NZ: Credit Reporting Privacy Code 2004
| | |
|---|---|
| Regulator | Privacy Commissioner |
| Jurisdiction | NZ |
| Status | live |
| Applicability | Platform |
The Credit Reporting Privacy Code 2004 is issued by the NZ Privacy Commissioner under the Privacy
Act 2020. It governs the collection, use, disclosure, and retention of credit information about
individuals by credit reporters and credit providers. It applies whenever the bank obtains a credit
report from a bureau (e.g., Centrix, Equifax NZ) or submits credit information to a bureau.
Key obligations: individuals must consent before a bureau enquiry is made; bureau data may only be
used for credit assessment purposes; adverse bureau findings must be disclosed to the applicant
before a credit decision is made; individuals have the right to access and correct their credit
information; credit defaults may be listed only after following prescribed notification steps;
retention periods are capped (payment defaults — 5 years, judgments — 7 years from registration).
Compliance register
This register maps every material obligation under the Code to the platform control or institutional
process that satisfies it. It is the static traceability layer for the Totara compliance report.
Scope legend
| Symbol | Meaning |
|---|---|
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Entirely outside platform scope — legal, compliance, or HR function. |
| N/A | Not applicable to this deployment. |
Build legend
| Symbol | Meaning |
|---|---|
| ✅ | Module built and deployed |
| 🔨 | Planned — not yet built |
| ❌ | Uncontrolled gap — no module attributed |
Part 1 — Credit enquiries and bureau access
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| Rule 4 | Obtain individual's consent before making a bureau credit enquiry | 📊 Evidenced | REP-010 | MOD-128 (LOG) — consent record captured at credit application with enquiry request and bureau reference; consent must be obtained in the application flow before bureau call is made | 🔨 |
| Rule 4 | Use bureau credit information only for the permitted purpose (credit assessment) for which it was obtained | 🤖 Automated | REP-010 | MOD-128 (LOG) — bureau data is written to a purpose-restricted data store; access is scoped to credit assessment workflow only, enforced at data layer | 🔨 |
| Rule 8 | Disclose adverse bureau findings to the applicant before making a credit decision that relies on them | 🤖 Automated | REP-010, CON-004 | MOD-128 (AUTO) — adverse bureau findings are included in the responsible lending assessment disclosure delivered to the applicant via MOD-050 before credit decision is finalised | 🔨 |
| Rule 11 | Retain bureau enquiry records for no longer than permitted period | 🤖 Automated | REP-010 | MOD-128 (LOG) — all bureau enquiry records logged with timestamp; retention schedules enforced by platform data lifecycle policy | 🔨 |
Part 2 — Credit reporting submissions
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| Rule 5 | Submit accurate and current credit information to bureaus | 🤖 Automated | REP-010 | MOD-059 (AUTO) — automates credit information submissions to NZ bureaus; data sourced from the authoritative ledger and loan servicing system to ensure accuracy | 🔨 |
| Rule 5 | Notify the individual before listing a default (prescribed steps: demand letter, 30-day notice period) | 📊 Evidenced | REP-010 | MOD-059 (LOG) — default listing workflow includes notification step tracking; compliance officer reviews notification completion before listing is submitted | 🔨 |
| Rule 5 | Correct inaccurate credit information on bureau within 5 business days of becoming aware | 🤖 Automated | REP-010 | MOD-059 (AUTO) — correction submissions automated once inaccuracy is confirmed; dispute resolution workflow in MOD-059 | 🔨 |
| Rule 7 | Comply with retention and deletion rules (defaults: max 5 years; judgments: max 7 years from registration) | 🤖 Automated | REP-010 | MOD-059 (AUTO) — bureau submission records include expiry dates aligned to Code retention caps; automated correction/deletion requests submitted at expiry | 🔨 |
Part 3 — Individual access and correction rights
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| Rule 6 | Provide individuals with access to their credit information held by the bank within 20 working days | 🤖 Automated | REP-010, PRI-001 | MOD-148 (AUTO) — DSAR workflow handles credit information access requests within statutory timeframe; SLA auto-tracked and escalated | 🔨 |
| Rule 6 | Correct credit information held by the bank within 20 working days of a correction request | 📊 Evidenced | REP-010 | MOD-148 (LOG) — correction request logged and tracked; compliance officer action required to update underlying data; correction confirmed in case record | 🔨 |
| Obligation | Owner | Platform evidence input |
|---|---|---|
| Negotiate and maintain bureau data supply agreements (membership of bureau schemes) | Chief Compliance Officer / Legal | MOD-059 provides the submission data; contract management is institutional |
| Handle Privacy Commissioner complaints and disputes relating to credit reporting | Chief Compliance Officer | MOD-128 and MOD-059 logs provide the evidence base for any complaint response |
| Train staff on credit reporting obligations and consent requirements | Chief Compliance Officer / Chief People Officer | Platform enforces the consent capture; staff training on the Code is institutional |
Coverage summary
| Area | Total obligations | 🤖 Automated | 📊 Evidenced | 🏛 Institutional | N/A |
|---|---|---|---|---|---|
| Credit enquiries | 4 | 3 (75%) | 1 | 0 | 0 |
| Credit reporting submissions | 4 | 3 (75%) | 1 | 0 | 0 |
| Access and correction rights | 2 | 1 (50%) | 1 | 0 | 0 |
| Total | 10 | 7 (70%) | 3 (30%) | 0 (0%) | 0 (0%) |
All 10 platform obligations have attributed controls. All attributed modules are currently
build_status: Not started.
| Policy | Title |
|---|---|
| REP-010 | Credit reporting & bureau submission |
| PRI-001 | Privacy & Personal Information Policy |
| PRI-003 | Privacy Incident & Breach Notification Policy |
Official documentation
Policies referencing this standard
- REP-010 — Credit reporting & bureau submission
Compiled 2026-05-22 from source/entities/regulations/nz-credit-reporting-privacy-code.yaml