INSIGHTS: Privacy and External Dispute Resolution schemes: Limitations for healthcare credit providers

March 5, 2021

Author

Hayley Bowman
Special Counsel

One of the intentions of the Privacy Act 1988 (Cth) (Privacy Act) is to enable an effective credit reporting system while safeguarding the privacy of individuals.

To ensure that credit providers are able to comply with their responsible lending obligations, Part IIIA of the Privacy Act sets out:

  • the types of personal information that credit providers can disclose to credit reporting bodies
  • which entities can handle that information, and
  • the purposes for which that information can be handled.

Importantly, Part IIIA was amended on 12 March 2014 to require that a credit provider must be a member of a recognised External Dispute Resolution (EDR) scheme to be able to disclose an individual’s credit information to a credit reporting body. Currently, there are no EDR schemes which apply to credit providers within the healthcare industry.

Credit providers

The term ‘credit provider’ has a broad meaning and is defined as follows:

  • a bank
  • an organisation or small business operator, if a substantial part of  its business is the supply of credit
  • a retailer that issues a credit card for the sale of goods or services
  • an organisation or small business operator that supplies goods or services where payment is deferred for seven days or more, or
  • an organisation or small business operator that supplies credit for the hiring, leasing or renting of goods.

EDR schemes

There are currently nine recognised EDR schemes that credit providers can join:

  • Australian Financial Complaints Authority
  • Energy & Water Ombudsman (NSW) Limited
  • Energy & Water Ombudsman (SA)
  • Energy & Water Ombudsman Queensland
  • Energy and Water Ombudsman (Victoria) Limited
  • Energy and Water Ombudsman Western Australia
  • Public Transport Ombudsman Limited
  • Telecommunications Industry Ombudsman Limited, and
  • Tolling Customer Ombudsman.

This narrow scope of the currently recognised EDR schemes means that certain credit providers, for example those within the healthcare industry, may not have an EDR scheme that they can join. In such instances, the mandatory EDR membership provision cannot be waived and any disclosure of personal information to a credit reporting agency will be a breach of the Privacy Act.

Credit providers that are unable to join an EDR scheme should not make disclosures to credit reporting bodies unless and until an applicable EDR scheme is introduced.

This article was written by Special Counsel, Hayley Bowman and Solicitor, Yashila De Silva. If you have any questions about the Privacy Act and External Dispute Resolution schemes, please contact Hayley.

Download Commercial Insight

Disclaimer: This information is current as of March 2021. This article does not constitute legal advice and does not give rise to any solicitor/client relationship between Meridian Lawyers and the reader. Professional legal advice should be sought before acting or relying upon the content of this article.