(1) If a credit provider holds credit eligibility information about an individual, the provider must, on request by an access seeker in relation to the information, give the access seeker access to the information.
Exceptions to access
(2) Despite subsection (1), the credit provider is not required to give the access seeker access to the credit eligibility information to the extent that:
(a) giving access would be unlawful; or
(b) denying access is required or authorised by or under an Australian law or a court/tribunal order; or
(c) giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
Dealing with requests for access
(3) The credit provider must respond to the request within a reasonable period after the request is made.
Means of access
(4) If the credit provider gives access to the credit eligibility information, the access must be given in the manner set out in the registered CR code.
(5) If the credit provider is an agency, the provider must not charge the access seeker for the making of the request or for giving access to the information.
(6) If a credit provider is an organisation or small business operator, any charge by the provider for giving access to the information must not be excessive and must not apply to the making of the request.
Refusal to give access
(7) If the provider refuses to give access to the information because of subsection (2), the provider must give the access seeker a written notice that:
(a) sets out the reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so; and
(b) states that, if the access seeker is not satisfied with the response to the request, the access seeker may:
(i) access a recognised external dispute resolution scheme of which the provider is a member; or
(ii) make a complaint to the Commissioner under Part V.
Interaction with the Australian Privacy Principles
(8) If a credit provider is an APP entity, Australian Privacy Principle 12 does not apply to the provider in relation to credit eligibility information.