NATIONAL CONSUMER CREDIT PROTECTION ACT 2009 - SECT 133CS Exception if credit reporting body not complying with information security requirements

NATIONAL CONSUMER CREDIT PROTECTION ACT 2009 - SECT 133CS

  (1)   Subsection   133CR(1) or (3) does not apply, and is taken never to have applied, to a licensee for a credit reporting body if:

  (a)   the licensee reasonably believes that the body is not complying with section   20Q of the Privacy Act 1988 :

  (i)   on the 1   July referred to in that subsection; and

  (ii)   on the last day of the 90 - day period starting on that 1   July; and

  (b)   in the case of subsection   133CR(3)--the licensee continues to hold that belief after that 90 - day period; and

  (c)   the licensee satisfies subsection   (2) of this section.

Note 1:   Paragraph   (b) means that, if the licensee ceases to hold that belief after the 90 - day period starting on the 1   July in subsection   133CR(3), this exception will cease to apply and the supply requirement in subsection   133CR(3) will apply.

Note 2:   A person who wishes to rely on this subsection bears an evidential burden in relation to the matters in this subsection   (see subsection   (3) of this section and subsection   13.3(3) of the Criminal Code ).

  (2)   The licensee satisfies this subsection if:

  (a)   the licensee prepares a written notice:

  (i)   stating that the licensee reasonably believes that the credit reporting body is not complying with section   20Q of the Privacy Act 1988 on that 1   July; and

  (ii)   setting out the licensee's reasons for that belief; and

  (iii)   stating that the body may try to convince the licensee otherwise, but that in the case of subsection   133CR(1) the body will need to do so before the end of the 90 - day period starting on that 1   July; and

  (b)   the licensee gives that notice to the body, and a copy to the Information Commissioner and ASIC, within 7 days after that 1   July; and

  (c)   the licensee prepares a written notice (the final notice ):

  (i)   stating that the licensee reasonably believes that the body is not complying with section   20Q of the Privacy Act 1988 on the last day of that 90 - day period; and

  (ii)   setting out the licensee's reasons for that belief; and

  (d)   the licensee gives the final notice to the body, and a copy to the Information Commissioner and ASIC, within 7 days after the last day of that 90 - day period.

  (3)   A licensee who wishes to rely on subsection   (1) in proceedings for a declaration of contravention or a pecuniary penalty order bears an evidential burden in relation to the matters in that subsection.