The CREDIT REPORTING module informs credit reporting bodies and tenancy database operators’ about the commonwealth laws and regulations that must be followed when having access to and handling individuals’ personal information as well as laws and regulations which apply in specific states and territories of Australia.
Credit reporting bodies (CRB’s) are organisations that carry on a credit reporting business. The Privacy Act 1988 (Cth) (Privacy Act) defines a credit reporting business as a business that involves collecting, holding, using and disclosing personal information about individuals for the purpose of providing a separate entity with information about the credit-worthiness of an individual.
Tenancy database operators are not CRB’s but they do collect, use and disclose personal information in the course of carrying on their business. The business of a tenancy database operator relates to using the individual’s personal information to assess their worthiness as a prospective tenant.
In most states and territories of Australia the type of information and circumstances under which it can be listed by a tenancy database operator on a tenancy database is restricted. Each state and territory has their own Act regulating the actions of tenancy database operators.
The CREDIT REPORTING module covers the obligations of both Credit Reporting Bodies (CRB’s) and Tenancy Database Operators when dealing with individual’s personal information.
The main compliance source for CRB’s is Pt IIIA of the Privacy Act, which explicitly sets out CRBs’ obligations in relation to personal information including the;
- Collection;
- Use;
- Disclosure;
- Retention;
- Quality control; and
- Corrections
A CRB is also required to adhere to the Australian Privacy Principles (APP) when dealing with some types of personal information but not others. The module covers which types of personal information apply in this regard and which don’t.
Tenancy database operators are also governed by the general provisions of the Privacy Act and must comply with the APPs. In addition tenancy database operators must comply with uniform provisions in the residential tenancy legislation for each state and territory in Australia (except for the Northern Territory) that cover their obligations which are in the areas of;
- Listing information on the database;
- The requirement to give notice of the listing;
- Providing access to the listing;
- Making corrections to the listing;
- Removing any inaccurate or out-of-date information.
The Office of the Australian Information Commissioner (OAIC) is the responsible regulator in relation to the Privacy Act. Credit reporting bodies are encouraged to liaise with the OAIC in relation to privacy issues and, particularly, to report any serious data breach incidents. The module covers the consequences of breaches or incidents of non-compliance of obligations. The OAIC has broad powers which include;
- To conduct investigations such as complaints investigations, data breach investigations and commissioner-initiated investigations;
- Requiring CRBs to produce documents, answer questions or give evidence;
- Making a declaration that an act or practice is an interference with an individual’s privacy and the person or organisation must not continue or repeat that act or practice;
- Making an order that a person or organisation must take specified steps within a specified period to prevent an act or practice being repeated or continued;
- Making an order that a person or organisation must undertake specified acts as redress for loss or damage suffered by individuals;
- Making an order that certain individuals are entitled to a specified amount of compensation for loss or damage arising from conduct that interfered with their privacy;
- Making a declaration that it would be inappropriate to take further action in the matter.
The primary obligation of CRB’s is to have practices, procedures and systems in place which are intended to ensure that they meet all of their obligations. The module covers this primary obligation with reference to;
- The collection of information under authorised circumstances using fair and lawful means;
- Taking steps to ensure the information collected accurate, up-to-date and complete;
- Publishing a credit reporting information management policy online;
- Auditing, testing and/or reviewing systems and agreements which control the quality and security of information;
- Actively correcting or removing any information that is inaccurate, irrelevant, incomplete, or out-of-date;
- Using appropriate methods for assigning identifiers and codes to credit information;
- Using and disclosing information only as authorised by the Privacy Act;
- Keeping information securely stored for its full retention period;
- Irretrievably destroying or de-identifying information at the end of its retention period;
- Having adequate protections for victims of fraud;
- Receiving, processing and responding to requests by individuals to access personal information held about them and providing access in all appropriate cases;
- Receiving, processing and responding to requests by individuals to correct personal information held about them and make corrections in all appropriate cases;
- Having a complaints handling system in place which deals with complaints efficiently (within specified timeframes); and
- Maintaining membership of a recognised external dispute resolution (EDR) scheme.
The CREDIT REPORTING module also covers the obligations of tenancy database operators to have policies, systems and processes in place to ensure that they are compliant with their obligations including;
- That information is only listed on a tenancy database under authorised circumstances about relevant persons;
- Individuals whose information is to be listed are given an opportunity to review and dispute the information;
- Tenancy database information is retained for the appropriate period, and then removed and irretrievably destroyed;
- They have information quality systems in place and clear processes for receiving correction requests;
- They have in place appropriate access, use and disclosure policies that govern the handling of personal information;
- Any specific state or territory-based residential tenancy regulations.
A range of penalties apply under the state uniform residential tenancy laws in relation to breaches of the regulations. The module covers these offences which can attract the following penalties;
- NSW — $2200 (Residential Tenancies Act 2010 (NSW)
- Qld — $5046 Residential Tenancies and Rooming Accommodation Act 2008 (Qld)
- SA — $5000 (Residential Tenancies Act 1995 (SA)
- Tas — $7950 (Residential Tenancy Act 1997 (Tas)
- Vic — $47,571 for a body corporate and $9514 for an individual (Residential Tenancies Act 1997 (Vic)
- WA — $5000 (Residential Tenancies Act 1987 (WA)
The CREDIT REPORTING module is limited to the specific obligations imposed on credit reporting bodies and tenancy database operators. It does not provide general obligations for other types of entities dealing with personal or credit related information.