Privacy Policy

Purpose

Angle Finance is committed to safeguarding the privacy of customers, guarantors, directors, contractors, employees and website visitors. This Privacy Policy:

  • supports compliance with the Privacy Act 1988 (Cth) (including the Australian Privacy Principles) and the Notifiable Data Breaches (NDB) scheme;
  • supports compliance with credit reporting obligations under Part IIIA and the Credit Reporting Privacy Code; and
  • provides practical guidance for staff who collect, use, disclose, store or access personal information.

This policy must be read with Angle Finance’s information security policies, data breach response plan, record retention requirements, and procedures issued by Risk/Compliance.

Privacy Officer: Sarah-Jane Loriot (or current appointee)
Contact: enquiries@anglefinance.com.au

Scope

This policy applies to all Angle Finance personnel, including employees, contractors and consultants, and covers personal information handled in any format (electronic, paper, audio recordings, images).

Key definitions

Personal Information has the meaning in the Privacy Act.

Credit-related personal information / Credit Information has the meaning in Part IIIA of the Privacy Act and includes credit reports and repayment history information.

Sensitive Information has the meaning in the Privacy Act.

Roles and responsibilities

  • All staff must handle personal information in accordance with this policy and report incidents immediately.
  • Privacy Officer oversees privacy compliance, training, incident management and responses to access/correction/complaints.
  • Business owners must ensure vendors are onboarded with appropriate contracts and controls prior to access to personal information.

What personal information we handle

Angle Finance may handle personal information including:

  • identity and contact details;
  • copies/images of identity documents (e.g., driver licence, passport, Medicare card) and associated data;
  • financial and employment information relevant to finance assessment and administration;
  • identity verification results, including DVS outcomes obtained via information match service providers (e.g., Equifax, GreenID or successors);
  • fraud and risk indicators; and
  • credit-related personal information, including credit reports and repayment history information.

Staff must apply heightened care to high-risk information, particularly identification documents and credit reports.

Collection principles (APP 3 and APP 5)

We must only collect personal information where:

  • it is reasonably necessary for Angle Finance’s functions/activities, or required/authorised by law (including AML/CTF obligations);
  • it is collected by lawful and fair means; and
  • an appropriate APP 5 Collection Notice is provided at or before collection, or as soon as practicable.

Collection notices:

Where collection occurs outside the online portal (e.g., phone calls, follow-ups, dealer interactions), staff must ensure the individual has been given an appropriate collection notice or must seek guidance from the Privacy Officer. Third parties collecting on our behalf must be contractually required to provide a compliant notice.

Use and disclosure principles (APP 6)

Personal information must be used/disclosed only:

  • for the purpose for which it was collected; or
  • for a related secondary purpose the individual would reasonably expect (or with consent); or
  • as required/authorised by law.

If you propose a new use or disclosure (including analytics, new vendors, new offshore access, or new marketing campaigns), contact the Privacy Officer before proceeding.

AML/CTF and identity verification (including DVS)

Angle Finance collects and verifies identity information to comply with the AML/CTF Act and Rules and to support fraud detection, prevention and investigation.

DVS use:

Where DVS is used (via Equifax, GreenID or successors), staff must ensure:

  • information submitted is limited to what is required for the check;
  • DVS is used only for legitimate business purposes (identity verification / fraud prevention / compliance);
  • outputs are stored in approved systems only; and
  • access is restricted to staff with a business need.

We are required to comply with the DVS Access Policy, and staff must ensure that they understand the DVS Access Policy before using the DVS. Any breaches relating to our connection to and/or use of the DVS must be reported to the Privacy Officer. The Privacy Officer is responsible for notifying the OAIC of any breaches.

Fraud monitoring and retention of identification documents

Angle Finance retains copies/images of identification documents and identity verification outcomes as they directly support ongoing fraud monitoring, prevention and investigation, dispute management and enforcement.

Baseline retention:

Unless otherwise directed by Legal/Risk/Compliance, retain relevant customer/guarantor application and identity records for:

  • the life of the loan (or relevant relationship) plus 7 years, subject to legal requirements, fraud risk considerations and applicable limitation periods.

Staff must not delete or destroy records outside approved retention/destruction processes.

Credit reporting (Part IIIA / CR Code)

Credit-related personal information is subject to heightened handling obligations.

If you handle or access credit reports, repayment history information, default information or serious credit infringement information, you must:

  • access only on a need-to-know basis;
  • store only in approved secure systems;
  • disclose only as permitted by Part IIIA/CR Code and approved procedures; and
  • refer uncertainties to the Privacy Officer.

Automated decisions

We may in some instances use a computer program to make a decision relating to providing credit. The kinds of personal information used in the operation of such computer programs may include:

  • identity and contact details;
  • copies/images of identity documents (e.g., driver licence, passport, Medicare card) and associated data;
  • financial and employment information relevant to finance assessment and administration;
  • identity verification results, including DVS outcomes obtained via information match service providers (e.g., Equifax, GreenID or successors);
  • fraud and risk indicators; and
  • credit-related personal information, including credit reports and repayment history information.

Overseas access and disclosure (APP 8)

Overseas access/disclosure can occur through vendors and operational support functions (including in the Philippines).

No overseas disclosure or overseas access by a new vendor may occur unless:

  • a contract is in place with appropriate privacy and security obligations; and
  • Risk/Compliance and the Privacy Officer have approved the arrangement, including assessment of required “reasonable steps” under APP 8.

Security controls (APP 11)

Angle Finance must take reasonable steps to protect personal information from misuse, interference and loss, and unauthorised access, modification or disclosure, including:

  • role-based access controls and least privilege;
  • secure storage and encryption where appropriate;
  • secure transmission methods;
  • logging/monitoring for systems holding identity documents and credit reports;
  • secure disposal processes for paper records; and
  • vendor due diligence and contractual controls.

Staff must immediately notify the Privacy Officer if they become aware of any suspected or actual unauthorised access, disclosure, loss or misuse.

Notifiable Data Breaches (NDB) scheme

Angle Finance must assess suspected incidents promptly to determine whether an eligible data breach has occurred and whether the OAIC and affected individuals must be notified.

Staff must:

  • report suspected incidents immediately to the Privacy Officer (and IT Security where applicable); and
  • not contact the OAIC or affected individuals unless directed by the Privacy Officer or General Counsel.

Access and correction requests (APP 12 and APP 13)

All access/correction requests must be referred to the Privacy Officer. Staff must not release personal information externally without authorisation from the Privacy Officer or General Counsel.

Privacy complaints

All privacy complaints must be referred to the Privacy Officer and managed under the internal dispute resolution process. Staff must not respond substantively unless authorised.

Training, review and compliance

Staff must complete required privacy training and comply with this policy. Breaches may result in disciplinary action and/or contractual consequences.

This policy will be reviewed periodically and updated as required.