As part of the reforms to the Privacy Act 1988 (see Update on the Australian Privacy Principle Guidelines and Changes to the Privacy Act - Ensuring the fine print is not forgotten), credit reporting in Australia will be regulated by a new Part IIIA of the Privacy Act. This will be accompanied by a new Credit Reporting Code which will replace the existing Credit Reporting Code of Conduct.
This new regime comes into effect on 12 March 2014 with the aim of simplifying, clarifying and updating the current credit reporting provisions. The new regime will affect most industries.
The changes will introduce more comprehensive credit reporting for businesses in Australia which entails greater privacy protection relating to notification, data quality, access and complaints for consumers. Similar to what is currently used in the US, the new regime will initiate a more positive credit reporting structure in Australia.
The new regime addresses the following issues:
- open and transparent management of credit related personal information;
- solicited and unsolicited collection;
- use and disclosure;
- access; and
Whilst these changes will launch a more positive credit reporting structure in Australia, the changes also mean businesses need to comply with more stringent requirements under the new regime in order to avoid penalties.
Who does the Code apply to?
The Code has broadened the scope of what has traditionally been regarded as a credit provider and is likely to catch most non-cash businesses. The definition includes:
- financial institutions and similar businesses that are involved in the provision of credit; or
- businesses that provide goods or services to individuals on deferred payment terms of more than seven days.
The Code also applies to credit reporting bodies. Credit reporting bodies are those that carry on a business or undertaking that involves providing credit.
Complying with the Code
As a result of the broader application of the Code and the amendments to the Privacy Act, all businesses should review whether they are a credit provider or credit reporting body.
If the Code applies, at a minimum, businesses should review existing credit policies or prepare a credit policy together with taking reasonable steps to implement practices, procedures and systems to ensure compliance with credit reporting obligations.
The Explanatory Memorandum envisages credit providers and credit reporting bodies actively “developing and maintaining training programs, staff manuals, standard procedures and any other relevant documents that demonstrate awareness of, and compliance with, their obligations under the Division and the registered CR code.”
Generally, the changes will affect how businesses can:
- handle and process a consumer's personal information;
- use personal information for direct marketing; and
- disclose personal information to people overseas.
Failing to comply with the Privacy Act or the Code
The Code increases the powers of the Australian Information Commissioner to permit the following:
- investigate possible breaches without a complaint;
- request information;
- pursue civil penalties for serious or repeated breaches of privacy; and
- assess the privacy compliance and performance for Australian government agencies and businesses.
The amendments introduce a new civil penalty regime. Specific new powers given to the Australian Information Commissioner under the new regime allow pecuniary penalties to be imposed on businesses in certain circumstances. The penalties can be as high as $340,000 for an individual and $1,700,000 for corporations.
In addition, some acts or practices under the new regime are considered offences and carry a criminal penalty. An example of a potential criminal offence is repeated unauthorised use and disclosure of false and misleading information.