The Australian Financial Crimes Exchange Limited (AFCX, we, us or our) operates as a not-for-profit company, and its shareholders are Australia and New Zealand Banking Group Limited, Commonwealth Bank of Australia, National Australia Bank Limited and Westpac Banking Corporation. We take your privacy seriously and will take reasonable steps to ensure the personal information we collect, use, hold or disclose is done so in accordance with the Privacy Act 1988 and the Australian Privacy Principles. This policy sets out how we manage personal information.
In addition to the Privacy Act and Privacy Principles, individuals located in the European Union (EU) may also have rights under EU-based rules known as the General Data Protection Regulation (GDPR). The GDPR has harmonised the data privacy laws of each individual EU country, giving additional rights to individuals located in the EU and more obligations to organisations holding their personal information.
What is personal information?
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not, and whether the information is recorded in a material form or not.
AFCX’s core function is to assist in the prevention, identification and investigation of, and response to, financial crime affecting our members, their customers and the Australian public. AFCX provides an information and intelligence sharing service that aims to:
- ensure governance, security and risk mitigation measures are applied to the sharing of financial crime data, including fraud and fraud-related information and intelligence;
- foster collaborative intelligence sharing to reduce financial fraud and cyber crime;
- facilitate more timely intelligence sharing with the introduction of real-time payments under the New Payments Platform program; and
- to provide greater protection to the Australian public by strengthening Australia’s stand on financial and cyber crime.
We maintain a database of financial crime, including fraud, scam and fraud-related information which, to the extent to which it is relevant to achieving our objectives, is accessible by participating organisations, being subscribers of the Company’s services.
What kinds of personal information we collect
Consistent with the provision of our services, the types of personal information we may collect and hold include an individual’s name, address, telephone number, date of birth, email address, credit card or account information, and transaction/event information and details.
If you require further information about the legitimate interest legal basis under the GDPR, please refer to www.ico.org.uk.
Why we collect your personal information
In accordance with our aim of assisting in the detection, prevention and investigation of financial crime, including fraud and/or cyber crime, we collect personal information directly from Australian-based companies and other parties and hold, use and disclose it in the provision of our services and for purposes connected to those services.
The purposes for which we collect, hold, use and disclose information include:
- the detection, prevention and investigation of financial crime including fraud and cybercrime;
- the provision and dissemination of information to and between third party members including Australian financial institutions, organisations and, in some circumstances, government enforcement agencies, law enforcement and authorities;
- conducting our business, for example providing services to our members; and for our internal administrative, research, planning, and product development.
Sometimes we may disclose your personal information to outside organisations who help us deliver or support the provision of our services, or who provide services similar to those provided by us. For example, our agents, contractors, contracted service providers and like-minded bodies.
We won’t use or disclose your personal information for any secondary purpose, unless:
- that secondary purpose is related to the primary purpose for which we collect that information and you would reasonably expect the disclosure in the circumstances; or
- you have given your consent.
How we collect and hold information
Typically, we collect and hold personal information which is provided to us by our members and other organisations and bodies. Ordinarily, we don’t collect information directly from individuals. If we deal directly with individuals, we will collect and hold personal information you provide us through our website, by email or over the phone. For example, when you send an email to us or give us information over the phone, we may retain this in order to respond to your inquiry and/or for the provision of our services for members. Personal information is held only for as long as the information remains relevant to the purpose for which it was collected.
How we make sure your personal information is protected
We take appropriate security measures to protect against unauthorised access to or unauthorised alteration of your personal information. These include IT security measures in respect of information held electronically and physical security measures for any hard copy personal information we hold.
Access and correction
We will take all reasonable steps to ensure any personal data we collect, use or disclose is up to date and accurate. If you believe personal information that we may hold about you is not up to date or accurate, you may ask us to correct it. You may ask us to provide you with details of the personal information we hold about you, and copies of that information.
Where relevant, you may have the following rights under the GDPR:
- right of access – the right to access the personal information that we hold or process about you;
- right to rectification – the right to update, correct or amend the personal information that we hold or process about you;
- right to erasure – the right to request removal of personal information that we hold about you;
- right to restrict – the right to request that further processing of your personal information is restricted;
- right to object – the right to object to your personal information being used for direct marketing purposes;
- right to data portability – the right to request a copy of your personal data in electronic format;
- right not to be subject to a decision made solely by automated processing. The AFCX uses automated processing, but it does not make decisions about individuals, including only on this basis.
We will respond to your request and, unless we are not required to do so under any relevant legislation, attempt to provide you with the data within 45 days of receipt of your request.
We may refuse any request you make under this Policy, but if we do provide you with copies of the information you have requested, we may charge you a reasonable fee to cover the administrative costs of providing you with that information.
Please direct all requests, including for access and correction to email@example.com. This policy will be maintained on the website and a copy in a particular format can be requested by contacting us at firstname.lastname@example.org.
We are unlikely to disclose personal information to overseas entities. However, if we do, it will be to fraud reporting agencies and entities that assist with the identification and prevention of financial crime and organisations established to identify, investigate and/or prevent any fraud, suspected fraud, crime, suspected crime or misconduct of a serious nature. We will take reasonable steps to ensure those overseas entities comply with the Australian Privacy Principles or equivalent privacy legislation in the relevant country.
Notifiable Data Breaches
From February 2018, the Privacy Act includes a new Notifiable Data Breaches (NDB) scheme which requires us to notify affected persons and the Office of the Australian Information Commissioner (OAIC) of any data breaches that is likely to result in serious harm to affected individuals. There are exceptions where notification is not required.
If we believe there has been a data breach that impacts your personal information and creates a likely risk of serious harm, we will notify you and/or the subscriber who provided your information to us and the OAIC as soon as practicable in accordance with our obligations. If you believe that any personal information that we hold about you has been impacted by a data breach, you may contact us at email@example.com.
Changes to this policy
If you consider a breach of the Australian Privacy laws or your rights in relation to privacy has occurred, please direct your complaint to firstname.lastname@example.org. We will respond within 30 days of receipt of your complaint and will attempt to resolve it. If you do not consider our response satisfactory, you may complain to the Office of the Australian Information Commissioner (OAIC). Information on how to make a complaint to the OAIC is available on its website: www.oaic.gov.au, or you may also call the OAIC Enquiries Line on 1300 363 992.
If the GDPR applies to you, the UK data protection authority is Information Commissioner’s Office Wycliffe House, Wilmslow, Cheshire SK9 5AF, UK (www.ico.org.uk). For other European jurisdictions, please refer to the European Commission website for details of the relevant data protection authority.