Credit Reporting
Contributed by Elizabeth Samra, Consumer Law Centre of the ACT and current to May 2018
In Australia, credit reporting is regulated by:
The consumer credit reporting framework is designed to balance the privacy rights of individuals with the need for credit providers to access information to help them decide whether to offer credit.
There are three main credit reporting bodies in Australia: Equifax, Experian and Illion. Credit reporting bodies collect personal information from credit providers to create and maintain an individual’s credit report.
Only certain types of personal information can be included in a consumer’s credit report (see s 6N
Privacy Act), including:
- Personal details including the customer’s name, address (and past 2 addresses), sex, employment and driver’s licence number;
- Credit applications made;
- Details of joint applicants for credit;
- Current credit providers;
- Details of current loans;
- Repayment history information on loans;
- Accounts in default over 60 days and dates defaults paid;
- Debt agreements and bankruptcies;
- Court judgments;
- Serious credit infringements.
Only credit providers can report information to credit reporting bodies. A “credit provider” is defined to include:
- a bank;
- an organisation that provides credit, if providing credit is a substantial part of the business;
- a retailer that issues credit cards in connection with the sale of goods or services;
- a business that provides credit in relation to the supply of goods or services where the repayment of the amount of credit is deferred for at least seven days (e.g. utilities companies and telecommunication providers);
- a business that provides credit related to hiring, leasing or renting goods where repayment is deferred for at least seven days;
- an assignee of a credit provider (see s 6G Privacy Act).
Real estate agents, general insurance companies and employers are not included in the definition of credit providers
(s 6G(5) Privacy Act).
A default can only be listed on a credit report if:
- 60 days have passed since the default;
- a s 6Q notice under the Privacy Act has been sent informing the individual of the default;
- a s 21D(3) notice under the Privacy Act has been sent informing the individual that they will be default listed;
- the default listing must only be made after 14 days and before 3 months of the section 21D(3) notice; and
- the default has not been fixed before the listing is made.
Only credit providers, potential credit providers, mortgage insurers and the credit reporting body can access an individual’s credit report. The information released must only be used for certain purposes
(s 20E Privacy Act).
Most personal information can only be included on the consumer credit report for between 2 and 7 years, depending on the type of information
(s 20W Privacy Act).
An individual can access credit report by making a request to a credit reporting body. A credit reporting body must provide access to a consumer for free at least once every 12 months, and in certain other circumstances.
An individual can request information that is incorrect to be amended
(s 20T Privacy Act). This could be because the debt was never owed, the default listing procedure was not followed, fraud has occurred, the amount of the debt listed is incorrect or the debt is statute barred.
An individual can make a complaint where they believe the credit provider or CRB has not handled their report in a way consistent with the
Privacy Act. The credit provider/CRB has 30 days to respond to the individual complaint. If it fails to do so within this time or refuses to amend the disputed listing, a complaint can be made to the external dispute resolution scheme of which the CRB is a member. If the matter still has not been resolved satisfactorily, a complaint can be raised at the Office of the Australian Information Commission.
For more information on Credit Reporting, see the Office of the Australian Information Commission’s website at
www.oaic.gov.au.