The type of personal information we collect and hold
Personal information is information or an opinion about an identified individual or an individual who is reasonably identifiable. It includes sensitive information. We will ask for a broad range of personal information which is necessary for our functions or activities.
We will generally ask for the following types of personal information:
- Name, address and contact details;
- Date of birth;
- Gender; and/or
- Employment information
- Marital status/family details or circumstance;
- Tax file number
We may also collect sensitive information such as information or opinion about your:
- Racial or ethnic origin;
- Membership of a political, professional or trade association (or union)
- Religious beliefs or affiliations; and/or
- Criminal history
If we are not able to collect personal information about you we may not be able to provide you with the products, services or assistance you require. The collection, use or disclosure of your personal information is needed to provide these.
Ways we collect your personal information
We collect your personal information:
Directly from you;
- By using written forms;
- Through contact over the telephone, mobile or other messaging technology;
- Via the internet, including websites and social media and/or
- In person to person contact
- From publicly available sources of information; and/or
- From other persons or organisations (including related and third parties)
We will collect your personal information during the information life cycle, on an adhoc or a recurrent basis using the above methods. For example, we will collect personal information when you acquire a product or service from us, when you make changes to that product, when you make a claim or exercise a right under the product or service or when you need to complain.
Collection of personal information
We collect your personal information so we can:
- Identify you and conduct appropriate checks;
- Understand your requirements and provide you with a product or service;
- Manage, train and develop our employees and representatives;
- Manage complaints and disputes, and report to dispute resolution bodies; and
- Get a better understanding of you, your needs, your behaviours and how you interact with us, so we can engage in product and service research, development and business strategy including managing the delivery of our services and products via the ways we communicate with you.
Sometimes we are required to collect your personal information to satisfy specific legal obligations.
Use and disclosure
We use and disclose your personal information for the purposes we collected it. Please refer to “Collection of personal information” section to understand what these purposes may be.
We will use and disclose your personal information for a secondary purpose related to a purpose for which we collected it, where you would reasonably expect us to use or disclose your personal information for that secondary purpose. In the case of sensitive information, any secondary use or disclosure will be directly related to the purpose of collection.
There will be other instances when we may use and disclose your personal information including where:
- You have expressly or impliedly consented to the use or disclosure;
- We reasonably believe that the use or disclosure is reasonably necessary for an enforcement activity conducted by or on behalf of an enforcement body; or
- We are required or authorised by law to disclose your personal information, for example, to a court in response to a subpoena, or the Australian Taxation Office, Centrelink, and the Australian Transaction Reports and Analysis Centre (AUSTRAC)
We will send your personal information overseas and collect personal information from overseas. Instances when we will do this include:
- When you have asked us to do so or we have your consent;
- When we are authorised or required by law or a court/tribunal to do so;
- When we have outsourced a business activity or function to an overseas service provider; and
- Certain electronic transactions.
We will disclose personal information overseas but only to the extent it is necessary to perform our functions or activities. In order to engage in our business activities and functions we will disclose your personal information to and collect your personal information from people and organisations (‘parties’) in a number of countries.
Parties to whom we disclose and collect your personal information
As detailed in the “Ways we collect your personal information” section there are a range of parties to whom we disclose your personal information and collect personal information from – that are not you. These may be parties related to Capital S.M.A.R.T or third parties.
Some examples of the parties to whom we may disclose your personal information to and collect personal information from are:
- customer, product, business or strategic research and development organisations
- a third party with whom we have contracted to provide financial services/product, administrative or other business services – for examples
- information technology providers
- administration or business management services, consultancy firms, auditors and business management consultants;
- marketing agencies and other marketing service providers
- print/mail/digital service providers; and
- imaging and document management services
- data warehouses, strategic learning organisations, data partners, analytic consultants;
- social media and other virtual communities and networks where people create, share or exchange information;
- publicly available sources of information;
- clubs, associations, member loyalty or reward program providers and other industry relevant organisations;
- any intermediaries, including your agent, advisor, a broker, a representative or person acting on your behalf, other Australian Financial Services Licensees or our representatives, advisers and our agents;
- a third party claimant or witnesses in a claim;
- accounting or financial professionals and advisers;
- an employee, trustee or custodian associated with membership of a superannuation fund, investment/managed fund or life insurance policy;
- government, statutory or regulatory bodies and enforcement bodies;
- policy or product holders or others who are authorised or noted on the policy as having a legal interesting, including where you are an insured person but not the policy or product holder;
- in the case of a relationship with a corporate partner such as a bank or a credit union, the corporate partner and any new incoming insurer;
- The Australian Financial Complaints Authority or any other external dispute resolution body;
- Insurers, insurance investigators and claims or insurance reference services, loss assessors;
- Credit reporting agencies
- Legal and any other professional advisers or consultants;
- Hospitals, medical/health or wellbeing professionals;
- Debt collection agencies, your guarantors, organisations involved in valuing, surveying or registering a security property, or which otherwise have an interest in such property, purchases of a debt portfolios; and
- any other organisation or person where you have asked them to provide your personal information to us or asked us to obtain personal information from them, (e.g. your parent)
Security of your personal information
We hold your personal information in:
- Computer systems;
- Electronic databases;
- Digital records; and
- In hard copy or paper files
These storage mechanisms may be managed in a number of ways. They may be managed or administered internally by Capital S.M.A.R.T or they could be managed by a third party storage provider with whom Capital S.M.A.R.T has a contractual relationship and be either managed locally and/or overseas.
We will take all reasonable steps to protect your personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure. The ways we do this include:
- Limiting physical access to our premises;
- Restricting electronic and physical access to personal information we hold;
- Having in place stand-by-systems and information backups to deal with major business interruptions;
- Maintaining technology security products;
- Requiring any third-party providers to have acceptable security measures to keep your personal information secure; and
- Destroying or de-identifying personal information pursuant to the law and our record retention policies.
We maintain industry standard technology and procedures in respect of our information management and provision of online services. Capital S.M.A.R.T has an ongoing program of review and enhancement of its security measures. The reviews and updates address such matters as security and information management policies, processes and procedures, and technology reviews such as software, virus protection and fire wall settings. Capital S.M.A.R.T’s systems and information technology infrastructure are regularly audited both by internal and external experts and regulatory bodies as required.
Email transmissions to Capital S.M.A.R.T are not necessarily secure. If you have any concern about the security of the contents of your email or any other transaction over the internet, then you should consider contacting us by other means.
Capital S.M.A.R.T trains its employees and representatives in their privacy obligations, applies confidentiality obligations and provides authorised persons with user identifiers, passwords or other access codes to control access to your personal information.
Our websites rely on “cookies” to provide a number of services to you. A cookie is a piece of data that a website sends to your browser and which is then stored on your computer or other internet enabled device. Cookies are generally one of two types, a session cookie or a persistent cookie. A session cookie is a temporary cookie that is placed on the device and remains until you leave one of our websites. A persistent cookie will remain on your device for a period of time or duration specified in the cookie despite you leaving our websites.
Anonymity and pseudonymity
The Australian privacy regime provides the option of not identifying yourself, or of using a pseudonym unless we are required or authorised by law or a court/tribunal to identify you, or it is impracticable to deal with your anonymously or by a pseudonym.
Access and correction of personal information
You have the right to request access to personal information we hold about you. We are able to deny access to some or all of your personal information in specified circumstances. We will provide reasons for any refusal in writing.
If you would like to request access to the personal information we hold about you please contact us by using the relevant Access or Correction contact in Capital S.M.A.RT as we may be able to provide you this information within our normal business processes. If not, the staff member will be able to commence the privacy access request process for you which may require you to complete a privacy access request form. These requests may incur a fee and you will be advised of an estimated fee and the payment options at the time of written acknowledgement. This is usually provided to you within 5 business days.
Our response to your request will usually be completed within 30 days of the request. If we require further time we will contact you in writing to advise of this and provide our reasons for the further time that is required.
We rely on the accuracy of the personal information we hold about to provide our products and services to you. You have the right to request us to correct ay inaccurate, out-of-date, incomplete, irrelevant or misleading personal information. We will take such steps that are reasonable in
circumstances with regard to the purpose for which your personal information is held to make a correction. We may refuse to correct your personal information and will provide reasons for refusal in writing. If we refuse to correct your personal information you have the right to associate with the information a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading. We will take such steps that are reasonable in the circumstances to associate that statement with all records containing the relevant information.
If you have a complaint about how we collect, hold, use or disclose your personal information or a privacy related issue such as refusal to provide access or correction, please use our complaints process so that we can help. It is important to follow the complaint handling process in order to resolve your complaint effectively and efficiently.
Step 1 – Let us know
If you would like to make a complaint, please let us know by contacting the relevant department as they may be able to resolve the complaint for you. If not, the staff member will refer you to a Manager or their delegate and they will attempt to resolve the complaint. A response is usually provided to you within 5 business days.
Step 2 – Seek review by an external service
If any issue has not been resolved to your satisfaction, you can lodge a complaint with the Office of the Australian Information Commissioner.
Complaints must be made in writing
Office of the Australian
GPO Box 5218
Sydney NSW 2001
T: 1300 363 992
Changes and getting a copy of the Policy