Part IIIA of the Privacy Act 1988 (Privacy Act) regulates consumer credit reporting in Australia. Part IIIA is supported by the Privacy Regulation 2013 and the Privacy (Credit Reporting) Code 2024 (CR Code).
One of the objects of the Privacy Act is to facilitate an efficient credit reporting system while ensuring that the privacy of individuals is respected. In recognition of that objective, the laws about credit reporting are intended to balance individuals’ interest in protecting their personal information with the need to ensure that credit providers have sufficient information available to assist them to decide whether to provide an individual with credit. The Australian credit reporting system also helps ensure that credit providers are able to comply with their responsible lending obligations under the National Consumer Credit Protection Act 2009 administered by the Australian Securities and Investments Commission (ASIC).
To achieve this intention, Part IIIA of the Privacy Act regulates the handling of personal information about individuals’ activities in relation to consumer credit. In particular, Part IIIA outlines:
- the types of personal information that credit providers can disclose to a credit reporting body (CRB), for the purpose of that information being included in an individual’s credit report
- what entities can handle that information, and
- the purposes for which that information may be handled.
For example, when an individual makes an application for credit to a credit provider, the provider can access a copy of the individual’s credit report from a CRB to help them to make a decision about whether or not to grant the application.
The registered CR Code
The Privacy (Credit Reporting) Code 2024 (CR Code) is a mandatory code that binds credit providers and CRBs. The CR Code supplements the provisions contained in Part IIIA of the Privacy Act and the Privacy Regulation 2013.
Importantly, a breach of the CR Code is a breach of the Privacy Act.
For more information see Privacy codes register.
CR Code recent history
On 27 September 2024, the Australian Privacy Commissioner approved a variation to the CR Code. This version of the CR Code addresses amendments to the Privacy Act to implement the proposals from the OAIC’s 2021 Review of the CR Code.
- The CR Code 2024 commenced on 1 October 2024.
- Read the media release.
Independent reviews
Under paragraph 24.3, the Australian Information Commissioner is required to initiate an independent review of the operation of the CR Code every 4 years.
2021 Review
On 26 March 2021, the Australian Information Commissioner initiated the second independent review of the CR Code.
- The report on the 2021 Review of the CR Code was published on 20 September 2022.
- See also What we heard and what we are doing to implement the findings in the independent review report and the OAIC credit reporting roadmap.
2017 Review
The 2017 independent review was conducted by PricewaterhouseCoopers (PwC) and the report was published on 8 December 2017. Read the Review of Privacy (Credit Reporting) Code 2014 (v1.2) report.