Division 1 - General definitions
6 - Interpretation6AA - Meaning of responsible person6A - Breach of an Australian Privacy Principle6B - Breach of a registered APP code6BA - Breach of the registered CR code6C - Organisations6D - Small business and small business operators6DA - What is the annual turnover of a business?6E - Small business operator treated as organisation6EA - Small business operators choosing to be treated as organisations6F - State instrumentalities etc. treated as organisations6FA - Meaning of health information6FB - Meaning of health serviceDivision 2 - Key definitions relating to credit reporting
Subdivision A - Credit provider
6G - Meaning of credit provider6H - Agents of credit providers6J - Securitisation arrangements etc.6K - Acquisition of the rights of a credit providerSubdivision B - Other definitions
6L - Meaning of access seeker6M - Meaning of credit and amount of credit6N - Meaning of credit information6P - Meaning of credit reporting business6Q - Meaning of default information6R - Meaning of information request6S - Meaning of new arrangement information6T - Meaning of payment information6U - Meaning of personal insolvency information6V - Meaning of repayment history informationDivision 3 - Other matters
7 - Acts and practices of agencies, organisations etc.7A - Acts of certain agencies treated as acts of organisation7B - Exempt acts and exempt practices of organisations7C - Political acts and practices are exempt8 - Acts and practices of, and disclosure of information to, staff of agency, organisation etc.10 - Agencies that are taken to hold a record11 - File number recipients12A - Act not to apply in relation to State banking or insurance within that State12B - Severability—additional effect of this ActDivision 1 - Interferences with privacy
13 - Interferences with privacy13B - Related bodies corporate13C - Change in partnership because of change in partners13D - Overseas act required by foreign law13E - Effect of sections 13B, 13C and 13D13F - Act or practice not covered by section 13 is not an interference with privacy13G - Serious and repeated interferences with privacyDivision 2 - Australian Privacy Principles
14 - Australian Privacy Principles15 - APP entities must comply with Australian Privacy Principles16 - Personal, family or household affairs16A - Permitted general situations in relation to the collection, use or disclosure of personal information16B - Permitted health situations in relation to the collection, use or disclosure of health information16C - Acts and practices of overseas recipients of personal informationDivision 4 - Tax file number information
17 - Rules relating to tax file number information18 - File number recipients to comply with rulesDivision 1 - Introduction
19 - Guide to this PartDivision 2 - Credit reporting bodies
Subdivision A - Introduction and application of this Division etc.
20 - Guide to this Division20A - Application of this Division and the Australian Privacy Principles to credit reporting bodiesSubdivision B - Consideration of information privacy
20B - Open and transparent management of credit reporting informationSubdivision C - Collection of credit information
20C - Collection of solicited credit information20D - Dealing with unsolicited credit informationSubdivision D - Dealing with credit reporting information etc.
20E - Use or disclosure of credit reporting information20F - Permitted CRB disclosures in relation to individuals20G - Use or disclosure of credit reporting information for the purposes of direct marketing20H - Use or disclosure of pre screening assessments20J - Destruction of pre screening assessment20K - No use or disclosure of credit reporting information during a ban period20L - Adoption of government related identifiers20M - Use or disclosure of credit reporting information that is de identifiedSubdivision E - Integrity of credit reporting information
20N - Quality of credit reporting information20P - False or misleading credit reporting information20Q - Security of credit reporting informationSubdivision F - Access to, and correction of, information
20R - Access to credit reporting information20S - Correction of credit reporting information20T - Individual may request the correction of credit information etc.20U - Notice of correction etc. must be givenSubdivision G - Dealing with credit reporting information after the retention period ends etc.
20V - Destruction etc. of credit reporting information after the retention period ends20W - Retention period for credit information—general20X - Retention period for credit information—personal insolvency information20Y - Destruction of credit reporting information in cases of fraud20Z - Dealing with information if there is a pending correction request etc.20ZA - Dealing with information if an Australian law etc. requires it to be retainedDivision 3 - Credit providers
Subdivision A - Introduction and application of this Division
21 - Guide to this Division21A - Application of this Division to credit providersSubdivision B - Consideration of information privacy
21B - Open and transparent management of credit information etc.Subdivision C - Dealing with credit information
21C - Additional notification requirements for the collection of personal information etc.21D - Disclosure of credit information to a credit reporting body21E - Payment information must be disclosed to a credit reporting body21F - Limitation on the disclosure of credit information during a ban periodSubdivision D - Dealing with credit eligibility information etc.
21G - Use or disclosure of credit eligibility information21H - Permitted CP uses in relation to individuals21J - Permitted CP disclosures between credit providers21K - Permitted CP disclosures relating to guarantees etc.21L - Permitted CP disclosures to mortgage insurers21M - Permitted CP disclosures to debt collectors21N - Permitted CP disclosures to other recipients21NA - Disclosures to certain persons and bodies that do not have an Australian link21P - Notification of a refusal of an application for consumer creditSubdivision E - Integrity of credit information and credit eligibility information
21Q - Quality of credit eligibility information21R - False or misleading credit information or credit eligibility information21S - Security of credit eligibility informationSubdivision F - Access to, and correction of, information
21T - Access to credit eligibility information21U - Correction of credit information or credit eligibility information21V - Individual may request the correction of credit information etc.21W - Notice of correction etc. must be givenDivision 4 - Affected information recipients
22 - Guide to this DivisionSubdivision A - Consideration of information privacy
22A - Open and transparent management of regulated informationSubdivision B - Dealing with regulated information
22B - Additional notification requirements for affected information recipients22C - Use or disclosure of information by mortgage insurers or trade insurers22D - Use or disclosure of information by a related body corporate22E - Use or disclosure of information by credit managers etc.22F - Use or disclosure of information by advisers etc.Division 5 - Complaints
23 - Guide to this Division23A - Individual may complain about a breach of a provision of this Part etc.23B - Dealing with complaints23C - Notification requirements relating to correction complaintsDivision 6 - Unauthorised obtaining of credit reporting information etc.
24 - Obtaining credit reporting information from a credit reporting body24A - Obtaining credit eligibility information from a credit providerDivision 7 - Court orders
25 - Compensation orders25A - Other orders to compensate loss or damageDivision 1 - Introduction
26 - Guide to this PartDivision 2 - Registered APP codes
Subdivision A - Compliance with registered APP codes etc.
26A - APP entities to comply with binding registered APP codes26B - What is a registered APP code26C - What is an APP code26D - Extension of Act to exempt acts or practices covered by registered APP codesSubdivision B - Development and registration of APP codes
26E - Development of APP codes by APP code developers26F - Application for registration of APP codes26G - Development of APP codes by the Commissioner26H - Commissioner may register APP codesSubdivision C - Variation and removal of registered APP codes
26J - Variation of registered APP codes26K - Removal of registered APP codesDivision 3 - Registered CR code
Subdivision A - Compliance with the registered CR code
26L - Entities to comply with the registered CR code if bound by the code26M - What is the registered CR code26N - What is a CR codeSubdivision B - Development and registration of CR code
26P - Development of CR code by CR code developers26Q - Application for registration of CR code26R - Development of CR code by the Commissioner26S - Commissioner may register CR codeSubdivision C - Variation of the registered CR code
26T - Variation of the registered CR codeDivision 4 - General matters
26U - Codes Register26V - Guidelines relating to codes26W - Review of operation of registered codesDivision 1 - Introduction
26WA - Simplified outline of this Part26WB - Entity26WC - Deemed holding of information26WD - Exception—notification under the My Health Records Act 2012Division 2 - Eligible data breach
26WE - Eligible data breach26WF - Exception—remedial action26WG - Whether access or disclosure would be likely, or would not be likely, to result in serious harm—relevant mattersDivision 3 - Notification of eligible data breaches
Subdivision A - Suspected eligible data breaches
26WH - Assessment of suspected eligible data breach26WJ - Exception—eligible data breaches of other entitiesSubdivision B - General notification obligations
26WK - Statement about eligible data breach26WL - Entity must notify eligible data breach26WM - Exception—eligible data breaches of other entities26WN - Exception—enforcement related activities26WP - Exception—inconsistency with secrecy provisions26WQ - Exception—declaration by CommissionerSubdivision C - Commissioner may direct entity to notify eligible data breach
26WR - Commissioner may direct entity to notify eligible data breach26WS - Exception—enforcement related activities26WT - Exception—inconsistency with secrecy provisionsDivision 2 - Functions of Commissioner
27 - Functions of the Commissioner28 - Guidance related functions of the Commissioner28A - Monitoring related functions of the Commissioner28B - Advice related functions of the Commissioner29 - Commissioner must have due regard to the objects of the ActDivision 3 - Reports by Commissioner
30 - Reports following investigation of act or practice31 - Report following examination of proposed enactment32 - Commissioner may report to the Minister if the Commissioner has monitored certain activities etc.33 - Exclusion of certain matters from reportsDivision 3A - Assessments by, or at the direction of, the Commissioner
33C - Commissioner may conduct an assessment relating to the Australian Privacy Principles etc.33D - Commissioner may direct an agency to give a privacy impact assessmentDivision 4 - Miscellaneous
34 - Provisions relating to documents exempt under the Freedom of Information Act 198235 - Direction where refusal or failure to amend exempt document35A - Commissioner may recognise external dispute resolution schemesDivision 1A - Introduction
36A - Guide to this PartDivision 1 - Investigation of complaints and investigations on the Commissioner’s initiative
36 - Complaints37 - Principal executive of agency38 - Conditions for making a representative complaint38A - Commissioner may determine that a complaint is not to continue as a representative complaint38B - Additional rules applying to the determination of representative complaints38C - Amendment of representative complaints39 - Class member for representative complaint not entitled to lodge individual complaint40 - Investigations40A - Conciliation of complaints41 - Commissioner may or must decide not to investigate etc. in certain circumstances42 - Preliminary inquiries43 - Conduct of investigations43A - Interested party may request a hearing44 - Power to obtain information and documents45 - Power to examine witnesses46 - Directions to persons to attend compulsory conference47 - Conduct of compulsory conference48 - Complainant and certain other persons to be informed of various matters49 - Investigation under section 40 to cease if certain offences may have been committed49A - Investigation under section 40 to cease if civil penalty provision under Personal Property Securities Act 2009 may have been contravened50 - Reference of matters to other authorities50A - Substitution of respondent to complaint51 - Effect of investigation by Auditor GeneralDivision 2 - Determinations following investigation of complaints
52 - Determination of the Commissioner53 - Determination must identify the class members who are to be affected by the determination53A - Notice to be given to outsourcing agency53B - Substituting an agency for a contracted service providerDivision 3 - Enforcement
54 - Application of Division55 - Obligations of organisations and small business operators55A - Proceedings in the Federal Court or Federal Circuit Court to enforce a determination55B - Evidentiary certificateDivision 4 - Review and enforcement of determinations involving Commonwealth agencies
57 - Application of Division58 - Obligations of agencies59 - Obligations of principal executive of agency60 - Compensation and expenses62 - Enforcement of determination against an agencyDivision 5 - Miscellaneous
63 - Legal assistance64 - Commissioner etc. not to be sued65 - Failure to attend etc. before Commissioner66 - Failure to give information etc.67 - Protection from civil actions68 - Power to enter premises68A - Identity cards70 - Certain documents and information not required to be disclosed70B - Application of this Part to former organisationsDivision 1 - Public interest determinations
71 - Interpretation72 - Power to make, and effect of, determinations73 - Application by APP entity74 - Publication of application etc.75 - Draft determination76 - Conference77 - Conduct of conference78 - Determination of application79 - Making of determinationDivision 2 - Temporary public interest determinations
80A - Temporary public interest determinations80B - Effect of temporary public interest determination80D - Commissioner may continue to consider applicationDivision 3 - Register of determinations
80E - Register of determinationsDivision 1 - Object and interpretation
80F - Object80G - Interpretation80H - Meaning of permitted purposeDivision 2 - Declaration of emergency
80J - Declaration of emergency—events of national significance80K - Declaration of emergency—events outside Australia80L - Form of declarations80M - When declarations take effect80N - When declarations cease to have effectDivision 3 - Provisions dealing with the use and disclosure of personal information
80P - Authorisation of collection, use and disclosure of personal informationDivision 4 - Other matters
80Q - Disclosure of information—offence80R - Operation of Part80S - Severability—additional effect of Part80T - Compensation for acquisition of property—constitutional safety netDivision 1 - Civil penalties
80U - Civil penalty provisionsDivision 2 - Enforceable undertakings
80V - Enforceable undertakingsDivision 3 - Injunctions
80W - Injunctions95 - Medical research guidelines95A - Guidelines for Australian Privacy Principles about health information95AA - Guidelines for Australian Privacy Principles about genetic information95B - Requirements for Commonwealth contracts95C - Disclosure of certain provisions of Commonwealth contracts96 - Review by the Administrative Appeals Tribunal98A - Treatment of partnerships98B - Treatment of unincorporated associations98C - Treatment of trusts99A - Conduct of directors, employees and agents100 - Regulations
Part 1 - Consideration of personal information privacy
1 - Australian Privacy Principle 1—open and transparent management of personal information2 - Australian Privacy Principle 2—anonymity and pseudonymityPart 2 - Collection of personal information
3 - Australian Privacy Principle 3—collection of solicited personal information4 - Australian Privacy Principle 4—dealing with unsolicited personal information5 - Australian Privacy Principle 5—notification of the collection of personal informationPart 3 - Dealing with personal information
6 - Australian Privacy Principle 6—use or disclosure of personal information7 - Australian Privacy Principle 7—direct marketing8 - Australian Privacy Principle 8—cross border disclosure of personal information9 - Australian Privacy Principle 9—adoption, use or disclosure of government related identifiersPart 4 - Integrity of personal information
10 - Australian Privacy Principle 10—quality of personal information11 - Australian Privacy Principle 11—security of personal informationPart 5 - Access to, and correction of, personal information
12 - Australian Privacy Principle 12—access to personal information13 - Australian Privacy Principle 13—correction of personal information(e) to facilitate an efficient credit reporting system while ensuring that the privacy of individuals is respected; and
It is the intention of the Parliament that this Act is not to affect the operation of a law of a State or of a Territory that makes provision with respect to the collection, holding, use, correction or disclosure of personal information (including such a law relating to credit reporting or the use of information held in connection with credit reporting) and is capable of operating concurrently with this Act.
amount of credit has the meaning given by subsection 6M(2).
commercial credit means credit (other than consumer credit) that is applied for by, or provided to, a person.
commercial credit related purpose of a credit provider in relation to a person means the purpose of:
(a) assessing an application for commercial credit made by the person to the provider; or
(b) collecting payments that are overdue in relation to commercial credit provided by the provider to the person.
consumer credit means credit:
(a) for which an application has been made by an individual to a credit provider, or that has been provided to an individual by a credit provider, in the course of the provider carrying on a business or undertaking as a credit provider; and
(iii) to refinance consumer credit that has been provided wholly or primarily to acquire, maintain, renovate or improve residential property for investment purposes.
consumer credit liability information: if a credit provider provides consumer credit to an individual, the following information about the consumer credit is consumer credit liability information about the individual:
(c) the type of consumer credit;
(d) the day on which the consumer credit is entered into;
(e) the terms or conditions of the consumer credit:
(i) that relate to the repayment of the amount of credit; and
(f) the maximum amount of credit available under the consumer credit;
(g) the day on which the consumer credit is terminated or otherwise ceases to be in force.
consumer credit related purpose of a credit provider in relation to an individual means the purpose of:
(a) assessing an application for consumer credit made by the individual to the provider; or
(b) collecting payments that are overdue in relation to consumer credit provided by the provider to the individual.
(b) that relates to any credit that has been provided to, or applied for by, the individual.
(a) that is derived from credit reporting information about the individual that was disclosed to a credit provider by a credit reporting body under Division 2 of Part IIIA; and
(b) that has any bearing on the individual’s credit worthiness; and
(c) that is used, has been used or could be used in establishing the individual’s eligibility for consumer credit.
(a) that is derived by a credit reporting body from credit information about the individual that is held by the body; and
(b) that has any bearing on the individual’s credit worthiness; and
(c) that is used, has been used or could be used in establishing the individual’s eligibility for consumer credit.
credit has the meaning given by subsections 6M(1) and (3).
credit card means any article of a kind commonly known as a credit card, charge card or any similar article intended for use in obtaining cash, goods or services by means of credit, and includes any article of a kind commonly issued by persons carrying on business to customers or prospective customers of those persons for use in obtaining goods or services from those persons by means of credit.
credit eligibility information about an individual means:
(a) credit reporting information about the individual that was disclosed to a credit provider by a credit reporting body under Division 2 of Part IIIA; or
credit enhancement, in relation to credit, means:
(a) the process of insuring risk associated with purchasing or funding the credit by means of a securitisation arrangement; or
(b) any other similar process related to purchasing or funding the credit by those means.
credit guarantee purpose of a credit provider in relation to an individual means the purpose of assessing whether to accept the individual as a guarantor in relation to:
(a) credit provided by the provider to a person other than the individual; or
(b) credit for which an application has been made to the provider by a person other than the individual.
credit information has the meaning given by section 6N.
credit provider has the meaning given by sections 6G to 6K, and, for the purposes of sections 7 and 8 and Parts III, IIIB, IV and V, is taken to include a mortgage insurer and a trade insurer.
credit reporting body means:
that carries on a credit reporting business.
credit reporting business has the meaning given by section 6P.
credit reporting complaint means a complaint about an act or practice that, if established, would be an interference with the privacy of an individual because:
credit reporting information about an individual means credit information, or CRB derived information, about the individual.
credit worthiness of an individual means the individual’s:
(a) eligibility to be provided with consumer credit; or
(b) history in relation to consumer credit; or
(c) capacity to repay an amount of credit that relates to consumer credit.
guarantee includes an indemnity given against the default of a person in making a payment in relation to credit that has been applied for by, or provided to, the person.
licensee has the meaning given by the National Consumer Credit Protection Act 2009.
managing credit does not include the act of collecting overdue payments in relation to credit.
mortgage credit means consumer credit:
(a) whether to provide insurance to, or the risk of providing insurance to, a credit provider in relation to mortgage credit:
(b) the risk of the individual defaulting on mortgage credit in relation to which the insurer has provided insurance to a credit provider; or
(c) the risk of the individual being unable to meet a liability that might arise under a guarantee provided, or proposed to be provided, in relation to mortgage credit provided by a credit provider to another person.
mortgage insurer means an organisation, or small business operator, that carries on a business or undertaking that involves providing insurance to credit providers in relation to mortgage credit provided by providers to other persons.
pending correction request in relation to credit information or CRB derived information means:
(i) the credit reporting body referred to in subsection 20V(3) has been consulted about the request under subsection 21V(3); and
pending dispute in relation to credit information or CRB derived information means:
purchase, in relation to credit, includes the purchase of rights to receive payments relating to the credit.
(b) if the recipient is a body corporate referred to in paragraph 21G(3)(b)—credit eligibility information disclosed to the recipient under that paragraph; or
(c) if the recipient is a person referred to in paragraph 21G(3)(c)—credit eligibility information disclosed to the recipient under that paragraph; or
(d) if the recipient is an entity or adviser referred to in paragraph 21N(2)(a)—credit eligibility information disclosed to the recipient under subsection 21N(2).
residential property has the meaning given by section 204 of the National Credit Code (within the meaning of the National Consumer Credit Protection Act 2009).
respondent for a complaint made under section 23A means the credit reporting body or credit provider to which the complaint is made.
(i) credit that has been, or is to be, provided by a credit provider; or
(ii) the purchase of credit by a credit provider;
(b) under which payments to investors in respect of such instruments or entitlements are principally derived, directly or indirectly, from such credit.
securitisation related purpose of a credit provider in relation to an individual is the purpose of:
(a) assessing the risk in purchasing, by means of a securitisation arrangement, credit that has been provided to, or applied for by:
(b) assessing the risk in undertaking credit enhancement in relation to credit:
serious credit infringement means:
(a) an act done by an individual that involves fraudulently obtaining consumer credit, or attempting fraudulently to obtain consumer credit; or
(b) an act done by an individual that involves fraudulently evading the individual’s obligations in relation to consumer credit, or attempting fraudulently to evade those obligations; or
(i) a reasonable person would consider that the act indicates an intention, on the part of the individual, to no longer comply with the individual’s obligations in relation to consumer credit provided by a credit provider; and
(a) whether to provide insurance to, or the risk of providing insurance to, a credit provider in relation to commercial credit provided by the provider to the individual or another person; or
(b) the risk of a person defaulting on commercial credit in relation to which the insurer has provided insurance to a credit provider.
trade insurer means an organisation, or small business operator, that carries on a business or undertaking that involves providing insurance to credit providers in relation to commercial credit provided by providers to other persons.
(b) being both a file number complaint and a credit reporting complaint; or
(e) being both a code complaint and a credit reporting complaint; or
(f) being both an APP complaint and a credit reporting complaint; or
(10) For the purposes of this Act, a reference to family in the definition of consumer credit in subsection 6(1), and in sections 6D and 16, in relation to any individual is taken to include the following (without limitation):
(f) is a credit reporting body.
(1) Each of the following is a credit provider:
(ii) a substantial part of the business or undertaking is the provision of credit;
(ii) that, in the course of the business, issues credit cards to individuals in connection with the sale of goods, or the supply of services, by the organisation or operator (as the case may be);
(i) that carries on a business or undertaking that involves providing credit; and
Other credit providers
(a) an organisation or small business operator (the supplier) carries on a business or undertaking in the course of which the supplier provides credit in connection with the sale of goods, or the supply of services, by the supplier; and
(b) the repayment, in full or in part, of the amount of credit is deferred for at least 7 days; and
(c) the supplier is not a credit provider under subsection (1);
then the supplier is a credit provider but only in relation to the credit.
(a) an organisation or small business operator (the lessor) carries on a business or undertaking in the course of which the lessor provides credit in connection with the hiring, leasing or renting of goods; and
(b) the credit is in force for at least 7 days; and
(d) the lessor is not a credit provider under subsection (1);
then the lessor is a credit provider but only in relation to the credit.
(4) An organisation or small business operator is a credit provider if subsection 6H(1), 6J(1) or 6K(1) provides that the organisation or operator is a credit provider.
is not a credit provider while acting in that capacity.
(6) Despite subsections (1) to (4) of this section, an organisation or small business operator is not a credit provider if it is included in a class of organisations or operators prescribed by the regulations.
(1) If an organisation or small business operator (the agent) is acting as an agent of a credit provider (the principal) in performing, on behalf of the principal, a task that is reasonably necessary:
(a) in processing an application for credit made to the principal; or
(b) in managing credit provided by the principal;
then, while the agent is so acting, the agent is a credit provider.
(2) Subsection (1) does not apply if the principal is an organisation or small business operator that is a credit provider because of a previous application of that subsection.
(3) If subsection (1) applies in relation to credit that has been provided by the principal, the credit is taken, for the purposes of this Act, to have been provided by both the principal and the agent.
(4) If subsection (1) applies in relation to credit for which an application has been made to the principal, the application is taken, for the purposes of this Act, to have been made to both the principal and the agent.
(ii) managing credit that is the subject of a securitisation arrangement; and
(i) purchasing, funding or managing, or processing an application for, credit by means of a securitisation arrangement; or
(ii) undertaking credit enhancement in relation to credit; and
(c) the credit has been provided by, or is credit for which an application has been made to, a credit provider (the original credit provider);
then, while the securitisation entity performs such a task, the securitisation entity is a credit provider.
(2) Subsection (1) does not apply if the original credit provider is an organisation or small business operator that is a credit provider because of a previous application of that subsection.
(3) If subsection (1) applies in relation to credit that has been provided by the original credit provider, the credit is taken, for the purposes of this Act, to have been provided by both the original credit provider and the securitisation entity.
(4) If subsection (1) applies in relation to credit for which an application has been made to the original credit provider, the application is taken, for the purposes of this Act, to have been made to both the original credit provider and the securitisation entity.
(a) an organisation or small business operator (the acquirer) acquires, whether by assignment, subrogation or any other means, the rights of a credit provider (the original credit provider) in relation to the repayment of an amount of credit; and
(b) the acquirer is not a credit provider under subsection 6G(1);
then the acquirer is a credit provider but only in relation to the credit.
(2) If subsection (1) of this section applies in relation to credit that has been provided by the original credit provider, the credit is taken, for the purposes of this Act, to have been provided by the acquirer.
(3) If subsection (1) of this section applies in relation to credit for which an application has been made to the original credit provider, the application is taken, for the purposes of this Act, to have been made to the acquirer.
(1) An access seeker in relation to credit reporting information, or credit eligibility information, about an individual is:
(i) who is assisting the individual to deal with a credit reporting body or credit provider; and
(a) a credit provider; or
(d) a person who is prevented from being a credit provider by subsection 6G(5) or (6).
(1) Credit is a contract, arrangement or understanding under which:
(2) The amount of credit is the amount of the debt that is actually deferred, or that may be deferred, but does not include any fees or charges payable in connection with the deferral of the debt.
(3) Without limiting subsection (1), credit includes:
Credit information about an individual is personal information (other than sensitive information) that is:
(b) consumer credit liability information about the individual; or
(d) a statement that an information request has been made in relation to the individual by a credit provider, mortgage insurer or trade insurer; or
(e) the type of consumer credit or commercial credit, and the amount of credit, sought in an application:
(i) that has been made by the individual to a credit provider; and
(i) that relates to the individual’s activities in Australia or the external Territories and the individual’s credit worthiness; and
(l) the opinion of a credit provider that the individual has committed, in circumstances specified by the provider, a serious credit infringement in relation to consumer credit provided by the provider to the individual.
(1) A credit reporting business is a business or undertaking that involves collecting, holding, using or disclosing personal information about individuals for the purpose of, or for purposes including the purpose of, providing an entity with information about the credit worthiness of an individual.
(2) Subsection (1) applies whether or not the information about the credit worthiness of an individual is:
(b) provided, or intended to be provided, for the purposes of assessing an application for consumer credit.
(3) In determining whether a business or undertaking carried on by a credit provider is a credit reporting business, disregard the provision of information about the credit worthiness of an individual to a related body corporate by the provider.
(4) Despite subsection (1), a business or undertaking is not a credit reporting business if the business or undertaking is included in a class of businesses or undertakings prescribed by the regulations.
Consumer credit defaults
(1) Default information about an individual is information about a payment (including a payment that is wholly or partly a payment of interest) that the individual is overdue in making in relation to consumer credit that has been provided by a credit provider to the individual if:
(2) Default information about an individual is information about a payment that the individual is overdue in making as a guarantor under a guarantee given against any default by a person (the borrower) in repaying all or any of the debt deferred under consumer credit provided by a credit provider to the borrower if:
Credit provider
(1) A credit provider has made an information request in relation to an individual if the provider has sought information about the individual from a credit reporting body:
(a) in connection with an application for consumer credit made by the individual to the provider; or
(b) in connection with an application for commercial credit made by a person to the provider; or
(c) for a credit guarantee purpose of the provider in relation to the individual; or
(a) the insurer has sought information about the individual from a credit reporting body; and
(b) the information was sought in connection with the provision of insurance to a credit provider in relation to mortgage credit provided by the provider to:
(a) the insurer has sought information about the individual from a credit reporting body; and
(b) the information was sought in connection with the provision of insurance to a credit provider in relation to commercial credit provided by the provider to the individual or another person.
Consumer credit defaults
(a) a credit provider has disclosed default information about an individual to a credit reporting body; and
(b) the default information relates to a payment that the individual is overdue in making in relation to consumer credit (the original consumer credit) that has been provided by the provider to the individual; and
(i) the terms or conditions of the original consumer credit that relate to the repayment of the amount of credit are varied; or
(ii) the individual is provided with other consumer credit (the new consumer credit) by a credit provider that relates, wholly or in part, to that amount of credit;
then new arrangement information about the individual is a statement that those terms or conditions of the original consumer credit have been varied, or that the individual has been provided with the new consumer credit.
Serious credit infringements
(a) a credit provider is of the opinion that an individual has committed a serious credit infringement in relation to consumer credit (the original consumer credit) provided by the provider to the individual; and
(b) the provider has disclosed the opinion to a credit reporting body; and
(i) the terms or conditions of the original consumer credit that relate to the repayment of the amount of credit are varied; or
(ii) the individual is provided with other consumer credit (the new consumer credit) by a credit provider that relates, wholly or in part, to that amount of credit;
then new arrangement information about the individual is a statement that those terms or conditions of the original consumer credit have been varied, or that the individual has been provided with the new consumer credit.
(a) a credit provider has disclosed default information about an individual to a credit reporting body; and
(a) the presentation of a creditor’s petition against the individual; or
(1) If a credit provider provides consumer credit to an individual, the following information about the consumer credit is repayment history information about the individual:
(a) whether or not the individual has met an obligation to make a monthly payment that is due and payable in relation to the consumer credit;
(a) whether or not an individual has met an obligation to make a monthly payment that is due and payable in relation to consumer credit; and
(a) an act done, or a practice engaged in, as the case may be, by an agency (other than an eligible hearing service provider), a file number recipient, a credit reporting body or a credit provider other than:
(a) an act done or practice engaged in by, or information disclosed to, a person employed by, or in the service of, an agency, organisation, file number recipient, credit reporting body or credit provider in the performance of the duties of the person’s employment shall be treated as having been done or engaged in by, or disclosed to, the agency, organisation, recipient, credit reporting body or credit provider;
Credit reporting
In general, this Part deals with the privacy of information relating to credit reporting.
Divisions 2 and 3 contain rules that apply to credit reporting bodies and credit providers in relation to their handling of information relating to credit reporting.
Division 5 deals with complaints to credit reporting bodies or credit providers about acts or practices that may be a breach of certain provisions of this Part or the registered CR code.
Division 6 deals with entities that obtain credit reporting information or credit eligibility information by false pretence, or when they are not authorised to do so under this Part.
This Division sets out rules that apply to credit reporting bodies in relation to their handling of the following:
(a) credit reporting information;
(c) credit reporting information that is de identified;
(1) This Division applies to a credit reporting body in relation to the following:
(a) credit reporting information;
(c) credit reporting information that is de identified;
(2) The Australian Privacy Principles do not apply to a credit reporting body in relation to personal information that is:
(a) credit reporting information; or
Note: The Australian Privacy Principles apply to the credit reporting body in relation to other kinds of personal information.
(1) The object of this section is to ensure that credit reporting bodies manage credit reporting information in an open and transparent way.
(2) A credit reporting body must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the credit reporting business of the body that:
Policy about the management of credit reporting information
(3) A credit reporting body must have a clearly expressed and up to date policy about the management of credit reporting information by the body.
(4) Without limiting subsection (3), the policy of the credit reporting body must contain the following information:
(a) the kinds of credit information that the body collects and how the body collects that information;
(b) the kinds of credit reporting information that the body holds and how the body holds that information;
(c) the kinds of personal information that the body usually derives from credit information that the body holds;
(d) the purposes for which the body collects, holds, uses and discloses credit reporting information;
(f) how an individual may access credit reporting information about the individual that is held by the body and seek the correction of such information;
(g) information about the effect of section 20T (which deals with individuals requesting the correction of credit information etc.);
(5) A credit reporting body must take such steps as are reasonable in the circumstances to make the policy available:
Note: A credit reporting body will usually make the policy available on the body’s website.
(6) If a person or body requests a copy, in a particular form, of the policy of a credit reporting body, the credit reporting body must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.
(1) A credit reporting body must not collect credit information about an individual.
(2) Subsection (1) does not apply if the collection of the credit information is required or authorised by or under an Australian law or a court/tribunal order.
(a) the credit reporting body collects the credit information about the individual from a credit provider who is permitted under section 21D to disclose the information to the body; and
(b) the body collects the information in the course of carrying on a credit reporting business; and
(c) if the information is identification information about the individual—the body also collects from the provider, or already holds, credit information of another kind about the individual.
(a) the credit reporting body:
(i) collects the credit information about the individual from an entity (other than a credit provider) in the course of carrying on a credit reporting business; and
(c) if the information relates to consumer credit or commercial credit—the credit is or has been provided, or applied for, in Australia; and
(d) if the information is identification information about the individual—the body also collects from the entity, or already holds, credit information of another kind about the individual; and
(e) if the information is repayment history information about the individual—the body collects the information from another credit reporting body that has an Australian link.
(6) Despite paragraph (4)(b), consumer credit liability information about the individual may relate to consumer credit that was entered into on a day before the individual turned 18, so long as the consumer credit was not terminated, or did not otherwise cease to be in force, on a day before the individual turned 18.
(7) A credit reporting body must collect credit information only by lawful and fair means.
Solicited credit information
(8) This section applies to the collection of credit information that is solicited by a credit reporting body.
(a) a credit reporting body receives credit information about an individual; and
(2) The credit reporting body may use or disclose the credit information for the purposes of making the determination under subsection (1).
(3) If the credit reporting body determines that it could have collected the credit information, sections 20E to 20ZA apply in relation to the information as if the body had collected the information under section 20C.
(4) If the credit reporting body determines that it could not have collected the credit information, the body must, as soon as practicable, destroy the information.
(5) Subsection (4) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the credit information.
(1) If a credit reporting body holds credit reporting information about an individual, the body must not use or disclose the information.
(2) Subsection (1) does not apply to the use of credit reporting information about the individual if:
(a) the credit reporting body uses the information in the course of carrying on the body’s credit reporting business; or
(3) Subsection (1) does not apply to the disclosure of credit reporting information about the individual if:
(b) the disclosure is to another credit reporting body that has an Australian link; or
(ii) a credit reporting body or credit provider is a member of the scheme; or
(ii) the credit reporting body is satisfied that the body, or another enforcement body, believes on reasonable grounds that the individual has committed a serious credit infringement; or
(4) However, if the credit reporting information is, or was derived from, repayment history information about the individual, the credit reporting body must not disclose the information under paragraph (3)(a) or (f) unless the recipient of the information is:
(a) a credit provider who is a licensee or is prescribed by the regulations; or
(5) If a credit reporting body discloses credit reporting information under this section, the body must make a written note of that disclosure.
(6) This section does not apply to the use or disclosure of credit reporting information for the purposes of direct marketing.
Note: Section 20G deals with the use or disclosure of credit reporting information for the purposes of direct marketing.
(1) A disclosure by a credit reporting body of credit reporting information about an individual is a permitted CRB disclosure in relation to the individual if:
Permitted CRB disclosures | ||
---|---|---|
Item | If the disclosure is to ... | the condition or conditions are ... |
1 | a credit provider | the provider requests the information for a consumer credit related purpose of the provider in relation to the individual. |
2 | a credit provider | (a) the provider requests the information for a commercial credit related purpose of the provider in relation to a person; and (b) the individual expressly consents to the disclosure of the information to the provider for that purpose. |
3 | a credit provider | (a) the provider requests the information for a credit guarantee purpose of the provider in relation to the individual; and (b) the individual expressly consents, in writing, to the disclosure of the information to the provider for that purpose. |
4 | a credit provider | the credit reporting body is satisfied that the provider, or another credit provider, believes on reasonable grounds that the individual has committed a serious credit infringement. |
5 | a credit provider | (a) the credit reporting body holds consumer credit liability information that relates to consumer credit provided by the provider to the individual; and (b) the consumer credit has not been terminated, or has not otherwise ceased to be in force. |
6 | a credit provider under subsection 6J(1) | the provider requests the information for a securitisation related purpose of the provider in relation to the individual. |
7 | a mortgage insurer | the insurer requests the information for a mortgage insurance purpose of the insurer in relation to the individual. |
8 | a trade insurer | (a) the insurer requests the information for a trade insurance purpose of the insurer in relation to the individual; and (b) the individual expressly consents, in writing, to the disclosure of the information to the insurer for that purpose. |
(a) the credit provider referred to in that item requests the information for the purpose of assessing an application for commercial credit made by a person to the provider; and
(1) If a credit reporting body holds credit reporting information about an individual, the body must not use or disclose the information for the purposes of direct marketing.
(2) Subsection (1) does not apply to the use by the credit reporting body of credit information about the individual for the purposes of direct marketing by, or on behalf of, a credit provider if:
(b) the direct marketing is about consumer credit that the provider provides in Australia; and
(c) the information is not consumer credit liability information, or repayment history information, about the individual; and
(d) the body uses the information to assess whether or not the individual is eligible to receive the direct marketing communications of the credit provider; and
(3) In assessing under paragraph (2)(d) whether or not the individual is eligible to receive the direct marketing communications of the credit provider, the credit reporting body must have regard to the eligibility requirements nominated by the provider.
(4) An assessment under paragraph (2)(d) is not credit reporting information about the individual.
(5) An individual may request a credit reporting body that holds credit information about the individual not to use the information under subsection (2).
(6) If the individual makes a request under subsection (5), the credit reporting body must not charge the individual for the making of the request or to give effect to the request.
(7) If a credit reporting body uses credit information under subsection (2), the body must make a written note of that use.
Use or disclosure by credit reporting bodies
(1) If a credit reporting body makes a pre screening assessment in relation to direct marketing by, or on behalf of, a credit provider, the body must not use or disclose the assessment.
(a) the credit reporting body discloses the pre screening assessment for the purposes of the direct marketing by, or on behalf of, the credit provider; and
(3) If the credit reporting body discloses the pre screening assessment under subsection (2), the body must make a written note of that disclosure.
(4) If the credit reporting body discloses the pre screening assessment under subsection (2), the recipient must not use or disclose the assessment.
(5) Subsection (4) does not apply if the recipient uses the pre screening assessment for the purposes of the direct marketing by, or on behalf of, the credit provider.
(2) If the entity is an APP entity but not a credit reporting body, Australian Privacy Principle 11.2 does not apply to the entity in relation to the pre screening assessment.
(a) a credit reporting body holds credit reporting information about an individual; and
(a) the individual expressly consents, in writing, to the use or disclosure of the credit reporting information under this Division; or
(b) the use or disclosure of the credit reporting information is required by or under an Australian law or a court/tribunal order.
(3) The ban period for credit reporting information about an individual is the period that:
(a) there is a ban period for credit reporting information about an individual that is held by a credit reporting body; and
(5) A ban period for credit reporting information may be extended more than once under subsection (4).
(6) If an individual makes a request under paragraph (1)(c) or (4)(b), a credit reporting body must not charge the individual for the making of the request or to give effect to the request.
(a) a credit reporting body holds credit reporting information about an individual; and
(a) a credit reporting body holds credit reporting information; and
(a) the use or disclosure is for the purposes of conducting research in relation to credit; and
(b) the credit reporting body complies with the rules made under subsection (3).
(3) The Commissioner may, by legislative instrument, make rules relating to the use or disclosure by a credit reporting body of de identified information for the purposes of conducting research in relation to credit.
(b) whether or not the research is research in relation to credit;
(1) A credit reporting body must take such steps as are reasonable in the circumstances to ensure that the credit information the body collects is accurate, up to date and complete.
(2) A credit reporting body must take such steps as are reasonable in the circumstances to ensure that the credit reporting information the body uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.
(3) Without limiting subsections (1) and (2), a credit reporting body must:
(a) enter into agreements with credit providers that require the providers to ensure that credit information that they disclose to the body under section 21D is accurate, up to date and complete; and
(1) A credit reporting body commits an offence if:
(a) the body uses or discloses credit reporting information under this Division (other than subsections 20D(2) and 20T(4)); and
(2) A credit reporting body must not use or disclose credit reporting information under this Division (other than subsections 20D(2) and 20T(4)) if the information is false or misleading in a material particular.
(1) If a credit reporting body holds credit reporting information, the body must take such steps as are reasonable in the circumstances to protect the information:
(2) Without limiting subsection (1), a credit reporting body must:
(a) enter into agreements with credit providers that require the providers to protect credit reporting information that is disclosed to them under this Division:
(1) If a credit reporting body holds credit reporting information about an individual, the body must, on request by an access seeker in relation to the information, give the access seeker access to the information.
(2) Despite subsection (1), the credit reporting body is not required to give the access seeker access to the credit reporting information to the extent that:
(3) The credit reporting body must respond to the request within a reasonable period, but not longer than 10 days, after the request is made.
(4) If the credit reporting body gives access to the credit reporting information, the access must be given in the manner set out in the registered CR code.
(5) If a request under subsection (1) in relation to the individual has not been made to the credit reporting body in the previous 12 months, the body must not charge the access seeker for the making of the request or for giving access to the information.
(6) If subsection (5) does not apply, any charge by the credit reporting body for giving access to the information must not be excessive and must not apply to the making of the request.
(7) If the credit reporting body refuses to give access to the information because of subsection (2), the body must give the access seeker a written notice that:
(a) a credit reporting body holds credit reporting information about an individual; and
(a) the credit reporting body corrects credit reporting information under subsection (1); and
(a) it is impracticable for the credit reporting body to give the notice under that subsection; or
(b) the credit reporting body is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.
(1) An individual may request a credit reporting body to correct personal information about the individual if:
(i) credit information about the individual; or
(2) If the credit reporting body is satisfied that the personal information is inaccurate, out of date, incomplete, irrelevant or misleading, the body must take such steps (if any) as are reasonable in the circumstances to correct the information within:
(3) If the credit reporting body considers that the body cannot be satisfied of the matter referred to in subsection (2) in relation to the personal information without consulting either or both of the following (the interested party):
(a) another credit reporting body that holds or held the information and that has an Australian link;
(b) a credit provider that holds or held the information and that has an Australian link;
(5) The credit reporting body must not charge the individual for the making of the request or for correcting the information.
(1) This section applies if an individual requests a credit reporting body to correct personal information under subsection 20T(1).
(2) If the credit reporting body corrects the personal information under subsection 20T(2), the body must, within a reasonable period:
(3) If the credit reporting body does not correct the personal information under subsection 20T(2), the body must, within a reasonable period, give the individual written notice that:
(4) Paragraph (2)(c) does not apply if it is impracticable for the credit reporting body to give the notice under that paragraph.
(5) Subsection (2) or (3) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.
(a) a credit reporting body holds credit information about an individual; and
Note: There is no retention period for identification information or credit information of a kind referred to in paragraph 6N(k).
Destruction etc. of credit information
(2) The credit reporting body must destroy the credit information, or ensure that the information is de identified, within 1 month after the retention period for the information ends.
(3) Despite subsection (2), the credit reporting body must neither destroy the credit information nor ensure that the information is de identified, if immediately before the retention period ends:
(4) Subsection (2) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the credit information.
(5) The credit reporting body must destroy any CRB derived information about the individual that was derived from the credit information, or ensure that the CRB derived information is de identified:
(i) the CRB derived information was derived from 2 or more kinds of credit information; and
(ii) the body is required to do a thing referred to in subsection (2) to one of those kinds of credit information;
at the same time that the body does that thing to that credit information; or
(b) otherwise—at the same time that the body is required to do a thing referred to in subsection (2) to the credit information from which the CRB derived information was derived.
(6) Despite subsection (5), the credit reporting body must neither destroy the CRB derived information nor ensure that the information is de identified, if immediately before the retention period ends:
(7) Subsection (5) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the CRB derived information.
The following table sets out the retention period for credit information:
(b) that is held by a credit reporting body.
Retention period | ||
---|---|---|
Item | If the credit information is ... | the retention period for the information is ... |
1 | consumer credit liability information | the period of 2 years that starts on the day on which the consumer credit to which the information relates is terminated or otherwise ceases to be in force. |
2 | repayment history information | the period of 2 years that starts on the day on which the monthly payment to which the information relates is due and payable. |
3 | information of a kind referred to in paragraph 6N(d) or (e) | the period of 5 years that starts on the day on which the information request to which the information relates is made. |
4 | default information | the period of 5 years that starts on the day on which the credit reporting body collects the information. |
5 | payment information | the period of 5 years that starts on the day on which the credit reporting body collects the default information to which the payment information relates. |
6 | new arrangement information within the meaning of subsection 6S(1) | the period of 2 years that starts on the day on which the credit reporting body collects the default information referred to in that subsection. |
7 | new arrangement information within the meaning of subsection 6S(2) | the period of 2 years that starts on the day on which the credit reporting body collects the information about the opinion referred to in that subsection. |
8 | court proceedings information | the period of 5 years that starts on the day on which the judgement to which the information relates is made or given. |
9 | information of a kind referred to in paragraph 6N(l) | the period of 7 years that starts on the day on which the credit reporting body collects the information. |
(a) a credit reporting body holds credit reporting information about an individual; and
(b) the information relates to consumer credit that has been provided by a credit provider to the individual, or a person purporting to be the individual; and
(ii) the consumer credit was provided as a result of that fraud.
Destruction of credit reporting information
(2) The credit reporting body must:
(a) destroy the credit reporting information; and
(ii) give the credit provider a written notice that states that the information has been destroyed.
(3) Subsection (2) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the credit reporting information.
(a) a credit reporting body destroys credit reporting information about an individual under subsection (2); and
(5) Subsection (4) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, not to give the notification.
(1) This section applies if a credit reporting body holds credit reporting information about an individual and either:
(2) The credit reporting body must, as soon as practicable, notify in writing the Commissioner of the matter referred to in paragraph (1)(a) or (b) of this section.
(3) The credit reporting body must not use or disclose the information under Subdivision D of this Division.
(4) However, the credit reporting body may use or disclose the information under this subsection if:
(5) If the credit reporting body uses or discloses the information under subsection (4), the body must make a written note of the use or disclosure.
(6) The Commissioner may, by legislative instrument, direct the credit reporting body to destroy the information, or ensure that the information is de identified, by a specified day.
(7) If the Commissioner gives a direction under subsection (6) to the credit reporting body, the body must comply with the direction.
(8) To avoid doubt, section 20M applies in relation to credit reporting information that is de identified as a result of the credit reporting body complying with the direction.
(1) This section applies if a credit reporting body is not required:
(a) to do a thing referred to in subsection 20V(2) to credit information because of subsection 20V(4); or
(c) to destroy credit reporting information under subsection 20Y(2) because of subsection 20Y(3).
(2) The credit reporting body must not use or disclose the information under Subdivision D of this Division.
(3) However, the credit reporting body may use or disclose the information under this subsection if the use or disclosure of the information is required by or under an Australian law or a court/tribunal order.
(4) If the credit reporting body uses or discloses the information under subsection (3), the body must make a written note of the use or disclosure.
Note: Section 20Q deals with the security of credit reporting information.
This Division sets out rules that apply to credit providers in relation to their handling of the following:
(a) credit information;
(b) credit eligibility information;
If a credit provider is an APP entity, the rules apply in relation to that information in addition to, or instead of, any relevant Australian Privacy Principles.
(1) This Division applies to a credit provider in relation to the following:
(a) credit information;
(b) credit eligibility information;
(2) If the credit provider is an APP entity, this Division may apply to the provider in relation to information referred to in subsection (1) in addition to, or instead of, the Australian Privacy Principles.
(1) The object of this section is to ensure that credit providers manage credit information and credit eligibility information in an open and transparent way.
(2) A credit provider must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the provider’s functions or activities as a credit provider that:
Policy about the management of credit information etc.
(3) A credit provider must have a clearly expressed and up to date policy about the management of credit information and credit eligibility information by the provider.
(4) Without limiting subsection (3), the policy of the credit provider must contain the following information:
(a) the kinds of credit information that the provider collects and holds, and how the provider collects and holds that information;
(b) the kinds of credit eligibility information that the provider holds and how the provider holds that information;
(c) the kinds of CP derived information that the provider usually derives from credit reporting information disclosed to the provider by a credit reporting body under Division 2 of this Part;
(d) the purposes for which the provider collects, holds, uses and discloses credit information and credit eligibility information;
(e) how an individual may access credit eligibility information about the individual that is held by the provider;
(f) how an individual may seek the correction of credit information or credit eligibility information about the individual that is held by the provider;
(i) whether the provider is likely to disclose credit information or credit eligibility information to entities that do not have an Australian link;
(j) if the provider is likely to disclose credit information or credit eligibility information to such entities—the countries in which those entities are likely to be located if it is practicable to specify those countries in the policy.
(5) A credit provider must take such steps as are reasonable in the circumstances to make the policy available:
Note: A credit provider will usually make the policy available on the provider’s website.
(6) If a person or body requests a copy, in a particular form, of the policy of a credit provider, the provider must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.
(7) If a credit provider is an APP entity, Australian Privacy Principles 1.3 and 1.4 do not apply to the provider in relation to credit information or credit eligibility information.
(1) At or before the time a credit provider collects personal information about an individual that the provider is likely to disclose to a credit reporting body, the provider must:
(2) If a credit provider is an APP entity, subsection (1) applies to the provider in relation to personal information in addition to Australian Privacy Principle 5.
(3) If a credit provider is an APP entity, then the matters for the purposes of Australian Privacy Principle 5.1 include the following matters to the extent that the personal information referred to in that principle is credit information or credit eligibility information:
(a) that the policy (the credit reporting policy) of the provider that is referred to in subsection 21B(3) contains information about how an individual may access the credit eligibility information about the individual that is held by the provider;
(b) that the credit reporting policy of the provider contains information about how an individual may seek the correction of credit information or credit eligibility information about the individual that is held by the provider;
(c) that the credit reporting policy of the provider contains information about how an individual may complain about a failure of the provider to comply with this Division or the registered CR code if it binds the provider;
(d) that the credit reporting policy of the provider contains information about how the provider will deal with such a complaint;
(e) whether the provider is likely to disclose credit information or credit eligibility information to entities that do not have an Australian link;
(f) if the provider is likely to disclose credit information or credit eligibility information to such entities—the countries in which those entities are likely to be located if it is practicable to specify those countries in the credit reporting policy.
(1) A credit provider must not disclose credit information about an individual to a credit reporting body (whether or not the body’s credit reporting business is carried on in Australia).
(2) Subsection (1) does not apply to the disclosure of credit information about the individual if:
(a) the credit provider:
(b) the credit reporting body is:
Note: Section 21F limits the disclosure of credit information if there is a ban period for the information.
(3) Credit information about an individual meets the requirements of this subsection if:
(b) if the information relates to consumer credit or commercial credit—the credit is or has been provided, or applied for, in Australia; and
(i) the credit provider is a licensee or is prescribed by the regulations; and
(ii) the consumer credit to which the information relates is consumer credit in relation to which the provider also discloses, or a credit provider has previously disclosed, consumer credit liability information about the individual to the credit reporting body; and
(i) the credit provider has given the individual a notice in writing stating that the provider intends to disclose the information to the credit reporting body; and
(5) Despite paragraph (3)(a), consumer credit liability information about the individual may relate to consumer credit that was entered into on a day before the individual turned 18, so long as the consumer credit was not terminated, or did not otherwise cease to be in force, on a day before the individual turned 18.
(6) If a credit provider discloses credit information under this section, the provider must make a written note of that disclosure.
(7) If a credit provider is an APP entity, Australian Privacy Principles 6 and 8 do not apply to the disclosure by the provider of credit information to a credit reporting body.
(a) a credit provider has disclosed default information about an individual to a credit reporting body under section 21D; and
(a) a credit reporting body holds credit reporting information about an individual; and
(b) a credit provider requests the body to disclose the information to the provider for the purpose of assessing an application for consumer credit made to the provider by the individual, or a person purporting to be the individual; and
(d) during the ban period, the provider provides the consumer credit to which the application relates to the individual, or the person purporting to be the individual.
(2) If the credit provider holds credit information about the individual that relates to the consumer credit, the provider must not, despite sections 21D and 21E, disclose the information to a credit reporting body.
(3) Subsection (2) does not apply if the credit provider has taken such steps as are reasonable in the circumstances to verify the identity of the individual.
(1) If a credit provider holds credit eligibility information about an individual, the provider must not use or disclose the information.
(2) Subsection (1) does not apply to the use of credit eligibility information about the individual if:
(a) the use is for a consumer credit related purpose of the credit provider in relation to the individual; or
(i) the credit provider believes on reasonable grounds that the individual has committed a serious credit infringement;
(3) Subsection (1) does not apply to the disclosure of credit eligibility information about the individual if:
(b) the disclosure is to a related body corporate of the credit provider; or
(i) a person for the purpose of processing an application for credit made to the credit provider; or
(ii) a person who manages credit provided by the credit provider for use in managing that credit; or
(i) the credit provider believes on reasonable grounds that the individual has committed a serious credit infringement;
(ii) the provider discloses the information to another credit provider that has an Australian link, or to an enforcement body; or
(ii) a credit provider or credit reporting body is a member of the scheme; or
Note: See section 21NA for additional rules about the disclosure of credit eligibility information under paragraph (3)(b) or (c).
(4) However, if the credit eligibility information about the individual is, or was derived from, repayment history information about the individual, the credit provider must not disclose the information under subsection (3).
(a) the recipient of the credit eligibility information is another credit provider who is a licensee; or
(c) the credit provider discloses the credit eligibility information under paragraph (3)(b), (c), (e) or (f); or
(d) the credit provider discloses the credit eligibility information under paragraph (3)(d) to an enforcement body.
(6) If a credit provider uses or discloses credit eligibility information under this section, the provider must make a written note of that use or disclosure.
(7) If a credit provider is an APP entity, Australian Privacy Principles 6, 7 and 8 do not apply to the provider in relation to credit eligibility information.
(a) a credit provider is an APP entity; and
(b) the credit eligibility information is a government related identifier of the individual;
A use by a credit provider of credit eligibility information about an individual is a permitted CP use in relation to the individual if:
(a) the relevant credit reporting information was disclosed to the provider under a provision specified in column 1 of the table for the purpose (if any) specified in that column; and
(b) the provider uses the credit eligibility information for the purpose specified in column 2 of the table.
Permitted CP uses | ||
---|---|---|
Column 1 | Column 2 | |
Item | The relevant credit reporting information was disclosed to the credit provider under ... | The credit provider uses the credit eligibility information for ... |
1 | item 1 of the table in subsection 20F(1) for the purpose of assessing an application for consumer credit made by the individual to the provider. | (a) a securitisation related purpose of the provider in relation to the individual; or (b) the internal management purposes of the provider that are directly related to the provision or management of consumer credit by the provider. |
2 | item 2 of the table in subsection 20F(1) for a particular commercial credit related purpose of the provider in relation to the individual. | that particular commercial credit related purpose. |
3 | item 2 of the table in subsection 20F(1) for the purpose of assessing an application for commercial credit made by a person to the provider. | the internal management purposes of the provider that are directly related to the provision or management of commercial credit by the provider. |
4 | item 3 of the table in subsection 20F(1) for a credit guarantee purpose of the provider in relation to the individual. | (a) the credit guarantee purpose; or (b) the internal management purposes of the provider that are directly related to the provision or management of any credit by the provider. |
5 | item 5 of the table in subsection 20F(1). | the purpose of assisting the individual to avoid defaulting on his or her obligations in relation to consumer credit provided by the provider to the individual. |
6 | item 6 of the table in subsection 20F(1) for a particular securitisation related purpose of the provider in relation to the individual. | that particular securitisation related purpose. |
(1) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the disclosure is to another credit provider (the recipient) for a particular purpose; and
(i) the disclosure of the information to the recipient is for the purpose of assessing an application for consumer credit or commercial credit made to the recipient; and
(b) must be given to the credit provider or recipient.
Agents of credit providers
(3) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the provider is acting as an agent of another credit provider that has an Australian link; and
(b) while the provider is so acting, the provider is a credit provider under subsection 6H(1); and
(c) the provider discloses the information to the other credit provider in the provider’s capacity as such an agent.
(4) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the provider is a credit provider under subsection 6J(1) in relation to credit; and
(b) the credit has been provided by, or is credit for which an application has been made to, another credit provider (the original credit provider) that has an Australian link; and
(c) the original credit provider is not a credit provider under that subsection; and
(i) the original credit provider; or
(ii) another credit provider that is a credit provider under that subsection in relation to the credit and that has an Australian link; and
(i) purchasing, funding or managing, or processing an application for, the credit by means of a securitisation arrangement; or
(ii) undertaking credit enhancement in relation to the credit.
Mortgage credit secured by the same real property
(5) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the disclosure is to another credit provider that has an Australian link; and
(b) both credit providers have provided mortgage credit to the individual in relation to which the same real property forms all or part of the security; and
(c) the individual is at least 60 days overdue in making a payment in relation to the mortgage credit provided by either provider; and
(1) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(i) the provider has provided credit to the individual; or
(ii) the individual has applied to the provider for credit; and
(i) to offer to act as a guarantor in relation to the credit; or
(ii) to offer property as security for the credit; and
(a) if subparagraph (1)(a)(i) applies—the application for the credit was not made in writing; or
(b) if subparagraph (1)(a)(ii) applies—the application for the credit has not been made in writing.
(3) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(i) is a guarantor in relation to credit provided by the provider to the individual; or
(ii) has provided property as security for such credit; and
(4) The consent of the individual under subparagraph (3)(c)(i) must be given in writing unless the application for the credit was not made in writing.
A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if the disclosure is to a mortgage insurer that has an Australian link for:
(1) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(i) consumer credit provided by the provider to the individual; or
(ii) commercial credit provided by the provider to a person; and
Note: See section 21NA for additional rules about the disclosure of credit eligibility information under this subsection.
(i) the information relates to a payment that the individual is overdue in making in relation to consumer credit that has been provided by the credit provider to the individual; and
Mortgage credit assistance schemes
(1) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(i) giving assistance (directly or indirectly) that facilitates the provision of mortgage credit to individuals; or
(i) to determine the extent of the assistance (if any) to give in relation to the provision of mortgage credit to the individual; or
Assignment of debts owed to credit providers etc.
(2) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(3) This subsection applies to the credit eligibility information if the recipient proposes to use the information:
(i) accept an assignment of a debt owed to the credit provider; or
(ii) accept a debt owed to the provider as security for credit provided to the provider; or
Related bodies corporate and credit managers etc.
(1) Before a credit provider discloses credit eligibility information under paragraph 21G(3)(b) or (c) to a related body corporate, or person, that does not have an Australian link, the provider must take such steps as are reasonable in the circumstances to ensure that the body or person does not breach the following provisions (the relevant provisions) in relation to the information:
(a) a credit provider discloses credit eligibility information under paragraph 21G(3)(b) or (c) to a related body corporate, or person, that does not have an Australian link; and
(3) Before a credit provider discloses credit eligibility information under subsection 21M(1) to a person or body that does not have an Australian link, the provider must take such steps as are reasonable in the circumstances to ensure that the person or body does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.
(a) a credit provider discloses credit eligibility information under subsection 21M(1) to a person or body that does not have an Australian link; and
(a) a credit provider refuses an application for consumer credit made in Australia:
(b) the refusal is based wholly or partly on credit eligibility information about one or more of the following:
(ii) a person who is proposing to act as a guarantor in relation to the consumer credit;
(c) a credit reporting body disclosed the relevant credit reporting information to the provider for the purposes of assessing the application.
(2) The credit provider must, within a reasonable period after refusing the application, give the individual a written notice that:
(b) states that the refusal is based wholly or partly on credit eligibility information about one or more of the persons referred to in paragraph (1)(b); and
(i) the name and contact details of the credit reporting body that disclosed the relevant credit reporting information to the provider; and
(1) A credit provider must take such steps (if any) as are reasonable in the circumstances to ensure that the credit eligibility information the provider collects is accurate, up to date and complete.
(2) A credit provider must take such steps (if any) as are reasonable in the circumstances to ensure that the credit eligibility information the provider uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.
(3) If a credit provider is an APP entity, Australian Privacy Principle 10 does not apply to the provider in relation to credit eligibility information.
(1) A credit provider commits an offence if:
(a) the provider discloses credit information under section 21D; and
(2) A credit provider commits an offence if:
(a) the provider uses or discloses credit eligibility information under this Division; and
(3) A credit provider must not disclose credit information under section 21D if the information is false or misleading in a material particular.
(4) A credit provider must not use or disclose credit eligibility information under this Division if the information is false or misleading in a material particular.
(1) If a credit provider holds credit eligibility information, the provider must take such steps as are reasonable in the circumstances to protect the information:
(a) a credit provider holds credit eligibility information about an individual; and
(3) If a credit provider is an APP entity, Australian Privacy Principle 11 does not apply to the provider in relation to credit eligibility information.
(1) If a credit provider holds credit eligibility information about an individual, the provider must, on request by an access seeker in relation to the information, give the access seeker access to the information.
(2) Despite subsection (1), the credit provider is not required to give the access seeker access to the credit eligibility information to the extent that:
(3) The credit provider must respond to the request within a reasonable period after the request is made.
(4) If the credit provider gives access to the credit eligibility information, the access must be given in the manner set out in the registered CR code.
(5) If the credit provider is an agency, the provider must not charge the access seeker for the making of the request or for giving access to the information.
(6) If a credit provider is an organisation or small business operator, any charge by the provider for giving access to the information must not be excessive and must not apply to the making of the request.
(8) If a credit provider is an APP entity, Australian Privacy Principle 12 does not apply to the provider in relation to credit eligibility information.
(a) a credit provider holds credit information or credit eligibility information about an individual; and
(a) the credit provider corrects credit information or credit eligibility information under subsection (1); and
(a) it is impracticable for the credit provider to give the notice under that subsection; or
(b) the credit provider is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.
(4) If a credit provider is an APP entity, Australian Privacy Principle 13:
(a) applies to the provider in relation to credit information or credit eligibility information that is identification information; but
(b) does not apply to the provider in relation to any other kind of credit information or credit eligibility information.
(1) An individual may request a credit provider to correct personal information about the individual if:
(i) credit information about the individual; or
(2) If the credit provider is satisfied that the personal information is inaccurate, out of date, incomplete, irrelevant or misleading, the provider must take such steps (if any) as are reasonable in the circumstances to correct the information within:
(3) If the credit provider considers that the provider cannot be satisfied of the matter referred to in subsection (2) in relation to the personal information without consulting either or both of the following (the interested party):
(a) a credit reporting body that holds or held the information and that has an Australian link;
(b) another credit provider that holds or held the information and that has an Australian link;
(5) The credit provider must not charge the individual for the making of the request or for correcting the information.
(6) If a credit provider is an APP entity, Australian Privacy Principle 13:
(1) This section applies if an individual requests a credit provider to correct personal information under subsection 21V(1).
(2) If the credit provider corrects personal information about the individual under subsection 21V(2), the provider must, within a reasonable period:
(3) If the credit provider does not correct the personal information under subsection 21V(2), the provider must, within a reasonable period, give the individual written notice that:
(4) Paragraph (2)(c) does not apply if it is impracticable for the credit provider to give the notice under that paragraph.
(5) Subsection (2) or (3) does not apply if the credit provider is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.
(a) that the policy (the credit reporting policy) of the recipient that is referred to in subsection 22A(3) contains information about how an individual may access the regulated information about the individual that is held by the recipient, and seek the correction of such information;
(b) that the credit reporting policy of the recipient contains information about how an individual may complain about a failure of the recipient to comply with this Division or the registered CR code if it binds the recipient; and
(c) that the credit reporting policy of the recipient contains information about how the recipient will deal with such a complaint.
(b) the information was disclosed to the insurer by a credit reporting body or credit provider under Division 2 or 3 of this Part;
(ii) any purpose arising under a contract for mortgage insurance that has been entered into between the credit provider and the insurer; or
(a) a body corporate holds or held credit eligibility information about an individual; and
(b) the information was disclosed to the body by a credit provider under paragraph 21G(3)(b);
(2) Subsection (1) does not apply to the use or disclosure of the information by the body corporate if the body would be permitted to use or disclose the information under section 21G if the body were the credit provider.
(a) the credit provider that has provided the relevant credit to the individual;
(b) the credit provider to which the relevant application for credit was made by the individual.
(a) a person holds or held credit eligibility information about an individual; and
(b) the information was disclosed to the person by a credit provider under paragraph 21G(3)(c);
(a) the disclosure is to the credit provider; or
(a) any of the following (the recipient) holds or held credit eligibility information about an individual:
(b) the information was disclosed to the recipient by a credit provider under subsection 21N(2);
This Division deals with complaints about credit reporting bodies or credit providers.
Individuals may complain to credit reporting bodies or credit providers about acts or practices that may be a breach of certain provisions of this Part or the registered CR code.
(1) An individual may complain to a credit reporting body about an act or practice engaged in by the body that may be a breach of either of the following provisions in relation to the individual:
(2) An individual may complain to a credit provider about an act or practice engaged in by the provider that may be a breach of either of the following provisions in relation to the individual:
(b) a provision of the registered CR code (other than a provision that relates to that section) if it binds the credit provider.
(5) The credit reporting body or credit provider must not charge the individual for the making of the complaint or for dealing with the complaint.
(2) If the respondent for the complaint considers that it is necessary to consult a credit reporting body or credit provider about the complaint, the respondent must consult the body or provider.
(1) This section applies if an individual makes a complaint under section 23A about an act or practice that may breach section 20S or 21U (which deal with the correction of personal information by credit reporting bodies and credit providers).
(a) the respondent for the complaint is a credit reporting body; and
(b) the complaint relates to credit information or credit eligibility information that a credit provider holds;
(a) the respondent for the complaint is a credit provider; and
(i) credit reporting information that a credit reporting body holds; or
(ii) credit information or credit eligibility information that another credit provider holds;
(a) a credit reporting body discloses credit reporting information to which the complaint relates under Division 2 of this Part; and
(a) a credit provider discloses personal information to which the complaint relates under Division 3 of this Part or under the Australian Privacy Principles; and
(a) it is impracticable for the credit reporting body or credit provider to give the notification under that subsection; or
(b) the credit reporting body or credit provider is required by or under an Australian law, or a court/tribunal order, not to give the notification under that subsection.
(a) the entity obtains credit reporting information; and
(b) the information is obtained from a credit reporting body; and
(a) the entity obtains credit reporting information; and
(b) the information is obtained from a credit reporting body; and
(3) An entity must not obtain credit reporting information from a credit reporting body if the entity is not:
(4) An entity must not obtain, by false pretence, credit reporting information from a credit reporting body.
(a) the entity obtains credit eligibility information; and
(b) the information is obtained from a credit provider; and
(a) the entity obtains credit eligibility information; and
(b) the information is obtained from a credit provider; and
(3) An entity must not obtain credit eligibility information from a credit provider if the entity is not:
(4) An entity must not obtain, by false pretence, credit eligibility information from a credit provider.
Division 3 deals with a code of practice about credit reporting, called a CR code. CR code developers or the Commissioner may develop a CR code, which:
(1) A CR code is a written code of practice about credit reporting.
(c) bind all credit reporting bodies; and
(d) specify the credit providers that are bound by the code, or a way of determining which credit providers are bound; and
(b) specified classes of credit information, credit reporting information or credit eligibility information; and
(b) specify the credit providers, or a class of credit providers, that should be bound by the code; and
(i) a credit provider has disclosed, under paragraph 21G(3)(b) or (c), credit eligibility information about one or more individuals to a related body corporate, or person, that does not have an Australian link; or
(ii) a credit provider has disclosed, under subsection 21M(1), credit eligibility information about one or more individuals to a body or person that does not have an Australian link; and
(b) the related body corporate, body or person holds the credit eligibility information;
(c) the credit eligibility information were held by the credit provider; and
(d) the credit provider were required to comply with subsection 21S(1) in relation to the credit eligibility information.
(i) a credit reporting body holds credit reporting information relating to one or more individuals; and
(ii) the credit reporting body is required to comply with section 20Q in relation to the credit reporting information; or
(i) a credit provider holds credit eligibility information relating to one or more individuals; and
(ii) the credit provider is required to comply with subsection 21S(1) in relation to the credit eligibility information; or
(c) the access or disclosure covered by paragraph (a), or the loss covered by paragraph (b), is an eligible data breach of the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; and
(b) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, takes action in relation to the access or disclosure; and
(c) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, does so before the access or disclosure results in serious harm to any of the individuals to whom the information relates; and
(e) an eligible data breach of the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; or
(b) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, takes action in relation to the access or disclosure; and
(c) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, does so before the access or disclosure results in serious harm to a particular individual to whom the information relates; and
(e) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; or
(b) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, takes action in relation to the loss; and
(c) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, does so before there is unauthorised access to, or unauthorised disclosure of, the information; and
(e) an eligible data breach of the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; or
(b) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, takes action in relation to the loss; and
(c) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, does so:
(e) an eligible data breach of the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; or
(b) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, takes action in relation to the loss; and
(c) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, does so:
(e) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; or
Credit reporting and tax file number information
(3) Where, after an investigation of an act or practice of an agency, file number recipient, credit reporting body or credit provider that is an interference with the privacy of an individual under subsection 13(1), (2) or (4), the Commissioner is required by virtue of paragraph (1)(b) of this section to report to the Minister about the act or practice, the Commissioner:
(d) shall serve a copy of the report on the agency, file number recipient, credit reporting body or credit provider concerned and the Minister (if any) responsible for the agency, recipient, credit reporting body or credit provider; and
(4) Where, at the end of 60 days after a copy of a report about an act or practice of an agency, file number recipient, credit reporting body or credit provider was served under subsection (3), the Commissioner:
(c) incorporates the first mentioned report and any document that the Commissioner has received, in response to the first mentioned report, from the agency, file number recipient, credit reporting body or credit provider;
and shall serve a copy of the report on the Minister (if any) responsible for the agency, recipient, credit reporting body or credit provider.
(a) section 20R, 20T, 21T or 21V (which are about access to, and correction of, credit reporting information etc.); or
(1) Where, in the course of an investigation under section 40, the Commissioner forms the opinion that a tax file number offence, a healthcare identifier offence, an AML/CTF verification offence or a credit reporting offence may have been committed, the Commissioner shall:
credit reporting offence means:
(ii) becomes bankrupt or insolvent, commences to be wound up, applies to take the benefit of a law for the relief of bankrupt or insolvent debtors, compounds with creditors or makes an assignment of any property for the benefit of creditors.
(ii) becomes bankrupt or insolvent, commences to be wound up, applies to take the benefit of a law for the relief of bankrupt or insolvent debtors, compounds with creditors or makes an assignment of any property for the benefit of creditors; and
(1) Subject to subsection (3), for the purposes of the performance by the Commissioner of his or her functions under this Act, a person authorised by the Commissioner in writing for the purposes of this section may, at any reasonable time of the day, enter premises occupied by an agency, an organisation, a file number recipient, a credit reporting body or a credit provider and inspect any documents that are kept at those premises and that are relevant to the performance of those functions, other than documents in respect of which the Attorney General has furnished a certificate under subsection 70(1) or (2).
(a) becomes bankrupt, applies to take the benefit of any law for the relief of bankrupt or insolvent debtors, compounds with the member’s creditors or makes an assignment of the member’s remuneration for their benefit;