The Law Handbook 2024
Chapter 12.2: Privacy and your rights

entity must also communicate the correction to third parties to whom it has previously disclosed the information. If an entity refuses to correct the information, it must explain (in writing) the refusal and how the individual can complain about this refusal. The entity may also have to inform users of the information that the individual believes to be incorrect.

For government agencies, APP 13 operates alongside the right to amend or annotate personal information under Part V of the FoI Act (Cth).

Data breach notification

Since 22 February 2018, all APP entities are required to notify the OAIC, and in most cases any affected individuals, when a data breach occurs and is likely to result in serious harm to the individuals whose personal information is involved in the breach.

Some of the bulk cyber-security data breaches that gain traction in media reports are managed under the Notifiable Data Breaches Scheme, depending on whether the entity responsible for the data is subject to the PA 1988. That does not mean that individuals directly affected are precluded from bringing a privacy complaint, or a representative privacy complaint under the representative privacy complaint provisions of the PA 1988.

A range of useful resources are available to individuals to manage the risks and impacts of data breaches, particularly identity theft. See for example, the E-Safety Commissioner resources at www.esafety.gov.au/key-issues/staying-safe/identity-theft.

For more information about the Notifiable Data Breaches Scheme, see www.oaic.gov.au. Note that under the scheme, organisations (including all state and territory public sector organisations) that are tax file number recipients are also subject to the scheme.

Privacy and credit reporting

Overview

Part IIIA of the PA 1988 regulates the handling of certain types of personal information by credit providers and credit-reporting bodies (as defined in PA 1988).
The provisions in Part IIIA are supplemented by the Privacy Regulation 2013 and the CR Code 2014, which is a Code of Practice that relates to credit reporting that is registered under the PA 1988 (together, ‘credit-reporting regime’).

On 10 March 2022, the Information Commissioner approved a variation to the CR Code 2014, which has resulted in two tranches of amendments:

• the CR Code 2014 (Version 2.2) commenced on 22 April 2022; and
• the CR Code 2014 (Version 2.3) commenced on 1 July 2022.

The CR Code 2014 (Version 2.3) enhances protection for consumers who agree to a financial hardship agreement with their lender, with their repayment history safeguarded through a special payment arrangement.

Depending on the specific context, the credit-reporting regime applies to the collection, use or disclosure of credit-related information instead of, or in addition to, the APPs in Part IIIA of the PA 1988.

The credit-reporting regime distinguishes between consumer and commercial credit (as defined in the PA 1988). It focuses on the regulation of information that has a bearing on an individual’s credit-worthiness in respect of consumer credit.

An example of the functions of the credit-reporting regime is where credit providers (e.g. banks, ‘telcos’ and energy retailers) use information about an individual’s consumer credit-worthiness when they assess an application for a consumer loan, credit card, or the supply of goods on deferred payment terms (e.g. an application for a post-paid mobile phone service).

In some instances, a credit provider carrying out a ‘credit check’ before entering into an arrangement to provide credit is mandated by applicable law (including under the National Credit Code, the Telecommunications Consumer Protection Code or the National Energy Retail Rules).

In order to participate in the credit-reporting regime, a credit provider must be a member of a recognised external dispute resolution scheme (see ‘Making a complaint’, below).
Credit-reporting bodies are permitted to collect, use and disclose credit-related information about individuals. Credit-reporting bodies provide such information on request to credit providers so they can assess applications for consumer credit. These requests are recorded and become part of the credit-related information held by the credit-reporting body.