Data Governance, Data Services, Privacy & Cyber

Increase text sizeDecrease text sizeDefault text size

Focus: Credit reporting and credit information

19 August 2008

In brief: The Australian Law Reform Commission has recommended changes to Australia's privacy laws that will have important implications for credit providers. Partners Catherine Parr and Peter Jones look at what will change.

How does it affect you?

  • If the ALRC recommendations on credit reporting are adopted, credit providers will have access to additional information when they conduct consumer credit checks. However, before that additional information includes repayment history information there will need to be an adequate legislative framework imposing responsible lending obligations.
  • Credit providers who are not currently members of an external dispute resolution scheme will need to join one before they can list overdue payment information with a credit reporting agency.
  • Application forms used by credit providers will need to be amended to include new information about credit reporting agencies.
  • Credit information other than information in, or derived from, a consumer credit report will no longer be subject to the current complex and highly restrictive rules – it will be regulated only by the new Unified Privacy Principles.

A new report

The Australian Law Reform Commission (the ALRC) report For Your Information: Australian Privacy Law and Practice released 11 August 2008 (the report), contains some significant recommendations for reform in relation to the regulation of credit reporting and the handling of credit information.

The report recommends repeal of Part IIIA of the Privacy Act 1988 (Cth), a recommendation which will be welcomed by credit providers. The ALRC recommends that the model Unified Privacy Principles (UPPs) proposed in the report should be:

  • the only regulation of credit information other than information in, or derived from, a credit report; and
  • the basis for the regulation of credit reporting, but supplemented by regulations imposing specific obligations on credit reporting agencies and credit providers with respect to the handling of credit reporting information.

There is no recommendation for any substantive change to the coverage of the credit reporting regulations, so that:

  • the regulations will regulate the handling of credit information which is maintained by a credit reporting agency carrying on a credit reporting business (with no material change to the definition of credit reporting business) or held by a credit provider and prepared by a credit reporting agency;
  • they will apply to personal information relating to credit intended to be used wholly or primarily for domestic family or household purposes (provided the debtor is not under the age of 18); and
  • all organisations that are currently credit providers for the purposes of the Privacy Act (including those who rely on determinations made by the Privacy Commissioner) will continue to be credit providers for the purposes of the new regulations (although the ALRC recommends a simplified definition of 'credit provider').

To supplement the UPPs and the new credit reporting regulations, the ALRC recommends that a credit reporting code should be developed by credit reporting agencies and credit providers, in consultation with consumer groups and regulators including the Office of the Privacy Commissioner. This should deal with a range of operational matters relevant to compliance. The ALRC has left open the question of the precise legal status of this code.

The credit reporting regulation will expressly exclude the reporting of personal information about foreign credit and the disclosure of credit reporting information to foreign credit providers unless the Privacy Commissioner approves of such reporting and disclosure applying criteria to be set out in the regulations (which will include the availability of effective enforcement and complaint handling in the foreign jurisdiction).

Credit reporting files

While the current approach of prescribing the information that may be held in a credit information file will continue, there will be some significant changes to the permitted content of a credit information file. A key change, which will be welcomed by the industry, is the inclusion of the following categories of personal information:

  • the type of each credit account opened (for example, mortgage, personal loan or credit card);
  • the date on which each credit account was opened;
  • the current limit of each opened credit account; and
  • the date on which each credit account was closed.

It is also recommended that, once there is an adequate legislative framework imposing responsible lending obligations, the regulations should also permit credit reporting information to include information indicating whether, over the prior two years, an individual was meeting their repayment obligations and, if not, the number of repayment cycles the individual was in arrears. Under this proposal, a credit provider could report, for example, whether a debtor was 30, 60 or 90 days late in making a payment, but could not report the current balance of a credit account or the amounts of repayments made or overdue. The ALRC suggests that procedures for reporting payment history, set within the parameters prescribed in the new regulations, should be set out in the code of conduct.

Another addition to the permitted content of credit information files will be personal insolvency information recorded on the National Personal Insolvency Index, provided the different forms of administration are identified and accurately reflected.

However, a credit information file will no longer be permitted to include:

  • information about presented and dishonoured cheques; or
  • information about overdue payments of less than a prescribed amount.

Subject to this threshold amount, overdue payment information will be the same as under the current Privacy Act – that is, the individual will need to be at least 60 days overdue and the credit provider will need to have taken steps to recover the whole, or any part, of the amount of credit outstanding. However:

  • before disclosing overdue payment information to a credit reporting agency, the credit provider will need to have taken reasonable steps to ensure that the individual concerned is aware of the intention to report the information; and
  • a credit provider will only be able to list overdue payment information if the credit provider is a member of an external dispute resolution scheme approved by the Privacy Commissioner.

Serious credit infringements will continue to be allowed to be listed, provided the credit provider has taken reasonable steps to contact the individual before making the listing. The ALRC recommends that the Privacy Commissioner should provide guidance on the criteria that need to be met before a serious credit infringement is listed.

Notification to applicants/debtors

The ALRC recommends that the new regulations should require, in addition to the other information required under the Notification UPP, that at, or before, the time personal information to be disclosed to a credit reporting agency is collected about an individual, a credit provider must take such steps as are reasonable, if any, to ensure that the individual is aware of:

  • the identity and contact details of the credit reporting agency;
  • rights of access to, and correction of, credit reporting information; and
  • the types of persons or entities to whom the credit reporting agency usually discloses credit reporting information.

This will take the place of the current requirement in section 18E(8)(c), which, as the ALRC suggests, lacks clarity in its application.

Use and disclosure of credit reporting information

The report recommends that the new regulations provide a simplified list of circumstances in which a credit reporting agency or credit provider may use or disclose credit reporting information. This list will be based on the current provisions in Part IIIA but will also permit use and disclosure of credit reporting information for a secondary purpose related to the assessment of an application for credit or the management of an existing credit account where the relevant individual would reasonably expect such use or disclosure.

The ALRC recommends continued access to the credit reporting system for mortgage and trade insurers and no change to existing rules on use and disclosure of credit reporting information for debt collection purposes. However it recommends:

  • an express prohibition on the use or disclosure of credit reporting information for the purposes of direct marketing, including the pre-screening of direct marketing lists; and
  • that the use and disclosure of credit reporting information for electronic identity verification for anti-money laundering and counter terrorism financing (AML/CTF) purposes should be specifically authorised under the AML/CTF legislation (so that it then falls within the 'authorised by law' exception in the Use and Disclosure UPP).

The ALRC also recommends that:

  • individuals should have a right to prohibit, for a specified period, the disclosure by a credit reporting agency of credit reporting information without the individual's express authority; and
  • a credit provider that advances credit during the period an individual has frozen access to their credit reporting information should not be able to list any information (including payment defaults) relating to that credit without the consent of the individual.

This recommendation is driven by, but is not limited in its operation to, identity theft.

Data quality and security

The ALRC recommendations designed to enhance the quality and security of credit reporting information include:

  • prohibiting the listing of any overdue payment if the credit provider is prevented by law from bringing proceedings to recover the amount due or where the relevant statutory limitation period has expired;
  • if an individual enters into a new arrangement to repay an existing debt, an overdue payment under the new arrangement may be listed, and remain part of the individual's file, for the full five-year period that will be permissible under the regulations;
  • credit reporting agencies must enter into agreements with credit providers that include obligations to ensure the quality and security of credit reporting information and must themselves establish and maintain controls to ensure that only credit reporting information that is accurate, complete and up-to-date is used or disclosed and that credit providers are complying with their agreements; and
  • the credit reporting code should promote data quality by setting out procedures to deal with matters such as timeliness of reporting of information, calculation of overdue payments, obligations to prevent multiple listings of the same debt and updating of information.

The ALRC recommends that retention periods should be based on those currently set out in the Privacy Act and that deletion should be mandatory after the expiry of the relevant period.

Access, correction and complaint handling

Relatively little change is recommended in relation to access and correction. In particular, the ALRC recommends that the current Privacy Act provisions relating to:

  • individuals obtaining access to their own credit reporting information and obtaining a free copy of their credit report; and
  • notifying when a refusal of an application for credit is based wholly or partly on credit reporting information,

should be mirrored in the new regulations.

However, there are some changes recommended in relation to complaints handling and in relation to providing individuals with information about available avenues of complaint. In particular, as indicated above, the ALRC recommends that credit providers should only be able to list overdue payments if they are a member of an external dispute resolution scheme recognised by the Privacy Commissioner.


The ALRC recommends removal of the current credit reporting offences and the substitution of civil penalties where there is a serious or repeated interference with the privacy of an individual.

The new rules for credit reporting and credit information are but some of numerous recommended changes to the current privacy laws. We will distribute a further publication focusing on other changes shortly.

For further information, please contact:

Share or Save for later

What are these?


To save this publication on your smartphone or
tablet for off-line reading (eg on a plane flight),
we recommend Pocket.



You can leave a comment on this publication below. Please note, we are not able to provide specific legal advice in this forum. If you would like advice relating to this topic, contact one of the authors directly. Please do not include links to websites or your comment may not be published.

Comment Box is loading comments...