Privacy and Credit Reporting

Part IIIA of the Privacy Act 1988 (Cth) and the Credit Reporting Code of Conduct regulate the conduct of credit providers and credit reporting bodies and the ways in which a consumer’s credit history may be recorded, accessed by third parties, and corrected if inaccurate. There is also some protection in Part 4 of the Fair Trading Act 1987 (SA) .

The main credit reporting bodies in Australia are Equifax, Experian Credit Report and Dun & Bradstreet. Credit reporting bodies collate data about individuals including personal and financial information which is then made available to lenders and other businesses to assess a person’s creditworthiness. A person can be refused credit on the basis of the content of their credit report.

Credit reports should not be confused with a credit score, which is a number allocated by a credit reporting body based on that organisation’s criteria.

Credit providers

Under the Act, a credit provider is a bank, or another organisation that provides credit as a substantial part of their normal course of business (for example a credit union).

A business that supplies goods or services, or is in the business of leasing goods, and provides credit for a period of at least seven days is also considered to be a credit provider under the Act.

An important protection for consumers is that in order for a credit provider to record a payment default, the credit provider must be a member of an approved external dispute resolution scheme.

The types of credit providers that are members of external dispute resolution schemes include banks and credit unions and utilities providers. Any other type of credit provider cannot record a payment default (even if they fit within the legislative definition of credit provider).

For the list of approved external dispute resolution schemes see the Office of the Information Commissioner's website.

Recording a payment default

Before recording a consumer credit payment default, the credit provider must follow the procedure set out in Part IIIA of the Privacy Act 1988 (Cth) and the Credit Reporting Code of Conduct.

The credit provider must issue two separate written notices sent to the debtor’s last known address.

The first notice is issued under section 6Q of the Privacy Act 1988 (Cth), informing the debtor of the overdue payment and requesting payment. The credit provider can only issue a notice if the debt is:

The second notice is issued under section 21D(3)(d) of the Act. The credit provider must wait at least 30 days before sending the second notice to the debtor. After a further 14 days, the credit provider can provide the information to the credit reporting body.

A credit provider is not permitted to issue any notices against a debtor or provide information about a payment default if the debtor:

Debts under $150 cannot be recorded as a payment default.

If the provision of credit relates to a business, there are few protections for debtors and the credit provider does not need to be a member of an external dispute resolution scheme.