The Office of the Australian Information Commissioner (OAIC) has completed a major review of the Privacy (Credit Reporting) Code 2014 (the CR Code) to determine whether it remains fit for purpose and provides adequate privacy protections for individuals.
"Credit reporting information is a type of personal information that has a major impact on an individual's life," Australian Information Commissioner and Privacy Commissioner Angelene Falk said.
"The ability to obtain credit affects our capacity to participate in the economy - our ability to buy property or obtain a loan."
The report on the 2021 Independent review of the Privacy (Credit Reporting) Code 2014 follows significant engagement with stakeholders including consumer advocates, banks and other credit providers, professional bodies and external dispute resolution schemes, along with code developer the Australian Retail Credit Association (ARCA).
The handling of credit reporting information is regulated by the Privacy Act 1988.
Part IIIA of the Privacy Act imposes obligations on banks and other credit providers, as well as credit reporting bodies, to protect an individual's personal information when they are seeking credit, and provides individuals with certain protections. The CR Code outlines how entities are to comply with Part IIIA of the Privacy Act when handling credit information.
The review sought stakeholder views on how the CR Code operates in practice and what improvements could be made to strengthen Australia's credit reporting system.
"This important review to ensure regulation of this sector is operating as intended found that change is required," Commissioner Falk said.
"The way Australians' personal information is collected, handled and stored remains a significant issue as the credit reporting landscape has expanded and shifted through a time of social, technological and regulatory change."
The introduction of comprehensive credit reporting and the rise of new products such as Buy Now Pay Later (BNPL) are among significant changes since the last review in 2017.
The review makes proposals to amend the CR Code to strengthen privacy protections and provide greater clarity for industry on their obligations.
These include proposals aimed at:
- streamlining processes for individuals, such as getting access to their credit reports and correcting their information, developing guidance pieces for individuals to explain their rights, including when a credit provider needs to provide notice that their information is being used or disclosed versus when they need to seek their consent
- introducing a 'soft enquiries' framework to allow people to 'shop around' for credit products and seek quotes, without this information being included on their credit report
- offering an automatic extension to people who have been subject to identity theft when they request a ban on their credit report to prevent fraud
- including domestic abuse as an example of circumstances beyond the individual's control to allow credit providers not to report default information about overdue payments
- requiring CRBs to remove statute-barred debts from an individual's credit report.
The OAIC plans to implement the proposals in the report over the next two years primarily through variations to the CR Code and OAIC guidance.
Where issues cannot be addressed through amendments to the CR Code or guidance, the OAIC intends to raise them with the Attorney-General so they can be considered in preparation for the review of Part IIIA of the Privacy Act required to be completed before 1 October 2024.
Report background
Download 2021 Independent review of Privacy (Credit Reporting) Code