eftpos Group and related entities
The eftpos group (“eftpos Group”) consists of the parent company, eftpos Payments Australia Limited (ABN 37 136 180 366) and its related entities, Digital Wallet Pty Ltd (ABN 93 624 272 475 AFSL 515270) (trading as “Beem It”) and eftpos Digital Identity Pty Ltd (ABN 80 648 970 101) (offering the connectID solution).
eftpos Payments Australia Limited (ABN 37 136 180 366)
eftpos Payments Australia Limited (ABN 37 136 180 366) (eftpos) operates the eftpos payment system, which is both a debit card payment system and a prepaid card payment system.
“eftpos” is a debit payment system and prepaid card system, which governs and facilitates electronic payment transactions in Australia.
eftpos is trusted by consumers and merchants as a secure, convenient and efficient method of payment. As the Australian domestic debit payment system and prepaid card payment system, eftpos does not have premises outside of Australia, does not provide products or services to persons outside Australia and does not track the behaviours of persons outside Australia in a way that seeks to identify those persons to us. eftpos does interact with counterparties and suppliers outside Australia, including in Europe, the United States of America and across Asia. Those interactions include use of, predominantly, counterparty and supplier employee names and email addresses for business purposes on terms governed by agreements with those counterparties and suppliers.
Digital Wallet Pty Ltd (ABN 93 624 272 475 AFSL 515270) trading as Beem It
eftpos Digital Identity (ABN 80 648 970 101) (offering the connectID solution and referred to in this policy as connectID)
connectID is a 100% owned subsidiary of eftpos and is a digital identity broker or exchange service that makes it easy to share, store and receive your digital identity information online. connectID does not collect personal information (as defined in the Privacy Act) about the individuals whose digital identity information is transmitted using the service but does log digital identity sharing messages between users of the connectID digital identity solution.
Privacy Impact Assessment (PIA) Register
Ref. Dated August 2021 detailed description
PIA eftpos connectID - Privacy Impact Assessment Report v1, including updates on the recommendations from initial draft PIA, July 2021.
Privacy: Transparency Report
Any enforcement body or other entity (including Government and private entities) are required to follow applicable laws and statutes when requesting personal information and data from connectID.
Report Period: 1 July 2021 - 30 June 2022
No requests received.
What personal information do we collect
The personal information we collect differs according to our interaction with you. The categories of interaction and the types of personal information collected and held by us may include:
For recruitment related activities:
- Name, address, date of birth, resume, references, skills and experience information, as well as identity- verification and reference check information;
For business interactions (excluding use by you of the Beem It app):
- Contact information such as your name, company you work for, business address, fixed line or mobile phone number, email address and social media contact information. In the case of sole trader suppliers, we will also collect billing and bank account details. We do interact with counterparties and suppliers outside Australia, including in Europe, the United Kingdom, the United States of America and across Asia. Those interactions use the personal information listed here for business purposes on terms governed by agreements with those suppliers.
For employees of any eftpos group entity using the tools and service providers sourced by eftpos:
- for the calculation and placement of insurances - your name, email address, mobile phone number, gender, age, address and salary information.
- For internal business processes and tools eg project and matter management, risk management, training, performance management in the ordinary course of business – name, user name, mobile phone number, gender, age, address, email address, employment history and related records, superannuation records, tax information including tax file number according to legal requirements, premises surveillance logs and your equipment and tool utilisation transaction history, reports and logs
- For business interaction purposes and BCP in the ordinary course of business – name, user name, email address, mobile phone number
- For finance and payroll, human resource and employee assistance programs in the ordinary course of business - in addition to the above, and only as relevant to the tool use with appropriate access controls and security measures - payroll-related information (base pay and on-costs), address, bank details, personal email address, expense claims, leave details and performance information.
For certification authority services:
- Identification information such as your name, date of birth and place of work and copy of driver’s licence;
For payment processing and provisioning payment products or enabling payment channels:
- Information required for payment processing, such as eftpos transaction and loyalty program information – this is not personal information about cardholders but may identify a sole trader merchant;
- Your name, address and mobile phone number, device ID, location details as well as card details at the time of provisioning a card for mobile payments – this information is deleted as soon as practicable after provisioning, save for the tokenised card and device ID details which are de-identified;
- Payment recipient name, address, mobile phone number, BSB and Account Number and Date of Birth and Place of Birth for person to person payments using eftpos withdrawal and deposit messages;
- User verification for card not present transactions, device ID and other device specific data and geolocation data at the time of use, as well as the card number.
For disputes and chargebacks administration:
- Your name, address and the disputed transaction details.
For entry by you into competitions promoted by eftpos:
- your name, email address, fixed line or mobile phone number, gender, age, transaction receipt information and, for winners, addresses.
Occasionally, we may collect personal information about other individuals from you (e.g. member/vendor employee contact details). If so, we rely on you to inform those individuals that you are providing their personal information to us and to advise them that they can view this policy via our website to see how we handle their information (refer to our contact details below).
How we collect personal information
We collect personal information in a number of ways, including:
- directly from you (if it is reasonable and practicable to do so) for example, when you provide information by phone, in application forms or other agreements, or when you submit your personal details through our group entity websites (eg. for marketing campaigns, certification authority services or complaints) or, for business contact information, through the project management tool used by us in conjunction with our service providers;
- from third parties, in circumstances where it is unreasonable or impractical to collect the information directly from you, for example, from our members (which are banks and retailers and their aggregator service providers) and from other entities that provide payment processing, disputes and chargeback handling and related services for the purposes of the eftpos payment system, including loyalty and data enrichment;
- from publicly available sources of information, such as business social media services;
- when you visit our websites (refer below for details on information collected through use of our websites); and
- for employees of any eftpos group entity, from you, other employees, from your publicly available information, employment activities and from financial management or other business-related management tools used by us in conjunction with our service providers or in the ordinary course of business.
How we use your personal information
Your personal information may be used for any of the following (in addition to specific uses notified to you in a separate privacy collection statement provided at or about the time of collection):
- verification of your identity (eg. for certification authority services or for marketing competition winners);
- providing you or, where you work for an eftpos Member or participant entity or partner counterparty, your employing entity with documents and information relevant to your or your entity’s participation in any of the eftpos payment system, the Beem It app or the connectID digital identity scheme;
- providing you with information about or delivery of our products or services or such services ancillary to or necessary for those products or services (including in accordance with marketing campaigns);
- providing you with information promoting our products and services if you choose to receive that information and for marketing campaigns, you have expressly informed us of your desire to receive such information;
- payment processing services, product provisioning, loyalty program support, administration of our business, business analysis, dispute resolution, to prevent or minimise fraud or meet any legal obligations imposed on us;
- statistical or other analysis or similar research purposes, whether or not for product development;
- maintenance and development of our business systems and infrastructure, including monitoring performance, testing and upgrading of these systems;
- for employees:
- enabling calculation and placement of insurances;
- providing risk management, financial management, human resource management, training support, performance management, and employee assistance programs in the ordinary course of business, (each a Purpose).
connectID does not retain in a record the digital identity information that passes through the connectID broker solution. However, connectID does retain the metadata related to such information message exchanges for the purposes required under legislation applicable to digital identity services and to verify that an exchange of identity information has occurred. (Note: Metadata is data providing information about one or more aspects of data, such as basic information about data which can make tracking and working with specific data easier. An example includes the means of creation of the data. While this will include a description of the nature of the identity information exchanged IT DOES NOT INCLUDE THE IDENTITY DATA ITSELF and it is not possible to identify an individual based on the connectID exchange transaction logs alone). Users of the connectID digital identity broker service may use your personal information which is passed through the service for various purposes. Please refer to the websites of your authorised identity service provider (eg bank, utility provider, government entity etc) and authorised relying party (anyone you have authorised to seek access to your personal information from your identity service provider) for their privacy policies which will explain how they handle your personal information.
If we receive personal information about you that we did not ask for, then we will take reasonable steps, in a reasonable time after receiving the information, to determine whether the information is required for any legitimate business purpose involving you and if not, to lawfully destroy the information.
Your privacy and personal information is important to us and we will do each of the following:
- take reasonable steps to ensure the personal information that we collect, use or disclose is accurate, complete and up-to-date and relevant to the use or disclosure;
- facilitate anonymity or pseudonymity where possible, unless it is impractical in the circumstances;
- take reasonable steps to protect your personal information from misuse, loss and unauthorised access, modification or disclosure. This includes physical and logical security measures such as premises, infrastructure and database access restrictions, de-identification of data where possible and encryption of data in transit and at rest;
- take reasonable steps to destroy or permanently de-identify personal information if we no longer need it for any legitimate business purpose.
When we disclose your information
We will disclose your information:
- where you have consented to that disclosure, including where you have authorised a third party to seek information about you for the provision by them of products and services to you;
- for a Purpose to our service providers, including:
- website hosting in Australia in respect of “cookie” information;
- database hosting in Australia, the United States of America, the United Kingdom and The Netherlands;
- product and application testing in Australia and Taiwan;
- payment processing service providers located in Australia and the United States of America and dispute and chargeback service providers in The Netherlands and the United Kingdom;
- project collaboration with our counterparties and suppliers in Australia, Germany and the United States of America;
- identity and reference checks in Australia and to a prospective employee’s country of origin;
- internal business process database hosting and support services (eg finance, expense management and payroll tools) in Canada, India, Philippines, in the countries of the European Union (e.g., France, Spain, Italy, and Romania)
- website hosting in Australia in respect of “cookie” information;
- website hosting in Australia in respect of “cookie” information;
We have entered into agreements with each of these entities which require compliance with the Privacy Act 1988 (C’th) and include provisions designed to give your personal information at least the same level of protection as we provide;
- for a Purpose to:
- eftpos payment system members (which are banks, independent acquirers and retailers and their aggregator service providers), as necessary, to enable us to provide any of our products or services to you or answer enquiries and administer governance activities related to our rules.
- participants in the digital identity broker solution for the purposes you have authorised them to seek or provide your personal information.
These entities are also bound by the Privacy Act 1988 (C’th) and have their own privacy policies, and will observe these when using your personal information;
- where we are required or authorised to do so by law, including in response to a lawful request by any government, regulatory body or enforcement agency;
- where it is necessary in order to investigate an unlawful activity;
- where it is necessary to prevent a serious and imminent threat to a person's life, health or safety, or to public health or safety;
- from time to time, we may inform you that your information including personal information, has been shared between eftpos Group entities for the same primary purpose for which it was disclosed to the eftpos Group entity, primarily for day-to-day business and operational purposes, and we will seek your consent to any secondary purposes; and
- if required to entities involved in connection with a corporate merger, consolidation, restructuring, the sale of substantially all of our interests and/or assets, or other corporate change requiring the transfer of assets, including during the course of any due diligence process, to the purchaser or surviving entity.
Trans-Border Data flow
It is possible that the overseas entities which we share your personal information with may not be subject to foreign laws that provide the same level of protection of information as in Australia or may not be subject to any privacy obligations. Overseas entities may be required or compelled to disclose your personal information to a third party such as an overseas authority. You may not be able to seek redress in the overseas jurisdiction against the overseas entity. If we ask and you consent to us disclosing your personal information to an overseas entity and that overseas entity breaches the Australian Privacy Principles, we will not be accountable for that breach under the Privacy Act and you will not be able to seek redress in respect of that breach under the Privacy Act. Therefore, if we transfer or provide access to your personal information to a recipient outside Australia, we will impose, and review compliance with, obligations on that recipient to comply with the Privacy Act 1988 (C’th) and include provisions designed to give at least the same level of protection for your personal information as we provide.
Information collected from any eftpos Group entity website
We collect information about the websites and the services, including the number of visitors, when the visits occur, how many pages are viewed and navigation patterns. We may also collect and store your Internet Protocol (IP) address. We get this information from 'cookies', which are a website tool commonly used to identify website users' computers. In these circumstances, it is impractical for us to collect the information directly from you. Knowing this information allows us to ensure that the information and services available through the website are relevant. We may use this information to obtain statistical information, which helps us evaluate and enhance the website. We may also send session numbers and keys as cookies to ensure that your connection, when using our online services, is kept as secure as possible.
It is the eftpos Group’s policy not to sell or pass on any information recorded about your visit to the website for commercial purposes unrelated to any Purpose, unless we have your express consent.
If you decline to provide us with certain personal information when requested (for example, refusing cookies in your browser), the website may not operate optimally or at all.
We also use your IP address to help diagnose problems with and to administer our website. No attempt is made to link any IP address with any individuals that visit the site.
Where our website contains links to other sites, we are not responsible for the information handling practices or content of these external sites. We also maintain several email lists to keep you informed about areas of specific interest. You may request to join our mailing lists by signing up through our website or by contacting us. You may also unsubscribe from any email list at any time.
Any personal information collected from emails to the whistleblower contact address on our website is used for purposes required by law in respect of those emails, our published Whistleblower Policy and for statistical purposes.
We do not sell, rent, loan, trade, or lease any addresses or other information on our lists, or any other personal information that we may collect or hold, to anyone, unless you have provided express consent.
Access to your personal information
You can request access to the personal information we hold in a record about you. Your request must be in writing and include proof of identity. We may charge a fee for the staff time and any expenses incurred to respond to your request and provide the requested information to you. If it is not possible for us to provide you with access as requested, we will tell you why.
If you think that any personal information we hold about you is not accurate, complete and up-to-date, you may ask us to amend your details. We will take reasonable steps to amend your personal information as you direct, unless we reasonably consider that your information is already accurate, complete and up-to-date, in which case we will tell you why.
If you are not satisfied with our response to your complaint, you can refer the matter to:
Director of Complaints,
Office of the Australian Information Commissioner,
Level 3, 175 Pitt Street,
GPO Box 5218,
Sydney NSW 2001.
Telephone: 1300 363 992
Facsimile: +61 2 9284 9666
You can contact us by writing to us at Level 11, 45 Clarence St, Sydney NSW 2000 or by email at email@example.com or by contacting us at (02) 8270 1800 and asking for the Privacy Officer.
Approved by the eftpos Board of Directors on: 29 April 2021