Credit Reporting Privacy Code

The Credit Reporting Privacy Code was issued in December 2004 as delegated legislation under the Privacy Act 2003. The Code applies directly to credit reporters, but will still have indirect effects on credit providers.


Credit information is often held in large amounts and is rarely gathered directly from those to whom it relates. Until now, there have been relatively few formal controls over the type and amount of information held and its use. People have had no real opportunity to verify data before it is stored.

The Code aims to improve the accuracy of credit reporting, by making the process more transparent and providing people with control over the way in which their personal information is handled. Credit agencies have had to abide by the Privacy Act since 1993, but now they will also be obliged to follow this new code, which sets out more specific requirements.

The Code comes into force on 1 April 2006 (except for clauses 7 and 8, which commence on 1 April 2005, allowing individuals free access to information held about them by credit reporters, and requiring credit reporters to have a complaints procedure in operation).

It applies directly to credit reporters, being entities that collect credit and personal information and sell it to third parties. Credit providers are affected indirectly as businesses involved in providing credit to individuals.


The Code provides:

  • free access by individuals to their own credit reports from 1 April 2005
  • the introduction of time limits for how long credit information can be held on a credit file
  • steps to ensure people know what happens to their personal information when they apply for a loan or make a credit purchase
  • a plain language summary of rights
  • obligations on credit reporters to maintain high standards in all aspects of their work
  • new complaints processes
  • rules governing who can access the information and what they can do with it, and
  • improved standards of reporting accuracy through:
    • requiring businesses supplying information for credit reports to ensure it is accurate and updated as necessary
    • requiring credit reporters to maintain an audit programme that may make subscribers subject to spot checks on the reliability of information they have supplied
    • requiring credit reporters to flag disputed records while they are being checked, and
    • requirements to ensure that information about one individual is not wrongly attributed to another.

Implications for Credit Providers

From 1 April 2006, the Code will apply indirectly to credit providers by way of subscriber agreements between credit reporters and credit providers, whereby a credit reporter agrees by written contract to supply the subscriber with access to credit information.

The provisions regarding subscriber agreements are found in schedule 3 of the Code. All subscriber agreements must include a number of obligations on the credit providers, including steps to safeguard accurate maintenance and security of personal information.

You can find a copy of the Code online at


The content of this document is necessarily general and readers should seek specific advice on particular matters and not rely solely on this document.
If you would like further information on any of the topics in this document, please contact the writer or your usual Auld Brewer Mazengarb & McEwen adviser.