Your Privacy and our Credit Reporting Policy
RESPECTING YOUR PRIVACY
Who we are
We are Medfin Australia Pty Ltd ABN 89 070 811 148 ACL 391697 (Medfin), a subsidiary of National Australia Bank Ltd ABN 12 004 044 937 (NAB) which together with Medfin and all of its other subsidiaries is referred to in this policy as the NAB Group.
You can contact us by:
What personal information do we collect and hold?
The types of information that we collect and hold about you could include:
- identification information such as your name, postal or email address, telephone numbers, and date of birth;
- other contact details such as social media handles;
- financial details such as your tax file number;
- health and biometric information (e.g. fingerprints, voice patterns) where permitted;
- your location or activity including IP address and whether you’ve accessed third party sites;
- credit information such as details relating to credit history, credit capacity, and eligibility for credit (‘credit worthiness’) – see our Credit Reporting Policy; and
- other information we think is necessary.
Over the course of our relationship with you, we may collect and hold additional personal information about you, including transactional information, account or policy information, complaint or enquiries about your product or service.
If you have general enquiry type questions, you can choose to do this anonymously or use a pseudonym. We might not always be able to interact with you this way however as we are often governed by strict regulations that require us to know who we’re dealing with.
What sensitive information do we collect?
Sometimes we need to collect sensitive information^about you. This could include information about your health or reasons relating to hardship. Unless required by law, we will only collect sensitive information with your consent.
When the law authorises or requires us to collect information
We may collect information about you because we are required or authorised by law to collect it. There are laws that affect financial institutions, including company and tax law, which require us to collect personal information. For example, we require personal information to verify your identity under Commonwealth Anti-Money Laundering law.
What do we collect via your online activity?
If you start but don’t submit an online form we can contact you using any of the contact details you’ve supplied or other contact details we have for you to offer help (unless the use is anonymous).
We also know that some customers like to engage with us through social media channels. We may collect information about you when you interact with us through these channels. For all confidential matters, please interact with us via private messaging or secure channels.
How do we collect your personal information?
How we collect and hold your information
There are many ways we seek information from you. We might collect your information when you fill out a form with us, when you’ve given us a call, used our websites. In addition, when you use our website or mobile applications we may collect information about your IP address, location or activity. We also find using electronic means, such as email or SMS, a convenient way to communicate with you and to verify your details, including doing e-verification of identity (e-Know Your Customer). However we’ll never ask you for your security details in this way – if you are ever unsure, just contact us. We will try to collect personal information directly from you unless it’s unreasonable or impracticable. For this reason, it’s important that you keep your contact details up-to-date.
For more about how we collect and hold credit information, see our Credit Reporting Policy.
How we collect your information from other sources
Sometimes we collect information about you from other sources. We may collect information about you that is publicly available (for example from public registers or social media) or made available by third parties. For instance, we do this where:
- we distribute or arrange products on behalf of others, including our business partners;
- we can’t get hold of you and need to update your contact details;
- we need information from third parties about an application you make through us;
- we need information for fraud prevention purposes;
- we are checking the security you are offering;
- we can learn insight about your financial needs, such as through property information;
- we have consented to third parties sharing it with us, such as organisations we have loyalty programs with or we sponsor;
- at your request, we exchange information with your legal or financial advisers or other representatives.
We may use or disclose information about you in order to combine the information that we hold with information collected from or held by external sources. We do this in order to enable the development of customer insights about you so that we can serve you better. This includes being able to better understand your preferences and interests, personalise your experience, enhance the products and services you receive, and to tell you about products and services that may be of interest to you.
Where those insights are provided to others, such insights are based on aggregated information and do not contain any information that identifies you. We may also use service providers to undertake the process of creating these consumer insights.
What if you don’t want to provide us with your personal information?
If you don’t provide your personal information to us, we may not be able to:
- provide you with the product or service you want;
- manage or administer your product or service;
- personalise your experience with us;
- verify your identity or protect against fraud; or
- let you know about other products or services that might better meet your financial, e-commerce and lifestyle needs.
What do we do when we get information we didn’t ask for?
Where we receive unsolicited information, we will check whether that information is reasonably necessary for our functions or activities. If it is, we’ll handle this information the same way we do with other information we seek from you. If not, we’ll ensure we do the right thing and destroy or de-identify it.
When will we notify you that we have received your information?
When we receive personal information from you, we’ll take reasonable steps to notify you how and why we collected your information, who we may disclose it to and outline how you can access it, seek correction of it or make a complaint.
Where we collect your personal information from third parties we will take reasonable steps to notify you of the circumstances of that collection. We recommend our customers regularly review our website to review updates to this policy and our Privacy Notification (www.medfin.com.au/privacy-notification).
How do we take care of your personal information?
We store information in different ways, including in paper and electronic form. The security of your personal information is important to us and we take reasonable steps to protect it from misuse, interference and loss, and from unauthorised access, modification or disclosure.
Some of the ways we do this are:
- confidentiality requirements and privacy training of our employees;
- document storage security policies;
- security measures to control access to our systems and premises;
- only giving access to personal information to a person who is verified to be able to receive that information;
- ensuring third parties meet our privacy obligations; and
- electronic security systems, such as firewalls and data encryption on our websites.
We can store personal information physically or electronically with third party data storage providers. Where we do this, we use contractual arrangements to ensure those providers take appropriate measures to protect that information and restrict the uses to which they can put that information.
What happens when we no longer need your information?
We’ll only keep your information for as long as we require it for our purposes. We’re also required to keep some of your information for certain periods of time under law, such as the Corporations Act, the Anti-Money Laundering & Counter-Terrorism Financing Act, and the Financial Transaction Reports Act, for example. When we no longer require your information, we’ll ensure that your information is destroyed or de-identified.
How we use your personal information
What are the main reasons we collect, hold and use your information?
Because we offer a range of services and products, collecting your personal information allows us to provide you with the products and services you’ve asked for.
This means we can use your information to:
- provide you with information about products and services, including financial help guidance and advice;
- consider your request for products and services, including your eligibility;
- process your application and provide you with products and services; and
- administer products and services which includes answering your requests and complaints, varying products and services, conducting market research, taking any required legal action in relation to our accounts and managing our relevant product portfolios.
Can we use your information for marketing our products and services?
We may use or disclose your personal information to let you know about products and services that we believe may be of interest to you, including products and services from our related companies or from those we distribute products on their behalf. We will not do this if you tell us not to.
Such marketing activities may be via email, telephone, SMS, iM, mail, or any other electronic means, including targeted advertising through NAB Group or other websites.
We may also market our products to you through third party channels (such as social networking sites), or via other companies who assist us to market our products and services. We may use de-identified data to disclose to online advertisers that allow us to place communications in the media most relevant to you.
Where we market to prospective customers, we are happy to let them know how we obtained their information and will provide easy to follow opt-outs.
With your consent, we may disclose your personal information to third parties such as brokers or agents, or for the purpose of connecting you with other businesses or customers. You can ask us not to do this at any time.
Yes, You Can Opt-Out
You can let us know at any time if you no longer wish to receive direct marketing offers (see ‘Contact Us’). We will process your request as soon as practicable.
Where you have subscribed to something specific (like to hear from one of our sponsored organisations) then these subscriptions will be managed separately. If you no longer wish to receive these emails, click the unsubscribe link included in the footer of our emails.
We know that you may prefer to receive some types of messages over others, so where possible we will offer you a choice.
You can always update your preferences at any time.
What are the other ways we use your information?
We’ve just told you some of the main reasons why we collect your information, so here’s some more insight into the ways we use your personal information including:
- identifying you or verifying your authority to act on behalf of a customer;
- telling you about other products or services that may be of interest to you, or running competitions and other promotions (this can be via email, telephone, SMS, iM, mail, or any other electronic means including via social networking forums), unless you tell us not to;
- identifying opportunities to improve our service to you and improving our service to you;
- determining whether a beneficiary will be paid a benefit;
- assisting in arrangements with other organisations (such as loyalty program partners) in relation to a product or service we make available to you;
- allowing us to run our business and perform administrative and operational tasks (such as training staff, risk management; developing and marketing products and services, undertaking planning, research and statistical analysis; and systems development and testing);
- preventing, detecting or investigating any fraud or crime, or any suspected fraud or crime;
- as required by law, regulation or codes binding us; and
- for any purpose for which you have given your consent.
For more on additional ways we use credit information, see our Credit Reporting Policy.
Who do we share your personal information with?
To make sure we can meet your specific needs and for the purposes described in ‘How we use your personal information’, we sometimes need to share your personal information with others. We may share your information with other organisations for any purposes for which we use your information.
Sharing with the NAB Group
We may share your personal information with other NAB Group members. This could depend on the product or service you have applied for and the NAB Group member you are dealing with but will not differ from those purposes outlined above. Where appropriate we integrate the information we hold across the NAB Group to provide us with a complete understanding of your product holdings and your needs.
Sharing with third parties
We may disclose your personal information to third parties outside of the Group, including:
- those involved in providing, managing or administering your product or service;
- authorised representatives of the NAB Group who sell products or services on our behalf;
- credit reporting bodies or other approved third parties who are authorised to assess the validity of identification information;
- insurance, investment, superannuation and managed funds organisations, and their advisers and service provider;
- medical professionals, medical facilities or health authorities who verify any health information you may provide;
- real-estate agents, valuers and insurers (including lenders’ mortgage insurers and title insurers), re-insurers, claim assessors and investigators;
- brokers or referrers who refer your application or business to us;
- other financial institutions, such as banks, as well as guarantors and prospective guarantors of your facility;
- organisations involved in debt collecting, including purchasers of debt;
- fraud reporting agencies (including organisations that assist with fraud investigations and organisations established to identify, investigate and/or prevent any fraud, suspected fraud, crime, suspected crime, or misconduct of a serious nature);
- service providers that assist with fraud detection and prevention;
- organisations involved in surveying or registering a security property or which otherwise have an interest in such property;
- organisations we sponsor and loyalty program partners, including organisations the NAB Group has an arrangement with to jointly offer products or has an alliance with to share information for marketing purposes;
- companies we arrange or distribute products for, such as insurance products;
- rating agencies to the extent necessary to allow the rating agency to rate particular investments;
- any party involved in securitising your facility, including the Reserve Bank of Australia (sometimes this information is de-identified), re-insurers and underwriters, loan servicers, trust managers, trustees and security trustees;
- service providers that maintain, review and develop our business systems, procedures and technology infrastructure, including testing or upgrading our computer systems;
- payments systems organisations including merchants, payment organisations and organisations that produce cards, cheque books or statements for us;
- our joint venture partners that conduct business with us;
- organisations involved in a corporate re-organisation or transfer of NAB Group assets or business;
- organisations that assist with our product planning, analytics, research and development;
- mailing houses and telemarketing agencies and media organisations who assist us to communicate with you, including media or social networking sites;
- other organisations involved in our normal business practices, including our agents and contractors, as well as our accountants, auditors or lawyers and other external advisers (e.g. consultants and any independent customer advocates);
- government or regulatory bodies (including the Australian Securities and Investment Commission and the Australian Tax Office) as required or authorised by law (in some instances these bodies may share it with relevant foreign authorities); and
- where you’ve given your consent or at your request to your representatives, advisors or third party advertiser through Medfin website classifieds.
Sharing outside of Australia
We run our business in Australia and overseas. We may need to share some of your information (including credit information) with organisations outside Australia.
Sometimes, we may need to ask you before this happens. You can view a list of the countries in which those overseas organisations are located at www.nab.com.au/privacy/ overseas-countries-list/
We may store your information in cloud or other types of networked or electronic systems. As electronic or networked systems can be accessed from various countries via an internet connection, it’s not always practicable to know in which country your information may be held. If your information is stored in this way, disclosures may occur in countries other than those listed.
Overseas organisations may be required to disclose information we share with them under a foreign law. In those instances, we will not be responsible for that disclosure.
How do you access your personal information?
We‘ll always give you access to your personal information unless there are certain legal reasons why we can’t. You can ask us to access your personal information by calling Medfin on 1300 728 718. In some cases we may be able to deal with your request over the phone. See Medfin/Contact Us if you would like a copy of the form to be sent out to you.
We will give you access to your information in the form if you want it where it’s reasonable and practical (such as a copy of a phone call you may have had with us – we can put it on a disk for you). We may charge you a small fee to cover our costs when giving you access, but we’ll always check with you first. You can find the schedule of fees explained on the access form.
If we can’t give you access, we will tell you why in writing. If you have concerns, you can complain. See ‘Medfin/Contact Us’.
For more on accessing credit eligibility information, see our Credit Reporting Policy.
How do you correct your personal information?
Contact us if you think there is something wrong with the information we hold about you.
If you are worried that we have given incorrect information to others, you can ask us to tell them about the correction. We’ll try and help where we can – if we can’t, then we’ll let you know in writing.
For more on correcting credit information, see our Credit Reporting Policy.
How do you make a complaint?
If you have a complaint about how we handle your personal information, we want to hear from you. You are always welcome to contact us. We are committed to resolving your complaint and doing the right thing by our customers. Most complaints are resolved quickly, and you should hear from us within five business days (see ‘Contact Us’).
If you still feel your issue hasn’t been resolved to your satisfaction, then you can escalate your privacy concern (see ‘Contact details for escalating complaints’). If your complaint relates to credit information, see also our Credit Reporting Policy.
Contact details for escalating complaints
Need more help?
Australian Financial Complaints Authority (AFCA)
- Online : afca.org.au
- Email : firstname.lastname@example.org
- Telephone : 1800 931 678 (free call)
- In writing to : Australian Financial Complaints Authority, GPO Box 3, Melbourne, VIC 3001
Office of the Australian Information Commissioner
- Online: www.oaic.gov.au/privacy
- Phone: 1300 363 992
- Email : email@example.com
We care about what you think. Please contact us if you have any questions or comments about our privacy policies and procedures. We welcome your feedback.
You can contact us by:
This Policy may change from time to time. Please visit our website regularly as we will let you know of any changes to this Policy by posting a notification on our website. In addition, over the course of our relationship with you, we may tell you more about how we handle your information. This could be when you complete an application or form, or receive important disclosure documents from us, such as terms and conditions.
We recommend that you review these statements too as they may have more specific detail for your particular product holdings.
^Sensitive information is information about a person’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or trade union, sexual preferences or practices, criminal record, health information, genetic or biometric information.
CREDIT REPORTING POLICY
About these credit reporting provisions
This policy only applies when Medfin collects your credit information.
What types of credit information do we collect and hold?
When we’re checking your credit worthiness and at other times, we might collect information about you from and give it to credit reporting bodies. This information can include:
ID information: a record of your name(s) (including an alias or previous name), date of birth, gender, current or last known address and previous two addresses, name of current or last known employer and drivers’ licence number.
Information request: a record of a lender asking a credit reporting body for information in relation to a credit application, including the type and amount of credit applied for.
Default information: a record of your consumer credit payments being overdue.
Serious credit infringement: a record of when a lender reasonably believes that there has been a fraud relating to your consumer credit or that you have avoided paying your consumer credit payments and the credit provider can’t find you.
Personal insolvency information: a record relating to your bankruptcy or your entry into a debt agreement or personal insolvency agreement.
Court proceedings information: an Australian court judgment relating to your credit.
Publicly available information: a record relating to your activities in Australia and your credit worthiness.
Consumer credit liability information: certain details relating to your consumer credit, such as the name of the credit provider, whether the credit provider has an Australian Credit Licence, the type of consumer credit, the day on which the consumer credit was entered into and terminated, the maximum amount of credit available and certain repayment terms and conditions.
Repayment history information: a record of whether or not you’ve made monthly consumer credit payments and when they were paid.
Financial Hardship Information: (On and from 1 July 2022) information about whether you were provided with a permanent or temporary arrangement due to hardship and, if so, whether you met the requirements of such an arrangement.
Payment information: If a lender gave a credit reporting body default information about you and the overdue amount is paid, a statement that the payment has been made.
New arrangement information: If a lender gave a credit reporting body default information about you and your consumer credit contract is varied or replaced, a statement about this.
We base some things on the information we get from credit reporting bodies, such as:
- our summaries of what the credit reporting bodies tell us; and
- credit scores: a credit score is a calculation that lets us know how likely a credit applicant will repay credit we may make available to them.
Information that we get from a credit reporting body or information we derive from such information is known as credit eligibility information.
How we collect and hold your credit information
- credit reporting bodies and other credit providers;
- your co-loan applicants or co-borrowers, as well as your guarantors/proposed guarantors;
- your employer, accountant, real estate agent or other referees;
- your agents and other representatives like your referrers, brokers, solicitors, conveyancers and settlement agents;
- organisations that help us to process credit applications such as mortgage managers;
- organisations that check the security you are offering such as valuers;
- organisations involved in the securitisation of our loans such as loan servicers, trust managers, trustees and security trustees;
- organisations providing lenders mortgage insurance and title insurance to us or our related lenders;
- bodies that issue identification documents to help us check your identity; and
- our service providers involved in helping us to provide credit or to administer credit products, including our debt collectors and our legal advisers.
How we use your credit information
- enable a mortgage insurer or title insurer to assess the risk of providing insurance to us or to address our contractual arrangements with the insurer;
- assess whether to accept a guarantor or the risk of a guarantor being unable to meet their obligations;
- consider hardship requests; and
- assess whether to securitise loans and to arrange the securitising of loans.
Sharing your information with Credit Reporting bodies
We may disclose information about you to a credit reporting body if you are applying for credit or you have obtained credit from us or if you guarantee or are considering guaranteeing the obligations of another person to us or you are a director of a company that is loan applicant or borrower or guarantor.
This may include information about the date you opened (and closed) a credit account, the account type, the credit limit, your repayment history, any temporary or permanent payment arrangements (from 1 July 2022) and details relating to any defaults or serious credit infringements.
When we give your information to a credit reporting body, it may be included in reports that the credit reporting body gives other organisations (such as other lenders) to help them assess your credit worthiness.
Some of that information may reflect adversely on your credit worthiness, for example, if you fail to make payments or if you commit a serious credit infringement (like obtaining credit by fraud). That sort of information may affect your ability to get credit from other lenders.
We will not share any of your credit information with a credit reporting body, unless it has a business operation in Australia. We are not likely to share credit eligibility information (that is, credit information we obtain about you from a credit reporting body or that we derive from that information) with organisations unless they have business operations in Australia. However, in the event Medfin seeks assistance from a related company to manage defaulting loans, we may need as a consequence to disclose credit eligibility information to the Bank of New Zealand, located in New Zealand. We are likely to share other credit information about you with organisations outside Australia. A list of countries in which those overseas organisations are located is set out at www.nab.com.au/privacy/overseas-countries-list/.
How to access your credit eligibility information
Where you request access to credit information about you that we’ve got from credit reporting bodies (or based on that information), we will:
- provide you access to the information within 30 days (unless unusual circumstances apply); and
- ask you to check with credit reporting bodies what information they hold about you.
This is to ensure it is accurate and up-to-date.
If we can’t give you access, we will tell you why in writing. If your concerns haven’t been resolved to your satisfaction, you can lodge a complaint with the Australian Financial Complaints Authority (AFCA) or with the Office of the Australian Information Commissioner. Contact details are provided below.
Correcting your credit information
Whether we made the mistake or someone else made it, we are required to help you correct the information within 30 days. If we can’t make a correction in that timeframe, we will ask you for extra time. We also might need to talk to others in order to process your request. The most efficient way for you to make a correction request is to ask the organisation which made the mistake.
Whether we’re able to correct the information or not, we’ll let you know within five business days of deciding to do this. If we can’t we will provide reasons. We’ll also let the relevant third parties know as well as any others you tell us about. If there are any instances where we can’t do this, then we’ll let you know in writing. If your concerns haven’t been resolved to your satisfaction, you can lodge a complaint with the Australian Financial Complaints Authority (AFCA) or with the Office of the Australian Information Commissioner. Contact details are given below.
What about complaints relating to credit information?
We will let you know how we will deal with your complaint within seven days.
If we can’t fix things within 30 days, we’ll let you know why and how long we think it will take. We will also ask you for an extension of time to fix the matter. If you have any concerns, you may complain to AFCA or the Office of the Australian Information Commissioner.
If your complaint relates to how we handled your access and correction requests you may take your complaint directly to AFCA or the Office of the Australian Information Commissioner. You are not required to let us try to fix it first.
Contact details for Credit Reporting Bodies
As outlined above, when we’re checking your credit worthiness and at other times, we might collect information about you from and give it to one or more credit reporting bodies. The contact details of the credit reporting bodies we use are outlined below. Each credit reporting body has a credit reporting policy about how they handle your information. You can obtain copies of these policies at their websites.
- Online: www.illion.com.au
- Illion’s credit reporting policy is set out at www.illion.com.au/illion-credit-reporting-policy-australia/
- Phone : 1300 734 806
- Email : firstname.lastname@example.org
- Online : www.experian.com.au
- Experian’s credit reporting policy is set out at www.experian.com.au/privacy-policy-terms-conditions
- Phone : 1300 783 684
- Mail : Consumer Support Team – Experian Australia Credit Services, PO Box 1969, North Sydney NSW 2060
- Online : www.equifax.com.au
- Equifax credit reporting policy is set out at www.equifax.com.au/credit-reporting-policy
- Phone: 13 83 32
Contact credit reporting bodies if you think you have been the victim of a fraud
If you believe that you have been or are likely to be the victim of fraud (including identity fraud), you can request a credit reporting body not to use or disclose the information they hold about you. If you do this, the credit reporting body mustn’t use or disclose the information during an initial 21 day period without your consent (unless the use or disclosure is required by law). This is known as a ban period.
If, after the initial 21 day ban period, the credit reporting body believes on reasonable grounds that you continue to be or are likely to be the victim of fraud, the credit reporting body must extend the ban period as they think reasonable in the circumstances. The credit reporting body must give you a written notice of the extension.
Contact credit reporting bodies if you don’t want your information used by them for direct marketing/pre-screening purposes
Credit reporting bodies can use the personal information about you that they collect for a pre-screening assessment at the request of a credit provider unless you ask them not to. A pre-screening assessment is an assessment of individuals to see if they satisfy particular eligibility requirements of a credit provider to receive direct marketing. You have the right to contact a credit reporting body to say that you don’t want your information used in pre-screening assessments. If you do this, the credit reporting body must not use your information for that purpose.
Last reviewed June 2022.