What if there's a mistake?

If there's an error - perhaps the wrong customer's name is entered - and a credit provider accesses the wrong credit report it must:

  • immediately advise the credit reporting agency of the mistake;
  • advise any other persons who were given a copy of the credit report, or information derived from the credit report, of the mistake and of the need to destroy the report or the information; and
  • destroy the credit report. 

If a credit provider becomes aware that:

  • it has given to a credit reporting agency information which was incorrect; or
  • it has given to a credit reporting agency information of a type not permitted to be included in a credit information file,

it must immediately tell the credit reporting agency.


If a loan is rejected because of a report, must the customer be told?

If a credit provider rejects a loan application wholly or partly due to a credit report, it must write to the applicant, informing them:

  • that refusal was based wholly or partly on the credit report;
  • that they have rights of access to their credit information file held by the credit reporting agency; and
  • of the name and address of the credit reporting agency. 

If an application is turned down as a result of an adverse credit report in relation to a proposed guarantor, the credit provider must advise the loan applicant that the application has been turned down for this reason.


What should credit providers do with credit reports after an application has been assessed?

When you are in possession or control of a credit report, you must ensure that the file or report is protected, by such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure and against other misuse. 

You may retain out of date reports for score card building or other statistical purposes. If you do, they should be clearly marked as out of date. They must not be used for future credit decisions.


What obligations do credit providers have to update information?

A credit provider in possession or control of a credit report or information extracted from a credit information file must take reasonable steps to ensure that the personal information contained in the file or report is accurate, up to date, complete and not misleading.

If a credit provider receives a request from a customer or a guarantor to amend information or to include a statement in a credit report, it must:

  • refer the request to the relevant credit reporting agency together with any view it has as to the appropriateness of the amendment sought;
  • inform the individual, in writing, of the referral including the name and address of the credit reporting agency; and
  • include in any credit report in its possession a note to the effect that information is subject to a request for amendment and detailing the nature of that request 

within 10 working days of receiving the request.

If a credit provider ceases to be an individual's current provider it must, as soon as practicable (but in any event within 45 days) tell any credit reporting agency that was previously informed that it was a current credit provider to the individual.

If, however, it did not notify the credit reporting agency that it was a current credit provider in relation to an individual, then there is no requirement to notify the credit reporting agency of the change.

For more, see updating default information.


Do customers have a right to access their credit report?

While a credit provider is in possession or control of a credit report containing personal information about a customer, it must take all reasonable steps to ensure that the customer can access that credit report.

It must have available information advising customers about how they can access credit reports.

If a customer or guarantor asks in writing for access to his or her credit report, the credit provider must attempt to give them access within 10 working days and in any event must give access within 30 calendar days.

If a credit provider no longer has the report it must tell the customer or guarantor to contact the credit reporting agency. Where a credit provider does give a customer access to a credit report in its possession it must tell the person concerned that, in order to ensure that they have the most up-to-date information, they should also view their current file at the credit reporting agency.

Any person (other than a credit provider, mortgage insurer or trade insurer) may, if authorised by a customer in writing, exercise those rights of access on the customer's behalf in connection with an application, or a proposed application, by the customer for a loan, or the customer having sought advice in relation to a loan.


How should disputes and complaints be handled?

If a dispute with a customer arises concerning the contents of a credit report it must be handled in a fair, efficient and timely manner. Generally the dispute will be referred to the credit reporting agency which issued the relevant credit report.

If a credit provider receives a request in writing from an individual seeking resolution of a dispute concerning one of its acts or practices in relation to credit reporting it must investigate the matter and respond to the person who has complained, in writing, within 30 days of receipt of the request.

This response will advise the individual of his or her right to complain to the Privacy Commissioner if dissatisfied with the action taken by it.

A credit provider must maintain a record of all disputes for at least 12 months after the customer has been notified of the outcome of the dispute. That record must include:

  • correspondence and documentary evidence relating to the dispute;
  • records of interviews and telephone conversations; and
  • details of actions taken and the reasons for the action. 

Credit providers are obliged to provide to the Privacy Commissioner on request statistics in relation to disputes.


When may a credit provider report a default to a credit reporting agency? 

A credit provider may only report a default to a credit reporting agency if:

  • the customer is at least 60 days overdue in making a payment and a credit provider has taken enforcement steps in relation to the payment default. In this case, the credit provider cannot report the default until it has sent a written notice to the last known address. This notice should advise the customer of the overdue payment and request payment of the amount outstanding (where there are joint debtors who live at different addresses a notice must be sent to each of them separately); or
  • a cheque, for $100 or more, has been presented twice and dishonoured both times. 

No other defaults should be reported to a credit reporting agency and no threats should be made to report any default of any other kind to a credit reporting agency.

Updating previous reports to credit reporting agency

If an overdue debt reported to a credit reporting agency is later paid off, the credit provider must, as soon as practicable, inform the credit reporting agency that the individual has ceased to be overdue in making the payment. If the individual claims that he/she is not overdue in making the payment, this must also be reported to the credit reporting agency. The credit reporting agency must note this in the individual's credit information file.

If a credit provider reaches agreement with a customer to pay off an overdue amount by instalments, and it has previously notified the amount as overdue, it may (but is not obliged to) tell the credit reporting agency about the arrangement so that they can put a note on their file.


Can a mercantile agent see a credit report?

A mercantile agent is not permitted to have direct access to consumer credit reports for collecting overdue payments on behalf of a credit provider. A credit provider must never give a mercantile agent a copy of a credit report. 

But where a credit provider uses a mercantile agent to collect an overdue consumer debt, it may disclose certain information derived from a consumer credit report obtained from a credit reporting agency. Such information is limited to:

  • information identifying the individual;
  • information about overdue payments; and
  • information about court judgments and bankruptcy orders (publicly available information). 

It may disclose to the mercantile agent other information in its possession as long as the information was not originally contained in, or derived from, a credit report, and the information is provided only for the purpose of collecting overdue payments.

When collecting an overdue commercial debt, a credit provider may only provide a mercantile agent with information contained in a credit report that is identifying information and information about court judgments and bankruptcy orders.

Other information

There are special rules for credit reports and the information they contain - see our Credit reports section for more. Other personal information relating to the credit worthiness, credit standing, credit history or credit capacity of a customer or guarantor may be disclosed by a credit provider only:

  • To another credit provider if the individual has specifically agreed to the disclosure in writing.
  • To a credit reporting agency to create or maintain a credit information file in relation to the individual.
  • Where the individual has specifically agreed to the disclosure of the report or information to another credit provider for that particular purpose.
  • To the guarantor of a loan and for any purpose related to the enforcement or proposed enforcement of the guarantee.
  • To a person considering whether to act as guarantor of a loan provided: 
    • the disclosure is to give the person information that is relevant to the amount or possible amount of the person's liability under the guarantee; and 
    • the customer has specifically agreed to the disclosure. 
  • To a person or body generally recognised and accepted in the community as being appointed, or established, for the purpose of settling disputes between credit providers and their customers.
  • To a debt collection agency for the purpose of collecting overdue payments if the payment is at least 60 days overdue and recovery steps have been taken.
  • To a corporation (including its legal advisers and professional financial advisers) for the purpose of considering whether to accept an assignment of the debt owed to the credit provider or whether it will purchase an interest in the credit provider.
  • To a related corporation of the credit provider (but see the Code of Banking Practice and Building Society and Credit Union Codes).
  • To a person for a particular purpose required or authorised by or under law.
  • To the individual or a person (other than a credit provider, mortgage insurer or trade insurer) who is authorised in writing, by the individual, to seek access to the report or information.
  • Where the credit provider believes on reasonable grounds that the individual concerned has committed a serious credit infringement and the report or information is given to another credit provider or a law enforcement authority. 

Even the fact that a customer is a customer or has applied to be a customer is information which goes to credit standing or credit history.

If a credit provider is verifying income information with an employer, it can tell the employer that the applicant has applied for credit. But it must never say what sort of credit they have applied for or how much, and it must never disclose any other information provided by the customer on the application form.

Arguably the disclosure of just name and address information of customers, even if unaccompanied by any other information, is still information which relates to credit standing or credit history because the credit provider may have no relationship with its customers other than a debtor/creditor relationship. The Privacy Commissioner has indicated that he does not generally regard disclosure of just that information as in breach of the Act. However if there is any other information from which inferences about credit history or credit worthiness can be drawn (for example if disclosure were made of a list of all customers who have a credit card) then the disclosure would be in breach.

Persons who obtain information from credit providers

Disclosure and use limits are also imposed on other persons who obtain personal information from a credit provider.

For example, a related corporation of a credit provider which obtains information from the credit provider is subject to the same limitations on use and disclosure as the credit provider.

Information from another financier

If, with the specific written consent of a customer or guarantor, a credit provider obtains from another credit provider a report about the individual's consumer credit worthiness, it must make a record of:

  • the date on which the report was obtained;
  • the name of the credit provider from whom the report was obtained;
  • a brief description of the contents of the report; and
  • details of the individual's specific agreement to the disclosure (and in particular whether that consent is held by it or by the other credit provider). 

This information must be retained for at least 12 months.

If a credit provider has obtained information from another credit provider, and it subsequently becomes aware that the report given by the other credit provider related to someone other than the person about whom it was enquiring, it must:

  • tell the other credit provider of the mistake as to identity; and
  • destroy the information or report. 

Serious credit infringements

A serious credit infringement is defined in the Act to mean an act done by a person:

  • that involves fraudulently obtaining credit or attempting to fraudulently obtain credit;
  • that involves fraudulently evading the person's obligations in relation to credit, or attempting fraudulently to evade those obligations; or
  • that a reasonable person would consider indicates an intention, on the part of a person, no longer to comply with that person's obligations in relation to credit. 

Examples of what could reasonably be considered an intention on the part of an individual no longer to comply with credit obligations include:

  • the individual has stopped making payments or breached a credit contract in some other serious way, and the credit provider has made reasonable efforts to contact the individual either in person or in writing, but has been unsuccessful in establishing contact; or
  • a credit provider has made contact with the individual and the individual has unlawfully refused to meet his or her credit obligations by resuming payments; or
  • the individual does not comply with the terms of a debt judgment. 

Overdue payment alone is not sufficient grounds for reporting a serious credit infringement.

You need to consider all the circumstances of a particular case, and exercise reasonable business judgment in determining whether the circumstances justify the conclusion that an individual has committed a serious credit infringement.

Serious credit infringements may be notified to:

  • a credit reporting agency;
  • other credit providers; and
  • law enforcement authorities. 

Where a credit provider has reported a serious credit infringement in respect of an amount owed by joint debtors, and is subsequently satisfied that one of the debtors was released from the obligation to repay the outstanding amount by an order of a court or by legal agreement, it must advise the credit reporting agency that this serious credit infringement listing should be removed from that individual's credit information file.

A credit provider is not legally required to notify an individual immediately before reporting a serious credit infringement to a credit reporting agency. The privacy consent form signed by customers at the time they make application to the credit provider should warn customers a notification may be made in the future.