1 Before section 6
Insert:
Division 1 -- General definitions
2 Subsection 6(1)
Insert:
"access seeker" has the meaning given by subsection 6L (1).
3 Subsection 6(1)
Insert:
"affected information recipient" means:
(a) a mortgage insurer; or
(b) a trade insurer; or
(c) a body corporate referred to in paragraph 21G (3)(b); or
(d) a person referred to in paragraph 21G (3)(c); or
(e) an entity or advise r referred to in paragraph 21N (2)(a).
4 Subsection 6(1)
Insert:
"amount of credit" has the meaning given by subsection 6M (2).
5 Subsection 6(1)
Insert:
"Bankruptcy Act" means the Bankruptcy Act 1966 .
6 Subsection 6(1)
Insert:
"ban period" has the meaning given by subsection 20K (3).
7 Subsection 6(1) (definition of commercial credit )
Repeal the definition, substitute:
"commercial credit" means credit (other than consumer credit) that is applied for by, or provided to, a person.
8 Subsection 6(1)
Insert:
"commercial credit related purpose" of a credit provider in relation to a person means the purpose of:
(a) assessing an application for commercial credit made by the person to the provider; or
(b) collecting payments that are overdue in relation to commercial credit provided by the provider to the person.
9 Subsection 6(1)
Insert:
"consumer credit" means credit:
(a) for which an application has been made by an individual to a credit provider, or that has been provided to an individual by a credit provider, in the course of the provider carrying on a business or undertaking as a credit provider; and
(b) that is intended to be used wholly or primarily:
(i) for personal, family or household purposes; or
(ii) to acquire, maintain, renovate or improve residential property for investment purposes; or
(iii) to refinance consumer credit that has been provided wholly or primarily to acquire, maintain, renovate or improve residential property for investment purposes.
10 Subsection 6(1)
Insert:
"consumer credit liability information" : if a credit provider provides consumer credit to an individual, the following information about the consumer credit is consumer credit liability information about the individual:
(a) the name of the provider;
(b) whether the provider is a licensee;
(c) the type of consumer credit;
(d) the day on which the consumer credit is entered into;
(e) the terms or conditions of the consumer credit:
(i) that relate to the repayment of the amount of credit; and
(ii) that are prescribed by the regulations;
(f) the maximum amount of credit available under the consumer credit;
(g) the day on which the consumer credit is terminated or otherwise ceases to be in force.
11 Subsection 6(1)
Insert:
"consumer credit related purpose" of a credit provider in relation to an individual means the purpose of:
(a) assessing an application for consumer credit made by the individual to the provider; or
(b) collecting payments that are overdue in relation to consumer credit provided by the provider to the individual.
12 Subsection 6(1)
Insert:
"court proceedings information" about an individual means information about a judgement of an Australian court:
(a) that is made, or given, against the individual in proceedings (other than criminal proceedings); and
(b) that relates to any credit that has been provided to, or applied for by, the individual.
13 Subsection 6(1)
Insert:
"CP derived information" about an individual means any personal information (other than sensitive information) about the individual:
(a) that is derived from credit reporting information about the individual that was disclosed to a credit provider by a credit reporting body under Division 2 of Part IIIA; and
(b) that has any bearing on the individual's credit worthiness; and
(c) that is used, has been used or could be used in establishing the individual's eligibility for consumer credit.
14 Subsection 6(1)
Insert:
"CRB derived information" about an individual means any personal information (other than sensitive information) about the individual:
(a) that is derived by a credit reporting body from credit information about the individual that is held by the body; and
(b) that has any bearing on the individual's credit worthiness; and
(c) that is used, has been used or could be used in establishing the individual's eligibility for consumer credit.
15 Subsection 6(1) (definition of credit )
Repeal the definition, substitute:
"credit" has the meaning given by subsections 6M (1) and (3).
16 Subsection 6(1) (definition of credit card )
Omit "loans" (wherever occurring), substitute "credit".
17 Subsection 6(1)
Insert:
"credit eligibility information" about an individual means:
(a) credit reporting information about the individual that was disclosed to a credit provider by a credit reporting body under Division 2 of Part IIIA; or
(b) CP derived information about the individual.
18 Subsection 6(1) (definition of credit enhancement )
Omit "a loan", substitute "credit".
19 Subsection 6(1) ( paragraphs ( a) and (b) of the definition of credit enhancement )
Omit "the loan", substitute "the credit".
20 Subsection 6(1)
Insert:
"credit guarantee purpose" of a credit provider in relation to an individual means the purpose of assessing whether to accept the individual as a guarantor in relation to:
(a) credit provided by the provider to a person other than the individual; or
(b) credit for which an application has been made to the provider by a person other than the individual.
21 Subsection 6(1)
Insert:
"credit information" has the meaning given by section 6N .
22 Subsection 6(1) (definition of credit information file )
Repeal the definition.
23 Subsection 6(1) (definition of credit provider )
Omit "section 11B", substitute "sections 6G to 6K ".
24 Subsection 6(1) (definition of credit report )
Repeal the definition.
25 Subsection 6(1) (definition of credit reporting agency )
Repeal the definition.
26 Subsection 6(1)
Insert:
"credit reporting body" means:
(a) an organisation; or
(b) an agency prescribed by the regulations;
that carries on a credit reporting business.
27 Subsection 6(1) (definition of credit reporting business )
Repeal the definition, substitute:
"credit reporting business" has the meaning given by section 6P .
28 Subsection 6(1)
Insert:
"credit reporting information" about an individual means credit information, or CRB derived information, about the individual.
29 Subsection 6(1)
Insert:
"credit worthiness" of an individual means the individual's:
(a) eligibility to be provided with consumer credit; or
(b) history in relation to consumer credit; or
(c) capacity to repay an amount of credit that relates to consumer credit.
30 Subsection 6(1) (definition of current credit provider)
Repeal the definition.
31 Subsection 6(1)
Insert:
"default information" has the meaning given by section 6Q .
32 Subsection 6(1) (definition of eligible communications service)
Repeal the definition.
33 Subsection 6(1) (definition of guarantee)
Repeal the definition, substitute:
"guarantee" includes an indemnity given against the default of a person in making a payment in relation to credit that has been applied for by, or provided to, the person.
34 Subsection 6(1)
Insert:
"identification information" about an individual means:
(a) the individual's full name; or
(b) an alias or previous name of the individual; or
(c) the individual's date of birth; or
(d) the individual's sex; or
(e) the individual's current or last known address, and 2 previous addresses (if any); or
(f) the name of the individual's current or last known employer; or
(g) if the individual holds a driver's licence--the individual's driver's licence number.
35 Subsection 6(1)
Insert:
"information request" has the meaning given by section 6R .
36 Subsection 6(1)
Insert:
"interested party" has the meaning given by subsections 20T (3) and 21V (3).
37 Subsection 6(1)
Insert:
"licensee" has the meaning given by the National Consumer Credit Protection Act 2009 .
38 Subsection 6(1) (definition of loan)
Repeal the definition.
39 Subsection 6(1)
Insert:
"managing credit" does not include the act of collecting overdue payments in relation to credit.
40 Subsection 6(1) (definition of mortgage credit )
Repeal the definition, substitute:
"mortgage credit" means consumer credit:
(a) that is provided in connection with the acquisition, maintenance, renovation or improvement of real property; and
(b) in relation to which the real property is security.
41 Subsection 6(1)
Insert:
"mortgage insurance purpose" of a mortgage insurer in relation to an individual is the purpose of assessing:
(a) whether to provide insurance to, or the risk of providing insurance to, a credit provider in relation to mortgage credit:
(i) provided by the provider to the individual; or
(ii) for which an application to the provider has been made by the individual; or
(b) the risk of the individual defaulting on mortgage credit in relation to which the insurer has provided insurance to a credit provider; or
(c) the risk of the individual being unable to meet a liability that might arise under a guarantee provided, or proposed to be provided, in relation to mortgage credit provided by a credit provider to another person.
42 Subsection 6(1) (definition of mortgage insurer )
Repeal the definition, substitute:
"mortgage insurer" means an organisation, or small business operator, that carries on a business or undertaking that involves providing insurance to credit providers in relation to mortgage credit provided by providers to other persons.
43 Subsection 6(1)
Insert:
"National Personal Insolvency Index" has the meaning given by the Bankruptcy Act.
44 Subsection 6(1)
Insert:
"new arrangement information" has the meaning given by section 6S .
45 Subsection 6(1)
Insert:
"payment information" has the meaning given by section 6T .
46 Subsection 6(1)
Insert:
"penalty unit" has the meaning given by section 4AA of the Crimes Act 1914 .
47 Subsection 6(1)
Insert:
"pending correction request" in relation to credit information or CRB derived information means:
(a) a request made under subsection 20T (1) in relation to the information if a notice has not been given under subsection 20U (2) or (3) in relation to the request; or
(b) a request made under subsection 21V (1) in relation to the information if:
(i) the credit reporting body referred to in subsection 20V (3) has been consulted about the request under subsection 21V (3); and
(ii) a notice has not been given under subsection 21W (2) or (3) in relation to the request.
48 Subsection 6(1)
Insert:
"pending dispute" in relation to credit information or CRB derived information means:
(a) a complaint made under section 23A that relates to the information if a decision about the complaint has not been made under subsection 23B (4); or
(b) a matter that relates to the information and that is still being dealt with by a recognised external dispute resolution scheme; or
(c) a complaint made to the Commissioner under Part V that relates to the information and that is still being dealt with.
49 Subsection 6(1)
Insert:
"permitted CP disclosure" has the meaning given by sections 21J to 21N .
50 Subsection 6(1)
Insert:
"permitted CP use" has the meaning given by section 21H .
51 Subsection 6(1)
Insert:
"permitted CRB disclosure" has the meaning given by section 20F .
52 Subsection 6(1)
Insert:
"personal insolvency information" has the meaning given by section 6U .
53 Subsection 6(1)
Insert:
"pre-screening assessment" means an assessment made under paragraph 20G (2)(d).
54 Subsection 6(1)
Insert:
"purchase" , in relation to credit, includes the purchase of rights to receive payments relating to the credit.
55 Subsection 6(1)
Insert:
"regulated information" of an affected information recipient means:
(a) if the recipient is a mortgage insurer or trade insurer--personal information disclosed to the recipient under Division 2 or 3 of Part IIIA; or
(b) if the recipient is a body corporate referred to in paragraph 21G (3)(b)--credit eligibility information disclosed to the recipient under that paragraph; or
(c) if the recipient is a person referred to in paragraph 21G (3)(c)--credit eligibility information disclosed to the recipient under that paragraph; or
(d) if the recipient is an entity or advise r referred to in paragraph 21N (2)(a)--credit eligibility information disclosed to the recipient under subsection 21N (2).
56 Subsection 6(1)
Insert:
"repayment history information" has the meaning given by subsection 6V (1).
57 Subsection 6(1)
Insert:
"residential property" has the meaning given by section 204 of the National Credit Code (within the meaning of the National Consumer Credit Protection Act 2009 ).
58 Subsection 6(1)
Insert:
"respondent" for a complaint made under section 23A means the credit reporting body or credit provider to which the complaint is made.
59 Subsection 6(1)
Insert:
"retention period" has the meaning given by sections 20W and 20X .
60 Subsection 6(1) ( subparagraphs ( a)(i) and (ii) of the definition of securitisation arrangement )
Repeal the subparagraphs, substitute:
(i) credit that has been, or is to be, provided by a credit provider; or
(ii) the purchase of credit by a credit provider;
61 Subsection 6(1) ( paragraph ( b) of the definition of securitisation arrangement )
Omit "loans", substitute "credit".
62 Subsection 6(1)
Insert:
"securitisation related purpose" of a credit provider in relation to an individual is the purpose of:
(a) assessing the risk in purchasing, by means of a securitisation arrangement, credit that has been provided to, or applied for by:
(i) the individual; or
(ii) a person for whom the individual is, or is proposing to be, a guarantor; or
(b) assessing the risk in undertaking credit enhancement in relation to credit:
(i) that is, or is proposed to be, purchased or funded by means of a securitisation arrangement; and
(ii) that has been provided to, or applied for by, the individual or a person for whom the individual is, or is proposing to be, a guarantor.
63 Subsection 6(1) (definition of serious credit infringement )
Repeal the definition, substitute:
"serious credit infringement" means:
(a) an act done by an individual that involves fraudulently obtaining consumer credit, or attempting fraudulently to obtain consumer credit; or
(b) an act done by an individual that involves fraudulently evading the individual's obligations in relation to consumer credit, or attempting fraudulently to evade those obligations; or
(c) an act done by an individual if:
(i) a reasonable person would consider that the act indicates an intention, on the part of the individual, to no longer comply with the individual's obligations in relation to consumer credit provided by a credit provider; and
(ii) the provider has, after taking such steps as are reasonable in the circumstances, been unable to contact the individual about the act; and
(iii) at least 6 months have passed since the provider last had contact with the individual.
64 Subsection 6(1)
Insert:
"trade insurance purpose" of a trade insurer in relation to an individual is the purpose of assessing:
(a) whether to provide insurance to, or the risk of providing insurance to, a credit provider in relation to commercial credit provided by the provider to the individual or another person; or
(b) the risk of a person defaulting on commercial credit in relation to which the insurer has provided insurance to a credit provider.
65 Subsection 6(1) (definition of trade insurer )
Repeal the definition, substitute:
"trade insurer" means an organisation, or small business operator, that carries on a business or undertaking that involves providing insurance to credit providers in relation to commercial credit provided by providers to other persons.
66 Subsections 6(5A) to (5D)
Repeal the subsections.
67 Subsection 6(10)
Omit " credit ", substitute " consumer credit ".
68 At the end of subsection 6D(4)
Add:
; or (f) is a credit reporting body.
69 After section 6F
Insert:
Division 2 -- Key definitions relating to credit reporting
Subdivision A -- Credit provider
General
(1) Each of the following is a credit provider :
(a) a bank;
(b) an organisation or small business operator if:
(i) the organisation or operator carries on a business or undertaking; and
(ii) a substantial part of the business or undertaking is the provision of credit;
(c) an organisation or small business operator:
(i) that carries on a retail business; and
(ii) that, in the course of the business, issues credit cards to individuals in connection with the sale of goods, or the supply of services, by the organisation or operator (as the case may be);
(d) an agency, organisation or small business operator:
(i) that carries on a business or undertaking that involves providing credit; and
(ii) that is prescribed by the regulations.
Other credit providers
(2) If:
(a) an organisation or small business operator (the supplier ) carries on a business or undertaking in the course of which the supplier provides credit in connection with the sale of goods, or the supply of services, by the supplier; and
(b) the repayment, in full or in part, of the amount of credit is deferred for at least 7 days; and
(c) the supplier is not a credit provider under subsection ( 1);
then the supplier is a credit provider but only in relation to the credit.
(3) If:
(a) an organisation or small business operator (the lessor ) carries on a business or undertaking in the course of which the lessor provides credit in connection with the hiring, leasing or renting of goods; and
(b) the credit is in force for at least 7 days; and
(c) no amount, or an amount less than the value of the goods, is paid as a deposit for the return of the goods; and
(d) the lessor is not a credit provider under subsection ( 1);
then the lessor is a credit provider but only in relation to the credit.
(4) An organisation or small business operator is a credit provider if subsection 6H (1), 6J (1) or 6K (1) provides that the organisation or operator is a credit provider.
Exclusions
(5) Despite subsections ( 1) to (4) of this section, an organisation or small business operator acting in the capacity of:
(a) a real estate agent; or
(b) a general insurer (within the meaning of the Insurance Act 1973 ); or
(c) an employer of an individual;
is not a credit provider while acting in that capacity.
(6) Despite subsections ( 1) to (4) of this section, an organisation or small business operator is not a credit provider if it is included in a class of organisations or operators prescribed by the regulations.
(1) If an organisation or small business operator (the agent ) is acting as an agent of a credit provider (the principal ) in performing, on behalf of the principal, a task that is reasonably necessary:
(a) in processing an application for credit made to the principal; or
(b) in managing credit provided by the principal;
then, while the agent is so acting, the agent is a credit provider .
(2) Subsection ( 1) does not apply if the principal is an organisation or small business operator that is a credit provider because of a previous application of that subsection.
(3) If subsection ( 1) applies in relation to credit that has been provided by the principal, the credit is taken, for the purposes of this Act, to have been provided by both the principal and the agent.
(4) If subsection ( 1) applies in relation to credit for which an application has been made to the principal, the application is taken, for the purposes of this Act, to have been made to both the principal and the agent.
6J Securitisation arrangements etc.
(1) If:
(a) an organisation or small business operator (the securitisation entity ) carries on a business that is involved in either or both of the following:
(i) a securitisation arrangement;
(ii) managing credit that is the subject of a securitisation arrangement; and
(b) the securitisation entity performs a task that is reasonably necessary for:
(i) purchasing, funding or managing, or processing an application for, credit by means of a securitisation arrangement; or
(ii) undertaking credit enhancement in relation to credit; and
(c) the credit has been provided by, or is credit for which an application has been made to, a credit provider (the original credit provider );
then, while the securitisation entity performs such a task, the securitisation entity is a credit provider .
(2) Subsection ( 1) does not apply if the original credit provider is an organisation or small business operator that is a credit provider because of a previous application of that subsection.
(3) If subsection ( 1) applies in relation to credit that has been provided by the original credit provider, the credit is taken, for the purposes of this Act, to have been provided by both the original credit provider and the securitisation entity.
(4) If subsection ( 1) applies in relation to credit for which an application has been made to the original credit provider, the application is taken, for the purposes of this Act, to have been made to both the original credit provider and the securitisation entity.
6K Acquisition of the rights of a credit provider
(1) I f:
(a) an organisation or small business operator (the acquirer ) acquires, whether by assignment, subrogation or any other means, the rights of a credit provider (the original credit provider ) in relation to the repayment of an amount of credit; and
(b) the acquirer is not a credit provider under subsection 6G (1);
then the acquirer is a credit provider but only in relation to the credit.
(2) If subsection ( 1) of this section applies in relation to credit that has been provided by the original credit provider, the credit is taken, for the purposes of this Act, to have been provided by the acquirer.
(3) If subsection ( 1) of this section applies in relation to credit for which an application has been made to the original credit provider, the application is taken, for the purposes of this Act, to have been made to the acquirer.
Subdivision B -- Other definitions
(1) An access seeker in relation to credit reporting information, or credit eligibility information, about an individual is:
(a) the individual; or
(b) a person:
(i) who is assisting the individual to deal with a credit reporting body or credit provider; and
(ii) who is authorised, in writing, by the individual to make a request in relation to the information under subsection 20R (1) or 21T (1).
(2) An individual must not authorise a person under subparagraph ( 1)(b)(ii) if the person is:
(a) a credit provider; or
(b) a mortgage insurer; or
(c) a trade insurer; or
(d) a person who is prevented from being a credit provider by subsection 6G (5) or (6).
(3) Subparagraph ( 1)(b)(ii) does not apply to a person who provides the National Relay Service or a person prescribed by the regulations .
6M Meaning of credit and amount of credit
(1) Credit is a contract, arrangement or understanding under which:
(a) payment of a debt owed by one person to another person is deferred; or
(b) one person incurs a debt to another person and defers the payment of the debt.
(2) The amount of credit is the amount of the debt that is actually deferred, or that may be deferred, but does not include any fees or charges payable in connection with the deferral of the debt.
(3) Without limiting subsection ( 1), credit includes:
(a) a hire - purchase agreement; and
(b) a contract, arrangement or understanding of a kind referred to in that subsection that is for the hire, lease or rental of goods, or for the supply of services, other than a contract, arrangement or understanding under which:
(i) full payment is made before, or at the same time as, the goods or services are provided; and
(ii) in the case of goods--an amount greater than, or equal to, the value of the goods is paid as a deposit for the return of the goods.
6N Meaning of credit information
Credit information about an individual is personal information (other than sensitive information) that is:
(a) identification information about the individual; or
(b) consumer credit liability information about the individual; or
(c) repayment history information about the individual; or
(d) a statement that an information request has been made in relation to the individual by a credit provider, mortgage insurer or trade insurer; or
(e) the type of consumer credit or commercial credit, and the amount of credit, sought in an application:
(i) that has been made by the individual to a credit provider; and
(ii) in connection with which the provider has made an information request in relation to the individual; or
(f) default information about the individual; or
(g) payment information about the individual; or
(h) new arrangement information about the individual; or
(i) court proceedings information about the individual; or
(j) personal insolvency information about the individual; or
(k) publicly available information about the individual:
(i) that relates to the individual's activities in Australia or the external Territories and the individual's credit worthiness; and
(ii) that is not court proceedings information about the individual or information about the individual that is entered or recorded on the National Personal Insolvency Index; or
(l) the opinion of a credit provider that the individual has committed, in circumstances specified by the provider, a serious credit infringement in relation to consumer credit provided by the provider to the individual.
6P Meaning of credit reporting business
(1) A credit reporting business is a business or undertaking that involves collecting, holding, using or disclosing personal information about individuals for the purpose of, or for purposes including the purpose of, providing an entity with information about the credit worthiness of an individual.
(2) Subsection ( 1) applies whether or not the information about the credit worthiness of an individual is:
(a) provided for profit or reward; or
(b) provided, or intended to be provided, for the purposes of assessing an application for consumer credit.
(3) In determining whether a business or undertaking carried on by a credit provider is a credit reporting business, disregard the provision of information about the credit worthiness of an individual to a related body corporate by the provider.
(4) Despite subsection ( 1), a business or undertaking is not a credit reporting business if the business or undertaking is included in a class of businesses or undertakings prescribed by the regulations.
6Q Meaning of default information
Consumer credit defaults
(1) Default information about an individual is information about a payment (including a payment that is wholly or partly a payment of interest) that the individual is overdue in making in relation to consumer credit that has been provided by a credit provider to the individual if:
(a) the individual is at least 60 days overdue in making the payment; and
(b) the provider has given a written notice to the individual informing the individual of the overdue payment and requesting that the individual pay the amount of the overdue payment; and
(c) the provider is not prevented by a statute of limitations from recovering the amount of the overdue payment; and
(d) the amount of the overdue payment is equal to or more than:
(i) $150 ; or
(ii) such higher amount as is prescribed by the regulations.
Guarantor defaults
(2) Default information about an individual is information about a payment that the individual is overdue in making as a guarantor under a guarantee given against any default by a person (the borrower ) in repaying all or any of the debt deferred under consumer credit provided by a credit provider to the borrower if:
(a) the provider has given the individual written notice of the borrower's default that gave rise to the individual's obligation to make the overdue payment; and
(b) the notice requests that the individual pay the amount of the overdue payment; and
(c) at least 60 days have passed since the day on which the notice was given; and
(d) in addition to giving the notice, the provider has taken other steps to recover the amount of the overdue payment from the individual; and
(e) the provider is not prevented by a statute of limitations from recovering the amount of the overdue payment.
6R Meaning of information request
Credit provider
(1) A credit provider has made an information request in relation to an individual if the provider has sought information about the individual from a credit reporting body:
(a) in connection with an application for consumer credit made by the individual to the provider; or
(b) in connection with an application for commercial credit made by a person to the provider; or
(c) for a credit guarantee purpose of the provider in relation to the individual; or
(d) for a securitisation related purpose of the provider in relation to the individual.
Mortgage insurer
(2) A mortgage insurer has made an information request in relation to an individual if:
(a) the insurer has sought information about the individual from a credit reporting body; and
(b) the information was sought in connection with the provision of insurance to a credit provider in relation to mortgage credit provided by the provider to:
(i) the individual; or
(ii) a person for whom the individual is, or is proposing to be, a guarantor.
Trade insurer
(3) A trade insurer has made an information request in relation to an individual if:
(a) the insurer has sought information about the individual from a credit reporting body; and
(b) the information was sought in connection with the provision of insurance to a credit provider in relation to commercial credit provided by the provider to the individual or another person.
6S Meaning of new arrangement information
Consumer credit defaults
(1) If:
(a) a credit provider has disclosed default information about an individual to a credit reporting body; and
(b) the default information relates to a payment that the individual is overdue in making in relation to consumer credit (the original consumer credit ) that has been provided by the provider to the individual; and
(c) because of the individual being so overdue:
(i) the terms or conditions of the original consumer credit that relate to the repayment of the amount of credit are varied; or
(ii) the individual is provided with other consumer credit (the new consumer credit ) by a credit provider that relates, wholly or in part, to that amount of credit;
then new arrangement information about the individual is a statement that those terms or conditions of the original consumer credit have been varied, or that the individual has been provided with the new consumer credit.
Serious credit infringements
(2) If:
(a) a credit provider is of the opinion that an individual has committed a serious credit infringement in relation to consumer credit (the original consumer credit ) provided by the provider to the individual; and
(b) the provider has disclosed the opinion to a credit reporting body; and
(c) because of the provider having that opinion:
(i) the terms or conditions of the original consumer credit that relate to the repayment of the amount of credit are varied; or
(ii) the individual is provided with other consumer credit (the new consumer credit ) by a credit provider that relates, wholly or in part, to that amount of credit;
then new arrangement information about the individual is a statement that those terms or conditions of the original consumer credit have been varied, or that the individual has been provided with the new consumer credit.
6T Meaning of payment information
If:
(a) a credit provider has disclosed default information about an individual to a credit reporting body; and
(b) on a day after the default information was disclosed, the amount of the overdue payment to which the information relates is paid;
then payment information about the individual is a statement that the amount of the overdue payment has been paid on that day.
6U Meaning of personal insolvency information
(1) Personal insolvency information about an individual is information:
(a) that is entered or recorded in the National Personal Insolvency Index; and
(b) that relates to:
(i) a bankruptcy of the individual; or
(ii) a debt agreement proposal given by the individual; or
(iii) a debt agreement made by the individual; or
(iv) a personal insolvency agreement executed by the individual; or
(v) a direction given, or an order made, under section 50 of the Bankruptcy Act that relates to the property of the individual; or
(vi) an authority signed under section 188 of that Act that relates to the property of the individual.
(2) Despite subparagraph ( 1)(b)(i), personal insolvency information about an individual must not relate to:
(a) the presentation of a creditor's petition against the individual; or
(b) an administration under Part XI of the Bankruptcy Act of the individual's estate.
(3) An expression used in paragraph ( 1)(b) or (2)(a) that is also used in the Bankruptcy Act has the same meaning in that paragraph as it has in that Act.
6V Meaning of repayment history information
(1) If a credit provider provides consumer credit to an individual, the following information about the consumer credit is repayment history information about the individual:
(a) whether or not the individual has met an obligation to make a monthly payment that is due and payable in relation to the consumer credit;
(b) the day on which the monthly payment is due and payable;
(c) if the individual makes the monthly payment after the day on which the payment is due and payable--the day on which the individual makes that payment.
(2) The regulations may make provision in relation to:
(a) whether or not an individual has met an obligation to make a monthly payment that is due and payable in relation to consumer credit; and
(b) whether or not a payment is a monthly payment.
70 Paragraphs 7(1)(a) and 8(1)(a)
Omit "credit reporting agency" (wherever occurring), substitute "credit reporting body".
71 Sections 11A and 11B
Repeal the sections.
72 Part IIIA
Repeal the Part, substitute:
In general, this Part deals with the privacy of information relating to credit reporting.
Divisions 2 and 3 contain rules that apply to credit reporting bodies and credit providers in relation to their handling of information relating to credit reporting.
Division 4 contains rules that apply to affected information recipients in relation to their handling of their regulated information.
Division 5 deals with complaints to credit reporting bodies or credit providers about acts or practices that may be a breach of certain provisions of this Part or the registered CR code.
Division 6 deals with entities that obtain credit reporting information or credit eligibility information by false pretence, or when they are not authorised to do so under this Part.
Division 7 provides for compensation orders, and other orders, to be made by the Federal Court or Federal Magistrates Court.
Division 2 -- Credit reporting bodies
Subdivision A -- Introduction and application of this Division etc.
This Division sets out rules that apply to credit reporting bodies in relation to their handling of the following:
(a) credit reporting information;
(b) CP derived information;
(c) credit reporting information that is de - identified;
(d) a pre - screening assessment.
The rules apply in relation to that kind of information or assessment instead of the Australian Privacy Principles.
2 0A Application of this Division and the Australian Privacy Principles to credit reporting bodies
(1) This Division applies to a credit reporting body in relation to the following:
(a) credit reporting information;
(b) CP derived information;
(c) credit reporting information that is de - identified;
(d) a pre - screening assessment.
(2) The Australian Privacy Principles do not apply to a credit reporting body in relation to personal information that is:
(a) credit reporting information; or
(b) CP derived information; or
(c) a pre - screening assessment.
Note: The Australian Privacy Principles apply to the credit reporting body in relation to other kinds of personal information.
Subdivision B -- Consideration of information privacy
20B Open and transparent management of credit reporting information
(1) The object of this section is to ensure that credit reporting bodies manage credit reporting information in an open and transparent way.
Compliance with this Division etc.
(2) A credit reporting body must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the credit reporting business of the body that:
(a) will ensure that the body complies with this Division and the registered CR code; and
(b) will enable the body to deal with inquiries or complaints from individuals about the body's compliance with this Division or the registered CR code.
Policy about the management of credit reporting information
(3) A credit reporting body must have a clearly expressed and up - to - date policy about the management of credit reporting information by the body.
(4) Without limiting subsection ( 3), the policy of the credit reporting body must contain the following information:
(a) the kinds of credit information that the body collects and how the body collects that information;
(b) the kinds of credit reporting information that the body holds and how the body holds that information;
(c) the kinds of personal information that the body usually derives from credit information that the body holds;
(d) the purposes for which the body collects, holds, uses and discloses credit reporting information;
(e) information about the effect of section 20G (which deals with direct marketing) and how the individual may make a request under subsection ( 5) of that section;
(f) how an individual may access credit reporting information about the individual that is held by the body and seek the correction of such information;
(g) information about the effect of section 20T (which deals with individuals requesting the correction of credit information etc.);
(h) how an individual may complain about a failure of the body to comply with this Division or the registered CR code and how the body will deal with such a complaint.
Availability of policy etc.
(5) A credit reporting body must take such steps as are reasonable in the circumstances to make the policy available:
(a) free of charge; and
(b) in such form as is appropriate.
Note: A credit reporting body will usually make the policy available on the body's website.
(6) If a person or body requests a copy, in a particular form, of the policy of a credit reporting body, the credit reporting body must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.
Subdivision C -- Collection of credit information
20C Collection of solicited credit information
Prohibition on collection
(1) A credit reporting body must not collect credit information about an individual.
Civil penalty: 2,000 penalty units.
Exceptions
(2) Subsection ( 1) does not apply if the collection of the credit information is required or authorised by or under an Australian law or a court/tribunal order.
(3) Subsection ( 1) does not apply if:
(a) the credit reporting body collects the credit information about the individual from a credit provider who is permitted under section 21D to disclose the information to the body; and
(b) the body collects the information in the course of carrying on a credit reporting business; and
(c) if the information is identification information about the individual--the body also collects from the provider, or already holds, credit information of another kind about the individual.
(4) Subsection ( 1) does not apply if:
(a) the credit reporting body:
(i) collects the credit information about the individual from an entity (other than a credit provider) in the course of carrying on a credit reporting business; and
(ii) knows, or believes on reasonable grounds, that the individual is at least 18 years old; and
(b) the information does not relate to an act, omission, matter or thing that occurred or existed before the individual turned 18; and
(c) if the information relates to consumer credit or commercial credit--the credit is or has been provided, or applied for, in Australia; and
(d) if the information is identification information about the individual--the body also collects from the entity, or already holds, credit information of another kind about the individual; and
(e) if the information is repayment history information about the individual--the body collects the information from another credit reporting body that has an Australian link.
(5) Paragraph ( 4)(b) does not apply to identification information about the individual.
(6) Despite paragraph ( 4)(b), consumer credit liability information about the individual may relate to consumer credit that was entered into on a day before the individual turned 18, so long as the consumer credit was not terminated, or did not otherwise cease to be in force, on a day before the individual turned 18.
Means of collection
(7) A credit reporting body must collect credit information only by lawful and fair means.
Solicited credit information
(8) This section applies to the collection of credit information that is solicited by a credit reporting body.
20D Dealing with unsolicited credit information
(1) If:
(a) a credit reporting body receives credit information about an individual; and
(b) the body did not solicit the information;
the body must,
within a reasonable period after receiving the information, determine whether
or not the body could have collected the information under section
20C if the
body had solicited the information.
(2) The credit reporting body may use or disclose the credit information for the purposes of making the determination under subsection ( 1).
(3) If the credit
reporting body determines that it could have collected the credit information,
sections 20E to 20ZA apply in relation to the information as if the
body had collected the information under section
20C .
(4) If the credit reporting body determines that it could not have collected the credit information, the body must, as soon as practicable, destroy the information.
Civil penalty: 1,000 penalty units.
(5) Subsection ( 4) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the credit information.
Subdivision D -- Dealing with credit reporting information etc.
20E Use or disclosure of credit reporting information
Prohibition on use or disclosure
(1) If a credit reporting body holds credit reporting information about an individual, the body must not use or disclose the information.
Civil penalty: 2,000 penalty units.
Permitted uses
(2) Subsection ( 1) does not apply to the use of credit reporting information about the individual if:
(a) the credit reporting body uses the information in the course of carrying on the body's credit reporting business; or
(b) the use is required or authorised by or under an Australian law or a court/tribunal order; or
(c) the use is a use prescribed by the regulations.
Permitted disclosures
(3) Subsection ( 1) does not apply to the disclosure of credit reporting information about the individual if:
(a) the disclosure is a permitted CRB disclosure in relation to the individual; or
(b) the disclosure is to another credit reporting body that has an Australian link; or
(c) both of the following apply:
(i) the disclosure is for the purposes of a recognised external dispute resolution scheme;
(ii) a credit reporting body or credit provider is a member of the scheme; or
(d) both of the following apply:
(i) the disclosure is to an enforcement body;
(ii) the credit reporting body is satisfied that the body, or another enforcement body, believes on reasonable grounds that the individual has committed a serious credit infringement; or
(e) the disclosure is required or authorised by or under an Australian law or a court/tribunal order; or
(f) the disclosure is a disclosure prescribed by the regulations.
(4) However, if the credit reporting information is, or was derived from, repayment history information about the individual, the credit reporting body must not disclose the information under paragraph ( 3)(a) or (f) unless the recipient of the information is:
(a) a credit provider who is a licensee or is prescribed by the regulations; or
(b) a mortgage insurer.
Civil penalty: 2,000 penalty units.
(5) If a credit reporting body discloses credit reporting information under this section, the body must make a written note of that disclosure.
Civil penalty: 500 penalty units.
Note: Other Acts may provide that the note must not be made (see for example the Australian Crime Commission Act 2002 and the Law Enforcement Integrity Commissioner Act 2006 ).
No use or disclosure for the purposes of direct marketing
(6) This section does not apply to the use or disclosure of credit reporting information for the purposes of direct marketing.
Note: Section 20G deals with the use or disclosure of credit reporting information for the purposes of direct marketing.
20F Permitted CRB disclosures in relation to individuals
(1) A disclosure by a credit reporting body of credit reporting information about an individual is a permitted CRB disclosure in relation to the individual if:
(a) the disclosure is to an entity that is specified in an item of the table and that has an Australian link; and
(b) such conditions as are specified for the item are satisfied.
Permitted CRB disclosures | ||
Item | If the disclosure is to ... | the condition or conditions are ... |
1 | a credit provider | the provider requests the information for a consumer credit related purpose of the provider in relation to the individual. |
2 | a credit provider | (a) the provider requests the information for a commercial credit related purpose of the provider in relation to a person; and (b) the individual expressly consents to the disclosure of the information to the provider for that purpose. |
3 | a credit provider | (a) the provider requests the information for a credit guarantee purpose of the provider in relation to the individual; and (b) the individual expressly consents, in writing, to the disclosure of the information to the provider for that purpose. |
4 | a credit provider | the credit reporting body is satisfied that the provider, or another credit provider, believes on reasonable grounds that the individual has committed a serious credit infringement. |
5 | a credit provider | (a) the credit reporting body holds consumer credit liability information that relates to consumer credit provided by the provider to the individual; and (b) the consumer credit has not been terminated, or has not otherwise ceased to be in force. |
6 | a credit provider under subsection 6J (1) | the provider requests the information for a securitisation related purpose of the provider in relation to the individual. |
7 | a mortgage insurer | the insurer requests the information for a mortgage insurance purpose of the insurer in relation to the individual. |
8 | a trade insurer | (a) the insurer requests the information for a trade insurance purpose of the insurer in relation to the individual; and (b) the individual expressly consents, in writing, to the disclosure of the information to the insurer for that purpose. |
(2) The consent of the individual under paragraph ( b) of item 2 of the table in subsection ( 1) must be given in writing unless:
(a) the credit provider referred to in that item requests the information for the purpose of assessing an application for commercial credit made by a person to the provider; and
(b) the application has not been made in writing.
20G Use or disclosure of credit reporting information for the purposes of direct marketing
Prohibition on direct marketing
(1) If a credit reporting body holds credit reporting information about an individual, the body must not use or disclose the information for the purposes of direct marketing.
Civil penalty: 2,000 penalty units.
Permitted use for pre - screening
(2) Subsection ( 1) does not apply to the use by the credit reporting body of credit information about the individual for the purposes of direct marketing by, or on behalf of, a credit provider if:
(a) the provider has an Australian link and is a licensee; and
(b) the direct marketing is about consumer credit that the provider provides in Australia; and
(c) the information is not consumer credit liability information, or repayment history information, about the individual; and
(d) the body uses the information to assess whether or not the individual is eligible to receive the direct marketing communications of the credit provider; and
(e) the individual has not made a request under subsection ( 5); and
(f) the body complies with any requirements that are set out in the registered CR code.
(3) In assessing under paragraph ( 2)(d) whether or not the individual is eligible to receive the direct marketing communications of the credit provider, the credit reporting body must have regard to the eligibility requirements nominated by the provider.
(4) An assessment under paragraph ( 2)(d) is not credit reporting information about the individual.
Request not to use information for pre - screening
(5) An individual may request a credit reporting body that holds credit information about the individual not to use the information under subsection ( 2).
(6) If the individual makes a request under subsection ( 5), the credit reporting body must not charge the individual for the making of the request or to give effect to the request.
Written note of use
(7) If a credit reporting body uses credit information under subsection ( 2), the body must make a written note of that use.
Civil penalty: 500 penalty units.
20H Use or disclosure of pre - screening assessments
Use or disclosure by credit reporting bodies
(1) If a credit reporting body makes a pre - screening assessment in relation to direct marketing by, or on behalf of, a credit provider, the body must not use or disclose the assessment.
Civil penalty: 2,000 penalty units.
(2) Subsection ( 1) does not apply if:
(a) the credit reporting body discloses the pre - screening assessment for the purposes of the direct marketing by, or on behalf of, the credit provider; and
(b) the recipient of the assessment is an entity (other than the provider) that has an Australian link.
(3) If the credit reporting body discloses the pre - screening assessment under subsection ( 2), the body must make a written note of that disclosure.
Civil penalty: 500 penalty units.
Use or disclosure by recipients
(4) If the credit reporting body discloses the pre - screening assessment under subsection ( 2), the recipient must not use or disclose the assessment.
Civil penalty: 1,000 penalty units.
(5) Subsection ( 4) does not apply if the recipient uses the pre - screening assessment for the purposes of the direct marketing by, or on behalf of, the credit provider.
(6) If the recipient uses the pre - screening assessment under subsection ( 5), the recipient must make a written note of that use.
Civil penalty: 500 penalty units.
Interaction with the Australian Privacy Principles
(7) If the recipient is an APP entity, Australian Privacy Principles 6, 7 and 8 do not apply to the recipient in relation to a pre - screening assessment.
20J Destruction of pre - screening assessment
(1) If an entity has possession or control of a pre - screening assessment, the entity must destroy the assessment if:
(a) the entity no longer needs the assessment for any purpose for which it may be used or disclosed under section 20H ; and
(b) the entity is not required by or under an Australian law, or a court/tribunal order, to retain the assessment.
Civil penalty: 1,000 penalty units.
(2) If the entity is an APP entity but not a credit reporting body, Australian Privacy Principle 11.2 does not apply to the entity in relation to the pre - screening assessment.
20K No use or disclosure of credit reporting information during a ban period
(1) If:
(a) a credit reporting body holds credit reporting information about an individual; and
(b) the individual believes on reasonable grounds that the individual has been, or is likely to be, a victim of fraud (including identity fraud); and
(c) the individual requests the body not to use or disclose the information under this Division;
then, despite any other provision of this Division, the body must not use or disclose the information during the ban period for the information.
Civil penalty: 2,000 penalty units.
(2) Subsection ( 1) does not apply if:
(a) the individual expressly consents, in writing, to the use or disclosure of the credit reporting information under this Division; or
(b) the use or disclosure of the credit reporting information is required by or under an Australian law or a court/tribunal order.
Ban period
(3) The ban period for credit reporting information about an individual is the period that:
(a) starts when the individual makes a request under paragraph ( 1)(c); and
(b) ends:
(i) 21 days after the day on which the request is made; or
(ii) if the period is extended under subsection ( 4)--on the day after the extended period ends.
(4) If:
(a) there is a ban period for credit reporting information about an individual that is held by a credit reporting body; and
(b) before the ban period ends, the individual requests the body to extend that period; and
(c) the body believes on reasonable grounds that the individual has been, or is likely to be, a victim of fraud (including identity fraud);
the body must:
(d) extend the ban period by such period as the body considers is reasonable in the circumstances; and
(e) give the individual written notification of the extension.
Civil penalty: 1,000 penalty units.
(5) A ban period for credit reporting information may be extended more than once under subsection ( 4).
No charge for request etc.
(6) If an individual makes a request under paragraph ( 1)(c) or (4)(b), a credit reporting body must not charge the individual for the making of the request or to give effect to the request.
20L Adoption of government related identifiers
(1) If:
(a) a credit reporting body holds credit reporting information about an individual; and
(b) the information is a government related identifier of the individual;
the body must not adopt the government related identifier as its own identifier of the individual.
Civil penalty: 2,000 penalty units.
(2) Subsection ( 1) does not apply if the adoption of the government related identifier is required or authorised by or under an Australian law or a court/tribunal order.
20M Use or disclosure of credit reporting information that is de - identified
Use or disclosure
(1) If:
(a) a credit reporting body holds credit reporting information; and
(b) the information (the de - identified information ) is de - identified;
the body must not use or disclose the de - identified information.
(2) Subsection ( 1) does not apply to the use or disclosure of the de - identified information if:
(a) the use or disclosure is for the purposes of conducting research in relation to credit ; and
(b) the credit reporting body complies with the rules made under subsection ( 3).
Commissioner may make rules
(3) The Commissioner may, by legislative instrument, make rules relating to the use or disclosure by a credit reporting body of de - identified information for the purposes of conducting research in relation to credit .
(4) Without limiting subsection ( 3), the rules may relate to the following matters:
(a) the kinds of de - identified information that may or may not be used or disclosed for the purposes of conducting the research;
(b) whether or not the research is research in relation to credit ;
(c) the purposes of conducting the research;
(d) consultation about the research;
(e) how the research is conducted.
Subdivision E -- Integrity of credit reporting information
20N Quality of credit reporting information
(1) A credit reporting body must take such steps as are reasonable in the circumstances to ensure that the credit information the body collects is accurate, up - to - date and complete.
(2) A credit reporting body must take such steps as are reasonable in the circumstances to ensure that the credit reporting information the body uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up - to - date, complete and relevant.
(3) Wit h out limiting subsections ( 1) and (2), a credit reporting body must:
(a) enter into agreements with credit providers that require the providers to ensure that credit information that they disclose to the body under section 21D is accurate, up - to - date and complete; and
(b) ensure that regular audits are conducted by an independent person to determine whether those agreements are being complied with; and
(c) identify and deal with suspected breaches of those agreements.
20P False or misleading credit reporting information
Offence
(1) A credit reporting body commits an offence if:
(a) the body uses or discloses credit reporting information under this Division (other than subsections 20D (2) and 20T (4)); and
(b) the information is false or misleading in a material particular.
Penalty: 200 penalty units.
Civil penalty
(2) A credit reporting body must not use or disclose credit reporting information under this Division (other than subsections 20D (2) and 20T (4)) if the information is false or misleading in a material particular.
Civil penalty: 2,000 penalty units.
20Q Security of credit reporting information
(1) If a credit reporting body holds credit reporting information, the body must take such steps as are reasonable in the circumstances to protect the information:
(a) from misuse, interference and loss; and
(b) from unauthorised access, modification or disclosure.
(2) Without limiting subsection ( 1), a credit reporting body must:
(a) enter into agreements with credit providers that require the providers to protect credit reporting information that is disclosed to them under this Division:
(i) from misuse, interference and loss; and
(ii) from unauthorised access, modification or disclosure; and
(b) ensure that regular audits are conducted by an independent person to determine whether those agreements are being complied with; and
(c) identify and deal with suspected breaches of those agreements.
Subdivision F -- Access to, and correction of, information
20R Access to credit reporting information
Access
(1) If a credit reporting body holds credit reporting information about an individual, the body must, on request by an access seeker in relation to the information, give the access seeker access to the information.
Exceptions to access
(2) Despite subsection ( 1), the credit reporting body is not required to give the access seeker access to the credit reporting information to the extent that:
(a) giving access would be unlawful; or
(b) denying access is required or authorised by or under an Australian law or a court/tribunal order; or
(c) giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
Dealing with requests for access
(3) The credit reporting body must respond to the request within a reasonable period, but not longer than 10 days, after the request is made.
Means of access
(4) If the credit reporting body gives access to the credit reporting information, the access must be given in the manner set out in the registered CR code.
Access charges
(5) If a request under subsection ( 1) in relation to the individual has not been made to the credit reporting body in the previous 12 months, the body must not charge the access seeker for the making of the request or for giving access to the information.
(6) If subsection ( 5) does not apply, any charge by the credit reporting body for giving access to the information must not be excessive and must not apply to the making of the request.
Refusal to give access
(7) If the credit reporting body refuses to give access to the information because of subsection ( 2), the body must give the access seeker a written notice that:
(a) sets out the reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so; and
(b) states that, if the access seeker is not satisfied with the response to the request, the access seeker may:
(i) access a recognised external dispute resolution scheme of which the body is a member; or
(ii) make a complaint to the Commissioner under Part V.
20S Correction of credit reporting information
(1) If:
(a) a credit reporting body holds credit reporting information about an individual; and
(b) the body is satisfied that, having regard to a purpose for which the information is held by the body, the information is inaccurate, out - of - date, incomplete, irrelevant or misleading;
the body must take such steps (if any) as are reasonable in the circumstances to correct the information to ensure that, having regard to the purpose for which it is held, the information is accurate, up - to - date, complete, relevant and not misleading.
(2) If:
(a) the credit reporting body corrects credit reporting information under subsection ( 1); and
(b) the body has previously disclosed the information under this Division (other than subsections 20D (2) and 20T (4));
the body must, within a reasonable period, give each recipient of the information written notice of the correction.
(3) Subsection ( 2) does not apply if:
(a) it is impracticable for the credit reporting body to give the notice under that subsection; or
(b) the credit reporting body is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.
20T Individual may request the correction of credit information etc.
Request
(1) An individual may request a credit reporting body to correct personal information about the individual if:
(a) the personal information is:
(i) credit information about the individual; or
(ii) CRB derived information about the individual; or
(iii) CP derived information about the individual; and
(b) the body holds at least one kind of the personal information referred to in paragraph ( a).
Correction
(2) If the credit reporting body is satisfied that the personal information is inaccurate, out - of - date, incomplete, irrelevant or misleading, the body must take such steps (if any) as are reasonable in the circumstances to correct the information within:
(a) the period of 30 days that starts on the day on which the request is made; or
(b) such longer period as the individual has agreed to in writing.
Consultation
(3) If the credit reporting body considers that the body cannot be satisfied of the matter referred to in subsection ( 2) in relation to the personal information without consulting either or both of the following (the interested party ):
(a) another credit reporting body that holds or held the information and that has an Australian link;
(b) a credit provider that holds or held the information and that has an Australian link;
the body must consult that interested party, or those interested parties, about the individual's request.
(4) The use or disclosure of personal information about the individual for the purposes of the consultation is taken, for the purposes of this Act, to be a use or disclosure that is authorised by this subsection.
No charge
(5) The credit reporting body must not charge the individual for the making of the request or for correcting the information.
20U Notice of correction etc. must be given
(1) This section applies if an individual requests a credit reporting body to correct personal information under subsection 20T (1).
Notice of correction etc.
(2) If the credit reporting body corrects the personal information under subsection 20T (2), the body must, within a reasonable period:
(a) give the individual written notice of the correction; and
(b) if the body consulted an interested party under subsection 20T (3) about the individual's request--give the party written notice of the correction; and
(c) if the correction relates to information that the body has previously disclosed under this Division (other than subsections 20D (2) and 20T (4))--give each recipient of the information written notice of the correction.
(3) If the credit reporting body does not correct the personal information under subsection 20T (2), the body must, within a reasonable period, give the individual written notice that:
(a) states that the correction has not been made; and
(b) sets out the body's reasons for not correcting the information (including evidence substantiating the correctness of the information); and
(c) states that, if the individual is not satisfied with the response to the request, the individual may:
(i) access a recognised external dispute resolution scheme of which the body is a member; or
(ii) make a complaint to the Commissioner under Part V.
Exceptions
(4) Paragraph ( 2)(c) does not apply if it is impracticable for the credit reporting body to give the notice under that paragraph.
(5) Subsection ( 2) or (3) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.
Subdivision G -- Dealing with credit reporting information after the retention period ends etc.
20V Destruction etc. of credit reporting information after the retention period ends
(1) This section applies if:
(a) a credit reporting body holds credit information about an individual; and
(b) the retention period for the information ends.
Note: There is no retention period for identification information or credit information of a kind referred to in paragraph 6N (k).
Destruction etc. of credit information
(2) The credit reporting body must destroy the credit information, or ensure that the information is de - identified, within 1 month after the retention period for the information ends.
Civil penalty: 1,000 penalty units.
(3) Despite subsection ( 2), the credit reporting body must neither destroy the credit information nor ensure that the information is de - identified, if immediately before the retention period ends:
(a) there is a pending correction request in relation to the information; or
(b) there is a pending dispute in relation to the information.
Civil penalty: 500 penalty units.
(4) Subsection ( 2) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the credit information.
Destruction etc. of CRB derived information
(5) The credit reporting body must destroy any CRB derived information about the individual that was derived from the credit information, or ensure that the CRB derived information is de - identified:
(a) if:
(i) the CRB derived information was derived from 2 or more kinds of credit information; and
(ii) the body is required to do a thing referred to in subsection ( 2) to one of those kinds of credit information;
at the same time that the body does that thing to that credit information; or
(b) otherwise--at the same time that the body is required to do a thing referred to in subsection ( 2) to the credit information from which the CRB derived information was derived.
Civil penalty: 1,000 penalty units.
(6) Despite subsection ( 5), the credit reporting body must neither destroy the CRB derived information nor ensure that the information is de - identified, if immediately before the retention period ends:
(a) there is a pending correction request in relation to the information; or
(b) there is a pending dispute in relation to the information.
Civil penalty: 500 penalty units.
(7) Subsection ( 5) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the CRB derived information.
20W Retention period for credit information--general
The following table sets out the retention period for credit information:
(a) that is information of a kind referred to in an item of the table; and
(b) that is held by a credit reporting body.
Retention period | ||
Item | If the credit information is ... | the retention period for the information is ... |
1 | consumer credit liability information | the period of 2 years that starts on the day on which the consumer credit to which the information relates is terminated or otherwise ceases to be in force. |
2 | repayment history information | the period of 2 years that starts on the day on which the monthly payment to which the information relates is due and payable. |
3 | information of a kind referred to in paragraph 6N (d) or (e) | the period of 5 years that starts on the day on which the information request to which the information relates is made. |
4 | default information | the period of 5 years that starts on the day on which the credit reporting body collects the information. |
5 | payment information | the period of 5 years that starts on the day on which the credit reporting body collects the default information to which the payment information relates. |
6 | new arrangement information within the meaning of subsection 6S (1) | the period of 2 years that starts on the day on which the credit reporting body collects the default information referred to in that subsection. |
7 | new arrangement information within the meaning of subsection 6S (2) | the period of 2 years that starts on the day on which the credit reporting body collects the information about the opinion referred to in that subsection. |
8 | court proceedings information | the period of 5 years that starts on the day on which the judgement to which the information relates is made or given. |
9 | information of a kind referred to in paragraph 6N (l) | the period of 7 years that starts on the day on which the credit reporting body collects the information. |
20X Retention period for credit information--personal insolvency information
(1) The following table has effect:
Item | If personal insolvency information relates to ... | the retention period for the information is whichever of the following periods ends later ... |
1 | a bankruptcy of an individual | (a) the period of 5 years that starts on the day on which the individual becomes a bankrupt; (b) the period of 2 years that starts on the day the bankruptcy ends. |
2 | a personal insolvency agreement to which item 3 of this table does not apply | (a) the period of 5 years that starts on the day on which the agreement is executed; (b) the period of 2 years that starts on the day the agreement is terminated or set aside under the Bankruptcy Act. |
3 | a personal insolvency agreement in relation to which a certificate has been signed under section 232 of the Bankruptcy Act | (a) the period of 5 years that starts on the day on which the agreement is executed; (b) the period that ends on the day on which the certificate is signed. |
4 | a debt agreement to which item 5 of this table does not apply | (a) the period of 5 years that starts on the day on which the agreement is made; (b) the period of 2 years that starts on the day: (i) the agreement is terminated under the Bankruptcy Act; or (ii) an order declaring that all the agreement is void is made under that Act. |
5 | a debt agreement that ends under section 185N of the Bankruptcy Act | (a) the period of 5 years that starts on the day on which the agreement is made; (b) the period that ends on the day on which the agreement ends. |
Debt agreement proposals
(2) If personal insolvency information relates to a debt agreement proposal, the retention period for the information is the period that ends on the day on which:
(a) the proposal is withdrawn; or
(b) the proposal is not accepted under section 185EC of the Bankruptcy Act; or
(c) the acceptance of the proposal for processing is cancelled under section 185ED of that Act; or
(d) the proposal lapses under section 185G of that Act.
Control of property
(3) If personal insolvency information relates to a direction given, or an order made, under section 50 of the Bankruptcy Act, the retention period for the information is the period that ends on the day on which the control of the property to which the direction or order relates ends.
Note: See subsection 50(1B) of the Bankruptcy Act for when the control of the property ends.
(4) If the personal insolvency information relates to an authority signed under section 188 of the Bankruptcy Act, the retention period for the information is the period that ends on the day on which the property to which the authority relates is no longer subject to control under Division 2 of Part X of that Act.
Interpretation
(5) An expression used in this section that is also used in the Bankruptcy Act has the same meaning in this section as it has in that Act.
20Y Destruction of credit reporting information in cases of fraud
(1) This section applies if:
(a) a credit reporting body holds credit reporting information about an individual; and
(b) the information relates to consumer credit that has been provided by a credit provider to the individual, or a person purporting to be the individual; and
(c) the body is satisfied that:
(i) the individual has been a victim of fraud (including identity fraud); and
(ii) the consumer credit was provided as a result of that fraud.
Destruction of credit reporting information
(2) The credit reporting body must:
(a) destroy the credit reporting information; and
(b) within a reasonable period after the information is destroyed:
(i) give the individual a written notice that states that the information has been destroyed and sets out the effect of subsection ( 4); and
(ii) give the credit provider a written notice that states that the information has been destroyed.
Civil penalty: 1,000 penalty units.
(3) Subsection ( 2) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the credit reporting information.
Notification of destruction to third parties
(4) If:
(a) a credit reporting body destroys credit reporting information about an individual under subsection ( 2); and
(b) the body has previously disclosed the information to one or more recipients under Subdivision D of this Division;
the body must, within a reasonable period after the destruction, notify those recipients of the destruction and the matters referred to in paragraph ( 1)(c).
Civil penalty: 500 penalty units.
(5) Subsection ( 4) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, not to give the notification.
20Z Dealing with information if there is a pending correction request etc.
(1) This section applies if a credit reporting body holds credit reporting information about an individual and either:
(a) subsection 20V (3) applies in relation to the information; or
(b) subsection 20V (6) applies in relation to the information.
Notification of Commissioner
(2) The credit reporting body must, as soon as practicable, notify in writing the Commissioner of the matter referred to in paragraph ( 1)(a) or (b) of this section.
Civil penalty: 1,000 penalty units.
Use or disclosure
(3) The credit reporting body must not use or disclose the information under Subdivision D of this Division.
Civil penalty: 2,000 penalty units.
(4) However, the credit reporting body may use or disclose the information under this subsection if:
(a) the use or disclosure is for the purposes of the pending correction request, or pending dispute, in relation to the information; or
(b) the use or disclosure of the information is required by or under an Australian law or a court/tribunal order.
(5) If the credit reporting body uses or discloses the information under subsection ( 4), the body must make a written note of the use or disclosure.
Civil penalty: 500 penalty units.
Direction to destroy information etc.
(6) The Commissioner may, by legislative instrument, direct the credit reporting body to destroy the information, or ensure that the information is de - identified, by a specified day.
(7) If the Commissioner gives a direction under subsection ( 6) to the credit reporting body, the body must comply with the direction.
Civil penalty: 1,000 penalty units.
(8) To avoid doubt, section 20M applies in relation to credit reporting information that is de - identified as a result of the credit reporting body complying with the direction.
20ZA Dealing with information if an Australian law etc. requires it to be retained
(1) This section applies if a credit reporting body is not required:
(a) to do a thing referred to in subsection 20V (2) to credit information because of subsection 20V (4); or
(b) to do a thing referred to in subsection 20V (5) to CRB derived information because of subsection 20V (7); or
(c) to destroy credit reporting information under subsection 20Y (2) because of subsection 20Y (3).
Use or disclosure
(2) The credit reporting body must not use or disclose the information under Subdivision D of this Division.
Civil penalty: 2,000 penalty units.
(3) However, the credit reporting body may use or disclose the information under this subsection if the use or disclosure of the information is required by or under an Australian law or a court/tribunal order.
(4) If the credit reporting body uses or discloses the information under subsection ( 3), the body must make a written note of the use or disclosure.
Civil penalty: 500 penalty units.
Other requirements
(5) Subdivision E of this Division (other than section 20Q ) does not apply in relation to the use or disclosure of the information.
Note: Section 20Q deals with the security of credit reporting information.
(6) Subdivision F of this Division does not apply in relation to the information.
Division 3 -- Credit providers
Subdivision A -- Introduction and application of this Division
This Division sets out rules that apply to credit providers in relation to their handling of the following:
(a) credit information;
(b) credit eligibility information;
(c) CRB derived information.
If a credit provider is an APP entity, the rules apply in relation to that information in addition to, or instead of, any relevant Australian Privacy Principles.
21A Application of this Division to credit providers
(1) This Division applies to a credit provider in relation to the following:
(a) credit information;
(b) credit eligibility information;
(c) CRB derived information.
(2) If the credit provider is an APP entity, this Division may apply to the provider in relation to information referred to in subsection ( 1) in addition to, or instead of, the Australian Privacy Principles.
Subdivision B -- Consideration of information privacy
21B Open and transparent management of credit information etc.
(1) The object of this section is to ensure that credit providers manage credit information and credit eligibility information in an open and transparent way.
Compliance with this Division etc.
(2) A credit provider must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the provider's functions or activities as a credit provider that:
(a) will ensure that the provider complies with this Division and the registered CR code if it binds the provider; and
(b) will enable the provider to deal with inquiries or complaints from individuals about the provider's compliance with this Division or the registered CR code if it binds the provider.
Policy about the management of credit information etc.
(3) A credit provider must have a clearly expressed and up - to - date policy about the management of credit information and credit eligibility information by the provider.
(4) Without limiting subsection ( 3), the policy of the credit provider must contain the following information:
(a) the kinds of credit information that the provider collects and holds, and how the provider collects and holds that information;
(b) the kinds of credit eligibility information that the provider holds and how the provider holds that information;
(c) the kinds of CP derived information that the provider usually derives from credit reporting information disclosed to the provider by a credit reporting body under Division 2 of this Part;
(d) the purposes for which the provider collects, holds, uses and discloses credit information and credit eligibility information;
(e) how an individual may access credit eligibility information about the individual that is held by the provider;
(f) how an individual may seek the correction of credit information or credit eligibility information about the individual that is held by the provider;
(g) how an individual may complain about a failure of the provider to comply with this Division or the registered CR code if it binds the provider;
(h) how the provider will deal with such a complaint;
(i) whether the provider is likely to disclose credit information or credit eligibility information to entities that do not have an Australian link;
(j) if the provider is likely to disclose credit information or credit eligibility information to such entities--the countries in which those entities are likely to be located if it is practicable to specify those countries in the policy.
Availability of policy etc.
(5) A credit provider must take such steps as are reasonable in the circumstances to make the policy available:
(a) free of charge; and
(b) in such form as is appropriate.
Note: A credit provider will usually make the policy available on the provider's website.
(6) If a person or body requests a copy, in a particular form, of the policy of a credit provider, the provider must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.
Interaction with the Australian Privacy Principles
(7) If a credit provider is an APP entity, Australian Privacy Principles 1.3 and 1.4 do not apply to the provider in relation to credit information or credit eligibility information.
Subdivision C -- Dealing with credit information
21C Additional notification requirements for the collection of personal information etc.
(1) At or before the time a credit provider collects personal information about an individual that the provider is likely to disclose to a credit reporting body, the provider must:
(a) notify the individual of the following matters:
(i) the name and contact details of the body;
(ii) any other matter specified in the registered CR code; or
(b) otherwise ensure that the individual is aware of those matters.
(2) If a credit provider is an APP entity, subsection ( 1) applies to the provider in relation to personal information in addition to Australian Privacy Principle 5.
(3) If a credit provider is an APP entity, then the matters for the purposes of Australian Privacy Principle 5.1 include the following matters to the extent that the personal information referred to in that principle is credit information or credit eligibility information:
(a) that the policy (the credit reporting policy ) of the provider that is referred to in subsection 21B (3) contains information about how an individual may access the credit eligibility information about the individual that is held by the provider;
(b) that the credit reporting policy of the provider contains information about how an individual may seek the correction of credit information or credit eligibility information about the individual that is held by the provider;
(c) that the credit reporting policy of the provider contains information about how an individual may complain about a failure of the provider to comply with this Division or the registered CR code if it binds the provider;
(d) that the credit reporting policy of the provider contains information about how the provider will deal with such a complaint;
(e) whether the provider is likely to disclose credit information or credit eligibility information to entities that do not have an Australian link;
(f) if the provider is likely to disclose credit information or credit eligibility information to such entities--the countries in which those entities are likely to be located if it is practicable to specify those countries in the credit reporting policy.
21D Disclosure of credit information to a credit reporting body
Prohibition on disclosure
(1) A credit provider must not disclose credit information about an individual to a credit reporting body (whether or not the body's credit reporting business is carried on in Australia).
Civil penalty: 2,000 penalty units.
Permitted disclosure
(2) Subsection ( 1) does not apply to the disclosure of credit information about the individual if:
(a) the credit provider:
(i) is a member of a recognised external dispute resolution scheme or is prescribed by the regulations ; and
(ii) knows, or believes on reasonable grounds, that the individual is at least 18 years old; and
(b) the credit reporting body is:
(i) an agency; or
(ii) an organisation that has an Australian link; and
(c) the information meets the requirements of subsection ( 3).
Note: Section 21F limits the disclosure of credit information if there is a ban period for the information.
(3) Credit information about an individual meets the requirements of this subsection if:
(a) the information does not relate to an act, omission, matter or thing that occurred or existed before the individual turned 18; and
(b) if the information relates to consumer credit or commercial credit--the credit is or has been provided, or applied for, in Australia; and
(c) if the information is repayment history information about the individual:
(i) the credit provider is a licensee or is prescribed by the regulations ; and
(ii) the consumer credit to which the information relates is consumer credit in relation to which the provider also discloses, or a credit provider has previously disclosed, consumer credit liability information about the individual to the credit reporting body; and
(iii) the provider complies with any requirements relating to the disclosure of the information that are prescribed by the regulations; and
(d) if the information is default information about the individual:
(i) the credit provider has given the individual a notice in writing stating that the provider intends to disclose the information to the credit reporting body; and
(ii) at least 14 days have passed since the giving of the notice.
(4) Paragraph ( 3)(a) does not apply to identification information about the individual.
(5) Despite paragraph ( 3)(a), consumer credit liability information about the individual may relate to consumer credit that was entered into on a day before the individual turned 18, so long as the consumer credit was not terminated, or did not otherwise cease to be in force, on a day before the individual turned 18.
Written note of disclosure
(6) If a credit provider discloses credit information under this section, the provider must make a written note of that disclosure.
Civil penalty: 500 penalty units.
Interaction with the Australian Privacy Principles
(7) If a credit provider is an APP entity, Australian Privacy Principles 6 and 8 do not apply to the disclosure by the provider of credit information to a credit reporting body.
21E Payment information must be disclosed to a credit reporting body
If:
(a) a credit provider has disclosed default information about an individual to a credit reporting body under section 21D ; and
(b) after the default information was disclosed, the amount of the overdue payment to which the information relates is paid;
the provider must, within a reasonable period after the amount is paid, disclose payment information about the amount to the body under that section.
Civil penalty: 500 penalty units.
21F Limitation on the disclosure of credit information during a ban period
(1) This section applies if:
(a) a credit reporting body holds credit reporting information about an individual; and
(b) a credit provider requests the body to disclose the information to the provider for the purpose of assessing an application for consumer credit made to the provider by the individual, or a person purporting to be the individual; and
(c) the body is not permitted to disclose the information because there is a ban period for the information; and
(d) during the ban period, the provider provides the consumer credit to which the application relates to the individual, or the person purporting to be the individual.
(2) If the credit provider holds credit information about the individual that relates to the consumer credit, the provider must not, despite sections 21D and 21E , disclose the information to a credit reporting body.
Civil penalty: 2,000 penalty units.
(3) Subsection ( 2) does not apply if the credit provider has taken such steps as are reasonable in the circumstances to verify the identity of the individual.
Subdivision D -- Dealing with credit eligibility information etc.
21G Use or disclosure of credit eligibility information
Prohibition on use or disclosure
(1) If a credit provider holds credit eligibility information about an individual, the provider must not use or disclose the information.
Civil penalty: 2,000 penalty units.
Permitted uses
(2) Subsection ( 1) does not apply to the use of credit eligibility information about the individual if:
(a) the use is for a consumer credit related purpose of the credit provider in relation to the individual; or
(b) the use is a permitted CP use in relation to the individual; or
(c) both of the following apply:
(i) the credit provider believes on reasonable grounds that the individual has committed a serious credit infringement;
(ii) the provider uses the information in connection with the infringement; or
(d) the use is required or authorised by or under an Australian law or a court/tribunal order; or
(e) the use is a use prescribed by the regulations.
Permitted disclosures
(3) Subsection ( 1) does not apply to the disclosure of credit eligibility information about the individual if:
(a) the disclosure is a permitted CP disclosure in relation to the individual; or
(b) the disclosure is to a related body c orporate of the credit provider ; or
(c) the disclosure is to:
(i) a person for the purpose of processing an application for credit made to the credit provider; or
(ii) a person who manages credit provided by the credit provider for use in managing that credit; or
(d) both of the following apply:
(i) the credit provider believes on reasonable grounds that the individual has committed a serious credit infringement;
(ii) the provider discloses the information to another credit provider that has an Australian link, or to an enforcement body; or
(e) both of the following apply:
(i) the disclosure is for the purposes of a recognised external dispute resolution scheme;
(ii) a credit provider or credit reporting body is a member of the scheme; or
(f) the disclosure is required or authorised by or under an Australian law or a court/tribunal order; or
(g) the disclosure is a disclosure prescribed by the regulations.
Note: See section 21NA for additional rules about the disclosure of credit eligibility information under paragraph (3)(b) or (c).
(4) However, if the credit eligibility information about the individual is, or was derived from, repayment history information about the individual, the credit provider must not disclose the information under subsection ( 3).
Civil penalty: 2,000 penalty units.
(5) Subsection ( 4) does not apply if:
(a) the recipient of the credit eligibility information is another credit provider who is a licensee; or
(b) the disclosure is a permitted CP disclosure within the meaning of section 21L ; or
(c) the credit provider discloses the credit eligibility information under paragraph (3)(b), (c), (e) or (f); or
(d) the credit provider discloses the credit eligibility information under paragraph (3)(d) to an enforcement body.
Written note of use or disclosure
(6) If a credit provider uses or discloses credit eligibility information under this section, the provider must make a written note of that use or disclosure.
Civil penalty: 500 penalty units.
Interaction with the Australian Privacy Principles
(7) If a credit provider is an APP entity, Australian Privacy Principles 6, 7 and 8 do not apply to the provider in relation to credit eligibility information.
(8) If:
(a) a credit provider is an APP entity; and
(b) the credit eligibility information is a government related identifier of the individual;
Australian Privacy Principle 9.2 does not apply to the provider in relation to the information.
21H Permitted CP uses in relation to individuals
A use by a credit provider of credit eligibility information about an individual is a permitted CP use in relation to the individual if:
(a) the relevant credit reporting information was disclosed to the provider under a provision specified in column 1 of the table for the purpose (if any) specified in that column; and
(b) the provider uses the credit eligibility information for the purpose specified in column 2 of the table.
Permitted CP uses | ||
| Column 1 | Column 2 |
Item | The relevant credit reporting information was disclosed to the credit provider under ... | The credit provider uses the credit eligibility information for ... |
1 | item 1 of the table in subsection 20F (1) for the purpose of assessing an application for consumer credit made by the individual to the provider. | (a) a securitisation related purpose of the provider in relation to the individual; or (b) the internal management purposes of the provider that are directly related to the provision or management of consumer credit by the provider. |
2 | item 2 of the table in subsection 20F (1) for a particular commercial credit related purpose of the provider in relation to the individual. | that particular commercial credit related purpose.
|
3 | item 2 of the table in subsection 20F (1) for the purpose of assessing an application for commercial credit made by a person to the provider. | the internal management purposes of the provider that are directly related to the provision or management of commercial credit by the provider. |
4 | item 3 of the table in subsection 20F (1) for a credit guarantee purpose of the provider in relation to the individual. | (a) the credit guarantee purpose; or (b) the internal management purposes of the provider that are directly related to the provision or management of any credit by the provider. |
5 | item 5 of the table in subsection 20F (1). | the purpose of assisting the individual to avoid defaulting on his or her obligations in relation to consumer credit provided by the provider to the individual. |
6 | item 6 of the table in subsection 20F (1) for a particular securitisation related purpose of the provider in relation to the individual. | that particular securitisation related purpose. |
21J Permitted CP disclosures between credit providers
Consent
(1) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the disclosure is to another credit provider (the recipient ) for a particular purpose; and
(b) the recipient has an Australian link; and
(c) the individual expressly consents to the disclosure of the information to the recipient for that purpose.
(2) The consent of the individual under paragraph ( 1)(c):
(a) must be given in writing unless:
(i) the disclosure of the information to the recipient is for the purpose of assessing an application for consumer credit or commercial credit made to the recipient; and
(ii) the application has not been made in writing; and
(b) must be given to the credit provider or recipient.
Agents of credit providers
(3) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the provider is acting as an agent of another credit provider that has an Australian link; and
(b) while the provider is so acting, the provider is a credit provider under subsection 6H (1); and
(c) the provider discloses the information to the other credit provider in the provider's capacity as such an agent.
Securitisation arrangements etc.
(4) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the provider is a credit provider under subsection 6J (1) in relation to credit; and
(b) the credit has been provided by, or is credit for which an application has been made to, another credit provider (the original credit provider ) that has an Australian link; and
(c) the original credit provider is not a credit provider under that subsection; and
(d) the information is disclosed to:
(i) the original credit provider; or
(ii) another credit provider that is a credit provider under that subsection in relation to the credit and that has an Australian link; and
(e) the disclosure of the information is reasonably necessary for:
(i) purchasing, funding or managing, or processing an application for, the credit by means of a securitisation arrangement; or
(ii) undertaking credit enhancement in relation to the credit.
Mortgage credit secured by the same real property
(5) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the disclosure is to another credit provider that has an Australian link; and
(b) both credit providers have provided mortgage credit to the individual in relation to which the same real property forms all or part of the security; and
(c) the individual is at least 60 days overdue in making a payment in relation to the mortgage credit provided by either provider; and
(d) the information is disclosed for the purpose of either provider deciding what action to take in relation to the overdue payment.
21K Permitted CP disclosures relating to guarantees etc.
Offer to act as a guarantor etc.
(1) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) either:
(i) the provider has provided credit to the individual; or
(ii) the individual has applied to the provider for credit; and
(b) the disclosure is to a person for the purpose of that person considering whether:
(i) to offer to act as a guarantor in relation to the credit; or
(ii) to offer property as security for the credit; and
(c) the person has an Australian link; and
(d) the individual expressly consents to the disclosure of the information to the person for that purpose.
(2) The consent of the individual under paragraph ( 1)(d) must be given in writing unless:
(a) if subparagraph ( 1)(a)(i) applies--the application for the credit was not made in writing; or
(b) if subparagraph ( 1)(a)(ii) applies--the application for the credit has not been made in writing.
Guarantors etc.
(3) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the disclosure is to a person who:
(i) is a guarantor in relation to credit provided by the provider to the individual; or
(ii) has provided property as security for such credit; and
(b) the person has an Australian link; and
(c) either:
(i) the individual expressly consents to the disclosure of the information to the person; or
(ii) if subparagraph ( a)(i) applies--the information is disclosed to the person for a purpose related to the enforcement, or proposed enforcement, of the guarantee.
(4) The consent of the individual under subparagraph ( 3)(c)(i) must be given in writing unless the application for the credit was not made in writing.
21L Permitted CP disclosures to mortgage insurers
A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if the disclosure is to a mortgage insurer that has an Australian link for:
(a) a mortgage insurance purpose of the insurer in relation to the individual; or
(b) any purpose arising under a contract for mortgage insurance that has been entered into between the provider and the insurer.
21M Permitted CP disclosures to debt collectors
(1) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the disclosure is to a person or body that carries on a business or undertaking that involves the collection of debts on behalf of others; and
(c) the information is disclosed to the person or body for the primary purpose of the person or body collecting payments that are overdue in relation to:
(i) consumer credit provided by the provider to the individual; or
(ii) commercial credit provided by the provider to a person; and
(d) the information is information of a kind referred to in subsection ( 2).
Note: See section 21NA for additional rules about the disclosure of credit eligibility information under this subsection.
(2) The information for the purposes of paragraph ( 1)(d) is:
(a) identification information about the individual; or
(b) court proceedings information about the individual; or
(c) personal insolvency information about the individual; or
(d) if subparagraph ( 1)(c)(i) applies--default information about the individual if:
(i) the information relates to a payment that the individual is overdue in making in relation to consumer credit that has been provided by the credit provider to the individual; and
(ii) the provider does not hold, or has not held, payment information about the individual that relates to that overdue payment.
21N Permitted CP disclosures to other recipients
Mortgage credit assistance schemes
(1) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the disclosure is to a State or Territory authority; and
(b) the functions or responsibilities of the authority include:
(i) giving assistance (directly or indirectly) that facilitates the provision of mortgage credit to individuals; or
(ii) the management or supervision of schemes or arrangements under which such assistance is given; and
(c) the information is disclosed for the purpose of enabling the authority:
(i) to determine the extent of the assistance (if any) to give in relation to the provision of mortgage credit to the individual; or
(ii) to manage or supervise such a scheme or arrangement.
Assignment of debts owed to credit providers etc.
(2) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the disclosure is to one or more of the following (the recipient ):
(i) an entity;
(ii) a professional legal adviser of the entity;
(iii) a professional financial adviser of the entity; and
(b) the recipient has an Australian link; and
(c) subsection ( 3) applies to the information.
(3) This subsection applies to the credit eligibility information if the recipient proposes to use the information:
(a) in the process of the entity considering whether to:
(i) accept an assignment of a debt owed to the credit provider; or
(ii) accept a debt owed to the provider as security for credit provided to the provider; or
(iii) purchase an interest in the provider or a related body corporate of the provider; or
(b) in connection with exercising rights arising from the acceptance of such an assignment or debt, or the purchase of such an interest.
21NA Disclosures to certain persons and bodies that do not have an Australian link
Related bodies corporate and credit managers etc.
(1) Before a credit provider discloses credit eligibility information under paragraph 21G(3)(b) or (c) to a related body corporate, or person, that does not have an Australian link, the provider must take such steps as are reasonable in the circumstances to ensure that the body or person does not breach the following provisions (the relevant provisions ) in relation to the information:
(a) for a disclosure under paragraph 21G(3)(b)--section 22D;
(b) for a disclosure under paragraph 21G(3)(c)--section 22E;
(c) in both cases--the Australian Privacy Principles (other than Australian Privacy Principles 1, 6, 7, 8 and 9.2).
(2) If:
(a) a credit provider discloses credit eligibility information under paragraph 21G(3)(b) or (c) to a related body corporate, or person, that does not have an Australian link; and
(b) the relevant provisions do not apply, under this Act, to an act done, or a practice engaged in, by the body or person in relation to the information; and
(c) the body or person does an act, or engages in a practice, in relation to the information that would be a breach of the relevant provisions if those provisions applied to the act or practice;
the act done, or the practice engaged in, by the body or person is taken, for the purposes of this Act, to have been done, or engaged in, by the provider and to be a breach of those provisions by the provider.
Debt collectors
(3) Before a credit provider discloses credit eligibility information under subsection 21M(1) to a person or body that does not have an Australian link, the provider must take such steps as are reasonable in the circumstances to ensure that the person or body does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.
(4) If:
(a) a credit provider discloses credit eligibility information under subsection 21M(1) to a person or body that does not have an Australian link; and
(b) the Australian Privacy Principles do not apply, under this Act, to an act done, or a practice engaged in, by the person or body in relation to the information; and
(c) the person or body does an act, or engages in a practice, in relation to the information that would be a breach of the Australian Privacy Principles (other than Australian Privacy Principle 1) if those Australian Privacy Principles applied to the act or practice;
the act done, or the practice engaged in, by the person or body is taken, for the purposes of this Act, to have been done, or engaged in, by the provider and to be a breach of those Australian Privacy Principles by the provider.
21P Notification of a refusal of an application for consumer credit
(1) This section applies if:
(a) a credit provider refuses an application for consumer credit made in Australia:
(i) by an individual; or
(ii) jointly by an individual and one or more other persons (the other applicants ); and
(b) the refusal is based wholly or partly on credit eligibility information about one or more of the following:
(i) the individual;
(ii) a person who is proposing to act as a guarantor in relation to the consumer credit;
(iii) if the application is an application of a kind referred to in subparagraph ( a)(ii)--one of the other applicants; and
(c) a credit reporting body disclosed the relevant credit reporting information to the provider for the purposes of assessing the application.
(2) The credit provider must, within a reasonable period after refusing the application, give the individual a written notice that:
(a) states that the application has been refused; and
(b) states that the refusal is based wholly or partly on credit eligibility information about one or more of the persons referred to in paragraph ( 1)(b); and
(c) if that information is about the individual--sets out:
(i) the name and contact details of the credit reporting body that disclosed the relevant credit reporting information to the provider; and
(ii) any other matter specified in the registered CR code.
Subdivision E -- Integrity of credit information and credit eligibility information
21Q Quality of credit eligibility information
(1) A credit provider must take such steps (if any) as are reasonable in the circumstances to ensure that the credit eligibility information the provider collects is accurate, up - to - date and complete.
(2) A credit provider must take such steps (if any) as are reasonable in the circumstances to ensure that the credit eligibility information the provider uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up - to - date, complete and relevant.
(3) If a credit provider is an APP entity, Australian Privacy Principle 10 does not apply to the provider in relation to credit eligibility information.
21R False or misleading credit information or credit eligibility information
Offences
(1) A credit provider commits an offence if:
(a) the provider discloses credit information under section 21D ; and
(b) the information is false or misleading in a material particular.
Penalty: 200 penalty units.
(2) A credit provider commits an offence if:
(a) the provider uses or discloses credit eligibility information under this Division; and
(b) the information is false or misleading in a material particular.
Penalty: 200 penalty units.
Civil penalties
(3) A credit provider must not disclose credit information under section 21D if the information is false or misleading in a material particular.
Civil penalty: 2,000 penalty units.
(4) A credit provider must not use or disclose credit eligibility information under this Division if the information is false or misleading in a material particular.
Civil penalty: 2,000 penalty units.
21S Security of credit eligibility information
(1) If a credit provider holds credit eligibility information, the provider must take such steps as are reasonable in the circumstances to protect the information:
(a) from misuse, interference and loss; and
(b) from unauthorised access, modification or disclosure.
(2) If:
(a) a credit provider holds credit eligibility information about an individual; and
(b) the provider no longer needs the information for any purpose for which the information may be used or disclosed by the provider under this Division; and
(c) the provider is not required by or under an Australian law, or a court/tribunal order, to retain the information;
the provider must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de - identified.
Civil penalty: 1,000 penalty units.
(3) If a credit provider is an APP entity, Australian Privacy Principle 11 does not apply to the provider in relation to credit eligibility information.
Subdivision F -- Access to, and correction of, information
21T Access to credit eligibility information
Access
(1) If a credit provider holds credit eligibility information about an individual, the provider must, on request by an access seeker in relation to the information, give the access seeker access to the information.
Exceptions to access
(2) Despite subsection ( 1), the credit provider is not required to give the access seeker access to the credit eligibility information to the extent that:
(a) giving access would be unlawful; or
(b) denying access is required or authorised by or under an Australian law or a court/tribunal order; or
(c) giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
Dealing with requests for access
(3) The credit provider must respond to the request within a reasonable period after the request is made.
Means of access
(4) If the credit provider gives access to the credit eligibility information, the access must be given in the manner set out in the registered CR code.
Access charges
(5) If the credit provider is an agency, the provider must not charge the access seeker for the making of the request or for giving access to the information.
(6) If a credit provider is an organisation or small business operator, any charge by the provider for giving access to the information must not be excessive and must not apply to the making of the request.
Refusal to give access
(7) If the provider refuses to give access to the information because of subsection ( 2), the provider must give the access seeker a written notice that:
(a) sets out the reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so; and
(b) states that, if the access seeker is not satisfied with the response to the request, the access seeker may:
(i) access a recognised external dispute resolution scheme of which the provider is a member; or
(ii) make a complaint to the Commissioner under Part V.
Interaction with the Australian Privacy Principles
(8) If a credit provider is an APP entity, Australian Privacy Principle 12 does not apply to the provider in relation to credit eligibility information.
21U Correction of credit information or credit eligibility information
(1) If:
(a) a credit provider holds credit information or credit eligibility information about an individual; and
(b) the provider is satisfied that, having regard to a purpose for which the information is held by the provider, the information is inaccurate, out - of - date, incomplete, irrelevant or misleading;
the provider must take such steps (if any) as are reasonable in the circumstances to correct the information to ensure that, having regard to the purpose for which it is held, the information is accurate, up - to - date, complete, relevant and not misleading.
Notice of correction
(2) If:
(a) the credit provider corrects credit information or credit eligibility information under subsection ( 1); and
(b) the provider has previously disclosed the information under:
(i) this Division (other than subsection 21V (4)); or
(ii) the Australian Privacy Principles (other than Australian Privacy Principle 4.2);
the provider must, within a reasonable period, give each recipient of the information written notice of the correction.
(3) Subsection ( 2) does not apply if:
(a) it is impracticable for the credit provider to give the notice under that subsection; or
(b) the credit provider is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.
Interaction with the Australian Privacy Principles
(4) If a credit provider is an APP entity, Australian Privacy Principle 13:
(a) applies to the provider in relation to credit information or credit eligibility information that is identification information; but
(b) does not apply to the provider in relation to any other kind of credit information or credit eligibility information.
Note: Identification information may be corrected under this section or Australian Privacy Principle 13.
21V Individual may request the correction of credit information etc.
Request
(1) An individual may request a credit provider to correct personal information about the individual if:
(a) the personal information is:
(i) credit information about the individual; or
(ii) CRB derived information about the individual; or
(iii) CP derived information about the individual; and
(b) the provider holds at least one kind of the personal information referred to in paragraph ( a).
Correction
(2) If the credit provider is satisfied that the personal information is inaccurate, out - of - date, incomplete, irrelevant or misleading, the provider must take such steps (if any) as are reasonable in the circumstances to correct the information within:
(a) the period of 30 days that starts on the day on which the request is made; or
(b) such longer period as the individual has agreed to in writing.
Consultation
(3) If the credit provider considers that the provider cannot be satisfied of the matter referred to in subsection ( 2) in relation to the personal information without consulting either or both of the following (the interested party ):
(a) a credit reporting body that holds or held the information and that has an Australian link;
(b) another credit provider that holds or held the information and that has an Australian link;
the provider must consult that interested party, or those interested parties, about the individual's request.
(4) The use or disclosure of personal information about the individual for the purposes of the consultation is taken, for the purposes of this Act, to be a use or disclosure that is authorised by this subsection.
No charge
(5) The credit provider must not charge the individual for the making of the request or for correcting the information.
Interaction with the Australian Privacy Principles
(6) If a credit provider is an APP entity, Australian Privacy Principle 13:
(a) applies to the provider in relation to personal information referred to in paragraph ( 1)(a) that is identification information; but
(b) does not apply to the provider in relation to any other kind of personal information referred to in that paragraph.
Note: Identification information may be corrected under this section or Australian Privacy Principle 13.
21W Notice of correction etc. must be given
(1) This section applies if an individual requests a credit provider to correct personal information under subsection 21V (1).
Notice of correction etc.
(2) If the credit provider corrects personal information about the individual under subsection 21V (2), the provider must, within a reasonable period:
(a) give the individual written notice of the correction; and
(b) if the provider consulted an interested party under subsection 21V (3) about the individual's request--give the party written notice of the correction; and
(c) if the correction relates to information that the provider has previously disclosed under:
(i) this Division (other than subsection 21V (4)); or
(ii) the Australian Privacy Principles (other than Australian Privacy Principle 4.2);
give each recipient of the information written notice of the correction.
(3) If the credit provider does not correct the personal information under subsection 21V (2), the provider must, within a reasonable period, give the individual written notice that:
(a) states that the correction has not been made; and
(b) sets out the provider's reasons for not correcting the information (including evidence substantiating the correctness of the information); and
(c) states that, if the individual is not satisfied with the response to the request, the individual may:
(i) access a recognised external dispute resolution scheme of which the provider is a member; or
(ii) make a complaint to the Commissioner under Part V.
Exceptions
(4) Paragraph ( 2)(c) does not apply if it is impracticable for the credit provider to give the notice under that paragraph.
(5) Subsection ( 2) or (3) does not apply if the credit provider is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.
Division 4 -- Affected information recipients
This Division sets out rules that apply to affected information recipients in relation to their handling of their regulated information.
If an affected information recipient is an APP entity, the rules apply in relation to the regulated information of the recipient in addition to, or instead of, any relevant Australian Privacy Principles.
Subdivision A -- Consideration of information privacy
22A Open and transparent management of regulated information
(1) The object of this section is to ensure that an affected information recipient manages the regulated information of the recipient in an open and transparent way.
Compliance with this Division etc.
(2) An affected information recipient must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the recipient's functions or activities that:
(a) will ensure that the recipient complies with this Division and the registered CR code if it binds the recipient; and
(b) will enable the recipient to deal with inquiries or complaints from individuals about the recipient's compliance with this Division or the registered CR code if it binds the recipient.
Policy about the management of regulated information
(3) An affected information recipient must have a clearly expressed and up - to - date policy about the recipient's management of the regulated information of the recipient.
(4) Without limiting subsection ( 3), the policy of the affected information recipient must contain the following information:
(a) the kinds of regulated information that the recipient collects and holds, and how the recipient collects and holds that information;
(b) the purposes for which the recipient collects, holds, uses and discloses regulated information;
(c) how an individual may access regulated information about the individual that is held by the recipient and seek the correction of such information;
(d) how an individual may complain about a failure of the recipient to comply with this Division or the registered CR code if it binds the recipient;
(e) how the recipient will deal with such a complaint.
Availability of policy etc.
(5) An affected information recipient must take such steps as are reasonable in the circumstances to make the policy available:
(a) free of charge; and
(b) in such form as is appropriate.
Note: An affected information recipient will usually make the policy available on the recipient's website.
(6) If a person or body requests a copy, in a particular form, of the policy of an affected information recipient, the recipient must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.
Interaction with the Australian Privacy Principles
(7) If an affected information recipient is an APP entity, Australian Privacy Principles 1.3 and 1.4 do not apply to the recipient in relation to the regulated information of the recipient.
Subdivision B -- Dealing with regulated information
22B Additional notification requirements for affected information recipients
If an affected information recipient is an APP entity, then the matters for the purposes of Australian Privacy Principle 5.1 include the following matters to the extent that the personal information referred to in that principle is regulated information of the recipient:
(a) that the policy (the credit reporting policy ) of the recipient that is referred to in subsection 22A (3) contains information about how an individual may access the regulated information about the individual that is held by the recipient, and seek the correction of such information;
(b) that the credit reporting policy of the recipient contains information about how an individual may complain about a failure of the recipient to comply with this Division or the registered CR code if it binds the recipient; and
(c) that the credit reporting policy of the recipient contains information about how the recipient will deal with such a complaint.
22C Use or disclosure of information by mortgage insurers or trade insurers
Prohibition on use or disclosure
(1) If:
(a) a mortgage insurer or trade insurer holds or held personal information about an individual; and
(b) the information was disclosed to the insurer by a credit reporting body or credit provider under Division 2 or 3 of this Part;
the insurer must not use or disclose the information, or any personal information about the individual derived from that information.
Civil penalty: 2,000 penalty units.
Permitted uses
(2) Subsection ( 1) does not apply to the use of the information if:
(a) for a mortgage insurer--the use is for:
(i) a mortgage insurance purpose of the insurer in relation to the individual; or
(ii) any purpose arising under a contract for mortgage insurance that has been entered into between the credit provider and the insurer; or
(b) for a trade insurer--the use is for a trade insurance purpose of the insurer in relation to the individual; or
(c) the use is required or authorised by or under an Australian law or a court/tribunal order.
Permitted disclosure
(3) Subsection ( 1) does not apply to the disclosure of the information if the disclosure is required or authorised by or under an Australian law or a court/tribunal order.
Interaction with the Australian Privacy Principles
(4) If the mortgage insurer or trade insurer is an APP entity, Australian Privacy Principles 6, 7 and 8 do not apply to the insurer in relation to the information.
(5) If:
(a) the mortgage insurer or trade insurer is an APP entity; and
(b) the information is a government related identifier of the individual;
Australian Privacy Principle 9.2 does not apply to the insurer in relation to the information.
22D Use or disclosure of information by a related body corporate
Prohibition on use or disclosure
(1) If:
(a) a body corporate holds or held credit eligibility information about an individual; and
(b) the information was disclosed to the body by a credit provider under paragraph 21G (3)(b);
the body must not use or disclose the information, or any personal information about the individual derived from that information.
Civil penalty: 1,000 penalty units.
Permitted use or disclosure
(2) Subsection ( 1) does not apply to the use or disclosure of the information by the body corporate if the body would be permitted to use or disclose the information under section 21G if the body were the credit provider.
(3) In determining whether the body corporate would be permitted to use or disclose the information under section 21G , assume that the body is whichever of the following is applicable:
(a) the credit provider that has provided the relevant credit to the individual;
(b) the credit provider to which the relevant application for credit was made by the individual.
Interaction with the Australian Privacy Principles
(4) If the body corporate is an APP entity, Australian Privacy Principles 6, 7 and 8 do not apply to the body in relation to the information.
(5) If:
(a) the body corporate is an APP entity; and
(b) the information is a government related identifier of the individual;
Australian Privacy Principle 9.2 does not apply to the body in relation to the information.
22E Use or disclosure of information by credit managers etc.
Prohibition on use or disclosure
(1) If:
(a) a person holds or held credit eligibility information about an individual; and
(b) the information was disclosed to the person by a credit provider under paragraph 21G (3)(c);
the person must not use or disclose the information, or any personal information about the individual derived from that information.
Civil penalty: 1,000 penalty units.
Permitted uses
(2) Subsection ( 1) does not apply to the use of the information if:
(a) the person uses the information for the purpose for which it was disclosed to the person under paragraph 21G(3)(c) ; or
(b) the use is required or authorised by or under an Australian law or a court/tribunal order.
Permitted disclosure
(3) Subsection ( 1) does not apply to the disclosure of the information if:
(a) the disclosure is to the credit provider; or
(b) the disclosure is required or authorised by or under an Australian law or a court/tribunal order.
Interaction with the Australian Privacy Principles
(4) If the person is an APP entity, Australian Privacy Principles 6, 7 and 8 do not apply to the person in relation to the information.
(5) If:
(a) the person is an APP entity; and
(b) the information is a government related identifier of the individual;
Australian Privacy Principle 9.2 does not apply to the person in relation to the information.
22F Use or disclosure of information by advisers etc.
Prohibition on use or disclosure
(1) If:
(a) any of the following (the recipient ) holds or held credit eligibility information about an individual:
(i) an entity;
(ii) a professional legal adviser of the entity;
(iii) a professional financial adviser of the entity; and
(b) the information was disclosed to the recipient by a credit provider under subsection 21N (2);
the recipient must not use or disclose the information, or any personal information about the individual derived from that information.
Civil penalty: 1,000 penalty units.
Permitted uses
(2) Subsection ( 1) does not apply to the use of the information if:
(a) for a recipient that is the entity--the information is used for a matter referred to in subsection 21N (3); or
(b) for a recipient that is the professional legal adviser, or professional financial adviser, of the entity--the information is used:
(i) in the adviser's capacity as an adviser of the entity; and
(ii) in connection with advising the entity about a matter referred to in subsection 21N (3); or
(c) the use is required or authorised by or under an Australian law or a court/tribunal order.
Permitted disclosure
(3) Subsection ( 1) does not apply to the disclosure of the information if the disclosure is required or authorised by or under an Australian law or a court/tribunal order.
Interaction with the Australian Privacy Principles
(4) If the recipient is an APP entity, Australian Privacy Principles 6, 7 and 8 do not apply to the recipient in relation to the information.
(5) If:
(a) the recipient is an APP entity; and
(b) the information is a government related identifier of the individual;
Australian Privacy Principle 9.2 does not apply to the recipient in relation to the information.
This Division deals with complaints about credit reporting bodies or credit providers.
Individuals may complain to credit reporting bodies or credit providers about acts or practices that may be a breach of certain provisions of this Part or the registered CR code.
If a complaint is made, the respondent for the complaint must investigate the complaint and make a decision about the complaint.
23A Individual may complain about a breach of a provision of this Part etc.
Complaint
(1) An individual may complain to a credit reporting body about an act or practice engaged in by the body that may be a breach of either of the following provisions in relation to the individual:
(a) a provision of this Part (other than section 20R or 20T );
(b) a provision of the registered CR code (other than a provision that relates to that section).
Note: A complaint about a breach of section 20R or 20T , or a provision of the registered CR code that relates to that section, may be made to the Commissioner under Part V.
(2) An individual may complain to a credit provider about an act or practice engaged in by the provider that may be a breach of either of the following provisions in relation to the individual:
(a) a provision of this Part (other than section 21T or 21V );
(b) a provision of the registered CR code (other than a provision that relates to that section) if it binds the credit provider.
Note: A complaint about a breach of section 21T or 21V , or a provision of the registered CR code that relates to that section, may be made to the Commissioner under Part V.
Nature of complaint
(3) If an individual makes a complaint, the individual must specify the nature of the complaint.
(4) The complaint may relate to personal information that has been destroyed or de - identified.
No charge
(5) The credit reporting body or credit provider must not charge the individual for the making of the complaint or for dealing with the complaint.
(1) If an individual makes a complaint under section 23A , the respondent for the complaint:
(a) must, within 7 days after the complaint is made, give the individual a written notice that:
(i) acknowledges the making of the complaint; and
(ii) sets out how the respondent will deal with the complaint; and
(b) must investigate the complaint.
Consultation about the complaint
(2) If the respondent for the complaint considers that it is necessary to consult a credit reporting body or credit provider about the complaint, the respondent must consult the body or provider.
(3) The use or disclosure of personal information about the individual for the purposes of the consultation is taken, for the purposes of this Act, to be a use or disclosure that is authorised by this subsection.
Decision about the complaint
(4) After investigating the complaint, the respondent must, within the period referred to in subsection ( 5), make a decision about the complaint and give the individual a written notice that:
(a) sets out the decision; and
(b) states that, if the individual is not satisfied with the decision, the individual may:
(i) access a recognised external dispute resolution scheme of which the respondent is a member; or
(ii) make a complaint to the Commissioner under Part V.
(5) The period for the purposes of subsection ( 4) is:
(a) the period of 30 days that starts on the day on which the complaint is made; or
(b) such longer period as the individual has agreed to in writing.
23C Notification requirements relating to correction complaints
(1) This section applies if an individual makes a complaint under section 23A about an act or practice that may breach section 20S or 21U (which deal with the correction of personal information by credit reporting bodies and credit providers).
Notification of complaint etc.
(2) If:
(a) the respondent for the complaint is a credit reporting body; and
(b) the complaint relates to credit information or credit eligibility information that a credit provider holds;
the respondent must, in writing:
(c) notify the provider of the making of the complaint as soon as practicable after it is made; and
(d) notify the provider of the making of a decision about the complaint under subsection 23B (4) as soon as practicable after it is made.
(3) If:
(a) the respondent for the complaint is a credit provider; and
(b) the complaint relates to:
(i) credit reporting information that a credit reporting body holds; or
(ii) credit information or credit eligibility information that another credit provider holds;
the respondent must, in writing:
(c) notify the body or other provider (as the case may be) of the making of the complaint as soon as practicable after it is made; and
(d) notify the body or other provider (as the case may be) of the making of a decision about the complaint under subsection 23B (4) as soon as practicable after it is made.
Notification of recipients of disclosed information
(4) If:
(a) a credit reporting body discloses credit reporting information to which the complaint relates under Division 2 of this Part; and
(b) at the time of the disclosure, a decision about the complaint under subsection 23B (4) has not been made;
the body must, at that time, notify in writing the recipient of the information of the complaint.
(5) If:
(a) a credit provider discloses personal information to which the complaint relates under Division 3 of this Part or under the Australian Privacy Principles; and
(b) at the time of the disclosure, a decision about the complaint under subsection 23B (4) has not been made;
the provider must, at that time, notify in writing the recipient of the information of the complaint.
Exceptions
(6) Subsection ( 2), (3), (4) or (5) does not apply if:
(a) it is impracticable for the credit reporting body or credit provider to give the notification under that subsection; or
(b) the credit reporting body or credit provider is required by or under an Australian law, or a court/tribunal order, not to give the notification under that subsection.
Division 6 -- Unauthorised obtaining of credit reporting information etc.
24 Obtaining credit reporting information from a credit reporting body
Offences
(1) An entity commits an offence if:
(a) the entity obtains credit reporting information; and
(b) the information is obtained from a credit reporting body; and
(c) the entity is not:
(i) an entity to which the body is permitted to disclose the information under Division 2 of this Part; or
(ii) an access seeker for the information.
Penalty: 200 penalty units.
(2) An entity commits an offence if:
(a) the entity obtains credit reporting information; and
(b) the information is obtained from a credit reporting body; and
(c) the information is obtained by false pretence.
Penalty: 200 penalty units.
Civil penalties
(3) An entity must not obtain credit reporting information from a credit reporting body if the entity is not:
(a) an entity to which the body is permitted to disclose the information under Division 2 of this Part; or
(b) an access seeker for the information.
Civil penalty: 2,000 penalty units.
(4) An entity must not obtain, by false pretence, credit reporting information from a credit reporting body.
Civil penalty: 2,000 penalty units.
24A Obtaining credit eligibility information from a credit provider
Offences
(1) An entity commits an offence if:
(a) the entity obtains credit eligibility information; and
(b) the information is obtained from a credit provider; and
(c) the entity is not:
(i) an entity to which the provider is permitted to disclose the information under Division 3 of this Part; or
(ii) an access seeker for the information.
Penalty: 200 penalty units.
(2) An entity commits an offence if:
(a) the entity obtains credit eligibility information; and
(b) the information is obtained from a credit provider; and
(c) the information is obtained by false pretence.
Penalty: 200 penalty units.
Civil penalties
(3) An entity must not obtain credit eligibility information from a credit provider if the entity is not:
(a) an entity to which the provider is permitted to disclose the information under Division 3 of this Part; or
(b) an access seeker for the information.
Civil penalty: 2,000 penalty units.
(4) An entity must not obtain, by false pretence, credit eligibility information from a credit provider.
Civil penalty: 2,000 penalty units.
(1) The Federal Court or the Federal Magistrates Court may order an entity to compensate a person for loss or damage (including injury to the person's feelings or humiliation) suffered by the person if:
(a) either:
(i) a civil penalty order has been made against the entity for a contravention of a civil penalty provision (other than section 13G); or
(ii) the entity is found guilty of an offence against this Part; and
(b) that loss or damage resulted from the contravention or commission of the offence.
The order must specify the amount of compensation.
(2) The court may make the order only if:
(a) the person applies for an order under this section; and
(b) the application is made within 6 years of the day the cause of action that relates to the contravention or commission of the offence accrued.
(3) If the court makes the order, the amount of compensation specified in the order that is to be paid to the person may be recovered as a debt due to the person.
25A Other orders to compensate loss or damage
(1) This section applies if:
(a) either:
(i) a civil penalty order has been made against an entity for a contravention of a civil penalty provision (other than section 13G); or
(ii) an entity is found guilty of an offence against this Part; and
(b) a person has suffered, or is likely to suffer, loss or damage (including injury to the person's feelings or humiliation) as a result of the contravention or commission of the offence.
(2) The Federal Court or the Federal Magistrates Court may make such order as the Court considers appropriate against the entity to:
(a) compensate the person, in whole or in part, for that loss or damage; or
(b) prevent or reduce that loss or damage suffered, or likely to be suffered, by the person.
(3) Without limiting subsection ( 2), examples of orders the court may make include:
(a) an order directing the entity to perform any reasonable act, or carry out any reasonable course of conduct, to redress the loss or damage suffered by the person; and
(b) an order directing the entity to pay the person a specified amount to reimburse the person for expenses reasonably incurred by the person in connection with the contravention or commission of the offence; and
(c) an order directing the defendant to pay to the person the amount of loss or damage the plaintiff suffered.
(4) The court may make the order only if:
(a) the person applies for an order under this section; and
(b) the application is made within 6 years of the day the cause of action that relates to the contravention or commission of the offence accrued.
(5) If the court makes an order that the entity pay an amount to the person, the person may recover the amount as a debt due to the person.
73 Subsections 30(3) and (4)
Omit "credit reporting agency" (wherever occurring), substitute "credit reporting body".
74 Subsection 49(4) ( paragraph ( a) of the definition of credit reporting offence )
Omit "18C(4), 18D(4), 18K(4), 18L(2), 18N(2), 18R(2) or 18S(3) or section 18T", substitute " 20P (1), 21R (1) or (2), 24 (1) or (2) or 24A (1) or (2)".
75 Subsection 68(1)
Omit "credit reporting agency", substitute "credit reporting body".