Call your BDM or a
Bluestone specialist on
additional information on our approach to the collection, handling and disclosure of information obtained
from credit reporting bodies (CRBs) and certain other consumer credit-related personal information.
For the purposes of this policy, “Bluestone”, “we”, “our”
or “us” means Bluestone Group Pty Limited (ACN 091 201 357), Bluestone Servicing Pty Limited (ACN 122 698 328) and any related bodies corporate.
We understand how important it is to protect our customers’ personal information. It is important to us that you are confident that any personal information
we collect from you or received by us will be treated with appropriate respect. This document sets out our privacy commitment to our customers (referred to as “you”)
Any personal information we collect about you will only be used for the purposes indicated in this Policy or as allowed under the law. Our commitment in respect of personal information is to abide by the APPs for the protection of personal information, as set out in the Privacy Act and any other relevant law. The APPs regulate the way in which organisations like us can collect, use, keep secure and disclose your personal information.
When we refer to personal information, we mean information or an opinion that can reasonably identify you, whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.
Credit information is a sub-set of personal information and is information that is used to assess your eligibility to be provided with finance. It may include any finance that you have outstanding, your repayment history in respect of those loans, and any defaults. Usually, credit information is exchanged between credit and finance providers and CRBs. When we refer to credit reporting information, we mean credit information or information derived by a CRB. When we refer to credit eligibility information, we mean credit information we obtain about you from a CRB or that we derive from that information. These terms may be confusing but they are as defined by the Privacy Act. See more on “credit eligibility information” below.
We may collect personal information in a number of different situations, including when you:
Where it is reasonable and practical we will only collect your personal information from you directly. We may also collect information about you from third parties including referrers (e.g. brokers and mortgage originators) and contractors who supply services to us. As authorised by you, we may also collect personal
information from a publicly maintained record or from other individuals or companies.
We may collect (as well as use, hold and disclose) personal information about you for these purposes (Primary Purpose):
transaction, and to create assessments and ratings of your creditworthiness (such as a credit score);
or an organisation Bluestone is affiliated with or represents (including consumer credit insurance);
We may also collect (and use) your personal information for the purpose of establishing a customer loyalty program.
If you do not want to provide us with your personal information, we may not be able to arrange or provide credit to you or provide other services. We also may not be able to verify your identity or protect against fraud.
Your IP address is used to identify your computer whenever you use the internet. We may need to collect your IP address so you can interact with various parts of our websites.
We may use remarketing tools like Google AdWords. These tools are used to tailor our marketing, for example by only displaying advertisements that are relevant to you or that better suit your needs.
When you visit our website after seeing one of our advertisements on a third party site, the advertising company may collect information on how you use our website. This may include whether you start or complete our enquiry form, and which website pages you view.
We keep the information you provide when you send us a completed online enquiry. We will then be able to use that information to provide you with our services as required.
We abide by the 13 APPs as outlined below:
Our ongoing practices and policies are documented in this Policy to enable us to manage your personal
information in an open and transparent way. This Policy contains specific information, including the kinds of personal information we collect, how you may complain about a breach of the APPs, and whether we are likely to disclose information to overseas recipients. We will provide you with a copy of this Policy free of charge at any time if one is requested.
If it is ever practicable to do so, we will provide you with the option not to identify yourself or to use a pseudonym (a fake name) when dealing with us. However, given the nature of our services, other laws that regulate banking and financial services (including Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/ CTF Act)) and our contractual obligations to third parties, these options are mostly not available to you.
As explained above, we collect personal information from you for the Primary Purpose.
Examples of personal information we collect for the Primary Purpose includes the following:
Unless it is unreasonable or impracticable to do so, we will only collect your personal information directly from you during the course of our business relationship. We will only do so by lawful and fair means. If you contact us (for example, through our website), we may keep a record of that contact and information you provided during that contact.
Occasionally, we may collect personal information about you from other sources including public sources, referring parties and information brokers. For example, we may collect such information from a CRB or referring party during the process of assisting you in securing financial arrangements. This could be from public registers (when checking the security you are offering), from your employer (to confirm details of your employment), or from your landlord (to confirm details of your residence and rental payment).
Some of the personal information we collect from or about you is collected to meet our obligations under the National Consumer Credit Protection Act 2009 (Cth) and the AML/ CTF Act.
In addition to the above, we may collect the following kinds of credit information and exchange this information with CRBs and other entities (This is sometimes called positive credit reporting). See APP8 on “cross-border disclosures” for more on these “Exchange Entities”.
is entered into, the terms and conditions of the finance, the maximum amount of finance available, and the day on which the finance was terminated.
repayments on time. See more under “repayment history information” below.
a CRB default information about you and your consumer credit contract is varied or replaced, a statement about this.
We exchange this credit information for the purposes of assessing your application for finance and ability to manage that finance.
This credit information may be held by us in electronic form on our secure servers and/or in paper form. We may use cloud storage to store the credit information we hold about you.
When we obtain credit information from a CRB about you, we may also seek publicly available information and information about any serious credit infringement (for example, fraud) that you may have committed.
We may disclose your credit information to overseas entities that provide support functions to us – see APP6 on “use and disclosure of personal information” and APP8 on “cross-border disclosures”.
Sensitive information is any information about your racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record or health information.
We may seek and collect sensitive information about you but only if that sensitive information relates directly to our ability to arrange or provide credit to you or manage the credit provided to you.
Sometimes people share information (including sensitive information) with us that we have not sought out. This could be through using our website, making a general enquiry, requesting us to resolve a dispute or requesting us to assess a hardship application. We may also receive unsolicited personal information about you (including sensitive information) by mistake. If we receive such information about you, we will determine whether we would have been permitted to collect the information under APP3 and for the Primary Purpose. If yes, then all the following items (that is, APP5 to APP13) will apply
to that information. If no and the information is not contained in a Commonwealth record, then we will destroy or de-identify it as soon as practicable, but only if it is lawful and reasonable to do so.
Often, it is not possible for us to neatly unbundle this information then destroy or de-identify only certain sections or parts of it, and we may need to store this information for future use, such as to help resolve disputes between us or assess future applications
by you. We have many security safeguards in place to protect your information from interference, misuse, loss, unauthorised access, modification or disclosure. See more under APP11 on “security of personal information” below.
At or before the time of collecting your personal information, we will take reasonable steps to ensure you are aware of the purposes for which your information is collected and the organisations to which this type of information is usually disclosed to. For example, we outline this in the privacy consent form we ask you to sign and also in this Policy is which available on our website.
We will also take reasonable steps to ensure you are aware of the access, correction and complaints
processes. This is also outlined in the privacy consent form you sign as well as in this Policy.
We are committed to treating your personal information as confidential. Other than for the Primary Purpose,
we will only use or disclose your personal information if:
or misconduct of a serious nature, that relates to our functions or activities;
If we choose to disclose consumer credit liability information to a CRB for consumer credit provided to you, we will, once that credit is terminated or otherwise ceases to be in force, disclose this to the CRB within
45 days of that date.
We may use, disclose and exchange personal information with the following types of entities (Exchange Entities), some of which may be located overseas – see APP8 on “cross-border disclosures”.
approval or management of your loan (for example, if a complaint is lodged about any mortgage broker or lender who dealt with your loan).
Before we disclose any of your personal information to another entity, we will take all reasonable steps to satisfy ourselves that the entity has a commitment to protecting your personal information at least equal to our commitment or you have consented to us making the disclosure.
We may verify your identity using information held by a CRB. To do this, we may disclose your personal
information such as your name, date of birth and address to the CRB to obtain an assessment of whether that personal information matches information held by the CRB. The CRB may give us a report on that assessment
and to do so may use personal information about you and other individuals in their files. Alternative means of verifying your identity are available on request. If we
are unable to verify your identity using information held by a CRB, we will provide you with a notice and give you the opportunity to contact the CRB to update your information held by them.
The law requires us to advise you of “notifiable matters” in relation to how we may use your credit information. You may request to have these notifiable matters (and this Policy) provided to you in an alternative form, such as a soft copy.
We exchange your credit information with CRBs. We use the credit information that we exchange with the CRBs to assess your creditworthiness, assess your application for finance and ability to manage that finance. If you
fail to meet your payment obligations in relation to any finance that we have provided or arranged, or you have committed a serious credit infringement, we may disclose this information to a CRB.
You have the right to request access to the credit information that we hold about you and make a request for us to correct that credit information if needed.
This is explained below.
Sometimes, your credit information will be used by CRBs for “pre-screening” credit offers on the request of other credit providers. You can contact the CRB at any time to request that your credit information is not used in this way.
You may contact the CRB to advise them that you believe that you may have been a victim of fraud. For 21 days after the CRB receives your notification, the CRB must not use or disclose that credit information. You can contact any of the following CRBs for more information:
Dun & Bradstreet (Australia) Pty Ltd
www.dnb.com.au or 1300 734 806
www.experian.com.au or 1300 783 684
Veda Advantage Ltd
We may use or disclose your personal information (other than sensitive information) for the Primary Purpose, including for direct marketing, but only if you have not made a request not to participate in direct marketing (such as by contacting us to opt out). If the direct marketing is by email or SMS, you may also use the unsubscribe function. We will not charge you for making a request to opt out, and we will give effect to your request within a reasonable period.
Other than by email and SMS, we may also conduct direct marketing activities via telephone, mail or any other electronic means. We may also market
to you through third party channels (such as social networking sites).
We may use or disclose your personal information (other than sensitive information) for direct marketing under circumstances where you would reasonably expect us to use or disclose the personal information for direct marketing.
We will obtain your consent before using or disclosing sensitive information for the purpose of direct marketing.
We do not disclose your personal information to any third party for the purpose of allowing them to market their products or services to you.
We may exchange your personal information with Exchange Entities, some of which may be located overseas. This includes New Zealand, the Philippines, the United Kingdom, Ireland and the United States. While these entities will often be subject to confidentiality
or privacy obligations, they may not always follow the particular requirements of Australian privacy laws.
We may store your information in cloud or other types of networked or electronic storage. As electronic or
networked storage can be accessed from various countries via an internet connection, it is not always practicable to know in which country your information may be held.
If your information is stored in this way, disclosures may occur in countries other than those listed.
Overseas organisations may be required to disclose information we share with them under a foreign law. We are not responsible for such disclosure.
We will not share any of your credit information with a CRB unless it has a business operation in Australia. We are not likely to share credit eligibility information (that is, credit information we obtain about you from a CRB or that we derive from that information) with organisations unless they have business operations in Australia. (See more under “credit eligibility information” below.) We are likely to share other credit information about you with
organisations outside Australia. A list of countries in which those overseas organisations are located is set out above.
We do not adopt a government related identifier (such as your tax file number or driver’s licence number) as a means of identifying you.
We do not use or disclose your government related identifier unless:
misconduct of a serious nature, that relates to our functions or activities;
We will take reasonable steps to ensure that your personal information is accurate, up-to-date, complete, relevant and not misleading (collectively referred to as “accurate” below). We request that you contact us at any time to update, change or correct your personal information if you think the information we have is
not accurate. See APP13 on “correction of personal information”. We will generally rely on you to ensure the information we hold about you is accurate, up-to- date or complete.
We may store your personal information in paper and electronic form. We have a range of technical, administrative and other security safeguards to protect your personal information from interference, misuse, loss, unauthorised access, modification or disclosure, including:
If we store your personal information physically or electronically with third party data storage providers, we will use contractual arrangements to ensure those providers take appropriate measures to protect your information and restrict the uses of that information.
We will usually destroy personal information that is held in paper and electronic form seven years after our relationship with the individual ends (unless that information is contained in a Commonwealth record, or we have to retain it by or under an Australian law or a court/tribunal order). We will do this by shredding
paper copies and deleting electronic records containing personal information or permanently de-identifying the individuals within those records.
Sometimes it is impossible or impractical to completely isolate your information and completely remove all traces of the information, and we may store your information for future use, such as to help resolve disputes between us or assess future applications by you. The same security safeguards will be in place to protect your information.
You may request access to the personal information we hold about you. We will need to verify your identity before allowing access.
When you request access to your personal information, we will conduct a search on our database. This search will also indicate if there are any paper records that contain personal information.
We will give access in the manner you have requested if it is reasonable to do so. We may charge you a fee for our cost of retrieving and supplying the information. If we do, the fee will not be excessive and will not apply to the making of the request.
We will respond to your request within a reasonable period. Depending on the type of request that you make, we may respond to your request immediately, otherwise we usually respond to you within seven days of receiving your request. We may need to contact other entities to properly investigate your request.
If we refuse to give access or we cannot give access in the manner you have requested, access may be given through the use of a mutually agreed intermediary.
In addition to the above, regarding a request to access credit information, we will:
You may request us to correct personal information we hold about you. We will respond to your request within a reasonable period. We will take reasonable steps to correct your personal information to ensure that, having regard to a purpose for which it is held, it is accurate,
We may need to consult with other entities as part of our investigation. Where reasonable, and after our investigation, we will provide you with details about whether we have corrected your personal information within 30 days.
If there is disagreement as to whether your information is accurate, at your request we will take reasonable steps to associate with the information a statement claiming that the information is not accurate. We will not charge you for making the request, for correcting the information
or for associating a statement with the information.
If we correct personal information about you that has been previously disclosed to another APP entity, we will take reasonable steps to notify the other APP entity of the correction.
If we decide not to make a correction, we will provide reasons for the refusal and information on how you can complain about the refusal.
The most efficient way for you to make a correction request is to send it to the organisation that made the mistake.
If we are able to correct your information, we will let you know within five business days of deciding to do this. We will also let the relevant third parties know as well as any others you tell us about. If there are any instances where we cannot do this, then we will let you know in writing.
If we are unable to correct your information, we will explain why in writing within five business days of making this decision. If you have any concerns, you can access our external dispute resolution scheme or make a complaint to the Office of the Australian Information Commissioner (OAIC).
If we agree to correct your information, we will do so within 30 days from when you asked us, or a longer period that’s been agreed by you.
If we cannot make corrections within 30 days or the agreed time frame, we will explain why and let you know when we expect to resolve the matter, ask you to agree
in writing to give us more time, and let you know you can complain to our external dispute resolution scheme or the OAIC. See more under “complaints” below.
Repayment history information, or RHI, is information about whether you have made or missed a consumer credit payment. As part of the reforms to the Privacy Act, new kinds of credit-related personal information can be collected about you. This includes whether you have made or missed a consumer credit payment. This new type of information is called “repayment history information”.
RHI is information about whether you have met your consumer credit payment obligations. Consumer credit
is credit that is intended to be used primarily for personal, family or household purposes.
RHI includes information about whether you have made a payment on time or whether you have missed a payment. The grace period we allow for an overdue payment is five days. If you only pay part of the amount owing, you are taken to have missed a payment.
RHI includes the day on which a payment is due, and if you made a payment after that day, the date on which you paid. Therefore, RHI can include both positive and negative information about your credit history.
RHI does not include the amount of any missed payment
— only the fact that you have made or missed a payment.
RHI can include information about any consumer credit payments that you make, or fail to make, to a credit provider that holds an Australian Credit Licence. This means that RHI will usually reflect made or missed payments on a loan or credit card.
We may collect RHI about you in relation to payments falling due on or after 1 December 2012. We can disclose this information to CRBs from 12 March 2014.
We may use or disclose RHI about you to help service you such as to determine your eligibility to be provided with credit.
We do not disclose RHI about that credit more frequently than once each month.
Credit eligibility information is credit information we obtain about you from a CRB or that we derive from that information. (This is different from credit reporting information, which means credit information or information derived by a CRB.)
The law places limits on use and disclosure of credit eligibility information by “credit providers” (as defined by the Privacy Act, which includes Bluestone).
We may use the credit eligibility information we hold about you:
If we obtained your credit eligibility information for consumer credit related purposes, then it can be used for:
related to the provision or management of that commercial credit;
In addition to the above, we are permitted to disclose credit eligibility information about you under the following circumstances.
Regarding other credit providers: We can disclose your credit eligibility information to other credit providers:
Regarding guarantees: We can disclose your credit eligibility information if we have provided credit to you or you have applied for credit, the disclosure is for considering whether to act as a guarantor or to offer property as security for the credit, the guarantor has an Australian link, and you expressly consent to the disclosure (this usually means if you have signed our consent form).
Regarding mortgage insurers: We can disclose your credit eligibility information if the disclosure is to a mortgage insurer with an Australian link for lenders mortgage insurance purposes or any purpose arising under a contract for lenders mortgage insurance.
Regarding debt collectors: We can disclose your credit eligibility information if the debt collector carries on
a business that involves the collection of debts on behalf of others, disclosure is for the primary purpose of collecting overdue payments to either consumer credit or commercial credit, and the disclosure is
of identification information, court proceedings information, or personal solvency information.
Regarding other recipients: We can disclose your credit eligibility information if the disclosure is to any of these recipients that have an Australian link – a
government agency, small business or other organisation subject to the APPs, or a professional legal or financial adviser of the entity. The recipient may use your credit eligibility information for exercising the rights associated with, or considering whether to, accept an assignment
of debt, accept a debt owed to us as security for credit provided to us, or purchase an interest in us or a related body corporate.
If we disclose your credit eligibility information to an entity with no Australian link, we will take reasonable steps to ensure the overseas entity does not use or disclose your credit eligibility information other than in accordance with Australian legislation and ensure the overseas entity does not breach the APPs.
If your application for consumer credit has been refused by us on the basis of your or your guarantor’s information held by a CRB, the law requires us to, within a reasonable time after refusing the application, to give written notice of the refusal, state that the refusal was wholly or partially based on that information held by the CRB, and if the information is about you (as opposed to the guarantor), then state the name and contact details of the CRB.
If information from a CRB obtained in the previous 90 days forms part of the basis for the refusal, the law also requires us to provide written notice within 10 business days of the date of the refusal decision. We will keep a record of the notice. The notice will explain your right to access (and how to access) your credit reporting information free of charge during the 90 days following the notice, that it is important that you be proactive in
checking the accuracy of the credit reporting information the CRB holds about you, state we rely upon information from a number of sources to make our decision (including information provide by you such as the security of your employment), and how you can access and correct the credit eligibility information we hold (as detailed in this Policy).
The law requires us to give you notice if we intend to list default information with a CRB. Firstly, we will give you a “section 6Q notice” regarding default information, informing you of the overdue payment and requesting that you pay the overdue amount. Default information
relates to information about an overdue payment of over
$150 in relation to consumer credit if you are 60 days overdue in making the payment.
30 days after providing the section 6Q notice, we will then give you a “section 21D notice”. It will state our intention to disclose, after 14 days of the notice, the overdue amount specified in the notice (taking into consideration any payments made) to the CRB. We cannot make this disclosure if 3 months has lapsed after the section 21D notice.
If an overdue payment is made, we will take reasonable steps to disclose the payment information to the CBR within 3 business days.
We will not disclose an overdue payment in relation to consumer credit to a CRB as default information if you have made a hardship request and we are processing that request, or 14 days has lapsed after we have notified you of the decision.
If you have any queries about this policy or if you would like to access or correct your personal information, please contact us on one of the options below:
(02) 8115 5000 or 13 BLUE
PO Box 1136, QVB Post Shop, NSW, 1230.
If you would like further advice regarding your privacy rights, you can contact the OAIC by: email at firstname.lastname@example.org or by phone on 1300 363 992.
If you believe that our privacy standards do not meet the level set by the 13 APPs or have a complaint about our handling of your personal information, please contact us on one of the options below:
(02) 8115 5000 or 13 BLUE
PO Box 1136, QVB Post Shop, NSW, 1230.
We will endeavour to investigate and advise you of the outcome of your complaint as soon as possible.
We have in place Internal Dispute Resolution (IDR) procedures. We will follow this procedure in handling your complaint. We will provide our customers with a copy of our IDR procedures free of charge if one is requested.
If you are not satisfied with the outcome, you may lodge a complaint with the Australian Financial Complaints Authority (AFCA). AFCA provides fair and independent financial services complaint resolution that is free to consumers.
Mail: Australian Financial Complaints Authority GPO Box 3, Melbourne VIC 3001
If you are still not satisfied, you can complain to the OAIC using the details provided above.
We recognise that the improper use or disclosure of personal information may pose a risk of financial, reputational or other harm to the affected person.
There are potentially significant costs to Bluestone if we do not meet our obligations to protect or maintain your personal information. Breaches (such as sending a communication that contains personal information to the wrong recipient) may result in fines, damage to our reputation and loss of trust from our customers.
Security is a basic element of information privacy. We are committed to preventing Breaches, and we have a range of technical, administrative and other security
safeguards in place to protect your personal information from interference, misuse, loss, unauthorised access, modification or disclosure (which we have outlined under APP11 on “security of personal information” above).
We will deal with Breaches in an appropriate and timely manner. There may be internal and external actions that need to be taken. In taking any action, we will be guided by these steps as suggested by the OAIC on responding to a Breach (whether it is actual or suspected):
Step 1: Contain the Breach and do a preliminary assessment
Step 2: Evaluate the risks associated with the Breach
Step 3: Notification
Step 4: Prevent future Breaches
A copy of the OAIC’s “Data Breach Notification –
a guide to handling personal information security breaches” can be accessed at: http://www.oaic.gov.au/privacy/privacy-resources/ privacy-guides/data-breach-notification-a-guide-to- handling-personal-information-security-breaches.
For example, a Bluestone Staff who has identified a Breach or any suspicious activity will, as soon as
practicable, escalate to the relevant team for assessment and evaluation. They will first determine whether any notification to the affected individual or regulator is necessary, then conduct an assessment to identify measures that could be taken to reduce the likelihood of a future breach.
We will review this Policy periodically. We will amend this Policy as the need arises, such as to reflect emerging legislative and technological developments, industry practice and market expectations.
If we do so, we will notify you by posting an updated version on our website.
This policy was last updated in January 2023.