Respecting your Privacy and the Australian Privacy Principles effective 1 July 2020
Who are we?
‘We’, ‘us’ and ‘our’ refer to Finstro Holdings Pty Limited ACN 605 121 364, any wholly-owned subsidiaries of Finstro Holdings Pty Ltd and any related businesses (collectively, “Finstro”).
Our commitment to protect your privacy
The privacy of your personal information is important to us at Finstro. We are committed to respecting your right to privacy and to protecting your personal information.
We recognise that any personal information we collect about you will only be used for the purposes we have collected it for or as allowed under the law. It is important to us that you are confident that any personal information we hold about you will be treated in a way which ensures protection of your personal information.
We are bound by the Australian Privacy Principles (APPs), the Privacy Act 1988, Privacy (Credit Reporting) Code 2014 and any other applicable laws and codes with respect to credit reporting and collection, storage, use and disclosure of personal and financial information.
Personal information we collect and hold
“Personal Information” is information which may be used to identify an individual, including name, age, date of birth, gender, occupation, contact details (e.g. address, phone number, email address), residency status, country of birth, nationality, tax residency, tax file number, information contained in identity documents (e.g. passport number, driver licence number), financial information, information about your use of our products and services, credit related information or other information Finstro considers necessary.
Credit-related information means:
- Credit information, which is information which includes your identity; the type, terms and maximum amount of credit provided to you, including when that credit was provided and when it was repaid; repayment history information, default information (including overdue payments); payment information; Commercial and Consumer credit information from a Credit Reporting Body; Customer Identification by a Credit Reporting Body; financial information; new arrangement information; details of any serious credit infringements; court proceedings information; personal insolvency information and publicly available information; and
- Credit eligibility information, which is credit reporting information supplied to us by a credit reporting body, and any information that we derive from it.
We use your credit-related information to assess your eligibility to be provided with finance. Usually, credit-related information is exchanged between credit and finance providers and credit reporting bodies.
If you are applying for finance or provide a guarantee we may also collect the ages and number of your dependants and cohabitants, the length of time you have resided at your current address, your employment details and proof of earnings and expenses.
When you use our website or mobile applications we may collect information about your location or activity including IP address, telephone number and whether you have accessed third party sites, the date and time of visits, the pages that are viewed, information about the device used and other user location information.
By law, we are required to collect and store this information in accordance with prudent risk management, banking and anti-money laundering and counter terrorism financing legislation.
Why we collect your personal information
We collect personal information for the purposes of assessing your application for finance and managing that finance, establishing your identity, identifying and investigating any fraud or other illegal activities (or any suspected fraud or other illegal activities), contacting you, managing our risk and to comply with our legal obligations. We may also collect your personal information for the purposes of direct marketing and managing our relationship with you. Improvements in technology also enable organisations like ours to collect and use information to get a more integrated view of our customers. From time to time we may offer you other products and services.
Collecting your personal information
We will, if it is reasonable or practicable to do so, collect your personal information directly from you. This may happen when you fill out a product or service application or an administrative form (e.g. a change of address form), or when you give us personal information over the telephone, or through a Finstro organisation’s website.
In certain cases, we may collect your personal information from third parties. For example, we may need to collect personal information from a credit reporting body, your representative (such as a legal adviser), your financial adviser, any publicly available sources of information, or from any of the other organisations identified below under “Using and Disclosing Your Personal Information”. The personal information is securely stored by a third party storage provider.
We will not ask you to supply personal information publicly over Facebook, Twitter, or any other social media platform that we use.
Using and Disclosing your Personal Information
In line with modern business practices common to many financial institutions, and pursuant to your specific needs (such as, for example, where you have a financial adviser) we may disclose your personal information to the organisations described below. Where your personal information is disclosed to another person or organisation, we will take reasonable steps to satisfy ourselves that:
(a) the person or organisation has a commitment to protecting your personal information at least equal to our commitment, or
(b) you have consented to us making the disclosure.
The relevant organisations are those:
- involved in providing, managing or administering your product or service such as third party suppliers, other Finstro organisations, loyalty and reward program partners, printers, posting services, call centres, and our franchisees
- Finstro organisations and related businesses that wish to inform you of their products or services that might better serve your financial, business and lifestyle needs, or to notify you of promotions or other opportunities in which you may be interested, except where you tell us not to
- who are your licensees, brokers and their service providers
- involved in maintaining, reviewing and developing our business systems, procedures and infrastructure including testing or upgrading our computer systems
- where you have provided us consent
- involved in a corporate re-organisation
- involved in a transfer of all or part of the assets or business of a Finstro organisation
- involved in the payments system including financial institutions, merchants and payment organisations (for example to process a claim for mistaken payment)
- organisations that provide products or services used or marketed by us
- involved in product planning and development of our products, services and business generally
- which are your representatives including your legal advisers, finance brokers, mortgage brokers, guardians, persons holding power of attorney and accountants
- as required or authorised by law, such as under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), or where you have given your consent.
In addition, for Finstro organisations offering:
- Finance products or services – other organisations to which personal information is usually disclosed are card producers, card schemes, credit and fraud reporting agencies (including organisations that assist with fraud investigations and organisations established to identify, investigate and/or prevent any fraud, suspected fraud, crime, suspected crime, or misconduct of a serious nature), debt collection agencies, your guarantors, other borrowers, organisations involved in valuing, surveying, or registering a security property or which otherwise have an interest in such property, purchasers of debt portfolios, claims-related providers, underwriters and re-insurers.
- Trustee or custodial services – other organisations to which personal information is usually disclosed are superannuation and managed funds organisations, their advisers and other organisations involved in our normal business practices.
- Other organisations to which personal information is usually disclosed are fraud detection agencies and other organisations involved in our normal business practices.
Your personal information may also be disclosed to other organisations involved in our normal business practices (such as securitisation) and used in connection with such purposes as outlined above.
We exchange credit-related information for the purposes of assessing your application for finance and managing that finance. If you propose to be a guarantor, one of our checks may involve obtaining a report from a credit report body about you.
This credit-related information may be held by us in electronic form on our secure servers and may also be held in paper form. We may use cloud storage to store the credit-related information we hold about you. The cloud storage and the IT servers may be located outside Australia.
When we obtain credit eligibility information from a credit-reporting body about you, we may also seek publicly available information and information about any serious credit infringement that you may have committed.
The law requires us to advise you of ‘notifiable matters’ in relation to how we may use your credit-related information. You may request to have these notifiable matters (and this policy) provided to you in an alternative form.
We exchange your credit-related information with credit reporting bodies. We use the credit-related information that we exchange with the credit reporting body to confirm your identity, assess your creditworthiness, assess your application for finance or your capacity to be a guarantor and manage your finance.
The information we can exchange includes your identification details, what type of loans you have, how much you have borrowed, whether or not you have met your loan payment obligations and if you have committed a serious credit infringement (such as fraud).
If you fail to meet your credit obligations or commit a serious credit infringement, Finstro may undertake the following:
- Disclose repayment history information to a Credit Reporting Body.
- Issue prescribed notices under Credit Reporting Privacy Code advising payments which have become overdue more than 60 days.
- Issue prescribed notices under Credit Reporting Privacy Code advising a Credit Reporting Body that a payment default has occurred with Finstro.
- Engage Collections Agencies and/or Legal Counsel to collect payments which have become
- Request a Credit Reporting Body not to disclose information about you if you believe you are a victim of fraud.
You have the right to request access to the credit-related information that we hold about you and make a request for us to correct that credit-related information if needed. Please see the heading ‘Access and correction to your personal and credit-related information’, below.
Sometimes your credit information will be used by credit reporting bodies for the purposes of ‘pre-screening’ credit offers on the request of other credit providers. You can contact the credit reporting body at any time to request that your credit information is not used in this way.
You may contact the credit reporting body to advise them that you believe that you may have been a victim of fraud. For a period of 21 days after the credit reporting body receives your notification the credit reporting body must not use or disclose that credit information. You can contact any of the following credit reporting bodies for more information:
Marketing our products and services
We may use or disclose your personal information to let you know about, and develop, products and services from across Finstro or any company with whom we are associated that may better serve your financial, business and lifestyle needs, or to notify you of promotions or other opportunities that may be of interest to you. For example, we may do this after an initial marketing contact.
You can contact us at any time if you no longer wish us to do so (see Contacting Us below). If direct marketing is by email you may also use the unsubscribe function. We will not charge you for giving effect to your request and will take all reasonable steps to meet your request at the earliest possible opportunity.
Keeping your personal information accurate and up to date
We aim to make sure that the personal information we collect, use or disclose is accurate, complete and up-to-date and take reasonable steps to make sure this is the case. In this way we can ensure that we provide you with a better service.
If you believe your personal information is not accurate, not complete or not up to date, please contact us (see Contacting Us below). We will generally rely on you to ensure the information we hold about you is accurate or complete.
Access and correction to your personal and credit information
We will provide you with access to the personal and credit-related information we hold about you. You may request access to any of the personal information we hold about you at any time. We may charge a fee for our costs of retrieving and supplying the information to you.
Depending on the type of request that you make we may respond to your request immediately, otherwise we usually respond to you within seven days of receiving your request. We may need to contact other entities to properly investigate your request.
There may be situations where we are not required to provide you with access to your personal or credit-related information.
Factors affecting a right to access include:
- access would pose a serious threat to the life or health of any individual
- access would have an unreasonable impact on the privacy of others
- a frivolous or vexatious request
- the information relates to a commercially sensitive decision-making process
- access would be unlawful
- access would prejudice enforcement activities relating to criminal activities and other breaches of law, public revenue, a security function or negotiations with you
- legal dispute resolution proceedings
- denying access is required or authorised by or under law
An explanation will be provided to you if we deny you access to the personal or credit-related information we hold about you.
If any of the personal or credit-related information we hold about you is incorrect, inaccurate or out of date you may request that we correct the information by contacting us by one of the methods referred to in the Contacting Us section of this document.
If appropriate we will correct the personal information at the time of the request, otherwise, we will provide an initial response to you within seven days of receiving your request. Where reasonable, and after our investigation, we will provide you with details about whether we have corrected the personal or credit-related information within 30 days.
We may need to consult with other finance providers or credit reporting bodies or entities as part of our investigation.
If we refuse to correct personal or credit-related information we will provide you with our reasons for not correcting the information.
Business without identifying you
In most circumstances it will be necessary for us to identify you in order to successfully do business with you, however, where it is lawful and practicable to do so, we will offer you the opportunity of doing business with us without providing us with personal information, for example, if you make general inquiries about interest rates or current promotional offers.
Protecting your personal information
Records of your personal information are kept in several forms including both paper and electronic form. The security of your personal information is important to us and we take all reasonable precautions to protect it from unauthorised access, modification or disclosure and from loss or misuse. These precautions include:
- confidentiality requirements for our employees
- document storage security policies
- security measures for systems access
- providing a discreet environment for confidential discussions
- only allowing access to personal information where the individual seeking access has satisfied our identification requirements
- access control for our buildings
- the security measures described below under Our Websites.
If Finstro receives any personal information which we did not solicit, Finstro will determine whether or not we could have collected the information if we had reasonably solicited it. If not, we will take reasonable steps to destroy this information.
Mandatory data breach reporting
Finstro is required to comply with the Notifiable Data Breach (NDB) scheme from 22 February 2018.
Our data breach response plan provides the ability to respond quickly to any such breaches and includes:
(a) the steps and actions staff should take in the event of a breach or suspected breach;
(b) reporting lines if staff suspect a data breach;
(c) the recording of data breaches;
(d) means for identifying and addressing anything that contributed to the breach; and
(e) systems for a post-breach review and assessment of the entity’s response to the data breach.
A data breach occurs when personal information is lost or subjected to unauthorised access, modification, use or disclosure or other misuse.
What is an eligible data breach?
An eligible data breach warranting notification will arise when:
(a) there has been unauthorised access to or unauthorised disclosure of personal information; and
(b) access or disclosure would likely result in serious harm to affected individuals.
An eligible data breach can occur irrespective of the number of individuals that are likely to be at a risk of serious harm.
A determination of whether a data breach has or may cause serious harm will be dependent on the following factors:
(a) the sensitivity of the personal information which has been exposed due to the data breach;
(b) whether the information is protected by security measures and the likelihood that any such security measures could be overcome;
(c) who has or may have obtained or could obtain the information; and
(d) the nature of the harm, for example, whether any affected individuals will suffer financial or
Assessing a suspected data breach
If we suspect that an eligible data breach has occurred, we will take the following steps.
(a) Where possible contain the breach and take remedial action.
(b) Conduct a reasonable and expeditious assessment of the breach to determine whether notification is required. We will take all reasonable steps to complete our assessment within 30 calendar days after the day we first became aware of the suspected data breach.
(c) Where serious harm cannot be mitigated through remedial action, we will notify individuals at risk of serious harm and provide a statement to the OAIC as soon as practicable, but not later than 30 calendar days from becoming aware of the breach.
If it is not practicable to notify individuals at risk of serious harm, we will publish a copy of the statement prepared for the OAIC on our website, and take reasonable steps to bring its content to the attention of individuals at risk of serious harm.
The Data Breach plan is regularly reviewed and tested by the Compliance Officer.
If you are dissatisfied with how we have dealt with your personal information, or you have a complaint about our compliance with the Privacy Act and the Credit Reporting Code, you may contact our complaints officer.
On receipt of a complaint by a company, business or individual, it must relate to an act or practice of Finstro and we must:
- within 7 days after the complaint is made, acknowledge receipt of the complaint
- investigate the matter via Finstro’s Disputes & Complaints Resolution Policy, decide and advise the company, business or individual within 30 days
- set out the decision and indicate that, if you are dissatisfied with Finstro’s response, you can refer the complaint to the Office of Australian Information Commissioner at www.oaic.gov.au
Your privacy on the Internet
We take care to ensure that the personal information you give us on our websites and mobile applications is protected, with electronic security systems in place, including the use of firewalls and data encryption. Depending on the Finstro organisation with which you deal, user identifiers, passwords or other access codes may also be used to control access to your personal information. Please refer to the website and mobile applications of those Finstro organisations with which you transact electronically for more information on our website-specific privacy and security procedures.
Links to Other Sites
You may be able to access external websites by clicking on links we have provided. Those other websites are not subject to our privacy standards, policies and procedures. You will need to contact or review those websites directly to ascertain their privacy standards, policies and procedures.
Using Government Identifiers
Although in certain circumstances we are required to collect government identifiers such as your Medicare number or drivers licence details, we do not use or disclose this information other than when required or authorised by law, or unless you have voluntarily consented to disclose this information to any third party.
Your sensitive information
Without your consent, we will not collect information about you that reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs or affiliations, membership of a professional or trade association, membership of a trade union, details of health, disability, sexual orientation, or criminal record.
This is subject to some exceptions including when:
- the collection is required by law
- Finstro has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to Finstro’s functions or activities has been, is being, or may be engaged in
- the information is necessary for the establishment, exercise or defence of a legal claim.
Un-submitted on-line applications
If you start but do not submit an on-line application, Finstro may contact you using any of the contact details you supply, to offer help completing it. If you do not submit the on-line application, the information in it will be kept by Finstro for a period of time before being destroyed.
At Finstro we care about your privacy and your trust is important to us.
Should you have any queries or concerns about your privacy, please provide full details of the nature of your concerns by contacting the Finstro Privacy Officer, care of any of the following details:
Phone: 1800 693 467
Fax: +61 2 8458 0704
Post: Privacy Officer, PO Box H173, Australia Square Sydney 1215