Final piece of privacy reform jigsaw

Cybersecurity & Privacy Risk & Compliance Technology

In brief

In important news for any Australian business that provides goods or services to individuals on deferred payment terms, the long-awaited Credit Reporting Privacy Code has been registered. Partner Michael Pattison and Senior Associate Matt Vitins report on the implications of the credit reporting reforms for businesses generally, and give an update on the status of the related Privacy Act reforms that are soon to take effect.

How does it affect you?

  • The Credit Reporting Privacy Code (the CR Code) was registered on 22 January 2014 and represents the final piece of the reforms to the Privacy Act 1988 (Cth) (the Privacy Act).
  • The CR Code will primarily affect financial institutions and other similar businesses that are involved in the provision of credit, but will also be relevant to any business in Australia that provides goods or services to individuals on terms that allow payment to be deferred by seven days or more. Such businesses will now have to prepare and maintain a credit reporting policy.
  • If those businesses wish to report payment defaults to credit reporting bodies, they will also need to join a recognised external dispute resolution scheme.
  • The registration of the CR Code serves as a useful reminder that companies should by now be well advanced in preparing the documentation and implementing the practices, procedures and systems that are necessary to ensure they comply with the amended Privacy Act with effect from 12 March 2014.


We have previously advised clients (please see our Focus: Major Privacy Reforms passed) on the extent of changes required in order for companies to comply with the amended Privacy Act. Since that publication, the Privacy Commissioner has released a number of draft Guidelines, which are of great assistance in understanding how he interprets the new legislation and how he will exercise the additional powers he has been given. However, the full package of reforms was not complete until the Credit Reporting Code had been registered. Now that has occurred, Australian companies are fully equipped with the information they need to make the necessary changes to their business to comply with the new privacy regime.

Application of credit reporting provisions to Australian businesses

Credit providers

The credit reporting provisions in the Privacy Act are principally of interest to companies, such as banks, whose businesses involve the supply of finance. However, the credit reporting provisions have broader application, as a result of the definition of 'credit provider' in the amended Privacy Act. The effect of section 6G(2)is that any business that provides goods or services to individuals for personal, family or household purposes on terms that allow payment to be deferred for at least seven days will be taken to be a credit provider for the purposes of the Privacy Act. This has a number of implications for companies that would not normally have considered themselves to be credit providers. One is the obligation to have a policy dealing with how the company manages credit information and credit eligibility information. From the wording of the CR Code, it seems clear that this policy must be in addition to the privacy policy the company maintains on the treatment of personal information generally.

Credit reporting policy

The credit reporting policy needs to deal with a number of prescribed matters, including:

  • the kinds of credit information the company collects and how it collects it;
  • how credit eligibility information about the individual will be used;
  • how individuals can access and seek correction of credit information on them;
  • how individuals can complain about a failure to comply with applicable credit reporting rules and how those complaints will be handled; and
  • the purposes for which the company discloses credit information.

The company must make the policy available free of charge, and this will normally be done by making the policy available on the company's website.

Disclosures to credit reporting bodies – external dispute resolution

Companies that provide services and goods on terms allowing for deferred payment often want to report payment defaults to credit reporting bodies. Under the new s21D of the Privacy Act, a company will only be able to report payment defaults if it is a member of a recognised external dispute resolution scheme. As at the date of this Focus, many of the schemes that are proposed to be recognised are restricted to particular industries, such as telecommunications, financial services and energy. Companies will need to investigate whether any of the general dispute resolution schemes (such as the Credit Ombudsman Service) will be applicable to their circumstances.

The Privacy Act will require that companies tell individuals at least 14 days before such notification is made that they propose to notify a credit reporting body of a payment default. The new provisions also include requirements for 'positive' payment information. A company that reports default information under s21D must also report (within a reasonable period of time) when the overdue amount has been paid.

Obtaining information from credit reporting bodies

Further provisions will apply if a company wants to obtain information from a credit reporting body before agreeing to provide goods or services to a customer on deferred payment terms. The Privacy Act contains strict requirements about the types of information that must be provided to the individual before any credit checks are done on them. The required disclosures include notifying the individual of the name of the credit reporting body and about how the individual can obtain information on the company's credit reporting practices. The CR Code contains some useful guidance on how such disclosures can be made, including allowing some to be made by cross-reference to the company's website.

Next steps

As previously advised, the privacy reforms take effect on 12 March 2014.

We know from our work for a number of our clients that many companies are already well advanced in preparing for the commencement of these new laws. It is important to remember that having a compliant privacy policy is just the tip of the iceberg in terms of complying with the new regime.

The Privacy Act contains a new requirement on companies to take reasonable steps to implement practices, procedures and systems that will ensure they comply with the Australian Privacy Principles. This obligation enshrines in Australian law the principle of 'privacy by design', which effectively requires companies to embed privacy protection into their systems from their inception. Although the concept is not new, Australia is the first country to mandate it as part of national law.

While the full implications of the privacy by design approach are still to be determined, it will extend to, among other things:

  • ensuring that all staff receive appropriate training in relation to information handling;
  • designing the company's information technology systems so that they support privacy principles, such as mandating appropriate data segregation and audit trails and the deletion of data that is no longer needed;
  • updating internal company documentation to incorporate relevant privacy principles; and
  • ensuring that new projects that involve the treatment of personal information begin with an assessment of what information is being collected and how it will be treated in all stages of the life of the project, including on termination of the project.

Allens' Privacy team can assist you with assessing the likely impact of the CR Code and the Australian Privacy Principles on your organisation, and advise on any amendments that may be required to your organisation's privacy, marketing and information technology practices, policies and agreements.