Privacy Policy
Purpose
We are committed to protecting privacy and confidentiality in accordance with the Privacy Act 2020 (“Privacy Act”).
Under the Privacy Act 2020, there are 13 Information Privacy Principles (IPPs) our business must comply with. When collecting, using, disclosing and protecting personal information of any description, we must do so in accordance with the IPPs. The IPPs can be summarised as follows:
- Only collect information the business needs.
- Wherever possible, get the personal information directly from the individual.
- Be transparent about what you are going to do with the personal information.
- Be fair about how you get it.
- Keep personal information secure.
- Enable personal information to be accessed by the person it relates to.
- Enable personal information to be corrected if it is incorrect.
- Ensure personal information is correct before you use it.
- Dispose of personal information securely once you no longer need it.
- Only use personal information for the reason it was collected.
- Only share personal information if you have a good reason.
- Only send it overseas if it will be adequately protected.
- Only use unique identifiers when it is clearly allowed.
It is one of our prime responsibilities that any personal or sensitive information provided to us is not used for any purpose other than that for which it is intended and expected. This Privacy Policy describes other Visory policies and practices for collecting, handling, using and disclosing personal information. This policy also deals with how to complain about a breach of the privacy laws, how individuals can access the personal information we hold about them, and how to have that information corrected as needed.
Scope
This Privacy Policy sets out how our business collects, uses, discloses and protects the personal information we deal with in a way that complies with the Privacy Act 2020. This Privacy Policy applies to Visory (NZ) Limited and its related bodies corporate (as that term is defined under the Companies Act 1993).
What is personal information?
Personal information is defined in the Privacy Act as information that can identify any individual (a natural person as opposed to a company or other legal entity). Common examples of personal information include their name, address, photos of their face, their opinions or views, employment information and financial records.
Visory will not collect any personal information except when the individual has knowingly provided that information to us or authorised a third party to provide that information to us.
Visory may ask for identification information. This information may include but is not limited to name, address, contact details, date of birth, and IRD number.
Visory may collect and hold additional personal information about individuals. This could include transaction information or making a record of queries or complaints an individual makes and, if they make an insurance claim, collecting additional information to assess the claim.
The collection of sensitive information is restricted by the Privacy Act. This includes information about religion, racial or ethnic origin, political opinions, criminal record, and sexual orientation. It also includes health information and biometric information.
Generally, Visory only collects this sort of information if it is necessary to provide a specific product or service and the individual has consented to that collection. For example, we may collect health information about the individual to process a claim under an insurance policy or collect voice biometric information to verify identity or authorise transactions.
What if an individual chooses not to provide some information?
Visory may be unable to provide its services if it does not have all the relevant information it requires to deliver such services, or we may be prevented from complying with our legal obligations. You may also be unable to exercise your legal or contractual rights.
For what purposes does Visory collect, hold, use and disclose personal information?
The main reason Visory collects, uses, holds and discloses personal information is to facilitate the provision of its service offerings, including where we have (Outsourced Provider or third-party agreement) obligations when providing certain services.
This includes:
- checking whether an individual is eligible for the product or service;
- The facilitation of those services or products
- Provide information that you request;
- Provide you with further information about our other products and services
Visory may also use information to comply with legislative or regulatory requirements in any jurisdiction, prevent fraud, crime or other activity that may cause harm in relation to its products or services and to help run the business. Visory may also use information to tell individuals about products or services that it feels may interest them.
We will only use personal information for the purpose for which it was collected. If we need to use personal information for a purpose other than for which it was collected, we will provide information about the new purpose and any additional relevant information prior to using personal information in a new way. This will offer the opportunity to revoke consent to the new use or reapprove.
What service offerings does Visory provide?
Visory understands the importance of a holistic service offering, whereby its clients can see their goals, needs and expectations being met. This approach encompasses:
- KiwiSaver Funds
- Accounting & Bookkeeping
- Business Advisory
How does Visory collect personal information?
Visory collects most of the personal information directly from the individual. This can be done electronically (see section “Does Visory collect personal information electronically?” of this policy for more information).
Visory will not collect any personal information except when the individual has knowingly provided that information to us or authorised a third party to provide that information to us.
Visory also collects personal information about an individual from other areas of its business including sharing information amongst other Visory subsidiaries and related parties or from third party organisations. This may happen without the individual’s direct involvement as authorised through Visory Terms of Business and the Client Services Agreement. For instance, Visory will collect personal information about an individual from:
- publicly available sources of information;
- the individual’s external representatives (including legal adviser, mortgage broker, executor, administrator, guardian, trustee, or attorney);
- the individual’s other Visory representatives (including Accountant, mortgage broker, general insurance broker, business advisory adviser);
- the individual’s employer;
- other outsourced provider organisations, who jointly with Visory, provide products or services to the individual;
- commercial information service providers, such as companies that provide fraud prevention reports; and
- insurers, re-insurers and health care providers
Visory may ask for various kinds of personal information to the extent this information is necessary for us to carry out the activities involved in providing you with products, services and information. The kinds of personal information include, but are not limited to:
- identification information, including but not limited to, name, address, contact details (including phone number, email address and other digital addresses and accounts), date of birth, tax file number as well as information to verify your identity such as driver’s licence, birth certificate or passport details;
- financial information, including but not limited to, your assets, liabilities, income, expenses, bank and direct debit details, KiwiSaver, insurance details and other financial details;
- employment information, including but not limited to, NZBN/Company number, occupation, salary, hours of work, employment history dates;
- transactional information of your dealings with us, including in relation to our products and services, making a record of queries or complaints an individual makes and, if they make an insurance claim, collecting additional information to assess the claim;
- insights, responses to surveys such as experiences and information about your activities, interest, and attitudes/views or other feedback expressed;
- your device information such as device ID, geo-location, computer and connection information, statistics on page views, traffic to and from our websites, ad data, IP address and standard web log information;
- any other personal information that may be required in order to facilitate your dealings with us.
What laws require or authorise Visory to collect personal information?
Visory is required or authorised to collect:
- certain identification information about an individual by the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 and Anti-Money Laundering and Countering Financing of Terrorism Act Commencement Order 2011;
- tax residency information by the Tax Administration Act 1994 and Foreign Account Tax Compliance Act (FATCA)
- an individual’s IRD Number, if they choose to provide it, by the Income Tax Act 2007; and
- certain information in relation to the individual’s application if they have applied for insurance as required by the Insurance Law Reform Act 1977.
How does Visory hold personal information?
Visory strives to maintain the relevance, reliability, accuracy, completeness and currency of the personal information we hold and to protect its privacy and security. Much of the information Visory holds about an individual will be stored electronically in secure data centres, which are in Australia, and owned by either Visory or an external service provider(s). This does not include third parties backing up or mirroring their data in overseas jurisdictions. Some historical information Visory holds about an individual will be stored in paper files and these files may be held in secure offsite storage facilities.
Visory use a range of physical and electronic security measures to protect the security of the personal information they hold. For example:
- access to information systems is controlled through identity and access management;
- employees are bound by internal information security policies and are required to keep information secure;
- all employees are required to complete training about information security; and
- regular monitoring and review of their compliance with internal policies and industry best practice.
Visory takes reasonable steps to destroy or permanently de-identify any personal information after it can no longer be used.
We will not use identifiers assigned by the Government, such as an IRD number or insurance provider number, for our own file recording purposes.
Who does Visory disclose personal information to, and why?
Visory may provide personal information about individuals to external organisations. To protect personal information, Visory enter into contracts with their service providers that require them to comply with the Privacy Act. These contracts oblige them to only use the personal information Visory disclose to them for the specific role they ask them to perform.
Generally, Visory disclose personal information to organisations that help them with their business. These may include:
- Visory agents, contractors and external service providers (for example, mailing houses and technology service providers);
- insurers, re-insurers and health care providers;
- payment systems operators (for example, merchants receiving card payments);
- other organisations, who jointly with Visory, provide products or services to the individual;
- financial services organisations, including banks, superannuation funds, stockbrokers, custodians, fund managers and portfolio service providers;
- debt collectors;
- Visory legal advisers or auditors;
- An individual’s representatives (including their legal adviser, accountant, mortgage broker, executor, administrator, guardian, trustee, or attorney);
- fraud bureaus or other organisations to identify, investigate or prevent fraud or other misconduct;
- IT Service Providers;
- external dispute resolution schemes; and
- Regulatory bodies, government agencies and law enforcement bodies in any jurisdiction.
- Other companies in the event of a corporate sale, merger, reorganisation, dissolution or similar event
We may also disclose an individual’s personal information to others where:
- Visory are required or authorised by law or where they have a public duty to do so;
- The individual may have expressly consented to the disclosure or the consent may be reasonably inferred from the circumstances; or
- Visory are otherwise permitted to disclose the information under the Privacy Act.
Does Visory disclose personal information overseas?
Visory may disclose an individual’s personal information to a recipient which is located outside New Zealand. This includes:
- Any financial institution which the individual holds an account with overseas where they have given Visory permission to make enquiries on their behalf.
- Other members of the Visory Group that are located outside New Zealand, in some circumstances.
Some encrypted data may be backed up or mirrored in overseas jurisdictions by third parties. We will not send personal information to recipients outside of New Zealand unless:
- we have taken reasonable steps to ensure that the recipient does not breach the Privacy Act, and the Information Privacy Principles;
- the recipient is subject to an information privacy scheme similar to the Privacy Act; or
- the individual has consented to the disclosure.
Does Visory use or disclose personal information for marketing?
Visory will use personal information to offer individuals products and services they believe may interest them but will not do so if the individual tells them not to. Visory may offer individuals products and services by various means, including mail, telephone, email, SMS or other electronic means, such as through social media or targeted advertising through Visory’s website.
Visory may also disclose an individual’s personal information to external companies who assist Visory to market their products and services to the individual, such as a mailing house.
If individuals do not wish to receive marketing offers from Visory, they must expressly request Visory not to do so.
Does Visory collect Personal Information electronically?
Visory will collect information from individuals electronically, for instance through internet browsing, mobile or tablet applications.
Each time an individual visits one of Visory’s websites, Visory collects information about the individual’s use of the website, which may include the following:
- The date and time of visits;
- Which pages are viewed;
- How users navigate through the site and interact with pages (including fields completed in forms and applications completed);
- Location information about users;
- Information about the device used to visit our website; and
Visory uses technology called cookies whenever an individual visits a Visory website. Cookies are small pieces of information stored on the individual’s hard drive or in memory. Cookies can record information about an individual’s visits to the site, allowing it to remember them the next time they visit and provide a more meaningful experience.
One of the reasons for using cookies is to offer individuals increased security. The cookies Visory send to an individual’s computer cannot read their hard drive, obtain any information from their browser or command their computer to perform any action. Cookies are designed so that they cannot be sent to another site or be retrieved by any non-Visory site.
Visory won’t ask individuals to supply personal information publicly over Facebook, Twitter, or any other social media platform that we use. Sometimes Visory may invite individuals to send their details to them via private messaging, for example, to answer a question. Individuals may also be invited to share their personal information through secure channels to participate in other activities, such as competitions.
Access to and correction of personal information
Under the Privacy Act, individuals have a right to seek access to information which we hold about them; although, there are some exceptions to this. They also have the right to ask us to correct information about them which is inaccurate, incomplete or out of date. To do so, they must contact Visory.
We do not charge for receiving a request for access to personal information or for complying with a correction request. We do however reserve the right to charge you for all reasonable costs and outgoings specifically incurred in meeting your request for information. In processing an individual’s request for access to their personal information, a reasonable cost may be charged if they have requested access more than once within twelve months. This charge covers such things as locating the information and supplying it to them.
There are some circumstances in which Visory is not required to give individuals access to their personal information. If Visory refuses to give an individual access to or to correct their personal information, Visory will give them a notice explaining the reasons why, except where it would be unreasonable to do so. If we refuse an individual’s request to correct their personal information, the individual also has the right to request that a statement be associated with their personal information noting that they disagree with its accuracy.
If Visory refuses an individual’s request to access or correct their personal information, we will also provide them with information on how they can complain about the refusal.
Prevention of access to personal information may be considered a privacy breach under the Act. If the prevention of access breach meets the serious harm threshold, it is a notifiable breach and will have to be reported to the Privacy Commission within the timeframe set out in section 16 below. Please report any potential refusal of personal information to Visory management responsible for privacy.
Reporting privacy breaches
We work hard to keep all personal information safe. However, despite applying strict security measures and following industry standards to protect personal information, there is still a possibility that our security could be breached. If you are aware of a privacy breach, where there is a loss or unauthorised access or disclosure of personal information, whether or not you think it is likely to cause serious harm, you must notify Visory management responsible for privacy as soon as you become aware of the breach. This will allow us to:
- Seek to quickly identify and secure the breach to prevent any further breaches and reduce the harm caused by the breach;
- Assess the nature and severity of the breach, including the type of personal information involved and the risk of harm to affected individuals;
- Advise and involve the appropriate authorities where criminal activity is suspected;
- Where appropriate, notify any individuals who are affected by the breach (where possible, directly);
- Where appropriate, put a notice on our website advising our clients of the breach; and
- Notify the Privacy Commissioner.
All employees receive training to enable them to identify a privacy breach, how to reduce the risk of a privacy breach occurring and how to respond to a privacy breach if one does occur.
We maintain a Breaches Register to record all privacy breaches that occur in our business, whether or not they pose a risk of serious harm or require us to notify any external parties. It is important that you notify the Privacy Officer as soon as you become aware of any privacy breach, so that the breach can be logged on the Breaches Register and any necessary further action can be considered.
When a notifiable breach has been identified, we are required to report this to the Privacy Commission within 72 hours. The 72-hour timeframe does not factor in business days, so breaches may have to be reported on weekends or holidays. The timeframe commences when we become aware that a notifiable breach has occurred.
We also may be required to notify any affected individuals or the public depending on the circumstances. Failure to notify affected persons may be a further interference with their privacy under the Act and may result in a complaint.
Please notify Visory management responsible for privacy. These will form the basis for our breach register and provide reporting as required.
Penalties for non-compliance with the Privacy Act
Any person who commits an offence against the Privacy Act and is found liable on conviction will be required to pay a fine of no more than $10,000.
Key offences under the Privacy Act are:
- Misleading an organisation to obtain unauthorised access to an individual’s personal information, or have the personal information used, altered, or destroyed.
- Destruction of documentation containing personal information, knowing that an access request has been made in respect of that information.
- Hindering the Commissioner without reasonable excuse in exercising their powers.
- Failing to comply with any lawful requirements of the Commissioner or any other person exercising powers under the Act.
- Making a false or misleading statement to the Commissioner or any other person exercising powers under the Act.
- Misleading an agency or falsely pretending to be an individual, or to be acting under the authority of an individual.
Resolving privacy concerns and complaints
If an individual is concerned about how their personal information is being handled, or if they have a complaint about a breach by Visory, they must contact Visory.
Visory will acknowledge the complaint as soon as practical after receipt of the individual’s complaint. Visory will let the individual know if they need any further information from the individual to resolve their complaint.
We aim to resolve complaints as quickly as possible. We strive to resolve complaints within five business days; however, some complaints can take longer to resolve. If a complaint is taking longer, we will let the individual know what is happening and a date by which they can reasonably expect a response.
If the individual is unhappy with our response, there are other bodies they can go to.
Under the Privacy Act, an individual may complain to the New Zealand Privacy Commissioner about the way Visory handled their personal information.
The Commissioner can be contacted at:
Office of the Privacy Commissioner
P O Box 10-094
The Terrace Wellington, 6143
Phone: 0800 803 909
Email: enquiries@privacy.org.nz
Website: privacy.org.nz
Key Contact
The individual can contact Visory by:
• emailing complaints@visory.com.au
Visory can be contacted in relation to privacy concerns by writing to: Visory, Level 23/600 Bourke St, Melbourne VIC 3000, Australia
Changes to the Privacy Policy
We may change the way we handle personal information from time to time for any reason. If so, we will update this Privacy Policy.
Last updated 31 August 2022