Content of credit information files

53.22 A credit information file may contain information that is ‘reasonably necessary to identify the individual’.[25] Under s 18E(3), the Privacy Commissioner may determine ‘the kinds of information that are … reasonably necessary to be included in an individual’s credit information file in order to identify the individual’. Any such determination is said to be a ‘disallowable instrument’, which means that it must be tabled in the Australian Parliament and is then subject to disallowance.[26] In 1991, the Privacy Commissioner determined that the following kinds of information are ‘reasonably necessary’ to identify the individual:

i. full name, including any known aliases; sex; and date of birth;

ii. a maximum of three addresses consisting of a current or last known address and two immediately previous addresses;

iii. name of current or last known employer; and

iv. driver’s licence number.[27]

53.23 The Act does not state that information purporting to identify an individual must be verified in any particular way or be of any particular standard before it is included in a credit information file. This may be relevant to such issues as identity theft.

53.24 As well as information reasonably necessary to identify the individual, s 18E provides an exhaustive list of the other categories of personal information that may be included in a credit information file. Anything that constitutes personal information, but is not included in this list, may not be included in a credit information file. The Act allows a credit reporting agency to hold personal information in an individual’s credit information file only for a finite period, the length of which depends on the nature of the information in question. After this period has elapsed, the agency must delete the relevant information within one month.[28]

53.25 In summary, information may be included in a credit information file if it is a record of:

  • a credit provider having sought a credit report in connection with an application for consumer or commercial credit, provided the record also states the amount of credit sought;[29]
  • a credit provider having sought a credit report for the purpose of assessing the risk in purchasing, or undertaking credit enhancement of, a loan by means of securitisation;[30]
  • a mortgage or trade insurer having sought a credit report in connection with the provision of mortgage or trade insurance to a credit provider;[31]
  • a credit provider having sought a credit report in connection with the individual having offered to act as guarantor for a loan;[32]
  • a credit provider being a current credit provider in relation to the individual;[33]
  • credit provided by a credit provider to an individual, where the individual is at least 60 days overdue in making a payment on that credit and the credit provider has taken steps to recover some or all of the credit outstanding;[34]
  • a cheque for $100 or more that has been dishonoured twice;[35]
  • a court judgment or bankruptcy order made against the individual;[36]
  • a credit provider’s opinion that the individual has committed a specific serious credit infringement;[37]
  • an overdue payment to a credit provider by a person acting as guarantor to a borrower, provided the following conditions are met: the credit provider is not prevented by law from bringing proceedings to recover the overdue amount; the credit provider has given the guarantor notice of the borrower’s default; 60 days have elapsed since the notice was given; and the credit provider has taken steps to recover the overdue payment from the guarantor;[38] and
  • a note or annotation to be made to the individual’s existing credit information file, pursuant to ss 18J(2), 18F(4) or 18K(5).[39]

53.26 Certain types of personal information must never be included in an individual’s credit information file. That is, information recording an individual’s:

  • political, social or religious beliefs or affiliations;
  • criminal record;
  • medical history or physical handicaps;
  • race, ethnic origins or national origins;
  • sexual preferences or practices; or
  • lifestyle, character or reputation.[40]

53.27 If a credit report contains personal information that does not fall within the permitted categories, a credit provider who holds the report must not use this personal information, and must not use the report at all until the relevant information has been deleted.[41] A breach of this requirement constitutes a credit reporting infringement.[42] In this situation, an individual may complain to the Privacy Commissioner that the credit provider has committed an interference with the individual’s privacy.[43] The Privacy Commissioner then may carry out an investigation and issue a determination in accordance with Part V of the Act.[44]

[25] Ibid s 18E(1)(a).

[26] Ibid s 18E(4)–(6). Note that s 18E(6) of the Privacy Act refers to s 46A of the Acts Interpretation Act 1901 (Cth). However, the latter provision has been repealed. Section 6(d)(i) of the Legislative Instruments Act 2003 (Cth) provides that an instrument said to be a disallowable instrument for the purposes of s 46A of the Acts Interpretation Act should be considered a legislative instrument for the purposes of the Legislative Instruments Act.

[27] Privacy Commissioner, Determination under the Privacy Act 1988: 1991 No 2 (s 18E(3)): Concerning Identifying Particulars Permitted to be Included in a Credit Information File, 11 September 1991.

[28]Privacy Act 1988 (Cth) s 18F(1).

[29] Ibid s 18E(1)(b)(i). The information may be kept for a maximum of five years after the relevant credit report was sought: s 18F(2)(a).

[30] Ibid s 18E(1)(b)(ia). The information may be kept for a maximum of five years after the relevant credit report was sought: s 18F(2)(a).

[31] Ibid s 18E(1)(b)(ii), (iii). The information may be kept for a maximum of five years after the relevant credit report was sought: s 18F(2)(a).

[32] Ibid s 18E(1)(b)(iv). The information may be kept for a maximum of five years after the relevant credit report was sought: s 18F(2)(a).

[33] Ibid s 18E(1)(b)(v). The information may be kept for a maximum of 14 days after the credit reporting agency is notified that the credit provider is no longer the individual’s credit provider: s 18F(2)(b).

[34] Ibid s 18E(1)(b)(vi). The information may be kept for a maximum of five years after the credit reporting agency was informed of the overdue payment concerned: s 18F(2)(c).

[35] Ibid s 18E(1)(b)(vii). The information may be kept for a maximum of five years after the second dishonouring of the cheque: s 18F(2)(d).

[36] Ibid s 18E(1)(b)(viii), (ix). A record of judgment may be kept for a maximum of five years after the judgment was made: s 18F(2)(e). A record of a bankruptcy order may be kept for a maximum of seven years after the order was made: s 18F(2)(f).

[37] Ibid s 18E(1)(b)(x). The information may be kept for a maximum of seven years after the information was included in the credit information file: s 18F(2)(g).

[38] Ibid s 18E(1)(ba). The information may be kept for a maximum of five years after the credit reporting agency was informed of the overdue payment: s 18F(2A).

[39] Ibid s 18E(1)(c), (d); see also s 18E(7). Note that s 18J(2) obliges a credit reporting agency to include a statement of the correction, deletion or addition sought by an individual to his or her credit information file, where the agency has not made the relevant change; s 18F(4) requires a credit reporting agency, when appropriately informed, to include a note saying that the individual is no longer overdue in making a payment; and s 18K(5) requires a credit reporting agency to include a note on a person’s credit information file when it has disclosed personal information from the file.

[40] Ibid s 18E(2).

[41] Ibid s 18L(3).

[42] A breach of a provision of Part IIIA is a ‘credit reporting infringement’: Ibid s 6(1).

[43] See Ibid ss 13(d), 36(1).

[44] The Privacy Commissioner’s complaint-handling processes are discussed in Ch 49.