This Statement is in two parts.
Part A addresses our handling of personal information and business confidential information in the course of our business of provision of the payee validation service described at www.eftsure.com.au (the eftsure Service), including use of our internet site to log-in to the eftsure Service.
Part B is general terms that apply to everything that eftsure does.
We will comply with this Statement.
In relation to ‘personal information’ ‘about individuals’, we will also comply with Privacy Laws.
Privacy Laws are the Privacy Act 1988 (C’th), including the Australian Privacy Principles (APPs), and other Australian federal, state and territory privacy and data protection laws, mandatory codes and other mandatory requirements.
Some eftsure customers are agencies or other organisations that are regulated by privacy and data protection statutes of Australian States and Territories. We will ensure that eftsure’s handling of ‘personal information’ about individuals, as entrusted to us by entities regulated by those statutes, also complies with those Privacy Laws.
We will not reduce commitments in this Statement as to our privacy, confidentiality and information security processes, practices and standards.
We may modify or amend other provisions of this Statement from time to time. We will display a notice at www.eftsure.com.au stating when any such revisions have been made.
1 The eftsure Terms and our ongoing compliance
The eftsure Service is as described at www.eftsure.com.au. That description may be changed or updated from time to time by eftsure.
This Statement should be read together with the terms of provision of the eftsure Service (eftsure Terms), which may either be as available at www.eftsure.com.au, or as we and you agree in a written contract, as applicable.
If you are a customer or prospective customer for the eftsure Service you should also read the eftsure Terms. The eftsure Terms set out other important terms on which we provide the eftsure Service to our customers.
2 About this Statement in relation to the eftsure Service
This Part A:
sets out how we collect, use and disclose personal information entrusted to us by our customers or otherwise collected and used by us;
sets out how we collect, use and disclose other personal information that we collect or that is entrusted to us;
states our confidentiality commitments to each customer that entrusts us with recipient names and account numbers for verification. These commitments are:
(1) eftsure will maintain business confidentiality and will only disclose information that an eftsure customer deals with particular persons and entities to the limited extent that disclosure is necessary in the course of verification of a payee’s details on behalf of that eftsure customer, or otherwise at the request, or with express consent, of that customer.
(2) eftsure will only use and disclose payee names and account details for the purpose, and then only in the ways, described in this Statement.
Most of the information that eftsure customers provide to eftsure and that eftsure collects in order to verify payee details is not personal information about individuals. Information about businesses is generally not regulated by Privacy Laws. However, some business information about individuals may also be personal information about individuals.
Eftsure’s data handling processes and systems for collection and handling of payee information are designed for privacy, confidentiality and information security by default and design, and to minimise handling of information about payees. Eftsure handles confidential customer information about payee businesses by applying the same privacy, confidentiality
and information security standards as we apply to our handling of personal information about individuals.
We retain and use details about completed verifications, including failed verifications, only for the purposes and in the ways described in this Statement.
3 Why do payers use the eftsure Service?
The eftsure Service supports some of Australia’s leading businesses by significantly increasing the likelihood that that payments by them go to the right bank account of intended recipients.
Australian inter-bank payment systems do not enable automated checking of payee names against the payee name associated with a bank account. These systems treat the payee name as an information field for recording on account statements, but not a required field for verification or verification of payee name against the name recorded in the recipient bank’s system as the holder of the bank account specified in the payment record. Accordingly, funds may be (inadvertently or through fraud) deposited into an account that is unrelated to the nominated recipient.
The eftsure Service enables an eftsure customer that is a prospective payer to confirm that a payee’s bank account details as proposed to be used by the payer appear to be correct.
eftsure does this either through direct verification or check against previous verifications conducted by eftsure. This substantially reduces possibility of error or fraud.
The eftsure Service provides assurance to:
our customers, being payers proposing to make direct payments to bank accounts of Australian recipients, that the payment should be received and credited by the recipient bank to the correct recipient and that this recipient holds a bank account with the details as verified by us; and
prospective payment recipients, that the business making a payment to that recipient has the correct recipient name and that this recipient name is associated with the correct account details.
The eftsure Service therefore:
reduces risk of adverse consequences that otherwise are likely to arise from operator error or inconsistencies in transcription of payee details from invoices or other source material into payee details as held in accounts payable systems;
reduces opportunities for fraud that otherwise may arise through bank account details being deliberately associated with payee names that are not the holders of those bank accounts;
improves relationships between our customers and their suppliers and other prospective payees, by ensuring that verification happens once and then through a courteous, confidential and trustworthy procedure that includes a proper audit trail;
improves banking relationships, by reducing possibilities of misdirected or incorrectly credited payments;
reduces credit risk. Most banks do not accept contractual responsibility to reimburse their customers for unrecoverable payments that had been credited to a destination account number as notified by their customer where the destination account number is not the intended payee, regardless of whether the intended payee details as entered in the information field of the payment request matched the name of the holder of the destination account number.
4 How is information relating to payees handled by eftsure?
The eftsure Service verifies names, email and other contact and account details and account numbers of prospective payees, as provided by customers for checking.
Verifications are undertaken by one of a number of ways, including enquiry made by eftsure of prospective recipients, cross-verification using records of previous verifications that eftsure has conducted in relation to the proposed recipient, and cross-verification by matching multiple requests made by multiple customers.
Upon request by an eftsure customer (as made through the eftsure Service in relation to a proposed payee), the eftsure Service checks the verification status of that proposed payee. If the prospective payee is not then already verified, eftsure attempts to conduct a verification by enquiry of the prospective payee. Following verification, the eftsure Service as provided that eftsure customer flags the verification result for that particular payee.
Some of eftsure customers make payments to the same payees: for example, the Australian Taxation Office, Australian Post, airlines, electricity and telecommunications service providers, office supply companies and courier companies and so on. eftsure seeks to avoid multiple contacts of the same prospective payee to confirm the same details. Upon receiving a request from a customer for verification of a prospective payee and bank account, eftsure may conduct cross-verification, using records of payee details as formerly verified by us or by matching multiple requests made by multiple customers. If there is a cross-verification match in relation to a prospective payee, we may elect not make a further verification enquiry of the prospective payee. If there is no cross-verification match, we will undertake the verification process described above.
Our verification process depends upon confirmation by a prospective payee of their bank account details or cross-verification as above described. If a prospective payee does not elect to confirm their bank account provide details, or cross-verification as above described is not possible, we cannot complete our verification process.
We retain a record of payee details that are verified, and a record of details that we appear incorrect or unverifiable, for disclosure of verification of those details (but not which eftsure customer requested the verification) to an eftsure customer, including any eftsure customer making an enquiry as to the same payee.
The eftsure Service also maintains records as to amounts paid to payees in order to identify and then flag possible duplicate payments or unusual payment amounts and for associated service assurance, billing and administration by eftsure.
We retain, use and disclose records of the identity of businesses with verified account details and of failed verifications only:
for the purposes described above;
for otherwise related secondary purposes such as data analytics and other statistical analysis as to verifications, maintaining an audit trail as to verifications undertaken and the outcome of those verification enquiries, maintaining business records as required by laws, assisting our customers or banks or law enforcement agencies with investigation of any suspected fraud or other serious wrongdoing, as required by law or otherwise as required or authorised by law, including Privacy Laws.
Except as above described we will not otherwise disclose records of the identity of businesses with verified account details and of failed verifications to any third party unless:
(a) that third party is a group company of ours, in which case we will require that group company to only use and disclose such records in accordance with this Statement, as if a reference in this Statement to us was a reference to that group company;
(b) that third party is a sub-contractor engaged to provide services to us. This may include disclosure to contractors outside of Australia and located in countries whose Privacy Laws do not provide a similar or equivalent level or scope of protection of personal information as Australian Privacy Laws. In this case we will obtain contractual commitments by these sub-contractors to only use and disclose such records for the purposes of providing services to us in accordance with this Statement.
We will not use any personal information about an individual for a secondary purpose unless:
(a) for the purposes described above;
(b) an individual would reasonably expect that we would use or disclose the personal information for that secondary purpose and that purpose is related to the primary purposes for which it was given to us;
(c) that individual has consented to the use of that personal information for the secondary purpose; or
(d) the secondary use or purpose is required or permitted under law, such as in connection with the sale of some or all of our business or assets, or the disclosure is
authorised by the Privacy Laws including to lessen or prevent a serious threat to life or health, to protect the personal safety of the public, if authorised or required by law, if we have reason to suspect that unlawful activity has been, is being or may be engaged in, to enforce the law or where necessary to investigate a suspected unlawful activity, or if we have told an individual that personal information about that individual is usually used or disclosed to third parties in this way.
5 Operation of Privacy Laws
(a) The eftsure Service is provided to assure payers that their payments will go to the correct recipient and prospective payees that payments due to them will be properly credited to their nominated account. eftsure considers that this is a use of payee information reasonably within the contemplation of prospective payees.
(b) As service provider to our customers, we expect upon each customer that entrusts us with proposed recipient names and account numbers and other data, including personal information, to provide any notices and obtain any consents as may be required or desirable to enable the customer to disclose that data, including personal information, to us, so that we may provide the eftsure service in accordance with this Statement and with Privacy Laws.
(c) APP 3.6 provides that an APP entity must collect personal information about an individual only from that particular relevant individual unless it is unreasonable or impracticable for the entity to collect personal information only from the individual. Whether it is ‘unreasonable or impracticable’ to collect personal information only from the individual concerned depend on the circumstances of the particular case, including whether the individual would reasonably expect personal information about them to be collected directly from them or from another source, the sensitivity of the personal information being collected, any privacy risk if the information is collected from another source, and the time and cost involved of collecting directly from the individual. It is not reasonable or practicable for eftsure to verify that each individual in relation to whom personal information (not being sensitive information) is provided to us by a customer is aware that personal information will be provided by that business to eftsure.
6 Access to and correction of personal information
(a) Where we collect personal information from an individual directly, we take steps to ensure that the personal information we collect, use and disclose is accurate, up to date and complete. These steps include maintaining and updating any personal information when we are advised by an individual that their information has changed.
(b) Where we collect personal information about an individual from a third party, we rely on that third party to ensure that information it collects is accurate, up to date and complete, subject however to the verification procedures which are at the core of the eftsure service as above described.
(c) An individual may request access to personal information about that individual that is held by us. Subject to any permitted exception under the Privacy Laws, we shall give that individual access to that personal information.
(d) If an individual notifies us that personal information about that individual as held by us is not accurate, we will take reasonable steps to correct that information. To the extent that we have received any personal information indirectly (for example, from a business for which we act as sub-contractor), we may notify that business that it has received a request from an individual to access or correct the personal information it has provided to us.
(e) If you require access to your personal information, please contact www.eftsure.com.au/contact-us.html. Before we provide you with access to your personal information we will require some proof of identity.
(f) For most requests, your information will be provided free of charge, however, we may charge a reasonable fee if your request requires a substantial effort on our part.
(g) If we refuse to provide you with access to the information, we will provide you with reasons for the refusal and inform you of any exceptions relied upon under the APPs (unless it would be unreasonable to do so).
(h) We take reasonable steps to ensure that your personal information is accurate, complete, and up-to-date whenever we collect or use it. If the personal information we hold about you is inaccurate, incomplete, irrelevant or out-of-date, please contact us and we will take reasonable steps to either correct this information, or if necessary, discuss alternative action with you.
7 Retention of personal information
We retain personal information after we have used the personal information for the purposes for which we collected or received it.
If we retain such personal information, it will only be used for the following purposes:
(a) as required by or under Australian law, or a court / tribunal order;
(b) as required for professional indemnity insurance; and
(c) in accordance with our back-up archive policy.
When no longer required, eftsure uses its best endeavours to ensure that all such information will be destroyed in a secure manner and in a reasonable time frame.
8 How we hold and secure your information
The security of your personal and confidential business information is important to us.
We take appropriate industry recognised steps to prevent personal and confidential business information we hold from misuse, interference or loss, and from unauthorised access, modification or disclosure. This protection includes the use of technologies and processes such as access control procedures, network firewalls, encryption and physical security.
9 How to contact us
(a) If an individual:
(i) would like to access or inquire about any personal information we hold about that individual;
(ii) has a query in relation to this Statement; or
(iii) would like to make a complaint about out handling of an individual’s personal information,
please contact us using the details below.
A: Level 6/122 Walker Street
North Sydney NSW 2060
T: 1300 985 976
(b) If you wish to make a complaint about an alleged breach of the Privacy Laws, we ask that you send us your complaint in writing to the email address listed above. We endeavour to respond to complaints within a reasonable period (usually 30 days). If you are not satisfied with our response, you may make a complaint to the Office of the Australian Information Commissioner by phoning 1300 363 992 or by email at email@example.com.
This Statement was last updated on 9 December 2020.