The Office of the Australian Information Commissioner (OAIC) has completed a major review of the Privacy (Credit Reporting) Code 2014 (the CR Code) to determine whether it remains fit for purpose and provides adequate privacy protections for individuals.
“Credit reporting information is a type of personal information that has a major impact on an individual’s life,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.
“The ability to obtain credit affects our capacity to participate in the economy – our ability to buy property or obtain a loan.”
The report on the 2021 Independent review of the Privacy (Credit Reporting) Code 2014 follows significant engagement with stakeholders including consumer advocates, banks and other credit providers, professional bodies and external dispute resolution schemes, along with code developer the Australian Retail Credit Association (ARCA).
The handling of credit reporting information is regulated by the Privacy Act 1988.
Part IIIA of the Privacy Act imposes obligations on banks and other credit providers, as well as credit reporting bodies, to protect an individual’s personal information when they are seeking credit, and provides individuals with certain protections. The CR Code outlines how entities are to comply with Part IIIA of the Privacy Act when handling credit information.
The review sought stakeholder views on how the CR Code operates in practice and what improvements could be made to strengthen Australia’s credit reporting system.
“This important review to ensure regulation of this sector is operating as intended found that change is required,” Commissioner Falk said.
“The way Australians’ personal information is collected, handled and stored remains a significant issue as the credit reporting landscape has expanded and shifted through a time of social, technological and regulatory change.”
The introduction of comprehensive credit reporting and the rise of new products such as Buy Now Pay Later (BNPL) are among significant changes since the last review in 2017.
The review makes proposals to amend the CR Code to strengthen privacy protections and provide greater clarity for industry on their obligations.
