EXPLANATORY STATEMENT
Issued by the Authority of the Australian Information Commissioner
Privacy Act 1988
Privacy (Credit Reporting) Code 2014 (Version 2.2)
This explanatory statement relates to the Privacy (Credit Reporting) Code 2014 (Version 2.2) (the CR Code V2.2), which replaces the Privacy (Credit Reporting) Code 2014 (Version 2.1) (the Previous Code) varied under subsection 26T(5) of the Privacy Act 1988 (Privacy Act).
The CR Code V2.2 repeals and replaces the Previous Code to implement provisions relating to accessing credit information introduced under the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and other Measurements) Bill 2019 (amending Bill), in Schedule 2, Part 3 which commenced on 17 February 2021.
The Explanatory Memorandum to the amending Bill notes at paragraph 2.18 that variations to the CR Code will be progressed by the OAIC and industry, to provide detailed guidance on the implementation of new credit reporting obligations. Further, section 26N(2) of the Privacy Act requires the CR Code to make provision for, or in relation to, matters required or permitted by Part IIIA of the Privacy Act.
This explanatory statement supports the introduction of, and amendment to, the following paragraphs of the CR Code:
· Amendments to paragraphs 1.1, 19.2, 19.3, 19.4, 20.1, 20.3, 21.2 and 21.4
· Introduction of paragraphs 2.3, 2.4, 19.7
Version 2.2 of the CR Code maintains all of the substantive provisions outlining the rights and obligations of organisations and individuals that were included in Version 2.1 of the CR Code.
Version 2.2 of the CR Code outlines the purpose and effect of each paragraph in the blue rows of the table that is the CR Code. This outline constitutes a high-level summary explanation of the provisions of Part IIIA of the Privacy Act that provide the context for the CR code obligations and requirements.
There are also ‘notes’ included in relation to certain provisions of the CR Code to aid in the interpretation of particular concepts and their application.
Authority for registration of the CR Code V2.2
Subsection 26T(1) of the Privacy Act enables the Australian Information Commissioner (Commissioner) to approve a variation of the registered CR Code. Subsection 26T(5) of the Privacy Act requires the Commissioner to register the CR Code, as varied, on the Codes Register kept by the Commissioner in accordance with section 26U of the Privacy Act. Section 26M of the Privacy Act provides that the CR Code, as varied, is a legislative instrument once included on the Codes Register.
On 6 September 2021, the Code developer, the Australian Retail Credit Association (ARCA), submitted an application to the Commissioner to vary version 2.1 of the Privacy (Credit Reporting) Code 2014 (the CR Code) in accordance with section 26T of the Privacy Act. The application was published on the Office of the Australian Information Commissioner (OAIC) website.
The application followed consultation conducted by ARCA between 5 July 2021 and August 2021 and is intended to implement the access provisions and other minor amendments introduced under the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and other Measurements) Bill 2019 which came into effect in February 2021.
The Commissioner conducted her own consultation in relation to this variation application between 13 September and 13 October 2021. The OAIC also engaged with key stakeholders during November and December 2021. On 18 February 2022, ARCA submitted an amended application to vary the CR Code following further consultation with key stakeholders and engagement with the OAIC. This application included further amendments to clarify meaning in the changes to the CR Code and improve readability. The amended application was published on the OAIC’s website.
Having regard to subsection 26T(3) of the Privacy Act and the OAIC’s Guidelines for developing codes, the Commissioner approved the variation to Version 2.1 of the CR Code on 10 March 2022.
The CR Code V2.2 will be included on the Codes Register from 22 April 2022 and the Previous Code will be removed at the same time. Upon its inclusion on the Codes Register, CR Code V2.2 will become the registered CR Code.
Purpose and operation of the CR Code
A Credit Reporting Code (a CR Code), defined by section 26N of the Privacy Act, is a written code of practice about credit reporting. The CR Code is included on the Codes Register by the Commissioner under section 26U of the Privacy Act and is called the ‘registered CR code’.
The Codes Register is available on the OAIC website. Subsection 26S(4) of the Privacy Act requires the Commissioner to ensure that there is one, and only one, registered CR Code at all times. The purpose of the registered CR Code is to supplement the provisions of Part IIIA of the Privacy Act and the Privacy Regulation 2013.
Under section 26N of the Privacy Act, a CR Code must perform the following functions:
· set out how one or more of the credit reporting provisions in Part IIIA of the Privacy Act are to be applied or complied with (s 26N(2)(a))
· make provision for, or in relation to, matters required or permitted by Part IIIA to be provided for by the registered CR code (s 26N(2)(b))
· bind all credit reporting bodies (s 26N(2)(c))
· specify the credit providers that are bound by the CR code, or a way of determining which credit providers are bound (s 26N(2)(d))
· specify any other entities subject to Part IIIA of the Privacy Act that are bound by the CR code, or a way of determining which of those entities are bound (s 26N(2)(e)).
In addition, a CR code may perform the following functions:
· impose additional requirements that are not contrary to, or inconsistent with the requirements of Part IIIA of the Privacy Act (s 26N(3)(a))
· deal with the internal handling of complaints (s 26N(3)(b))
· provide for the reporting to the Commissioner about complaints (s 26N(3)(c))
· deal with any other relevant matters (s 26N(3)(d)).
The Amending Bill introduced provisions which came into effect the day after Royal Assent. These amendments to the Privacy Act cause an independent review to be undertaken of Part IIIA of the Privacy Act, place additional security requirements on the storage of credit information, reduce regulatory burden on business and allow more credit providers to participate in the credit reporting system.
As noted above, the Explanatory Memorandum to the Amending Bill stated that variation to the CR Code would be required to provide detailed guidance on the implementation of these new provisions. In line with this, the CR Code V2.2 differs from the Previous Code by:
· Amending paragraph 1.1, and introducing paragraphs 2.3 and 2.4 to clarify that the CR Code does not bind ‘non-participating credit providers’ as defined in s 6(1) of the Privacy Act. These changes reflect amendments to ss 21U(5) and 21V(7) of the Privacy Act.
· Amending paragraph 19.2 and 19.3(a)(iii) of the CR Code to reflect the change to s 20R of the Privacy Act under which the credit reporting body must give free access to the individual to the credit reporting information held by the credit reporting body every 3 months (instead of every 12 months).
· Amending paragraph 19.3 and 19.4 to reflect the requirement to also give the access seeker the credit rating under amendment to s 20R of the Privacy Act.
· Introducing paragraph 19.7(a) to clarify the meaning of a credit rating used in s 20R of the Privacy Act. This paragraph states that the credit rating provided with an individual’s credit report should be the one that includes the broadest range of information available to the credit reporting body. Paragraph 19.7(a)(ii) is also intended to recognise that an individual can receive free access to a rating every 3 months.
· Introducing paragraph 19.7(b) to note that if a credit reporting body refers an individual to a third party to give access to the individual’s credit rating or score, they must prominently state that the individual has a right to free access to their credit rating and ensure this free service is as available and easy to identify. This change ensures that a consumer’s legislative right to access their credit rating free of charge is upheld.
· Introducing paragraph 19.7(c) to address amendments to s 20R(2) of the Privacy Act. This subparagraph requires that, where a credit reporting body does not hold enough credit information about an individual to derive a credit rating, the credit reporting body must explain why. They must also include an explanation of the information that the credit reporting body must hold to be able to derive the rating.
· Introducing paragraphs 19.7(d)(i) – (iv) which will: require a credit reporting body to provide a basic explanation of the purpose of credit scores and how the credit rating given to the individual relates to those credit scores; require a credit reporting body to use at least 5 bands when giving the individual their credit rating; and require the credit reporting body to state which band the credit score for the individual sits within.
· Introducing paragraphs 19.7(d)(v) – (vi) to set out the minimum information that a credit reporting body must provide with a credit rating, clarifying its obligations under s 20R of the Privacy Act.
· Updating paragraphs 20.1, 20.3, 21.2 and 21.4 to recognise that a credit provider may be ‘subject to’ a recognised external dispute resolution scheme in accordance with amendments to ss 20 and 21 of the Privacy Act.
Reasons for decision to approve variations to the Previous Code and register the CR Code V2.2
In deciding to approve the CR Code V2.2, the Commissioner has had regard to subsections 26T(3) and 26T(4) of the Privacy Act and the OAIC’s Guidelines for developing codes.
The Commissioner also had regard to the access provisions and other minor amendments introduced under the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and other Measurements) Bill 2019, which came into effect on 17 February 2021.
In making the decision, the Commissioner considered that:
· The requirement set out in paragraph 26T(3)(a) of the Privacy Act had been met as ARCA’s original application documentation was published on the OAIC’s website on 13 September 2021 and the amended application was published on 22 February 2022.
· The requirements set out in paragraph 26T(3)(b) of the Privacy Act, the Guidelines for developing codes and s 17 of the Legislation Act 2003 have been met as sufficient consultation has taken place; noting that ARCA consulted with stakeholders including industry representative groups, consumer representative groups, external dispute resolution (EDR) schemes, the Attorney-General’s Department, the Australian Securities and Investments Commission (ASIC) and ARCA members about its application between 5 July – 11 August 2021.
· The requirement set out in paragraph 26T(3)(c) of the Privacy Act has been met as the OAIC conducted its own public consultation between 13 September – 13 October 2021 and the public had an opportunity to comment on the draft changes to the CR Code. The OAIC also conducted targeted consultation throughout November and December 2021.
· The list of matters set out in the Guidelines for developing codes for deciding whether to approve a variation to a CR Code has been addressed.
Documents incorporated by reference
Existing paragraph 21.1 of the CR Code V2.2 incorporates into the law by reference ISO 10002:2018(E) Quality management - Customer satisfaction - Guidelines for complaints handling in organisations, in the form in which it exists on 14 February 2020 and not in the form in which it may exist from time to time.
Section 26M and subsection 26T(5) of the Privacy Act provide the authority, consistent with section 14 of the Legislation Act 2003, to incorporate ISO 10002:2018 into the law by reference.
The incorporated document is available for inspection, upon request, at: Office of the Australian Information Commissioner (NSW Office), 175 Pitt St, Sydney. Phone: 1300 363 992. It is also available at the National Library of Australia and at a number of public libraries, such as the State Libraries of New South Wales and Victoria. It is available for a fee by visiting the SAI Global web shop at www.saiglobal.com.
Consultation
Consistent with the requirements of section 17 of the Legislation Act 2003, the Commissioner has considered the consultation process undertaken by ARCA as the code developer.
Subsection 26T(3) of the Privacy Act requires that, before deciding whether to approve a variation of the registered CR Code, the Commissioner must:
· make a draft of the variation publicly available (s 26T(3)(a))
· consult any person the Commissioner considers appropriate about the variation (s 26T(3)(b))
· consider the extent to which members of the public have been given an opportunity to comment on the variation (s 26T(3)(c)).
The Commissioner has also considered the relevant matters set out in the Appendix of the OAIC’s Guidelines for developing codes under subsection 26T(4) in relation to variation of a registered code.
Changes made to the CR Code V2.2 were made having regard to the following:
· The CR Code amendments address legislative amendments to the Privacy Act under the amending Bill which were subject to extensive consultation with relevant stakeholders.
· From 1 February – 1 July 2021, ARCA conducted early engagement with stakeholders, including industry representative groups, consumer representative groups, External Dispute Resolution (EDR) schemes, and ARCA members, to seek input on the key issues to be included in a draft variation for public consultation.
· From 5 July – 11 August 2021, in preparation for its variation application, ARCA conducted public consultation with stakeholders including industry representative groups, consumer representative groups, External Dispute Resolution (EDR) schemes, the Attorney General’s Department, ASIC, and ARCA members about its variation. Stakeholders were given an opportunity to comment on the draft variation published on the ARCA website from 5 July – 11 August 2021.
· On 6 September 2021, ARCA submitted its application to vary the CR Code to the OAIC and on 13 September 2021, the OAIC published the variation application on its website. The OAIC provided the public until 13 October 2021 to comment on the application. The OAIC advised relevant stakeholders that the variation application had been published and specifically notified the Attorney General’s Department, the Treasury, Financial Rights Legal Centre, the Australian Banking Association (ABA), IDCARE, Legal Aid Queensland and the Australian Securities and Investments Commission (ASIC) of the application.
· The OAIC subsequently received submissions directly from the Financial Rights Legal Centre, Legal Aid Queensland and the Australian Banking Association.
· Through December and January 2022, the OAIC engaged in further consultation with key stakeholders and discussions with ARCA. Following these discussions, ARCA submitted an amended variation application to the OAIC on 18 February 2022.
· On 22 February 2022, the OAIC published a copy of ARCA’s amended variation application on its website.
The information submitted to the OAIC by ARCA on 6 September 2021 in support of its application included correspondence showing that ARCA members that will be bound by the CR Code V2.2 were notified about the public consultation. Further, ARCA provided the OAIC with copies of the consultation material, detailing their consultation with relevant stakeholders, and submissions that they had received as part of the consultation process. ARCA detailed their response to concerns raised in the application for variation.
The Commissioner is satisfied, for the reasons set out above, that the consultation process undertaken by ARCA adequately addresses the statutory criteria required by section 26T of the Privacy Act and section 17 of the Legislation Act 2003.
The Office of Best Practice Regulation (OBPR) was consulted and advised that a Regulation Impact Statement is not required. The OBPR reference is ID: 44598.
The CR Code V2.2 commences on 22 April 2022.
The CR Code V2.2 is a legislative instrument for the purposes of the Legislation Act 2003.
Authority: Section 26T
Privacy Act 1988
Statement of Compatibility with Human Rights
Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011
Privacy (Credit Reporting) Code 2014 (Version 2.2)
This legislative instrument is compatible with the human rights and freedoms recognised or declared in international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.
Overview of the Legislative Instrument
The Privacy (Credit Reporting) Code 2014 (Version 2.2) (CR Code V2.2) is a binding written code of practice about credit reporting. The purpose of the CR Code V2.2 is to supplement the provisions of Part IIIA of the Privacy Act 1988 (Privacy Act) and the Privacy Regulation 2013.
The CR Code V2.2 repeals and replaces the Privacy (Credit Reporting) Code 2014 (Version 2.1) (the Previous Code) to implement provisions relating to accessing credit information introduced under the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and other Measurements) Bill 2019 (amending Bill), which came into effect on 17 February 2021.
The CR Code V2.2 differs from the Previous Code by:
· Amending paragraph 1.1, and introducing paragraphs 2.3 and 2.4 to clarify that the CR Code does not bind ‘non-participating credit providers’ as defined in s 6(1) of the Privacy Act. These changes reflect amendments to ss 21U(5) and 21V(7) of the Privacy Act.
· Amending paragraph 19.2 and 19.3(a)(iii) of the CR Code to reflect the change to s 20R of the Privacy Act under which the credit reporting body must give free access to the individual to the credit reporting information held by the credit reporting body every 3 months (instead of every 12 months).
· Amending paragraph 19.3 and 19.4 to reflect the requirement to also give the access seeker the credit rating under amendment to s 20R of the Privacy Act.
· Introducing paragraph 19.7(a) to clarify the meaning of a credit rating used in s 20R of the Privacy Act. This paragraph states that the credit rating provided with an individual’s credit report should be the one that includes the broadest range of information available to the credit reporting body. Paragraph 19.7(a)(ii) is also intended to recognise that an individual can receive free access to a rating every 3 months.
· Introducing paragraph 19.7(b) to note that if a credit reporting body refers an individual to a third party to give access to the individual’s credit rating or score, they must prominently state that the individual has a right to free access to their credit rating and ensure this free service is as available and easy to identify. This change ensures that a consumer’s legislative right to access their credit rating free of charge is upheld.
· Introducing paragraph 19.7(c) to address amendments to s 20R(2) of the Privacy Act. This subparagraph requires that, where a credit reporting body does not hold enough credit information about an individual to derive a credit rating, the credit reporting body must explain why. They must also include an explanation of the information that the credit reporting body must hold to be able to derive the rating.
· Introducing paragraphs 19.7(d)(i) – (iv) which will: require a credit reporting body to provide a basic explanation of the purpose of credit scores and how the credit rating given to the individual relates to those credit scores; require a credit reporting body to use at least 5 bands when giving the individual their credit rating; and require the credit reporting body to state which band the credit score for the individual sits within.
· Introducing paragraphs 19.7(d)(v) – (vi) to set out the minimum information that a credit reporting body must provide with a credit rating, clarifying its obligations under s 20R of the Privacy Act.
· Updating paragraphs 20.1, 20.3, 21.2 and 21.4 to recognise that a credit provider may be ‘subject to’ a recognised external dispute resolution scheme in accordance with amendments to ss 20 and 21 of the Privacy Act.
Human rights implications
The CR Code V2.2 engages Article 17 of the International Covenant on Civil and Political Rights (ICCPR). Article 17 provides that no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home, or correspondence, nor to unlawful attacks on his or her honour and reputation, and that everyone has the right to the protection of the law against such interference or attacks.
The CR Code V2.2 has negligible implication for the prohibition against arbitrary interference with privacy as it operationalises the new credit reporting obligations under the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Act 2021, which has been declared to be compatible with human rights.
The framework is intended to allow for the use and disclosure of personal information where it is directly relevant to an individual’s credit worthiness, and to provide an individual with free access to credit reporting information relevant to them. The framework also requires credit providers to provide certain explanations to individuals, including around the purpose of credit scores. Together, the Privacy Act and CR Code provide necessary safeguards that ensure credit information is only used and disclosed for certain permitted purposes, and is retained for a limited period of time. The safeguards help to ensure that the CR Code V2.2 provides a reasonable, necessary and proportionate approach to this particular handling of personal information as part of an effective credit reporting system.
The CR Code V2.2 does not reduce the privacy protections afforded to individuals by the Previous Code and maintains the privacy protections set out in the Privacy Act.
Conclusion
The CR Code V2.2 engages the right to privacy. It is compatible with human rights because it promotes the protection of privacy.
Angelene Falk
Australian Information Commissioner
Office of the Australian Information Commissioner