While direct selling companies (DSOs) offering credit to customers do not attract generally the credit laws under the National Consumer Credit Protection Act 2009, they may be a credit provider for the purposes of the Privacy Act 1988 (Cth).

Australian DSOs do not generally offer credit in a manner that will attract the responsible lending laws under the National Consumer Credit Protection Act 2009 and the associated code. However, any DSOs offering credit should be aware that the recent changes to the Privacy Act 1988 (Cth) (the Privacy Act) include credit reporting reforms which may apply.

Are you a credit provider?

That a DSO’s credit facilities do not fall under the National Credit Code is irrelevant to the question of whether that DSO would be considered a credit provider for the purpose of the Privacy Act.

Under the recent Privacy Act reforms, any organisation who offers goods or services to individuals on terms where, for example:

  • payment is deferred for more than seven days; or
  • there is an arrangement in place in respect of the leasing, renting or hiring of goods, will be considered a credit provider.

In other words, these provisions apply to parties other than traditional credit providers (such as banks and finance companies).

This means that DSOs who provide credit facilities for example:

  • to customers, even if credit is provided for only a small amount (if  repayment is deferred for more than seven days); or
  • to its independent representatives to permit the leasing of products, will be considered credit providers.

What do you need to do to comply with the Privacy Act credit reporting reforms?

Broadly speaking, if your business is considered a “credit provider”, you must have in place practices, procedures and systems which are reasonable, given the size and complexity of the business, that are designed to meet your obligations under the Privacy Act, the Privacy Regulations 2013 (the Regulations) and the Privacy (Credit Reporting) Code (the CR Code).

Any DSO which is a “credit provider” is required to:

  • have a credit reporting policy (this may form  part of their Privacy Policy or be a separate document);
  • have a statement of notifiable matters (only where there is likely to be disclosure of personal information to a credit reporting body, for instance to obtain a credit report);
  • address additional matters concerning credit information in their privacy collection statements when collecting personal information; and
  • be a member of an external dispute resolution scheme (where it wishes to disclose credit information about an individual to a credit reporting body):
    • when providing consumer credit – now; and
    • when providing commercial credit – with effect from 11 March 2015 (although this target date may be delayed).1 Commercial credit is, for example, credit provided by DSOs to its independent representatives for the purchase, lease, rental or hire of tools for their independent business (and not for a personal, family or household purpose) 

Credit Reporting Policy

Credit reporting policies must contain the following information (among others):

  • the kinds of credit information (as well as credit eligibility information and credit provider derived information2) collected and held by a DSO;
  • the purpose for which a DSO collects, holds, uses and discloses credit information and credit eligibility information;
  • how an individual may access and seek correction of this information;
  • how an individual may complain about a failure by a DSO to comply with the Privacy Act, the Regulations and/or the CR Code; and
  • whether a DSO is likely to disclose credit information or credit-eligibility information to entities that do not have an Australian link, and if so (and if practicable) – the countries in which those entities are located.

Further, your credit reporting policy must be readily and freely available on your website.

Statement of Notifiable Matters

If your business is likely to disclose personal information to a credit reporting body (CRB), you must also have a statement of notifiable matters. The statement of notifiable matters must include (among others):

  • the name and contact details of the CRBs used by your business;
  • that the CRBs may include the information in reports to other credit providers to assist them to assess the individual’s credit worthiness;
  • that, if the individual fails to meet their repayment obligations in relation to consumer credit, or commits a serious credit infringement, you may be entitled to disclose this to the CRB;
  • how the individual may obtain your credit reporting policy;
  • the individual’s rights to:
    • access and seek correction of the credit information that you hold about them; and
    • make a complaint to you.

The statement of notifiable matters must be displayed prominently on your website, and it must be made clear to any individual that they can request a copy of the statement in an alternative form, such as a hard copy.

Collection Notification Requirements

If your DSO is a credit provider, you must set out additional matters in your privacy collection statements including the following (among other matters):

  • that your credit reporting policy contains information about:
    • how the individual may seek access  to and/or the correction of credit-related information that you hold;
    • how the individual can make a complaint about a failure to comply with your obligations under the Privacy Act or CR Code and how you will deal with the complaint; and 
  • whether you are likely to disclose credit information or credit-eligibility information to entities that do not have an Australian link, and if so (and if practicable), the countries in which those entities are likely to be located.

If your business is required to have a statement of notifiable matters, you must also at or before the time of collection of the personal information, notify or otherwise make the individual aware of the following:

  • that your website includes information about credit reporting, including the CRBs to which, you are likely to disclose the individual’s credit information;
  • a brief description of the key issues contained in the statement of notifiable matters;
  • details of the website (on which the statement of notifiable matters is prominently displayed); and
  • that the individual may request a copy of the statement of notifiable matters to be provided in an alternative form, such as hard copy.

External Dispute Resolution Scheme

If your business wishes to disclose credit information about an individual to a CRB, and therefore be part of the consumer credit reporting system, it must be a member of an external dispute resolution scheme before it discloses credit information.3

However, DSOs must not disclose credit eligibility information about an individual to a CRB if that information is derived from the individual’s repayment history. Only bodies holding an Australian credit licence under the National Consumer Credit Protection Act are permitted to disclose this information to CRBs.

For a list of the currently available and recognised external dispute resolution schemes, please see the Office of the Australian Information Commissioner’s website at www.oaic.gov.au.

Next Steps

If you are providing credit to consumers or your independent representatives, you must:

  • have a credit reporting policy;
  • address various credit related matters in your collection statements;
  • if likely to disclose personal information to a CRB, have a statement of notifiable matters; and
  • if disclosing credit information about an individual to a CRB, be a member of an external dispute resolution scheme.

If you do not comply with the above requirements, you should take immediate steps to do so.