OAIC submission to the Attorney-General’s Department – Review of Australia’s Credit Reporting Framework

Summary of recommendations

The Office of the Australian Information Commissioner (OAIC) provides the following recommendations to enhance privacy protections of Part IIIA of the Privacy Act 1988 (Privacy Act) and to provide clarity on matters that have been brought to the OAIC’s attention:

Recommendation 1: The OAIC recommends that the Review consider whether the objects of the Privacy Act that relate to Part IIIA should be amended, and whether a fairness principle ought to be included.

Recommendation 2: The OAIC recommends that the Review consider the points raised by the OAIC following the 2021 Review of the CR Code.

Recommendation 3: The OAIC recommends that if reforms are proposed following the Review to the OAIC’s regulatory role, careful consideration is given to ensuring close alignment with the OAIC’s role and its focus on protection of personal information.

Recommendation 4: The OAIC recommends that the Review consider the treatment of information where the statute of limitations has been reached in relation to a debt, including whether amendments to Part IIIA are required in order to ensure that default information does not continue to be listed on an individual’s credit report after the debt has become statute-barred.

Recommendation 5: The OAIC recommends that the Review consider and clarify how RHI and CCLI should be reported after a debt becomes statute-barred.

Recommendation 6: The OAIC recommends that the Review consider the credit ban framework as a whole in Part IIIA of the Privacy Act, noting contemporary uses, including whether the timeframes for initial credit bans are appropriate in the circumstances.

Recommendation 7: The OAIC recommends that the Review consider whether amendments are required to Part IIIA of the Privacy Act to adequately reflect the policy intent that disclosure of FHI by CRBs to CPs be limited to circumstances where the individual is seeking access to new credit.

Recommendation 8: The OAIC recommends that the Review consider the notice and consent framework in Part IIIA of the Privacy Act to ensure it is operating as intended, and that any reform aligns with the Government response to the Privacy Act Review.

Recommendation 9: The OAIC recommends that the Review note the strong public policy reasons for restricting access to credit reporting information, and maintain restrictions surrounding real estate agents, employers and insurers.

If the Review considers expansion is appropriate and there are strong public interest reasons for doing so, it will need to ensure data minimisation is prioritised, that any collection of credit reporting information is reasonable, necessary and proportionate; and that appropriate storage, retention and destruction requirements are provided in the legislation.

Recommendation 10: The OAIC recommends that the Review consider the recommendation in the Privacy Act Review to remove the small business exemption to ensure that entities including for example, real estate agents who are currently captured under the exemption, fall within the OAIC’s regulatory remit where they are seeking to access credit reporting information.

Recommendation 11: The OAIC recommends that the Review ensure that there is a strong policy rationale for facilitating the flow of credit reporting information to and from foreign credit providers, and that any such disclosures and collections occur only through adequacy or whitelisting, taking into account the relevant recommendations from the Privacy Act Review and APP 8.

Recommendation 12: The OAIC recommends that the Review consider whether the definition of ‘publicly available information’ in Part IIIA of the Privacy Act be amended to clarify that court judgments cannot be considered ‘publicly available information’.

Recommendation 13: The OAIC recommends that the Review consider the data minimisation principle in determining any amendments to Part IIIA of the Privacy Act and that any retention periods for information collected, are appropriate in the circumstances.

Recommendation 14: The OAIC recommends that the Review consider the Government response to the Privacy Act Review with regards to APP 11 and ensure that any relevant amendments to APP 11 are reflected in Part IIIA of the Privacy Act.

Recommendation 15: The OAIC recommends that the Review consider whether amendments may be required to Part IIIA of the Privacy Act around CRB independent audits and CP audit requirements, which set out clear standards for reports and choice of independent reviewer.

Recommendation 16: The OAIC recommends the Review consider whether amendments are required to Part IIIA to specify that extensions for resolving individual corrections requests under ss 20T and 21V should be for exceptional circumstances only, and whether further clarity should be provided around circumstances that would warrant an extension.

Recommendation 17: The OAIC recommends that the Review consider how the CR Code operates alongside Part IIIA of the Privacy Act and its content. We also recommend that the Review consider whether amendments may be required to provide more certainty around the variation and approval process.

Introduction

1. The Office of the Australian Information Commissioner welcomes the opportunity to make a submission to the independent review of Australia’s Credit Reporting Framework (the Review).
2. The OAIC is an independent Commonwealth regulator, established to bring together three functions: privacy functions (protecting the privacy of individuals under the Privacy Act 1988 (Cth) (Privacy Act) and other legislation), freedom of information (FOI) functions (access to information held by the Commonwealth Government in accordance with the Freedom of Information Act 1982 (Cth) (FOI Act)), and information management functions (as set out in the Australian Information Commissioner Act 2010 (Cth)).
3. Under Part IIIA of the Privacy Act, the OAIC has regulatory responsibility for the privacy protections relating to credit reporting in Australia, including the use and disclosure of credit reporting information. Part IIIA of the Privacy Act is supported by the Privacy (Credit Reporting) Code 2014 (CR Code), which provides further particularisation to regulated entities as to how they should comply with their obligations under Part IIIA of the Privacy Act.[1]
4. Strong data protection and privacy rights are necessary to uphold our human right to dignity in the digital age and are a precondition for consumer confidence and economic growth. They are also critical to achieving other societal objectives such as the protection of health, safety and security. Effective and proportionate privacy regulation is essential to achieving these objectives.
5. Credit information is a significant type of personal information that continues to have real impacts on individuals’ lives. It is clear from recent large scale data breaches that fraudulent activities can be perpetrated on individuals through the credit sphere where identity information is compromised.
6. This is the first significant review of Part IIIA of the Privacy Act to take place since major reforms came into effect in March 2014 and we welcome it.[2] There have been considerable digital and technological advancements affecting the provision of credit in Australia since Part IIIA’s introduction. These changes have resulted in a regulatory landscape which is markedly different from that which was in place at the time, with products and stakeholders in the framework constantly evolving.
7. One thing that remains certain is that Australians continue to express concerns about their personal privacy, as well as an interest in strengthening measures to protect their personal information.[3] The OAIC’s recent Australian Community Attitudes to Privacy Survey (ACAPS), noted that 62% of Australians view protecting their personal information as a major concern in their life, while 84% want more control and choice over the collection and use of their information.
8. The OAIC notes that Australia’s credit reporting framework can be difficult for individuals to navigate given its breadth and the co-regulatory framework which currently exists, alongside separate pieces of legislation. The OAIC has heard concerns from stakeholders in relation to this complexity and the multitude of entities involved, including departments and regulators. This Review provides a unique opportunity to consider not only whether the framework can be streamlined in order to provide clear guardrails for industry whilst ensuring appropriate privacy protections are in place to safeguard the personal information of Australians, but also to consider the regulatory oversight landscape.
9. Data protection of credit reporting information is crucial, and into the future it will be important to consider how the OAIC’s role can be strengthened and enhanced, whilst recognising how this role operates alongside other objectives of a functioning credit framework. It is important that any framework focus on the overarching principles important in protecting privacy: data minimisation, security and transparency and an assurance that credit reporting information is protected as it flows through the system. Whilst consideration should be given to how the framework is operating holistically, it is important that privacy and the protection of individuals’ credit reporting information is paramount, especially as we enter an age of data breaches in Australia, with Australians' ever-growing online presence and personal information being more accessible than ever.
10. This submission highlights specific issues that the OAIC has identified with Part IIIA of the Privacy Act through our activities as privacy regulator (for example through our 2021 review of the CR Code) and our experience with the credit reporting framework as a whole. The OAIC makes a number of observations and recommendations throughout, for the Review’s consideration. These recommendations are made with a view to enhancing the privacy protections of Part IIIA and providing clarity on matters that have been brought to the OAIC’s attention.

Credit reporting in Australia

The OAIC’s role

11. The consumer credit reporting regulatory framework in Australia is a co-regulatory one, with the OAIC and the Australian Securities and Investment Commission (ASIC) acting as regulators of the Privacy Act and the Credit Act respectively.
12. The privacy aspects relating to Australia’s consumer credit reporting laws are contained in Part IIIA of the Privacy Act and in the CR Code. These laws set out an exhaustive list of the types of information that may be collected by a credit reporting body (CRB) for inclusion in an individual’s credit report, as well as entities that can access these reports and the purposes for which access can be sought.
13. As the independent regulator the OAIC has a range of regulatory responsibilities and powers to ensure compliance with obligations under the Privacy Act and the CR Code. Under the Privacy Act, it is the role of the Commissioner to appoint the CR code developer, approve the CR Code and, importantly, review and approve any subsequent variations to the CR Code. The Commissioner is required to initiate an independent review of the CR Code every four years.
14. The Privacy Act confers on the Commissioner a range of regulatory powers. These include powers to conduct assessments, undertake voluntary investigations, make enquiries, accept enforceable undertakings, make determinations, seek injunctions and apply to a Court for civil penalties. The CR Code also provides for the OAIC’s ongoing compliance monitoring of CRBs and credit providers (CPs) which are in addition to the OAIC’s general oversight of organisations under the Privacy Act.
15. The OAIC can receive and investigate complaints about CPs and CRBs. We receive a large volume of complaints regarding Part IIIA of the Privacy Act each year (see Appendix B for relevant data). These include enquiries, complaints and requests for policy advice. Complaints are also handled by external dispute resolution (EDR) schemes recognised by the Commissioner.[4]
16. As discussed in the Review Issues Paper (the Issues Paper), Australia shares many credit reporting characteristics with other international jurisdictions, including New Zealand, however, the division of responsibilities, and split between different regulators and policy departments, is somewhat unique to Australia.[5]

The objects of the Privacy Act and credit reporting

17. The objects of the Privacy Act are set out in s 2A of the Act. Section 2A(e) states that one of the objects of the Privacy Act is ‘to facilitate an efficient credit reporting system while ensuring that the privacy of individuals is respected’.
18. Privacy is a fundamental human right recognised in Article 12 of the UN Declaration of Human Rights and in Article 17 of the International Covenant on Civil and Political Rights (ICCPR). It is also said that the right to privacy is not an absolute right. While not explicit, Article 17 of the ICCPR recognises that entities may have legitimate reasons to undertake projects that may limit or interfere with privacy, provided that any impacts are reasonable, necessary and proportionate to achieve a legitimate objective.
19. The current objects in the Privacy Act in relation to credit reporting seek to reflect this balance. The objects recognise both the protection of the privacy of individuals and the need to facilitate an efficient credit reporting system. These interests are sometimes in tension but should not be viewed as a zero-sum game. Importantly, while there is reference to an efficient credit reporting scheme in the objects of the Privacy Act, there is no explicit reference to the effectiveness or the fairness of the credit reporting scheme. We note that the terms of reference for the Review is to consider both the efficiency of the scheme, as well as the effectiveness of the scheme, and in particular to have regard to contemporary community expectations. There are mutual benefits to individuals and regulated entities if the rights and responsibilities in the Privacy Act, and Part IIIA, are in the correct proportion.
20. Accordingly, there may be benefit in considering Part IIIA of the Privacy Act from a first principles approach, including what it is seeking to achieve and contemporary community expectations around how individual’s credit information is handled. The OAIC has received feedback from external dispute resolution (EDR) schemes that when handling complaints under Part IIIA, it may be helpful if the overarching objects of the Act included a principle around fairness, or that entities act in good faith. Including a fairness principle in the objects of the Act would ensure that interpretations of the provisions of Part IIIA that best achieves that purpose (e.g. acting fairly and in good faith with respect to individuals’ personal information in the credit reporting systems) is preferred over other interpretations.
21. The Review provides an opportunity to consider such a principle to ensure entities can be held accountable from a regulator perspective, and that the Australian community maintains trust that their credit reporting information is being handled fairly and reasonably, in line with contemporary community expectations regarding information handling.
22. We recommend that the Review consider the object of Part IIIA and its intention, including whether it may benefit from noting the objective to facilitate not only an efficient credit reporting system, but a fair one.

Recommendation 1: The OAIC recommends that the Review consider whether the objects of the Privacy Act that relate to Part IIIA should be amended, and whether a fairness principle ought to be included.

2021 independent review of the Credit Reporting Code

23. Under the CR Code, the OAIC is required to commence an independent review of the practical operation of the CR Code every 4 years to ensure it remains fit for purpose.[6] The OAIC undertook a review of the CR Code in 2021 (2021 Review).[7]
24. The 2021 Review made a number of proposals for consideration in this Review (see Appendix A). In December 2022, the Information Commissioner also wrote to the Attorney-General, the Treasurer and Assistant-Treasurer to raise these issues. We reiterate the main points here for the Review to consider:
    • · A holistic review of the notice framework within Part IIIA
    • · Accommodating entities such as telecommunications and utility providers, and emerging finance products operating in the credit reporting system
    • · Access by real estate agents, landlords and employers to credit reports
    • · Requiring CPs to list default information within a reasonable time and that the retention period should apply from the date of default
    • · Whether mortgage brokers are to be able to receive credit eligibility information (CEI) under s 21G(3)(c)(i) of the Privacy Act, and
    • · Whether CPs should be subject to similar requirements to CRBs regarding direct marketing, noting some may not be considered APP entities and therefore would not be subject to Australian Privacy Principle (APP) 7.
25. The 2021 Review also noted that, given the increased participation of different entities in the credit space and the evolving credit landscape, consideration may need to be given to whether the credit reporting framework needs to be updated to be more accessible and fit for purpose. In particular, the 2021 Review noted that stakeholders were concerned about the regulation of new and emerging finance products, such as Buy Now, Pay Later.
26. The OAIC is supportive of considering such regulation. Building on the outcomes of the 2021 Review, in May 2024, the OAIC made a submission to Treasury’s consultation on the ‘Buy Now, Pay Later regulatory reforms’.[8] In that submission, we outlined our view that similar amendments may need to be considered for Part IIIA of the Privacy Act, considering the proposed reforms to the Credit Act to bring these providers under regulation.
27. More broadly, we note that the OAIC’s 2021 Review of the CR Code raised questions beyond the requirement of merely data protection, some of which related to the issue of how a credit reporting system in Australia should operate and whether the credit reporting framework as currently constituted in Part IIIA, should appropriately sit within the Privacy Act. This is a unique position for a privacy regulator to be in, noting the OAIC’s area of expertise and regulatory focus. Noting that this issue has also been identified by other stakeholders, the OAIC suggests that it may benefit from consideration in the Review. It is crucial that if reforms are proposed following the Review, including to the OAIC’s regulatory role, careful consideration is given to ensuring close alignment with the OAIC's data protection focus and core regulatory objectives.

28. In addition to the 2021 Review findings, this submission raises two further issues for consideration by the Review, both of which may be more effectively addressed through this process, than by amendment to the CR Code. These include the issue of how statute-barred debts are recorded, and the current credit ban framework, both of which were topics the subject of extensive debate by stakeholders during the OAIC’s 2021 Review of the CR Code.

Recording of statute-barred debts

29. The 2021 Review considered the issue of default information being listed on an individual’s credit report after a credit provider is prevented from recovering the payment due to the statute of limitations.
30. Currently, where defaults continue to be listed, the only redress for an individual is to request removal under paragraph 20.6 of the CR Code. However, the OAIC understands that in practice, defaults are sometimes listed just prior to being statute-barred and are not subsequently removed. This means that the information may continue to negatively impact an individual’s credit score beyond the date when it should have been removed. Many individuals do not have a sophisticated understanding of credit reporting and may not be aware of the issue in order to request removal.
31. The 2021 Review proposed that the CR Code be amended to address this imbalance of power by requiring CRBs to remove debts where it is reasonable for them to have been aware of the statute of limitations, and for CPs to take reasonable steps to inform CRBs when a debt has or will become statute-barred.
32. The OAIC is currently considering the Australian Retail Credit Association’s (Arca) application to vary the CR Code to give effect to the 2021 Review and submissions made during a public consultation process. However, we note that the initial view of stakeholders is that this issue would be better considered through the current review of Part IIIA rather than through amendments to the CR Code.
33. In addition to the matters raised in the 2021 Review, the OAIC has also seen several cases where CPs are not pursuing the default process and are instead reporting repayment history information (RHI) or consumer credit liability information (CCLI), after a debt would otherwise be considered statute-barred.
34. For example, in a complaint made to the OAIC, an individual stated that negative CCLI was being reported for a debt which was statute-barred. It transpired that the CP had sold the debt to a debt collector who, upon purchasing the debt, reported a negative event from a credit relationship with a ‘specialty finance provider’ to a CRB. While the OAIC found that there was no breach of the Privacy Act, which does not prohibit the disclosure of CCLI on an open credit account where a debt would otherwise be statute-barred, this practice can have the same impact on an individual as a default, with RHI and CCLI essentially remaining on their credit report until it is resolved.

Credit ban framework

35. The timeframes for credit bans and the process for requesting an extension was a common issue raised by stakeholders in the 2021 Review of the CR Code.[9] Australia has recently experienced a number of large scale data breaches that have involved significant amounts of personal information and information about identity credentials. The OAIC’s notifiable data breaches report for July to December 2023, [10] noted that cyber incidents continue to be the leading cause of large scale data breaches. The report stated that contact and identity information also continued to be the most common kind of personal information involved in data breaches, with most breaches involving contact information (88%) and identity information (63%).
36. The loss of this information significantly increases the risk of fraud and scams for individuals, including through the loan process. As a result of these breaches, individuals promptly took steps to minimise their risk of harm and there was increased utilisation of the credit ban framework outlined in Part IIIA of the Privacy Act.
37. In response to these events, the OAIC produced guidance to individuals to explain the current credit ban application and extension process.[11] Further, the 2021 Review proposed an amendment to the CR Code to offer individuals an automatic extension to the ban period when they make their initial request, where appropriate.[12]
38. The OAIC is considering an application from Arca to vary the CR Code, however, this issue may be more effectively addressed through amendments to Part IIIA of the Privacy Act.[13]
39. The OAIC’s view is that the credit ban process needs to be fit for purpose. We acknowledge that there are many reasons why an individual may seek a credit ban that need to be taken into consideration. For example, in situations relating to family violence, or in relation to problematic gambling as a way to avoid impacting a person’s credit report.
40. Where possible, the OAIC considers that the credit ban process should be readily and easily accessible for individuals in order to provide adequate protections, especially where personal or identity information may have been compromised in a data breach.
41. The OAIC recommends that the Review take into consideration contemporary uses for credit bans, and consider the timeframes which currently apply, including whether the initial ban period should be extended.

Recommendation 6: The OAIC recommends that the Review consider the credit ban framework as a whole in Part IIIA of the Privacy Act, noting contemporary uses, including whether the timeframes for initial credit bans are appropriate in the circumstances.

Financial Hardship Information

Disclosure of FHI to Credit Providers

42. The introduction of Financial Hardship Information (FHI) into the credit reporting system from 1 July 2022 represented a significant change in Australia’s credit reporting landscape.
43. FHI is a particularly sensitive type of credit reporting information. As such, the policy intent behind the introduction of these provisions was that its use and disclosure should be limited. This included limiting disclosure by CRBs to CPs in circumstances where the consumer is seeking access to new credit. This provided greater protection for consumers and acted as an assurance that existing credit-arrangements with CPs would not be impacted when an individual entered into a Financial Hardship Arrangement.[14]
44. However, we note that this policy intent may not be clearly reflected in Part IIIA of the Privacy Act. Under Part IIIA, a CRB could disclose FHI to a CP where the CP has a current consumer credit arrangement with the individual (i.e. before 1 July 2022). [15]
45. The OAIC recommends that the Review consider whether Part IIIA of the Privacy Act needs to be amended to adequately reflect the policy intent that disclosure of FHI by CRBs to CPs be limited to circumstances where the individual is seeking access to new credit.

Recommendation 7: The OAIC recommends that the Review consider whether amendments are required to Part IIIA of the Privacy Act to adequately reflect the policy intent that disclosure of FHI by CRBs to CPs be limited to circumstances where the individual is seeking access to new credit.

Access to credit reporting information

Consent versus notification

46. Currently Part IIIA of the Privacy Act provides a notice-based framework for handling credit information, rather than being consent focussed.[16] However, consent is required in some circumstances, such as under the access seeker provisions provided in s 20R of the Privacy Act.
47. Where consent is required in Part IIIA, it is important that the consent sought is valid. The current definition of consent in the Privacy Act states that consent can be ‘express or implied’ but does not provide further clarification on the elements of valid consent. In its response to the Privacy Act Review report, the Government has agreed in principle to amend the definition of consent to provide that it must be voluntary, informed, current, specific, and unambiguous, which effectively elevates the OAIC’s existing non-binding guidance provided in the APP Guidelines, into law. [17]
48. We recommend that the Review ensure Part IIIA is aligned with any reforms recommended to the Privacy Act around consent to strengthen protections afforded to individuals and ensure regulatory clarity and consistency.
49. Further, the OAIC is aware of instances where the access seeker provisions may be being utilised inappropriately to circumvent Part IIIA of the Privacy Act and seek access to credit reporting information. This is often done by entities that are excluded from accessing credit reporting information under Part IIIA of the Privacy Act. The OAIC recommends that the Review consider the consent framework surrounding the access seeker provisions in Part IIIA to ensure they are clear and are operating as intended.

Recommendation 8: The OAIC recommends that the Review consider the notice and consent framework in Part IIIA of the Privacy Act to ensure it is operating as intended, and that any reform aligns with the Government response to the Privacy Act Review.

Who can access credit information?

Real estate agents, employers and insurers

50. The Privacy Act currently incudes strict restrictions on who can access credit reporting information about an individual. This reflects the policy intent that the credit reporting framework be a closed system, accessible only in certain circumstances.
51. This closed system was in recognition that credit reporting information is a particularly significant kind of personal information and community expectations that it be sufficiently protected within the credit reporting framework. We note from the OAIC ACAPS that these expectations have continued to grow, and Australians more now than ever, expect that their personal information is protected by businesses and government.[18]
52. Currently, the Privacy Act specifically excludes real estate agents, general insurers, and employers from the definition of a credit provider who can access credit reporting information.[19] The Issues Paper raises questions around who can, and should, have access to credit reporting information, including the flexibility provided in other international jurisdictions around access by these bodies.[20]
53. The OAIC notes that there is a noticeable power imbalance that exists within such relationships, particularly between an individual and a real estate agent or an employer. In our view, it is inappropriate for individuals to be required to provide excessive and significant amounts of personal information in order to gain employment, or secure appropriate rental accommodation. The OAIC is aware that in some cases, individuals are being asked to hand over large amounts of personal information and credit reporting information in order to secure basic housing.[21]
54. It is crucial that where personal information, including credit reporting information, is being sought, there is a strong need for that information, and it is necessary for an entity or body to perform their role. It is not sufficient that this information would merely be convenient or would make an assessment easier or quicker. In most cases, other information can be adequately relied upon to make an assessment as to an individual’s character and/or their ability to make repayments which would have a lesser privacy impact on individuals. It is important that the Review consider what information is required, and who requires this, in considering whether there are policy reasons for extending the current closed framework.
55. If the Review considers that there is evidence of strong public policy reasons that demonstrate that expansion to real estate agents or similar bodies is needed, this must be carefully considered and framed.
56. The Review will need to consider the principle of data minimisation and ensure that any expansion of the current bodies allowed access to credit reporting information is reasonable, necessary and proportionate to achieving a legitimate purpose or policy aim. Further, having regard to the significant risk of harm from mishandling of the information or data breaches, appropriate storage, retention and destruction requirements would need to be provided for in the legislation.
57. The Review should also consider whether entities permitted to access credit reporting information are covered by the Privacy Act and would fall within the jurisdiction of the OAIC as the regulator. Currently, many real estate agents are not covered by the Privacy Act and fall within the small business exemption.
58. The OAIC considers there is a strong argument for real estate agents to be covered by the Privacy Act. The Privacy Act Review recommended that the small business exemption be removed in recognition of the increasing privacy risks posed by small businesses and the benefits of improved privacy protection for Australians and the economy.[22] The Government agreed in principle to remove the small business exemption, in light of the privacy risks applicable in the digital environment. However, this will not occur until further consultation has been undertaken with regards to the impacts the removal of the small business exemption will have.[23] In the event the small business exemption is removed, this would mean that real estate agents who currently fall under the exemption would be covered by the Privacy Act.

Foreign credit providers

59. The Issues Paper raises questions around disclosing credit reporting information to foreign credit providers in certain circumstances.[24] It is important that Australians’ personal information is adequately protected wherever it flows, including beyond Australia’s borders, and that consideration is given to the impact and effect of such a proposal on Australia’s credit reporting framework and economy.
60. The Privacy Act currently creates a framework for the cross-border disclosure of personal information through the operation of APP 8 and s 16C of the Privacy Act. The framework generally requires an APP entity to ensure that an overseas recipient will handle an individual’s personal information in accordance with the APPs and makes the APP entity accountable if the overseas recipient mishandles the information.[25] This accountability approach facilitates the free flow of information across borders while ensuring that the privacy of individuals is respected. It is important that any such proposal under Part IIIA of the Privacy Act adheres to the same principles outlined elsewhere in the Privacy Act.
61. If the Review considers that there are strong public policy reasons to allow the disclosure of credit reporting information internationally, and that the Australian community supports this, it must ensure that Part IIIA reflects the accountability framework in APP8 and s 16C of the Privacy Act.
62. We note that one of the current exceptions in APP 8.2 allows the disclosure of personal information to an overseas recipient if they are subject to a law with substantially similar protections to that of Australia.[26] Currently, the onus is on entities to make this assessment in order to enliven this exception. The range of legal regimes in other countries across the world is vast. It may be beneficial for the Review to consider the establishment of a whitelist of countries that satisfy the requirements of APP 8.2(a) if this proposal were to manifest.
63. The Government agreed in its response to the Privacy Act Review to introduce a mechanism to prescribe certain countries and certification schemes as providing substantially similar protections to the APPs under APP 8.2(a).[27] Such transfers would be similar to those facilitated through adequacy agreements under the General Data Protection Regulation (GDPR). Internationally, New Zealand has also introduced a similar mechanism to enable countries with privacy laws that provide comparable safeguards, to be prescribed. It would be appropriate for the Review to consider similar mechanisms here, if such a proposal were to proceed.
64. The Issues Paper also includes questions around the ability of CRBs to collect credit reporting information from foreign credit providers about foreign loans. If this were to manifest, it is important that the Review consider how the integrity of the Australian credit reporting system will be maintained and whether foreign credit information should only be included from countries with comparable credit reporting schemes. We note that it would be appropriate for the necessary policy Department to assess which of these countries would have adequate and comparable credit frameworks and would be appropriate in the circumstances for information to be collected from.

Recommendation 11: The OAIC recommends that the Review ensure that there is a strong policy rationale for facilitating the flow of credit reporting information to and from foreign credit providers, and that any such disclosures and collections occur only through adequacy or whitelisting, taking into account the relevant recommendations from the Privacy Act Review and APP 8.

What is Credit Reporting Information?

Court judgments and publicly available information

65. Under the Privacy Act, credit information includes a number of different types of personal information (other than sensitive information) as set out under s 6N of the Privacy Act. Each information type provides different insights into an individual’s overall credit worthiness and is subject to unique requirements. In the 2021 Review, stakeholders noted confusion regarding the definition of ‘publicly available information’ in s 6N(k) of the Privacy Act and what would be captured. For example, some stakeholders questioned when a court judgment that is not ‘court proceedings information’ may be considered ‘publicly available information’ and be able to be collected on this basis.
66. Based on the current provisions in Part IIIA of the Privacy Act and the CR Code, it is the OAIC’s view, as outlined in our guidance for industry,[28] that the practical effect of Part IIIA and the CR Code is that a court judgment cannot be collected as ‘publicly available information’. This is consistent with the policy intent that court proceedings information specifically be excluded from what is publicly available information which can be collected and used. In our view, it follows naturally that court judgments would fall within this category, and be excluded from collection, however, this is not apparent on the face of Part IIIA.
67. Given this feedback from stakeholders, and to aid the OAIC’s regulatory role, the Review may benefit from considering whether the definition of ‘publicly available information’ should be amended to specifically clarify that it does not include court judgments.

Recommendation 12: The OAIC recommends that the Review consider whether the definition of ‘publicly available information’ in Part IIIA of the Privacy Act be amended to clarify that court judgments cannot be considered ‘publicly available information’.

Data minimisation, retention and security

68. The volume and granularity of credit information that is being collected by entities is increasing. Alongside other practices such as the likelihood of cyber-attacks and the unnecessary retention of data, the risk to privacy and security of credit reporting information is amplified. It is therefore important that entities that handle credit reporting information, have well considered and robust policies and practices with regards to data minimisation, retention and security.

The data minimisation principle

69. The data minimisation principle is an important measure for participants in Australia’s credit reporting system and provides that the collection, processing, and retention of information, in particular personal information, is limited to what is directly relevant and necessary for a legitimate and specific purpose. Under this principle, this information should also be retained only for as long as is necessary, and then destroyed.
70. Credit reporting information is a particularly sensitive type of information. Unauthorised access, modification, disclosure or use of credit reporting information may lead to an individual being at risk of serious harm, whether that is harm to their physical or mental well-being, financial loss, or damage to their reputation.
71. Unfortunately, as personal information becomes increasingly available to malicious actors through data breaches, the likelihood of other attacks, such as impersonation fraud and scams, increases. The increased incidence of large scale data breaches in Australia has elevated the likelihood of a mosaic effect, which is when separate pieces of personal information become significant when combined with other types of information, leading to harm to individuals.
72. The Review should ensure that the data minimisation principle is considered and upheld when considering any proposed amendments to Part IIIA of the Privacy Act and consider the appropriate retention periods for information collected.

Recommendation 13: The OAIC recommends that the Review consider the data minimisation principle in determining any amendments to Part IIIA of the Privacy Act and that any retention periods for information collected, are appropriate in the circumstances.

Data security and APP 11

73. Recent high-profile data breaches have focused attention on the potential impacts of a cyber security incident. The recent data breach involving utility provider, Sumo, which involved credit scores highlights the importance of robust and secure information-handling practices and a strong privacy framework in Australia which affords adequate privacy protections.[29]
74. In the OAIC’s Notifiable Data Breaches (NDB) Report for July to December 2023, the finance sector remained one of the top reporters of data breaches, reporting 49 breaches (10%).[30] Finance, along with Health Service Providers, have consistently reported the most data breaches of all sectors since the NDB scheme began. For the July to December 2023 period, malicious or criminal attacks was the leading cause (67%) of data breaches reported for the finance sector. Further, 193 of the total data breaches reported for the period involved personal information that involved financial details, representing the fourth most common kind of personal information affected.
75. While the OAIC and government play an important role in providing support, information and resources to assist entities to have robust and secure information-handling practices, the primary responsibility for protecting data in accordance with the Privacy Act, rests with the entities themselves.
76. Sections 20Q and 21S of the Privacy Act set out data security requirements that generally reflect the provisions of Australian Privacy Principle (APP) 11. In its response to the Privacy Act Review, the Government committed to strengthening APP 11 by:
    • Proposal 21.1 – Amending APP 11.1 to state that ‘reasonable steps’ include technical and organisational measures (agreed)
    • Proposal 21.2 – Including a set of baseline privacy outcomes under APP 11 and consulting further with industry and government to determine these outcomes, informed by the development of the Government’s 2023-2030 Australian Cyber Security Strategy (agreed-in-principle), and
    • Proposal 21.7 – Amending APP 11 to require APP entities to establish their own maximum and minimum retention periods in relation to the personal information they hold which take into account the type, sensitivity and purpose of that information, as well as the entity’s organisational needs and any obligations they may have under other legal frameworks. APP 11 would also specify that the retention periods should be periodically reviewed (agreed-in-principle).
77. The OAIC recommends that the review consider reflecting any amendments made to uplift APP 11, where relevant, in Part IIIA of the Privacy Act to ensure consistency and that non-APP entities that are subject to Part IIIA have security requirements that are in line with the APPs around credit reporting information.

Recommendation 14: The OAIC recommends that the Review consider the Government response to the Privacy Act Review with regards to APP 11 and ensure that any relevant amendments to APP 11 are reflected in Part IIIA of the Privacy Act.

The importance of transparency

CRB and CP audit requirements

78. Transparency over compliance with the safeguards in Part IIIA of the Privacy Act is a key measure in assuring the Australian community that participants in Australia’s credit reporting system are handling their credit reporting information in accordance with the law.
79. Under paragraph 24.2 of the CR Code, every 3 years, or more frequently if the Commissioner requests, CRBs are required to commission an independent review of their compliance with the Part IIIA of the Privacy Act, the Privacy Regulations and the CR Code. As part of this process, CRBs are required to consult with the Australian Information Commissioner regarding the scope of the review and the choice of reviewer. There are no clear requirements regarding the standard of the report or what experience the independent reviewer ought to have in order to assess appropriate compliance.
80. Under s 20N(3) of the Privacy Act, to ensure the quality of information that a CRB collects and discloses, there are requirements with regards to CP audits, whereby CRBs must:
    • Enter into agreements with CPs that require the CP to ensure that the credit information it discloses to the CRB is accurate, up-to-date and complete
    • Ensure that regular audits are conducted by an independent person to determine whether those agreements are being complied with, and
    • Identify and deal with suspected breaches of those agreements.
81. Ensuring visibility over CRB and CP compliance with Part IIIA of the Privacy Act is an important step in promoting transparency, compliance, and alerting regulators to any non-compliant activities.
82. Currently, there is limited visibility over CP audits, given they are provided to CRBs alone, and are not currently publicly available. Some stakeholders have raised with the OAIC that this arrangement also creates a conflict of interest, given it is a paid agreement under which the entities engage.
83. The OAIC considers that both the CRB independent review requirements and CP audit requirements would benefit from being articulated in Part IIIA of the Privacy Act, rather than in the CR Code alone. We also recommend that the Review consider the transparency requirements of the framework as they are currently operating, and whether amendments are required.
84. The Review provides an important opportunity to assess the requirements of a CRB audit, including whether clearer requirements could be set out as to the standard expected for a report, and the regulator’s involvement in this process. Similar requirements exist under other regimes. For example, under the Consumer Data Right (CDR) Rules regarding accreditation and ongoing compliance, reference is made to assurance reports being conducted in line with particular standards and by suitably experienced, qualified and independent auditors. Part IIIA may also wish to specify the experience that an independent reviewer should have, including expertise and knowledge of the Australian credit reporting system.
85. In our view, these changes would provide a clearer regulatory framework, and would assist in ensuring transparency over compliance with Part IIIA of the Privacy Act and instilling public trust.

Recommendation 15: The OAIC recommends that the Review consider whether amendments may be required to Part IIIA of the Privacy Act around CRB independent audits and CP audit requirements, which set out clear standards for reports and choice of independent reviewer.

Corrections and complaints

Timeframes for processing correction requests

86. One of the main complaint areas to the OAIC and to external dispute resolution (EDR) schemes relates to the correction of credit information.[31] As the privacy regulator, the OAIC also receives a significant number of requests for advice in navigating the corrections framework. Data showing further complaints to the OAIC is included at Appendix B.
87. Currently, under ss 20T and 21V of the Privacy Act, where an individual requests correction of their credit information, the entity must resolve the request within 30 days, unless an extension is agreed with the individual.
88. The Explanatory Memorandum[32] states that most requests are expected to be resolved within the legislated timeframe, which has been specified to allow adequate consultation to occur. Accordingly, where consultation is not required, the request is expected to be considered and resolved well within the 30-day timeframe. An extension is intended to be sought only in exceptional circumstances in accordance with the procedure at paragraph 20.3 of the CR Code.
89. The OAIC notes that in practice, the extension process appears to be engaged more commonly than intended. Further, there are varying ideas of what may warrant such an extension. The Review may benefit from considering whether the policy intent from the Explanatory Memorandum of extensions only being sought in ‘exceptional circumstances’ should be clarified and provided for in Part IIIA of the Privacy Act to ensure timely resolution of correction requests, given the significance of credit information for individuals.
90. We recommend that consideration be given to whether the corrections framework can be streamlined to make it easier for individuals to navigate and that consideration be given to including a point about extensions only being sought in exceptional circumstances in the legislation.

Recommendation 16: The OAIC recommends the Review consider whether amendments are required to Part IIIA to specify that extensions for resolving individual corrections requests under ss 20T and 21V should be for exceptional circumstances only, and whether further clarity should be provided around circumstances that would warrant an extension.

Part IIIB CR code issues

Development and variation of the CR Code

91. Part IIIB of the Privacy Act creates a framework for the development, registration and variation of codes of practice about information privacy, called APP codes. Part IIIB requires the development of a code of practice about credit reporting, called the CR code which particularises how the provisions in Part IIIA are to be applied or complied with and may also impose additional requirements.[33]. Unlike other APP codes, the Commissioner must ensure that there is always a registered CR Code in place.[34]
92. To develop a CR Code, the Commissioner may, in writing, request a code developer to develop a CR code. The request may specify one or more matters that the CR code must deal with, the credit providers, or class of credit providers, that should be bound by the code and the other entities, or class of entities, that should be bound by the code.[35]
93. The Review may benefit from taking a first principles approach and considering how the CR Code operates alongside Part IIIA of the Privacy Act considering its content, and the role that it plays in particularising compliance for industry.
94. As noted elsewhere in this submission, issues relating to the framing and requirements of the CR Code often go beyond the scope of data protection and can concern matters relating to the credit reporting system as a whole in Australia, and what products should and should not be available. Given the OAIC’s role as privacy regulator, these issues can be difficult to traverse and require it to lean on the expertise of other government agencies. It may be beneficial for the Review to consider the appropriateness of the current arrangements surrounding the CR Code, and how best to achieve its purpose and effect.
95. Currently, the OAIC does not have strong powers to direct a code maker to take certain action, or otherwise amend an application where necessary. In practice, this means that there is extensive engagement between the OAIC and the Code developer ahead of an application being developed. This can lead to issues of transparency and the misconception that the OAIC simply approves any application made to it. The Review may wish to consider how Part IIIB of the Privacy Act is operating, and whether amendments may be required to strengthen and provide the Commissioner with greater flexibility in relation to the approval process for the CR Code.

Recommendation 17: The OAIC recommends that the Review consider how the CR Code operates alongside Part IIIA of the Privacy Act and its content. We also recommend that the Review consider whether amendments may be required to provide more certainty around the variation and approval process.

Appendix A

Proposals relating to Part IIIA from 2021 Review

The Information Commissioner wrote to the Attorney-General and the Treasurer and Assistant Treasurer about the findings from the 2021 Review in December 2022 relating to provisions in Part IIIA, to be raised in the current review of Part IIIA. These are extracted below:

Additionally, the Information Commissioner raised further issues for consideration as part of this Review in her letter, including:

• Consideration of the operation of s 26M(2) of the Privacy Act, which states that the CR Code is a legislative instrument, with s 26N(5), which states that the CR Code is not a legislative instruments, as it has led to consumer confusion
• Whether mortgage brokers are to be able to receive CEI under s 21G(3)(c)(i), and
• Whether CPs should be subject to similar requirements to CRBs with regard to direct marketing under Part IIIA, as some may not be considered APP entities and therefore would not be subject to APP 7.

Appendix B

OAIC complaints and enquiries data

In total, since 12 March 2014, the OAIC received approximately the following complaints and enquiries relating to Part IIIA of the Privacy Act:

• 2,627 total complaints
• 8,573 total enquiries

The table below provides a break-down of total complaints received for the main respondents to complaints to the OAIC, which include:

• Financial sector (including Credit Providers)
• Credit Reporting Bodies (CRBs)
• Utilities providers, and
• Telecommunications providers.

Note: This table does not represent the total complaints received as we have only included the 5 main sectors in this table. Data is as of 26 February 2024.

The Financial sector, which includes Credit Providers (CPs) and CRBs are the two top sectors for both complaints and enquiries that the OAIC has received relating to credit reporting.

Complaints and enquiries data – break-down per year

The table below provides a break-down of complaints and enquiries for each year between 2014 and 2024:

Note: data is for the financial year unless specified otherwise. Data is as of 26 February 2024. The total enquiries figure for 12 March 2014 to 30 June 2014 comprises of enquiries regarding both pre and post 12 March 2014 provisions. Due to OAIC system limitations, we are unable to separate this data.