What information can a credit provider share about me with other companies?

In Plain English

Credit providers in Australia can share certain information about your credit history with credit reporting bodies (CRBs). This includes things like your name, contact details, the types of credit accounts you have, how much you owe, and your repayment history. They can also share this information with other credit providers in certain situations, such as when you apply for credit with them, or if you're having trouble making payments.

There are strict rules about what information can be shared and who it can be shared with, designed to protect your privacy. For example, credit providers need to have a policy about how they manage your credit information, and they need to tell you if they're likely to share your information with companies overseas. You also have the right to access your credit information and ask for corrections if anything is wrong.

The Consumer Data Right (CDR) also allows you to share your data with accredited third parties, giving you more control over your information and potentially leading to better financial products and services.

Detailed Explanation

The Privacy Act 1988 and the Privacy (Credit Reporting) Code 2025 govern how credit providers handle credit information. Key aspects include:

• Types of Information: Credit providers can disclose "credit information," "credit eligibility information," and "CRB derived information" (Privacy Act 1988, s 21, 21A). "Credit information" includes identification information, consumer credit liability information, repayment history, information requests, and the type and amount of credit sought (Privacy Act 1988, s 6N).
• Credit Reporting Bodies (CRBs): Credit providers can disclose credit information to CRBs, subject to certain conditions. This includes being a member of a recognized external dispute resolution scheme and ensuring the individual is at least 18 years old (Privacy Act 1988, s 21D). The National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Act 2021 mandates that certain large ADIs (Authorised Deposit-taking Institutions) supply credit information to eligible CRBs.
• Permitted CP Disclosures: Credit providers can disclose credit eligibility information to other credit providers with the individual's express consent (Privacy Act 1988, s 21J). Other permitted disclosures include disclosures to agents, in securitization arrangements, or when both credit providers have mortgage credit secured by the same property (Privacy Act 1988, s 21J). They can also disclose to potential guarantors with the individual's consent (Privacy Act 1988, s 21K).
• Overseas Disclosure: Credit providers must disclose in their policy whether they are likely to disclose credit information to entities without an Australian link and, if so, the countries where those entities are likely located (Privacy Act 1988, s 21B).
• Disclosure to Debt Collectors: Before disclosing credit eligibility information to debt collectors without an Australian link, credit providers must take reasonable steps to ensure they do not breach the Australian Privacy Principles (Privacy Act 1988, s 21NA).
• Consumer Data Right (CDR): The Consumer Data Right (Non-Bank Lenders) Designation 2022 and related rules (Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021, Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, Competition and Consumer (Consumer Data Right) Rules 2020) allow consumers to authorize accredited third parties to access their data. This excludes certain credit reporting information to reduce overlap with the Privacy Act 1988 (Consumer Data Right (Non-Bank Lenders) Designation 2022). The CDR includes strong privacy and security protections (Consumer Data Right (Non-Bank Lenders) Designation 2022).
• Credit Related Research: The Privacy (Credit Related Research) Rule 2024 sets out the conditions under which a CRB may use or disclose de-identified credit reporting information to conduct research in relation to credit.
• Victims of Fraud: Individuals who believe they are victims of fraud can request a ban period, during which credit reporting information cannot be used or disclosed (Privacy (Credit Reporting) Code 2025, s 17).
• Access and Correction: Individuals have the right to access their credit reporting information and seek corrections (Privacy Act 1988, s 21B; Privacy (Credit Reporting) Code 2025, s 16). Access must be provided without charge in certain circumstances, such as after a credit application refusal (Privacy (Credit Reporting) Code 2025, s 16).
• Notification Requirements: Credit providers must notify individuals about the CRB they are likely to disclose information to and other matters outlined in the CR code (Privacy Act 1988, s 21C; Privacy (Credit Reporting) Code 2025, s 4).
• Refusal of Credit: If a credit provider refuses an application based on credit reporting information, they must provide a written notice explaining the individual's right to access their credit reporting information (Privacy (Credit Reporting) Code 2025, s 15).