We will manage personal information, including credit information, in an open and transparent manner. In doing so, we ensure that individuals are notified at the time of collecting their personal information:
We have appointed a Privacy Compliance Officer, who will deal with any queries regarding access to or correction of personal information or any privacy related complaints. We ensure all our employees are trained at regular intervals to ensure they understand our obligations under the Privacy Act, including the Australian Privacy Principles.
Generally we are not able to deal with customers who do not wish to identify themselves. However, where possible and appropriate we will provide information of a general nature to unidentified individuals.
We collect personal information for the following purposes:
We may collect sensitive information from individuals if they apply for an insurance related product.
We only collect sensitive information directly from the individual and with the individual’s consent.
We may also collect sensitive information when it has been provided as part of a loan application. Any sensitive information that is collected in this way is only used for the purpose for which it is provided, and is collected with the individual’s consent.
Where possible, we collect personal information directly from the individual.
If we receive unsolicited personal information we will determine whether we could have collected that personal information by lawful and fair means, and whether it is related to one of the purposes of collecting personal information above. We will do this by looking at our relationship with the individual and whether the personal information relates to our relationship with them.
If we could not have collected the personal information by lawful and fair means, or the personal information does not relate to one of our purposes for collecting the personal information, we will destroy the personal information.
When we first collect personal information from an individual we will notify them that we have collected their personal information. We will require individuals to consent to our use and disclosure of their personal information.
This notification will provide the individual with information about:
We notify individuals at the time of collecting their personal information that their personal information will be used by us and any associated businesses for the purposes of direct marketing.
In all our direct marketing communications we will provide a prominent statement about how an individual can elect not to receive direct marketing. If the direct marketing communication is an email we will provide an ‘unsubscribe’ function within the email.
We will keep appropriate records to ensure those individuals that have made requests not to receive direct marketing communications do not receive them. We do not apply a fee to unsubscribe from direct marketing communications.
We do not sell personal information. We do not use sensitive information for the purposes of direct marketing.
If we purchase personal information for the purposes of direct marketing we will conduct appropriate due diligence to ensure appropriate consents from the individuals have been obtained.
We may disclose your information to organizations overseas who are contracted to us for the purposes of audits of loan files to ensure that legislative, regulatory and industry expectations have been met. . We may store your information in cloud or other types of networked or electronic storage.
We may use cloud storage and IT servers that may be located overseas to store the personal information we hold. As electronic or networked storage can be accessed from various countries via an internet connection, it’s not always practicable to know in which country your information may be held
We do not use government related identifiers to identify individuals.
We may receive tax file numbers in the course of assessing an application for credit; however, we do not use or disclose tax file numbers for any purpose.
We rely on individuals to help us to ensure that their personal information is accurate, up-to-date and complete.
If we become aware that personal information is inaccurate, out-of-date or incomplete, such as when mail is returned, we will update our systems accordingly.
We hold personal information on secure IT systems. All IT systems are appropriately updated with passwords, virus scanning software and firewalls when needed.
Any paper records are only accessible to employees and others as they are needed. Any paper records are held within an office that is locked and security protected at night.
We will usually destroy personal information that is held electronically and in paper form seven years after our relationship with the individual ends. We will do this by shredding paper copies and deleting electronic records containing personal information about the individual or permanently de-identifying the individuals within those records.
Individuals may request access to any personal information that we hold about them. We will not charge an individual for requesting access to their personal information.
We will verify the individual’s identity prior to disclosing any personal information.
When an individual requests access to their personal information we will conduct a search of our customer relationship database. This search will also indicate if there are any paper records that contain personal information.
We will not give access to the personal information that we hold about an individual where it is unreasonable or impracticable to provide access, or in circumstances where the request would likely:
When we receive a request for access we will usually respond to the individual with 7 days. Depending on the nature of the request we may be able to provide the personal information at the same time as when the request is made.
If the individual is requesting a large amount of personal information or the request cannot be dealt with immediately, then after we have investigated the request for access we will advise the individual what personal information we hold and provide details of that personal information.
We will comply with all reasonable requests by an individual to provide details of the personal information that we hold in the requested format.
If we do not provide access to the information we will provide written reasons setting out why we do not believe we need to provide access. We will also advise the individual they can access our Internal Dispute Resolution (IDR) and External Dispute Resolution (EDR) schemes if they are dissatisfied with a decision not to provide access to personal information.
If we hold personal information about an individual and we are reasonably satisfied that the information is inaccurate, out of date, incomplete, irrelevant or misleading, or we receive a request to correct the information, we will take reasonable steps to correct the information.
If we correct any personal information that we have previously disclosed, we will take reasonable steps to notify the entity to which we disclosed the information of the correction. We may not always make corrections to an individual’s personal information. When we do not make requested corrections, we will provide reasons for our refusal to make the correction and provide details of our IDR and EDR procedures.
If, after notifying the individual of our refusal to correct personal information, the individual requests us to issue a statement on the record that contains the personal information, we will take reasonable steps to do so.