Part 2: Changes to Australia’s privacy law and the impact on credit reporting

Changes to the Privacy Act 1988 (Cth) (“Privacy Act”) implemented on 12 March 2014 could mean new or increased obligations for your business with respect to credit reporting.

1. Do the changes to the Privacy Act with respect to credit reporting apply to my business?

If your business is classified as a “credit provider” or “credit reporting body” and your business collects credit related information about individuals then you will be affected by the changes to the credit reporting provisions in the Privacy Act.

An entity is a “credit provider” under the Privacy Act if the entity is, among other things:

  • a bank;
  • a corporation, a substantial part of whose business or undertaking is the provision of loans;
  • a corporation that carries on a retail business in the course of which it issues credit cards;
  • a corporation that provides loans and is included in a class of corporations determined by the Privacy Commissioner to be credit providers for the purposes of the Privacy Act.

If your business provides goods or services on credit to individuals or to sole traders your business may also be affected by the changes to the Privacy Act.

An entity is a “credit reporting body” (“CRB”) if it carries on a credit reporting business, which is a business or undertaking that involves collecting, holding, using or disclosing personal information about individuals for the purpose of, or for purposes including the purpose of, providing an entity with information about the credit worthiness of an individual.

2. What are the key changes?

Amendments to the Privacy Act have included changes to the credit reporting laws, including but not limited to:

  • greater comprehensive credit reporting, allowing the reporting of information about an individual’s current credit commitments and their repayment history information over the previous two years;
  • the inclusion of additional information in collection notices and privacy policies of an APP entity where it is a participant in the credit system;
  • a simplified and enhanced correction and complaints process;
  • specific rules to deal with pre-screening of credit offers, including permitting individuals to freeze access to their credit related personal information in cases of suspected identity theft or fraud.

These changes are supplemented by a new Credit Reporting Code which binds all CRBs, credit providers and affected information recipients.

3. What does my business need to do?

To ensure that your business complies with the changes to the Privacy Act with respect to credit reporting, the following should occur:

  • amend or replace your privacy policy, such that it complies with the changes to the Privacy Act and implements the changes to the Australian Privacy Principles (“APPs”);1
  • introduce a new credit reporting policy; this can form part of your new APP privacy policy or be a separate policy;
  • amend or replace the privacy form signed by your customers;
  • notify customers of the matters that you must notify them of before you report information to a CRB;
  • amend or replace the notice that you give to customers about credit reporting when you refuse an application for credit;
  • change your procedures so that the credit refusal letter is always sent when credit is declined (whether or not it is based on a credit report) if a credit report was obtained on the individual in the last 90 days;
  • if you will list the whole balance when you list a default, send a section 6Q notice after the default notice;
  • send a section 21D notice at least 30 days after the section 6Q notice before you list a default;
  • update your practices, procedures and systems to reflect the changes to the Privacy Act; and
  • train and educate staff on the changes to the Privacy Act, the operation of the Credit Reporting Code and the changes to your business policies and practices.

4. Are there penalties for not complying with the Privacy Act?

The Commissioner now has the ability to:

  • conduct assessments of privacy compliance for agencies and some organisations;
  • make determinations that include declarations that an act or practice not be repeated or continued, that a respondent should redress any loss or damage suffered by a complainant or that a respondent pay compensation to the complainant;
  • accept enforceable undertakings; and
  • seek civil penalties in cases of serious or repeated privacy breaches.

Under the changes to the Privacy Act, a civil penalty order may require an individual to pay a maximum of $340,000 and a body corporate a maximum of $1,700,000 for a breach of the Act.

If you would like more information, please contact Victoria Mezhvinsky on (08) 8360 8344 or via email

This publication is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Readers should take legal advice before applying the information contained in this publication to specific issues or transactions. For more information please contact us.

1 For more information on APP privacy policies, please see our factsheet “Changes to Australia’s privacy law and the Australian Privacy Principles (APPs).”

Posted on September 4, 2015 in Blog
