Debt collection agencies: privacy compliance when tracing and collecting

Debt collection agencies are heavy users of third-party data. Tracing activities, credit checks, and asset searches all involve collecting personal information from sources other than the debtor.

Common data sources

Debt collectors typically access:

• Credit bureau data (Centrix, Equifax, illion) for credit history and contact details
• PPSR for asset searches
• Companies Office for company associations
• Electoral rolls and phone directories for tracing
• Vehicle registries for asset identification

IPP3A for debt collectors

When a debt collector traces a debtor using third-party data, IPP3A requires notification. However, there is an exception where notification would prejudice the ability to collect the debt (under the "prejudice to the maintenance of the law" or similar exceptions).

This exception is not automatic. Collectors must assess whether notification would actually prejudice collection in each case and document their reasoning.

Best practice

• Assess each lookup: would notifying the debtor actually prejudice your ability to collect?

• If not, notify. Many routine lookups (e.g., confirming a known address) would not be prejudiced by notification.

• Document the exception relied upon for each lookup where notification is withheld.

• Use DEIS to record the pathway — including the exception reasoning — for every lookup.