Open Home Loan is committed to providing quality services to you and this policy outlines our ongoing obligations to you in respect of how we manage your Personal Information.
We have adopted the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (the Privacy Act). The NPPs govern the way in which we collect, use, disclose, store, secure and dispose of your Personal Information.
A copy of the Australian Privacy Principles may be obtained from the website of The Office of the Australian Information Commissioner at www.aoic.gov.au
Describes the data available for you to share, how to share your data, what we do with the data we collect, and how to make a complaint.
At a glance This policy describes what data will be available for you to share, how to share your Open Home Loan data, what we do with the data we collect, and how to make a complaint. To save a copy of this policy, use the print function of your browser. If you’d like a PDF copy, please email firstname.lastname@example.org. We will send this to you free of charge.
The Consumer Data Right (CDR) was introduced by the Federal Government to provide customers with rights to access specified data that relates to them (CDR data) held by organisations (data holders). It allows customers to authorise the sharing of CDR data to organisations accredited by the ACCC under the Consumer Data Right (accredited data recipients), as well as providers collecting CDR data from, or on behalf of, an accredited recipient. In this policy, both are referred to as an accredited data recipient.
• Where Open Home Loan holds CDR data about you, you can ask us to share that data with other accredited data recipients. In the policy, we refer to this data as your Open Home Loan CDR data.
• Where a third party holds CDR data about you, you can consent for us to collect your data from the third party, so we can provide you with a product, service or feature. In this policy, we refer to this data as your external CDR data.
CDR is jointly regulated by the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC). The legislative framework includes the Competition and Consumer Act 2010 and the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR legislation).
Sometimes we update our CDR policy. You can always find the most up-to-date version on our website, and you can ask us to send you a copy of the latest version.
Your Personal Information is stored in a manner that reasonably protects it from misuse and loss and from unauthorized access, modification or disclosure.
When your Personal Information is no longer needed for the purpose for which it was obtained, we will take reasonable steps to destroy or permanently de-identify your Personal Information. However, most of the Personal Information is or will be stored in client files which will be kept by us for a minimum of 7 years.
Your privacy and the security of your information is important to us. We protect your information and aim to be clear and open about what we do with it. We adhere to relevant security and privacy regulatory requirements, and maintain appropriate controls and capabilities to keep your information safe.
As a data holder under the CDR legislation, we are required to make available specific sets of data for sharing. Examples of the type of CDR data we may collect include customer information, product use information and information about a product, such as: •
Name, occupation and contact details
• Account balance and details of products you have with us
• Transaction details
• Direct debits and scheduled payments
• Saved payees
• Information about our products and services
A joint account is automatically enabled for data sharing. This means that any joint account holder is able to set up a data sharing arrangement with an accredited organisation without further approval. Without a data sharing arrangement in place, Open Home Loan will not share data from the joint account (even if it’s enabled for data sharing). Any account holder can stop sharing data from the joint account at any time. For accounts that are enabled, any account holder can disable the joint account from data sharing. When the account is disabled, an account holder won’t be able to set up new data sharing arrangements and any active data sharing arrangements will be paused. If the account is disabled and you want to re-enable it for data sharing, all account holders must agree and approve the request.
If you’d like to raise an issue or complaint, check out the How we deal with complaints section below.
So that we can deliver better products, services and features to you, we use services from third parties called “outsourced service providers” (OSPs). We only use OSPs who have entered into written agreements with us and who have data centres located in Australia. They are not permitted to share or sell any CDR data they collect. They will delete your CDR data (and any data that is derived from your CDR data) once your consent expires or you withdraw your consent (unless they’re legally required or permitted to keep it). Below is a list of our OSPs, including the sort of CDR data we disclose to them, the services they provide us and whether they are accredited:
• Yodlee is an accredited data recipient. We use Yodlee to help us collect CDR data from data holders and manage CDR consents. This means that with your permission, Yodlee may collect customer information, product use information and information about a product on our behalf. Yodlee deletes your CDR data when you stop sharing, and doesn’t use it for any other purpose.
• XAI (a service of Tic:Toc Enterprise) is not an accredited data recipient. We use XAI to help us categorise CDR data, so that we can verify and assess your financial position when you apply for an Open Home Loan product, including assessing your ability to service financial products. In providing these services, XAI may collect customer information, product use information, and information about a product on our behalf. XAI deletes your CDR data after Open Home Loan’s legally required retention period expires, and doesn’t use it for any other purpose.
• Biza is not an accredited data recipient. We use Biza to connect with CDR participants to share Open Home Loan CDR data. Biza may collect Open Home Loan customer information, product use information, and information about a product on our behalf in order to share it with your chosen recipient, and doesn’t use it for any other purpose. Biza doesn’t store any Open Home Loan CDR data and has no access to your CDR data when you stop sharing.
Open Home Loan is accredited by the ACCC under the CDR as a brand of CommBank. You can consent to share your external CDR data with us. You don’t have to share data with us, and we’ll always tell you the specific purpose we’re asking to collect and use your data when we ask for your consent. What data we collect and why Open Home Loan may collect, hold and use your data to assess your financial position for any loan applications you may submit and to facilitate funding your loan account if your application is successful. We may ask for you data, including account balances, transactions and details of products you have with other banks. This data may also be collected and held by another entity that holds it on our behalf (for example our outsourced service providers). Over time, we may introduce more services or features that use data from other organisations. If so, we’ll update this policy with the new information.
You can ask us to stop collecting and using your CDR data anytime in the Open Home Loan App by going to Settings and then Connected Banks. You can also do this on your data holder’s website or app. If you ask us to stop collecting and using your external CDR data, or if your consent expires, we’ll delete the data collected (and any data derived from it, including by our OSPs) generally within 24 hours, unless we’re legally required to keep it. Once the legal retention period expires, any CDR data will be destroyed completely. Remember, if you withdraw your consent, it will affect the service or feature we’ve offered you, as we won’t be able to use your external CDR data.
Open Home Loan does not collect or store your external CDR data directly – we do so using our OSPs. When our OSPs collect your external data, they encrypt it and store it securely in Australia, separate from other data. This ensures your data can only be used for the purpose for which you consented. We don’t share your external CDR data with other parties (including those based overseas). How to correct your external CDR data If any of your external CDR data is incorrect, contact your Open Home Loan lender or email us at email@example.com to investigate the issue.
Within 10 business days, we’ll let you know in writing whether we corrected your Open Home Loan CDR data or if we found it to be accurate, up to date, complete and not misleading. We may instead provide you with a notice of why we thought a correction was unnecessary or inappropriate. There are no fees for this service. You can view your latest external CDR data sharing details anytime in the Open Home Loan App by going to Settings and then Connected Banks. You can also do this on your data holder’s website or app. Whilst we do our part to keep your external CDR data up to date by collecting it regularly, we’re unable to control its accuracy. We’ll investigate your issue, but may refer you to the data holder so you can ask them to correct your data. Once they correct your data and make it available for us to collect, we’ll update it on our side, if your consent is still current.
• When you set up or stop data sharing, and when your data sharing agreement expires (where required).
• Every 90 days if you’re sharing your external CDR data with us.
• In the event of an eligible data breach affecting your CDR data under the Notifiable Data Breach Scheme in the Privacy Act 1988 (Cth).
• If you request we correct your CDR data.
• If our CDR accreditation is surrendered, suspended or revoked.
We want to make things right. If there’s a problem with how we handle your CDR data, it’s important we hear about it so we can make it right. You can tell us what’s wrong by emailing us at firstname.lastname@example.org. We will take your complaint seriously, work with you to address your complaint, and try to find a solution that’s fair and reasonable. Please tell us:
• Your name and your preferred contact details – though you can make an anonymous complaint if you would prefer.
• What your complaint is about, including the way we’ve handled your CDR data, what went wrong and what you’d like us to do.
• Any supporting documentation. What happens after you make a complaint 1. We’ll let you know we’ve received your complaint (generally by the next business day). 2. We’ll assess the information we have and investigate the issue. 3. We’ll work with you to find a fair outcome. The outcome will depend on the nature of the issue or complaint and could include provision of assistance and support or correction of data. 4. If we’re unable to do this within 30 days, we’ll tell you the reason for the delay, give you a data you can expect to hear an outcome, and continue to update you on our progress.
If you’re unhappy with the resolution You can lodge a dispute with the Australian Financial Complaints Authority (AFCA). They provide a fair and independent, free complaint resolution service:
Website: www.afca.org.au Email: email@example.com Phone: 1800 931 678 (free call) Address: GPO Box 3, Melbourne VIC 3001
If your complaint is about your privacy or how we handle your CDR data, you can also contact The Office of the Australian Information Commissioner: Website: www.oaic.gov.au Phone: 1300 363 992 Address: GPO Box 5218, Sydney NSW 2001
We’re here to help. If you have any queries or complaints, please contact us at:Address: 180 Flinders St. Melbourne VIC 3000
Copyright © Open Home Loan 2023