Effective Date: 1 June 2017
This Policy applies to Associated Foreign Exchange Australia Pty Ltd (ACN 119 392 586) (referred to as ‘AFEX’, ‘we’, ‘our’, ‘us’) and extends to and covers all of its operations and functions. The word ‘individual’ refers to all persons whose personal information we collect, use or disclose.
This Policy outlines AFEX’s obligations to manage and protect personal information. AFEX is bound by the Australian Privacy Principles ('APPs'), the Credit Reporting Privacy Code (‘the Code’) and the Privacy Act 1988 (Cth) ('Privacy Act'). This Policy also outlines AFEX’s practices, procedures and systems that ensure compliance with the Privacy Act, APPs and the Code, including procedures in relation to the following:
- use and disclosure of personal information (Section 9)
- use and disclosure of credit information (Section 10)
- sending information overseas (Section 11)
- management of personal information (Section 12)
- direct marketing (Section 13)
- correction of personal information (Section 14)
- access to personal information (Section 15)
- complaints handling (Section 19)
In this Policy ‘anti-money laundering legislation’ means Anti-Money Laundering and Counter Terrorism Financing Act 2006 (Cth) and any regulations, rules or other instruments made under that Act, as amended from time to time.
‘Credit information’ includes information that we have obtained from Third Parties, including individuals, other credit providers and credit reporting bodies (‘CRBs’).
‘On-Line System’ means any electronic system or interface provided by AFEX to its clients for the purpose of place trading orders and payment management.
‘Personal information’ means information or an opinion about an identified individual, or an individual who is reasonably identifiable.
‘Sensitive information’ is a subset of personal information that includes information relating to a person's racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, sexual preferences, criminal record, and health information.
‘Third Parties’ means clients, suppliers, sub-contractors, agents or people having a commercial relationship with AFEX.
- WHAT KINDS OF PERSONAL INFORMATION DO WE COLLECT AND HOLD?
We may collect and hold the following kinds of personal information about individuals:
- phone numbers
- email addresses
- bank account details
- identification information including drivers’ licence, Medicare and passport details
- shareholdings and company officeholder roles
- criminal history
- the types of payments and services generally used by the individual
- credit information, which may include:
- credit liability information, such as the name of the entity that provided the individual with credit, the date of the credit was provided and the maximum amount of credit made available;
- information about the individual’s repayment history, such as whether the individual was late in making a monthly repayment and when repayments were due;
- the type and amount of credit sought in an application;
- whether the individual is 60 days or more overdue in making a repayment of $150 or more;
- whether the individual has repaid overdue payments;
- information about new credit arrangements the individual has entered into as a result of defaulting in repayments;
- information about court judgements against the individual in relation to credit that has been provided to the individual;
- publicly available information that relates to the individual’s credit worthiness;
- information recorded in the National Personal Insolvency Index about the individual;
- our opinion as to whether the individual has committed a serious credit infringement in relation to credit provided by us;
- any other personal information that may impact our assessment of the individual’s credit worthiness
- any other information that is relevant to the services that we provide
- HOW WE COLLECT PERSONAL INFORMATION
We generally collect personal information directly from the individual. For example, your personal information will be collected when you open an account with us, visit our website, or send us correspondence.
AFEX will not collect sensitive information unless the individual has consented or an exemption under the APPs applies. These exceptions include if the collection is required or authorised by law or necessary to take appropriate action in relation to suspected unlawful activity or serious misconduct.
If the personal information we request is not provided, we may not be able to process an individual’s application for an account, or provide individuals with the benefit of our services, or meet an individual’s needs appropriately.
- HOW WE MANAGE YOUR PERSONAL INFORMATION
We manage personal information using customer relationship management software. The data from this software program is stored securely in our own internal company servers in a client database. For more information about how we safeguard your personal information see section 12 below.
If we hold personal information about an individual, and AFEX no longer needs the information, we will take reasonable steps to destroy or de-identify the personal information. We will only keep your personal information for as long as we need your information for the purposes listed in sections 7 and 10 below, unless we are required by an Australian law or a court/tribunal order to retain the information.
AFEX does not give individuals the option of dealing with AFEX anonymously, or under a pseudonym, because to do so would breach AFEX’s obligations under the anti-money laundering legislation.
- UNSOLICITED PERSONAL INFORMATION
We may receive personal information about individuals we have not requested. If we receive unsolicited personal information, we will decide whether the information is reasonably necessary for our activities and could have been collected under the APPs. If we would not have been able to collect the information, we will destroy or de-identify the information.
- ABOUT WHOM DO WE COLLECT PERSONAL INFORMATION?
We may collect and hold personal information about the following individuals:
- current and potential clients;
- service providers or suppliers;
- prospective employees, employees and contractors; and
- other Third Parties with whom we come into contact.
- WHY DOES AFEX COLLECT AND HOLD PERSONAL INFORMATION?
AFEX collects and holds personal information for the following purposes:
- to assist in providing services to our clients, including international payment and foreign exchange services;
- to arrange direct debit services for our clients;
- to assess applications by individuals to open accounts;
- to comply with AFEX’s obligations under anti-money laundering legislation;
- to consider an individual’s request for a product or service;
- to assess any applications by an individual for credit;
- managing credit provided to a client, or collecting payments that are overdue;
- to provide clients with information about a product or service;
- to protect our business and other clients from fraudulent or unlawful activity;
- to conduct our business and perform other management and administration tasks;
- to consider any concerns or complaints clients may have;
- manage any legal actions involving AFEX;
- to comply with relevant laws, regulations and other legal obligations; and
- to help us improve the products and services offered to clients, and to enhance our overall business.
- HOW MIGHT WE USE AND DISCLOSE PERSONAL INFORMATION?
We ‘use’ personal information when we handle and manage that information within AFEX. We ‘disclose’ personal information when we release that information from our effective control.
AFEX may use and disclose personal information (excluding credit information) for the primary purposes for which it is collected, for reasonably expected secondary purposes which are related to the primary purpose, and in other circumstances authorised by the Privacy Act or otherwise by law. For information on how we might use and disclose credit information, see section 10 below.
Sensitive information will be used and disclosed only for the purpose for which it was provided or a directly related secondary purpose (unless the individual provides consent to use or disclose the information for another purpose), or where certain other limited circumstances apply (e.g. where required by law).
We will only use government identifiers (e.g. passport and drivers licence details) if is reasonably necessary for us to identify the individual for the purposes of providing our services, or engaging in any of our other functions or activities. We will generally only use identifiers to comply with our legal obligations under anti-money laundering legislation to identify our clients.
We use and disclose personal information, excluding credit information, for the purposes outlined in section 7 above.
- TO WHOM MIGHT WE DISCLOSE PERSONAL INFORMATION?
We may disclose personal information (excluding credit information) to:
- a related entity of AFEX;
- an agent, contractor or service provider we engage to carry out our functions and activities, such as our lawyers, accountants, debt collectors or other advisors;
- organisations involved in a transfer or sale of all or part of our assets or business;
- organisations involved in managing our payments, payment merchants and other financial institutions such as banks;
- regulatory bodies, government agencies, law enforcement bodies and courts; and
- anyone to whom we are required by law to disclose it; and
- anyone else to whom the individual authorises us to disclose it.
We also collect personal information from these organisations and individuals, and deal with that information in accordance with this Policy.
We engage other people to perform services for us, which may involve that person handling personal information we hold. In these situations, we prohibit that person from using personal information about the individual except for the specific purpose for which we supply it. We prohibit that person from using your information for the purposes of direct marketing their products or services.
- HOW MIGHT WE USE AND DISCLOSE CREDIT INFORMATION?
In relation to credit information held by us, we will only use your credit information for the following purposes:
- assessing an application by your for credit;
- collecting payments that are overdue in relation to credit provided by us to you; and
- internal management purposes that are directly related to the provision or management of credit to you.
We will only disclose your credit information for one of the purposes listed above, and if the recipient is one of the following:
- a related body corporate;
- a person who will be processing your application for credit;
- a person who manages credit provided by us for use in managing that credit;
- another credit provider if we believe you have committed a serious credit infringement, or you have consented to the disclosure;
- to a person considering whether to offer property as security and you have expressly consented to the disclosure;
- a debt collector (only if disclosure is for the primary purpose of collecting an overdue debt); or
- a CRB.
- SENDING INFORMATION OVERSEAS
We may disclose your personal information, excluding credit information, to financial institutions located overseas for the purposes of providing our services to you, including executing international payments, derivatives and foreign exchange contracts. We will not disclose information relating to your eligibility for credit to these financial institutions. We will only provide the personal information reasonably necessary to complete the transaction. The financial institutions may be located in any of the following countries:
Belgium, Canada, Denmark, Fiji, France, French Polynesia, Germany, Hong Kong, Indonesia, Ireland, Israel, Italy, Japan, Germany, Malta, Mexico, Netherlands, New Zealand, Norway, Singapore, South Africa, Spain, Sweden, Switzerland, Thailand, United Kingdom, United States of America.
We may disclose your personal information, including credit information, to a related body corporate of AFEX in any of these countries. The information will generally only be provided to a related body corporate of AFEX for the purposes of detecting and avoiding fraudulent activity. We will not disclose credit information to a related body corporate unless we have taken reasonable steps to ensure the recipient does not breach the Privacy Act, the APPs or the Code.
We will not disclose personal information to an overseas recipient unless:
- we have taken reasonable steps to ensure the recipient does not breach the Privacy Act, the APPs and the Code;
- the recipient is subject to a law, or binding scheme, that has the effect of protecting the information in a way that is substantially similar to the way the APPs protect the information; or
- we have obtained your informed consent to disclose the information prior to any disclosure.
- MANAGEMENT AND SECURITY OF PERSONAL INFORMATION
The APPs require us to take all reasonable steps to protect the security of personal information, including credit information. AFEX personnel are required to respect the confidentiality of personal information and the privacy of individuals.
AFEX takes reasonable steps to protect personal information held from misuse and loss and from unauthorised access, modification or disclosure, for example by use of physical security and restricted access to electronic records. All personal information contained in hard copy documents held by AFEX is stored in locked cabinets. Physical access to the hard copy documents is restricted through measures such as security clearances and limiting access to a ‘need-to-know’ basis.
All personal information stored on AFEX’s computer system is backed up regularly and back-up copies are held in a secure location. All data is stored securely in our own internal company servers. In relation to our client database and On-Line System, we apply the following guidelines:
- data ownership is clearly defined within AFEX, that is, each person who has access to personal information has the required level of access;
- the length and content of passwords are governed by our IT policy, and automatically enforced through our IT systems to ensure that they are of an appropriate length, and not likely to be easily guessed;
- we utilise procedures which change an employee’s access capabilities when he or she is assigned to a new position;
- employees have restricted access to sections of the system which include the marketing database and personnel files;
- the system automatically logs all unauthorised access attempts. AFEX will review these logs when necessary;
- the system automatically limits the amount of personal information appearing on any one screen;
- unauthorised employees are barred from updating and editing personal information;
- certain fields are masked to bar unauthorised employees;
- all personal computers which contain personal information are secured, physically and electronically;
- data sent from our clients to our IT network is encrypted. In addition, data sent by AFEX personnel who are logged in remotely to the network is also encrypted. Data travelling only within the AFEX IT network is done via private (i.e. non-public) communication lines, and is therefore not encrypted;
- print reporting of data containing personal information is limited;
- AFEX’s IT policy mandates destruction of personal information when it is no longer required, and provides procedures and controls for the disposal of confidential output and when confidential data is disseminated to authorised individuals; and
- all personal information contained on magnetic disks is overwritten when the information is no longer required. Hard drives containing personal information that is no longer required to be kept are removed from computers that are no longer in use and are physically destroyed.
- DIRECT MARKETING
AFEX does not use or disclose personal information we collect from individuals for the purpose of direct marketing unless:
- the personal information does not include sensitive information or credit information; and
- the individual would reasonably expect us to use or disclose the information for the purpose of direct marketing; and
- we provide a simple way of opting out of direct marketing; and
- the individual has not requested to opt out of receiving direct marketing from us.
If the individual would not reasonably expect AFEX to use or disclose their personal information for the purpose of direct marketing, AFEX may still use or disclose the information (unless it is sensitive information or credit information) for the purpose of direct marketing if:
- either the individual has consented to the use or disclosure of the information for direct marketing or it is impracticable to obtain that consent; and
- AFEX provides a simple way of opting out of direct marketing; and
- in each direct marketing communication, AFEX includes a prominent statement that the individual may make a request to opt out of direct marketing or otherwise draws the individual's attention to the fact that he or she may make such a request; and
- the individual has not already requested to opt-out of direct marketing from AFEX.
We do not disclose personal information we collect to Third Parties for the purpose of allowing them to direct market their products and services.
We do not use or disclose sensitive information or credit information for direct marketing purposes. AFEX notes that you have the right to request to opt out of direct marketing and we must give effect to the request within a reasonable period of time.
- HOW DO WE KEEP PERSONAL INFORMATION ACCURATE AND UP-TO-DATE?
AFEX takes reasonable steps to ensure that the personal information, including credit information, it collects, uses and discloses is relevant, accurate, complete and up-to-date. We ensure that personal information is collected and recorded in a consistent format, and new information is promptly added to our client database.
We may also remind you from time to time to update your personal information, or contact you to verify your personal information.
We encourage individuals to contact us in order to update any personal information we hold about them. If we correct information that has previously been disclosed to another entity, we will notify the other entity within a reasonable period of the correction. Where we are satisfied information is inaccurate, we will take reasonable steps to correct the information within 30 days, unless you agree otherwise. We do not charge individuals for correcting the information.
- ACCESS TO YOUR PERSONAL INFORMATION
Subject to the exceptions set out in the Privacy Act, individuals may gain access to the personal information, including credit information, which AFEX holds about them by contacting the AFEX Privacy Officer. We will provide access within 30 days of your request. If we refuse to provide the information, we will provide reasons for the refusal and inform the individual of any exceptions relied upon under the Privacy Act.
An individual’s request for access to his or her personal information will be dealt with by allowing the individual to look at his or her personal information at the offices of AFEX. We will require identity verification and specification of what information is required. An administrative fee for reasonable search and photocopying costs may be charged for providing access. We will advise the likely cost in advance whenever practicable.
- UPDATES TO THIS POLICY
This Policy will be reviewed from time to time to take account of new laws and technology, changes to our operations and practices and the changing business environment.
- PRIVACY TRAINING
- NON-COMPLIANCE AND DISCIPLINARY ACTIONS
- COMPLAINTS HANDLING
AFEX has an effective complaints handling process in place to manage privacy-related complaints. Complaints will generally be handled according to AFEX’s Complaints Policy, which you can obtain free of charge by contacting us and requesting a copy.
All complaints will initially be handled and investigated internally. We will investigate your complaint promptly. We will try to resolve your complaint quickly and fairly.
You can make a complaint to AFEX about the treatment or handling of your personal information, including credit information, by lodging a complaint with the Privacy Officer.
If you are unsatisfied with our response to your complaint, you can contact the Financial Ombudsman Service for an independent review. You can make a complaint by visiting the Financial Ombudsman Service website at www.fos.org.au.
- CONTRACTUAL ARRANGEMENTS WITH THIRD PARTIES
Third Parties will be required to implement policies in relation to the management of an individual’s personal information in accordance with the Privacy Act. These policies include:
- regulating the collection, use and disclosure of personal and sensitive information;
- de-identifying the personal and sensitive information wherever possible;
- ensuring that the personal and sensitive information is kept securely, protected from loss or misuse, with access to it only by authorised employees or agents of the Third Parties; and
- ensuring that the personal and sensitive information is only disclosed to organisations which are approved by AFEX.
- PRIVACY AUDITS
AFEX will conduct periodic privacy audits in order to ensure that it is continuing to comply with its obligations under the Privacy Act, the Code and the APPs.
By telephoning: 02 9268 7600
By emailing: firstname.lastname@example.org
By writing to: Compliance Department
Associated Foreign Exchange Australia Pty Ltd
Level 38, 2 Park Street
Sydney NSW 2000
- WHAT IF I AM NOT SATISFIED WITH THE RESPONSE?
If you are not satisfied with the result of your complaint to AFEX you can also refer your complaint to the Australian Information Commissioner.
You can contact the Office of the Australian Information Commissioner in the following ways:
By visiting: www.oaic.gov.au
By telephoning: 1300 363 992
By emailing: email@example.com
By writing to: Office of the Australian Information Commissioner
GPO Box 5218, Sydney NSW 1042