(1) If a credit reporting body holds credit reporting information, the body must take such steps as are reasonable in the circumstances to protect the information:
(a) from misuse, interference and loss; and
(b) from unauthorised access, modification or disclosure.
(2) Without limiting subsection (1), a credit reporting body must:
(a) enter into agreements with credit providers that require the providers to protect credit reporting information that is disclosed to them under this Division:
(i) from misuse, interference and loss; and
(ii) from unauthorised access, modification or disclosure; and
(b) ensure that regular audits are conducted by an independent person to determine whether those agreements are being complied with; and
(c) identify and deal with suspected breaches of those agreements.