The Credit Reporting Privacy Code contains detailed, prescriptive rules that credit providers must follow. When these rules are breached — such as failing to send proper notices or listing inaccurate information — the resulting credit file entries may be removable, regardless of whether the underlying debt was valid.
What is the Credit Reporting Privacy Code?
The Credit Reporting Privacy Code (commonly called the "CR Code") is a legally binding code of practice registered under Part IIIA of the Privacy Act 1988. It provides the detailed rules that govern credit reporting in Australia.
While the Privacy Act sets out the broad framework for credit reporting, the CR Code gets into the specifics — exactly what notices must be sent, what timeframes must be followed, what information can be listed, and how disputes must be handled.
The current version is CR Code Version 3.0, which came into effect on 1 July 2024. This version introduced several important changes including expanded hardship provisions and enhanced requirements around financial abuse.
The CR Code is not just a set of guidelines — it has the force of law. Credit providers and credit reporting bodies are legally bound by its requirements. Breaches can be investigated by the Office of the Australian Information Commissioner (OAIC) and may result in enforcement action.
Who Must Comply with the CR Code?
The CR Code applies to three main types of organisations:
1. Credit Reporting Bodies (CRBs)
These are the organisations that hold your credit report. In Australia, the three main CRBs are:
- Equifax (formerly Veda)
- Experian
- illion (formerly Dun & Bradstreet)
2. Credit Providers (CPs)
Any organisation that provides credit is bound by the CR Code. This includes:
- Banks and financial institutions
- Credit unions and building societies
- Buy-now-pay-later providers (Afterpay, Zip, etc.)
- Telecommunications companies (for post-paid services)
- Utility providers (electricity, gas, water)
- Car finance and equipment finance companies
- Personal loan providers
3. Other Organisations
Certain other entities that access or use credit information, such as mortgage brokers, debt collectors, and insurers (in limited circumstances).
What Information Can Be Listed on Your Credit Report?
The CR Code strictly defines what information can appear on your credit report. Credit providers cannot list whatever they want — they can only list the specific categories of information permitted by the Code.
| Type of Information | Description | Retention Period |
|---|---|---|
| Identification Information | Name, date of birth, current and previous addresses, driver's licence number, employer | Ongoing (while account exists) |
| Consumer Credit Liability | Type of credit account, credit provider name, account open date, credit limit, account close date | 2 years after account closure |
| Repayment History | Monthly record of whether payments were made on time (0-6 rating scale) | 2 years |
| Credit Enquiries | Record of when a credit provider accessed your report for credit assessment | 5 years |
| Defaults | Overdue debts of $150+ that are 60+ days overdue where notice requirements met | 5 years from listing date |
| Serious Credit Infringements | Fraudulent debts or debts where debtor cannot be located | 7 years from listing date |
| Court Judgments | Court orders relating to credit | 5 years from judgment date |
| Bankruptcy/Insolvency | Bankruptcy, debt agreements, personal insolvency agreements | Various (5-7 years depending on type) |
The Rules for Listing Defaults
One of the most important sections of the CR Code deals with defaults. These are the listings that typically cause the most damage to your credit score and ability to get finance. The Code sets out strict requirements that must all be met before a default can be validly listed.
Mandatory Requirements for Default Listings
- Minimum Amount: The overdue amount must be at least $150
- Minimum Overdue Period: The payment must be at least 60 days overdue
- Written Notice: A Section 21D notice must be sent to your last known address
- 14-Day Waiting Period: At least 14 days must pass after the notice is sent
- Accuracy: All details (amount, date, creditor) must be accurate
- No Payment Arrangement: You must not have entered a payment arrangement that is being honoured
The Section 21D Notice
Before a credit provider can list a default, they must send you a written notice under Section 21D of the Privacy Act. This notice must:
- Be in writing (email may be acceptable if you've agreed to electronic communications)
- State that the credit provider intends to disclose information about the overdue payment to a credit reporting body
- Include details of the overdue payment
- Be sent to your last known address
One of the most common CR Code breaches we see is failure to send the Section 21D notice, or sending it to the wrong address. If this happened in your case, the default listing may be invalid and removable — even if you genuinely owed the money.
Your Rights Under the CR Code
The CR Code gives you several important rights regarding your credit information:
Right to Access
You can request a free copy of your credit report from each CRB every 3 months, or within 90 days of being refused credit. CRBs must provide your report within 10 business days.
Right to Correction
If information on your credit report is inaccurate, out-of-date, incomplete, irrelevant, or misleading, you can request correction. The CR Code sets strict timeframes:
Initial Response (5 Business Days)
The CRB or credit provider must acknowledge your correction request within 5 business days.
Consultation (30 Days)
If the CRB needs to consult with the credit provider, they have 30 days from the consultation request.
Decision (30 Days Total)
The overall timeframe for resolving a correction request is 30 days from when you lodged it.
Notification of Outcome
You must be notified of the decision in writing, including reasons if your request was refused.
Right to Complain
If you're not satisfied with how a correction request was handled, you can:
- Lodge a complaint with the CRB or credit provider's internal dispute resolution (IDR) process
- Escalate to the Australian Financial Complaints Authority (AFCA) if the organisation is an AFCA member
- Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)
Financial Hardship Provisions
The CR Code Version 3.0 strengthened protections for people experiencing financial hardship. Key provisions include:
Hardship Protections
- Hardship Arrangements: If you enter a formal hardship arrangement with a credit provider, they may be required to report this differently on your credit file
- Financial Abuse: The CR Code now includes specific provisions for victims of financial abuse, potentially allowing removal of listings that resulted from coerced debt
- Variation of Reporting: CRBs can vary how information is reported in genuine hardship situations
- Disaster Provisions: Special provisions apply during declared disasters (natural disasters, pandemics, etc.)
Common CR Code Breaches That Can Lead to Removal
In our experience helping thousands of Australians with credit repair, these are the most common CR Code breaches we identify:
1. Failure to Send Section 21D Notice
The credit provider didn't send the required written notice before listing the default, or sent it to the wrong address.
2. Insufficient Waiting Period
The credit provider listed the default before the required 14 days had passed after sending notice.
3. Listing Below Threshold
The debt was below $150 when listed, or wasn't at least 60 days overdue.
4. Inaccurate Information
The amount, date, account number, or other details are incorrect.
5. Failure to Update
The credit provider failed to update the listing when circumstances changed (e.g., when the debt was paid).
6. Failure to Investigate Corrections
The CRB or credit provider didn't properly investigate a correction request within required timeframes.
7. Listing After Payment Arrangement
A default was listed after you entered a payment arrangement that was being honoured.
At Australian Credit Solutions, we don't just look at whether you owed the money — we examine whether every step of the CR Code was followed correctly. This technical approach is why we achieve a 98% success rate on the cases we accept.
How We Use the CR Code to Remove Listings
Our credit repair process is built on a deep understanding of the CR Code requirements. Here's how we approach each case:
Complete Credit File Review
We obtain your full credit files from all three CRBs and analyse every listing for potential CR Code breaches.
Evidence Request
We request evidence from credit providers to prove they complied with all CR Code requirements.
Breach Identification
Our legal team analyses the evidence to identify specific CR Code breaches that can form the basis of a dispute.
Formal Dispute
We lodge formal correction requests citing specific CR Code provisions that were breached, backed by evidence.
Escalation if Needed
If the initial dispute is unsuccessful, we escalate to AFCA or the OAIC with a detailed submission.
What to Do If You Think the CR Code Was Breached
If you believe a listing on your credit file may have been made in breach of the CR Code:
- Get Your Credit Reports: Request free copies from all three CRBs to see exactly what's listed
- Request Compliance Evidence: Ask the credit provider for copies of notices they sent and evidence of compliance
- Document Everything: Keep records of all communications, including dates and who you spoke with
- Lodge a Formal Dispute: Submit a written correction request citing specific CR Code provisions
- Consider Professional Help: The CR Code is technical and complex — professional assistance can significantly improve your chances of success