Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.
Open and transparent management of personal information.
We manage personal information, including credit information, in an open and transparent manner.
We have appointed a Privacy Compliance Officer, who will deal with any queries regarding access to or correction of personal information, including credit information, or any privacy-related complaints. We ensure all our employees are trained at regular intervals to ensure they understand our obligations under the Privacy Act, including the Australian Privacy Principles.
Anonymity and pseudonymity
Generally we are not able to deal with customers who do not wish to identify themselves. However, where possible and appropriate we will provide information of a general nature to unidentified individuals.
TYPES OF PERSONAL INFORMATION WE COLLECT
The types of personal information that we collect depends on our relationship with the individual. In respect of loan applicants, we generally collect personal information about individuals who are loan applicants at different stages and in different ways. In particular, during the application for a loan we usually collect personal information from the applicant’s broker or other representative. Later, during the credit approval process, we collect personal information from other lenders, credit providers and CRBs. After the loan has been approved, we may collect additional personal information directly from the loan applicant (who would then be our client).
In respect of applicants for novated leases, we generally collect personal information about individual applicants from the applicant, their employer and salary packaging companies. Later, during the credit approval process, we collect personal information from other lenders, credit providers and CRBs.
If we are not able to collect the information sought, we may be unable to process an application for a loan or a novated lease, or we may be limited in the other services or assistance we can offer to the applicant or client.
In some circumstances we are also required to collect information in accordance with laws that apply to our business:
- the National Consumer Credit Protection Act 2009 (Cth), which requires us to obtain information to assess applicants’ requirements, objectives and suitability relating to a loan;
- the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), which requires us to collect personal information about applicants when verifying their identities; and
- the Personal Property Securities Act 2009 (Cth), under which we may need to collect personal information about an individual to record a security interest on the Personal Property Securities Register.
Information from brokers and authorized representatives:
At the application stage, we obtain a broad range of personal information from the authorised representative or broker of loan applicants, which is necessary to enable us to consider each applicant’s eligibility for a loan and the administration of the loan. That personal information includes:
- name, address and contact details;
- previous addresses;
- date of birth;
- drivers licence number;
- name of an individual’s current employer and other employment (PAYG/Self-employed) information;
- profession, occupation or job title;
- marital status/family details and circumstances;
- bank details;
- property addresses and title searches;
- how the asset we are financing will be used.
Information from other lenders, credit providers and CRBs:
In the course of processing loan applications, we collect personal information from a range of other entities including other lenders, credit providers and CRBs. That personal information may include:
- credit liability information regarding existing finance;
- name of the credit provider
- the type of finance;
- how long the finance has been held;
- the terms and conditions of the finance;
- the maximum amount of finance available;
- repayment history information which is information about whether the applicant makes their repayments on time. This may include default information concerning a payment owed by the applicant as a borrower or as a guarantor in connection with credit that remains overdue for more than 60 days;
- information about the type and amount of finance that the applicant is applying for;
- default and payment information;
- information about the credit worthiness, credit standing, credit history or credit capacity of the applicant;
- a statement that an information request has been made about the applicant by a credit provider, mortgage insurer or trade insurer;
- personal insolvency information about the applicant. This may include information relating to whether the applicant is a bankrupt or subject to a debt agreement proposal or a debt agreement or a personal insolvency agreement executed by the applicant;
- new arrangement information about the applicant (for example, where a debt that the applicant owes has been varied because it was overdue);
- an opinion by a credit provider that the applicant has committed a serious credit infringement in relation to consumer credit provided by the credit provider to the applicant; and
- court proceedings information.
If we obtain credit-related information about an applicant from a CRB, we may derive information from it that has a bearing on the applicant’s credit-worthiness or could be used in establishing the applicant’s eligibility for credit. This may include information such as credit scores and assessments which we generate from the information that we receive.
Information directly from the applicant or client:
Once the applicant has settled their loan and become our client, we may also collect personal information in certain instances such as where the client is experiencing difficulties and seeking assistance in servicing the loan. We may also collect the personal information that clients provide to us directly through our websites or indirectly through use of our websites or online presence, or through our client representatives or client surveys. Depending on the circumstances, that personal information includes:
- bank detail amendments;
- updated financial details (income, expenses, liabilities and assets);
- health information;
- family disruption (separation, divorce, family violence or financial abuse by partner);
- information about the death of a relative; and
- criminal history.
At the application stage, we obtain a broad range of personal information about the applicant which is necessary to enable us to consider each applicant’s eligibility for a novated lease and the administration of the novated lease. We obtain all or almost all that personal information from the applicant’s employer and other parties such as salary packaging companies who are assisting the applicant to apply for a novate lease. The personal information that we obtain from third parties includes:
- name, address and contact details;
- drivers licence number;
- name of the applicant’s current employer and other employment;
- employment-related information such as your profession, occupation or job title, employer and payroll information;
- vehicle-related information such as your driving speeds, patterns and locations, fuel fills and purposes of travel; and
- criminal history.
Less commonly, we may obtain personal information from the applicant directly in the course of verifying, completing or updating the personal information obtained from the other sources.
HOW WE COLLECT PERSONAL INFORMATION
Generally, we collect personal information from:
- the broker or authorized representative of the applicant;
- other lenders, credit providers and CRBs;
- the Applicant, including via application forms and contacts by telephone, mail, email or our website;
- co-applicants of the applicant;
- in respect of novated leases, the applicant’s employer and other parties such as salary packaging companies who are assisting the applicant to apply for a novate lease;
- publicly available sources such as news articles, social media and public registers in order to verify personal information about applicants, including verifying qualifications and memberships of professions, trade associations industry bodies and other; and
- employers, accountants, landlords, guarantors, financial advisers or government authorities with whom the applicant has had dealings, and other persons or organisations authorised by the applicant.
We may log IP addresses (that is, the electronic addresses of computers connected to the internet) to analyse trends, administer the website, track users movements, and gather broad demographic information.
PURPOSES FOR CollectING, HOLDING, USING and disclosing personal information
We collect, hold, use and disclose personal information for the following purposes:
- arranging and assessing an application for credit;
- to assess an applicant’s creditworthiness in order to provide credit or to provide products and services to applicants on credit terms;
- understanding our applicant’s requirements;
- obtaining loan assessments and credit reports;
- checking that the information we collect and hold about loan applicants is accurate, complete and current;
- managing credit;
- assisting us to manage, train and develop our employees and representatives;
- managing complaints and disputes;
- providing individuals with the products or services they have requested;
- managing our relationship with individuals;
- protecting individuals and ourselves from error or fraud;
- complying with regulatory requirements;
- assisting clients to avoid defaulting on credit obligations;
- administering and managing credit arrangements and recording security interests on the Personal Property Securities Register;
- providing products and services to individuals and sending communications requested by an individual;
- answering enquiries and providing information or advice about existing and new products or services;
- providing clients with access to protected areas of our website;
- assessing the performance of our website and improving the operation of our website;
- conducting business processing functions including providing personal information to our related bodies corporate, contractors, service providers or other third parties;
- the administrative, marketing (including direct marketing), planning, product or service development, quality control and research purposes of us and our contractors and service providers;
- updating our records and keeping individuals’ contact details up to date;
- complying with any law, rule, regulation, lawful and binding determination, decision or direction of a regulator, or in co-operation with any governmental authority of any country.
We also collect, hold, use and disclose personal information to verify the identity of our applicants and the authenticity of their identification documents. The identification documents may include drivers licences, passports, or birth or marriage certificates. We may disclose personal information to organisations and government agencies providing verification services such as OCR Labs, the Department of Home Affairs and the state and territory registrars of births, deaths and marriages as well as corresponding agencies in New Zealand. The verification service may also involve the collection of a live photograph of an applicant (generally to be taken by the applicant with their mobile phone camera) and the applicant’s location. The verification service usually involves providing personal information to the organisation or agency and asking for a confirmation about whether the information provided by the applicant matches the relevant records. The verification service may involve the use of third party systems and services.
We collect, hold, use and disclose credit-related information for the following purposes for some of the same purposes as those above and, in addition:
- to enable us to develop, administer and manage our services and businesses;
- manage the products we provide, as well as clients’ accounts with us;
- to engage a CRB to conduct a credit and reference check;
- to assess and monitor individuals’ creditworthiness;
- for billing purposes and collection of debts;
- to provide information to CRBs as permitted by law;
- to advise credit providers of the status of clients’ agreements with us, in circumstances where clients are in default with credit providers;
- to enforce our rights when a client is in breach, including debt recovery and other enforcement.
DISCLOSURE OF PERSONAL INFORMATION
We may disclose an individual’s personal information to:
- brokers, authorised representatives, guarantors and co-applicants of applicants;
- our related bodies corporate, contractors or service providers for the purposes of operation of our website or our business, fulfilling requests by individuals, and to otherwise provide products and services to individuals including web hosting providers, IT systems administrators, mailing houses, couriers, payment processors, data entry service providers, electronic network administrators, debt collectors and professional advisors such as accountants, lawyers, business advisors and consultants;
- suppliers and other third parties with whom we have commercial relationships, for business, marketing, and related purposes;
- insurers and financiers of credit products or other products that we have supplied to you;
- financiers and rating agencies for the purpose of the funding, refinancing, sale or securitization associated due diligence and review of the products and related services provided to you;
- third parties including government agencies or toll road operators where required or allowed by law or court or tribunal order or in order to register or to protect our interests or to deal with infringements;
- data warehouses, strategic learning organisations, data partners and analytic services and consultants who assist us with our business;
- organisations that assist us with funding for loans;
- other third parties that provide services to us (or to individuals on our behalf). These may include debt collectors, credit management agencies and other third parties that process applications for credit made to us;
- organisations involved in valuing, registering a security property, or which otherwise have an interest in such property, purchasers of debt portfolios;
- organisations and government agencies as required or authorised by law;
- CBRs as described in more detail below;
- our related companies;
- other credit providers which provide, or are considering providing, credit to individuals; and
- any organisation for any authorised purpose with an individual’s express consent.
We may combine or share any information that we collect with information collected by any of our related bodies corporate.
Disclosing information to CRBs
Under the Privacy Act, credit providers can disclose certain information about an individual’s credit history to CRBs (credit reporting bodies). The CRB with which we generally exchange information is Equifax Pty Ltd (who can be contacted at telephone 13 8332, or at https://www.equifax.com.au/).
We exchange information with CRBs for the purposes of obtaining a credit report about individuals or to allow the CRB to maintain a credit information file about individuals. We participate in credit reporting so that we are able to obtain information to make better and more informed decisions about providing credit to parties. The Privacy Act restricts the purpose for which credit providers can access and use information that is held by CRBs.
We may disclose the following credit-related information about clients’ credit to CRBs:
- that we provide credit to a client;
- the type of credit hold by a client;
- the amount of credit provided to a client;
- the terms and conditions of a client’s credit; and
- when a client’s credit account is opened and closed.
We may also disclose how a client repays their credit. If a client fails to make repayments on their credit or a client defaults on their obligations or commits a serious credit infringement, we may report this information to a CRB. Equally, we will inform a CRB if a client makes repayments on time or if a client has corrected a default. The CRB may include the information in reports provided to credit providers to assist them to assess an individual’s credit worthiness.
rights under the Privacy Act in relation to credit-related information
Individuals are entitled to:
- opt out of direct marketing pre-screenings: CRBs often use credit information to assist credit providers to market their products and services. If an individual does not want the CRB to use their credit information in this manner, the Privacy Act gives the individual the right to request to be excluded from being contacted;
- request non-disclosure where they believe they have been, or are likely, a victim of fraud: if an individual believes that they are a victim of fraud, or are likely to be a victim of fraud, then they are entitled, under the Privacy Act, to request that the CRB not use or disclose any of the individual’s credit information;
- obtain the CRB's policy about the management of credit-related information by contacting the CRB; and
- access credit-related information that we hold about an individual, to request us to correct the information, and to make a complaint to us. Please see below for more details.
We notify individuals at the time of collecting their personal information that their personal information will be used by us and any companies within our group for the purposes of direct marketing. These direct marketing communications may be sent in various forms, including mail, SMS, fax and email. Applicants and clients consent to us sending them those direct marketing communications by any of those methods.
In all our direct marketing communications we will provide a prominent statement about how an individual can elect not to receive direct marketing. If the direct marketing communication is an email we will provide an ‘unsubscribe’ function within the email.
We will keep appropriate records to ensure those individuals that have made ‘opt-out’ requests not to receive direct marketing communications do not receive them. We do not apply a fee to unsubscribe from direct marketing communications.
We do not sell personal information.
Cross-border disclosure of personal information
Except in respect of the verification of identification documents issued by government agencies in New Zealand, we do not disclose personal information overseas.
Quality of personal information
We rely on individuals to help us to ensure that their personal information is accurate, up-to-date and complete.
If we become aware that personal information is inaccurate, out-of-date or incomplete, such as when mail is returned, we will update our systems accordingly.
Security of personal information
All personal information held by us is stored on secure servers in Australia. We use a variety of technical and organisational security techniques, including encryption and authentication, to help with the protection and maintain the availability, security and integrity of individuals’ personal information.
We are committed to protecting individuals’ information through the following measures:
- restricting access to personal information to only those who need to use it for the relevant purpose;
- transferring personal information only in encrypted form;
- preventing unauthorised access to IT systems by using firewalls;
- continuous monitoring of IT systems to detect and stop misuse of personal information;
- holding personal information and credit information on secure IT systems. All IT systems are appropriately updated with passwords, virus scanning software and firewalls when needed; and
- ensuring that any paper records are only accessible to employees and others as they are needed.
Any paper records are held within an office that is locked and security protected at night.
Access to personal and credit information
Individuals may request to access any personal or credit information that we hold about them. If an individual wishes to access the personal information we hold about them, they may contact us using the contact details provided below. Before we provide individuals with access to their personal information we may require some proof of identity. When contacting us to request access to or correction of any personal information we hold about an individual, we ask that they provide us with as much detail as they can about the information in question as this will help us to retrieve it.
We will not charge an individual for requesting access to their personal or credit information.
When an individual requests access to their personal or credit information we will conduct a search of our customer relationship database. This search will also indicate if there are any paper records that contain personal information.
We will not give access to the personal information that we hold about an individual where it is unreasonable or impracticable to provide access, or in other circumstances permitted by law such as where the request would be likely to have an unreasonable impact on the privacy of others.
When we receive a request for access we will respond to the individual acknowledging the request with 7 days.
After we have investigated the request for assess we will advise the individual what personal or credit information we hold and provide details of that personal information.
We will comply with all reasonable requests by an individual to provide details of the personal information or credit that we hold in the requested format within 30 days of receiving the request.
If we do not provide access to the information we will provide written reasons setting out why we do not believe we need to provide access. We will also advise the individual they can access our internal dispute resolution procedures and details of a recognised external dispute resolution scheme of which we are a member if they are dissatisfied with a decision not to provide access to personal information.
Correction of personal or credit information
Individuals have the right to request us to correct the personal information we hold about them. If we hold personal or credit information about an individual and we are reasonably satisfied (having regarding to the purpose of any personal information) that the information is inaccurate, out of date, incomplete, irrelevant or misleading, or we receive a request to correct the information, we will take reasonable steps to correct the information.
If we correct personal or credit information that we have previously disclosed, we will take reasonable steps to notify the entity to which we disclosed the information of the correction.
We may not always make amendments to an individual’s personal or credit information. When we do not make requested corrections, we will provide reasons for our refusal to make the correction and provide details of our internal dispute resolution procedures and details of a recognised external dispute resolution scheme of which we are a member.
If, after notifying the individual of our refusal to correct personal information, the individual requests us to issue a statement on the record that contains the personal information; we take reasonable steps to do so. We are not required to issue a statement next to any credit information we may hold about the individual.
If an individual believes that their privacy has been breached or that we have not complied with any of our obligations relating to their credit-related information, please contact our Privacy Officer using the contact information below and provide details of the incident so that we can investigate it.
We request that complaints about breaches of privacy be made in writing, so we can be sure about the details of the complaint. Our Privacy Officer deals with privacy complaints and any complaints should be directed to our Privacy Officer using the contact details below. We will attempt to confirm as appropriate and necessary with the individual their understanding of the conduct relevant to the complaint and what they expect as an outcome. We will inform them whether we will conduct an investigation, the name, title, and contact details of the investigating officer and the estimated completion date for the investigation process.
After we have completed our enquiries, we will contact the individual, usually in writing, to advise the outcome and invite a response to our conclusions about the complaint. If we receive a response from the individual, we will assess it and advise if we have changed our view. If the complaint remains unresolved, the individual may refer the matter to the Office of the Australian Information Commissioner (the ‘OAIC’).
The contact details for the OAIC are:
The Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
Phone: 1300 363 992
The Privacy Officer
Metro Finance Pty Limited
35 Clarence Street,
Sydney NSW 2000
Alternatively, individuals can email us at firstname.lastname@example.org or call us on 1300 362 627.