Privacy Act 1988 Credit Reporting Code of Conduct (Cth)
CREDIT REPORTING: CODE OF CONDUCT
PRIVACY ACT 1988
SECTION 18A
1. Under section 18A of the Privacy Act 1988, I ISSUE the Code of Conduct for credit reporting.
2. This Code of Conduct shall take effect as from 24 September 1991.
Dated 11 September 1991
KEVIN PATRICK O'CONNOR
Privacy Commissioner
PART 1 - CREDIT REPORTING AGENCIES
CREDIT INFORMATION FILES
Permitted contents
1.1 A credit reporting agency recording an enquiry made by a credit provider in
connection with an application for credit may include, within the record of the
enquiry, a general indication of the nature of the credit being sought.
Accuracy of information
1.2 To ensure that personal information included in credit information files and
credit reports is accurate, up-to-date, complete and not misleading, a credit
reporting agency must issue to credit providers or other persons supplying it with
personal information detailed instructions on the types of personal information
permitted to be given to a credit reporting agency.
1.3 To ensure that only permitted information is included in a credit information file,
a credit reporting agency must take the following steps:
(a) Where a credit reporting agency receives information from a credit provider
for creation of, or inclusion in, a credit information file, and it appears to
the credit reporting agency that the information being supplied by the credit
provider may not be permitted to be included in a credit information file,
the credit reporting agency must:
(i) refuse to accept the information; and
(ii) notify the credit provider, in writing, that the inclusion of the
information may be in breach of the Act.
(b) Where a credit reporting agency becomes aware that information supplied
by a credit provider and included in a credit information file appears to be
of a type not permitted to be included in the file, the credit reporting
agency must:
(i) remove the information from the credit information file;
(ii) notify the credit provider in writing that the information may not be
permitted to be included in the file; and
(iii) make a written record of its actions in relation to (i) and (ii) above.
1.4 Where a credit reporting agency:
(a) becomes aware that information supplied by a credit provider relating to an
overdue payment or a serious credit infringement may be inaccurate; and
(b) reasonably believes that other credit information files may contain similar
inaccurate listings,
the credit reporting agency must, as soon as practicable:
(i) notify the credit provider concerned, in writing, that it may have
listed an inaccurate overdue payment or serious credit infringement
against the individual concerned;
(ii) request the credit provider to ascertain whether other individuals’
credit information files may be similarly affected, and to investigate
the accuracy of any overdue payment or serious credit infringement
listings in those other individual files; and
(iii) advise the Privacy Commissioner in writing of the above actions.
1.5 Where a credit reporting agency becomes aware that it has disclosed personal
information from a credit information file, and the personal information relates
to an individual other than the individual who was the subject of the enquiry, the
credit reporting agency must as soon as practicable:
(a) notify the enquirer that personal information was mistakenly provided
about an individual other than the one to whom the enquiry related;
(b) make the necessary amendments to the credit information file which has
been disclosed in error;
(c) advise, in writing, any other persons who had been supplied with the
incorrect personal information within the previous three months; and
(d) review its operations to ensure that recurrence will be minimised.
Access by an individual or his/her agent
1.6 A credit reporting agency must ensure:
(a) information is freely available to individuals, explaining the procedures by
which access to personal credit information files may be obtained; and
(b) adequate facilities are available for responding to requests for access to
credit information files in its possession.
1.7 In meeting an individual's request for access to his or her credit information file,
a credit reporting agency should require such evidence as is reasonable in the
circumstances to satisfy itself as to the identity of the individual.
1.8 A credit reporting agency in receipt of a request by an individual for access to his
or her credit information file must give access within 10 working days of having
received the request for access.
1.9 Where a credit reporting agency refuses to provide an individual's authorised
agent access to the individual's credit information file, the individual may
complain to the Privacy Commissioner, who may order the credit reporting
agency to provide access to the individual's authorised agent.
Fees for access
1.10 A credit reporting agency may not charge a fee for access by an individual to his
or her credit information file unless:
(a) The individual's request for access is the second request for access within a
period of six months; and
(b) there have been no changes made to the individual's credit information file
since the last occasion on which the individual was given access.
1.11 A credit reporting agency may not charge a fee for access by an authorised agent
of an individual unless the agency believes on reasonable grounds that the agent
has requested a copy of the individual's credit information file whilst acting as a
business intermediary between the individual and a credit provider.
1.12 Where a credit reporting agency denies access to an individual or his or her
authorised agent because the individual or the agent has refused to pay the fee,
the agency should advise the individual concerned that he or she may refer the
matter to the Privacy Commissioner.
Inclusion of statements
1.13 Where a credit reporting agency is provided with a statement by an individual of
an amendment sought, and the credit reporting agency considers the statement
unduly long, the credit reporting agency shall, as soon as possible, but in any
event no later than 30 days, refer the statement to the Privacy Commissioner for
a reduction as considered appropriate. In referring the statement, the credit
reporting agency may include a suggested shortened version prepared by the
credit reporting agency for consideration by the Privacy Commissioner. A copy
of the suggested shortened version must at the same time, be given to the
individual concerned.
Notification of amendment to third parties
1.14 Where an amendment has been made to, or a statement has been included in, an
individual's credit information file, and the amended information or the
statement relates to information of a type detailed in any one or more of
subparagraphs (i), (v), (vi), (vii), (viii), (ix) or (x) of paragraph l8E(l)(b) of the
Act, the credit reporting agency must, within 14 days of amending the
information or including the statement:
(a) provide the individual with a copy of the amended credit information file;
(b) advise the individual, in writing, that he or she may nominate any person
who had been given information from the file during the previous three
months, and whom the individual wishes to be notified of the amendment or
of the inclusion of the statement to the file;
(c) notify such persons (if any) of the amendment or inclusion made to the file,
within 30 days of the persons being so nominated to the credit reporting
agency by the individual; and
(d) advise the individual, in writing, of his or her right to complain to the
Privacy Commissioner if dissatisfied with the action taken by the credit
reporting agency.
Disclosure
1.15 Before a credit reporting agency discloses personal information contained in a
credit information file, the credit reporting agency should ensure that the
recipient of the information has been notified of the requirements of the Act
governing limitations on use and disclosure of personal information contained in
credit reports and credit information files.
1.16 A credit reporting agency should include in a credit report a warning to the
effect that overdue payments which were listed prior to 25 February 1992 may
need to be verified by the credit providers which listed the overdue payment in
order to ensure the currency of the listings. This warning is to be given on all
reports for five years after 25 February 1992.
1.17 On each occasion a credit reporting agency discloses personal information
contained in an individual's credit information file, a note of the disclosure must
be included in the file, setting out:
(a) the date on which the information was disclosed;
(b) to whom the information was disclosed; and
(c) where the disclosure related to only a part of the information on the file,
the part that was disclosed.
REPORTS TO PRIVACY COMMISSIONER ON SERIOUS CREDIT INFRINGEMENT LISTINGS
1.18 Credit reporting agencies must maintain annual records, which must be made
available upon request to the Privacy Commissioner, indicating the occurrence of
serious credit infringement listings made by individual credit providers where the
listings had not been previously reported as overdue payments.
PART 2 - CREDIT PROVIDERS
DISCLOSURES TO CREDIT REPORTING AGENCIES
Reporting of unspecified credit limits
2.1 Where a credit provider makes an enquiry to a credit reporting agency in
connection with an application for credit, and the amount of credit sought is
unknown or incapable of being specified, the credit provider may advise the
credit reporting agency that the amount of credit being sought is unspecified.
The credit reporting agency may then record that an unspecified amount of
credit is being sought.
Reporting mistakes as to identity
2.2 Where a credit provider has made an enquiry to a credit reporting agency in
connection with an application for credit, and subsequently becomes aware that
the credit report given by the credit reporting agency related to an individual
other than the one to whom the enquiry related, the credit provider must:
(a) advise the credit reporting agency of the mistake as to identity;
(b) advise any other persons who were given a copy of the credit report, or
information derived from the credit report, of the mistake us to identity and
of the need to destroy the credit report; and
(c) destroy the credit report.
Reporting discharge of credit commitments
2.3 Where a credit provider has informed a credit reporting agency that it was a
current credit provider in relation to an individual, and the credit provider ceases
to be a current credit provider in relation to the individual, the credit provider
must as soon as practicable, but in any event no later than 45 days after ceasing
to be a current credit provider, notify the credit reporting agency that it is no
longer a current credit provider in relation to the individual.
RECTIFYING REPORTING PROCEDURES
2.4 Where a credit provider has been notified by a credit reporting agency in
accordance with paragraph 1.3 that it has given the credit reporting agency
information which the credit reporting agency is not permitted under the Act to
include in an individual's credit information file, the credit provider must take
steps to remedy its reporting procedures to ensure that the requirements of the
Act may be complied with in future.
2.5 Where a credit provider becomes aware that
(a) it has given to a credit reporting agency personal information which was
inaccurate at the time of giving the information, and which may have, or
might, adversely affect the decision to grant credit; or
(b) it has given information of a type not permitted to be included in an
individual's credit information file by a credit reporting agency,
the credit provider must immediately advise the credit reporting agency of the
inaccuracy or the existence of prohibited information.
2.6 Where a credit provider has been notified by a credit reporting agency in
accordance with paragraph 1.4 it shall:
(a) alert the agency to any other individuals’ credit information files that may
be similarly affected, and investigate the accuracy of any overdue payment
or serious credit infringement listings in those other individuals' files; and
(b) within 30 days, advise the Privacy Commissioner in writing of the action the
credit provider has taken to rectify the problem.
REPORTING OVERDUE PAYMENTS
2.7 A credit provider may report an overdue payment to a credit reporting agency:
(a) once 60 days has elapsed since the day on which the payment was due and
payable; and
(b) if the credit provider has sent a written notice to the last known address
which:
(i) advises the individual of the overdue payment and requests payment
of the amount outstanding; or
(ii) in the case of a joint debt where the parties concerned live at separate
addresses and those addresses are known, advises the individuals
against whom the overdue payment is to be recorded and requests
payment of the amount outstanding.
2.8 A credit provider must not give to a credit reporting agency information about
an individual being overdue in making a payment where recovery of the debt by
the credit provider is barred by the statute of limitations.
2.9 A credit provider must not report to a credit reporting agency an overdue
payment listed against a guarantor:
(a) until 60 days has elapsed since the day on which the borrower's payment
was due and payable; and
(b) until steps have been taken to recover either the whole or part of the
amount outstanding from the guarantor, including advising the guarantor,
by notice in writing, of the overdue payment incurred by the borrower.
2.10 Where a credit provider has previously listed with a credit reporting agency an
overdue payment or a serious credit infringement against an individual in respect
of an amount outstanding, and the credit provider subsequently enters into an
arrangement with the individual for the repayment of the outstanding amount,
the credit provider must contact the credit reporting agency to advise that a note
should he included in the individual's credit information file to the effect that an
arrangement has been entered into with the individual for repayment of the
outstanding amount.
REPORTING SERIOUS CREDIT INFRINGEMENTS
2.11 Where a credit provider has reported a joint serious credit infringement in
respect of an amount outstanding, and is subsequently satisfied that one of the
individuals was released from the obligation to repay the outstanding amount by
an order of a court or by legal agreement, the credit provider should advise the
credit reporting agency that the serious credit infringement listing should be
removed from that individuals credit information file.
DISCLOSURE BETWEEN CREDIT PROVIDERS
2.12 Before a credit provider obtains from another credit provider a report about an
individual's consumer credit worthiness, the credit provider obtaining the report
must be satisfied that the individual has given his or her specific written
agreement to the disclosure (unless the report is requested for the purpose of
assessing an application for either consumer credit; or commercial credit that was
at first made orally, in which case the agreement need not be in writing).
2.13 A credit provider which has been requested by another credit provider to disclose
to the latter information about an individual's consumer credit worthiness should
be satisfied that the second credit provider has obtained the individual's specific
agreement to the disclosure. If the individual's specific agreement has not been
obtained, the first credit provider may not, unless it had itself obtained the
individual's specific agreement to the disclosure for the particular purpose,
disclose the personal information to the second credit provider.
2.14 Whenever a credit provider obtains from another credit provider a report about
an individual's consumer credit worthiness, the credit provider requesting the
report shall make a record of;
(a) the date on which the report was obtained;
(b) the name, of the credit provider from whom the report was obtained;
(c) a brief description of the contents of the report; and
(d) where the individual's specific agreement to the disclosure is required, a
note to the effect that the individual's specific agreement to the disclosure
has been furnished.
2.15 Where a credit provider has obtained from another credit provider information
about an individual's credit worthiness, and subsequently becomes aware that the
report given by the other credit provider was mistaken because it related to an
individual other than the one to whom the enquiry related, the first credit
provider must:
(a) advise the second credit provider which gave the report of the mistake as to
identity; and
(b) destroy the report.
2.16 A credit provider which is a bank may not disclose to another bank a 'banker's
opinion’ relating to an individual's consumer credit worthiness, unless that
individual's specific agreement to the disclosure of such information for the
particular purpose has been obtained.
DISCLOSURES TO AGENTS OF INDIVIDUALS
2.17 Where a credit provider has been requested by an agent of an individual to
disclose to the agent personal information relating to the individual's credit
arrangements with the credit provider, the credit provider, should satisfy itself
that the agent is acting under the specific written agreement of the individual
before disclosing the information. Where the credit provider is not satisfied that
a written agreement exists, the credit provider shall request that the agent of the
individual produce evidence of the specific written agreement before making the
disclosure.
2.18 A credit provider may furnish to an individual's authorised agent only
information permitted by the scope of the individual's written agreement.
OTHER DISCLOSURES
2.19 Where a credit provider provides a report about an individual's credit worthiness
to an authorised recipient other than a credit provider, the credit provider
should, to the extent practicable, make a record of the disclosure.
ACCESS BY AN INDIVIDUAL TO A CREDIT REPORT
2.20 A credit provider must ensure that
(a) it has information available to advise individuals about the procedures by
which access can be obtained to credit reports held by the credit provider;
and
(b) adequate facilities are available for responding to requests for access to
credit reports in its possession.
2.21 A credit provider must, when so requested in writing by an individual, attempt to
give that individual access to any of his or, her credit reports which are in the
possession of the credit provider within 10 working days, and in any event, must
give access within 30 calendar days of receipt of the individual's request.
2.22 Where an individual has requested access to a credit report which he or she
believes may be in the possession of a credit provider to whom the individual has
applied for credit, and the credit provider no longer possesses the report, the
credit provider must advise the individual to contact the credit reporting agency
from which a copy of the credit information file may be obtained.
REQUESTS FOR AMENDMENT TO A CREDIT REPORT
2.23 Where a credit provider receives a request from an individual for an amendment
of, or for the inclusion of a statement in, a credit report issued by a credit
reporting agency, the credit provider should, within,10 working days of receipt of
the request:
(a) refer the request to the relevant credit reporting agency, incorporating any
opinion the credit provider has as to the appropriateness of the amendment sought;
(b) inform the individual, in writing, of the referral, including the name and
address of the credit reporting agency; and
(c) include in any credit reports in the possession of the credit provider a note
to the effect that information on the individual's credit report is subject to a
request for amendment by the individual.
PART 3 - DISPUTE SETTLING PROCEDURES RELATING TO
CREDIT REPORTING
GENERAL REQUIREMENTS
3.1 Credit reporting agencies and credit providers must handle credit reporting
disputes in a fair, efficient add timely manner.
3.2 Credit reporting agencies and credit providers must establish procedures to deal
with a request, in writing, by an individual for resolution of a dispute relating to
credit reporting.
3.3 A credit provider should refer to a credit reporting agency for resolution a
dispute between that credit provider and an individual where the dispute
concerns the contents of a credit report issued by the credit reporting agency.
3.4 In referring a dispute to a credit reporting agency, a credit provider must inform
the individual of the referral and must provide the individual with the name and
address of the credit reporting agency.
3.5 Upon receipt, from a credit provider, of a referral of a request for dispute
resolution, a credit reporting agency must handle the request as if the request
had been made directly to the agency by the individual concerned.
3.6 Where a credit reporting agency is unable to clearly establish the nature of the
dispute which has been referred to it for resolution by a credit provider, the
agency may write to the individual concerted asking for further information,
before proceeding with the request.
3.7 Where a credit reporting agency establishes that it is unable to resolve a dispute
it must immediately inform the individual concerned that it is unable to resolve
the dispute and that the individual may complain to the Privacy Commissioner.
AMENDMENT TO A CREDIT INFORMATION FILE OR A CREDIT REPORT
3.8 Where an individual has requested an amendment to personal information
included in a credit information file or credit report, and the credit reporting
agency establishes that an amendment to personal information contained in the
credit information file or credit report is necessary, the credit reporting agency
must, as soon as practicable, but in any event, within 5 working days, amend the
file or report.
3.9 Where a credit reporting agency is informed that an individual is no longer
overdue in making a payment or that the individual contends that he or she is
not overdue in making the payment, the credit reporting agency must, within 5
working days of being so informed, add to the credit information file or credit
report a note to that effect.
INCLUSION OF STATEMENTS
3.10 Where a credit reporting agency does not amend a disputed entry in accordance
with an individual's request, the credit reporting agency must, within 30 days of
having received the individual's request, inform the individual in writing of:
(a) the reason(s) for the requested amendment not having been made;
(b) his or her right, under s.18J(2) of the Privacy Act, to have a statement
included in his or her credit information file or credit report, containing
details of the amendment sought; and
(c) his or her right to complain to the Privacy Commissioner if dissatisfied with
the action of the credit reporting agency.
3.11 Where a credit reporting agency is provided by an individual with a statement
for inclusion in his or her credit information file or credit report, and the credit
reporting agency considers the statement unduly long, the credit reporting agency
may, within 30 days, refer the statement to the privacy Commissioner for a
reduction as considered appropriate.
3.12 In referring the statement, the credit reporting agency may include a suggested
shortened version prepared by the credit reporting agency for consideration by
the Privacy Commissioner. A copy of the suggested shortened version must, at
the same time, be sent to the individual concerned.
3.13 A credit reporting agency must, where so requested by an individual, remove
from his or her credit information file or credit report any statement previously
provided by the individual for inclusion in his or her credit information file or
credit report.
ADVICE OF DISPUTE OUTCOME
3.14 Where an amendment has been made, or a statement provided by the individual
has been included by a credit reporting agency in the individual's credit
information file or credit report, the credit reporting agency shall, within 14 days
of having made the amendment or included the statement:
(a) provide the individual with a copy of the amended credit information file or credit report; and
(b) advise the individual in writing of his or her right to complain to the
Privacy Commissioner if he or she is dissatisfied with the action taken by
the credit reporting agency.
3.15 Where, as a result of a dispute having been resolved, a credit reporting agency
amends information from a credit information file or credit report and that
information is of a type detailed in sub-paragraphs 18E(l)(b)(i), (v), (vi), (vii),
(viii), (ix) or (x) of the Act, the credit reporting agency must, within 14 days of
amending the information:
(a) provide the individual with a copy of the amended credit information file or
credit report;
(b) advise the individual, in writing, that he or she may nominate any person:
(i) to whom information from the credit information file or credit report
had been given during the previous three months; and
(ii) whom the individual wishes to be notified of the changes made to the
file or report;
(c) notify, within 30 days, such persons in writing of the amendment made to
the credit information file or credit report; and
(d) advise the individual in writing of his or her right to complain to the
Privacy Commissioner, if dissatisfied with the action taken by the credit
reporting agency.
OTHER CREDIT REPORTING DISPUTES
3.16 Where a credit reporting agency or a credit provider receives a request in writing
from an individual seeking resolution of a dispute concerning an act or practice
of the credit reporting agency or credit provider in relation to credit reporting,
the credit reporting agency or credit provider should, within 30 days of receipt of
the request:
(a) investigate the matter;
(b) provide the individual with such response, in writing, as considered
appropriate by the credit reporting agency or credit provider; and
(c) advise the individual of his or her right to complain to the Privacy
Commissioner if dissatisfied with the action taken by the credit reporting
agency or credit provider.
INVESTIGATION OF COMPLAINTS BY THE PRIVACY COMMISSIONER
3.17 The Privacy Commissioner may decide not to investigate a complaint about a
credit reporting dispute if the Commissioner considers that:
(a) the dispute should first be dealt with by a credit reporting agency or credit
provider; or
(b) the dispute is being, or has been, dealt with adequately by the credit
reporting agency or credit provider.
3.18 Where the Privacy Commissioner decides not to investigate an individual's
complaint about a credit reporting dispute, the Commissioner shall advise the
individual of the reasons for his or her decision not to investigate the complaint.
PART 4 - OTHER MATTERS
STAFF TRAINING
4.1 Credit reporting agencies, credit providers and others lawfully involved in the
handling of personal information contained in credit information files and credit
reports shall take such steps as are reasonable in the circumstances to inform
those staff whose duties involve handling of personal information included in
credit information files or credit reports of the requirements of the Act and the
Code of Conduct, and in particular:
(a) the circumstances in which personal information included in credit
information files and credit reports may be accessed, used or disclosed;
(b) the procedures to be followed in response to a request by an individual for
access to, or amendment of, personal information included in a credit
information file or credit report;
(c) the procedures for handling disputes relating to credit reporting; and
(d) the circumstances in which personal information relating to an individual's
credit worthiness may be disclosed by a credit provider.
MODIFYING TIME LIMITS
4.2 The time limits set out in Parts 1, 2 and 3 of this Code of Conduct and affecting
acts and practices of credit reporting agencies and credit providers may be varied
with the approval of the Privacy Commissioner where the parties concerned are
unable to comply with the specified time limits due to circumstances such as
technological failures or due to other practical or unforeseen difficulties.
REVIEW OF THE OPERATION OF THE CODE OF CONDUCT
4.3 The Privacy Commissioner shall review the Code of Conduct after 18 months of its operation, and may, following consultation with affected parties, make
amendments to the Code us considered necessary.
TERMS USED IN THIS CODE
4.4 Where a term used in this Code of Conduct is defined in the Privacy Act, the
term has the meaning given to it by the Privacy Act.
0
0
0