About this policy
Version 3 - Effective from 30 December 2024
This policy provides information about how Police & Nurses Limited ABN 69 087 651 876 (Bank, we, us or our), manages data under the Consumer Data Right (CDR). References in this policy to data (including accessing, sharing and correcting data) apply specifically to data in the context of the CDR, as described in this policy below.
Please refer to our Privacy Policy for information on how we collect, use, hold and disclose your personal information more generally in accordance with applicable privacy laws. Some of your CDR data is personal information, and where this is the case, we will handle it in accordance with our Privacy Policy as well as in the manner set out in this policy.
This CDR Policy sets out:
- What is the Consumer Data Right?
- What is a Data Holder?
- What is a Data Recipient?
- What types of CDR data will the Bank hold?
- How to access our CDR product data
- How to access your CDR data
- Can I request to share my Voluntary Consumer data?
- How is CDR data held?
- What purposes will CDR data be used for?
- Will my CDR data be used for Direct Marketing?
- Will CDR data be disclosed to the Bank’s service providers?
- Events we will tell you about
- How long does consent last?
- What happens to redundant CDR data?
- How to correct your CDR Data
- Complaint Handling
- How will we resolve your complaint?
- How to make a CDR related consumer complaint
What is the Consumer Data Right?
The CDR gives you the right to share your data between accredited providers. It is an opt-in service (where you can choose to use the service) that makes it easier for you to:
- compare banking products and services; and
- access new and improved banking services.
If you choose to use CDR, your CDR data is transferred using automated data technology. The data transfer is between the providers, for example us and another accredited bank, and the standards regulating how data is transferred are set by the Australian Government.
We accept requests for access to consumer data and product data that is mandated by law (‘required data’).
We do not accept requests for access to additional types of consumer or product data.
What is a Data Holder?
A Data Holder is a business that holds consumer data. Under the CDR Rules, a Data Holder must transfer the data to an accredited Data Recipient if and when you request it.
What is a Data Recipient?
A Data Recipient is a business accredited by the Australian Competition and Consumer Commission (ACCC) to receive consumer data to provide a product or service.
What types of CDR data will the Bank hold?
We hold the following classes of CDR data:
- Individual consumer data (name, occupation and contact details)
- Business consumer data (organisation profile and contact details)
- Account name, type of account and balance
- Account number and features (including interest rates, fees and discounts)
- Account balance and details
- Transactions details including dates, descriptions and amounts
- Direct debits and scheduled payments
- Saved payees
- Information about our products and services, such as information about our product pricing, eligibility criteria, fees, terms and conditions, availability and performance of our products or service offerings.
We will refer to CDR data we hold about you as your CDR data and we will refer to information about our products and services as our CDR product data. Our CDR product data is general in nature and, therefore, does not relate or apply to any identifiable individual or business.
How to access our CDR product data
A request to access our CDR product data can be made by any member of the public or an organisation and you do not have to be a member of the Bank to do so.
Requests to access our CDR product data can be made using our product data request service.
How to access your CDR data
You can access your data by authorising us to share it with data recipients who have been ‘accredited’ under the CDR regime to receive consumer data. We can only share your data with organisations that have been accredited, and if you are eligible to make a sharing request under the CDR regime.
You will be provided access to a Consumer Dashboard via Internet Banking or Mobile devices that provides you with the functionality to:
- authorise us to share your data with Data Recipients who have been ‘accredited’ under the CDR regime to receive the consumer data. We can only share your data if you are eligible to make a sharing request under the CDR regime and the proposed Data Recipient is ‘accredited’ under the CDR regime;
- generate a one-time passcode for authorisation when you wish to share your data with a Data Recipient;
- receive sharing requests denials and how to find out more about the denial;
- view sharing history;
- pre-authorise sharing account details you hold jointly with others; and
- withdraw your consent and ask us to cease sharing.
For example, if you are applying for a loan at another financial institution who is accredited Data Recipient and they wish to obtain details regarding your account with us, instead of providing them with a copy of your statement, you can authorise us to share your data with them. There is no fee for accessing or data sharing requests.
You may also request from us access to copies of the following data holder records:
- authorisations given by you to disclose your CDR data, including amendments to any such authorisations;
- withdrawals of authorisations given by you to disclose your CDR data;
- disclosures of CDR data made by the data holder in response to consumer data requests made by you or on your behalf, and
- CDR complaint data relating to you.
Where you make a request for your CDR data, we will provide the relevant copies of your records as soon as practicable, and no later than 10 business days after receiving the request.
Our Privacy Policy sets out further information on how you may seek access to the personal information comprised in your CDR data.
Can I request to share my Voluntary Consumer data?
No, we will only share CDR data as required by CDR law, this means 'voluntary data' will not be shared by us.
How is CDR data held?
We store data securely in Australia, as outlined in our BCU Privacy Policy and in accordance with legal requirements, and we will delete your CDR data once you withdraw your consent, or your consent expires.
What purposes will CDR data be used for?
We will only disclose your CDR data to accredited Data Recipients in accordance with the CDR regime and only when you authorise us to do so.
Will my CDR data be used for Direct Marketing?
We may with your express consent use the CDR data shared with us to market to you products and services in accordance with the CDRs Safeguard policy:
- Information about upgraded or alternative goods or services to the existing goods or services.
- An offer to renew existing goods or services when they expire.
- Information about the benefits of existing goods or services.
You may opt In/Out of the use of your Open Banking data for marketing purposes at any point within mymo. This optional Direct Marketing consent will only apply to the Open Banking data that you have consented to share with PNL group.
Open Banking Direct Marketing will not apply if you have opted out of receiving marketing material by advising PNL that you do not wish to receive this. If you wish to participate you will need to contact us to update your direct marketing preferences.
Will CDR data be disclosed to the Bank’s service providers?
We may need to disclose your CDR data to our third-party service providers to provide us with the CDR-related services described below.
Third parties service providers that we use to provide CDR data sharing services are:
- Frollo - provides the platform for the “Personal Financial Wellbeing” tools and application, which includes, but is not limited to: Transactions Categorisation, Enrichment, Personalisation, Tags & Search; Budgeting & Planning; Bill Tracker; Goals and Challenges; Financial Wellbeing Score, etc.
The types of CDR data that we may disclose to our third party service providers includes customer data, account data and transaction data.
We will not otherwise disclose your CDR data to any party that is not accredited under the CDR regime.
Overseas disclosure of your CDR data
We will not disclose your CDR data to accredited persons outside Australia, unless you specifically ask us to share your data with an overseas recipient that is accredited under the CDR regime.
Events we will tell you about
We will give you notice via the Consumer Dashboard as soon as practicable if any of the following events occur.
- When you give your consent to the Bank collecting and using your CDR data.
- When you withdraw any consent referred to above.
- Collection of your CDR data.
- Ongoing notification requirements relating to your consent.
We will give you notice via appropriate methods if any of the following events occur.
- Responses to a consumer correction request.
See section below titled ‘How to correct your CDR data’ for further details. - Eligible data breaches.
We and our service providers employ stringent up-to-date information security practices to protect your personal information. Your CDR data may also contain your personal information. In the event there is an ‘eligible data breach’ relating to your personal information we will notify you in accordance with Australian privacy legislation. An eligible data breach occurs when there is unauthorised access to, unauthorised disclosure of, or a loss of, your personal information that we hold, and that event is likely to result in serious harm to you.
How long does consent to use your CDR data last for? What happens if you withdraw consent to collect and use your CDR data?
Your consent to use your CDR data expires after 12 months after it has been provided, unless you withdraw it earlier.
If you provide consent to share your CDR data, you can withdraw this consent at any time using the available methods provided by our service. We will action a request from you to withdraw consent as soon as possible but, in any event, within two business days of receiving the request. You will receive confirmation of consent removal.
If you withdraw your consent for us to collect and use your CDR data, this will mean that any third parties that you have previously authorised to access your CDR data, will no longer have access to your CDR data. This has the potential to impact on any services or credit you may be seeking to obtain.
What happens to redundant CDR data?
Under the CDR regime, the Bank has obligations to destroy, delete or de-identify any redundant CDR data that it holds, for example, after your CDR data has been provided to an Data Recipient, in accordance with your consent.
When data is no longer required, or you withdraw your consent to share, or your consent expires, it will be deleted. We ensure the data is deleted using best industry practices and with all expected security controls applied.
How to correct your CDR data?
We take all reasonable steps to ensure that the information we collect, use or disclose is accurate, complete and up to-date. You have the right to request us to correct your CDR data if it is inaccurate, out-of-date or incomplete.
If you have identified an error with your CDR data, you can seek correction by notifying staff in branch, or by calling us on 1300 228 228 or emailing us at any time at mail@bcu.com.au.
We will acknowledge receipt of your request as soon as practicable and aim to correct any agreed errors with your consumer data within 10 business days of receipt of your request. As soon as practicable after that date, we will send you a written response confirming how we have dealt with your request, which will include our reasons for not correcting the data (if relevant) and details of the complaint process available to you to escalate the matter if you are not satisfied with our response.
Our Privacy Policy sets out further information on how you may seek correction of your personal information that is comprised in your CDR data.
We encourage you to advise us as soon as there is a change to your contact details, such as your phone number or address. We will deal with your request to correct your information in a reasonable time. If your request to correct your information relates to information which has been provided to us by a Credit Reference Bureau (CRB) or another credit provider, we may need to consult with them about your request. We will correct information, where we decide to do so, within 30 days of your request, or longer if you agree.
Complaint Handling
When you make a complaint to us, we will:
- resolve your complaint on the spot, if possible;
- acknowledge your complaint within 1 working day (in writing or by telephone) and make sure we understand the issues;
- give you our name, and contact details so that you can follow up if you want to;
- do everything we can to fix the problem;
- investigate your complaint, and where necessary, we’ll consult with other credit providers or credit reporting bodies about your complaint;
- keep you informed of our progress;
- keep a record of your complaint; and
- provide a final response within 30 days.
If we are unable to provide a final response to your complaint within 30 days, we will:
- inform you of the reasons for the delay; and
- advise of your right to complain to the relevant external dispute resolution scheme.
How will we resolve your complaint?
The possible resolutions available to you will depend on the nature of your complaint. When attempting to resolve your complaint, we may consider the following possible options, but not limited to:
- an explanation of the circumstances giving rise to the complaint;
- an apology;
- correcting incorrect or out-of-date records;
- deleting or destroying incorrect records;
- provision of assistance and support;
- a goodwill or compensation payment; and
- undertaking to set in place improvements to systems, procedures or products.
How to make a CDR related consumer complaint
Step 1 – Contact us: If you have a complaint about how we manage your CDR data, you can make a complaint by notifying staff in branch, completing the online form on our websites, or by calling us on 1300 228 228 or emailing us at any time at mail@bcu.com.au.
To make a complaint, you will need to provide your customer details (member number), contact details and the nature of your complaint. It will also be useful if you can provide details of the outcome you desire to satisfactorily resolve your complaint.
Step 2 – Member Advocate: Sometimes, a complaint is complex or requires a more detailed investigation than your local branch or a Member Services Consultant is able to provide. If this is the case, your complaint may be referred to our Member Advocate for specialist assistance.
If you have tried to resolve your complaint at your branch or through the general enquiries team and are not satisfied with the outcome, you may also contact our Member Advocate by:
- Phone: Call us on 13 25 77 and request to speak with our Member Advocate
- Mail: Member Advocate Reply Paid 8609, Perth BC WA 6849
- Email: member.engagement@pnbank.com.au
- Fax: (08) 9219 7474
Step 3 – External review: If you are not satisfied with our response, or how we have handled your complaint, you can contact:
- our Member Advocate
- the Australian Financial Complaints Authority (AFCA), our external dispute resolution scheme, or the Office of the Australian Information Commissioner.
Australian Financial Complaints Authority
GPO Box 3
Melbourne VIC 3001
1800 931 678
info@afca.org.au
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
1300 363 992
Either of these entities may forward your complaint to another external dispute resolution body if they consider that the complaint would be better handled by that other body.
Handy hint: You can print or save a copy of this document as a PDF using your browser print function.