What is our Privacy Policy?

At Heartland, we realise the importance of protecting your personal information whether it comes from you or through other sources. This Privacy Policy describes how we collect, store, and handle personal information, the types of personal information we collect, the purposes for which we use this information, to whom this information is disclosed and how you can communicate with us about your personal information.

In this policy, “we” or “us” refers to Heartland Bank Australia Limited ABN 54 087 651 750, and its related bodies corporate (as that term is defined in the Corporations Act 2001 (Cth) including ASF Custodians Pty Ltd. We may change our Privacy Policy from time to time at our discretion. At any time, the latest version of our Privacy Policy is available from our website at https://www.heartlandbank.com.au/privacy-policy.

What types of personal information do we collect?

Personal information is information about you that identifies you or from which your identity is apparent or can reasonably be worked out. It can include an opinion and does not necessarily need to include your name.

One kind of information that we regularly collect is credit information. Credit information is that part of your information that we use to assess your eligibility for the credit products that we make available.

This can include details of any finance that you have available, your history in repaying credit and other information that credit providers use to assess eligibility. Section 6 below contains further information about credit information.

The kinds of personal information we are allowed to obtain about you, and the manner in which we collect, maintain and protect your personal information, are primarily governed by the Privacy Act and the Australian Privacy Principles (APPs) under that Act.

In addition, before we are able to provide you with financial products or services, the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (“AML/CTF Act”) requires us to collect information about you in order to verify your identity. This information may also be provided to a credit reporting body for verification, or to third parties for the purposes of fraud prevention, Anti-Money Laundering and Counter-Terrorism Financing checks as required by law and identify verification. Section 7 below contains further information about the collection and verification of identification information.

The types of personal information we collect about you depends on the circumstances in which the information is collected. Such information may include:

• contact details (such as your name, address, email address and phone numbers);
• photographs of you;
• date of birth and gender;
• current occupation and employment history;
• education, qualifications and training;
• relationship status;
• details of individuals you are (or may be) connected to;
• financial information, such as information about your assets, finances, income, expenses and debit and credit history (including information obtained from credit reporting bodies);
• your tax file number; and/or
• information concerning your use of our products and services.

We also have access to information about your account(s) and transactions. This means we can see how and where you use your account(s). We may use this information to form a view on our other products and services that may benefit you.

We generally do not collect sensitive information about you unless required by applicable laws or rules. Sensitive information includes information in relation to:

• political or religious beliefs;
• race or ethnic origin;
• memberships of unions, trade or professional associations;
• criminal records; and/or
• health information.

If you do provide sensitive information to us for any reason, you consent to us collecting that information and to us using and disclosing that information for the purpose for which you disclosed it to us and as permitted by the Privacy Act and other relevant laws.

In addition to the types of personal information identified above, we may collect personal information as otherwise permitted or required by law.

We will only obtain, use or disclose government generated identifiers (for example, your tax file number) in circumstances where we are legally permitted or obliged to do so.

The scope of your personal information may include many records and documents. Should you require it, we would be happy to explain in greater detail what this information includes. Should you require it, you may also see the personal information we keep about you, subject to certain limitations set out in the Australian Privacy Principles. Please contact us if you require us to give you a further explanation.

How do we collect your personal information?

We collect personal information in a number of ways. The most common ways we collect your personal information are:

• directly from you, including when you request or use any of our products or services;
• from publicly available sources;
• from market research bodies who may have records about you from surveys and questionnaires you may have engaged in;
• from your personal representatives, including your solicitor, accountant and financial adviser;
• from distributors, agents and brokers, including insurance brokers or mortgage brokers you may have had contact with;
• from other credit providers you may have had contact with and credit reporting bodies;
• from Federal, State or Territory government departments and regulatory bodies; and/or
• from other third parties.

We may also collect information about how you use our website and mobile apps. For example, this may include your identity, date and time of your visits, number of visits, the type of products and services you view and how you use our website and mobile apps. We obtain information via our website through 'cookies' and related technologies. The use of cookies helps us monitor the effectiveness of our website and mobile apps.

A ‘cookie’ is a packet of information placed on a user’s computer by a website which is used for record keeping. Cookies are used to monitor traffic on our website, but generally we do not collect personal information from you using cookies.

You can configure your browser to accept or reject cookies, or notify you when cookies are sent. If you disable the use of cookies on your web browser or reject cookies from us then you may not be able to gain access to all of the content or facilities that we offer.

Throughout our website and mobile apps we use the Google Universal Analytics system, Google Play Console and App Store Connect (as applicable) to measure anonymous website and mobile app activity. These services provide us with information about the use, functionality and effectiveness of our website and mobile apps, helping us to understand and optimise user experiences and to also optimise our advertising on, and outside of, our website and mobile apps. We may also use other third party data analytic software in the future and you may request a list of all data analytic software providers that we use from us at any time.

The information we collect from your general use of our websites and mobile apps does not identify you. It is general data regarding the number of visitors/users of our website and mobile apps, and statistics regarding their usage.

However, where you access functions of our website and mobile apps that require you to verify your identity by entering your log-on details and/or a password we will keep a record of that access to monitor and record transactional information within the secure parts of our website and mobile apps. We may store this information for a period of up to 7 years unless we reasonably need to store it for a longer period for example to resolve a complaint that you have made.

We may also monitor and/or record telephone discussions between you and our staff for training purposes and to check the accuracy of our records.

For what purposes do we collect, use and disclose your personal information?

The purposes for which we use and disclose your personal information will depend on the circumstances in which we collect it. Generally, we collect, use and disclose your personal information so that we can:

• establish who you are and assess your creditworthiness;
• assess applications for products and services;
• administer and monitor products or services;
• develop and run our business generally;
• comply with legal obligations and assist government departments and regulatory bodies; and/or
• tell you about other products or services that we think may be of interest to you.

We may also collect, use and disclose your information in other ways where permitted by law.

If you do not agree to give us certain types of personal information, we may be unable to provide you with the products or services you have asked for.

To whom may we give your personal information?

We may disclose your personal information to third parties in connection with the purposes described above. This generally includes disclosure to the following types of third parties:

• our related bodies corporate;
• other persons named in your application for a product or service with us;
• our service providers and contractors, including data storage providers in Australia or overseas;
• other financial and insurance institutions;
• identity verification agencies;
• debt collecting agencies;
• credit reporting bodies;
• government departments & regulatory bodies and issuers or official record holders of identity documents;
• your agents, advisers, referees, executors, administrators, trustees, guardians, beneficiaries (if you are a trustee) or attorneys;
• anyone to whom we consider assigning or transferring any of our rights or obligations; and/or
• other persons where this is permitted by law or to whom you have directed or otherwise permitted us to disclose your personal information to.

Where we disclose your personal information to third parties we will use reasonable endeavours to ensure that such third parties only use your personal information as reasonably required for the purpose we disclosed it to them and in a manner consistent with the Privacy Act. Third parties who access your personal information are required to adhere to appropriate security standards to protect your information from unauthorised access, destruction or loss.

Credit reports

When you apply to us for credit, we may request a credit report about you from a credit reporting body. A credit report contains information about your credit history which assists credit providers to assess your application, verify your identity and manage your accounts. Credit reporting bodies collect and exchange this information with credit providers.

The Privacy Act limits the information that credit providers can disclose about you to credit reporting bodies, as well as the ways in which credit providers can use credit reports. The information we may disclose includes your identification details, any applications for credit you have made, the type and amount of credit you have, any failure to make repayments or defaults and whether you have committed a serious credit infringement (such as fraud). This is information we have collected through your use of our products and services. We may also ask credit reporting bodies to provide us with an overall assessment score of your creditworthiness.

The credit reporting bodies we may share information with are:

• Equifax (equifax.com.au);
• Illion (creditcheck.illion.com.au); and/or
• Experian (experian.com.au).

Contact details and copies of their privacy policies are available on their websites.

We use information from credit reporting bodies to confirm your identity, assess applications for credit, manage our relationship with you and otherwise in order to comply with laws, regulations and codes of practice. This includes sharing your credit information with the entities listed in section 5. We may combine the information from a credit reporting body with other information. Credit providers can ask credit reporting bodies to use your credit-related information to pre-screen you for direct marketing. You can ask a credit reporting body not to do this. You can also ask a credit reporting body to not use or disclose your credit information if you believe you have been, or are likely to be, a victim of fraud. To do this, contact the credit reporting body directly.

Sections 12 and 13 contain details about how you can access or correct any information we hold about you, how you can make a complaint about a data breach and how we will deal with any complaint.

Identity verification

Before we can provide you with financial products or services, we are required to collect information from you to verify your identity. This requirement applies to Australian financial institutions such as Heartland under the AML/CTF Act.

There are two methods we can use to verify your identity: electronic verification or a manual alternate method. Heartland may choose to use either electronic verification or a manual alternate method (or both) depending on the product you are applying for and the identification you have provided to us.

Electronic verification

Under the AML/CTF Act, we can disclose your name, residential address and date of birth to a credit reporting body to assist in verifying your identity. The credit reporting body will then assess whether this information matches (in whole or part) information held in their records and in the records of government departments, an issuer or official record holder of identity documents, or other third parties (if any).

For us to complete electronic verification, you need to:

• be 18 years or over;
• have an Australian residential address;
• hold an acceptable form of identification; and
• consent to your identity being verified in this way.

Manual alternate method

If you cannot or chose not to be electronically verified, we must identify you using a manual alternate method for example by requesting originally certified copies of identifying documents such as your driver's licence, passport or other documents that verify your identity if you do not have a driver’s licence or passport, or your name has been changed.

Does personal information leave Australia?

We may share your information with recipients located overseas, including some of our related bodies corporate or service providers. The countries in which these recipients are located include New Zealand. We take reasonable steps to ensure that these recipients protect your information in the same way that we do (although they may not be subject to Australian laws).

Your information may also be held on our behalf by data storage providers, including cloud-based data storage providers in Australia, New Zealand or elsewhere.

How do we protect your personal information?

We keep hard copy documents in our offices which are protected by building security and other office security measures. The electronic records that we keep are in computer systems that have firewalls, intrusion detection and virus scanning tools to protect against unauthorised access. We also maintain and monitor our online security systems.

Our staff are trained in the proper handling of personal information so that they are aware of the things they must do to protect your personal information. We also seek to ensure that appropriate data handling and security arrangements are in place when we send information overseas or use third parties that handle or store data.

However, the internet is not a secure environment and although care is taken, we cannot guarantee the security of information provided to us or stored or transferred via electronic means. You can help us protect your privacy by observing our security requirements and contacting us immediately if your contact details change. You should keep any usernames, passwords and pin codes secure and confidential at all times, and not disclose them to any other person. Please contact us immediately using the details in Section 14 below if you believe that your username or password may have been disclosed to another person.

Direct marketing

We may use your information to inform you of other products and services that could be of interest to you, including through direct marketing. We may contact you from time to time to tell you about these products and services. If you don’t want to receive direct marketing, you can ask us not to contact you and not to disclose your information to others for that purpose. If you would like to opt out of receiving our marketing, please contact us using the information provided below in Section 14.

We will not use or disclose sensitive information about you for direct marketing purposes unless you have consented to such use or disclosure.

Unsolicited information

Sometimes we receive personal information that we have not asked for, which can include sensitive information. If we receive such information, we will examine whether we are permitted to collect such information and, if we are, we will review the information and handle it in accordance with this Privacy Policy. If we are not able to collect such information and it is not in a government record, then we will destroy or de-identify the information as soon as possible, if it is lawful to do that.

There are occasions where it is difficult to separate sensitive information from other personal information and we may need to store information for future use including for regulatory reasons. Where this is the case, we will still keep the information in accordance with this Privacy Policy.

How can you access and correct your personal information?

If you wish to access the personal information we hold about you, you can contact us using the details in Section 14. We may require that the person requesting access provides suitable identification.

We will provide access to that information in accordance with the Privacy Act, subject to certain exemptions which may apply. Access may not be provided where the information would disclose personal information about someone else, would disclose commercially sensitive matters (including our business operations and decision making processes) or is protected from disclosure by law. If you have requested to see your information and we are not able to disclose it to you, then we will tell you and give you reasons.

We will usually provide your personal information free of charge. However, in some cases we may need to charge you an administration fee (such as when your request requires us to obtain information that is not readily available).

If you think that any personal information we hold is incorrect or out of date, then you can ask us to correct or update it. If your request relates to credit related information provided by others, we may need to consult with credit reporting bodies or other credit providers before being able to correct or update the information. If we disagree the information should be corrected, then we will tell you and give you reasons.

What can you do if you have a privacy issue?

If you have any questions, concerns or complaints about our collection, use or disclosure of personal information, or if you believe that we have not complied with this Privacy Policy or the Privacy Act, you can contact the Privacy Officer using the details in Section 14.

Please provide as much detail as possible in relation to your question, concern or complaint. We take any privacy complaint seriously and it will be assessed by a Privacy Officer with the aim of resolving any issue in a timely and efficient manner. We request that you cooperate with us during this process and provide us with any relevant information that we may need. If your complaint concerns credit related information, then we may need to consult with other organisations, including credit reporting bodies or credit providers.

If you are not satisfied with the outcome of our assessment of your complaint, you may wish to contact the Office of the Australian Information Commissioner or the Australian Financial Complaints Authority.

Contact us

The Privacy Officer
Heartland Bank Australia Limited
PO Box 18134
Collins Street East VIC 8003
By phone – 1300 221 479