Last week we discussed the requirements for retention and destruction of credit information once the Privacy Act amendments commence on 12 March 2014.
Please note that there are different requirements for credit providers (CPs) and credit reporting bodies (CRBs): sections 20J and 21S apply to CPs. Sections 20D, 20V, 20W, 20X and 20Y apply to CRBs.
New section 21S is the provision relevant to credit reports that have been obtained by a CP from a CRB.
Currently credit providers usually mark a used credit report “no longer current” or “not to be used for future assessment”.
The new obligation under section 21S(2) is “to destroy the information or to ensure that the information is de-identified” if “…the provider no longer needs the information for any purpose for which the information may be used … and … the provider is not required by or under an Australian law, or a court/tribunal order, to retain the information”.
Subsection 6(1) defines “de-identified” as “personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.”
Paragraph 1.2(g) of the CR Code explains that the obligation to destroy includes an obligation to put the information “beyond use” if it is in electronic form.
CPs need to review their procedures for holding credit reports once they have been used for the relevant credit application.
How long they can be retained for depends on the purpose for which they were obtained.
Whether the reports are destroyed or de-identified will depend on whether they are in paper or electronic form.
Failure to comply with section 21S(2) is punishable by a civil penalty of up to 1,000 penalty units ($170,000).