Part IIIA of the Privacy Act provides safeguards for individuals in relation to consumer credit reporting. In particular, Part IIIA governs the handling of credit reports and other credit worthiness information about individuals by credit reporting agencies and credit providers. The Act ensures that the use of this information is restricted to assessing applications for credit lodged with a credit provider and other legitimate activities involved with giving credit. Commercial credit information is not regulated by Part IIIA of the Privacy Act, however it is regulated by the National Privacy Principles where a credit reporting agency is bound by them.

Key requirements of Part IIIA

The Key requirements of Part IIIA include:

• Strict limits on the type of information which can be held on a person's credit information file by a credit reporting agency. There are also limits on how long the information can be held on file.
• Limits on who can obtain access to your credit file held by a credit reporting agency. Generally only credit providers may obtain access and only for specified purposes. Real estate agents, debt collectors, employers and general insurers are barred from obtaining access.
• Limits on the purposes for which a credit provider can use a credit report obtained from a credit reporting agency. These include:
  • to assess an application for consumer credit or commercial credit (but they must seek consent if they are using your consumer credit report to assess an application for commercial credit, or using your commercial report to assess an application for consumer credit)
  • to assess whether to accept a person as guarantor for a loan applied for by someone else
  • to collect overdue payments

• Prohibition on disclosure by credit providers of credit worthiness information about an individual, including a credit report received from a credit reporting agency, except in specified circumstances. These include:

  • where the disclosure is to another credit provider and the individual has given consent
  • to a mortgage insurer
  • to a debt collector (but credit providers can only give limited information contained in or derived from a credit report issued by a credit reporting agency)
• Rights of access and correction for individuals in relation to their own personal information contained in credit reports held by credit reporting agencies and credit providers.

Proposed changes to Part IIIA and the Credit Reporting Code of Conduct

In October 2009, the Australian Government released its first stage response to the Australian Law Reform Commission's Report 108; For Your Information - Australian Privacy Law and Practice (2008).  The response is available here. 

The Government's response includes proposed changes to Part IIIA of the Privacy Act and proposals for a revised, binding credit code under the Privacy Act.  The new code is to be developed by industry, in consultation with consumer groups and regulators, and subject to final approval by the Information Commissioner.   See the Office’s Law reform and Credit and finance pages for more information.

 These Privacy Act reforms are separate to the new national consumer credit regime, which includes new registration, licensing and consumer protection requirements and is overseen by the Australian Securities and Investments Commission (ASIC). ASIC’s credit page has more information on the national consumer credit regime.  

Back to Top

Credit Provider Determinations

The Privacy Commissioner has issued a number of credit provider determinations in accordance with the Act. These determinations allow certain organisations and government agencies access to the credit reporting system for particular purposes.  Determinations no longer in force can be found in the Publications Archive. Determinations in force are:

• Credit Provider Determination No. 2011-1 (Assignees)
• Credit Provider Determination No. 2011-2 (Classes of Credit Providers)
• Credit Provider Determination No. 2011-3 (Indigenous Business Australia)

Review of Credit Provider Determinations (2011)

For information about this review see: http://www.oaic.gov.au/news/consultations.html#review_credit_determinations

Review of Credit Provider Determinations (2006)

• Report on the Review of the Credit Provider Determinations (Assignees and Classes of Credit Providers)

• To access submissions made to this review, contact the Office

Review of Credit Determinations Consultation Paper No. 1 (Assignees and Classes of Credit Provider)
• Review of Credit Determinations Consultation Paper No. 2 (Indigenous Business Australia)

Credit Reporting Determinations

The Privacy Commissioner has issued a number of credit reporting determinations in accordance with the Act.  Determinations no longer in force can be found in the Publications Archive.  Determinations in force deal with:

Identifying particulars permitted to be included in a credit information file:

• Credit Reporting Determination: 1991,2 s18E(3) - concerning identifying particulars permitted to be included in a credit information file:

Back to Top

Credit Information Audits

The Privacy Commissioner has power to audit credit information files and credit reports held by credit reporting agencies and credit providers pursuant to section 28A(1)(g) of the Act. For more information on auditing please visit the Audit section.

Credit Information Audit Process - PDF

Credit Information Audit Manual - PDF

Back to Top

Credit Reporting Fact Sheets (1996)

Back to Top