One of the intentions of the Privacy Act 1988 (Cth) (Privacy Act) is to enable an effective credit reporting system while safeguarding the privacy of individuals.
To ensure that credit providers are able to comply with their responsible lending obligations, Part IIIA of the Privacy Act sets out:
- the types of personal information that credit providers can disclose to credit reporting bodies
- which entities can handle that information, and
- the purposes for which that information can be handled.
Importantly, Part IIIA was amended on 12 March 2014 to require that a credit provider must be a member of a recognised External Dispute Resolution (EDR) scheme to be able to disclose an individual’s credit information to a credit reporting body. Currently, there are no EDR schemes which apply to credit providers within the healthcare industry.
The term ‘credit provider’ has a broad meaning and is defined as follows:
- a bank
- an organisation or small business operator, if a substantial part of its business is the supply of credit
- a retailer that issues a credit card for the sale of goods or services
- an organisation or small business operator that supplies goods or services where payment is deferred for seven days or more, or
- an organisation or small business operator that supplies credit for the hiring, leasing or renting of goods.
There are currently nine recognised EDR schemes that credit providers can join:
- Australian Financial Complaints Authority
- Energy & Water Ombudsman (NSW) Limited
- Energy & Water Ombudsman (SA)
- Energy & Water Ombudsman Queensland
- Energy and Water Ombudsman (Victoria) Limited
- Energy and Water Ombudsman Western Australia
- Public Transport Ombudsman Limited
- Telecommunications Industry Ombudsman Limited, and
- Tolling Customer Ombudsman.
This narrow scope of the currently recognised EDR schemes means that certain credit providers, for example those within the healthcare industry, may not have an EDR scheme that they can join. In such instances, the mandatory EDR membership provision cannot be waived and any disclosure of personal information to a credit reporting agency will be a breach of the Privacy Act.
Credit providers that are unable to join an EDR scheme should not make disclosures to credit reporting bodies unless and until an applicable EDR scheme is introduced.
This article was written by Special Counsel, Hayley Bowman. If you have any questions about the Privacy Act and External Dispute Resolution schemes, please contact Hayley.