National Consumer Credit Protection Act 2009

CHAPTER 3 - RESPONSIBLE LENDING CONDUCT  

PART 3-2CA - LICENSEES SUPPLYING CREDIT INFORMATION TO CREDIT REPORTING BODIES ETC.  

Division 2 - Supplying credit information to credit reporting bodies etc.  

Subdivision B - Ongoing supplies of credit information  

SECTION 133CV   EXCEPTION IF CREDIT REPORTING BODY NOT COMPLYING WITH INFORMATION SECURITY REQUIREMENTS  

133CV(1)    
Subsection 133CU(1) does not apply, and is taken never to have applied, to a licensee for a credit reporting body if:

(a)    the licensee reasonably believes that the body is not complying with section 20Q of the Privacy Act 1988 :

(i) on the trigger day referred to in that subsection; and

(ii) on the last day of the 45-day period starting on the trigger day; and

(b)    the licensee continues to hold that belief after that 45-day period; and

(c)    the licensee satisfies subsection (2) of this section.

Note 1:

Paragraph (b) means that, if the licensee ceases to hold that belief after that 45-day period, this exception will cease to apply and the supply requirement in subsection 133CU(1) will apply.

Note 2:

A person who wishes to rely on this subsection bears an evidential burden in relation to the matters in this subsection (see subsection (3) of this section and subsection 13.3(3) of the Criminal Code ).

133CV(2)    
The licensee satisfies this subsection if:

(a)    the licensee prepares a written notice:

(i) stating that the licensee reasonably believes that the body is not complying with section 20Q of the Privacy Act 1988 on the trigger day; and

(ii) setting out the licensee ' s reasons for that belief; and

(iii) stating that the body may try to convince the licensee otherwise; and

(b)    the licensee gives that notice to the body, and a copy to the Information Commissioner and ASIC, within 7 days after the trigger day; and

(c)    the licensee prepares a written notice (the final notice ):

(i) stating that the licensee reasonably believes that the body is not complying with section 20Q of the Privacy Act 1988 on the last day of that 45-day period; and

(ii) setting out the licensee ' s reasons for that belief; and

(d)    the licensee gives the final notice to the body, and a copy to the Information Commissioner and ASIC, within 7 days after the last day of that 45-day period.

133CV(3)    
A licensee who wishes to rely on subsection (1) in proceedings for a declaration of contravention or a pecuniary penalty order bears an evidential burden in relation to the matters in that subsection.

133CV(4)    
Subsection 21U(2) of the Privacy Act 1988 does not require a licensee to give a credit reporting body notice of a correction of certain information if:

(a)    subsection (1) of this section is providing the licensee with an exception from a requirement under subsection 133CU(1) of this Act; and

(b)    that requirement is to supply the corrected information to the body;

unless the reason under subsection 21U(1) of the Privacy Act 1988 for the correction is that the information is inaccurate, and it was inaccurate when earlier supplied to the body under this Division.