
When Do Credit Reporting Bodies Need to Comply With the Privacy Act?

A small business does not typically need to comply with the Australian Privacy Principles (APPs) unless it has an annual turnover of $3 million or less and satisfies one of the criteria contained in the Privacy Act 1988 (Cth) (the Act). However, even though they may be small businesses, credit reporting bodies and credit providers do have obligations under the Act and the APPs. Below, we set out their legal responsibilities regarding personal information and privacy.

Credit and the Privacy Act  

The Privacy Act regulates the collection, use and disclosure – but not the management – of consumer credit information. Credit refers to a contract, arrangement or understanding under which a person must pay another a debt owed, including hire purchase agreements.

The Act defines credit information as personal information (and not sensitive information) that includes:

  • Identification information about a person; or
  • Information about a person’s consumer credit liability; or
  • Information about a person’s repayment history; or
  • An individual’s default information; or
  • A person’s payment information; or
  • A credit provider’s opinion that the individual has committed a serious credit infringement.

A core function of credit information is to permit an evaluation of a person’s creditworthiness – that is, their eligibility to receive consumer credit, their credit history and capacity to repay.

Small Business and Credit Reporting

A small business, which is also a credit reporting business, is not exempt from complying with the Act or the APPs. Credit reporting businesses collect, use or disclose personal information for the purpose of providing an entity with information about a person’s creditworthiness. The definition excludes firms that share information with a related company, or those prescribed in the Privacy Regulation 2013 (Cth).

Division 2 of the Act details the responsibilities of a credit reporting body and how they manage, collect and deal with credit information, as well as:

  • When a credit reporting body can disclose information; 
  • Obligations regarding accuracy of information;
  • How individuals can access their information;
  • Correcting credit information;
  • Retention periods for the information; and
  • When a business must destroy the information.

This Division specifically applies to how credit reporting bodies manage the following:

  • Credit reporting information;
  • Credit provider derived information;
  • De-identified credit reporting information; and
  • Pre-screening assessment.

Although the APPs do not apply to this type of information, they can apply if the credit provider handles other types of personal information alongside credit reporting information.


Credit Providers

A small business is also a credit provider if it meets the following requirements:

  • Carries on a business and a substantial part of that business is providing credit; and
  • Carries on a retail business and in the course of business issues credit cards to individuals in connection with the sale of goods or supply of services; and
  • Carries on a business that involves providing credit and is prescribed by Privacy Regulation 2013 (Cth).

A small business that is also a credit provider must also comply with its obligations under Division 3 of the Act. Division 3 outlines the responsibilities of credit providers regarding collecting, using and disclosing credit information. Credit providers must, like credit reporting bodies and all APP entities, handle the information transparently and openly. The Act prescribes the following:

  • How a credit provider must collect credit information;
  • Providing access to data in certain circumstances; and
  • The circumstances in which the information can be corrected.

A small business operator that is also a credit provider must comply with all its obligations under Part IIIA of the Act. Division 3 of Part IIIA specifically applies to credit providers and their handling of credit information, credit eligibility information, and credit reporting body derived information.

Unlike Division 2, this Division does operate instead of the APP concerning this information.

If a small business and credit provider is an APP entity, Division 3 will apply in addition to its APP obligations. However, if a small business and credit provider qualifies as a small business operator under the Act, it does not also need to comply with the APPs.

Credit Reporting Code

If a small business is a credit reporting body or credit provider, it must familiarise itself with the Privacy (Credit Reporting) Code 2014 (the Code). The Code clarifies and can supplement the obligations in Part IIIA of the Act and binds credit providers and credit reporting bodies. If a business breaches the Code, it also breaches the Act.

Key Takeaways

Small business operators should understand whether they are considered a credit reporting body or credit provider under the Act. If they are, they will have obligations under the Act, the APPs and the Credit Code. These obligations will apply even though the Act exempts small businesses with an annual turnover of less than $3 million from complying. If you have any questions or need any assistance complying with your privacy regulations, get in touch with our commercial lawyers on 1300 544 755.

Carole Hemingway
