The NEW ZEALAND CREDIT REPORTING module informs credit reporting bodies about the laws that govern regulation of credit reporting in New Zealand. A credit reporting body means any entity that is carrying on a business of relaying information or reporting information that is relevant to the assessment of the creditworthiness of an individual.
The NEW ZEALAND CREDIT REPORTING module covers the obligations of credit reporters in New Zealand to handle information in a way that respects and protects the privacy of the individuals to whom that information relates. The primary obligations of credit reporters are imposed by;
- the Privacy Act 1993 (NZ) (the Privacy Act); and
- the Credit Reporting Privacy Code 2004 (NZ) (the Code).
The module covers the set of 12 information privacy principles (IPPs) outlined in the Privacy Act which relate to personal information and its collection, use, disclosure, storage, quality and accuracy, access, correction, retention, and connection to unique identifiers. Additionally the module also covers the code which contains the Credit Reporting Privacy Rules (the Rules) and how they intersect with the Privacy Act.
The concept of personal information encompasses any information about an identifiable individual. The module covers the many different forms that the information can take as well as how the definition of credit information is narrower in scope than the definition of personal information. Credit reporters are required to identify all the different types of personal information they have access to and ensure that their policies and procedures adequately cover the differences in handling each type of information.
In some instances the code prescribes specific measures and controls that the credit reporter must put in place to ensure compliance. The module advises credit reporters about putting these specific measures in place as well as guidelines on complying with all of the obligations under the legislation and code, including how to;
- Develop a robust privacy culture within the organisation;
- Ensure there are persons within the agency who have a depth of knowledge and take responsibility for facilitating compliance;
- Display strong leadership and governance on credit reporting privacy matters;
- Establish policies and processes that govern how credit information is handled from collection or receipt to destruction.
The 12 Information Privacy Principle (IPP’s) which are covered by the module are;
- The purpose of collection of information;
- The source of the information;
- Collection of credit information from an individual;
- Manner of collection of credit information;
- Storage and security;
- Access to credit information;
- Correction of credit information;
- Accuracy of credit information;
- Retention of credit information;
- Limits on use of credit information;
- Limits on disclosure of credit information;
- Unique identifiers.
As well as the Privacy Act and the code, the module also covers various other acts that impact on the credit reporting sector, including;
- Contract and Commercial Law Act 2017 (NZ);
- Human Rights Act 1993 (NZ);
- Companies Act 1993 (NZ);
- Insolvency Act 2006 (NZ);
- Limited Partnerships Act 2008 (NZ); and
- Personal Property Securities Act 1999 (NZ).
The Privacy Commissioner (the Commissioner) is responsible for regulation of the credit reporting sector and the complaints process. The module covers the authority of the commissioner and the obligations of the credit reporter when dealing with the commissioner, including processes for;
- Providing reasonable assistance during investigations;
- Providing documents and information when requested;
- Designating a complaint handler;
- Submitting an annual assurance report to the Commissioner each financial year; and
- Establishing and maintaining a complaints process framework.
Credit Reporters must co-operate with the commissioner. The module comprehensively covers the consequences of failing to comply with the commissioner. The possible penalties can include;
- Financial penalties; and
- Imprisonment.
The module also covers possible penalties to be applied to a credit provider in the event of a successful complaint, which include;
- A declaration that the agency has interfered with the privacy of an individual;
- An order restraining the agency from causing or permitting others to engage in interfering conduct;
- An order to pay up to $350,000 in damages, and / or
- An order that the agency perform certain acts in reparation.
The NEW ZEALAND CREDIT REPORTING module is limited to the specific obligations imposed on credit reporting bodies. It does not provide information on general obligations for other types of entities dealing with personal or credit related information.