We are bound by the Australian Privacy Principles under the Privacy Act 1988 (Cth) (Privacy Act). We are also bound by Division 3 of Part IIIA of the Privacy Act, which regulates the handling of credit information, credit eligibility information and related information by credit providers.
1. Key types of information
"Personal information" means information or an opinion about an individual who is identified, or who can reasonably be identified, from the information. Although we try to make sure that all information we hold is accurate, "personal information" also includes any inaccurate information about the individual.
"Credit eligibility information" means information that has been obtained from a credit reporting body, or that has been derived from that information, that is about an individual's credit worthiness.
"Credit information" means personal information that includes the following:
- information about an individual, such as their name and address, that we may use to identify that individual;
- information about an individual's current or terminated consumer credit accounts and, from 12 March 2014, an individual's repayment history;
- the type and amount of credit applied for in any previous consumer or commercial credit applications to any credit provider, where that credit provider has requested information;
- information about an individual from a credit reporting body;
- information about consumer credit payments overdue for at least 60 days and for which collection action has started;
- advice that payments that were previously notified to a credit reporting body as overdue are no longer overdue;
- information about new credit arrangements an individual may have made with a credit provider, in relation to consumer credit currently or previously held, to deal with any defaults or serious credit infringements by that individual;
- information about court judgments which relate to credit that an individual has obtained or applied for;
- information about an individual on the National Personal Insolvency Index;
- publicly available information about an individual's credit worthiness; and
- an opinion of a credit provider that an individual has committed a serious credit infringement of credit provided by that credit provider.
"Credit-related information" means credit information, credit eligibility information and related information.
We will only collect personal information (including credit information) directly from you, unless you have provided your consent. This information will generally come from what you provide in your application for one of our products or services, and from supporting documentation.
We only ask for personal information relevant to our business relationship with you. When you first apply to become a customer, or apply for one of our products or services, we may request:
- identifying information such as your name, address, date of birth and contact details;
- your tax file number;
- for credit products, information about your financial position such as your income, expenses, assets and liabilities, employment details, and any (other) credit arrangements; and
- your reasons for applying for a product or service.
We may also need to collect personal information (including credit-related information) about you from third parties. For example, when assessing an application for credit from you, we may collect personal information from your employer, other credit providers and third party service providers including credit reporting bodies. Credit reporting bodies collect credit information about individuals which they provide as credit reports to credit providers and others in the credit industry to assist them in managing credit risk, collecting debts and other activities. You can ask a credit reporting body, through contact details on their website, not to use or disclose your personal information if you believe on reasonable grounds that you have been or are likely to be a victim of fraud, including identity fraud.
We may use your personal information (including credit-related information) for the purpose of providing products and services to you and managing our business. This may vary depending on which products and services you have applied for and which member of the Group you are dealing with. This may include:
- assessing and processing your application for our products and services;
- executing your instructions;
- ongoing servicing of our relationship with you;
- charging and billing;
- uses required or authorised by law;
- protecting you and us from error or fraud;
- research and development;
- collecting overdue payments due under our credit products;
- managing our rights and obligations regarding external payment systems; or
- direct marketing.
We do not use or disclose your personal information (including credit-related information) for a purpose other than:
- a purpose you would reasonably expect;
- a purpose required or permitted by law; or
- a purpose otherwise disclosed to you to which you have consented.
We may disclose your personal information (including credit-related information) to other organisations that provide services that assist us in supplying or administering the products and services we offer.
Organisations to which we will usually disclose your personal information include:
- our related companies;
- external organisations that are our assignees, agents or contractors;
- external service providers to us, such as:
  - those we use to verify your identity;
  - administration service platforms;
  - fund managers;
  - payment systems operators;
  - our computer bureau (Data Action Pty Ltd);
  - printing and mailing houses;
  - fraud prevention service providers; and
  - research consultants;
- our professional advisers, such as accountants, lawyers and auditors;
- your representative, for example, lawyer, conveyancer, mortgage broker, financial adviser, accountant, stockbroker or attorney, as authorised by you.
Organisations to which we may disclose your personal information include:
- insurers and re-insurers, where insurance is provided in connection with our services to you;
- superannuation funds, where superannuation services are provided to you;
- loyalty and affinity program partners;
- those involved in a transfer of all or part of our assets or business;
- other financial institutions, for example, when you apply for a loan from another credit provider and you agree to us providing information;
- credit reporting bodies, including disclosing that you are in default under a credit agreement or commit a serious credit infringement, if that is the case;
- lenders' mortgage insurers, where relevant to credit we have provided;
- debt collecting agencies, if you have not repaid a loan as required;
- state or territory authorities, or PEXA (the national electronic property exchange), that give assistance to facilitate the provision of home loans to individuals;
- certain entities that have bought or otherwise obtained an interest in your credit product, or that are considering doing so, and their professional advisers;
- if required or authorised by law, government and regulatory authorities (eg the Australian Taxation Office, the Courts under subpoena, our auditors, and regulators such as APRA, ASIC and AUSTRAC); or
- other organisations for which you have provided your consent.
We may also disclose your information:
- if in the public interest to do so (eg if a crime, fraud, or misdeed is committed or is suspected, disclosure to a law enforcement body may be justified); or
- if in our interest to do so (eg disclosure to a Court in the event of legal action to which we are a party).
However, we will never sell any of your personal information to any other organisation.
We will take reasonable steps to ensure that these organisations are bound by sufficient confidentiality and privacy obligations with respect to the protection of your personal information.
4.1 Disclosure outside of Australia
From time to time we may use service providers or other third parties which operate or hold data outside of Australia. This may result in your personal information being stored overseas. These parties are selected specifically to assist in enabling us to provide products or services to you, in particular information technology solutions. At present our arrangements include providers based in the United States of America and the Netherlands[1]. Where this occurs we ensure that appropriate data handling and security arrangements are in place to protect your data.
5. Sensitive information
Where it is necessary to do so, we may collect personal information about you that is sensitive. Sensitive information includes information about an individual's health, and membership of a professional or trade association.
Unless we are required or permitted by law to collect that information, we will obtain your consent.
6. Refusal of credit applications
We may refuse an application for consumer credit made by you individually or with other applicants. Our refusal may be based on credit eligibility information obtained from a credit reporting body about you, another applicant or another person proposed as guarantor. In that case, we will give you written notice that the application has been refused on the basis of that information. We will tell you the name and contact details of the relevant credit reporting body and other relevant information.
We take all reasonable steps to ensure that your personal information (including credit-related information), collected through our website or otherwise and subsequently held by us, is protected from:
- misuse, interference and loss; and
- unauthorised access, disclosure or modification.
We ask you to keep your passwords and personal identification numbers safe, in accordance with our suggestions.
When we no longer require your personal information (including when we are no longer required by law to keep records relating to you), we take reasonable steps to ensure that it is destroyed or de-identified.
When you browse our website or mobile app services you will do so anonymously. Personal information, such as your name, address, telephone number or email address, is not collected. We use ‘cookies’ to collect information about how our website is used. ‘Cookies’ give users a unique, random ID by storing small text files onto a user’s computer with their web browser. They enable a website to track a user’s activities.
You may change the settings on your browser to reject cookies. However, doing so might prevent you from accessing the secured pages of our website and those of other websites.
8.2 Information Collected
Our website and mobile app offer a number of interactive facilities including tools such as calculators, as well as online surveys, communication and application forms.
If you visit an unsecure area of the website (ie an area where you are not required to log on) to read, browse or download information, our system will record the date and time of your visit to our site, the pages viewed and any information downloaded. However, our systems will not record any personally identifiable information.
If you use any of the tools such as our calculators, we generally do not capture any personally identifiable information that you may enter when using these tools. However, we may aggregate this information to provide us with insights into how to provide better services to you.
Instances where we will retain your personal details:
- When a tool or application allows you to suspend or save your progress and retrieve the details at a later time, such as our Car Loan, Personal Loan and Home Loan applications. In this case the information is stored on our systems so that you may resume your application, or your application may be retrieved by us.
- When you use our live chat service on our website or mobile app, we will store the email address and phone number (if you have provided it) for a period of time to allow us to contact you outside of the live chat environment if you require us to do so.
- If you decide to complete an online application form or online survey, the information that you enter into the online form or survey will be collected by us once you submit your online application or survey to allow us to contact you about your application.
When we receive emails, we will retain the content of the email and our response to you.
Your email address will only be used or disclosed for the purpose for which it was provided. It will not be added to any mailing lists or used for any other purpose without your consent.
Email itself is an unsecure medium. Therefore, when emailing us, you should be aware that, when transmitted, the data may be visible while in transit. When advising us of personal information, secure options should be used such as our Secure Inbox within our Internet Banking service.
8.4 Mobile App
8.4.1 Our security practices
We are committed to providing safe mobile banking services. All use of our mobile banking application and transactions through the mobile app are encrypted. Encryption protects any personal information you send to us through our mobile banking service. Only authorised Beyond Bank Australia employees or agents can gain access to this information.
Banking transaction and balance alerts can be established via our mobile banking app. These alerts can only be established by you and the secure detail of the alert can only be viewed when you are logged into mobile banking. Your mobile device will, however, receive push notifications from our systems through its operating system’s notification facility indicating to you that an alert has been produced and is ready to be viewed through mobile banking. These push notifications will not present personal information.
8.4.3 Location based services
We use your current location to determine the closest bank branch, ATM, access point or other services that we consider may be of benefit to you, when you allow us to do so via a setting on your mobile device. This information is only used while determining the standard bank services closest to you and we do not store this information.
8.5 Website Security
We use information security standards applicable to banking to establish secure connections with you and to limit access to databases containing personal information to authorised personnel only. When we capture your personal information it is passed through our secure server using SSL and/or TLS encryption technology to ensure it is protected when transmitted over the internet. However, we cannot guarantee that any information transmitted via the internet by us, or you, is entirely secure.
8.6 Links on our website
Where you access a third party website from our website, cookie information about your preferences or other information you have provided about yourself may be shared between us and the third party. You cannot be identified from the information that is shared. However, if you can be identified from this information, we will seek your consent before sharing such information.
8.7 Advertising and Tracking
We use an advertising company to deliver our online advertising where banner advertisements are placed on third party websites.
When you view our advertisements on a third party website, the advertising company uses 'cookies' to collect information such as:
- The server your computer is logged on to;
- Your browser type;
- Your device type;
- The date and time of your visit; and
- The performance of their marketing efforts.
When you click on one of our advertisements that appears on another website, the advertising company will collect information on how you utilise our website (eg which pages of our website you view) and whether you complete an online application. In addition, we also use other service providers, known as tracking companies, to collect information on how you use our website.
The advertising company and tracking companies use the information they collect to perform statistical analyses of aggregate user behaviour, but those analyses are not based on personal information. We use those analyses to measure advertising effectiveness and relative consumer interest in the various areas of our website. As a general rule, no personal information is collected by the companies in this process. If, however, any information is automatically collected, these companies are required under their arrangements with us to maintain the privacy and confidentiality of that personal information.
We may disclose the information collected by a company, in an aggregate form only, to third parties including advertisers or potential advertisers.
We utilise third party software to create heat maps of our website pages. Heat maps are aggregations of data regarding which parts of our website people view and what links they click on. This information can be used to optimise the information we provide via our website and how we link pages, with the aim of creating a better experience for visitors. The software does not collect personal information about you but does create a cookie that allows the software to detect whether you are a first time or return visitor.
8.8 More Than Money Website
We will respond to your request for access within a reasonable time. If we refuse to give you access to any of your personal information, we will provide you with reasons for the refusal and the relevant provisions of the Privacy Act that we rely on to refuse access. You can contact our Privacy Officer if you would like to challenge our decision to refuse access.
We may recover the reasonable costs that we incur for responding to your request for access to your personal information.
We may use your personal information, including your contact details, to provide you with information about products and services, including those of third parties, and competitions or promotions which we consider may be of interest to you.
We may also provide your details to third party organisations with which we have arrangements for marketing products and services to our customers.
11.1 Opting Out
You may opt out at any time if you no longer wish to receive marketing information or do not wish to receive marketing information through a particular channel, such as email. In order to do so, simply contact us and let us know that you no longer want us to send you marketing materials or disclose your information to other organisations for marketing purposes. You can also 'unsubscribe' from our email marketing messages, which always include an unsubscribe option.
To help us reach the right people with direct marketing for our credit products or services, we may ask a credit reporting body to "pre-screen" a list of potential recipients of our direct marketing against our eligibility criteria to remove recipients who do not meet those criteria. The credit reporting body cannot use information about your existing loans or repayment history in carrying out its pre-screening and it must destroy its pre-screening assessment once it has given us, or a contractor acting on our behalf, the list of eligible recipients. If you do not want your credit information used for pre-screening by a credit reporting body that holds credit information about you, you can opt-out by informing that credit reporting body. The credit reporting body we use is Equifax, whose contact details are available on their website (www.equifax.com.au).
13. Questions and complaints
Once a complaint has been lodged, the Privacy Officer will respond to you as soon as possible. We will aim to deal with your complaint at the source of your complaint.
If you are still not satisfied, you can contact external bodies that deal with privacy complaints. These are the Financial Ombudsman Scheme which is our external dispute resolution scheme, the Federal Privacy Commissioner or, in the case of insurance-related privacy complaints, the Australian Prudential Regulation Authority. Any of these bodies may forward your complaint to another external dispute resolution body if it considers the complaint would be better handled by that other body.
- Financial Ombudsman Service
  Post: GPO Box 3, Melbourne VIC 3001
  Telephone: 1800 367 287
  Website: www.fos.org.au
- Federal Privacy Commissioner
  Post: GPO Box 5218 Sydney NSW 2001
  Telephone: 1300 363 992
  Website: www.oaic.gov.au
- Australian Prudential Regulation Authority
  Post: GPO Box 9836, Sydney NSW 2001
  Telephone: 1300 55 88 49
  Website: www.apra.gov.au
14. Privacy Officer
Our Privacy Officer's contact details are:
Beyond Bank Australia
GPO Box 1430 Adelaide SA 5001
In the first instance, all privacy queries or complaints are handled by our Member Advocate Officer:
Beyond Bank Australia
GPO Box 1430 Adelaide SA 5001
Telephone: 13 25 85
15. Provision of Information to Third Party Organisations
From time to time the Group may be required to provide details of the personal information of its customers or staff to a third party under an alliance, or contractual or other arrangement. Whenever personal information is being provided by the Group to a third party, it is imperative that this information is handled in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
Staff must ensure that any arrangement with a third party which requires the provision of customer or staff personal information contains a suitable privacy clause. The clause must specify that the third party must comply with the Privacy Act 1988 (Cth) and Australian Privacy Principles when dealing with any personal information provided by the Group. In instances where a third party is not bound by the Privacy Act 1988 (Cth) and Australian Privacy Principles, the clause must specify that the third party must comply with the Privacy Act 1988 (Cth) and Australian Privacy Principles as though they were bound by them.
Note that the wording of any arrangement and the clauses contained therein must receive legal signoff by the Group’s General Legal Counsel.
Upon the expiration or cancellation of any alliance or contractual or other arrangement with a third party, written confirmation must be sought to confirm that any personal information provided by the Group has been returned, destroyed or permanently de-identified. This is required to ensure compliance with APP11.2 as the personal information is no longer required by the third party.
16. Unsolicited Personal Information
Where personal information is received but was not requested in relation to any application or process in providing products and services to a customer, under APP4 an assessment must be undertaken to determine whether, if the information had been requested, it could have been lawfully collected.
If the personal information could not have been collected then, as soon as practicable but only if it is lawful and reasonable to do so, the information must be destroyed or de-identified.
17. Cross Border Disclosure
Where customers’ personal information is to be disclosed to a third party via an alliance or contract, the Group must determine whether that information will be disclosed to overseas recipients. If the recipient is overseas then reasonable steps must be taken to ensure that the overseas recipient does not breach the Australian Privacy Principles.
Note that the wording of any arrangement and the clauses contained therein must receive legal signoff by the Group’s General Legal Counsel to ensure compliance with APP8.
18. Access to and Correction of Personal Information
Where personal information held about a customer is believed to be inaccurate, out-of-date, incomplete, irrelevant or misleading, or the individual requests the entity to correct the information, processes must be in place to take reasonable steps to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up-to-date, complete, relevant and not misleading.
The Group must ensure that processes are in place to respond to requests by individuals for access or correction of their personal information within 30 days, in accordance with APP 12 & 13. This includes processes to notify the customer why any request has been refused and the appropriate process to follow for complaints.
19. Reporting Breaches
All staff are required to report any breaches, or likely breaches of the Privacy Act 1988 (Cth) or the Australian Privacy Principles to the Governance Risk and Compliance Department. The full details of a breach must be reported using either the complaints register within CRM or the Incident Reporting system on the Risk and Compliance intranet site.
If the breach is the result of a compromise of data[2], immediate action should be taken to mitigate, assess and report the breach to the appropriate people. The process undertaken will follow the guidelines contained in the Office of the Australian Information Commissioner’s Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth).
[1] Disclosure in this country is limited to disputed transactions and chargebacks relating to eftpos.
[2] Data breach is defined as electronically-stored personal information that has been lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference.