Privacy Amendment Act 1990
No. 116 of 1990
An Act to amend the Privacy Act 1988
[Assented to 24 December 1990]
BE IT ENACTED by the Queen, and the Senate and the House of Representatives of the Commonwealth of Australia, as follows:
Short title etc.
1. (1) This Act may be cited as the Privacy Amendment Act 1990.
(2) In this Act, “Principal Act” means the Privacy Act 1988.
Commencement
2. (1) Subject to subsection (2), the provisions of this Act commence on a day or days to be fixed by Proclamation.
(2) If a provision of this Act does not commence under subsection (1) within the period of 9 months beginning on the day on which this Act receives the Royal Assent, it commences on the first day after the end of that period.
Saving of certain State and Territory laws
3. Section 3 of the Principal Act is amended by inserting “(including such a law relating to credit reporting or the use of information held in connection with credit reporting)” after “privacy of persons”.
4. After section 5 of the Principal Act the following section is inserted in Part I:
Extension to external Territories
“5a. This Act extends to all external Territories.”.
Interpretation
5. Section 6 of the Principal Act is amended:
(a) by omitting from subsection (1) the definition of “financial corporation” and substituting the following definition:
“ ‘financial corporation’ means a financial corporation within the meaning of paragraph 51 (xx) of the Constitution;”;
(b) by inserting in subsection (1) the following definitions:
“ ‘bank’ means:
(a) the Reserve Bank of Australia; or
(b) a bank within the meaning of the Banking Act 1959; or
(c) a person who carries on State banking within the meaning of paragraph 51 (xiii) of the Constitution;
‘building society’ means a society registered or incorporated as a building society, co-operative housing society or similar society under a law relating to such societies that is in force in a State or Territory;
‘Code of Conduct’ means the Code of Conduct issued under section 18a;
‘commercial credit’ means a loan sought or obtained by a person, other than a loan of a kind referred to in the definition of ‘credit’ in this subsection;
‘credit’ means a loan sought or obtained by an individual from a credit provider in the course of the credit provider carrying on a business or undertaking as a credit provider, being a loan that is intended to be used wholly or primarily for domestic, family or household purposes;
‘credit card’ means any article of a kind commonly known as a credit card, charge card or any similar article intended for use in obtaining cash, goods or services by means of loans, and includes any article of a kind commonly issued by persons carrying on business to customers or prospective customers of those persons for use in obtaining goods or services from those persons by means of loans;
‘credit information file’, in relation to an individual, means any record that contains information relating to the individual and is kept by a credit reporting agency in the course of carrying on a credit reporting business (whether or not the record is a copy of the whole or part of, or was prepared using, a record kept by another credit reporting agency or any other person);
‘credit provider’ has the meaning given by section 11b, and, for the purposes of sections 7 and 8 and Parts III, IV and V, is taken to include a mortgage insurer and a trade insurer;
‘credit report’ means any record or information, whether in a written, oral or other form, that:
(a) is being or has been prepared by a credit reporting agency; and
(b) has any bearing on an individual’s:
(i) eligibility to be provided with credit; or
(ii) history in relation to credit; or
(iii) capacity to repay credit; and
(c) is used, has been used or has the capacity to be used for the purpose of serving as a factor in establishing an individual’s eligibility for credit;
‘credit reporting agency’ has the meaning given by section 11a;
‘credit reporting business’ means a business or undertaking (other than a business or undertaking of a kind in respect of which regulations made for the purposes of subsection (5c) are in force) that involves the preparation or maintenance of records containing personal information relating to individuals (other than records in which the only personal information relating to individuals is publicly available information), for the purpose, or for purposes that include the purpose, of providing to other persons (whether for profit or reward or otherwise) information on an individual’s:
(a) eligibility to be provided with credit; or
(b) history in relation to credit; or
(c) capacity to repay credit;
whether or not the information is provided or intended to be provided for the purposes of assessing applications for credit;
‘credit reporting complaint’ means a complaint about an act or practice that, if established, would be an interference with the privacy of the complainant because:
(a) it breached the Code of Conduct; or
(b) it breached a provision of Part IIIa;
‘credit reporting infringement’ means:
(a) a breach of the Code of Conduct; or
(b) a breach of a provision of Part IIIa;
‘credit union’ means a society or other body of persons that is registered or incorporated as a credit union or credit society under a law relating to credit unions or credit societies that is in force in a State or Territory;
‘current credit provider’, in relation to an individual, means a credit provider who has given, to the individual, credit that has not yet been fully repaid or otherwise fully discharged;
‘eligible communications service’ means a postal, telegraphic, telephonic or other like service, within the meaning of paragraph 51 (v) of the Constitution;
‘loan’ means a contract, arrangement or understanding under which a person is permitted to defer payment of a debt, or to incur a debt and defer its payment, and includes:
(a) a hire-purchase agreement; and
(b) such a contract, arrangement or understanding for the hire, lease or renting of goods or services, other than a contract, arrangement or understanding under which:
(i) full payment is made before, or at the same time as, the goods or services are provided; and
(ii) in the case of a hiring, leasing or renting of goods—an amount greater than or equal to the value of the goods is paid as a deposit for the return of the goods;
‘mortgage credit’ means credit provided in connection with the acquisition, maintenance or improvement of real property, being credit in respect of which the real property is security;
‘mortgage insurer’ means a corporation that carries on a business or undertaking (whether for profit, reward or otherwise) that involves providing insurance to credit providers in respect of mortgage credit given by credit providers to other persons;
‘serious credit infringement’ means an act done by a person:
(a) that involves fraudulently obtaining credit, or attempting fraudulently to obtain credit; or
(b) that involves fraudulently evading the person’s obligations in relation to credit, or attempting fraudulently to evade those obligations; or
(c) that a reasonable person would consider indicates an intention, on the part of the first-mentioned person, no longer to comply with the first-mentioned person’s obligations in relation to credit;
‘trade insurer’ means a corporation that carries on a business or undertaking (whether for profit, reward or otherwise) that involves providing insurance to credit providers in respect of commercial credit given by credit providers to other persons;”;
(c) by inserting after subsection (3) the following subsection:
“(3a) For the purposes of this Act, an act or practice breaches the Code of Conduct if, and only if, it is contrary to, or inconsistent with, the Code of Conduct.”;
(d) by inserting after subsection (5) the following subsections:
“(5a) For the purposes of the definition of ‘credit reporting business’ in subsection (1), information concerning commercial transactions engaged in by or on behalf of an individual is not to be taken to be information relating to an individual’s:
(a) eligibility to be provided with credit; or
(b) history in relation to credit; or
(c) capacity to repay credit.
“(5b) In considering whether a business or undertaking, carried on by a credit provider that is a corporation, is a credit reporting business within the meaning of this Act, the provision of information by the credit provider to corporations related to it is to be disregarded.
“(5c) The regulations may provide that businesses or undertakings of a specified kind are not credit reporting businesses within the meaning of this Act.”;
(e) by omitting subsection (7) and substituting the following subsection:
“(7) Nothing in this Act prevents a complaint from:
(a) being both a file number complaint and an IPP complaint; or
(b) being both a file number complaint and a credit reporting complaint.”;
(f) by adding at the end the following subsection:
“(8) For the purposes of this Act, the question whether corporations are related to each other is determined in the same manner as the question whether corporations, within the meaning of the Companies Act 1981, are related to each other would be determined under that Act.”.
Acts and practices of agencies etc.
6. Section 7 of the Principal Act is amended:
(a) by omitting from paragraph (1) (a) “or a file number recipient” and substituting “, a file number recipient, a credit reporting agency or a credit provider”;
(b) by inserting after subsection (3) the following subsection:
“(3a) For the purposes of this Act, an act is only to be taken to have been done, and a practice is only to be taken to have been engaged in, by a credit provider that is not a corporation if the act is done, or the practice is engaged in, in the course of, or for the purposes of, banking (other than State banking not extending beyond the limits of the State concerned) carried on by the credit provider.”.
Acts and practices of, and disclosure of information to, staff of agency etc.
7. Section 8 of the Principal Act is amended:
(a) by omitting from paragraph (1) (a) “or file number recipient” and substituting “, file number recipient, credit reporting agency or credit provider”;
(b) by omitting from paragraph (1) (a) “or recipient” and substituting “, recipient, credit reporting agency or credit provider”.
8. After section 11 of the Principal Act the following sections are inserted:
Credit reporting agencies
“11a. For the purposes of this Act, a person is a credit reporting agency if the person is a corporation that carries on a credit reporting business.
Credit providers
“11b. (1) For the purposes of this Act, but subject to subsection (2), a person is a credit provider if the person is:
(a) a bank; or
(b) a corporation (other than an agency):
(i) that is a building society; or
(ii) that is a credit union; or
(iii) a substantial part of whose business or undertaking is the provision of loans (including the provision of loans by issuing credit cards); or
(iv) that carries on a retail business in the course of which it issues credit cards to members of the public in connection with the sale of goods, or the supply of services, by the corporation; or
(v) that:
(a) carries on a business or undertaking involving the provision of loans (including the provision of loans by issuing credit cards); and
(b) is included in a class of corporations determined by the Commissioner to be credit providers for the purposes of this Act; or
(c) a person:
(i) who is not a corporation; and
(ii) in relation to whom paragraph (b) would apply if the person were a corporation.
“(2) For the purposes of this Act, a corporation that would, but for this section, be a credit provider is not to be regarded as a credit provider if it is included in a class of corporations declared by the regulations not to be credit providers.
“(3) A determination under sub-subparagraph (1) (b) (v) (b) is to be made by notice in writing published in the Gazette.
“(4) A notice so published is a disallowable instrument for the purposes of section 46a of the Acts Interpretation Act 1901.”.
9. After section 12 of the Principal Act the following section is inserted in Part II:
Act not to apply in relation to State banking or insurance within that State
“12a. Where, but for this section, a provision of this Act:
(a) would have a particular application; and
(b) by virtue of having that application, would be a law with respect to, or with respect to matters including:
(i) State banking not extending beyond the limits of the State concerned; or
(ii) State insurance not extending beyond the limits of the State concerned;
the provision is not to have that application.”.
Interferences with privacy
10. Section 13 of the Principal Act is amended:
(a) by inserting in paragraph (a) “, credit reporting agency or credit provider” after “file number recipient”;
(b) by inserting in paragraph (b) “, credit reporting agency or credit provider” after “agency”;
(c) by omitting from paragraph (b) “or” (last occurring);
(d) by adding at the end the following word and paragraph:
“; or (d) in the case of an act or practice engaged in by a credit reporting agency or credit provider (whether or not the credit reporting agency or credit provider is also an agency or file number recipient)—constitutes a credit reporting infringement in relation to personal information that relates to the individual.”.
Guidelines relating to tax file number information
11. Section 17 of the Principal Act is amended by omitting from subsection (3) “Section 48” (first occurring) and substituting “In its application under subsection (2) of this section, section 48”.
12. After section 18 of the Principal Act the following sections are inserted in Part III:
Code of Conduct relating to credit information files and credit reports
“18a. (1) The Commissioner must, by notice published in the Gazette, issue a Code of Conduct concerning:
(a) the collection of personal information for inclusion in individuals’ credit information files; and
(b) the storage of, security of, access to, correction of, use of and disclosure of personal information included in individuals’ credit information files or in credit reports; and
(c) the manner in which credit reporting agencies and credit providers are to handle disputes relating to credit reporting; and
(d) any other activities, engaged in by credit reporting agencies or credit providers, that are connected with credit reporting.
“(2) Before issuing the Code of Conduct, the Commissioner must, to the extent that it is appropriate and practicable to do so, consult with government, commercial, consumer and other relevant bodies and organisations.
“(3) In preparing the Code of Conduct, the Commissioner must have regard to:
(a) the Information Privacy Principles and the provisions of Part IIIa; and
(b) the likely costs to credit reporting agencies and credit providers of complying with the Code of Conduct.
“(4) The Code of Conduct is a disallowable instrument for the purposes of section 46a of the Acts Interpretation Act 1901.
Credit reporting agencies and credit providers to comply with Code of Conduct
“18b. A credit reporting agency or credit provider must not do an act, or engage in a practice, that breaches the Code of Conduct.”.
13. Before Part IV of the Principal Act the following Part is inserted:
“PART IIIA—CREDIT REPORTING
Certain credit reporting only to be undertaken by corporations
“18c. (1) A person must not use an eligible communications service in the course of carrying on a credit reporting business unless the person is a corporation.
“(2) A person must not:
(a) in the course of trade or commerce:
(i) between Australia and places outside Australia; or
(ii) among the States; or
(iii) between a State and a Territory; or
(iv) among the Territories; or
(b) in the course of banking (other than State banking not extending beyond the limits of the State concerned); or
(c) in the course of insurance business (other than insurance business relating to State insurance not extending beyond the limits of the State concerned); or
(d) in a Territory;
carry on a credit reporting business unless the person is a corporation.
“(3) A person must not act on a corporation’s behalf in the course of carrying on a credit reporting business unless the person is a corporation.
“(4) A person who knowingly or recklessly contravenes this section is guilty of an offence punishable, on conviction, by a fine not exceeding $30,000.
Personal information not to be given to certain persons carrying on credit reporting
“18d. (1) A person must not use an eligible communications service to give to a person carrying on a credit reporting business personal information in circumstances to which this section applies unless the last-mentioned person is a corporation.
“(2) A person must not:
(a) in the course of trade or commerce:
(i) between Australia and places outside Australia; or
(ii) among the States; or
(iii) between a State and a Territory; or
(iv) among the Territories; or
(b) in the course of banking (other than State banking not extending beyond the limits of the State concerned); or
(c) in the course of insurance business (other than insurance business relating to State insurance not extending beyond the limits of the State concerned); or
(d) in a Territory;
give to a person carrying on a credit reporting business personal information in circumstances to which this section applies unless the last-mentioned person is a corporation.
“(3) A corporation must not give to a person carrying on a credit reporting business personal information in circumstances to which this section applies unless the last-mentioned person is a corporation.
“(4) A person who knowingly or recklessly contravenes this section is guilty of an offence punishable, on conviction, by a fine not exceeding $12,000.
“(5) For the purposes of this section, personal information is to be taken to be given to a person in circumstances to which this section applies if the person to whom the information is given is likely to use the information in the course of carrying on a credit reporting business.
Permitted contents of credit information files
“18e. (1) A credit reporting agency must not include personal information in an individual’s credit information file unless:
(a) the inclusion of the information in the file is reasonably necessary in order to identify the individual; or
(b) the information is a record of:
(i) both:
(a) a credit provider having sought a credit report in relation to an individual in connection with an application for credit or commercial credit made by the individual to the credit provider; and
(b) the amount of credit or commercial credit sought in the application; or
(ii) a mortgage insurer having sought a credit report in connection with the provision of insurance to a credit provider in respect of mortgage credit given by the credit provider to the individual; or
(iii) a trade insurer having sought a credit report in connection with the provision of insurance to a credit provider in respect of commercial credit given by the credit provider to the individual or another person; or
(iv) a credit provider having sought a credit report in connection with the individual having offered to act as guarantor in respect of a loan or an application for a loan; or
(v) a credit provider being a current credit provider in relation to the individual; or
(vi) credit provided by a credit provider to an individual, being credit in respect of which:
(a) the individual is at least 60 days overdue in making a payment, including a payment that is wholly or partly a payment of interest; and
(b) the credit provider has taken steps to recover the whole or any part of the amount of credit (including any amounts of interest) outstanding; or
(vii) a cheque, for an amount not less than $100, that:
(a) has been drawn by the individual; and
(b) has twice been presented and dishonoured; or
(viii) court judgments made against the individual; or
(ix) bankruptcy orders made against the individual; or
(x) the opinion of a credit provider that the individual has, in the circumstances specified, committed a serious credit infringement; or
(c) the information is included in a statement provided by the individual under subsection 18j (2) for inclusion in the file; or
(d) the information is included in a note included in the file under subsection 18f (4) or 18k (5).
“(2) A credit reporting agency must not include in an individual’s credit information file personal information recording the individual’s:
(a) political, social or religious beliefs or affiliations; or
(b) criminal record; or
(c) medical history or physical handicaps; or
(d) race, ethnic origins or national origins; or
(e) sexual preferences or practices; or
(f) lifestyle, character or reputation.
“(3) The Commissioner may determine, in writing, the kinds of information that are, for the purposes of paragraph (1) (a), reasonably necessary to be included in an individual’s credit information file in order to identify the individual.
“(4) Where the Commissioner so determines, information that is not of a kind so determined is to be taken not to be information that is permitted to be included in an individual’s credit information file under paragraph (1) (a).
“(5) A determination is to be made by notice published in the Gazette.
“(6) A notice so published is a disallowable instrument for the purposes of section 46a of the Acts Interpretation Act 1901.
“(7) A credit reporting agency must not open a credit information file in relation to an individual unless it has information, concerning the individual, to include in the file that is information of a kind referred to in paragraph (1) (b).
“(8) A credit provider must not give to a credit reporting agency personal information relating to an individual if:
(a) a credit reporting agency is prohibited, under subsection (1), from including the information in the individual’s credit information file; or
(b) the credit provider does not have reasonable grounds for believing that the information is correct; or
(c) the credit provider did not, at the time of, or before, acquiring the information, inform the individual that the information might be disclosed to a credit reporting agency.
Deletion of information from credit information files
“18f. (1) A credit reporting agency must delete from an individual’s credit information file maintained by the credit reporting agency any personal information of a kind referred to in paragraph 18e (1) (b) within 1 month after the end of the maximum permissible period for the keeping of personal information of that kind.
“(2) For the purposes of subsection (1), the maximum permissible periods for the keeping of personal information of the kind referred to in paragraph 18e (1) (b) are as follows:
(a) in the case of information of a kind referred to in subparagraph (i), (ii), (iii) or (iv) of that paragraph—the period of 5 years commencing on the day on which the credit report concerned was sought;
(b) in the case of information of a kind referred to in subparagraph (v) of that paragraph—the period of 14 days commencing on the day on which the credit reporting agency is notified under subsection (5) that the credit provider concerned is no longer a current credit provider in relation to the individual concerned;
(c) in the case of information of a kind referred to in subparagraph (vi) of that paragraph—the period of 5 years commencing on the day on which the credit reporting agency was informed of the overdue payment concerned;
(d) in the case of information of a kind referred to in subparagraph (vii) of that paragraph—the period of 5 years commencing on the day on which the second dishonouring of the cheque occurred;
(e) in the case of information of a kind referred to in subparagraph (viii) of that paragraph—the period of 5 years commencing on the day on which the court judgment concerned was made;
(f) in the case of information of a kind referred to in subparagraph (ix) of that paragraph—the period of 7 years commencing on the day on which the bankruptcy order concerned was made;
(g) in the case of information of a kind referred to in subparagraph (x) of that paragraph—the period of 7 years commencing on the day on which the information was included in the credit information file concerned.
“(3) Where:
(a) a credit reporting agency has been given information that an individual is overdue in making a payment in respect of credit provided by a credit provider; and
(b) the individual ceases to be overdue in making the payment or contends that he or she is not overdue in making the payment;
the credit provider must, as soon as practicable, inform the credit reporting agency that the individual has ceased to be overdue in making the payment, or contends that he or she is not overdue in making the payment, as the case may be.
“(4) On being informed that the individual is no longer overdue in making the payment, or that the individual contends that he or she is not overdue in making the payment, the credit reporting agency must include in the individual’s credit information file a note to that effect.
“(5) Where a credit provider ceases to be a current credit provider in relation to an individual, the credit provider must, as soon as practicable, notify that fact to any credit reporting agency that was previously informed that the credit provider was a current credit provider in relation to the individual.
Accuracy and security of credit information files and credit reports
“18g. A credit reporting agency in possession or control of a credit information file, or a credit provider or credit reporting agency in possession or control of a credit report, must:
(a) take reasonable steps to ensure that personal information contained in the file or report is accurate, up-to-date, complete and not misleading; and
(b) ensure that the file or report is protected, by such security safeguards as are reasonable in the circumstances, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and
(c) if it is necessary for the file or report to be given to a person in connection with the provision of a service to the credit reporting agency or credit provider, ensure that everything reasonably within the power of the credit reporting agency or credit provider is done to prevent unauthorised use or disclosure of personal information contained in the file or report.
Access to credit information files and credit reports
“18h. (1) A credit reporting agency in possession or control of an individual’s credit information file must take reasonable steps to ensure that the individual can obtain access to that file.
“(2) A credit provider, or a credit reporting agency, in possession or control of a credit report containing personal information concerning an individual must take all reasonable steps to ensure that the individual can obtain access to that report.
Alteration of credit information files and credit reports
“18j. (1) A credit reporting agency in possession or control of a credit information file, or a credit provider or credit reporting agency in possession or control of a credit report, must take reasonable steps, by way of making appropriate corrections, deletions and additions, to ensure that the personal information contained in the file or report is accurate, up-to-date, complete and not misleading.
“(2) Where:
(a) a credit reporting agency in possession or control of a credit information file, or a credit provider or credit reporting agency in possession or control of a credit report, does not amend personal information contained in that file or report, by making a correction, deletion or addition, in accordance with a request by the individual concerned; and
(b) the individual requests the credit reporting agency or credit provider to include in that file or report a statement provided by the individual of the correction, deletion or addition sought;
the credit reporting agency or credit provider must take reasonable steps to include the statement in the file or report within 30 days after being requested to do so.
“(3) Where the credit reporting agency or credit provider considers a statement included pursuant to subsection 18j (2) to be of undue length in the circumstances, the credit reporting agency or credit provider may refer the statement to the Commissioner for such reduction as is considered appropriate and, if the statement is altered, the statement as altered is to be included in the file or report.
Limits on disclosure of personal information by credit reporting agencies
“18k. (1) A credit reporting agency in possession or control of an individual’s credit information file must not disclose personal information contained in the file to a person, body or agency (other than the individual) unless:
(a) the information is contained in a credit report given to a credit provider who requested the report for the purpose of assessing an application for credit made by the individual to the credit provider; or
(b) the information is contained in a credit report given to a credit provider who requested the report for the purpose of assessing an application for commercial credit made by a person to the credit provider, and the individual to whom the report relates has specifically agreed, in writing, to the report being given to the credit provider for that purpose; or
(c) the information is contained in a credit report given to a credit provider who requested the report for the purpose of assessing whether to accept the individual as a guarantor in respect of:
(i) a loan provided by the credit provider to a person other than the individual; or
(ii) a loan for which an application has been made by a person other than the individual to the credit provider;
and the first-mentioned individual has specifically agreed, in writing, to the report being given to the credit provider for that purpose; or
(d) the information is contained in a credit report given to a mortgage insurer for the purpose of assessing:
(i) whether to provide insurance to, or the risk of providing insurance to, a credit provider in respect of mortgage credit given by the credit provider to the individual; or
(ii) the risk of the individual defaulting on mortgage credit in respect of which the mortgage insurer has provided insurance to a credit provider; or
(e) the information is contained in a credit report given to a trade insurer for the purpose of assessing:
(i) whether to provide insurance to, or the risk of providing insurance to, a credit provider in respect of commercial credit given by the credit provider to the individual or another person; or
(ii) the risk of a person defaulting on commercial credit in respect of which the trade insurer has provided insurance to a credit provider;
and the individual to whom the report relates has specifically agreed, in writing, to the report being given to the trade insurer for that purpose; or
(f) the credit reporting agency has, at least 30 days before the disclosure, received information of a kind referred to in subparagraph 18e (1) (b) (vi), and the information is contained in a credit report given to a credit provider referred to in the credit information file as a credit provider who is a current credit provider in relation to the individual; or
(g) the information is contained in a credit report given to a credit provider who requested the report for the purpose of the collection of payments that are overdue in respect of credit provided to the individual by the credit provider; or
(h) the information is contained in a credit report given to a credit provider who requested the report for the purpose of the collection of payments that are overdue in respect of commercial credit provided to a person by the credit provider, and:
(i) the individual to whom the report relates has specifically agreed, in writing, to the report being given to the credit provider for that purpose; or
(ii) that individual had specifically agreed, in writing, to a credit report relating to the individual being given to the credit provider for the purpose of the credit provider assessing the application that the first-mentioned person made to the credit provider for the provision of the commercial credit concerned; or
(iii) the credit provider provided the commercial credit concerned before the commencement of this section; or
(j) the information is contained in a credit report given to another credit reporting agency; or
(k) the information is contained in a record in which the only personal information relating to individuals is publicly available information; or
(m) the disclosure is required or authorised by or under law; or
(n) the credit reporting agency is satisfied that a credit provider or law enforcement authority believes on reasonable grounds that the individual has committed a serious credit infringement and the information is given to that credit provider or law enforcement authority or to any other credit provider or law enforcement authority.
“(2) A credit reporting agency must not disclose personal information contained in an individual’s credit information file, or in any other record containing information derived from the file, that is in the possession or control of the credit reporting agency if the file or other record contains personal information that the credit reporting agency would be:
(a) prohibited from including in an individual’s credit information file under section 18e; or
(b) required to delete from such a file under section 18f.
“(3) Subsection (2) does not prohibit the credit reporting agency from disclosing personal information that it would be prohibited from including in an individual’s credit information file under section 18e if:
(a) the credit reporting agency included the information in a credit information file or other record before the commencement of this section; and
(b) the information is information of a kind that the Commissioner has determined, in writing, to be information that the credit reporting agency may disclose without contravening that subsection.
“(4) A credit reporting agency that knowingly or recklessly contravenes subsection (1) or (2) is guilty of an offence punishable, on conviction, by a fine not exceeding $150,000.
“(5) Where a credit reporting agency discloses personal information contained in an individual’s credit information file, it must include in the file a note of that disclosure.
“(6) A credit reporting agency must not include in a credit report given to a credit provider under paragraph (1) (a) any information relating to an individual’s commercial activities.
“(7) A determination under paragraph (3) (b) is to be made by notice published in the Gazette.
“(8) A notice so published is a disallowable instrument for the purposes of section 46a of the Acts Interpretation Act 1901.
Limits on use by credit providers of personal information contained in credit reports etc.
“18l. (1) A credit provider that is or has been in possession or control of a credit report must not use the report or any personal information derived from the report for any purpose other than assessing an application for credit made to the credit provider by the individual concerned unless:
(a) the report was obtained under paragraph 18k (1) (b) and the credit provider uses the report or information for the purpose of assessing an application for commercial credit made by the individual to the credit provider; or
(b) the report was obtained under paragraph 18k (1) (c) and the credit provider uses the report or information for the purpose of assessing whether to accept the individual as a guarantor in respect of:
(i) a loan provided by the credit provider to a person other than the individual; or
(ii) a loan for which an application has been made by a person other than the individual to the credit provider; or
(c) the report was obtained under paragraph 18k (1) (f) and the credit provider uses the information for the purpose of assisting the individual to avoid defaulting on his or her credit obligations; or
(d) the credit provider uses the report or information for the purpose of the collection of payments that are overdue in respect of credit provided to the individual by the credit provider; or
(e) use of the report or information for that other purpose is required or authorised by or under law; or
(f) the credit provider believes on reasonable grounds that the individual has committed a serious credit infringement, and the report or information is used in connection with that infringement.
“(2) A credit provider that knowingly or recklessly contravenes subsection (1) is guilty of an offence punishable, on conviction, by a fine not exceeding $150,000.
“(3) A credit provider that is or has been in possession or control of a credit report must not:
(a) use the report unless all personal information concerning individuals that is not information of a kind referred to in subsection 18e (1) has been deleted from the report; or
(b) use any personal information derived from the report if the information is not information of a kind referred to in subsection 18e (1).
“(4) Where a credit provider has received a credit report for the purpose of assessing an application for credit made to the credit provider by an individual, the credit provider must not, in assessing the application, use information that:
(a) concerns the individual’s commercial activities or commercial credit worthiness; and
(b) was obtained from a person or body carrying on a business or undertaking involving the provision of information about the commercial credit worthiness of persons;
unless the individual has specifically agreed, in writing, to the information being obtained by the credit provider for that purpose.
“(5) References in subsection (3) to information that is not information of a kind referred to in subsection 18e (1) do not include references to information the disclosure of which is taken, because of the application of subsection 18k (3), not to be in contravention of subsection 18k (2).
“(6) The Commissioner may determine, in writing, the manner in which information of a kind referred to in subsection (4) may, under that subsection, be used (including the manner in which an individual’s agreement may be obtained for the purposes of that subsection).
“(7) A determination is to be made by notice published in the Gazette.
“(8) A notice so published is a disallowable instrument for the purposes of section 46a of the Acts Interpretation Act 1901.
Information to be given if an individual’s application for credit is refused
“18m. Where a credit provider refuses an application by an individual for credit and the refusal is based wholly or partly on information derived from a credit report given by a credit reporting agency to the credit provider for the purpose of assessing the application, the credit provider must give the individual a written notice:
(a) stating:
(i) that the application has been refused; and
(ii) that the refusal was based wholly or partly, as the case requires, on information derived from a credit report given by a credit reporting agency; and
(iii) the name and address of the credit reporting agency; and
(b) informing the individual of the individual’s right under this Act to obtain access to the individual’s credit information file maintained by the credit reporting agency.
Limits on disclosure by credit providers of personal information contained in reports relating to credit worthiness etc.
“18n. (1) A credit provider that is or has been in possession or control of a report must not disclose the report or any personal information derived from the report to another person for any purpose unless:
(a) the report or information is disclosed to a credit reporting agency for the purpose of being used:
(i) to create a credit information file in relation to the individual concerned; or
(ii) to include information in a credit information file, maintained by the credit reporting agency, in relation to the individual concerned; or
(b) the individual concerned has specifically agreed, in writing, to the disclosure of the report or information to another credit provider for the particular purpose; or
(c) the report (not being a credit report) or information:
(i) is disclosed to a person or body carrying on a business or undertaking that involves the collection of debts on behalf of others; and
(ii) is disclosed for the purpose of the collection of payments that are overdue in respect of credit provided to the individual concerned by the credit provider; and
(iii) does not contain or include any personal information derived from a credit report, other than:
(a) information of a kind referred to in paragraph 18e (1) (a); and
(b) information of a kind referred to in subparagraph 18e (1) (b) (vi), not being information that relates to an overdue payment in respect of which a note to the effect that the individual is no longer overdue in making the payment has been included, under subsection 18f (4), in the credit information file from which the credit report was prepared; or
(d) where the credit provider is a corporation—the report or information is disclosed to a corporation that is related to the credit provider; or
(e) the report or information is disclosed to a corporation (including the professional legal advisers or professional financial advisers of that corporation) that proposes to use the report or information:
(i) in the process of considering whether to:
(a) accept an assignment of a debt owed to the credit provider; or
(b) accept a debt owed to the credit provider as security for a loan to the credit provider; or
(c) purchase an interest in the credit provider (including, in a case where the credit provider is a corporation, a corporation that is related to the credit provider); or
(ii) in connection with exercising rights arising from any acceptance or purchase of a kind referred to in subparagraph (i); or
(f) the report or information is disclosed to a person who manages loans made by the credit provider, for use in managing those loans; or
(g) disclosure of the report or information to that other person for the particular purpose is required or authorised by or under law; or
(h) the credit provider believes on reasonable grounds that the individual concerned has committed a serious credit infringement and the report or information is given to another credit provider or a law enforcement authority.
“(2) A credit provider that knowingly or recklessly contravenes subsection (1) is guilty of an offence punishable, on conviction, by a fine not exceeding $150,000.
“(3) A credit provider that is or has been in possession or control of a credit report, or a report containing personal information derived from a credit report, must not:
(a) disclose the report to another person unless all personal information concerning individuals that is not information of a kind referred to in subsection 18e (1) has been deleted from the report; or
(b) disclose to another person any personal information derived from the report if the information is not information of a kind referred to in subsection 18e (1).
“(4) References in subsection (3) to information that is not information of a kind referred to in subsection 18e (1) do not include references to information the disclosure of which is taken, because of the application of subsection 18k (3), not to be in contravention of subsection 18k (2).
“(5) The Commissioner may determine, in writing, the manner in which a report or personal information derived from a report may, under subsection (1), be disclosed (including the manner in which an individual’s agreement may be obtained for the purposes of paragraph (1) (b)).
“(6) Where the Commissioner so determines, a report or information that is disclosed in a manner contrary to the determination is to be taken, except for the purposes of subsection (2), to have been disclosed contrary to subsection (1).
“(7) A determination is to be made by notice published in the Gazette.
“(8) A notice so published is a disallowable instrument for the purposes of section 46a of the Acts Interpretation Act 1901.
“(9) In this section, unless the contrary intention appears:
‘report’ means:
(a) a credit report; or
(b) subject to subsection (10), any other record or information, whether in a written, oral or other form, that has any bearing on an individual’s credit worthiness, credit standing, credit history or credit capacity;
but does not include a credit report or any other record or information in which the only personal information relating to individuals is publicly available information.
“(10) For the purposes of the application of this section to a credit provider that is not a corporation, a record or information (other than a credit report) is not taken to be a report for the purposes of this section unless it is being or has been prepared by or for a corporation.
Limits on use or disclosure by mortgage insurers or trade insurers of personal information contained in credit reports
“18p. (1) A mortgage insurer that is or has been in possession or control of a credit report must not use the report or any personal information derived from the report for any purpose other than assessing:
(a) whether to provide insurance to, or the risk of providing insurance to, a credit provider in respect of mortgage credit given by the credit provider to the individual concerned; or
(b) the risk of the individual concerned defaulting on mortgage credit in respect of which the mortgage insurer has provided insurance to a credit provider;
unless use of the report or information for that other purpose is required or authorised by or under law.
“(2) A trade insurer that is or has been in possession or control of a credit report must not use the report or any personal information derived from the report for any purpose other than assessing:
(a) whether to provide insurance to, or the risk of providing insurance to, a credit provider in respect of commercial credit given by the credit provider to another person; or
(b) the risk of a person defaulting on commercial credit in respect of which the trade insurer has provided insurance to a credit provider;
unless use of the report or information for that other purpose is required or authorised by or under law.
“(3) A mortgage insurer or trade insurer that is or has been in possession or control of a credit report must not:
(a) use the report unless all personal information concerning individuals that is not information of a kind referred to in subsection 18e (1) has been deleted from the report; or
(b) use any personal information derived from the report if the information is not information of a kind referred to in subsection 18e (1).
“(4) References in subsection (3) to information that is not information of a kind referred to in subsection 18e (1) do not include references to information the disclosure of which is taken, because of the application of subsection 18k (3), not to be in contravention of subsection 18k (2).
“(5) A mortgage insurer or trade insurer that is or has been in possession or control of a credit report must not disclose the report or any personal information derived from the report to another person for any purpose unless disclosure of the report or information to that other person for that purpose is required or authorised by or under law.
“(6) A mortgage insurer or trade insurer that knowingly or recklessly contravenes subsection (1), (2) or (5) is guilty of an offence punishable, on conviction, by a fine not exceeding $150,000.
Limits on use or disclosure by certain persons of personal information obtained from credit providers
“18q. (1) A corporation that has obtained a report or information under paragraph 18n (1) (d) must not:
(a) use the report or information, or any personal information derived from the report or information, otherwise than for a purpose for which, or in circumstances under which, a credit provider would be permitted under section 18l to use the report or information; or
(b) disclose the report or information, or any personal information derived from the report or information, to another person otherwise than for a purpose for which, or in circumstances under which, a credit provider would be permitted under section 18n to disclose the report or information to another person.
“(2) A corporation that has obtained a report or information under paragraph 18n (1) (e) must not use the report or information, or any personal information derived from the report or information, for any purpose other than:
(a) for use in the process of considering whether to:
(i) accept an assignment of a debt owed to the credit provider from whom the report or information was obtained; or
(ii) accept a debt owed to the credit provider as security for a loan to the credit provider; or
(iii) purchase an interest in the credit provider (including, where the credit provider is a corporation, a corporation that is related to the credit provider); or
(b) for use in connection with exercising rights arising from any acceptance or purchase of a kind referred to in paragraph (a).
“(3) A professional legal adviser or professional financial adviser of a corporation who has obtained a report or information under paragraph 18n (1) (e) must not use the report or information, or any personal information derived from the report or information, for any purpose other than use by the person, in his or her capacity as such a professional legal or financial adviser, in connection with advising the corporation:
(a) whether to accept an assignment of a debt owed to the credit provider from whom the report or information was obtained; or
(b) whether to accept a debt owed to the credit provider as a security for a loan to the credit provider; or
(c) whether to purchase an interest in the credit provider (including, in a case where the credit provider is a corporation, a corporation that is related to the credit provider);
(d) in connection with exercising rights arising from any acceptance or purchase of a kind referred to in paragraph (a), (b) or (c);
unless use of the report or information, or the information so derived, is required or authorised by or under law.
“(4) A person who has obtained a report or information under paragraph 18n (1) (f) must not use the report or information, or any personal information derived from the report or information, for any purpose other than use by the person in managing loans made by the credit provider from whom the person obtained the report or information, unless use of the report or information, or the information so derived, for that other purpose is required or authorised by or under law.
“(5) A person who has obtained a report or information under paragraph 18n (1) (e) or (f) must not disclose the report or information, or any personal information derived from the report or information, to another person unless disclosure of the report or information, or the information so derived, is required or authorised by or under law.
“(6) A person who has obtained a report or information under paragraph 18n (1) (d), (e) or (f) must not:
(a) use the report or information unless all personal information concerning individuals that is not information of a kind referred to in subsection 18e (1) has been deleted from the report or information; or
(b) use any personal information derived from the report or information if the personal information so derived is not information of a kind referred to in subsection 18e (1).
“(7) References in subsection (6) to information that is not information of a kind referred to in subsection 18e (1) do not include references to information the disclosure of which is taken, because of the application of subsection 18k (3), not to be in contravention of subsection 18k (2).
“(8) In spite of anything in this section to the contrary, this section does not impose any obligations on a person in relation to a report or information obtained under paragraph 18n (1) (e) or (f), or in relation to any personal information derived from such a report or information, unless:
(a) the person is a corporation; or
(b) the credit provider from whom the person obtained the report or information is a corporation.
“(9) A person who knowingly or recklessly contravenes subsection (1), (2), (3), (4) or (5) is guilty of an offence punishable, on conviction, by a fine not exceeding $30,000.
False or misleading credit reports
“18r. (1) A credit reporting agency or credit provider must not give to any other person or body (whether or not the other person or body is a credit reporting agency or credit provider) a credit report that contains false or misleading information.
“(2) A credit reporting agency or credit provider that knowingly or recklessly contravenes subsection (1) is guilty of an offence punishable, on conviction, by a fine not exceeding $75,000.
Unauthorised access to credit information files or credit reports
“18s. (1) A person must not obtain access to an individual’s credit information file in the possession or control of a credit reporting agency unless the access is authorised by this Act.
“(2) A person must not obtain access to a credit report in the possession or control of a credit provider or credit reporting agency unless:
(a) the person is given the report in accordance with this Act; or
(b) the access is otherwise authorised by this Act.
“(3) A person who knowingly or recklessly contravenes this section is guilty of an offence punishable, on conviction, by a fine not exceeding $30,000.
Obtaining access to credit information files or credit reports by false pretences
“18t. (1) A person must not, by a false pretence, obtain access to an individual’s credit information file in the possession or control of a credit reporting agency.
Penalty: $30,000.
“(2) A person must not, by a false pretence, obtain access to a credit report in the possession or control of a credit provider or credit reporting agency.
Penalty: $30,000.
Application of section 4b of Crimes Act
“18u. Subsection 4b (3) of the Crimes Act 1914 does not apply in relation to an offence against subsection 18k (4), 18l (2), 18n (2) or 18r (2) or section 18p.
Application of this Part
“18v. (1) Subject to this section, this Part applies in relation to any credit information file, any credit report or any report of a kind referred to in section 18n, in existence on or after the commencement of this section, whether or not it was in existence before that commencement.
“(2) Paragraph 18e (8) (c) does not apply in relation to information acquired by a credit provider before the commencement of this section.
“(3) Section 18f applies in relation to personal information that was, immediately before the commencement of this section, contained in an individual’s credit information file as if the references to the days mentioned in the paragraphs of subsection 18f (2) were all references to the day on which this section commenced.”.
Functions of Commissioner in relation to tax file numbers
14. Section 28 of the Principal Act is amended by omitting from subsection (1) “section 27” and substituting “sections 27 and 28a”.
15. After section 28 of the Principal Act the following section is inserted:
Functions of Commissioner in relation to credit reporting
“28a. (1) In addition to the functions under sections 27 and 28, the Commissioner has the following functions in relation to credit reporting:
(a) to develop the Code of Conduct in consultation with government, commercial, consumer and other relevant bodies and organisations;
(b) to investigate an act or practice of a credit reporting agency or credit provider that may constitute a credit reporting infringement and, where the Commissioner considers it appropriate to do so, to endeavour, by conciliation, to effect a settlement of the matters that gave rise to the investigation;
(c) to promote an understanding and acceptance of:
(i) the Code of Conduct and the provisions of Part IIIa; and
(ii) the objects of those provisions;
(d) to make such determinations as the Commissioner is empowered to make under section 11b or Part IIIa; and
(e) to prepare, and to publish in such manner as the Commissioner considers appropriate, guidelines for the avoidance of acts or practices of a credit reporting agency or credit provider that may or might be interferences with the privacy of individuals;
(f) to provide advice (with or without a request) to a Minister, a credit reporting agency or a credit provider on any matter relevant to the operation of this Act;
(g) to conduct audits of credit information files maintained by credit reporting agencies, and credit reports in the possession, or under the control, of credit providers or credit reporting agencies, for the purpose of ascertaining whether the files or reports are maintained in accordance with the Code of Conduct and the provisions of Part IIIa;
(h) to monitor the security and accuracy of personal information contained in credit information files maintained by credit reporting agencies and in credit reports in the possession, or under the control, of credit providers or credit reporting agencies;
(j) to examine the records of credit reporting agencies and credit providers to ensure that:
(i) credit reporting agencies and credit providers are not using personal information contained in credit information files and credit reports for unauthorised purposes; and
(ii) credit reporting agencies and credit providers are taking adequate measures to prevent the unlawful disclosure of personal information contained in credit information files and credit reports;
(k) for the purpose of promoting the protection of individual privacy, to undertake educational programs on the Commissioner’s own behalf or in co-operation with other persons or authorities on the Commissioner’s behalf;
(m) to do anything incidental or conducive to the performance of any of the preceding functions.
“(2) The Commissioner has power to do all things that are necessary or convenient to be done for or in connection with the performance of his or her functions under subsection (1).”.
Commissioner to have regard to certain matters
16. Section 29 of the Principal Act is amended by omitting paragraph (d) and substituting the following paragraph:
“(d) ensure that his or her directions and guidelines are consistent with:
(i) the Information Privacy Principles; and
(ii) (where applicable) the Code of Conduct and the provisions of Part IIIa.”.
Reports following investigation of act or practice
17. Section 30 of the Principal Act is amended:
(a) by omitting from subsection (3) “or 28 (1) (b) or (c) of an act or practice of an agency or file number recipient” and substituting “, 28 (1) (b) or (c) or 28a (1) (b) of an act or practice of an agency, file number recipient, credit reporting agency or credit provider”;
(b) by omitting paragraph (3) (d) and substituting the following paragraph:
“(d) shall serve a copy of the report on the agency, file number recipient, credit reporting agency or credit provider concerned and the Minister (if any) responsible for the agency, recipient, credit reporting agency or credit provider; and”;
(c) by omitting from subsection (4) “or file number recipient” (first occurring) and substituting “, file number recipient, credit reporting agency or credit provider”;
(d) by omitting from paragraph (4) (c) “or file number recipient” and substituting “, file number recipient, credit reporting agency or credit provider”;
(e) by omitting from subsection (4) “or recipient” and substituting “, recipient, credit reporting agency or credit provider”.
Report following monitoring of certain activities
18. Section 32 of the Principal Act is amended by omitting “(j), (k) or (m) or 28 (1) (e) or (f)” and substituting “(h), (j), (k) or (m), 28 (1) (e), (f) or (h) or 28a (1) (g), (h), (j) or (k)”.
Investigation under section 40 to cease if certain offences may have been committed
19. Section 49 of the Principal Act is amended:
(a) by inserting in subsection (1) “or a credit reporting offence” after “tax file number offence”;
(b) by omitting subsection (4) and substituting the following subsection:
“(4) In subsection (1):
‘credit reporting offence’ means:
(a) an offence against subsection 18c (4), 18d (4), 18k (4), 18l (2), 18n (2), 18r (2) or 18s (3) or section 18t; or
(b) an offence against section 6, 7 or 7a, or paragraph 86 (1) (a), of the Crimes Act 1914, being an offence that relates to an offence referred to in paragraph (a) of this definition;
‘tax file number offence’ means:
(a) an offence against section 8wa or 8wb of the Taxation Administration Act 1953; or
(b) an offence against section 6, 7 or 7a, or paragraph 86 (1) (a), of the Crimes Act 1914, being an offence that relates to an offence referred to in paragraph (a) of this definition.”.
Determination of the Commissioner
20. Section 52 of the Principal Act is amended by inserting after subsection (3) the following subsection:
“(3a) In a determination under subparagraph (1) (b) (i) or (ii) that concerns a breach of Information Privacy Principle 7 or section 18j, the Commissioner may include an order that:
(a) an agency or respondent make an appropriate correction, deletion or addition to a record, or to a credit information file or credit report, as the case may be; or
(b) an agency or respondent attach to a record, or include in a credit information file or credit report, as the case may be, a statement provided by the complainant of a correction, deletion or addition sought by the complainant.”.
Heading to Division 4
21. The heading to Division 4 of Part V of the Principal Act is amended by adding at the end “or credit reporting”.
Application of Division
22. Section 60 of the Principal Act is amended by adding at the end the following word and paragraph:
“; or (c) it constitutes a credit reporting infringement.”.
Power to enter premises
23. Section 68 of the Principal Act is amended by omitting from subsection (1) “or a file number recipient” and substituting “, a file number recipient, a credit reporting agency or a credit provider”.
24. After section 99 of the Principal Act the following section is inserted:
Conduct of directors, servants and agents
“99a. (1) Where, in proceedings for an offence against this Act, it is necessary to establish the state of mind of a body corporate in relation to particular conduct, it is sufficient to show:
(a) that the conduct was engaged in by a director, servant or agent of the body corporate within the scope of his or her actual or apparent authority; and
(b) that the director, servant or agent had the state of mind.
“(2) Any conduct engaged in on behalf of a body corporate by a director, servant or agent of the body corporate within the scope of his or her actual or apparent authority is to be taken, for the purposes of a prosecution for an offence against this Act, to have been engaged in also by the body corporate unless the body corporate establishes that the body corporate took reasonable precautions and exercised due diligence to avoid the conduct.
“(3) Where, in proceedings for an offence against this Act, it is necessary to establish the state of mind of a person other than a body corporate in relation to particular conduct, it is sufficient to show:
(a) that the conduct was engaged in by a servant or agent of the person within the scope of his or her actual or apparent authority; and
(b) that the servant or agent had the state of mind.
“(4) Any conduct engaged in on behalf of a person other than a body corporate by a servant or agent of a person within the scope of his or her actual or apparent authority is to be taken, for the purposes of a prosecution for an offence against this Act, to have been engaged in also by the first-mentioned person unless the first-mentioned person establishes that the first-mentioned person took reasonable precautions and exercised due diligence to avoid the conduct.
“(5) Where:
(a) a person other than a body corporate is convicted of an offence; and
(b) the person would not have been convicted of the offence if subsections (3) and (4) had not been enacted;
the person is not liable to be punished by imprisonment for that offence.
“(6) A reference in subsection (1) or (3) to the state of mind of a person includes a reference to:
(a) the knowledge, intention, opinion, belief or purpose of the person; and
(b) the person’s reasons for the intention, opinion, belief or purpose.
“(7) A reference in this section to a director of a body corporate includes a reference to a constituent member of a body corporate incorporated for a public purpose by a law of the Commonwealth, of a State or of a Territory.
“(8) A reference in this section to engaging in conduct includes a reference to failing or refusing to engage in conduct.
“(9) A reference in this section to an offence against this Act includes a reference to an offence created by section 5, 6, 7 or 7a, or subsection 86 (1), of the Crimes Act 1914, being an offence that relates to this Act.”.
NOTE
1. No. 119, 1988, as amended. For previous amendments, see Nos. 11 and 75, 1990.
[Minister’s second reading speech made in—
Senate on 16 June 1989
House of Representatives on 4 December 1990]