Federal Register of Legislation - Australian Government


Privacy (Credit Reporting) Code 2014 (Version 2.1)

Authoritative Version
Codes & Codes of Practice as made
This instrument is a written code of practice about credit reporting under s 26N(1) of the Privacy Act 1988 as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012.
Administered by: Attorney-General's
Registered 14 Feb 2020
Tabling History:
Tabled HR: 24-Feb-2020
Tabled Senate: 24-Feb-2020

EXPLANATORY STATEMENT

Issued by the Authority of the Australian Information Commissioner

Privacy Act 1988

Privacy (Credit Reporting) Code 2014 (Version 2.1)

 

This explanatory statement relates to the Privacy (Credit Reporting) Code 2014 (Version 2.1) (the CR Code V2.1), which replaces the Privacy (Credit Reporting) Code 2014 (Version 2.0) (the Previous Code) varied under subsection 26T(5) of the Privacy Act 1988 (Privacy Act).

The CR Code V2.1 repeals and replaces the Previous Code to clarify obligations under the Previous Code, reflect current industry practice and ensure consistency with the provisions in the Privacy Act.

Authority for registration of the CR Code V2.1

Subsection 26T(1) of the Privacy Act enables the Australian Information Commissioner (Commissioner) to approve a variation of the registered CR Code. Subsection 26T(5) of the Privacy Act requires the Commissioner to register the CR Code, as varied, on the Codes Register kept by the Commissioner in accordance with section 26U of the Privacy Act. Section 26M of the Privacy Act provides that the CR Code, as varied, is a legislative instrument once included on the Codes Register.

On 18 April 2019, the Australian Retail Credit Association (ARCA), the code developer, submitted an application for variation of the Previous Code under paragraph 26T(1)(c), and, following further consultations, further amended applications were received on 15 May 2019, 8 July 2019, 19 November 2019 and 11 December 2019. All applications were published on the Office of the Australian Information Commissioner (OAIC) website.

The Commissioner, having regard to subsection 26T(3) of the Privacy Act and the OAIC’s Guidelines for developing codes, approved the variations to the Previous Code on 13 December 2019. The CR Code V2.1 will be included on the Codes Register from 14 February 2020 and the Previous Code will be removed at the same time. Upon its inclusion on the Codes Register, CR Code V2.1 will become the registered CR Code.

Purpose and operation of the CR Code

A Credit Reporting Code (a CR Code), defined by section 26N of the Privacy Act, is a written code of practice about credit reporting. The CR Code that is included on the Codes Register by the Commissioner under section 26U of the Privacy Act is called the ‘registered CR code’. The Codes Register is available on the OAIC website. Subsection 26S(4) of the Privacy Act requires the Commissioner to ensure that there is one, and only one, registered CR Code at all times. The purpose of the registered CR Code is to supplement the provisions of Part IIIA of the Privacy Act and the Privacy Regulation 2013.

Under section 26N of the Privacy Act, a CR Code must perform the following functions:

·         set out how one or more of the credit reporting provisions in Part IIIA of the Privacy Act are to be applied or complied with (s 26N(2)(a))

·         make provision for, or in relation to, matters required or permitted by Part IIIA to be provided for by the registered CR code (s 26N(2)(b))

·         bind all credit reporting bodies (s 26N(2)(c))

·         specify the credit providers that are bound by the CR code, or a way of determining which credit providers are bound (s 26N(2)(d))

·         specify any other entities subject to Part IIIA of the Privacy Act that are bound by the CR code, or a way of determining which of those entities are bound (s 26N(2)(e)).

In addition, a CR code may perform the following functions:

·         impose additional requirements that are not contrary to, or inconsistent with the requirements of Part IIIA of the Privacy Act (s 26N(3)(a))

·         deal with the internal handling of complaints (s 26N(3)(b))

·         provide for the reporting to the Commissioner about complaints (s 26N(3)(c))

·         deal with any other relevant matters (s 26N(3)(d)).

The CR Code V2.1 differs from the Previous Code by:

·         altering the definition of ‘the day on which the consumer credit is entered into’ under paragraph 6.2(a) to ensure consistent practice across industry

·         ensuring that the assessment of repayment history information about an individual under paragraphs 8.1 – 8.2 must take account of any payments made by an individual during the relevant month

·         altering the code for reporting repayment history information under paragraph 8.2(c)(ii) where a payment is 180 days or more overdue

·         amending paragraphs 10.1 and 12.2 to clarify that new arrangement information should be disclosed in accordance with the Privacy Act and not the CR Code V2.1

·         clarifying that a credit reporting body can only collect publicly available information under paragraph 11.2 if the information is about activities conducted in Australia or its external territories that relate to an individual’s creditworthiness

·         introducing an obligation on credit reporting bodies under paragraph 17.1 to notify an individual’s ban period request (or extension of ban period) to other credit reporting bodies where requested by that individual

·         clarifying that a pre-ticked consent box does not constitute opting into direct marketing under paragraph 19.4 when individuals access free credit reports

·         clarifying the timeframes for credit reporting bodies to respond to correction requests under paragraphs 20.2 and 20.4

·         updating paragraph 21 to refer to the most recent International Organisation for Standardization (ISO) standards for complaint handling

·         requiring an ongoing review of the CR Code every four years under paragraph 24.3.

Reasons for decision to approve variations to the Previous Code and register the CR Code V2.1

In deciding to approve the CR Code V2.1, the Commissioner has had regard to subsections 26T(3) and 26T(4) of the Privacy Act and the OAIC’s Guidelines for developing codes.

The Commissioner also had regard to the recommendations and observations made in the report, titled Review of Privacy (Credit Reporting) Code 2014 (V1.2) Report dated 8 December 2017 by PricewaterhouseCoopers (PwC). This report was drafted as a result of the independent review of the Privacy (Credit Reporting) Code 2014 (Version 1.2) initiated by the former Commissioner as required by paragraph 24.3 of that code.

In making the decision, the Commissioner considered that:

·         The requirement set out in paragraph 26T(3)(a) of the Privacy Act had been met as ARCA’s application documentation was published on the OAIC’s website from 24 May 2019.

·         The requirements set out in paragraph 26T(3)(b) of the Privacy Act, the Guidelines for developing codes and section 17 of the Legislation Act 2003 have been met as sufficient consultation had taken place; noting that ARCA consulted with stakeholders including industry representative groups, consumer representative groups, external dispute resolution (EDR) schemes, the Attorney-General’s Department, the Australian Securities and Investments Commission (ASIC) and ARCA members about its variation. During the review of the CR Code in 2017, PwC consulted stakeholders. The OAIC received submissions directly from some stakeholders.

·         The requirement set out in paragraph 26T(3)(c) of the Privacy Act had been met as the public had the opportunity to comment throughout the PwC review process and a public consultation process conducted by ARCA in February 2019.

·         The list of matters set out in the Guidelines for developing codes in deciding whether to approve a variation to a CR Code have been addressed.

Documents incorporated by reference

Paragraph 21.1 of the CR Code V2.1 incorporates into the law by reference, ISO 10002:2018(E) Quality management - Customer satisfaction - Guidelines for complaints handling in organisations in the form in which it exists on 14 February 2020 and not in the form in which it may exist from time to time. Section 26M and subsection 26T(5) of the Privacy Act provide the authority, consistent with section 14 of the Legislation Act 2003, to incorporate ISO 10002:2018 into the law by reference.

The incorporated document is available for inspection, upon request, at: Office of the Australian Information Commissioner (NSW Office), 175 Pitt St, Sydney. Phone: 1300 363 992. It is also available at the National Library of Australia and at a number of public libraries, such as the State Libraries of New South Wales and Victoria. It is available for a fee, by visiting the SAI Global web shop at www.saiglobal.com.

Consultation

Consistent with the requirements of section 17 of the Legislation Act 2003, the Commissioner has considered the consultation process undertaken by ARCA as the code developer.

Subsection 26T(3) of the Privacy Act requires that, before deciding whether to approve a variation of the registered CR Code, the Commissioner must:

·         make a draft of the variation publicly available (s 26T(3)(a))

·         consult any person the Commissioner considers appropriate about the variation (s 26T(3)(b))

·         consider the extent to which members of the public have been given an opportunity to comment on the variation (s 26T(3)(c)).

The Commissioner has also considered the relevant matters set out in the Appendix of the OAIC’s Guidelines for developing codes under subsection 26T(4) in relation to variation of a registered code.

Changes made to the CR Code V2.1 were made having regard to the following:

·         From 23 August 2018 to 28 February 2019, in preparation for its variation application, ARCA conducted public consultation with stakeholders including industry representative groups, consumer representative groups, External Dispute Resolution (EDR) schemes, the Attorney-General’s Department, ASIC, and ARCA members about its variation. Stakeholders were given an opportunity to comment on the draft variation published on the ARCA website from 30 January 2019 to 28 February 2019. During the review of the CR Code between 20 September 2017 and 17 October 2017, PwC also consulted stakeholders.

·         On 24 May 2019, the OAIC published the variation application on its website. The OAIC, through ARCA, advised relevant stakeholders that the variation application had been published and also specifically notified the Financial Rights Legal Centre and the Attorney-General’s Department of the variation application.

·         The OAIC subsequently received submissions directly from the Financial Rights Legal Centre, and credit reporting bodies Equifax, Experian and illion writing jointly.

The information submitted to the OAIC by ARCA on 18 April 2019 in support of its application included correspondence showing that ARCA members that will be bound by the CR Code V2.1 were notified about the public consultation. Further, ARCA provided the OAIC with copies of the consultation material, detailing their consultation with relevant stakeholders, and submissions that they had received as part of the consultation process. ARCA detailed their response to concerns raised in the application for variation.

The Commissioner is satisfied, for the reasons set out above, that the consultation process undertaken by ARCA adequately addresses the statutory criteria required by section 26T of the Privacy Act and section 17 of the Legislation Act 2003.

The Office of Best Practice Regulation (OBPR) was consulted and advised that a Regulation Impact Statement is not required. The OBPR reference is ID: 23885.

The CR Code V2.1 commences on 14 February 2020.

The CR Code V2.1 is a legislative instrument for the purposes of the Legislation Act 2003.

 

Authority: Section 26T
Privacy Act 1988

 


 

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

 

Privacy (Credit Reporting) Code 2014 (Version 2.1)

This legislative instrument is compatible with the human rights and freedoms recognised or declared in international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Legislative Instrument

The Privacy (Credit Reporting) Code 2014 (Version 2.1) (CR Code V2.1) is a binding written code of practice about credit reporting. The purpose of the CR Code V2.1 is to supplement the provisions of Part IIIA of the Privacy Act 1988 (Privacy Act) and the Privacy Regulation 2013.

The CR Code V2.1 repeals and replaces the Privacy (Credit Reporting) Code 2014 (Version 2) (the Previous Code) to clarify obligations under the Previous Code, reflect current industry practice and ensure consistency with the provisions in the Privacy Act.

The CR Code V2.1 differs from the Previous Code by:

·         altering the definition of ‘the day on which the consumer credit is entered into’ under paragraph 6.2(a) to ensure consistent practice across industry

·         ensuring that the assessment of repayment history information about an individual under paragraphs 8.1 – 8.2 must take account of any payments made by an individual during the relevant month

·         altering the code for reporting repayment history information under paragraph 8.2(c)(ii) where a payment is 180 days or more overdue

·         amending paragraphs 10.1 and 12.2 to clarify that new arrangement information should be disclosed in accordance with the Privacy Act and not the CR Code V2.1

·         clarifying that a credit reporting body can only collect publicly available information under paragraph 11.2 if the information is about activities conducted in Australia or its external territories that relate to an individual’s creditworthiness

·         introducing an obligation on credit reporting bodies under paragraph 17.1 to notify an individual’s ban period request (or extension of ban period) to other credit reporting bodies where requested by that individual

·         clarifying that a pre-ticked consent box does not constitute opting into direct marketing under paragraph 19.4 when individuals access free credit reports

·         clarifying the timeframes for credit reporting bodies to respond to correction requests under paragraphs 20.2 and 20.4

·         updating paragraph 21 to refer to the most recent International Organisation for Standardization (ISO) standards for complaint handling

·         requiring an ongoing review of the CR Code every four years under paragraph 24.3.

Human rights implications

The CR Code V2.1 engages Article 17 of the International Covenant on Civil and Political Rights (ICCPR). Article 17 provides that no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation, and that everyone has the right to the protection of the law against such interference or attacks.

The CR Code V2.1 has no implication for the prohibition against arbitrary interference with privacy because the variations from the Previous Code are technical in nature, do not reduce the privacy protections afforded to individuals by the Previous Code and maintain the privacy protections set out in the Privacy Act.

The CR Code V2.1 supplements and strengthens the provisions in the Previous Code through the introduction of additional, privacy enhancing requirements for the handling of credit information by the entities that it binds.

Conclusion

The CR Code V2.1 engages the right to privacy. It is compatible with human rights because it promotes the protection of privacy.

 

Angelene Falk
Australian Information Commissioner
Office of the Australian Information Commissioner