Sarah Ghali
Assistant Commissioner, Regulation and Strategy
One of the objects of the Australian Privacy Act 1988 and a key focus area for the OAIC is ensuring individuals’ personal information is protected as it flows through the credit system. Credit reporting information is a type of personal information that has a major impact on an individual’s life.
Part of our role includes oversight of the Privacy (Credit Reporting) Code 2014 (CR Code), developed by the Australian Retail Credit Association (Arca). The CR Code outlines how entities must comply with the Privacy Act when handling credit information.
In recent years, the credit reporting landscape has expanded and shifted through a time of social, technological and regulatory change, for example, through new entities such as telecommunications and utility providers participating in the credit reporting system
In this context, the 2021 independent review of the CR Code made proposals to amend the CR Code to strengthen privacy protections and provide greater clarity for industry on their obligations.
To implement proposals in the independent review, Arca made an application to vary the CR Code, which the OAIC then sought feedback on through a public consultation process. We have been reviewing the submissions received and the valuable insights raised by stakeholders.
What we heard
Some of the key themes we heard from stakeholders were:
- whether the proposed changes to the definition of ‘account closed’ for consumer credit, which would clarify when credit can be ‘charged off’, are adequate
- whether amendments to clarify the definition of ‘month’ to more flexibly accommodate credit reporting practices reflect an individual’s expectations around their repayment obligations
- feedback on introducing a soft enquiries framework through the CR Code, which would mean enquiries such as a request for a quote are not recorded on an individual’s credit report.
What we are doing
It is important that any amendments to the CR Code adequately consider stakeholder views.
To address feedback received and to action these key themes, the OAIC has:
- taken steps to explore amending the definition of ‘account closed’ to explain how the date when credit can be ‘charged off’ is determined
- gathered and provided further information to explain why a reporting month may be as short as 26 days
- considered the opportunity to include more detailed explanation in the explanatory materials to the CR Code to help stakeholders understand the credit reporting provisions.
We have also postponed considering a soft enquiries framework until the report on the review of Australia’s credit reporting framework is released. This will allow this issue to be fully considered by the review, which is examining the broader credit reporting landscape, to ensure the impacts and issues raised by all stakeholders are explored holistically.
We anticipate revisiting the soft enquiries framework and whether it can be implemented in the CR Code by the second quarter of 2025, after the review has been finalised and any potential amendments to the Privacy Act have been considered. At that point, we will use the valuable information and feedback obtained through the 2021 independent review and consultation on the variation application to consider next steps.
Amended variation application
The OAIC has requested that Arca submit an amended variation application within the next 2 weeks. We consider the amendments we have proposed to Arca’s application will enhance the effectiveness of the CR Code and address stakeholder feedback.
Approval of the application to vary the CR Code will provide great benefits to industry and protection for individuals’ information, which will enhance the CR Code. Changes include:
- a free alert system to notify individuals when an attempt to access their credit report occurs when a credit ban is in place
- the introduction of a mechanism to correct multiple instances of incorrect information stemming from one event or incident (such as fraud)
- the inclusion of domestic abuse as an example of circumstances beyond an individual’s control for corrections that involve the destruction of default information
- greater visibility over compliance with the Privacy Act for credit reporting bodies and credit providers.
Next steps
Once the OAIC has received the amended application from Arca, we will assess and consider the application with a view to deciding whether to approve it.
Once approved, we will register a new CR Code.