The Australian Information Commissioner (the Information Commissioner) is required to keep this register under s 26U of the Privacy Act 1988. The following codes are in force (any previous version is listed under the current version):

Privacy (Australian Government Agencies – Governance) APP Code 2017

Current version

Privacy (Australian Government Agencies – Governance) APP Code 2017 or see the Federal Register of Legislative Instruments entry

  • Type: APP code
  • Registered: 27 October 2017
  • In force from 1 July 2018.

Previously known as

Australian Public Service (APS) Privacy Code

See also: the joint statement from Department of the Prime Minister and Cabinet and Office of the Australian Information Commissioner.

Privacy (Credit Reporting) Code 2024

Current version

Privacy (Credit Reporting) Code 2024 or see the Federal Register of Legislation entry.

  • Type: CR Code
  • Registered: 1 October 2024
  • In force from 1 October 2024.

This version followed an application by the Australian Retail Credit Association (ARCA) on 19 December 2023 (and their amendments to their application dated 19 September 2024) to vary the registered CR Code in accordance with section 26T of the Privacy Act 1988. It implements the proposals from the OAIC’s 2021 Review of the CR Code.

Previous versions

Privacy (Credit Reporting) Code 2014 (Version 2.3) or see the Federal Register of Legislation entry

  • In force from 1 July 2022 to 1 October 2024.

This version followed an application by the Australian Retail Credit Association (ARCA) on 6 September 2021 (and amendments to their application dated 18 February 2022) to vary the registered CR Code in accordance with section 26T of the Privacy Act 1988. It contains the second tranche of amendments that relate to financial hardship reporting.

See also: Letter to ARCA - Hardship Variations Approval - 10 March 2022

Version 2.2

Privacy (Credit Reporting) Code 2014 (Version 2.2)

In force from 21 April 2022 to 30 June 2022.

This version followed an application by the Australian Retail Credit Association (ARCA) on 6 September 2021 (and amendments to their application dated 18 February 2022) to vary the registered CR Code in accordance with section 26T of the Privacy Act 1988. It incorporated some minor amendments regarding access to credit information.

Version 2.1

Privacy (Credit Reporting) Code 2014 (Version 2.1)

In force from 14 February 2020 to 21 April 2022.

The ARCA variation application was received on 18 April 2019, with subsequent amendments to the application received 15 May 2019, 8 July 2019, 19 November 2019 and 11 December 2019.

See also: the Privacy (Credit Reporting) Code 2014 (Version 2.1) — variation approval dated 11 February 2020, the Explanatory Memorandum and the application materials.

Version 2.0

Privacy (Credit Reporting) Code 2014 (Version 2.0) (archived on Trove)

In force from 1 July 2018 to 13 February 2020.

Version 1.2

Privacy (Credit Reporting) Code 2014 (Version 1.2) (archived on Trove)

In force from 24 April 2014 to 30 June 2018.

See also: the ARCA variation application dated 26 April 2018 and the PwC report.

Version 1.1

Credit Reporting Privacy Code (CR code) (Version 1.1) (archived on Trove)

In force from 3 April 2014 to noon AEST 24 April 2014.

The only difference between this version and CR code v1.0 (the original CR code) was a change to the grace period in paragraph 8.1(b) from 5 to 14 days.

See also: the Registered Credit Reporting Privacy Code — application to vary clause 8.1(b) dated 3 April 2014 and the ARCA variation application dated 31 March 2014.

Version 1.0

Credit Reporting Privacy Code (CR code) (Version 1.0) (archived on Trove) or view the Federal Register of Legislation entry.

In force from 12 March 2014 to noon AEDT on 3 April 2014.

See also: the application materials.

Privacy (Market and Social Research) Code 2021

Current version

Privacy (Market and Social Research) Code 2021 or see a PDF version on the Australian Data and Insights Association's website.

  • Type: APP code
  • Registered: 1 March 2021
  • In force from 22 March 2021.

Previous version

Privacy (Market and Social Research) Code 2014

In force from 28 November 2014 to 21 March 2021.

See also: the Application for registration from AMSRO, received 12 September 2014, and the Code submitted for registration.

Part G of the Privacy (Market and Social Research) Code 2014 requires an independent reviewer to review the code at least every five years. The purpose of the independent review is to ensure that the code is meeting its objectives and remains effective and relevant. AMSRO commissioned Data Synergies Law Pty Ltd to undertake the review, which commenced in December 2019 and concluded in March 2020.

On 23 November 2020, the Association of Market & Social Research Organisations (AMSRO) submitted an application for variation of the Privacy (Market and Social Research) Code 2014 in accordance with s 26J(1)(c) of the Privacy Act. Under s 26J(4) of the Privacy Act.

See the Privacy (Market and Social Research) Code 2020, which seeks to vary the Privacy (Market and Social Research) Code 2014, and the explanatory statement to the Privacy (Market and Social Research) Code 2020.

About privacy codes

Under Part IIIB of the Privacy Act, the Information Commissioner can approve and register enforceable codes which are developed by entities on their own initiative or on request from the Information Commissioner, or developed by the Information Commissioner directly.

The purpose of a code is to provide individuals with transparency about how their information will be handled. Codes do not replace the relevant provisions of the Privacy Act, but operate in addition to the requirements of the Privacy Act. A code cannot lessen the privacy rights of an individual provided for in the Privacy Act. Registered codes are disallowable legislative instruments.

An APP entity (or a body or association representing them) can develop a written code of practice for the handling of personal information, called an APP code. An APP code sets out how one or more of the APPs are to be applied or complied with, and the APP entities that are bound by the code.

The Privacy Act also requires the development of a code of practice about credit reporting, called the CR code. The CR code sets out how the Privacy Act’s credit reporting provisions are to be applied or complied with by credit reporting bodies, credit providers and other entities bound by Part IIIA.

An entity bound by a registered code must not do an act, or engage in a practice, that breaches that code (ss 26A (APP codes) and 26L (CR code)). A breach of a registered code will be an interference with the privacy of an individual under s 13 of the Privacy Act and subject to investigation by the Information Commissioner under Part V of the Privacy Act.

Draft code consultations

Before a code can be approved, the OAIC must be satisfied that members of the public have been given an adequate opportunity to comment on a draft of the code. Organisations developing codes can request the OAIC to provide a link to their website during their public consultation process.