The company recognises the Office of the Australian Information Commissioner’s concerns that websites be easy to read, accessible and transparent, include appropriate privacy information and provide directions as to where to obtain further information. Confusing and irrelevant content is to be avoided.
The company recognises Clause 4.2 of the Credit Reporting Privacy Code , which provides an approved opportunity for credit provider and/or lessor disclosures of information, collected by way of a website and required under Sub- sections 21C(1) and (3)(a) of the Privacy Act 1988 as amended, to a credit reporting body. This for the various uses and attracting the various rights for the consumer and/or lessee, in accordance with Clause 4.1 (a) to (f) of the Credit Reporting Privacy Code.
These disclosures are included in the company’s Credit Information (Privacy) Management Policy (Tab 8), which is on the company’s website and the communications information content is listed in the Company’s Credit Reporting Data Management Policy (Tab 10) .
Consumer utilisation of website
From time to time, the company’s website may facilitate consumers completing credit and/or lease applications, questionnaires, forms and the like.
Collection and use of information
The company only collects information from potential and actual consumers which is reasonably necessary, directly or indirectly, for the conduct of the company’s credit provision activities.
Information from suspended and saved on -line applications
If the consumer suspend s or save s any online application, form, questionnaire or the like, the information the consumer has entered prior to that suspension and/or saving will be available to and retained by the company, as well as being available for the consumer to retrieve when the consumer resumes completing the online application or other activity. The company’s Credit Information (Privacy) Management Policy also applies to this information.
The company does not ask for, store, use or disclose sensitive information.
Information and third parties
From time to time, the company’s website may contain links to the websites of third party entities. If as consumer has accessed such a third party website, via the company ‘s website, the consumer may have provided information to that third party entity. If they have chosen to provide information, access to that information may also be provided to the company by that thir d party entity, subject to an agreement between the two companies to share the information.
When viewing the company’s website, or the third party company’s website, from time to time “cookies” and “web beacons” may be used to collect information. This information may include information concerning any or all of the following:
- the date and time of the consumer’s visit
- the consumer’s IP address
- what pages the consumer view ed
- the completion of the online application, form, or questionnaire
- marke ting campaign information
- the server the consumer’s computer is logged onto and
- the type of browser used by the consumer.
What happens to this information?
In accordance with the company’s Credit Information (Privacy) Management Policy, the company takes reasonable steps to keep the information obtained secure and to store, use and disclose such information only in accordance with that policy. This includes the above listed information and any information included on completed and submitted applications, forms, questionnaires and the like.
The above listed information will not be used for any third party company marketing, but the company may use the information to advise the consumer of continuing and new products and services, from time to time.
The above listed information is not provided to overseas based companies for any purpose other than possible storage and review of information, for the company’s purposes only.
The above listed information may be used to assist the company in providing the consumer with any service or product, at the time of a particular visit to the company’s website or thereafter, which may or may not be the service or product that initially prompted the consumer to visit the website .
Use of the information collected by the use of a cookie or web beacon.
- the allocation of a unique nu mber to the consumer’s internet browser
- the collection of statistics concerning visits to the company’s website and the pages viewed
- the customisation of the website to suit the consumer and/or particular potential customer groups
- to identify whether or not the consumer has accessed a third party company website via th is company ‘s website
- for security purposes and
- for the development and/or offering of the company’s products and services that appear relevant to the consumer.
From the Privacy Commissioner’s investigation reports, the company notes that website security is an ongoing obligation and that Australian Privacy Principle 11 applies to website security management . The Office of Australian Information Commissioner’s statement, on 6 March 2014, has been noted by the company, in that the company’s policy is to continue to take reasonable steps to protect information held in digital storage.
To that end, the company utilises ICT security measures relevant to the need to protect all Internet interactions. Security steps used by the company can include:
- ensuring the latest versions of security software are in use
- ensuring that web browsers, including “add- ons” or “plug -ins” are up to date
- ensuring that data is scanned before it is opened, to prevent the download of malicious content
- encryption of sensitive information
- filtering of web traffic to prevent harmful content from reaching users’ systems
- maintaining an intrusion detection system
- regularly analysing event logs
- penetrat ion testing to discover security weaknesses
- ensuring that personal information is only accessed by authorised people
- using multi -factor authentication to obtain access
- ensuri ng that personal or sensitive information, not intended for public release, is not stored on a public website
- disabling directory browsing when configuring web servers
- requiring strong passwords or pass phrases and
- locking user out after a specified number of failed log- ins.
While the company recognises that it may not be liable when a third party intentionally exploits the company’s reasonable security measures and gains unauthorised access, the company’s defence must be able to demonstrate that previous reasonable steps had been undertaken to prevent such a cyber attack.
The company’s policy is to review /update information security measures each day and to maintain information security measures that respond to the changing landscape.