Allens

Data Governance, Data Services, Privacy & Cyber


Focus: ALRC proposes overhaul of credit reporting rules

29 October 2007

In brief: Partner Catherine Parr, Special Counsel Karin Clark and Articled Clerk Kelly Griffiths report on proposals in the Australian Law Reform Commission's recent discussion paper for the reform of Australian privacy laws as they relate to credit reporting.

How does it affect you?

The discussion paper proposes that:

  • the current credit reporting rules should be repealed and replaced by a regulation dealing only with credit reports (and not other credit information, which would be handled according to revised general privacy principles);
  • the new rules for credit reports should apply to commercial credit as well as consumer credit;
  • limited 'positive' credit information be recorded on credit reporting files; and
  • a number of other changes be made to what can be included on a credit reporting file, including a minimum amount for reportable payment defaults.

Overhaul of credit reporting provisions

The Australian Law Reform Commission's (the ALRC) discussion paper, Review of Australian Privacy Law (the Review) (see http://www.austlii.edu.au/ and AAR Privacy News), proposes reforms of privacy law across a range of topics. We focus on some of the proposals affecting credit reporting.

The Review proposes that Part IIIA of the Privacy Act 1988 (Cth) (the Act), which currently regulates credit reporting and credit information, be repealed and that credit reporting and credit information be regulated under the general provisions of the Act and a new set of Uniform Privacy Principles (UPPs). This proposal for overhaul is likely to be widely applauded by industry groups who have submitted that the current system creates unnecessary duplication and complexity.

The Review proposes the introduction of new regulations imposing obligations relating to how credit reporting agencies and credit providers handle credit reports. The proposed Privacy (Credit Reporting Information) Regulations (the Regulations) would be drafted to contain only those requirements that are different from, or more specific than, those provided for in the proposed UPPs.

No distinction between consumer and commercial credit

The Review also proposes that the new regulations would extend to cover an individual's use of credit for any purpose, and not just for domestic, family or household purposes (as is currently the case), on the basis that the distinction between consumer and commercial credit creates needless complexity and is inconsistent with the general approach of the Privacy Act. However, the ALRC also states that it remains interested in the commercial implications of this proposal, particularly given the Consumer Credit Code does distinguish between consumer and other credit contracts.

Access to the credit reporting system

At present, some organisations are recognised as 'credit providers' for the purposes of the credit reporting provisions of the Act (with the result that they can access the credit reporting system), but are not 'credit providers' for the purposes of compliance with the Consumer Credit Code. For example, under the current Credit Provider Determination No 2006 (Classes of Credit Provider) (the Determination), corporations are deemed to be credit providers if they provide goods or services on terms that allow for the deferral of payment for at least seven days. This has led to a position where service providers such as telecommunications companies, utilities and builders may access their customers' credit information, while not being required to comply with the Consumer Credit Code because, while they provide credit, they do not make a charge for doing so.

The ALRC notes a range of arguments for and against this position (including the need of the telecommunications industry to obtain credit information to evaluate potential customers' credit risk). It proposes a simplified definition of a credit provider in the new Regulations that would ensure that individuals and organisations who are currently credit providers for the purpose of the Act would continue to be credit providers.

However, the ALRC remains concerned about the need to tighten the definition of 'credit providers'. As such, the Review has queried whether the definition should be changed to cover only those businesses who provide goods or services on a deferred basis for at least thirty days.

Dispute resolution schemes

The Review proposes that if a credit provider provides information on defaults to a credit reporting agency, that credit provider must be a member of an external dispute resolution scheme. The objective of this proposal is to ensure that a customer has access to an independent avenue for the resolution of any complaints relating to the recording of a default on the individual's credit file.

Data quality

Under the current system, credit reporting agencies are not required to check the accuracy of information provided to them by credit providers. The Review proposes introducing a requirement that credit reporting agencies monitor the quality of the data received by them for inclusion on an individual's credit file, to ensure that the data is complete, accurate, current and relevant.

The Review also makes several other proposals that will change the kind of data available in credit reports. These proposals include:

  • provisions within the Regulations that would not allow information about presented and dishonoured cheques to be reported;
  • that credit reporting agencies should only be permitted to list overdue payments that are over a minimum prescribed amount; and
  • that credit reporting information about individuals under the age of 18 should be prohibited.

Comprehensive or 'positive' credit reporting

The Review proposes permitting the inclusion of certain 'positive' personal information in credit reports. This information would be limited to particulars of the type of credit account opened (eg mortgage, personal loan, credit card), the date on which the account was opened, the limit of each current credit account and the date on which each credit account was closed. Such information would only be available to credit providers on a reciprocal basis. Accordingly, only those credit providers who provide such information to the credit reporting agency would have access to this information in individual credit reports. The Review also recommends that, after five years, there should be a review of the impact of allowing more comprehensive credit reporting of this kind.

Identity theft

The Review proposes allowing individuals to report to credit reporting agencies when they have been the subject of identity theft. Similarly, the Review proposes that agencies and organisations be required to notify individuals when there has been unauthorised access to their personal information. There is currently no requirement of this nature.

Conclusion

Credit providers and credit reporting agencies need to be aware of the proposed amendments to Australia's privacy laws for the collection, use and disclosure of credit information. Allens Arthur Robinson is happy to assist clients with preparing submissions to the ALRC, which must be made by 7 December 2007. The ALRC proposes to deliver its final report and recommendations to the Attorney-General by March 2008.

For further information, please contact:
