Privacy Act & Credit Reporting Code

Legislative Framework

The Privacy Act 1988 (Privacy Act) regulates how personal information is handled. The Privacy Act defines personal information as: Information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.

Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about a person.

The Privacy Act includes thirteen Australian Privacy Principles (APPs), which apply to some private sector organisations, as well as most Australian and Norfolk Island Government agencies. These are collectively referred to as ‘APP entities’.

In addition to generally regulating how ‘APP entities’ deal with individual’s personal information, the Privacy Act also specifically regulates the consumer credit reporting system (under Part IIIA of the Privacy Act), tax file numbers, and health and medical research.

Legislation

• Australian Privacy Principles

  The Australian Privacy Principles (APPs), which are contained in schedule 1 of the Privacy Act, outline how organisations should handle, use and manage personal information. They apply to most government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively called ‘APP entities’).

• Privacy Regulations 2025

  The Privacy Regulation 2025 provides additional and supporting information in relation to provisions of the Privacy Act, including setting out some definitions that relate to consumer credit reporting.

• Privacy (Credit Reporting) Code 2025

  The Privacy (Credit Reporting) Code 2025 is a mandatory code that provides operational guidance for the credit reporting sections of the Privacy Act, ensuring the law can be easily understood and applied to business operations.  

• Part IIIA of the Privacy Act - Credit Reporting

  The law that sets out the rules relating to credit reporting for consumer credit is in "Part IIIA" of the Privacy Act. This Part includes rules relating to the types of personal information that credit providers can disclose to a credit reporting body, the purpose of the information being included in an individual's credit report, what entities can handle that information, and the purposes for which that information may be handled.

Research and Guides of Interest

• RG 209 Credit licensing

  Responsible lending conduct is a guide for credit licensees, credit applicants and unlicensed carried over instrument lenders (unlicensed COI lenders). It sets out ASIC’s expectations for meeting the responsible lending obligations in the National Consumer Credit Protection Act 2009.

• RG 165 Licensing

  Internal and external dispute resolution. This guide explains what AFS licensees, unlicensed product issuers, unlicensed secondary sellers, credit licensees, credit representatives, unlicensed carried over instrument lenders (unlicensed COI lenders) and securitisation bodies must do to have a dispute resolution system in place that meets ASIC’s requirements.

• Senate Standing Committee on Legal and Constitutional Affairs Inquiry into the Privacy Amendment (Enhancing Privacy Protection) Bill 2012

  In June 2012 the Senate referred the bills to implement comprehensive credit reporting in Australia for a major parliamentary inquiry. The submissions to the inquiry, inquiry report and the government’s written response to the inquiry are useful background reading to the credit reporting reforms occurring in Australia.

• Australian Privacy Amendment Legislation

  In June 2010 this Senate committee commenced an inquiry into the proposed changes to the Privacy Act (the Privacy Amendment Legislation). This Inquiry was one of several that examined the proposal for comprehensive credit reporting in Australia. 

• For Your Information: Australian Privacy Law and Practice (ALRC Report 108)

  ALRC Report 108 (tabled August 2008) represents the culmination of a 28-month inquiry into the extent to which the Privacy Act 1988 (Cth) and related laws continue to provide an effective framework for the protection of privacy in Australia.

  ​This Inquiry resulted in a three-volume report, containing 74 chapters and 295 recommendations for reform.

• Productivity Commission: Data Availability and Use

  The Productivity Commission conducted a major review into the role of data access and use in the Australian economy, including the use of comprehensive credit reporting information.

Productivity Commission

The Productivity Commission conducted a major review into the role of data access and use in the Australian economy, including the use of comprehensive credit reporting information.