Comply with credit reporting obligations (Part IIIA Privacy Act)
Credit providers and CRBs must adhere to the CR Code on collection, use, disclosure, hardship and dispute resolution.
Who must comply
Credit providers, credit reporting bodies, mortgage insurers, and trade insurers within the regime.
What triggers it
Providing or receiving consumer credit information.
When due
Continuous; specific notification triggers per Part IIIA.
Evidence required
CR Code compliance documentation, FHI procedures, notification templates, complaints register.
Max penalty
Same penalty regime as broader Privacy Act; CR Code breaches additionally enforceable
Summary
Part IIIA of the Privacy Act and the Privacy (Credit Reporting) Code 2014 govern handling of consumer credit information. Credit providers must give s 21D notices, observe permitted disclosures, treat repayment history information correctly, handle financial hardship requests under s 21D and the FHI regime (from 1 July 2022), and respond to corrections within statutory periods.
Enforced by
Source legislation
Industries
Topics
Related obligations
- CWLTHNotifiable Data Breach (NDB) schemeUnder the NDB scheme, APP entities must notify the OAIC and affected individuals of an eligible data breach likely to cause serious harm — assessed within 30 days.
- CWLTHAutomated Decision-Making transparency under Privacy Act (phased)From a phased commencement, APP entities using ADM must disclose in Privacy Policy.
- CWLTHAPP 3 collection of sensitive informationAPP 3 bars collecting sensitive information — health, race, religion, sexual orientation and more — without consent. What counts as sensitive, the exceptions and penalties.
- CWLTHPrepare for the proposed removal of the small business exemptionRemoving the Privacy Act small business exemption (<$3M turnover) is proposed for a future reform tranche — agreed in principle, not yet law.
- CWLTHPrivacy Act Reform — information controllers regime (proposed Tranche 2)Tranche 2 reforms in scoping — information controllers + processors regime.
- CWLTHPublish a Privacy Policy compliant with APP 1Every APP entity needs a clearly-expressed Privacy Policy covering APP 1.4 requirements.
Frequently asked questions
- Who must comply with credit reporting obligations (Part IIIA Privacy Act)?
- Credit providers, credit reporting bodies, mortgage insurers, and trade insurers within the regime.
- What triggers credit reporting obligations (Part IIIA Privacy Act)?
- Providing or receiving consumer credit information.
- When is credit reporting obligations (Part IIIA Privacy Act) due?
- Continuous; specific notification triggers per Part IIIA.
- What is the maximum penalty for credit reporting obligations (Part IIIA Privacy Act)?
- Same penalty regime as broader Privacy Act; CR Code breaches additionally enforceable
- What evidence is required for credit reporting obligations (Part IIIA Privacy Act)?
- CR Code compliance documentation, FHI procedures, notification templates, complaints register.
Source: https://oaic.gov.au/privacy/credit-reporting. Rules Mate is not a law firm. Always verify against the live regulator source before acting.