Rowan is the Marketing Coordinator at Sprintlaw. She is studying law and psychology with a background in insurtech and brand experience, and now helps Sprintlaw help small businesses
If your business offers credit, invoices customers, runs subscriptions, or checks customers’ ability to pay before you provide goods or services, you’re probably dealing with “credit information” in some form.
And once you’re dealing with credit information, the big question becomes: do you need a credit reporting policy?
This 2026 update reflects the current privacy and credit reporting expectations in New Zealand, particularly the way businesses collect, use, disclose and secure personal information under the Privacy Act 2020 and the Credit Reporting Privacy Code 2020.
Let’s break down when a credit reporting policy is required, when it’s simply a smart risk-management move, and what you should include so you’re protecting your business from day one.
What Is A Credit Reporting Policy (And How Is It Different From A Privacy Policy)?
A credit reporting policy is a document that explains how your business handles credit information about individuals.
In plain terms, it’s about being transparent with people when you:
- use credit reporting agencies (like Centrix, Equifax or Illion);
- collect information to assess whether someone is likely to pay you;
- report a default or payment issue (if you’re entitled to do so); or
- obtain a credit report as part of your onboarding or ongoing account management.
A lot of business owners assume a credit reporting policy is the same as a privacy policy. They’re related, but not identical.
- A privacy policy is broader: it explains how you handle personal information generally across your business (customers, website visitors, suppliers, and sometimes staff).
- A credit reporting policy is narrower and more specific: it focuses on the rules around credit information and credit reporting processes.
Some businesses combine this information into one larger privacy policy. Others have a standalone policy. What’s right for you depends on what you do and how you manage credit risk.
If your business already has a Privacy Policy but it doesn’t clearly cover credit reporting, that can leave you exposed (and can create a trust issue with customers).
When Do You Actually Need A Credit Reporting Policy?
You’re more likely to need a credit reporting policy if you’re doing any of the following with individual customers (not just companies):
- checking credit reports before approving an account, finance, payment plan, or subscription;
- sharing customer payment behaviour with a credit reporting agency;
- using credit reporting data to decide whether to continue supplying goods/services on credit;
- engaging debt collectors who may list or rely on credit reporting information; or
- operating a platform or service where creditworthiness is part of the customer onboarding process.
Even if you don’t think of yourself as a “credit provider”, you can still get pulled into credit reporting issues. For example:
- A trade business offering “pay in 30 days” accounts to consumers.
- A clinic or service provider offering payment plans.
- A subscription business that continues supply while payments are overdue.
- A property-related business checking a customer’s ability to pay before committing resources.
What If You Only Deal With Businesses (B2B)?
If your customers are companies, you may still do credit checks, but privacy law concerns generally intensify when you’re collecting information about an individual (for example, sole traders, guarantors, or directors named in a personal capacity).
Also, many small businesses in New Zealand blur the line: a “business customer” might actually be a sole trader using their personal details for an account. In that case, you’re dealing with personal information, and your obligations kick in.
What If You Don’t Use A Credit Agency, But You Still Assess Payment Risk?
You might not pull a formal credit report, but you may still collect information to assess risk (like employment details, bank statements, income information, identity documents, or payment history). That’s still personal information under the Privacy Act 2020, and it still needs careful handling.
Where that information is financial or could significantly affect someone’s access to goods/services, you should take transparency and security seriously.
What Laws Apply To Credit Reporting In New Zealand?
When you’re dealing with credit reporting, there are two main legal frameworks you should have on your radar.
1) Privacy Act 2020
The Privacy Act 2020 applies to almost every business in New Zealand that collects, holds, uses or discloses personal information.
Some key themes in the Privacy Act (in everyday language) include:
- only collect personal information if you genuinely need it;
- be clear and upfront about what you’re collecting and why;
- store personal information securely and restrict access;
- don’t use the information for unrelated purposes unless you have a lawful basis;
- give people rights to access and request correction of their information; and
- have good processes for responding to privacy incidents and complaints.
Credit-related information often falls into the category of higher-risk data. If you’re handling things like income, debts, repayment issues, identity documents, or default history, you’re likely dealing with sensitive personal information (or information that should be treated as sensitive), so your compliance and security settings need to be stronger.
2) Credit Reporting Privacy Code 2020
The Credit Reporting Privacy Code 2020 sits alongside the Privacy Act and sets specific rules for credit reporting information.
Not every business is automatically a “credit reporter” under the Code, but many businesses interact with credit reporters or participate in systems that rely on the Code.
Because the Code is technical and fact-specific, it’s worth getting legal advice on whether your exact model triggers particular obligations.
If you’re already using credit reporting agencies (or you’re about to), having a clear, accurate policy is one of the easiest ways to show you’re taking compliance seriously.
What Should A Credit Reporting Policy Include?
A good credit reporting policy is more than a box-ticking exercise. Done properly, it sets expectations with customers and acts as a “playbook” for your team, especially when payment issues or disputes come up.
While every business is different, most credit reporting policies should cover the following areas.
What Credit Information You Collect And Hold
Be clear about the categories of information you handle. Depending on your business, this could include:
- identity details (name, date of birth, contact details);
- account details and payment history;
- credit applications and eligibility assessments;
- default information (for example, overdue balances);
- verification documents (like proof of address); and
- credit reports you obtain from credit reporting agencies.
Why You Collect Credit Information
Spell out the purposes, such as:
- assessing whether to offer credit terms or a payment plan;
- managing your accounts and collections process;
- recovering outstanding debts;
- preventing fraud; and
- meeting legal and regulatory obligations.
This matters because privacy law is built around “purpose limitation” - if you collect information for one reason, you generally shouldn’t use it for an unrelated reason later.
Who You Disclose Credit Information To
This is one of the most important parts. If you share or disclose information to others, you should say so.
Common disclosure recipients include:
- credit reporting agencies (where relevant);
- debt collection providers;
- payment processing providers;
- IT/cloud storage providers; and
- professional advisers (for example, legal or accounting support) where necessary.
If your business model involves monetising customer information, be very careful. There’s a difference between using third-party service providers to operate your business and trading in personal information (which raises high compliance and reputational risks).
How People Can Access And Correct Their Credit Information
Individuals generally have the right to request access to their personal information and request corrections if it’s wrong.
Your policy should explain:
- how a person can make an access/correction request;
- how you verify identity before releasing information; and
- how long you typically take to respond.
If customers contact you asking to delete information, it’s important not to promise deletion automatically. In some situations it may be appropriate, but often you’ll need to keep records for legitimate business purposes (like account history, dispute handling, or legal compliance).
It’s also worth understanding concepts customers commonly raise, such as the “right to be forgotten”, and how that idea interacts with New Zealand privacy principles (which don’t always require deletion in the way people expect).
How You Keep Credit Information Secure
Credit information is valuable - and that makes it a target. Your policy should match your actual security practices, such as:
- access controls (who in your team can view credit info);
- secure storage and encryption (where appropriate);
- staff training on handling sensitive customer data;
- retention and disposal practices; and
- incident response procedures.
If something goes wrong (for example, unauthorised access, accidental disclosure, or ransomware), you’ll want a clear plan ready to go. Having a data breach response plan helps you move quickly and show you acted responsibly.
How Complaints Are Handled
Your policy should explain how someone can complain if they think you’ve mishandled their information.
This usually includes:
- your contact details for privacy/credit questions;
- what information you need from the complainant; and
- when you’ll respond.
You don’t need to write this like a government agency. Keep it simple, practical and human. The goal is to resolve issues early, before they escalate.
How Do I Put A Credit Reporting Policy In Place Without Overcomplicating It?
When you’re busy running a business, compliance can feel like just another thing on the to-do list. The good news is you can approach this in a straightforward way.
Step 1: Map Your Credit Process
Before you write anything, get clear on what actually happens in your business. Ask:
- Do we offer credit terms to individuals?
- Do we pull credit reports? If yes, from whom?
- Do we disclose defaults or payment issues?
- Who internally can see this information?
- Where is this information stored (CRM, accounting software, email inboxes)?
- Do any contractors handle it (bookkeepers, virtual assistants, debt collectors)?
This “map” helps you avoid a policy that looks good on paper but doesn’t reflect reality (which can create legal risk).
Step 2: Align Your Policy With Your Privacy Documents
Your credit reporting policy should match what you tell customers elsewhere - especially your website and onboarding documents.
For many businesses, a clear Privacy Collection Notice at the point of sign-up (or credit application) is just as important as a longer policy sitting on your website.
Step 3: Make Sure Your Contracts And Terms Back You Up
If you’re offering credit, your customer terms should be consistent with your credit reporting approach. For example, if your terms say you may take steps to recover unpaid amounts, your policy should explain how personal information may be used or disclosed in that process.
This is also where you’ll want to ensure your terms don’t create problems under consumer law. If you’re dealing with consumers, the Fair Trading Act 1986 and the Consumer Guarantees Act 1993 are still relevant to how you market, contract, and enforce payment expectations.
Step 4: Train Your Team (Even If It’s Just Two People)
A policy only works if people follow it.
Make sure anyone handling invoicing, customer onboarding, collections, or support understands:
- what they can and can’t say to customers about credit checks or default listing;
- how to verify identity before releasing account information; and
- how to escalate a privacy complaint or suspected breach.
If you have staff, remember: privacy doesn’t just cover customers. It also covers employee information, so it can be worth having an Employee Privacy Handbook so your internal practices stay consistent across the board.
Step 5: Get It Reviewed Before You Publish Or Implement It
Credit reporting and privacy compliance can be surprisingly technical, and the risk of getting it wrong isn’t just theoretical - it can lead to complaints, investigations, reputational damage, and costly disputes.
Templates usually don’t reflect how your business actually operates, and they can miss key legal points (or include promises you can’t comply with).
If you want a document that’s properly tailored, a Credit Reporting Policy prepared or reviewed by a lawyer is often the simplest “do it once, do it right” approach.
Key Takeaways
- A credit reporting policy explains how your business collects, uses, discloses and protects credit information, particularly where credit reporting agencies are involved.
- If you offer credit, payment plans, invoicing terms, or conduct credit checks for individuals (including sole traders or guarantors), a credit reporting policy is often necessary or strongly recommended.
- In New Zealand, the Privacy Act 2020 applies broadly to personal information handling, and the Credit Reporting Privacy Code 2020 can impose additional, specific requirements in credit reporting contexts.
- A strong policy should cover what credit information you collect, why you collect it, who you disclose it to, how people can access/correct it, how you keep it secure, and how complaints are handled.
- Credit reporting compliance isn’t just a document exercise - you should map your actual processes, align your customer-facing notices, and make sure your team follows the policy in practice.
- Because credit information is high-risk data, it’s worth having your policy reviewed so it reflects your real operations and doesn’t overpromise (or under-protect) your business.
If you’d like help putting the right credit reporting and privacy documents in place, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.