Application of the credit reporting provisions

53.5 This part of the chapter answers the following questions. What information is covered by the credit reporting provisions? To whom do the provisions apply?

Information covered by the provisions

53.6 A number of terms define the scope of the regulatory framework for credit reporting in the Privacy Act. The most important of these are ‘personal information’, ‘credit information file’ and ‘credit report’. What follows is a discussion of the respective meanings and interrelationship of these terms.

53.7 The Act, principally in Part IIIA,[5] regulates the use and disclosure of ‘personal information’ for credit reporting purposes. ‘Personal information’ is defined to mean

information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.[6]

53.8 An individual’s personal information may be collated by a credit reporting business to create a ‘credit information file’. In relation to an individual, this means

any record that contains information relating to the individual and is kept by a credit reporting agency in the course of carrying on a credit reporting business (whether or not the record is a copy of the whole or part of, or was prepared using, a record kept by another credit reporting agency or any other person).[7]

53.9 The credit information file in turn may be used to create a ‘credit report’. It is in this form that an individual’s personal information may pass from the person collecting the information (the credit reporting agency) to the person wishing to use the information (the credit provider).[8] The term ‘credit report’ is defined as

any record or information, whether in a written, oral or other form, that:

(a) is being or has been prepared by a credit reporting agency; and

(b) has any bearing on an individual’s:

(i) eligibility to be provided with credit; or

(ii) history in relation to credit; or

(iii) capacity to repay credit; and

(c) is used, has been used or has the capacity to be used for the purpose of serving as a factor in establishing an individual’s eligibility for credit.[9]

53.10 Section 18N applies to a third category of personal information contained in ‘reports’, a term which covers a much broader spectrum of documents than is encompassed by the term ‘credit report’. Section 18N(9) states that ‘report’ means:

(a) a credit report; or

(b) … any other record or information, whether in a written, oral or other form, that has any bearing on an individual’s credit worthiness, credit standing, credit history or credit capacity;

but does not include a credit report or any other record or information in which the only personal information relating to individuals is publicly available information.

Persons within the ambit of the provisions

53.11 There are four main categories of person affected by Part IIIA of the Privacy Act. These are: individuals; credit reporting agencies; credit providers; and third parties who provide personal information to credit reporting agencies.


53.12 An individual whose personal information forms the basis of a credit information file may be affected by a credit report—especially in terms of the individual’s application for credit. The Act stipulates that an individual must be ‘a natural person’ and that the definition of ‘credit’ does not include ‘commercial credit’.[10]

53.13 This means that a corporation, for instance, cannot claim the protection of the credit reporting provisions in its own right. Commercial credit information only is regulated by the Act indirectly—where, for example, it is used to assess an application for consumer credit.[11]

Credit reporting agencies

53.14 The collection of personal information, its collation in credit information files and the disclosure of this information to credit providers only may be performed by a ‘credit reporting agency’.[12] Section 11A provides that this term has two elements: a credit reporting agency must be a corporation and it must carry on a credit reporting business.

53.15 The requirement that a credit reporting agency must be a corporation is subject to a qualification. If the entity in question is engaged in wholly intra-state trade or commerce, and it is not engaged in banking or insurance (other than state banking or state insurance), then it is not regulated by Part IIIA.[13]

53.16 Section 6(1) of the Act defines the second element of a credit reporting agency—namely, that the agency carry on a ‘credit reporting business’—as being:

a business or undertaking (other than a business or undertaking of a kind in respect of which regulations made for the purposes of subsection (5C) are in force) that involves the preparation or maintenance of records containing personal information relating to individuals (other than records in which the only personal information relating to individuals is publicly available information), for the purpose of, or for purposes that include as the dominant purpose the purpose of, providing to other persons (whether for profit or reward or otherwise) information on an individual’s:

(a) eligibility to be provided with credit; or

(b) history in relation to credit; or

(c) capacity to repay credit;

whether or not the information is provided or intended to be provided for the purposes of assessing applications for credit.

53.17 This second element remains subject to some exemptions. Information concerning an individual’s commercial transactions is excluded.[14] Also, the regulations may exempt certain businesses from being considered credit reporting businesses for the purposes of the Act.[15] To date, however, no such regulations have been made.

Credit providers

53.18 In general, credit reporting agencies only may disclose information in credit information files to ‘credit providers’. Credit providers, in turn, may use credit reports only for certain purposes—notably, in assessing a person’s application for credit.

53.19 There is a finite list of categories of entities considered credit providers for the purposes of Part IIIA. This list does not include, for instance, real estate agents, debt collectors, employers and general insurers, and therefore they are not permitted to obtain credit reports.[16] Under the Act, the following are considered ‘credit providers’:

  • a bank;[17]

  • a corporation, or an entity that is neither a corporation nor a government agency, that provides loans or issues credit cards as a substantial part of its business, or is carrying on a retail business;[18]

  • an entity that provides loans (including by issuing credit cards), provided the Privacy Commissioner has made a determination in respect of such a class of entity;[19]

  • a government agency that provides loans and is determined by the Privacy Commissioner to be a credit provider for the purposes of the Act;[20]

  • a person who carries on a business involved in securitisation or managing loans that are subject to securitisation;[21] and

  • an agent of a credit provider while the agent is carrying on a task necessary for the processing of a loan application, or managing a loan or account with the credit provider.[22]

53.20 The regulations also can exempt a corporation that would otherwise be considered a credit provider from being so regarded for the purposes of the Act.[23] To date, no such regulations have been made.

Persons providing personal information to credit reporting agencies

53.21 Finally, the credit reporting provisions also apply to a person, X, who provides personal information about another person, Y, to a third person, Z, carrying on a credit reporting business. Subject to certain constitutional limitations discussed later in this chapter, s 18D states that X must not give personal information about Y to Z unless Z is a corporation. Personal information is taken to be ‘given’ for the purposes of s 18D if the person to whom the information is given (ie, Z) ‘is likely to use the information in the course of carrying on a credit reporting business’.[24]

[5] Note that other parts of the Act also relate to credit reporting. For instance, Part V deals with investigations by the Privacy Commissioner into alleged breaches of, among other things, the credit reporting rules.

[6]Privacy Act 1988 (Cth) s 6(1). The definition of ‘personal information’ is discussed in detail in Ch 6.

[7] Ibid s 6(1).

[8] The meanings of ‘credit reporting agency’ and ‘credit provider’ are discussed below.

[9]Privacy Act 1988 (Cth) s 6(1).

[10] Ibid s 6(1).

[11] Ibid s 18L(4).

[12] Ibid s 18C.

[13] See Ibid s 18C(2). This qualification is discussed in detail later in this chapter.

[14] Ibid s 6(5A).

[15] Ibid s 6(5C).

[16] Office of the Privacy Commissioner, Credit Reporting: Key Requirements of Part IIIA <www.privacy> at 24 August 2007.

[17]Privacy Act 1988 (Cth) s 11B(1)(a). The term ‘bank’ is defined in s 6(1) to mean: (a) the Reserve Bank of Australia; or (b) a body corporate that is an authorised deposit-taking institution for the purposes of the Banking Act 1959 (Cth); or (c) a person who carries on ‘State banking’ within the meaning of s 51(xiii) of the Constitution.

[18]Privacy Act 1988 (Cth) s 11B(1)(b), (c).

[19] Ibid s 11B(1)(b)(v). These determinations are discussed further in Ch 54.

[20] Ibid s 11B(1)(d). Indigenous Business Australia is the only entity deemed to be a credit provider under this provision: Privacy Commissioner, Credit Provider Determination No 2006–5 (Indigenous Business Australia), 25 October 2006.

[21]Privacy Act 1988 (Cth) s 11B(4A), (4B).

[22] Ibid s 11B(5). The Act makes clear that ‘the management of a loan’ in subsection (5) does not include action taken to recover overdue loan repayments: s 11B(7).

[23] Ibid s 11B(2).

[24] Ibid s 18D(5).