Privacy Awareness Week Day 5 – dealing with credit information

Credit providers should review their processes and procedures to make sure credit information is managed in line with their obligations under the Privacy Act.

Who is a credit provider?

Last year’s reforms to the Privacy Act have broadened the definition of a ‘credit provider’ to include businesses that allow clients more than seven days to pay invoices.

The definition extends beyond ‘traditional’ credit providers such as banks and other financiers. This means that virtually every business that has payment terms of more than a week are now caught as a credit provider.

What are their obligations?

Credit providers have a general obligation to take ‘reasonable steps’ to implement practices, procedures and systems to comply with their credit information handling obligations.

Credit providers must have a clearly expressed and up-to-date policy that sets out information about:

• the kinds of credit information they collect and hold;
• how credit information is collected and held;
• the purposes for which credit information is collected, held, used and disclosed;
• how an individual may access crediting information and seek the correction of such information; and
• how an individual may complain about a failure of the credit provider to comply with their obligations.

Credit providers must also take reasonable steps to ensure credit information collected, used or disclosed is accurate, up-to-date and complete.

Additional obligations are imposed on credit providers that disclose information to credit reporting bodies. For instance, before a credit provider collects personal information about an individual, the credit provider must notify the individual that their personal information may be disclosed to a credit reporting body. The name and contact details of the credit reporting body and any other matter specified in a credit reporting code (CR Code) must be provided.

Credit providers must also comply with prescribed limitations on disclosing credit information to credit reporting bodies. In many circumstances, credit providers must not disclose information about an individual to a credit reporting body unless the credit provider is a member of an external dispute resolution scheme.

What are the consequences of non-compliance?

Credit providers that fail to comply with their obligations can be penalised with fines of up to $1.7 million (for corporations) and $340,000 (for individuals).

How can credit providers comply with these obligations?

Credit providers should:

• update their policies and procedures;
• update their privacy statements in their credit applications, especially if conducting credit checks on sole traders and guarantors;
• seek advice on their obligations to comply with the Privacy Act and CR Code; and
• review any arrangements with credit reporting bodies and be aware of the new requirements when disclosing information to these bodies.

Privacy Awareness Week

This article is the last article in our series on handling personal information as part of Privacy Awareness Week. For more information on Privacy Awareness Week, see the Office of the Australian Information Commissioner’s website. As a partner of the Office of the Australian Information Commissioner’s privacy awareness campaign, this week Cooper Grace Ward published a series of articles relating to:

• how to ensure your privacy policy is appropriate;
• dealing with unsolicited information;
• the consequences of sending personal information overseas; and
• dealing with data breaches.

If you would like further information about how to deal with credit information, or privacy issues generally, please contact a member of our team.