Use of personal information

Credit providers

53.41 Section 18L(1) of the Act states the general rule that a credit provider may only use an individual’s credit report, or personal information it derives from the credit report, for the purpose of assessing the individual’s application for credit, or for one of the other permitted purposes for which the report was originally given to the credit provider.[83] If a credit provider intentionally contravenes this provision, it is liable for a fine of up to $150,000.[84]

53.42 The rule in s 18L(1) is subject to the following exceptions, which allow a credit provider to use a credit report:

  • as required or authorised by law;[85]

  • if the credit provider reasonably believes the individual has committed a serious credit infringement, and the information is used in connection with the infringement;[86] or

  • in connection with an individual’s commercial activities or commercial credit worthiness, provided the individual agrees.[87]

Use and disclosure by mortgage and trade insurers

53.43 Mortgage and trade insurers must only use personal information contained in an individual’s credit report only in connection with assessing the risk in providing such insurance to the individual’s credit provider, or as required or authorised by law.[88] They must not disclose personal information from a credit report to any person unless required or authorised by law.[89] If a mortgage or trade insurer ‘knowingly or recklessly’ contravenes any of these provisions, it is liable for a fine of up to $150,000.[90]

Use and disclosure by other persons

53.44 There are specific rules on how other persons may use personal information that they have obtained from a credit provider or credit reporting agency. Any person who intentionally contravenes one of these provisions will be liable for a fine of up to $30,000.[91] The rules are as follows:

  • Where a credit provider discloses information to a related corporation, the related corporation is subject to the use and disclosure limitations that apply to the credit provider. The same rules also apply where a credit report is received by a person who was deemed to be a credit provider because it was engaged in securitisation of a loan, but has since ceased to be a credit provider.[92]

  • Where information is received by a corporation, in connection with its taking on a debt owed to the credit provider, the corporation may use the information only in considering whether to take on the debt. If it takes on the debt, the corporation may use the information in connection with exercising its rights. Similar rules apply to a professional legal adviser or financial adviser in connection with advising the corporation about these matters, or as required or authorised by law.[93]

  • Where information is received by a person who manages loans made by the credit provider, the information only may be used for managing these loans, or as required or authorised by law.[94]

[83] The other permitted purposes are summarised earlier in this chapter.

[84]Privacy Act 1988 (Cth) s 18L(2).

[85] Ibid s 18L(1)(e).

[86] Ibid s 18L(1)(f).

[87] Ibid s 18L(4), (4A). The Privacy Commissioner has a power to determine how this information may be used and how an individual’s consent may be obtained: s 18L(6)–(8). To date, this power has not been exercised.

[88] Ibid s 18P(1), (2). Mortgage insurers also may use such information pursuant to the contract between the mortgage insurer and the credit provider: s 18P(1)(c).

[89] Ibid s 18P(5).

[90] Ibid s 18P(6).

[91] Ibid s 18Q(9).

[92] Ibid s 18Q(1), (6)–(7A).

[93] Ibid s 18Q(2), (3). See also s 18Q(8).

[94] Ibid s 18Q(4). See also s 18Q(8).