The Law Handbook 2024

1108 Section 12: Government and the individual provider’s website. Contact information for the main Australian credit-reporting bodies is provided in ‘Contacts’ at the end of this chapter. A credit provider or credit-reporting body that refuses an individual’s request to access credit- related information must give the individual a notice setting out their reasons for the refusal and how the individual can complain about this refusal. Correcting credit-related information An individual has the right to seek the correction of their credit-related information. Credit providers and credit-reporting bodies must correct information that is inaccurate, out-of-date, incomplete, irrelevant or misleading, within 30 days of receiving a correction request from an individual (or a longer period agreed to by the individual in writing). A credit provider or credit-reporting body is required to deal with a correction request themselves; they cannot refer the request to another credit provider or credit-reporting body. A credit provider or credit-reporting body is required to consult another credit provider or credit-reporting body (if necessary) to determine whether the relevant information is inaccurate, out-of-date, incomplete, irrelevant or misleading. To meet their obligations to correct information, credit providers and credit-reporting bodies must take reasonable steps to ensure that any derived information (e.g. credit scores or ratings) reflects the corrections. Individuals have additional rights about their credit default information. For example, an individual can request a credit-reporting body to destroy any default information where the limitation period for recovery of the debt (generally six years) has expired. Credit providers and credit-reporting bodies must notify an individual of their decision about a correction request, generally within five days of the decision. If a request is refused, they must provide the reasons for the refusal. Making a complaint An individual can make a complaint about how credit providers and credit-reporting bodies have handled their information or dealt with their requests. First, an individual should complain to the relevant credit provider or credit-reporting body. Second, if the individual is not satisfied with the outcome, they can complain to an external dispute resolution ( EDR ) scheme of which the credit provider or the credit-reporting body is a member. Credit providers and credit-reporting bodies can advise whether they are a member of the EDR scheme on request. However, if a complaint relates to a decision about access to, or correction of, personal information, an individual can first complain to an EDR scheme. Since November 2018, the EDR scheme recognised by the Information Commissioner for the financial services sector has been the Australian Financial Complaints Authority. Complaints about credit providers that are not financial service providers may be made to another EDR provider (if applicable) or to the OAIC directly. If a person is not satisfied with the EDR outcome, they may complain to the Information Commissioner. More information about the credit-reporting regime is available on OAIC’s website (www.oaic. gov.au/privacy) . Also, the Australian Retail Credit Association maintains an information website (www. creditsmart.org.au) to help consumers understand the effects of the PA 1988 on credit reporting. Privacy protection in Australia: Other Commonwealth legislation and guidelines Overview In addition to the PA 1988, other Commonwealth laws and guidelines deal with information privacy. These laws include legislation relating to tax file numbers, medical research, electronic health records, Pharmaceutical Benefits Scheme and Medicare, spent criminal convictions, registered personal property security interests, telecommunications, and the consumer data right (see ‘Consumer Data Right’, below). Freedom of Information Act 1982 As stated under APP 12, federal public sector agencies provide access to personal information through the FoI Act (Cth). However, section 41 of the FoI Act (Cth) exempts agencies from providing access to personal information if the disclosure involves an unreasonable disclosure of personal information