22 December 2012

Credit Reporting Code

The national Privacy Commissioner has written to the Australian Retail Credit Association (ARCA) with a formal request for ARCA to develop a code of practice about credit reporting - a CR code - by 19 April 2013 and to apply to have that CR code registered under the amended Privacy Act 1988 (Cth).

The Commissioner's request is authorised under s 26P in Schedule 3 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth).

ARCA can seek an extension of the development period. It must ensure that it meets the requirements of s 26Q of the Act, including making a draft of the CR code publicly available, inviting the public to make submissions to ARCA on the draft within a specified period (of at least 28 days) and giving consideration to any submissions made within the specified period.

Under s 26N(1) of the Act a CR code is a written code of practice about credit reporting.  Section 26N(2) provides that the CR code must:
• set out how one or more of the provisions of Part IIIA of the Privacy Act are to be applied or complied with
• make provision for, or in relation to matters required or permitted by Part IIIA to be provided for by the registered CR code
• bind all credit reporting bodies
• specify the credit providers that are bound by the CR code, or a way of determining which credit providers are bound
• specify any other entities subject to Part IIIA that are bound by the CR code, or a way of determining which of those entities are bound. 
Under s 26N(3)  the CR code may also:
• impose additional requirements to those imposed by Part IIIA, so long as the additional requirements are not contrary to, or inconsistent with, that Part
• deal with the internal handling of complaints
• provide for the reporting to the Commissioner about complaints
• deal with any other relevant matters. 
Under s 26N(4) of the Privacy Act, a CR code may be expressed to apply differently in relation to:
• classes of entities that are subject to Part IIIA
• specified classes of credit information, credit reporting information or credit eligibility information
• specified classes of activities of entities that are subject to Part IIIA. 
Under s 26L of the Act, an entity bound by the registered CR code must not do an act, or engage in a practice, that breaches the code.

A breach of the registered code by an entity bound by that code will be an interference with privacy under s 13(2)(b) of the Act, which may be the subject of a complaint by an individual under s 36 of the Act or an ' own initiative' investigation by the Commissioner under s 40(2) of the Act.