If your business offers deferred payment options to your customers for your goods or services, you may have additional obligations under Australian privacy laws and codes. The Privacy Act 1988 (Cth) (the Privacy Act), alongside the Privacy (Credit Reporting) Code 2014 (the CR Code), sets out the requirements for credit providers who offer credit. This article will provide guidance and key considerations for businesses that provide credit, as defined under the Privacy Act.
What is Credit?
Credit is a type of contract or arrangement where:
- payment of a debt owed by one person to another person is deferred; or
- one person incurs a debt to another person and defers payment of the debt.
While it sounds technical, credit simply means whenever you provide goods or services and allow your customers to not pay immediately. You can think of this as a deferred payment plan. It includes hire-purchase arrangements if the customer does not make full payment at the time you provide the hired goods to them. Therefore, if your business enters into hire-purchase arrangements but requires a bond or deposit to be paid upfront, you may not be considered to be providing credit.
What is a Credit Provider?
Common types of credit providers are:
- banks;
- businesses where a large part of their business is the provision of credit; and
- retailers who issue credit cards to customers in connection with the sale of their goods or services.
However, if a business sells, supplies, hires, leases or rents out its goods or services and defers repayment for at least 7 days, that business is also considered a credit provider.
While the obligations also apply to agents of credit providers, they do not apply to real estate agents, general insurers, or employers of individuals.
If your business is not an APP entity but is a credit provider, you are only required to comply with your obligations as a credit provider under the Privacy Act and CR Code, and not the Australian Privacy Principles as well.
Continue reading this article below the formWhat is Credit Information?
“Credit information” refers to personal information that includes:
- identification information about an individual;
- information about an individual’s consumer credit liability;
- information about an individual’s repayment history;
- an individual’s default information;
- an individual’s payment information; or
- a credit provider’s opinion that the individual has committed a serious credit infringement.
“Credit eligibility information” is another form of credit information that may include the credit report or credit assessment score of the individual.

Whether you’re a small business owner or the Chief Financial Officer of an ASX-listed company, one fact remains: your customers need to pay you.
This manual aims to help business owners, financial controllers and credit managers best manage and recover their debt.
Key Documents
Credit Application Form
If you are offering deferred payment for a large sum or for an extended period of time, consider having your customers complete a credit application form. Credit application forms will usually include the following information:
- contact details of the customer;
- bank details and a direct debit authorisation (if you will be direct debiting the customer);
- trade references;
- a personal guarantee (if you are providing credit to another business);
- the credit terms and conditions, including the payment terms, how and when payments are to be made (if any interest is payable on unpaid amounts); and
- actions you may take for late payments.
Credit Information Policy
When providing credit, you must have a credit information policy that clearly sets out how you collect, manage and disclose your customers’ credit information. You can incorporate your credit information policy into your privacy policy.
A thorough credit information policy should include the following details:
- the types of credit information and credit eligibility information that your business collects;
- how your business collects credit information, such as directly or indirectly and from what sources;
- the purposes for collecting credit information;
- how and when your business may disclose an individual’s credit information;
- if you will be disclosing credit information overseas, to which countries you will be disclosing it; and
- information regarding how individuals can access and amend their credit information.
Key Takeaways
It is essential that your business appropriately manages personal information, including credit information, and understands the obligations relating to it. Consumers and lawmakers are increasingly turning their focus to this area, and ensuring you are complying is the only way to avoid potential penalties.
If you need help understanding your obligations as a credit provider, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
If you offer deferred payment for seven days or more, you will be considered a credit provider under the Privacy Act. Therefore, you must comply with the requirements set out for credit providers.
If you are acting as an agent of the credit provider when obtaining credit information, you are still a credit provider. This applies to both the agent and the principal, where the principal provides the credit and you are their agent.
You will be considered a credit provider if the following apply to your hire-purchase agreements:
- you do not require the consumer to make a deposit or pay any kind of bond; and
- payment is deferred for at least seven days.
We appreciate your feedback – your submission has been successfully received.