In brief

  • A Senate committee has reported on the draft credit reporting amendments to the Privacy Act, taking into account 40 submissions received from a variety of parties representing the interests of credit providers, credit reporting agencies and consumers. 
  • The Senate committee made 30 recommendations in its report, many of which related to policy considerations in the substantive credit reporting areas of identity theft, credit fraud, consumer complaints, hardship and enforcement.


The Senate Finance and Public Administration Legislation Committee has released a report1 on the exposure draft credit reporting provisions2 (Exposure Draft) proposed to amend the Privacy Act.

The report followed a consultation period during which the committee received 40 submissions from banks and other traditional credit providers, trade credit providers such as utilities, credit reporting agencies, regulators, consumer advocates and bodies representing parts of the finance, communications, insurance, insolvency and legal sectors3.

Unlike the recommendations made by the committee in relation to the draft Australian Privacy Principles4 (which predominantly related only to matters of drafting and interpretation), a number of recommendations in this report deal with policy. These substantive recommendations relate to six key issues identified by the committee from the submissions, namely:

  • clarifying key terms and policies
  • serious credit infringements not arising from intentional fraud
  • the prevention of identity theft 
  • whether or not hardship flags should be disclosed in credit reports 
  • the separate ‘correction’ and ‘complaints’ processes, and
  • compliance and enforcement.

Clarifying key terms and policies

The committee recommended that the legislature consider revising some key definitions and increasing the consistency of their use throughout the entire credit reporting regime.

A number of submissions indicated that many organisations, agencies and consumer advocates felt the Exposure Draft was overly complicated. The committee noted that credit information data flow was a complicated process and legislation seeking to regulate it would necessarily be complex. The committee also felt that the provision of an explanatory memorandum as well as the new Credit Reporting Code of Conduct—which is being developed separately to complement the Exposure Draft—would help to alleviate complexity concerns.

In addition to recommending that several key definitions be revised, the committee also recommended that the Office of the Australian Information Commissioner consult with industry and consumer advocates to provide guidance on any consumer education campaigns in relation to the new credit reporting system.5

Serious credit infringements

The committee considered a number of submissions which indicated the current approach to the listing of serious credit infringements was unsatisfactory. It was submitted to the committee that the seven-year listing for serious credit infringement should be limited to cases of intentional fraud. Consumer advocates submitted that many serious credit infringement listings occur in circumstances where the debtor is unaware of the debt, for example where they have inadvertently neglected to notify the credit provider of a change of address.

The committee acknowledged the consumer advocate concerns and recommended that further consideration be given to a change of approach in dealing with serious credit infringements to allow for those listings not relating to intentional fraud to be dealt with in a different manner.6 However, the committee stopped short of recommending a new approach, and it did not fully endorse any of the alternatives suggested in the submissions.

The committee noted that the requirement in the Exposure Draft that a credit provider take ‘reasonable steps’ to contact the debtor prior to listing a serious credit infringement may prevent a number of erroneous, unwarranted or unfair listings. The committee also pointed out that guidance on the meaning of taking ‘reasonable steps’ was to be addressed in the binding industry code and would help to ensure a consistent approach by credit providers.7

Identity theft and fraud

Under section 113 of the Exposure Draft, an individual may, if they believe on reasonable grounds that they have been or are likely to be the victim of fraud, request a credit reporting agency not to use or disclose credit reporting information held by that agency. Several submissions expressed the view that the proposed system of banning the use or disclosure of credit information by credit reporting agencies should be replaced by a system where credit information about that individual is merely ‘flagged’ as being subject to identity theft concerns.

The committee considered the Australian Law Reform Commission’s recommendation8 and a response from the Department of the Prime Minister and Cabinet on the issue and agreed that on balance the security offered by the system of ‘freezing’ an individual’s credit information outweighed any inconvenience to credit providers and reporters. As such, the committee supported the relevant provisions of the Exposure Draft.

The committee did, however, recommend that the Exposure Draft be reviewed to ensure that credit reporting agencies advise credit providers that the reason they are unable to release information is that the relevant individual has raised concerns about possible fraud. It also recommended that the time for the initial ban period be extended from 14 days to 21 days.9

While some credit providers have concerns about the practical difficulties associated with a requirement to notify prior recipients of fraudulent information where the information is destroyed, the committee recommended that consideration be given to extending the requirement to apply in all cases, not only where the individual requests it.


Hardship flags

Competing submissions were received from credit providers, on the one hand, and from consumer advocate groups, on the other, as to whether repayment information should disclose when repayments had been affected by ‘hardship applications’, even in the absence of default.

Credit providers suggested that ‘flagging’ hardship applications was necessary to assist with responsible lending obligations under the National Consumer Credit Protection Act 2009 (NCCPA). Consumer advocates objected to hardship applications being ‘flagged’ in credit reports as the applications are a statutory right and individuals should not be discouraged from exercising their rights. On balance, the committee supported the views of consumer advocates: that if a person has not defaulted and enters a new arrangement for existing credit, no hardship flag should be recorded on their credit file.

The committee also recommended that consideration be given to the inclusion of provisions for grace periods in relation to information in repayment histories to ensure that payment system delays and minor oversights are not captured in the reporting system.

Corrections and complaints handling

A number of organisations making submissions felt that the complaints handling system detailed in the Exposure Draft was overly complicated. Further, some expressed the view that it was unnecessary to separate the ‘corrections’ procedure from the ‘complaints’ process. However, the committee considered that the separation was desirable because the two-tiered approach allows uncomplicated corrections to be handled quickly. Should the consumer be unhappy with the decision, they are able to proceed to the complaints process.

The committee also recommended that administrative issues, such as applications for extensions of time to respond to requests for correction of records, should be addressed in the Credit Reporting Code of Conduct.

Compliance and enforcement

The committee also recommended that consideration be given to:

  • increasing funding for the Information Commissioner to investigate breaches
  • requiring the Information Commissioner to conduct a regular audit of a randomly selected credit reporting agency and credit provider,10 and
  • introducing a consumer remedies regime (including rights to compensation) similar to the NCCPA.  

Next steps

The Department of the Prime Minister and Cabinet will now take the report into account in revising the Exposure Draft, as it is also doing for the committee’s report on the Australian Privacy Principles.

Brendan O’Connor, Minister for Privacy and FOI, previously outlined a reform timetable which would have had a bill introduced by late this year and legislation passed by mid-2012.11 That timing now appears ambitious, although credit reporting agency Veda is still calling for it to be followed.12

As first announced in 2009,13 the Department is continuing work on draft provisions regarding health privacy and the powers and functions of the Information Commissioner. These will also be responded to in turn by the committee.

In addition, the government now appears to be fast-tracking a proposed statutory cause of action for serious invasions of privacy, a reform on which it had previously deferred consideration.14