NHFIC is committed to protecting the personal information it holds. NHFIC is an ‘agency’ as defined under the Privacy Act 1988 (Cth) (the Privacy Act). This means we are subject to the Australian Privacy Principles (APPs) in the Privacy Act, which set out standards, rights and obligations for
agencies in relation to handling, holding, accessing and correcting personal information.
Personal information, as defined in the Privacy Act, means any information or an opinion about an identified individual, or an individual who is reasonably identifiable:
a) whether the information or opinion is true or not; and
b) whether the information or opinion is recorded in a material form or not.
NHFIC’s operations are governed by the National Housing Finance and Investment Corporation Act 2018 (Cth) (NHFIC Act) and the Investment Mandate (available via www.nhfic.gov.au).
Under the NHFIC Act, NHFIC’s primary purpose is to improve, directly or indirectly, housing outcomes for Australians.
NHFIC’s functions under the NHFIC Act are:
a) to make loans, investments and grants to improve, directly or indirectly, housing outcomes;
b) to determine terms and conditions for such loans, investments and grants;
c) to provide, to registered community housing providers, business advisory services and other assistance in capacity building;
d) to undertake any other functions conferred on the NHFIC by the NHFIC Act or any other Commonwealth law; and
e) to do anything incidental or conducive to the performance of the above functions.
If you would like further information about the products and services we offer, please contact us at here.
Why we collect personal information
Broadly, we collect personal information to provide the financial products and services we offer and to manage our rights and obligations in relation to those products and services. We may also collect personal information for secondary purposes such as to enable us to develop, establish and administer alliances and other arrangements with other organisations in relation to the promotion and administration of our functions.
We also collect personal information to enable us to:
• develop and identify products and services that may interest you;
• conduct market or client satisfaction research;
• develop, establish and administer alliances and other arrangements with other organisations (including financiers and other insurers) in relation to the promotion, administration and use of our respective products and services;
• facilitate staff recruitment, performance management and professional and personal development; and
• provide assistance to other Commonwealth entities in relation to the operation and administration of financial arrangements and agreements of those Commonwealth entities.
The type of personal information we collect
Financial assistance and related services
We collect personal information for the purposes of providing, in accordance with the provisions of the NHFIC Act, financial assistance and related services, including to community housing providers, States and Territories and local governments. Generally, the type of personal information NHFIC collects includes the name, position, and contact details of individuals forming part of, or working
for, the clients, consultants and contractors that NHFIC is providing financial assistance and related services to (such as individuals within community housing providers, State/ Territory entities and local governments).
We collect personal information about our employees for the purposes of staff recruitment, performance management and professional and personal development, as well as general staff administration functions such as payroll operations.
This personal information may include an employee’s name, address, contact details, date of birth, gender, qualifications, occupation, employment history, next of kin, financial information (including tax file number and banking details), performance agreements and appraisals, conduct, salary and allowances, superannuation details, leave details, references and character checks, and security checks.
Where relevant, we collect and hold some types of sensitive information relating to our employees. This may include personal information about an employee’s racial or ethnic origin, membership of a political association, membership of a professional association, membership of a trade union,
criminal record or health information.
We collect, hold, use and disclose personal information (including sensitive information) about our employees, in a manner consistent with the APPs.
NHFIC contractors and suppliers
We collect personal information about contractors and suppliers we engage to provide goods and services. The information relates to individual contractors and suppliers, and the employees/ specified personnel of entities that are contracted to provide or supply us with goods and services.
The purpose of the information is to enable us to select contractors and suppliers and to effectively manage its services and consultancy arrangements.
This personal information may include name, address, contact details, employer, previous projects undertaken, financial background, references, payment details, security checks and performance assessments.
How we collect personal information
NHFIC collects personal information in the following ways:
• from entities applying to receive financial assistance and related services from us. Such entities will be required to supply us with information so we can assess their eligibility for assistance, and then if assistance is approved, provide that assistance and/or facilitate business advisory
services. Personal information may relate to the entity’s employees, consultants and contractors. Where it is reasonably practicable to do so, we collect this information directly from the individuals concerned;
• from prospective employees as part of our recruitment processes. New employees provide further personal information on joining our organisation, which is added to during the normal course of their employment with us;
• from contractors and suppliers provided as part of our procurement processes. Contractors and suppliers may provide further personal information to us in giving effect to their contract;
• through our representatives, advisers and third parties;
• from credit reporting agencies and from financiers and representatives of the individual to whom the information relates;
• from State and Territory Registrars of Community Housing; and
• from other sources including publicly available records (such as community housing provider or local government websites) and other third parties (such as referees of prospective employees or potential contractors or suppliers).
Depending on the circumstances, reasonable steps will be taken to ensure that the individual concerned is, or has been, made aware of:
• our identity and how to contact us;
• the fact and circumstances of collection;
• whether the collection is required or authorised by or under law;
• the purposes of collection;
• the consequences if personal information is not collected;
• the personal information we collect;
• whether we are likely to disclose personal information to overseas entities, and if practicable, the countries where they are located.
We will only collect sensitive information about an individual if:
• the individual has consented and the information is reasonably necessary for one of more of NHFIC’s functions or activities;
• the collection is required or authorised by or under law;
• it is unreasonable or impracticable to obtain the consent of the individual about whom the information concerns, and the collection is necessary to prevent or lessen a serious threat to the life, health or safety of any individual, or to public health and safety;
• we have reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to our functions or activities has been, is being, or may be engaged in, and we reasonably believe that the collection is necessary for us to take appropriate action;
• the collection is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim; and
• the collection is reasonably necessary for the purposes of a confidential alternative dispute resolution process.
We collect personal information (including contact details) as part of our normal communication processes, including:
• when an individual emails a NHFIC employee;
• when an individual telephones NHFIC; and
• when an individual hands a NHFIC employee their business card.
Individuals have the option of not identifying themselves, or using a pseudonym, when dealing with us unless:
• it is impractical for us to deal will someone who is anonymous or has used a pseudonym; or
• we are required or authorised by or under law to deal only with individuals who have identified themselves.
Collection of personal information via our website
Site visit data
When a user looks at our website, our website hosting provider makes a record of their visit and logs the following information for statistical purposes:
• the user's server address;
• the user's top level domain name;
• the date and time of the site visit;
• the pages accessed and documents downloaded;
• the previous site visited; and
• the type of browser used.
This information is collected to facilitate website and system administration.
We do not attempt to identify users or their browsing activities except in the unlikely event of a criminal investigation, for example, if a law enforcement agency has issued a warrant to inspect our hosting provider's logs.
External sites that are linked to or from our website are not under our control and users should view their privacy statements separately.
Using and disclosing personal information
We use and disclose personal information for the primary purpose for which we collect the information (see above). We may also use and disclose personal information we collect for reasonably expected secondary purposes that are directly related (for sensitive information) or related (for other information) to the primary purpose of collection, or otherwise permitted under the Privacy Act. We also use and disclose personal information for secondary purposes (e.g. for promotional opportunities and administration of our functions) that are otherwise permitted under the APPs, including where:
• the individual consents;
• the individual would reasonably expect the use or disclosure and the secondary purpose is related to the primary purpose;
• the use or disclosure is required or authorised by law or court; or
• the use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
Permitted exceptions under the Privacy Act include where:
• the individual has consented to a secondary use or disclosure;
• the individual would reasonably expect NHFIC to use or disclose their personal information for the secondary purpose, and that purpose is related to the primary purpose of collection, or in the case of sensitive information, directly related to the primary purpose;
• the secondary purpose is required or authorised by or under law;
• it is unreasonable or impracticable to obtain the consent of the individual about whom the information concerns, and the secondary use or disclosure is necessary to prevent or lessen a serious threat to the life, health or safety of any individual, or to public health and safety;
• the secondary use or disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim;
• we have reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to our functions or activities has been, is being, or may be engaged in, and we reasonably believe that the secondary use or disclosure is necessary for us to take appropriate action;
• the secondary use or disclosure is reasonably necessary for the purposes of a confidential alternative dispute resolution process; or
• we reasonably believe that the secondary use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
The people or entities to whom we may disclose personal information include:
• community housing providers, States, Territories, local governments and other entities NHFIC is providing financial assistance and related services to;
• State/ Territory Registrars of community housing;
• commercial financiers;
• external contractors, suppliers or consultants we engage to assist us perform our functions and duties;
• government agencies and departments;
• insurers; and
• anyone to whom we are required to disclose information by law.
We may disclose personal information to third parties by electronic means, including via the Internet.
Except where you have consented, we limit the use and disclosure of any personal information provided by us to third parties to the purpose for which it was supplied to us and related purposes.
If we provide you with personal information about an individual to assist us to deliver our products or services, you and your representatives must only use it for the purposes for which NHFIC has supplied it. Where relevant, you must meet the requirements of the APPs as they relate to the collection, use, disclosure and handling of personal information on our behalf. You must also ensure
that your agents, employees and contractors meet the above requirements.
Provision of personal information to us
If you provide us with personal information about other individuals, we rely on you to have made them aware:
• that you will or may provide that information to us;
• of the purposes for which we use it;
• of the types of third parties to whom we may disclose it; and
• of how those individuals may obtain access to personal information relating to them.
Where the personal information is sensitive information, we rely on you to have obtained the relevant individual’s consent to the above. If you have not done these things, you must tell us before you provide the relevant information.
Security of your personal information
We use a range of measures to protect any personal information we hold from misuse, interference and loss and to protect it from unauthorised access, modification and disclosure.
We maintain physical security such as locks and security systems over our premises and paper and electronic data stores. We also maintain security over our computer network. For example, we use firewalls (security measures for the Internet) and other security systems such as user identifiers and passwords to control access to computer systems.
We also impose contractual obligations regarding confidentiality and compliance with the Privacy Act on third parties that handle personal information on our behalf.
Data breach occurs when personal information (as defined in section 6 of the Privacy Act) held or controlled by NHFIC is lost or subjected to unauthorised access, modification, use or disclosure or other misuse or interference.
If we become aware of a data breach or possible data breach, we will take action in accordance with NHFIC’s data breach response plan. We will notify the OAIC and affected individuals of any data breaches which meet the criteria for an ‘eligible data breach’ as required by the Notifiable Data Breaches scheme (established under Part IIIC of the Privacy Act).
Security of information transmitted via our website
Accuracy and access
We take reasonable steps to ensure that personal information sought and held by us is accurate,
up-to-date, complete, relevant and not misleading. If an individual is able to establish that information we hold about them is inaccurate, outdated, incomplete, irrelevant or misleading, we will take reasonable steps to amend it. If we disagree with an individual’s view about the correctness of the information, we will provide reasons for our refusal to amend the information and, where requested, take reasonable steps to record a statement on our files that the individual has a contrary view. We will respond to a request for correction within 30 days after the request is made. The response will take the form of either amending the information or notifying our refusal to amend the information.
We will, on request, provide you with access to personal information we hold about you (including so that you can request correction of that information) subject to exceptions permitted by law.
For an individual to access personal information we hold about them, we will require the individual to verify their identity and specify the information they wish to access.
If we do not provide you with access to the personal information being sought or refuse to correct the information we hold we will provide you with reasons for the refusal and details of the mechanisms available to complain about the refusal.
Requests for access to personal information should, in the first instance, be directed to our Privacy Officer using the contact details outlined below.
We will respond to a request access within 30 days. The response will take the form of either giving access or notifying you of our refusal to give access. We will not charge individuals for making a request for access or for providing access to personal information.
Opting out of receiving marketing information
If we send you information about products or services that you do not wish to receive, you can inform us that you wish to opt out of receiving that information by contacting us.
If you have a complaint about the way we have treated your personal information please contact us using the contact details outlined below. We will endeavour to understand and resolve your complaint as soon as possible.
Under the Privacy Act, the Information Commissioner has the power to investigate complaints, or acts or practices that may be a breach of privacy even if there is no complaint. If you make a privacy complaint to us about our practice which you think amounts to an arbitrary or unreasonable interference with your privacy and you do not believe that the matter has been resolved satisfactorily, you should write to the Office of the Australian Information Commissioner (OAIC), preferably using the online Privacy Complaint form. Further information about making a privacy
complaint to the OAIC here.
You are able to make a complaint directly to the OAIC rather than to us. In most cases, however, it is likely that the OAIC would refer you to us, in the first instance, to see if your complaint can be resolved without requiring the involvement of the OAIC.
How to contact us
If you wish to:
• obtain access to or seek correction of your personal information;
• opt out of receiving marketing information;
• lodge a complaint about the way we handle your personal information;
• query how your personal information is collected, used or disclosed; or
you may contact our Privacy Officer during business hours at:
Level 10, 22 Pitt Street
Sydney NSW 2000
Telephone: 1800 549 767
We will respond to your query or complaint as soon as possible and will try to resolve any complaint within 5 working days. If this is not possible, we will contact you within that time to let you know how long we estimate it will take to resolve your complaint.
For more general information on the Privacy Act and the APPs:
• visit the website OAIC website here ; or
• contact the OAIC on 1300 363 992 or at email@example.com.