When a creditor refers a debt to an external collection agency or lists a default with a credit bureau, they are disclosing personal information about the debtor. The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) govern how that information can be collected, used, and disclosed. Understanding these obligations is important both for compliance and for ensuring that the recovery process is not derailed by a privacy complaint.
Who the Privacy Act applies to
The Privacy Act applies to Australian Government agencies and to private sector organisations with an annual turnover of more than $3 million. Importantly, it also applies to small businesses in certain circumstances — including businesses that trade in personal information, businesses related to a larger organisation, and health service providers. From 2026, the Privacy Act is being amended to broaden its application significantly, and pending legislative changes may extend coverage to all businesses. Creditors should not assume they are exempt based on turnover alone.
What you can disclose to a recovery agent
Under APP 6, an organisation may use or disclose personal information for a secondary purpose (one other than the primary purpose for which it was collected) only if the secondary purpose is directly related to the primary purpose, or if the individual would reasonably expect the disclosure, or if an exception applies.
The relevant exceptions for debt recovery are the "related secondary purpose" exception and, in practice, the "enforcement body" exemption where applicable. Most creditors address this by including disclosure authority in their credit application, terms of trade, or privacy policy: a statement that personal information may be disclosed to third parties for the purposes of recovering outstanding amounts.
What you should include in your credit application
To maximise your ability to use personal information in recovery without a privacy complaint, your credit application or privacy notice should state that you may:
- Disclose personal information to credit reporting bodies
- Disclose personal information to debt collection agencies acting on your behalf
- Use personal information to contact the individual about overdue accounts
- Report payment default information to a commercial credit reporting body
Consumer credit reporting vs commercial credit reporting
Consumer credit reporting — where a default is listed on an individual's consumer credit file held by Equifax, Experian, or Illion — is regulated by Part IIIA of the Privacy Act and involves specific procedures including notification requirements and dispute resolution obligations. Commercial credit reporting (listing a business default with a bureau like CreditorWatch) has fewer statutory requirements, though the APPs still apply to the extent that individuals' information is involved.
Contact Merion if you want to understand how privacy obligations apply to your specific recovery processes — we work within compliant frameworks for all collection activity.