The acting Australian Information Commissioner and acting Privacy Commissioner has announced that they have approved a variation of the registered Privacy (Credit Reporting) Code 2014 Version 1.2. The variations are proposed to commence on 1 July 2018.

The variation was approved following an application by the Australian Retail Credit Association (ARCA).

The CR Code is a mandatory code that binds credit providers and credit reporting bodies. A breach of the CR Code is a breach of the Privacy Act.

In summary, the variation amends:

• the definition of ‘month’ for the purposes of reporting repayment history information (RHI) (para 1.2(g)(i));
• certain categories in the definition of the ‘maximum amount of credit available’ (para 6.2(b));
• the definition of ‘the day credit is terminated or otherwise ceases to be in force’ (para 6.2(c)–(e));
• the application of a ‘grace period’ to the disclosure of RHI (para 8.2(c));
• notification requirements, providing that notices under s 21D of the Privacy Act may be sent to an individual’s last known address, which may include an electronic address (para 9.3(d));
• the timing of issuing a notice under section 21D of the Privacy Act (para 9.3(f));
• the prohibition on a credit reporting body developing a ‘tool’ to facilitate a credit provider’s direct marketing, to extend to a ‘service’ (para 18.1(b));
• certain mechanisms for correcting information (para 20.9(b)).