Introduction

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (the Bill), which was passed by Parliament on 29th November 2012, amends the Privacy Act 1988 (Cth) (Privacy Act). One of the major areas of reform is to allow more comprehensive credit reporting in Australia for the first time. The Bill is awaiting Royal Assent and the commencement period is 15 months from Royal Assent.

New credit reporting provisions under Part IIIA of the Privacy Act

The Bill introduces more comprehensive credit reporting with improved privacy protection. At the same time it purports to rewrite the credit reporting provisions to achieve greater logical consistency, simplicity and clarity. It updates those provisions to more effectively address the significant developments in the operation of the credit reporting system since the provisions were first enacted in 1990.

Comprehensive credit reporting is expected to lower levels of indebtedness through more accurate assessments of an individual’s creditworthiness.

The Bill also introduces new provisions on a credit reporting code (called the CR code) which will replace the current Credit Reporting Code of Conduct. The draft CR code is yet to be released.

The significant changes under the Bill in relation to credit reporting include:

  1. The definition of consumer credit liability information includes 4 types of personal information about an individual that are permitted in the more comprehensive credit reporting system as follows:
    • date credit account opened
    • date account closed
    • type of credit
    • maximum credit limit.
  2. The 5th new type of information allowed in the new comprehensive system is repayment history information over the previous 2 years (this category of information is only applicable for credit providers which are Australian credit licensees (ACL holders)). Mortgage insurers are also permitted to access such information.
  3. A credit reporting agency is renamed a credit reporting body, which will also be allowed to collect information on whether a credit provider is an ACL holder, and information on the terms and conditions of the consumer credit that relate to repayment and as prescribed by regulations. Only those terms and conditions that would assist in determining an individual’s creditworthiness are intended to be included (e.g. interest only or principal and interest, fixed or variable interest, secured or unsecured credit). On commencement of the Bill, repayment history information that is disclosed by a credit provider to a credit reporting body can relate to repayment history in the period between Royal Assent and commencement.
  4. The definition of consumer credit is extended to include credit intended to be used wholly or predominantly to acquire, maintain, renovate or improve residential property for investment purposes or to refinance such credit (investment home loans are treated as commercial credit under the current regime).
  5. Before credit providers disclose default information about an individual to a credit reporting body, they must notify the individual in writing and at least 14 days must have passed since giving the notice.
  6. De-identified information can be used or disclosed for the purpose of conducting research in relation to credit.
  7. Credit reporting bodies can only disclose information to credit providers with an Australian link.
  8. Credit providers are required to take reasonable steps to implement practices, procedures and systems in relation to their functions or activities as credit providers that will ensure compliance with the credit reporting provisions and the CR code – this requires a clearly expressed and up-to-date policy dealing with their management of credit information and credit eligibility information.
  9. Credit providers are permitted to make disclosures to overseas recipients (including a related body corporate) for a range of credit assessment and management purposes, including offshore call centres and data processing facilities. However, an Australian credit provider must comply with certain requirements and remains responsible for acts or practices of any overseas entity to which the credit provider discloses credit eligibility information.
  10. A credit provider’s privacy policy needs to provide information about possible cross-border disclosures and the location of the overseas recipients, where it is practicable to specify those countries and to notify an individual at or before the time of collection of their personal information of these matters.
  11. Introducing specific rules to deal with pre-screening of credit offers and the freezing of access to an individual’s personal information in cases of suspected identity theft or fraud.
  12. Providing additional consumer protections by enhancing obligations and processes dealing with notification, data quality, access and correction and complaints.

Who is a credit provider?

A credit provider includes a bank; an entity where a substantial part of its business is the provision of credit; a retailer that issues a credit card in connection with the sale of goods or supply of services; a supplier which provides credit in relation to the sale of goods or supply of services where repayment of credit is deferred for at least 7 days; and a lessor who provides credit in connection with the hiring, leasing or renting of goods where the credit is in force for at least 7 days.

What does a credit provider need to do?

  • Review and update its privacy policy, credit reporting procedures, customer privacy consent and credit documentation.
  • Revise its policy on outsourcing to overseas entities.
  • Revise and update its agreement with a credit reporting body.
  • Have a clearly expressed and up-to-date policy dealing with management of credit information and credit eligibility information in place that complies with the requirements.
  • Review current complaint policy and procedures in order to incorporate new processes required for compliance.
  • Develop and maintain training programs, staff manuals, standard procedures and any relevant documentation that demonstrate awareness of and compliance with its obligations under the new credit reporting provisions and CR code, and ensure that its business systems, such as its data management systems, are compliant.
  • A credit provider’s system will need the ability to record and produce repayment history information for the period between Royal Assent and commencement date.