Privacy (Credit Related Research) Rule 2014 (Cth)
I, Timothy Pilgrim, Privacy Commissioner, make this Rule under section 20M(3) of the
Dated: 1 May 2014
[Signed]
Timothy Pilgrim
Privacy Commissioner
This Rule is the
This Rule commences on the day it is registered on the Federal Register of Legislative Instruments.
This Rule applies for the purposes of section 20M of the Privacy Act, which prohibits a credit reporting body from using or disclosing de-identified credit reporting information (s 20M(1)). Sections 20M(2)–(3) provide that this prohibition does not apply if the use or disclosure is for the purpose of conducting research in relation to credit and the credit reporting body complies with rules made by the Commissioner by legislative instrument.
(1) Unless this Rule states otherwise, any word or expression used in this Rule which is defined in the Privacy Act, has the same meaning as in that Act.
(2) In this Rule:
The following expressions are defined in Section 6(1) of the Privacy Act: Australian law; Australian link; Commissioner; court/tribunal order; credit; credit reporting body; credit reporting information; entity; personal information
A credit reporting body may use or disclose credit reporting information if:
(a) the credit reporting information has been de-identified,
(b) the use and/or disclosure of the credit reporting information is for the purpose of conducting research in relation to credit, and
(c) the purpose for conducting the research in relation to credit is a permitted purpose as described in section 6 of this Rule.
A credit reporting body may only use or disclose de-identified information for the purposes of conducting research in relation to credit for:
(a) the assessment or management of current, and development of new, credit services, or
(b) developing methodologies to combat fraud, anti-money laundering, counter terrorism financing and other unlawful activity involving credit, or
(c) assisting responsible lending obligations and other consumer protections, or
(d) any other purpose for the general benefit of the public.
(1) When de-identifying credit reporting information, a credit reporting body must:
(a) assess the risk of re-identification of the credit reporting information either by itself or by the recipients of the de-identified information,
(b) use that risk assessment to determine the de-identification technique or techniques appropriate to the circumstances, and
(c) take such steps as are reasonable in the circumstances to ensure the de-identified information cannot be re-identified.
(2) If a credit reporting body de-identifies credit reporting information, the credit reporting body must:
(a) not re-identify or attempt to re-identify the de-identified information, and
(b) destroy the information if it is re-identified unintentionally.
(3) Sub-section 7(2)(a) does not apply if the re-identification of de-identified information is required by Australian law or a court/tribunal order.
(1) A credit reporting body must only disclose de-identified information for a permitted purpose if the entity receiving the information has an Australian link.
(2) Before disclosing de-identified information, a credit reporting body must take such steps as are reasonable in the circumstances to ensure the entity receiving the information:
(a) does not re-identify or attempt to re-identify the de-identified information,
(b) destroys the information if it is re-identified unintentionally, and
(c) does not disclose the de-identified information to any other entity.
(3) Sub-section 8(2)(c) does not apply to Aggregated results.
A credit reporting body must include a statement in its policy on the management of de-identified information, in accordance with s 20B(3), that de-identified information is used or disclosed by that credit reporting body for the purpose of conducting research in relation to credit.