Privacy Policy

Effective 1 November 2018

People First is the way we do business

At Heritage, we do things a little differently to the big banks. We are owned by our customers, not shareholders, so our focus is always on putting People first rather than maximising profits. In everything we do, we put People first.

Privacy background

Heritage Bank Limited ABN 32 087 652 024, Australian Financial Services Licence and Australian Credit Licence 240984 (also referred to as “Heritage”, “we”, “our” or “us” in this Privacy Policy) values the ongoing trust you place in us and considers the protection and maintenance of your personal information to be of the utmost importance. When handling your personal information we are bound by the Australian Privacy Principles in the Privacy Act 1988. We are also bound by Division 3 of Part IIIA of the Privacy Act and the Credit Reporting Privacy Code (CR Code), which regulates the handling of credit information, credit eligibility information and related information by credit providers, like us and the credit reporting bodies (CRBs) we use such as:

  • Equifax Pty Ltd
  • Dun & Bradstreet (Australia) Pty Ltd trading as illion Australia
  • Experian Australia Pty Ltd

This Privacy Policy outlines how we deal with your personal information (including credit-related information), as well as our legal obligations and rights as to that information. We reserve the right to change our Privacy Policy at any time and will notify you by posting an updated version on our website. For information on the privacy policies of CRBs refer to their respective websites.

We may tell you more about how we handle your information, for example when you complete an application form, or receive terms and conditions or a Product Disclosure Statement. When you receive this information, please consider it carefully. If we agree with you to use or disclose any of your personal information in ways which differ to those stated in this Privacy Policy, the provisions of that agreement will prevail to the extent of any inconsistency.

What personal information do we collect?

Personal information is information or opinion about you that may identify you or by which your identity may be reasonably determined. The types of personal information that Heritage collects and holds may include the following information about customers, potential customers, and associated persons (such as guarantors) which is relevant to our relationship with that person.

  • general information such as an individual’s name, contact details (including postal address, email address and telephone numbers), date of birth, financial details such as income, savings and lending history and expenses or tax file number, gender, marital status and the reason a person might be applying for a financial product from us.
  • “sensitive information” such as information about an individual’s health, religious beliefs, race or ethnic origin. If there are circumstances where we need to collect or disclose sensitive information we will ask for your consent (unless required or permitted by law).
  • information we record about an individual during our relationship with them including about their transactions, the products they hold and the services we provide to them.
  • “credit information” which includes identification information, employment history, consumer credit liability information, repayment history information, credit enquiry, type of credit sought, default information, court proceedings and personal insolvency information, publicly available information that relates to the individual’s credit worthiness and information about a serious credit infringement. We will hold all of this information about an applicant for credit, a guarantor, or related person (for example, a director of a company which has applied for credit).
  • “credit eligibility information” which means information that has been obtained from a CRB (e.g. a consumer credit report), or personal information that has been derived from that information, that is about an individual’s consumer credit worthiness. The kind of information we might derive from an individual’s consumer credit report includes a credit assessment relating to the individual, an unsuitability assessment relating to the individual and any internal credit scores.

Why do we collect your personal information?

We will only ask for personal information (including credit information and credit eligibility information) relevant to our business relationship with you and we will tell you why we are asking for it when we collect it. If you do not provide some of your personal information, we may not be able to provide you with some of our products or services or we may be required to restrict operation of a financial product.

Personal information may be collected from you:

  • to check your eligibility for or to provide you or some related person (for example, a person you are acting as guarantor for, or a company you are a director of) with financial products or services;
  • (unless you ask us not to) to send you information about products or services offered by Heritage or those provided by third parties that based on the information we have about you may be of interest;
  • to assist you with your enquiries or concerns;
  • to verify your identity and undertake customer due diligence;
  • for research, training, product development, risk assessment, risk modelling, fraud detection and marketing requirements; and
  • for any other purpose required or authorised by law.

If you have a credit facility with us or are a guarantor we may also collect your information for the purpose of collecting overdue payments relating to credit you owe or a guarantee you have given and for our internal management purposes related to credit provided.

We may also ask for your personal information because we are obliged to collect it under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, which requires us to ask you for information to check your identity (for instance, by referring to your driver’s licence, birth certificate or passport).

The National Consumer Credit Protection Act 2009 also requires us to make reasonable enquiries when you apply for credit or a credit limit increase.

We may collect your TFN in order to calculate our withholding obligations as authorised by the Taxation Administration Act 1953 and the Income Tax Assessment Act 1936. You are not required to provide your TFN, however if you do not, we may be required to withhold amounts from you and remit them to the Australian Taxation Office.

How do we collect your personal information?

We collect most personal information directly from you. We may do this when you apply to become a customer, complete an application for one of our products and services, deal with us over the telephone, communicate by post or electronically (such as via email or SMS), through mobile or tablet applications, using our internet banking services, or visiting our website or one of our branches (including our community branches).

We may monitor and/or preserve telephone calls, postal or email transmissions for the purpose of staff training, quality assurance, security reasons, to verify statements made and to assist with our dispute resolution process.

The technology “cookies” may be used to collect statistical information on our website or online banking. Cookies may also be used for other purposes which help us further enhance our service such as collecting preferences, geographical information and to auto populate. You are able to use your browser settings to manage cookies including preventing the acceptance of some or all cookies. For more information on adjusting browser settings and system requirements please see our website.

If personal information about you is collected by third parties on any website you have accessed through our websites, we may also collect or have access to that information as part of our arrangement with those third parties.

Sometimes, such as where we need to verify your identity, undertake customer due diligence, prevent or detect money laundering or terrorist financing and where we are required or authorised by law we may need to obtain personal information (including credit information and credit eligibility information) about you from a third party. These parties may include banks, financial advisers, family members, your employer, medical practitioners, CRBs, government authorities and publicly available sources of information.

You may not be a customer of ours but you may interact with or through us for some other reason, for example, as a claimant under our insured’s policy, a witness in an accident or a spouse or family member of a customer, entering a competition or commenting via social media. We will collect, use and disclose your personal information in accordance with this Privacy Policy and any Privacy Statement you may receive when you interact with us.

How do we store and protect your personal information?

We store your personal information (including credit information and credit eligibility information) in a number of ways including:

  • in computer systems or databases including cloud storage;
  • in hard copy or paper files; and
  • in telephone recordings.

This may include storage on our behalf by trusted third party service providers.

The security of your personal information is important to us and we take all reasonable precautions to protect it from misuse, interference and loss, and from unauthorised access, modification or disclosure. Some of the ways we do this are:

  • confidentiality requirements of our employees
  • document storage security policies
  • returning documents to you or destroying data when no longer required in a secure manner or by de-identifying
  • security measures including passwords for access to our systems
  • only giving access to personal information to a person who is verified to be able to receive that information
  • having confidential face-to-face discussions between you and us in a secure environment
  • control of access to our buildings, and
  • electronic security systems, such as firewalls, virus software and data encryption on our websites.

Additional information about the security systems we employ is available at

Whilst we take all reasonable measures, no data transmission over the internet can be guaranteed to be totally secure.

To assist us we expect you to take appropriate steps to ensure security of your information including keeping your access passwords confidential, destroying any documentation we send to you containing your access passwords and logging out properly when you leave your computer.

Do we disclose your personal information to third parties?

We may disclose your personal information (including credit information and credit eligibility information) to third parties where they help us with our business, or you consent to do so. Where your personal information is disclosed to third parties, we will seek to ensure that the information is held, used or disclosed consistently with the Australian Privacy Principles in Part IIIA of the Privacy Act 1988 and the CR Code.

Types of third parties include:

  • parties involved in providing, managing or administering your products or services and assisting us with our business such as third party suppliers, printers, bulk mail services, statement production providers, market research companies, authorised representatives and our legal, tax, audit and accountancy advisers;
  • parties maintaining, reviewing and developing our business systems, procedures and infrastructure including updating and maintaining our data, testing or upgrading our computer systems;
  • alliance partners, for example, where you have a co-branded product such as the Heritage Visa credit card or in relation to products and services offered that may be of interest to you;

  • advisers or agents which may include lawyers, mortgage brokers, real estate agents, financial advisers, insurance companies, executors, administrators, trustees or attorneys;
  • CRBs, debt collecting agencies, document verification services, your guarantors, organisations involved in valuing, surveying, insuring or registering a security property;
  • lenders mortgage insurers (if insurance is required because the amount you borrow exceeds a certain percentage of the property’s value as insured by Heritage);
  • parties involved in what is known as “securitisation”, under which we sell a pool of home loans. These third parties include trustees of securitisation arrangements, lenders mortgage insurers, investors and their advisers;
  • other financial institutions, merchants and payment organisations; and
  • The Australian Financial Complaints Authority (AFCA).

We may also disclose your personal information (including credit information and credit eligibility information) to third parties in circumstances where:

  • we must fulfill our legal obligations (for example, disclosure to Australian (and international) enforcement bodies such as the Australian Securities and Investments Commission (ASIC), the Australian Taxation Office (ATO), the Australian Transaction Reports and Analysis Centre (AUSTRAC), Centrelink or the Courts) or where you are under 16 or have special needs we may share your information with your parent, legal guardian or any person appointed to manage your affairs;
  • it is in the public interest (that is, to protect our interests or where we have a duty to the public to disclose, or where it is necessary in proceedings before a court or tribunal) and where a crime or fraud is committed or is suspected; or
  • it can be reasonably inferred from the circumstances that you consent to your personal information being disclosed to a third party.

Your personal information may be sent outside Australia where, for example:

  • you have requested or consented that we send your personal information;
  • we outsource a function or service to an overseas contractor with whom we have a contractual arrangement; and
  • it is necessary to investigate or facilitate a transaction on your behalf.

We will not send your personal information outside Australia unless it is authorised by law and we are satisfied that the recipient of the personal information has adequate data protection arrangements in place. Overseas organisations may be required to disclose information we share with them under a foreign law. In those instances, we will not be responsible for that disclosure.

The countries to which we are likely to disclose your personal information include New Zealand, Singapore, India, China, United Kingdom, Japan, France, Philippines, Canada, Germany, the Netherlands and the US.

How can you access, update or correct your personal information?

If you would like to access, update or request a correction to your personal information you can do so using any of the methods listed under “How to contact us”.

You may request access to your personal information (including credit information and credit eligibility information) at any time. Prior to providing you with access to your information we may require you to establish your identity. We are able to deny access to some or all of your personal information in specified circumstances but will provide the reasons in writing. In some cases we may charge a fee to access personal information for example when it has been archived, but we will advise you first.

It is important that you advise us as soon as possible if there is a change to your personal information that needs updating. If you have new contact details (such as postal address, email address or telephone numbers) you should let us know immediately. You may request that we correct any personal information (including credit information and credit eligibility information) we hold about you at any time. If your request relates to credit related information provided by others, we may need to consult with credit reporting bodies or other credit providers.

Do you have any complaints, concerns, or questions about our Privacy Policy?

Should you have any concerns, require further information or wish to make a complaint regarding the handling of your personal information you can let us know using any of the methods listed under “How to contact us”.

Complaints regarding privacy are referred directly to Heritage’s Privacy Officer and are dealt with in accordance with our Internal Customer Disputes Resolution Process. Information about this process can be found on our website at or by contacting us.

We will acknowledge your complaint and keep you informed of its progress. Any specific credit reporting breaches or complaints will be acknowledged within 7 days of receipt and unless there are exceptional circumstances these investigations will be resolved within 30 days of receiving your complaint.

When the dispute resolution process has been concluded, if we have been unable to resolve your complaint to your satisfaction, you may request an independent review by the Australian Financial Complaints Authority (AFCA).

Australian Financial Complaints Authority
GPO Box 3
Melbourne VIC 3001
Ph: 1800 931 678

Website: Email: [email protected]

You may also obtain further information about privacy or refer a privacy complaint by contacting:

The Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
Ph: 1300 363 992

Email: [email protected]

How to contact us

In Person:

at one of our branches


The Privacy Officer
Heritage Bank Limited
PO Box 190
Toowoomba QLD 4350


13 14 22


[email protected] or [email protected] or go to our website and click on “contact us” then use the “feedback/enquiries”