The following is a high level summary of the
National Privacy Principles (NPP) for this broker.
1. An organisation must not collect personal information unless
the information is necessary for one or more of its functions or
activities.
2. An organisation must collect personal information only by lawful
and fair means and not in an unreasonably intrusive way.
3. At or before the time (or, if that is not practicable, as soon
as practicable after) an organisation collects personal information
about an individual from the individual, the organisation must take
reasonable steps to ensure that the individual is aware of:
a. the identity of the organisation and how to contact it; and
b. the fact that he or she is able to gain access to the information; and
c. the purposes for which the information is collected; and
d. the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and
e. any law that requires the particular information to be collected; and
f. the main consequences (if any) for the individual if all or part of the information is not provided.
4. If it is reasonable and practicable to do so, an organisation
must collect personal information about an individual only from
that individual.
5. If an organisation collects personal information about an individual
from someone else, it must take reasonable steps to ensure that
the individual is or has been made aware of the matters listed in
clause 3 above except to the extent that making the individual aware
of the matters would pose a serious threat to the life or health
of any individual.
Use and Retention of Personal Information
Personal information must only be used or disclosed for:
• the primary purpose for which it was collected;
• a directly related secondary purpose; or
• purposes to which the individual has consented.
What amounts to a secondary purpose will always be unclear, and
so it is desirable to obtain consent for any anticipated use of
the information. In the context of the mortgage industry this will
include disclosure of the information to:
• funders;
• lenders mortgage insurers;
• valuers;
• credit card issuers;
• statement printing houses;
• potential and actual assignees of the loans or an originator’s
business;
• direct marketing and cross marketing; and
• other business associates and contractors.
Other Privacy Principles
Mortgage industry participants must ensure they comply with each
of the following principles. In particular, note the need for data
security and the development of a Privacy Policy.
DATA QUALITY.
The organisation must take reasonable steps to ensure that the personal
information is accurate, complete and up to date.
DATA SECURITY.
The organisation must take reasonable steps to protect the personal
information from misuse, loss, unauthorised access, modification,
or disclosure, and it must be de-identified or destroyed once it
is no longer required for any purpose for which it can be used or
disclosed.
OPENNESS.
The organisation must set out its policies on the management of
personal information in a Privacy Policy document that is made available
to anyone who requests it. Upon request, the organisation must tell
an individual the kind of information it holds, the purposes for
which it is held and how it collects,
holds, uses and discloses that information.
ACCESS AND CORRECTION.
Upon request, an organisation must take reasonable steps to ensure
the information it holds is accurate, complete and up to date and
to correct it where necessary.
IDENTIFIERS.
An organisation cannot adopt, use or disclose an identifier that
has been assigned to an individual by a Commonwealth government
agency.
ANONYMITY.
Wherever lawful and practicable, individuals must have the option
of not identifying themselves.
TRANSBORDER DATA FLOWS.
An organisation in Australia may only transfer personal information
to a foreign country if the recipient has appropriate privacy protection
measures in place.
SENSITIVE INFORMATION.
Organisations are subject to special restrictions in the collection
and handling of sensitive information, including health information.