What credit reporting records must credit reporting bodies keep?
Sections 20W and 20X of the Privacy Act (as amended from 12 March 2014) set out the retention periods for particular types of credit and personal insolvency information, ranging from 2 to 7 years.
After the retention periods in section 20W or 20X end, section 20V requires the destruction or de-identification of those records, within 1 month after the retention period for the information ends.
Compliance records
Paragraph 22 of the CR Code requires that each credit provider (CP) maintain adequate records that evidence their compliance with Part IIIA of the Privacy Act, the Regulations and the CR code.
In particular, each CP must maintain the following records:
(a) where credit-related personal information is destroyed to meet obligations under Part IIIA, the Regulations and the CR code (but only if this is possible);
(b) in the case of a CP that receives credit eligibility information disclosed to it by another CP:
(i) the date on which that information was disclosed;
(ii) the CP who disclosed the information;
(iii) a brief description of the type of information disclosed; and
(iv) the evidence relied upon that the consent requirements have been met;
(c) for each disclosure that a CRB or CP makes of credit reporting information or credit eligibility information (as applicable):
(i) the date of the disclosure;
(ii) a brief description of the type of information disclosed;
(iii) the CP, affected information recipient or other person to whom the disclosure was made; and
(iv) evidence that the disclosure was permitted under Part IIIA, the Regulations or the CR code;
(d) records of any consent provided by an individual for the purposes of Part IIIA, the Regulations or the CR code;
(e) in the case of a CP – records of any written notice given to an individual stating that a consumer credit application has been refused within 90 days of disclosure by a CRB to the CP of credit reporting information in relation to that individual; and
(f) records of correspondence and actions taken in relation to:
(i) requests to establish or extend a ban period;
(ii) requests for, or notifications of, corrections;
(iii) complaints;
(iv) pre-screening requests by a CP; and
(v) monitoring and auditing of CPs in accordance with Part IIIA, the Regulations and the CR code.
How long must compliance records be kept?
Records must be retained by credit providers for a minimum period of 5 years from the date on which the record is made.
Audits by credit reporting bodies
In accordance with sections 20N and 20Q of the Privacy Act (as amended from 12 March 2014), there is an obligation on Credit Reporting Bodies in paragraph 23 of the Credit Reporting Privacy Code to ensure that regular audits are conducted by an independent person to determine whether Credit Providers are complying with aspects of their contractual obligations to the CRB focussing on:
(a) how a CP ensures that the credit information that the CP discloses to the CRB is accurate, up-to-date and complete; and
(b) how a CP protects credit reporting information disclosed to the CP by a CRB from misuse, interference or loss, or unauthorised access, modification or disclosure; and
(c) that the CP takes the steps in relation to requests to correct credit-related personal information required by Part IIIA, the Regulations and the CR code.
To comply with their obligations to CRB’s, credit providers must therefore keep records to prove they have satisfied those obligations.
A CP must permit a person, who conducts an audit of a CP as part of the CRB’s auditing program, to have reasonable access to the CP’s records for the purposes of carrying out the audit.
A CP must take reasonable steps to rectify issues identified in the course of an audit undertaken pursuant to the CRB’s auditing program.
All credit providers (not limited to Australian Credit Licensees) must review their record retention procedures accordingly.
25 February 2014: See update here.
