A small business with an annual turnover of $3 million or less does not typically need to comply with the Australian Privacy Principles (APPs) unless it satisfies one of the criteria contained in the Privacy Act 1988 (Cth) (the Act). However, even though they may be small businesses, credit reporting bodies and credit providers do have obligations under the Act and the APPs. Below, we set out their legal responsibilities regarding personal information and privacy.
Credit and the Privacy Act
The Privacy Act regulates the collection, use and disclosure – but not the management – of consumer credit information. Credit refers to a contract, arrangement or understanding under which a person must pay another a debt owed, including hire purchase agreements.
The Act defines credit information as personal information (and not sensitive information) that includes:
- Identification information about a person; or
- Information about a person’s consumer credit liability; or
- Information about a person’s repayment history; or
- An individual’s default information; or
- A person’s payment information; or
- A credit provider’s opinion that the individual has committed a serious credit infringement.
A core function of credit information is to permit an evaluation of a person’s creditworthiness – that is, their eligibility to receive consumer credit, their credit history and capacity to repay.
Small Business and Credit Reporting
A small business, which is also a credit reporting business, is not exempt from complying with the Act or the APPs. Credit reporting businesses collect, use or disclose personal information for the purpose of providing an entity with information about a person’s creditworthiness. The definition excludes firms that share information with a related company, or those prescribed in the Privacy Regulation 2013 (Cth).
Division 2 of the Act details the responsibilities of a credit reporting body and how it must manage, collect and deal with credit information, as well as:
- When a credit reporting body can disclose information;
- Obligations regarding accuracy of information;
- How individuals can access their information;
- Correcting credit information;
- Retention periods for the information; and
- When a business must destroy the information.
This Division specifically applies to how credit reporting bodies manage the following:
- Credit reporting information;
- Credit provider derived information;
- De-identified credit reporting information; and
- Pre-screening assessment.
Although the APPs do not apply to this type of information, they may apply if the credit provider handles other types of personal information alongside credit reporting information.
A small business is also a credit provider if it meets the following requirements:
- Carries on a business and a substantial part of that business is providing credit; and
- Carries on a retail business and in the course of business issues credit cards to individuals in connection with the sale of goods or supply of services; and
- Carries on a business that involves providing credit and is prescribed by Privacy Regulation 2013 (Cth).
A small business that is also a credit provider must also comply with its obligations under Division 3 of the Act. Division 3 outlines the responsibilities of credit providers regarding collecting, using and disclosing credit information. Credit providers must, like credit reporting bodies and all APP entities, handle the information transparently and openly. The Act prescribes the following:
- How a credit provider must collect credit information;
- Providing access to data in certain circumstances; and
- The circumstances in which the information can be corrected.
A small business operator that is also a credit provider must comply with all its obligations under Part IIIA of the Act. Division 3 of Part IIIA specifically applies to credit providers and their handling of credit information, credit eligibility information, and credit reporting body derived information.
Unlike Division 2, this Division operates instead of the APPs with respect to this information.
If a small business that is also a credit provider is an APP entity, Division 3 will apply in addition to its APP obligations. However, if a small business that is also a credit provider qualifies as a small business operator under the Act, it does not also need to comply with the APPs.
Credit Reporting Code
If a small business is a credit reporting body or credit provider, it must familiarise itself with the Privacy (Credit Reporting) Code 2014 (the Code). The Code clarifies and can supplement the obligations in Part IIIA of the Act and binds credit providers and credit reporting bodies. If a business breaches the Code, it also breaches the Act.
Small business operators should understand whether they are considered a credit reporting body or credit provider under the Act. If they are, they will have obligations under the Act, the APPs and the Credit Code. These obligations will apply even though the Act exempts small businesses with an annual turnover of less than $3 million from complying. If you have any questions or need any assistance complying with your privacy obligations, get in touch with our commercial lawyers on 1300 544 755.