When you trust us with your personal information, you expect us to protect it and keep it safe
About the Westpac Group
The privacy and security of your personal information is important to us. Earning and maintaining your trust by carefully and respectfully managing your personal information is fundamental to the way we do business.
Westpac Banking Corporation and its related bodies corporate in Australia and overseas (the ‘Westpac Group’) are committed to protecting your privacy.
All of the Westpac Group’s Australian businesses are bound by the Privacy Act 1988 (Cth) (‘Privacy Act’) and must protect your personal information according to that Act and other applicable laws, such as the Spam Act 2007 (Cth) (‘Privacy Laws’). The Westpac Group’s Australian businesses include the Westpac Banking Corporation, Altitude Rewards, Qvalent, Westpac General Insurance Limited, Westpac Lenders Mortgage Insurance Limited, Westpac Life Insurance Services Limited, Westpac Securities Administration Limited and XYLO.
In this policy, “we”, “us” and “our” means all of the Westpac Group’s Australian businesses.
For our customers located in the European Union
From 25 May 2018, the General Data Protection Regulation (GDPR) regulates the processing of personal information under European Union (EU) law. The GDPR aims to protect the information relating to individuals in the EU and harmonise data protection laws across EU Member States.
Our collection, use, disclosure and processing of your personal information is regulated by the GDPR if:
- you interact with our Westpac UK branch;
- we offer products or services to you whilst you are located in the EU; or
- we monitor your behaviour whilst you are located in the EU.
About this policy and your privacy
This policy explains how we can collect, use, hold and disclose your personal information, as well as how we ensure the quality, integrity and security of your personal information under applicable Privacy Laws.
The personal information that we collect about you will depend on the products or services that you apply for, or enquire about. If you do not allow us to collect all of the personal information we reasonably request, we may not be able to deliver those products or services to you.
Throughout the life of your product or service, we may also collect and hold additional personal information about you. This could include transaction information or making a record of queries or complaints you make and, if you make an insurance claim, collecting additional information to assess the claim.
Our collection of ‘sensitive information’, a special type of personal information under Privacy Laws, is further restricted to circumstances where we have obtained your express consent and to certain other permitted situations.
Generally, we only collect this sort of information if it is reasonably necessary to provide you with a specific product or service and you expressly consent to our collection. For example, we may collect health information about you to process a claim under an insurance policy or to assess certain claims, including hardship, or we may collect voice biometric information to verify your identity or authorise transactions.
We collect most personal information directly from you whether in person, on the phone or electronically, for example when you interact with a Westpac Group company to:
- apply for, register your interest in, or enquire about a product or service;
- provide us with feedback or make a complaint;
- visit our websites, online banking services or use our mobile or tablet applications; and
- talk to us, or do business with us.
From time to time we collect personal information about you from third parties or organisations. This may arise in circumstances where you have given your consent to do so or where we notify you in our Privacy Notices or Collection Statements, such as when you apply for credit, an insurance product or make an insurance claim. For example, we may collect personal information about you from:
- Westpac Group companies;
- publicly available sources of information, such as public registers;
- your representatives (including your legal adviser, mortgage broker, financial adviser, executor, administrator, guardian, trustee, or attorney);
- your employer (for example, where you become a member of a superannuation fund that is issued by a company (Trustee) within the Westpac Group, we may disclose information we hold about you to the Trustee and/or the Trustee may disclose information it holds about you to your employer, to help them manage the employer plan);
- other organisations, who jointly with us, provide products or services to you or with whom we partner to provide products or services to you;
- service providers, such as companies that provide fraud prevention reports;
- insurers, re-insurers and health care providers; and
- credit reporting bodies.
We may collect information from you electronically, for instance through internet browsing on our websites, online banking services, mobile or tablet applications.
Each time you visit our websites, we may collect information about you which may include personal information (such personal information will be de-identified) and may include the following:
- the date and time of visits;
- the pages viewed and your browsing behaviour;
- how you navigate through the site and interact with pages (including fields completed in forms and applications completed);
- general location information;
- information about the device used to visit our website (including your tablet or mobile device) such as device IDs; and
- IP addresses. Your IP Address is a number that is automatically assigned to the device that you are using by your Internet Service Provider (ISP).
We collect information using cookies when you use our websites, online banking services, mobile or tablet applications. Cookies are small pieces of information stored on your hard drive or in memory. One of the reasons for using cookies is to offer you increased security. They can also record information about your visit to our websites, allowing us to remember you the next time you visit and provide a more meaningful experience.
We may also collect information from third party websites, applications or platforms containing our interactive content or that interface with our own websites and applications.
We may collect personal information about you from social media platforms if you publicly comment but we will never ask you to supply personal information publicly over Facebook, Twitter or any other social media platform that we use. Sometimes we may invite you to send your details to us via private messaging, for example, to answer a question about your account. You may also be invited to share your personal information through secure channels to participate in other activities, such as on-line competitions.
The main reason we collect, use, hold and disclose personal information is to provide you with products and services (including where applicable, third party products and services) and to help us run our business. This includes:
- checking whether you are eligible for the product or service;
- assisting you where online applications are not completed;
- providing the product or service;
- helping manage the product or service;
- helping us develop insights and conduct data analysis to improve the delivery of products, services, enhance our customer relationships and to effectively manage risks; and
- understanding your interests and preferences so we can tailor digital content.
We may use or disclose your information to comply with our legislative or regulatory requirements in any jurisdiction and to prevent fraud, criminal or other activity that may cause you, us or others harm including in relation to products or services.
We are required or authorised to collect:
- certain identification information about you by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1);
- your Tax File Number, if you choose to provide it, by the Income Tax Assessment Act 1936 (Cth);
- if you have applied for credit or provide a guarantee, certain information about your financial position under the National Consumer Credit Protection Act 2009 (Cth), and if you give us a mortgage security, certain identification information under property laws in some states and territories; and
- certain information in relation to your application if you have applied for insurance, as required by the Insurance Contracts Act 1984 (Cth).
Much of the information we hold about you will be stored electronically. We store some of your information in secure data centres that are located in Australia. We also store information in other Westpac Group secure data centres or the data centres of our contracted service providers (including cloud storage providers), and some of these data centres may be located outside Australia. Some information we hold about you will be stored in paper files.
We use a range of physical, electronic and other security measures to protect the security, confidentiality and integrity of the personal information we hold both in Australia and overseas. For example:
- access to our information systems is controlled through identity and access management controls;
- employees and our contracted service providers are bound by internal information security policies and are required to keep information secure;
- all employees are required to complete training about privacy and information security; and
- we regularly monitor and review our compliance with internal policies and industry best practice.
Unfortunately, no data transmission over the Internet or data storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you have with us has been compromised), please immediately contact us (see Contact Us below).
We may share your personal information with companies within the Westpac Group.
We may also provide personal information about individuals to organisations outside the Westpac Group who help deliver or support the provision of products and services to you. To protect personal information, we enter into contracts with our service providers and other third parties that require them to comply with applicable Privacy Laws and certain Westpac policies and standards relating to data protection and information security. These contracts, amongst other things, require our service providers to only use the personal information we disclose to them for the specific role we ask them to perform.
Generally, we use contracted service providers to help us in our business activities. For example, they may help us provide you with products and services, deliver technology or other support for our business systems, refer us to new customers, or assist us with marketing and data analysis. These organisations may include:
- our agents, contractors and contracted service providers (for example, mailing houses, technology service providers and cloud storage providers);
- authorised representatives and credit representatives who sell or arrange products and services on our behalf;
- insurers, re-insurers and health care providers;
- payment systems operators (for example, merchants receiving card payments);
- other organisations, who jointly with us, provide products or services to you, or with whom we partner to provide products and services to you;
- other financial services organisations, including banks, superannuation funds, stockbrokers, custodians, fund managers and contracted service providers;
- debt collectors;
- professional advisors such as our financial advisers, legal advisers and auditors;
- your representatives (including your legal adviser, accountant, mortgage broker, financial adviser, executor, administrator, guardian, trustee, or attorney);
- fraud bureaus or other organisations to identify, investigate or prevent fraud or other misconduct;
- external dispute resolution schemes;
- regulatory bodies, government agencies and law enforcement bodies in any jurisdiction; and
- credit reporting bodies.
We may also disclose your personal information to others outside the Westpac Group where:
- we are required or authorised by law or where we have a public duty to do so;
- you may have expressly consented to the disclosure or your consent may be reasonably inferred from the circumstances; or
- we are otherwise permitted to disclose the information under applicable Privacy Laws.
We may disclose your personal information to a recipient located outside Australia. This may include the following:
- Westpac Group companies located in China, Hong Kong, India, Singapore, New Zealand, UK, United States, Fiji and Papua New Guinea;
- our contracted service providers operating overseas, which are likely to be located in New Zealand, United States, India, the Philippines, UK, Malaysia and Brazil;
- organisations operating overseas with whom we partner to provide goods and services to you and who are likely to be located in the United States; and
- for international transactions, such as currency exchanges, we may need to disclose your information to the corresponding international party in order to process the transaction. The countries we disclose your information to will depend on the details of the transaction you ask us to carry out.
When we do disclose and/or store personal information overseas, we protect that information using the security measures set out above and require overseas recipients to do the same (see How do we hold personal information).
As a trusted service provider we ensure that our data protection and information security controls applying to your personal information in Australia continue to apply in the hands of our affiliates or contracted service providers located overseas.
We may use your personal information to directly offer you products and services we believe may be of interest and value to you but we will not do so if you tell us not to. These products and services may be offered by a member of the Westpac Group or one of its preferred suppliers. We may offer you products and services by various means, including by mail, telephone, email, SMS or other electronic means, such as through social media or targeted advertising through Westpac Group or non-Westpac Group websites or through our online banking service.
When we market products and services to you, we will comply with applicable Privacy Laws to obtain your consent if required.
We may also disclose your personal information to companies outside the Westpac Group who assist us to market products and services to you (see Who do we disclose your information to, and why?). If you do not want to receive direct marketing offers from us or our affiliates or service providers, please contact us using the contact details or opt-out facility provided to you.
Access to and correction of personal information
You can request access to the personal information we hold about you. You can also ask for corrections to be made. To do so, please contact us.
There is no fee for requesting that your personal information is corrected or for us to make corrections. In some limited circumstances, there may be a reasonable charge for giving you access to your personal information. This charge covers such things as locating the information and supplying it to you.
Under Privacy Laws your right to receive access to your personal information, or make corrections to it, is not absolute and exceptions exist. For example, we are not required to give you access to your personal information where giving you access would pose a serious threat to any person’s life, health or safety, or to public health or safety, where giving access would be unlawful, where giving access would have an unreasonable impact on other people’s privacy or where we reasonably conclude your request is frivolous or vexatious.
If we refuse to give you access to or to correct your personal information, we will give you a notice explaining our reasons except where it would be unreasonable to do so. If we refuse your request to correct your personal information, you also have the right to request that a statement be associated with your personal information noting that you disagree with its accuracy.
If we refuse your request to access or correct your personal information, we will also provide you with information on how you can complain about the refusal.
Notifiable Data Breaches
From February 2018, the Privacy Act includes a new Notifiable Data Breaches (NDB) scheme which requires us to notify you and the Office of the Australian Information Commissioner (OAIC) of certain data breaches and recommend steps you can take to limit the impacts of a breach (for example, a password change).
The NDB scheme requires us to notify about a data breach that is likely to result in serious harm to affected individuals. There are exceptions where notification is not required. For example, where we have already taken appropriate remedial action that removes the risk of serious harm to any individuals.
If we believe there has been a data breach that impacts your personal information and creates a likely risk of serious harm, we will notify you and the OAIC as soon as practicable and keep in close contact with you about the nature of the breach, the steps we are taking and what you can do to reduce the impacts to your privacy.
If you believe that any personal information we hold about you has been impacted by a data breach, you can contact us using the contact details below.
Resolving your privacy concerns and complaints – your rights
If you have a question or complaint about how your personal information is being handled by us, our affiliates or contracted service providers, please contact us first by using the contact details provided below.
We will acknowledge your complaint as soon as we can after receipt of your complaint. We will let you know if we need any further information from you to resolve your complaint.
We aim to resolve complaints as quickly as possible. We strive to resolve complaints within five (5) business days but some complaints may take longer to resolve. If your complaint is taking longer, we will let you know what is happening and a date by which you can reasonably expect a response.
If you are unhappy with our response, you can contact our Westpac Group Customer Advocate who can conduct an independent review of your matter. Our Customer Advocate can be contacted at firstname.lastname@example.org.
Raising your issue with our Customer Advocate does not preclude you from raising your issue at any time with external disputes schemes or relevant regulators whose details are set out below.
Under the Privacy Act you may complain to the Office of the Australian Information Commissioner (OAIC) about the way we handle your personal information. Please note the OAIC requires that any complaint first be made to the respondent organisation. The law also allows 30 days for the respondent organisation to deal with the complaint before a person may make a complaint to the OAIC.
The Commissioner can be contacted at:
The Financial Ombudsman Service (FOS) and Australian Financial Complaints Authority can consider certain privacy complaints relating to either the provision of credit or credit reporting information in general.
- Financial Ombudsman Service Australia if lodged before 1 November 2018:
- Australian Financial Complaints Authority if lodged on or after 1 November 2018:
You can contact us in the following ways:
- over the phone on 1300 130 467 – call centres are open 8am – 8pm, 7 days a week from anywhere in Australia;
- in person – at any branch;
- online at westpac.com.au – using our secure feedback form to provide feedback, share your suggestions, provide a complaint or compliment; or
- write to us – at Reply Paid 5265, Sydney NSW 2001.
XYLO customers can contact us by:
- calling 1300 XYLO FX (1300 995 639);
- emailing customercare@XYLO.com.au; or
- visiting our website xylo.com.au.
Note to our shareholders
Summary of Important Recent Changes to this policy
| Section | Summary of Important Recent Changes |
|---|---|
| For our customers located in the European Union | Inclusion of how we manage personal information that we do not request directly or indirectly |
| Personal information about third parties | Inclusion of how we manage personal information that we do not request directly or indirectly |
| For what purposes do we collect, hold, use and disclose personal information? | Inclusion of further purposes for which we collect, hold, use and disclose information and how we may de-identify personal information which we have collected |
| How do we hold and protect your personal information? | Inclusion of how we hold and protect personal information |
| Who do we disclose your personal information to, and why? | Inclusion of other parties to whom we disclose personal information, and why |
| Do we disclose personal information overseas? | Update to recipients located outside Australia that we may disclose personal information to |
| Notifiable Data Breaches | Inclusion of new Notifiable Data Breaches (NDB) scheme |
| Resolving your privacy concerns and complaints - your rights | Update of information with respect to resolving your privacy concerns and complaints |