FOS has been asked by the Office of the Australian Information Commissioner to distribute a letter to all credit providers that participate in the Australian credit reporting system. FOS is advised that the letter is intended to encourage credit providers to engage with credit reporting bodies in relation to credit reporting bodies’ auditing obligations imposed by Part IIIA of the Privacy Act 1988, and to address any concerns held by providers that the audit results will be conveyed to the OAIC for the purpose of regulatory enforcement.
Credit providers (as opposed to credit reporting bodies) need to understand, and comply with, their obligations under the Privacy Act 1988 and the Privacy (Credit Reporting) Code when it comes to:
- allowing credit reporting bodies to appoint independent auditors of the credit provider’s procedures for dealing with credit information; and
- assisting credit reporting bodies to comply with their obligations to monitor and audit the quality and security of credit reporting information (e.g. permitting the auditors reasonable access to records, rectifying any issues identified by an audit, etc.).
It should be noted that the obligations on credit providers and credit reporting bodies are complementary, so the OAIC has noted in the letter that credit providers who assist credit reporting bodies in the ways listed above will be in a better position to meet their own obligations under the legislation and Code.
The OAIC letter can be found here.