- how and when we collect personal information and the kinds of personal information we collect;
- how we use and disclose personal information;
- how we keep personal information secure, accurate and up-to-date;
- how an individual can access and correct their personal information;
- how we respond in the instance of a data breach;
- how we will facilitate or resolve a privacy complaint; and
- the fact that your personal information may be disclosed overseas.
1 What is personal information?
1.1 The Privacy Act 1988 (Cth) defines “personal information” to mean any information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.
2 The kinds of personal information collected and held by us
2.1 We collect information from you that we reasonably need for our business functions and activities.
2.2 The types of personal information that we may collect and hold for our activities include, without limitation, an individual’s name, date of birth, contact details (physical or postal addresses, e-mail address, telephone and fax numbers), financial details, and account details.
3 How we collect and hold personal information
3.1 Collection Generally
3.2 Other Collection Types
(a) We may also collect personal information about you from other sources, such as competitions and also from third parties. Some examples of these alternative collection events are: (i) when we collect personal information about you from third parties; (ii) when we collect personal information about you from forms completed on third party websites and lead providers where that party has notified you or there is a reasonable expectation that collection of your personal information will be disclosed by that party to us or entities similar to us; or (iii) when we collect personal information about you from publicly available sources including but not limited to state and federal court registries; ASIC, ITSA and PPSR searches; Australia Post; telephone directories; and social media platforms (such as Facebook, Twitter, Google, Instagram etc).
3.3 Notification of Collection
(a) Generally speaking, we will not tell you when we collect personal information about you, especially: (i) where information is collected from any personal referee you have listed on any application form (including any employment application) with us; (ii) where information is collected from publicly available sources as specified in paragraph 3.2(a)(iii); or (iii) as otherwise required or authorised by law.
3.4 Unsolicited Personal Information
(a) In the event we collect personal information from you, or a third party, in circumstances where we have not requested or solicited that information (known as unsolicited information), and it is determined by us (in our absolute discretion) that the personal information is not required or it would be unlawful to retain such information, we will destroy the information or ensure that the information is de-identified. (b) In the event that the unsolicited personal information collected is in relation to potential future employment with us, such as your CV, resume or candidacy related information, and it is determined by us (in our absolute discretion) that we may consider you for potential future employment, we may keep the personal information on our human resource records.
3.5 How we hold your Personal Information
(a) Once we collect your personal information, we will hold it securely and store it either on infrastructure owned or controlled by us or with a third party service provider that we have taken reasonable steps to ensure complies with the Privacy Act 1988 (Cth). We provide some more general information on our security measures in Section 12.
3.6 Cookies and IP addresses
4.2 This Policy will also be made available to you upon your request.
5 Uses and Disclosures of Personal Information
5.1 Use and Disclosure Details
(a) We collect your information for the purposes that are made clear at the time at which the information is being collected. At or around the time we collect personal information from you, we will endeavour to provide you with a notice which details how we will use and disclose that specific information. (b) We will take reasonable steps to handle your personal information in accordance with the APP Guidelines, including protecting your personal information from misuse, interference and loss and from unauthorised access, modification or disclosure. (c) We may use or disclose your personal information: (i) for the purposes for which we collected it (and related purposes which would be reasonably expected by you); (ii) for other purposes to which you have consented; and (iii) as otherwise authorised or required by law. (d) We may collect and utilise data for the purposes of aggregated analysis and reporting and guarantee anonymity of the source data, provided any use complies with the Privacy Act 1988 (Cth).
5.2 Use and Disclosure Procedures
5.3 Communications Opt-out
6 Sensitive information
6.1 Sensitive Information Generally
(a) Sensitive information is a subset of personal information. It means information or opinion about an individual’s racial or ethnic origin, political opinions, membership of a political organisation, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record, health information about an individual, genetic information, biometric information that is to be used for the purpose of automated biometric verification or biometric identification or biometric templates.
6.2 Collection and use of Sensitive Information
(a) In general, we attempt to limit the collection of sensitive information we may collect from you, but depending on the uses you make of our products this may not always be possible and we may collect sensitive information from you in order to carry out the services provided to you. (b) The type of sensitive information we may collect about you is dependent on the services provided to you by us and will be limited to the purpose(s) for which it is collected. (c) We do not use sensitive information to send you Direct Marketing Communications (as set out in Section 7 below) without your express consent.
(a) We may collect other types of sensitive information where you have consented and agree to the collection of such information. Generally speaking, we will obtain this type of consent from you at (or around) the point in time in which we collect the information.
7 Direct Marketing
7.1 Express informed consent
(a) You give your express and informed consent to us using your personal information to provide you with information and to tell you about our products, services or events or any other direct marketing activity (including third party products, services, and events) which we consider may be of interest to you, whether by post, email, SMS, messaging applications and telephone (Direct Marketing Communications).
7.2 Inferred consent and reasonable expectations of direct marketing
(a) Without limitation to paragraph 7.1, if you have provided inferred or implied consent (e.g. not opting out where an opt-out opportunity has been provided to you) or if it is within your reasonable expectation that we send you Direct Marketing Communications given the transaction or communication you have had with us, then we may also use your personal information for the purpose of sending you Direct Marketing Communications which we consider may be of interest to you.
(a) If at any time you do not wish to receive any further Direct Marketing Communications from us or others under this Section 6, you may ask us not to send you any further information about products and services and not to disclose your information to other organisations for that purpose. You may do this at any time by using the “unsubscribe” facility included in the Direct Marketing Communication or by contacting us via the details set out in paragraph 15.2(a).
8 Google Analytics and Remarketing
8.1 Persistent cookies
(a) We use persistent cookies to enable basic web traffic analysis using Google Analytics which, for example, shows us which areas of our website are popular against those that are not visited often. This allows us to prioritise our enhancements to our website and increase the productivity of our website. We also use persistent cookies in relation to affiliate marketing with web based traffic through affiliate networks.
8.2 Google features
9 Opt-out via Google
10 Anonymity and pseudo-anonymity
10.1 To the extent practicable and reasonable, we will endeavour to provide you with the option of dealing with Us on an anonymous basis or through the use of a pseudonym. However, there may be circumstances in which it is no longer practicable for Us to correspond with you in this manner and your personal information may be required in order to provide you with our products and services or to resolve any issue you may have.
11 Cross Border Disclosure
11.1 Any personal information collected and held by Us may be disclosed to, and held at, a destination outside Australia, where we utilise third party service providers, including but not limited to Google Apps and Gmail, to assist Us with providing our goods and services to you. Personal information may also be processed by staff or by other third parties operating outside Australia who work for us or for one of our suppliers, agents, partners or related companies. Countries to which we may disclose your information include, but are not limited to, New Zealand.
11.2 As we use service providers and platforms which can be accessed from various countries via an Internet connection, it is not always practicable to know where your information may be held. If your information is stored in this way, disclosures may occur in countries other than those listed above.
11.3 In addition we may utilise overseas IT services (including software, platforms and infrastructure), such as data storage facilities or other IT infrastructure. In such cases, we may own or control such overseas infrastructure or we may have entered into contractual arrangements with third party service providers to assist Us with providing our products and services to you.
12 Provision of informed consent
12.2 If you do not agree to the disclosure of your personal information outside Australia by Us, you should (after being informed of the cross border disclosure) tell Us that you do not consent. To do this, either elect not to submit the personal information to Us after being reasonably informed in a collection notification or please contact us via the details set out in paragraph 15.2(a).
13 Data security and quality
13.1 Our Security Generally
(a) We have taken steps to help secure and protect your personal information from unauthorised access, use, disclosure, alteration, or destruction. You will appreciate, however, that we cannot guarantee the security of all transmissions or personal information, especially where human error or malicious activity by a third party is involved. (b) Notwithstanding the above, we will take reasonable steps to: (i) make sure that the personal information we collect, use or disclose is accurate, complete and up to date; (ii) protect your personal information from misuse, loss, unauthorised access, modification or disclosure both physically and through computer security methods; and (iii) destroy or permanently de-identify personal information if it is no longer needed for its purpose of collection.
(a) The accuracy of personal information depends largely on the information you provide to us, so we recommend that you: (i) let us know if there are any errors in your personal information; and (ii) keep us up-to-date with changes to your personal information (such as your name or address).
14 Access to and correction of your personal information
14.1 You are entitled to have access to any personal information relating to you which we hold, except in some exceptional circumstances provided by law (including the Privacy Act 1988 (Cth)). You are also entitled to edit and correct such information if the information is inaccurate, out of date, incomplete, irrelevant or misleading.
14.2 If you would like to access or correct any records of personal information we have about you, you are able to access and update that information (subject to the above) by contacting us via the details set out in paragraph 15.2(a).
15 Resolving Privacy Complaints
15.1 Complaints generally
(a) We have put in place an effective mechanism and procedure to resolve privacy complaints. We will ensure that all complaints are dealt with in a reasonably appropriate timeframe so that any decision (if any decision is required to be made) is made expeditiously and in a manner that does not compromise the integrity or quality of any such decision.
15.2 Contacting Us regarding complaints
(a) If you have any concerns or complaints about the manner in which we have collected, used or disclosed and stored your personal information, please contact us: Telephone: 02 4253 6666 Email: [email protected] Address: 180 Liverpool Rd Ashfield NSW 2131 Please mark your correspondence to the attention of the Privacy Officer.
15.3 Steps we take to resolve a complaint
(a) In order to resolve a complaint, we: (i) will liaise with you to identify and define the nature and cause of the complaint; (ii) may request that you provide the details of the complaint in writing; (iii) will keep you informed of the likely time within which we will respond to your complaint; and (iv) will inform you of the legislative basis (if any) of our decision in resolving such complaint.
15.4 Register of complaints
(a) We will keep a record of the complaint and any action taken in a Register of Complaints.
16 Notifying you of a Data breach
16.1 We are bound by the Notifiable Data Breaches Scheme under the Privacy Amendment (Notifiable Data Breaches) Act 2017 (“the NDB Scheme”).
16.2 Under the NDB Scheme, if your personal information being held by us was involved in an ‘eligible data breach’ you are entitled to be notified of this.
16.3 An ‘eligible data breach’ arises when the following three criteria are satisfied:
(a) There is: (i) unauthorised access to personal information; or (ii) unauthorised disclosure of personal information; or (iii) a loss of personal information, that an entity holds; (b) the data breach is likely to result in serious harm to one or more individuals; and (c) the entity has not been able to prevent the likely risk of serious harm with remedial action.
16.4 Pursuant to the NDB Scheme, we will, in the event of an ‘eligible data breach’ being identified:
(a) Contain a suspected or known breach, where possible, including taking immediate steps to limit any further access or distribution to the affected personal information, or the possible compromise of other information; (b) Assess whether the data breach is likely to result in serious harm to any of the individuals whose information was involved, and: (i) if we have reasonable grounds to believe this is the case, we will notify you; or (ii) if we only have grounds to suspect this is the case, we will conduct an assessment process wherein we will consider whether remedial action is possible. (c) Where possible, take steps to reduce any potential harm to you, including taking action to recover lost information before it is accessed or changing access controls on compromised customer accounts before unauthorised transactions can occur. (d) If remedial action is successful in making serious harm no longer likely, then we will not notify you. (e) If remedial action is not successful, we will prepare a Statement (“the Statement”) for the Office of the Australian Information Commissioner (“OAIC”) and notify the affected individuals including informing them of the contents of the Statement. (f) If it is not practical to notify all individuals or individuals at risk of serious harm, we will publish the Statement on our website and publicise it. (g) Review the incident and take action to prevent further breaches, including possibly reporting the incident to other relevant bodies and organisations.
17 Consent, Modifications and Updates
17.1 Interaction of this Policy with contracts
18 Credit Information
18.1 Credit information generally
(a) The Privacy Act 1988 (Cth) contains provisions regarding the use and disclosure of credit information, which applies in relation to the provision of both consumer credit and commercial credit. (b) Credit information is personal information that is related to credit that you have applied for or which has been provided to you such as your contact details, information about your credit accounts, and any default and payment information. (c) Credit eligibility information includes the credit information listed above, as well as: (i) information disclosed to us by a credit reporting body; and (ii) information that we derive about you from conducting our own analysis of information reported back to us by a credit reporting body. (d) Credit reporting information is information derived by a credit reporting body from your credit information, which may include an assessment of your credit worthiness and your eligibility for consumer credit.
18.2 Credit information
(a) As we provide terms of payment of accounts which are greater than 7 days, we are considered a credit provider under the Privacy Act 1988 (Cth) in relation to any credit we may provide you (in relation to the payment of your account with us).
18.3 Kinds of credit information Collected and method of Collection
(a) Specific kinds of credit information and credit eligibility information that we collect and hold may include: (i) your identification information, including your name, date of birth, drivers licence details, postal and residential addresses, telephone and facsimile numbers, and email addresses; (ii) information about your financial circumstances required to assess applications for credit, for example, your income, your expenses, your savings and assets and liabilities; (iii) information about credit you might have; (iv) specific financial information, including various account details and superannuation details; (v) details of enquiries made about you by other credit providers or insurers; (vi) opinions from other credit providers as to whether you have committed serious credit infringements; (vii) details about your credit worthiness, for example, other credit you might have or have applied for, information relating to court proceedings, and details from the National Personal Insolvency Index; and (viii) information about your repayment history, and whether you have had any overdue payments or defaults. (b) We collect credit information and credit eligibility information about you if you apply for credit or give a guarantee. We may collect credit information from you if you provide it to us in person, or if you complete a form or application which includes credit information. (c) In the course of operating our business, we may also collect credit information from third parties such as: (i) credit reporting bodies, for example, a credit report; (ii) other credit providers, for example, opinions about your credit worthiness; and (iii) public registers or other publicly available sources of information. (d) If you choose not to give us any credit information requested from you, we may not be able to approve your application for credit, or provide you with any goods or services you have asked us to supply.
18.4 Purposes for which we collect, hold, use and disclose credit information
(a) We will generally collect, hold, use and disclose credit information and credit eligibility information for the following purposes: (i) assessing an application for credit and determining your eligibility for credit; (ii) assessing whether to accept an individual as a guarantor; (iii) ongoing management of your Credit Account, including, where relevant, by providing you notice to avoid defaulting on your obligations; (iv) internal management purposes directly related to the provision or management of credit; (v) collecting payments that are overdue in relation to commercial credit; and (vi) investigating whether an individual has or has attempted to fraudulently evade obligations in relation to consumer credit. (b) By providing us with your credit information, or by requesting credit from us, you consent to us collecting, holding, using and disclosing your credit information and credit eligibility information for the above purposes. (c) We may also use or disclose credit information where we are authorised or required by law to do so.
18.5 Storage and Access
(a) We will store any credit information you provide us, or which we obtain about you, with any other personal information we may hold about you. (b) You may request to access or correct your credit information in accordance with the provisions of paragraph 14.2.
(a) Please see paragraph 15.2(a) if you wish to make a complaint in relation to our handling of your credit information.
18.7 Cross border disclosures of information
(a) It is unlikely that any credit information provided by you will be disclosed to non ‘Australian-linked’ entities (as defined by the Privacy Act). We will endeavour to ensure that no credit information is disclosed at any time to non ‘Australian-linked’ entities.