Credit Reporting Policies

  • Insight by Anitah Kumar
  • Published: Current as at 8 November 2023
  • Category: Insights

What is the difference between privacy policies and credit reporting policies? Does your business require a credit reporting policy, and what are your legal obligations?

Amidst increased concerns about privacy protection and data use, this area of law and commercial compliance is under scrutiny, with consequential legislative reforms on their way. Ensuring that your business appropriately deals with personal information and complies with Privacy Laws is now paramount.

Many businesses do not realise that they meet the criteria to require a credit reporting policy. It is also widely misunderstood what a credit reporting policy is and how it differs from a privacy policy. We break down the differences and your compliance obligations below.

The difference between a privacy policy and a credit reporting policy

Under the Privacy Act 1988 and the Australian Privacy Principles (Privacy Laws), businesses are required to adhere to stringent regulations when collecting, using, and disclosing customer or client information. Both privacy policies and credit reporting policies act as blueprints for handling personal information to ensure that the business complies with the Privacy Laws.

A privacy policy provides guidelines and procedures on how a business deals with the personal information of a customer, client, or website user. Personal information is the overarching term for information about an identifiable individual. This encompasses the kind of information you may incidentally collect in the course of your business, such as contact details and IP addresses, as well as sensitive and credit-related information.

A credit reporting policy outlines specifically how a business deals with credit-related information, which includes information collected or created about a customer or client regarding their consumer credit and history.

When do you need a credit reporting policy?

Whether you require a credit reporting policy is currently dependent on two main factors:

  1. Whether your business is an Australian Privacy Principles (APP) entity – generally meaning that you generate more than $3 million in revenue each year; and
  2. Whether you extend credit to your customers on terms of more than 7 days.

If your business provides goods or services on a credit account with customers, and it satisfies the requirements of an APP entity under the Privacy Laws, you will require both a privacy policy and a credit reporting policy.

The APP threshold already captures a large volume of commercial businesses. However, it is worth noting that anticipated changes to the Privacy Act in 2024 may result in the $3 million revenue threshold for an APP entity being removed. This will mean that more small and medium-sized businesses will require these policies.

Your obligations and compliance

Simply having your customers consent to sharing credit-related information on your credit application forms is not enough to satisfy the requirements of the Privacy Laws. The APPs outline specific details and processes related to how you manage credit-related information that you need to make known to your customers.

For businesses that fall under the definition of an APP entity and provide goods or services on credit, establishing robust privacy and credit reporting policies is essential.

Importantly, breaching your obligations under the APPs and Credit Reporting Code is a breach of the Privacy Act. Serious and repeated interferences with privacy can attract civil penalties of up to $2.5 million for individuals and $50 million for companies. Comprehensive policies will not only help safeguard your business against complaints, but also ensure compliance with Privacy Laws and regulations.

Whether seeking to understand which policies apply to your business, or requiring advice about best privacy practices, contact our commercial law experts to help you navigate this complex and evolving area of law.