I, Carly Kind, Privacy Commissioner, make this Rule under section 20M(3) of the Privacy Act 1988.

 

Dated: 9 July 2024

[Signed]

Carly Kind
Australian Privacy Commissioner

1          Name of Rule

This Rule is the Privacy (Credit Related Research) Rule 2024.

 

2          Commencement

This Rule commences on the day it is registered on the Federal Register of Legislation.

 

3          Purpose

This Rule applies for the purposes of section 20M of the Privacy Act which prohibits a credit reporting body from using or disclosing de-identified credit reporting information (s 20M(1)).  Sections 20M(2)–(3) provide that this prohibition does not apply if the use or disclosure is for the purpose of conducting research in relation to credit and the credit reporting body complies with rules made by the Commissioner by legislative instrument.


4          Definitions

(1)    Unless this Rule states otherwise, any word or expression used in this Rule which is defined in the Privacy Act, has the same meaning as in that Act.

(2)    In this Rule:

Aggregated results means the results of de-identified credit reporting information research analysis which does not include the individual elements of the de-identified credit reporting information and cannot readily be disaggregated to extract or re-identify that de-identified credit reporting information

De-identified information means credit reporting information that is no longer about an identifiable individual or an individual who is reasonably identifiable

Privacy Act means the Privacy Act 1988

Rule means the Privacy (Credit Related Research) Rule 2024

Note: The following expressions are defined in Section 6(1) of the Privacy Act: Australian law; Australian link; Commissioner; court/tribunal order; credit; credit reporting body; credit reporting information; entity; personal information

 

5          Schedules

Each instrument that is specified in a Schedule to this instrument is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this instrument has effect according to its terms.


6          Conducting research in relation to credit

A credit reporting body may use or disclose credit reporting information if:

(a)    the credit reporting information has been de-identified,

(b)    the use and/or disclosure of the credit reporting information is for the purpose of conducting research in relation to credit, and

(c)    the purpose for conducting the research in relation to credit is a permitted purpose as described in section 7 of this Rule.

 

7          Permitted purposes of conducting research

A credit reporting body may only use or disclose de-identified information for the purposes of conducting research in relation to credit for:

(a)    the assessment or management of current, and development of new, credit services, or

(b)    developing methodologies to combat fraud, anti-money laundering, counter terrorism financing and other unlawful activity involving credit, or

(c)    assisting responsible lending obligations and other consumer protections, or

(d)    any other purpose for the general benefit of the public.

 

8          De-identification of credit reporting information

(1)    When de-identifying credit reporting information, a credit reporting body must:

(a)    assess the risk of re-identification of the credit reporting information either by itself or by the recipients of the de-identified information,

(b)    use that risk assessment to determine the de-identification technique or techniques appropriate to the circumstances, and

(c)    take such steps as are reasonable in the circumstances to ensure the de-identified information cannot be re-identified.

(2)    If a credit reporting body de-identifies credit reporting information, the credit reporting body must:

(a)    not re-identify or attempt to re-identify the de-identified information, and

(b)    destroy the information if it is re-identified unintentionally.

(3)    Sub-section 8(2)(a) does not apply if the re-identification of de-identified information is required by Australian law or a court/tribunal order.


9          Disclosure of de-identified information

(1)    A credit reporting body must only disclose de-identified information for a permitted purpose if the entity receiving the information has an Australian link.

(2)    Before disclosing de-identified information, a credit reporting body must take such steps as are reasonable in the circumstances to ensure the entity receiving the information:

(a)    does not re-identify or attempt to re-identify the de-identified information,

(b)    destroys the information if it is re-identified unintentionally, and

(c)    does not disclose the de-identified information to any other entity.

(3)    Sub-section 9(2)(c) does not apply to Aggregated results.

 

10        Openness

A credit reporting body must include a statement in its policy on the management of de-identified information, in accordance with s 20B(3), that de-identified information is used or disclosed by that credit reporting body for the purpose of conducting research in relation to credit.


Privacy (Credit Related Research) Rule 2014

1       The whole of the instrument

Repeal the instrument.