| |
| |
SCOPE OF POLICY
This Policy has been written by the Code Compliance Monitoring Committee (“CCMC”) to comply with its obligations under the Privacy Amendment (Private Sector) Act 2001 (Cth) (“the Act”).
The Policy and Guidance Notes are to be read with the National Privacy Principles (“NPPs”) contained in the Act. The NPPs are published on the Privacy Commissioner’s website, www.privacy.gov.au.
The document sets out the obligations of CCMC with respect to protection of personal information. It is the policy of CCMC to comply with each of the National Privacy Principles set out in the Privacy Act 1988. The Guidance Notes, which follow each principle, set out the manner in which CCMC will comply with the principles.
OBJECTIVE
This policy is intended to ensure that the privacy of individuals is protected in the collection, use, disclosure and storage of personal information by CCMC.
SCOPE OF GUIDANCE NOTES TO POLICY
The Guidance Notes do not form part of the Policy but are intended to set out the approach of CCMC to the Principles in the context of its functions and activities. Where relevant, the Guidance Notes draw on the Privacy Commissioner’s Guidelines to the National Privacy Principles (September 2001) (“Commissioner’s Guidelines”) and to other material published by the Privacy Commissioner. These Guidance notes are intended to discuss the Privacy Commissioner’s Guidelines and other publications in the context of CCMC and Code of Banking Practice (“Code”) compliance.
FUNCTIONS AND ACTIVITIES OF CCMC
The role of the Code Compliance Monitoring Committee is to:
| (a) |
monitor compliance with the Code by subscribing banks; |
| (b) |
investigate and make a determination on whether a subscribing bank has breached the Code; and |
| (c) |
monitor any other aspects of the Code that are referred to the CCMC by the Australian Bankers’ Association (“ABA”). |
The CCMC accepts written complaints from people in relation to breaches of the Code. A written complaint, which falls within the jurisdiction of the CCMC, is sent to the relevant bank to give it an opportunity to address the allegation of a breach. After receiving the bank’s response, the CCMC will investigate and reach a determination as to whether the Code has been breached.
Before lodging a written complaint, an individual can contact the Executive Officer of the CCMC by phone. The Executive Officer may provide information to individuals about the functions and activities of CCMC and its jurisdiction and information about other entities that may assist the individual. Individuals who contact the Executive Officer by telephone are not required to disclose their identity, but are asked to provide non identifying information such as their postcode for statistical purposes.
All collection, use and disclosure of personal information by the CCMC will be done for the purpose of Code monitoring and complaint investigation.
1. COLLECTION
| 1.1 |
CCMC will only collect personal information about an individual where the information is necessary for one or more of its functions or activities. |
| 1.2 |
CCMC will collect personal information about an individual only by lawful and fair means and not in an unreasonably intrusive way. |
| 1.3 |
At or before the time (or, if that is not reasonably practicable, as soon as practicable after) CCMC collects personal information about an individual from the individual, CCMC will take reasonable steps to ensure that the individual is aware of: |
| |
| (a) |
the identity of CCMC and how to contact it; and |
| (b) |
the fact that he or she is able to gain access to the information; and |
| (c) |
the purposes for which the information is collected; and |
| (d) |
the organisations (or the types of organisations) to which CCMC usually discloses information of that kind; and |
| (e) |
any law that requires the particular information to be collected; and |
| (f) |
the main consequences (if any) for the individual if all or part of the information is not provided. |
|
| 1.4 |
If it is reasonable and practicable to do so, CCMC will collect personal information about an individual only from that individual. |
| 1.5 |
If CCMC collects personal information about an individual from someone else, it will take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subclause 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual. |
Guidance Notes
Collection will be necessary
Personal information about an individual collected from banks and complainants will be collected for the primary purpose of investigating alleged Code breaches and monitoring Code compliance.
Collection will be fair and lawful
CCMC will collect information in the following ways
| • |
In writing, from the complainant or his or her representative and the bank; |
| • |
Orally, in telephone or face to face conversations with the complainant and the bank; and |
| • |
From third parties who can assist by providing information, provided the complainant has previously been made aware of this course of action and given the opportunity to object to CCMC contacting third parties. |
CCMC will not accept personal information obtained by any person in any way which is unlawful.
Informing individuals about CCMC when collecting directly
CCMC will provide the information required in subclause 1.3 of the NPPs to individuals by:
| (a) |
Including that information in a privacy statement on the CCMC web-site and in information brochures; |
| (b) |
Providing it on request when contact is made with the CCMC; and |
| (c) |
When CCMC receives a written complaint, CCMC will write to the complainant enclosing a copy of an information brochure. |
Given the purpose and activities of CCMC, it can be assumed that, before writing with a complaint, most complainants will be aware that CCMC will use the personal information they disclose when CCMC seeks to investigate their complaint and that may require disclosure to the relevant bank about which they are complaining. However before sending personal information to the bank, the CCMC will obtain the customer’s authority. In addition, banks provide information to individuals about CCMC in their publications and by making Code related publications available.
Collecting directly from the individual
Each assessment of the reasonableness and practicability of collecting information directly from the individual will be made having regard to the NPPs, the Commissioner’s Guidelines and the particular facts comprising the complaint.
The primary person about whom information is collected will be the complainant and his/her representative.
Sometimes CCMC receives a complaint that necessarily concerns information about a third party who has no interest or involvement in the complaint itself. The information is usually sent unsolicited by the complainant. By accepting the information, CCMC is taken to have collected it under the NPPs.
Examples of such cases include, but are not limited to, the following:
| • |
Joint account holders – where only one account holder is in dispute with the bank, but investigation of the complaint requires access to and consideration of transactions, authorities or other aspects of the joint account; |
| • |
Complaints about securities such as guarantees or third party mortgages, where the person offering security is in dispute with the bank, but the borrower is not. In such cases, CCMC may need to consider the lending or conduct of the primary account in order to investigate the complaint. |
In many of these kinds of cases it will not be reasonable or practicable for CCMC to collect the personal information directly from the individual concerned because:
| (a) |
To do so would disclose the fact that a complaint has been made to CCMC and thereby breach the privacy of the complainant; |
| (b) |
Disclosure may have adverse consequences for the complainant including pressure not to pursue their legal rights including their right to access CCMC and, in some cases, the threat of physical or emotional harm; |
| (c) |
CCMC may not have contact details for the third party and may have to incur considerable costs to locate him or her; |
| (d) |
In some circumstances, such as where allegations of misconduct are made in relation to the third party, it would not be practicable to collect the relevant and potentially incriminating information from that third party. |
It is accepted practice for schemes such as CCMC to collect and use available information, including third party personal information to carry out its primary function of monitoring and investigating bank compliance with the Code.
In the case of a joint account, where one account holder makes a complaint but the other does not, CCMC may first ask the complainant to seek the consent of the other account holder to CCMC obtaining account information from the relevant bank. If the complainant cannot or will not do so, CCMC will determine whether there is any impediment to investigating the complaint.
Generally, CCMC will take the view that a joint account holder would expect that information about their joint account would be collected and used by CCMC in the course of an investigation of a complaint about the account.
Similarly, where a complaint concerns information about a party (other than the complainant) to a transaction, such as a guarantor, CCMC will generally assume that a reasonable third party would expect that information about the account or transaction would be collected by CCMC in the course of an investigation of a complaint about the account or the transaction.
CCMC does not make determinations that affect the legal rights and obligations of third parties. CCMC’s determinations are only binding on banks that have adopted the Code. Correspondence in the course of an investigation and determinations are confidential as between the parties.
Where CCMC collects personal information about a third party it will take reasonable steps to ensure that the third party is or has been made aware of the matters listed in subclause 1.3 of the NPPs.
CCMC will not contact third parties directly to inform them that it holds information about them because to do so would breach the confidentiality of complainants and may, in some cases, pose a threat to the life and health of the complainant. For these reasons, CCMC has determined that it is not reasonable or practicable for CCMC to inform the third party of the matters set out in subparagraph 1.3.
However, where information about a third party is provided by the complainant or the bank, CCMC will do the following:
| • |
The Executive Officer will review the information received and determine whether the information about the third party is personal information; |
| • |
If the information about the third party is personal information, the Executive Officer will assess it to determine whether it is necessary to understand or resolve the complaint; |
| • |
If the Executive Officer determines that the complaint can be handled without the information, it will be deleted from the written complaint; |
| • |
If the Executive Officer considers that the information can be de-identified, then the Executive Officer will take steps to remove all information that identifies who the third party is, before using the information; |
| • |
If the Executive Officer considers that the third party information is necessary in the resolution of the complaint, the Executive Officer may ask the complainant or bank to advise the other person that the information has been provided and why; or |
| • |
If the Executive Officer determines that it is not reasonable for the complainant or bank to advise the other person that the information has been provided and why, no steps will be taken. Such a determination may be reached in cases where the third party is alleged to have acted unlawfully, where it is apparent that there is conflict between the complainant and the third party or where disclosure of the complaint to the third party would exacerbate the complaint or cause a potential threat to the safety of an individual. |
Information about any person is used by the CCMC only for the purpose of monitoring and investigating bank compliance with the Code.
2. USE AND DISCLOSURE
2.1 CCMC will not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:
| (a) |
both of the following apply: |
| |
| (i) |
the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection; and |
| (ii) |
the individual would reasonably expect CCMC to use or disclose the information for the secondary purpose; or |
|
| (b) |
the individual has consented to the use or disclosure; or |
| (c) |
CCMC reasonably believes that the use or disclosure is necessary to lessen or prevent: |
| |
| (i) |
a serious and imminent threat to an individual’s life, health or safety; or |
| (ii) |
a serious threat to public health or public safety; or |
|
| (d) |
CCMC has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or |
| (e) |
the use or disclosure is required or authorised by or under law. |
Guidance Notes
CCMC will use personal information about an individual it collects for its primary purpose of monitoring and investigating bank compliance with the Code.
For that primary purpose CCMC may use personal information about an individual to investigate a complaint and make a determination. In the course of so doing CCMC may disclose personal information about an individual to the complainant or to the relevant bank.
The CCMC does not envisage that it would use or disclose personal information for purposes other than the primary purpose in many instances. However, any such secondary uses will be limited to those permitted under the NPPs.
Personal information will be de-identified before being used for the purpose of reporting to stakeholders, the public and the Government about our activities and as such will not be personal information.
Third parties seeking information about a complaint
From time to time, CCMC is contacted by persons who claim to represent a complainant and who seek information about the progress of a complaint. These people include members of parliament, legal and financial advisers, friends and family members. CCMC makes no assessment about the intentions of any such person in seeking information.
However, the CCMC will not discuss any aspect of a complaint with any person other than the complainant unless the complainant has authorised CCMC to do so. The CCMC does not regard a person to whom correspondence has been merely been copied by the complainant as authorisation to discuss the complaint or receive information about the progress of the complaint.
3. DATA QUALITY
3. CCMC will take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.
Guidance Notes
CCMC will take reasonable steps to make sure that the personal information about individuals collected, used or disclosed is accurate, complete and up to date at the time the information is collected, used or disclosed, as the case may be.
Where a complainant or bank notifies CCMC of undisputed changes to personal details held by the CCMC about an individual, or errors in CCMC’s records, CCMC will make the necessary changes as soon as practicable.
CCMC’s case management system has been designed to ensure that, in respect of all open cases, a future date is nominated for review of the progress of the case and/or for further action by CCMC. In this way, CCMC will be able to ensure that any new information, such as changes to addresses or other relevant information, are acted upon and that CCMC’s records are updated.
4. DATA SECURITY
| 4.1 |
CCMC will take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure. |
| 4.2 |
CCMC will take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under NPP 2. |
Guidance Notes
CCMC premises and information systems are controlled by electronic security.
CCMC will make staff aware of privacy obligations by training and by providing guidance notes and contracted staff are required to give confidentiality undertakings in respect of any personal information they access.
The CCMC and the Executive Officer have access to files and electronic records concerning complaints in order to deal with queries and comments from complainants and their banks.
Bank files obtained by CCMC during the course of an investigation are stored securely in a lockable, fireproof cabinet.
CCMC will take reasonable steps to destroy or permanently de-identify personal information about individuals if it is no longer needed for any purpose for which the information may be used or disclosed under NPP 2. It is CCMC’s policy to destroy physical files 7 years after closure of the file. CCMC will remove electronic records from its system 10 years after closure of the file.
5. OPENNESS
| 5.1 |
CCMC will set out in a document clearly expressed policies on its management of personal information. CCMC will make the document available to anyone who asks for it. |
| 5.2 |
On request by a person, CCMC will take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information. |
Guidance Notes
This document is intended to fulfil CCMC’s obligations under NPP 5.
CCMC’s policy is available to anyone who asks for it orally or in writing. The document will be published on CCMC’s website and will be available from the reception area of CCMC’s premises.
On request by any person, CCMC will take reasonable steps to let the person know, generally, what sort of information CCMC holds, for what purposes, and how CCMC collects, holds, uses and discloses that information.
6. ACCESS AND CORRECTION
| 6.1 |
If CCMC holds information about an individual, it will provide the individual with access to the information on request by the individual, except to the extent that: |
| (a) |
in the case of personal information other than health information—providing access would pose a serious and imminent threat to the life or health of any individual; or |
| (b) |
in the case of health information—providing access would pose a serious threat to the life or health of any individual; or |
| (c) |
providing access would have an unreasonable impact upon the privacy of other individuals; or |
| (d) |
the request for access is frivolous or vexatious; or |
| (e) |
the information relates to existing or anticipated legal proceedings between CCMC and the individual, and the information would not be accessible by the process of discovery in those proceedings; or |
| (f) |
providing access would reveal the intentions of CCMC in relation to negotiations with the individual in such a way as to prejudice those negotiations; or |
| (g) |
providing access would be unlawful; or |
| (h) |
denying access is required or authorised by or under law; or |
| (i) |
providing access would be likely to prejudice an investigation of possible unlawful activity; or |
| (j) |
providing access would be likely to prejudice: |
| |
| (i) |
the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or |
| (ii) |
the enforcement of laws relating to the confiscation of the proceeds of crime; or |
| (iii) |
the protection of the public revenue; or |
| (iv) |
the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or |
| (v) |
the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders; |
|
| |
by or on behalf of an enforcement body; or |
| (k) |
an enforcement body performing a lawful security function asks CCMC not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia. |
| 6.2 |
However, where providing access would reveal evaluative information generated within CCMC in connection with a commercially sensitive decision-making process, CCMC may give the individual an explanation for the commercially sensitive decision rather than direct access to the information. |
| 6.3 |
If CCMC is not required to provide the individual with access to the information because of one or more of paragraphs 6.1(a) to (k) (inclusive), CCMC will, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties. |
| 6.4 |
If CCMC charges for providing access to personal information, those charges: |
| |
(a) will not be excessive; and
(b) will not apply to lodging a request for access. |
| 6.5 |
If CCMC holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up-to-date, CCMC will take reasonable steps to correct the information so that it is accurate, complete and up-to-date.
|
| 6.6 |
If the individual and CCMC disagree about whether the information is accurate, complete and up-to-date, and the individual asks CCMC to associate with the information a statement claiming that the information is not accurate, complete or up-to-date, CCMC will take reasonable steps to do so. |
| 6.7 |
CCMC will provide reasons for denial of access or a refusal to correct personal information. |
Guidance Notes
If CCMC holds personal information about an individual it will provide the individual with access to the information on request by the individual, except where one or more of the exceptions in subclause 6.1 of the NPPs applies.
In particular, CCMC will not provide access where to do so would have an unreasonable impact on the privacy of other individuals.
If an individual is able to establish that personal information held by CCMC about that individual is not accurate, complete and up-to-date, CCMC will take reasonable steps to correct the information so that it is accurate, complete and up-to-date.
If there is disagreement CCMC will take reasonable steps to associate with the information a statement from the complainant claiming that the information is not accurate, complete or up-to-date if the individual asks CCMC to do so.
CCMC will provide written reasons for denial of access or a refusal to correct personal information.
Although the NPPs make provision for CCMC to charge for providing access to information, it is CCMC’s current policy to provide access free of charge.
Any individual who wishes to gain access to information held by CCMC should contact:
The Executive Officer
Code Compliance Monitoring Committee
PO Box 14240 Melbourne City Mail Centre
Melbourne VIC 3001
Telephone: 1300 78 08 08
Facsimile: (03) 9649 7122
The individual should provide as much information as possible to assist the Executive Officer in determining where the relevant information is held. This includes file numbers, the name of the complainant, the name of the bank and/or relevant dates.
7. IDENTIFIERS
| 7.1 |
CCMC will not adopt as its own identifier of an individual an identifier of the individual that has been assigned by: |
| (a) |
an agency; or |
| (b) |
an agent of an agency acting in its capacity as agent; or |
| (c) |
a contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract. |
| 7.2 |
CCMC will not use or disclose an identifier assigned to an individual by an agency, or by an agent or contracted service provider mentioned in subclause 7.1, unless: |
| (a) |
the use or disclosure is necessary for CCMC to fulfil its obligations to the agency; or |
| (b) |
one or more of paragraphs 2.1(e) to 2.1(h) (inclusive) apply to the use or disclosure. |
Guidance Notes
In the above clause “identifier” includes a number assigned by CCMC to an individual to identify uniquely the individual for the purposes of CCMC's operations. CCMC identifies complaints by numbers which are allocated in numerical order, according to the time that the complaint is first received and processed.
Individuals are not assigned any identifying number or code by CCMC. Where an individual makes more than one complaint to CCMC, each complaint will have a separate number.
An individual’s name or ABN (as defined in the A New Tax System (Australian Business Number) Act 1999) is not an identifier.
8. ANONYMITY
| 8. |
Wherever it is lawful and practicable, individuals will have the option of not identifying themselves when entering transactions with CCMC. |
Guidance Notes
If an anonymous complaint to the CCMC contains a sufficient level of detail to enable the bank to respond to, then the CCMC can deal with the complaint in the same way as if the complainant was known. If there is not sufficient information, the complaint cannot be acted on or investigated.
Callers to the Executive Officer with a general inquiry not related to a specific case before the CCMC will not be required to identify themselves. However they will be asked for general information such as a postcode, so that the CCMC can report on and assess the general profile of callers, such as the geographical spread of callers.
9. TRANSBORDER DATA FLOWS
| 9. |
CCMC may transfer personal information about an individual to someone (other than CCMC or the individual) who is in a foreign country only if: |
| (a) |
CCMC reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles; or |
| (b) |
the individual consents to the transfer; or |
| (c) |
the transfer is necessary for the performance of a contract between the individual and CCMC, or for the implementation of pre-contractual measures taken in response to the individual’s request; or |
| (d) |
the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between CCMC and a third party; or |
| (e) |
all of the following apply: |
| |
| (i) |
the transfer is for the benefit of the individual; |
| (ii) |
it is impracticable to obtain the consent of the individual to that transfer; |
| (iii) |
if it were practicable to obtain such consent, the individual would be likely to give it; or |
|
| (f) |
CCMC has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles. |
Guidance Notes
The jurisdiction of the CCMC does not extend to overseas banks. As such, it is not envisaged that CCMC will transfer personal information about an individual to someone in a foreign country, other than the individual him or herself.
10. SENSITIVE INFORMATION
10.1 CCMC will not collect sensitive information about an individual unless:
| (a) |
the individual has consented; or |
| (b) |
the collection is required by law; or |
| (c) |
the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns: |
| |
| (i) |
is physically or legally incapable of giving consent to the collection; or |
| (ii) |
physically cannot communicate consent to the collection; or |
|
| (d) |
the collection is necessary for the establishment, exercise or defence of a legal or equitable claim. |
Guidance Notes
For the purposes of the Privacy Act, “sensitive information” is defined as information about an individual’s:
| (a) |
Racial or ethnic origin; |
| (b) |
Political opinions; |
| (c) |
Membership of a political association; |
| (d) |
Religious beliefs; |
| (e) |
Philosophical beliefs; |
| (f) |
Membership of a professional or trade association; |
| (g) |
Membership of a trade union; |
| (h) |
Sexual preferences or practices; |
| (i) |
Criminal record; or |
| (j) |
Health. |
Wherever practicable, CCMC will seek the consent of any individual about whom sensitive information is collected. Collection of sensitive information will be limited to that which is necessary for dealing with a complaint made to CCMC.
An example of where sensitive information may be collected and used, would be where a complainant complains about a bank’s actions in calling in a loan or closing an account. A complainant might, for example, provide details of health problems or imprisonment of the complainant or a family member, which impacted on the complainant’s ability to service the account. The purpose of providing the information would be presumably to ask the CCMC to review the bank’s actions in light of the Code and have regard to this and other information.
Similarly, when a claim of maladministration in lending is made, the mental and physical health and other personal circumstances of the complainant and others may be highly relevant to the question of whether the bank has acted appropriately.
Where a complainant provides sensitive information about him or herself to CCMC, consent to the collection and use of such information will be assumed.
Where a complainant or a bank provides sensitive information about another person, CCMC will ask the complainant or bank to seek the consent of the third party, if to do so would not compromise the health, safety or privacy of the complainant or another person.
Where a complainant advises CCMC that a medical practitioner, counsellor or similar can provide supporting information, CCMC will ask the complainant to seek and provide the information in writing.
In the absence of consent, the CCMC may collect and use sensitive personal information about an individual in order to investigate a legal and/or equitable claim made by or on behalf of a complainant against a bank. |
| |
| |
|
|
