Ensuring that we manage your personal information securely and consistently with the Privacy Act is a top priority for all of us at Citi in Australia, which includes Citigroup Pty Limited, Citibank NA (Sydney Branch), Diners Club Pty Limited and any other Citi entity registered in Australia. This policy is intended to help you understand how we manage the personal information that we collect about you, how you can seek access to and correction of that information and, if necessary, how you can make a complaint relating to our handling of that information. Unless stated otherwise, this policy is relevant to the personal information of both our current and former customers, as well as other individuals we may deal with (for example, guarantors, directors and shareholders relating to our customers or individuals we deal with in other capacities as part of our business).
For information about our management of your credit-related information, please see our Credit Reporting Policy which contains information about credit reporting, including the credit reporting bodies with which we may share your credit information.
The nature of the personal information we collect and hold, and where it comes from, will vary according to the circumstances in which we are dealing with you (for example, if you are a customer, according to the specific product or service we are providing). This information may include:
- information we collect from you, or persons acting on your behalf, on applications or other documentation or communications, such as your name, residential and business addresses, telephone numbers, email and other electronic addresses, occupation, employment details, assets, expenses, income, dependents and details about your business dealings and other events in your life;
- information about your transactions and products with us, our affiliates, or third parties, such as account balances, payment history, credit history and details about account activity and product use;
- sensitive information, including health information (for example, health information you provide to us when you acquire insurance products or make a hardship application in connection with a loan);
- government identifiers such as your tax file number, ABN, Medicare card number, passport number or pension card number (for example, to verify your identity at the time you request a product or service);
- other details relating to your relationship with us, including if we deal with you in a capacity other than a customer (for example, information about agreements or other arrangements or transactions you may have with us).
We usually collect your personal information directly from you. However, sometimes we may need to collect personal information about you from third parties for the purposes described below. The circumstances in which we may need to do this include, for example, where we need information from a third party to assist us to process an application (such as to verify information you have provided or to assess your circumstances) or to assist us to locate or communicate with you.
We may hold your personal information in physical form or in electronic form on our systems or the systems of our service providers.
The personal information we hold about you is protected by physical, electronic, and procedural safeguards and we also require our service providers that hold and process such information on our behalf to follow appropriate standards of security and confidentiality.
In order to satisfy our legal obligations we may need to retain your information even after a transaction has come to an end (subject to our obligations under the Privacy Act).
We train people who work for us on how to handle personal information appropriately and we restrict access to what is necessary for specific job functions.
We will only collect, hold, use and disclose your personal information as reasonably necessary for our business purposes and as permitted by law. These purposes may include:
- processing a product application or service request (including verifying a person's identity for these purposes);
- managing our products and services or other relationships and arrangements, including processing receipts, payments and invoices;
- evaluating and monitoring credit worthiness;
- detecting and preventing fraud and other risks to us and our customers and assessing insurance risks and claims;
- responding to inquiries about applications, accounts or other products, services or arrangements;
- understanding our customers' needs and offering products and services to meet those needs;
- researching and developing our products and services and maintaining and developing our systems and infrastructure (including undertaking testing);
- undertaking securitisation activities and other activities relating to funding and capital requirements;
- allowing our affiliates and selected companies to promote their products and services to customers;
- assessing, processing and investigating insurance risks or claims;
- dealing with complaints;
- meeting legal and regulatory requirements. Various Australian and international laws may expressly require us to collect/and or disclose your personal information, or we may need to do so in order to be able to comply with other obligations under those laws. Such laws include the National Consumer Credit Protection Act (for example, to comply with responsible lending requirements), the Anti-Money Laundering and Counter-Terrorism Financing Act (for example, to comply with identity verification requirements), the Personal Property Securities Act and State and Territory real property and security interests laws (for example, to register and search for security interests), the Banking Act, the Financial Sector (Collection of Data) Act, the Corporations Act and other regulatory legislation (for example, requiring us to maintain client and transaction records, to provide information relating to your deposits and loans to APRA for prudential and monitoring purposes and to make reports and provide other information to regulators such as ASIC) and the Taxation Administration Act, the Income Tax Assessment Act and other taxation laws (for example, to comply with information requests issued by the Commissioner of Taxation);
- enforcing our rights, including undertaking debt collection activities and legal proceedings.
In common with many organisations, we obtain services from other Citi entities and external service providers, some of which may be located outside Australia, and your information may be provided to them for this purpose. We may also need to disclose your personal information to other Citi entities and to third parties for the purposes listed above.
Third parties to whom we disclose your personal information may include:
- our related Citi companies in Australia and overseas;
- administrative services providers, such as mailing houses, printers and call centre operators;
- legal, settlement and valuation service providers;
- data processing and market research service providers;
- regulatory bodies in Australia and overseas;
- financial and other advisors;
- participants in financial and payment systems, such as other banks, credit providers, clearing entities and credit card associations;
- insurers, assessors and underwriters;
- brokers and other distributors;
- your guarantors and security providers;
- debt collectors;
- providers of loyalty incentives, rewards and other benefits in connection with a Citi account or service;
- organisations wishing to acquire an interest in any part of our business from time to time; and
- credit reporting bodies and other information providers.
Some of these recipients may be located outside Australia. It is not reasonably practicable to list all of the countries to which your information may be disclosed from time to time but it is likely that such countries will include Singapore, India, Malaysia, the Philippines and the United States of America.
You are entitled under the Privacy Act to access personal information we hold about you, please contact our Privacy Officer. To contact the Citi Privacy Officer please see our contact details below.
Given the range and diversity of Citi's operations in Australia, to help us locate and provide the information you request, we would ask that you be reasonably specific about the information you require.
We will need to validate the identity of anyone making an access request, to ensure that we do not provide your information to anyone who does not have the right to that information.
If you are seeking information on another person's behalf, we will require written authorisation from that Individual.
Gaining access to your personal information is subject to some exceptions allowed by law. Factors affecting a right to access include where:
- we reasonably believe that access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety;
- access would have an unreasonable impact on the privacy of others;
- the request for access is frivolous or vexatious;
- the information relates to a commercially sensitive decision making process;
- access would be unlawful;
- denying access is required or authorised by or under an Australian law or a court/tribunal order;
- access would prejudice enforcement activities or the taking of appropriate action in relation to unlawful activity or serious misconduct;
- the information relates to existing or anticipated legal proceedings between you and Citi and would not be accessible by the process of discovery; or
- the information would prejudice negotiations with you.
There is no charge for making an access request but an administration fee may apply for providing access in accordance with your request. Your request will usually receive a response within 30 days.
We take all reasonable precautions to ensure that the personal information we collect, use and disclose is accurate, complete and up-to-date and relevant. However, if you believe that this is not the case in relation to any personal information we hold about you, you have the right under the Privacy Act to request that we correct that information. If you would like to do so please contact the Citi Privacy Officer using the contact details below.
If we do not agree with a request to correct information we hold in relation to you we will give you notice in writing as to our reasons and the mechanisms available to you to complain about our decision. You may also request us to associate a statement with that information to the effect that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading so that it is apparent to users of the information.
If you are seeking to correct information on another person's behalf, we will require written authorisation from that Individual.
If you have reason to believe that we have not complied with our obligations under the Privacy Act in relation to your personal information, we urge you to raise this with our Customer Advocacy Unit. There are three ways you can lodge your complaint:
Mail your written complaint to: Citigroup Pty Limited Customer Advocacy Unit GPO Box 204, Sydney NSW 2001
Email us at any time email@example.com.
We will investigate all complaints and respond to you as soon as practicable. If we find a complaint justified, we will resolve it. If necessary, we will change policies and procedures to maintain our high standards of performance, service and customer care.
If you are not happy with the way your privacy-related complaint is being handled, you can also contact the Citi Privacy Officer using the contact details below.
Citi Privacy Officer GPO Box 204, Sydney NSW 2001
Please do not include account numbers or other sensitive data in emails, since it may not be secure.
Email us at any time firstname.lastname@example.org
Please do not include account numbers or other sensitive data in emails, since it may not be secure.