From this month, credit reporting agencies will be responsible for ensuring that anyone receiving de-identified credit reporting information handles the information appropriately.Changes to the Privacy Act taking effect on March 12 include a ban on credit reporting agencies using or disclosing de-identified credit reporting information, except where the information is to be used to conduct research in relation to credit.The Office of the Australian Information Commissioner has the power to make rules covering such disclosure. The rules may cover the type of information that can be disclosed, what type of research complies and how the research is to be conducted.The OAIC has issued a draft rule and a consultation paper on the changes.There are two types of credit reporting information: information that is disclosed by the credit provider; and information the credit reporting agency gathers itself. The OAIC said it would limit the type of information that could be disclosed for research purposes.In the consultation paper it proposes that, to comply, the purpose of the research must be one of the following: conducting statistical modelling and data analytics relating to credit; the assessment of current credit services and the development of new credit services; and developing methodologies to combat fraud, money laundering and other unlawful activity involving credit.When de-identifying credit reporting information, a credit reporting agency must assess the risk of "re-identification" and use that risk assessment to determine an appropriate de-identification technique.Before disclosing information, the credit reporting agency must ensure that the recipient would not attempt to re-identify the information and would not disclose the information to any other entity.The OAIC has called for comment by March 21.