NPPA and the New Payments Platform
The objects of NPPA are to:
(a) establish and operate the New Payments Platform (NPP) in a manner that promotes the public interest in the NPP by:
(i) ensuring its safe, reliable and efficient operation;
(ii) facilitating fair access to the NPP as mutually owned utility infrastructure;
(iii) ensuring ongoing investment in the NPP to meet the changing needs of financial institutions and users of the Australian payments system.
We work with our members, contracting partners, public regulators and stakeholders and undertake our activities with transparency, fairness, rigour and integrity.
NPPA is bound by the private sector provisions (other than the credit reporting provisions) of the Privacy Act 1988 (Cth) (Privacy Act). Our policy is to comply with those provisions of the Privacy Act. This policy is made in accordance with Australian Privacy Principle 1, and describes NPPA’s policies for handling personal information that we may collect, hold, use or disclose for the purposes of our functions and activities.
What personal information does NPPA collect and hold?
The personal information we collect and hold may include your name, title, business address, other contact details and other information that we consider is reasonably necessary (such as information about your opinions, policies, statements and writings) so we can perform our legitimate functions and activities.
We will not collect sensitive personal information about you unless we have your express or implied consent or if the law otherwise permits it.
Personal information that we collect is stored or held securely by NPPA or in archives maintained by a third party information storage provider.
How is personal information collected?
As well as collecting personal information from you directly or from our members, we collect personal information from oral sources, from correspondence and other written material either sent to us or from publicly available sources of personal information such as newspapers, electronic media, records of proceedings and public registers.
When you visit our website, your domain name is recorded in our logs. This information is used for statistical and web development purposes only. NPPA also collects personal information from this website through receiving subscription applications and emails. NPPA may use external service providers to analyse traffic on this website. Generally, information collected through such analysis is anonymous.
Where we consider that you may not be aware, or would not have expected, that we had collected personal information about you, we will take such steps as are reasonable in the circumstances to let you know that we have collected the personal information, our purpose in collecting it, to whom we would usually disclose the information, and whether it is likely that we would disclose the information to overseas recipients, including the countries in which those recipients are located if it is practicable for us to specify those countries.
Purposes of collecting, holding, using and disclosing personal information
In general, NPPA will use and disclose your personal information for the following purposes:
- to conduct NPPA’s business;
- to provide NPPA’s services;
- to communicate with you and to facilitate communication between members; and
- to help NPPA manage and enhance its services.
Specific purposes include enabling us to communicate with our members and other organisations and individuals involved in the payments industry.
Disclosure of personal information
We may disclose personal information to:
- our members;
- those organisations as required or authorised by law; and
- external parties such as:
  - your representatives, including your legal advisers;
  - our representatives, such as our legal advisers;
  - service providers such as printers and posting services and organisations involved in the provision and maintenance of our business systems and infrastructure; and
  - those organisations where you have consented.
NPPA works closely with other payments industry representative organisations and associations in other countries. Disclosures may occur outside Australia to overseas recipients, in which case we will observe the applicable Australian Privacy Principles. Otherwise, in connection with any specific occasion on which such a disclosure may occur, at or before the time we collected your personal information, it would not be practicable for us to specify the countries in which these recipients are likely to be located.
Where your personal information is disclosed, we will seek to ensure that the information is held, used or disclosed consistently with the applicable Australian Privacy Principles and other applicable privacy laws and codes.
Management of personal information
We will keep your personal information securely, having regard to its nature and source. Arrangements are in place to safeguard the information against unauthorised access, modification, disclosure and interference and from loss and misuse.
We will destroy or permanently de-identify your personal information we are holding when it is no longer needed for the purpose for which we collected it. When we destroy your personal information we will ensure that this is carried out properly and securely.
We train our staff about the requirements of the Privacy Act and the need for compliance with the Privacy Act. Our General Counsel is responsible for NPPA’s overall compliance with the Privacy Act and this policy.
If you would like more information about how we manage your personal information please contact us (see “Contact details” below).
Access to personal information
You may request access to your personal information that we are holding (see “Contact details” below). Before giving you access we may need to establish your identity by sighting some form of identification or asking you some questions.
You may ask us to correct your personal information that we are holding if you believe it is incomplete, inaccurate, irrelevant, out-of-date or misleading. This access is subject to some exceptions allowed by law. For example, we can deny you access where access would:
- be unlawful;
- pose a serious threat to the life, safety or health of an individual or to public health or safety;
- have an unreasonable impact on the privacy of others;
- involve disclosure of a commercially sensitive decision making process;
- prejudice enforcement activities such as criminal proceedings or negotiations with you; or
- reveal certain information relevant to legal dispute resolution proceedings.
We may also deny your request for access if it is frivolous or vexatious.
We will give you reasons if we deny your request.
What about PayID and privacy?
PayID is a secured addressing service operated as part of the NPP. PayID functionality is offered by participating financial institutions to their customers and is designed to provide a number of functional benefits to customers by enabling NPP payments to be simply addressed and easily validated.
If you create a PayID via your financial institution, it will record your personal information in the addressing service. This will include your chosen PayID identifier, your BSB and account number, full legal account name and your name (PayID Information). PayID Information in the addressing service may be used and disclosed as described in the NPP Regulations. Your financial institution will give you information about options for creating a PayID, how you can create your PayID, how it may be used, and how you can make changes to your PayID Information.
NPPA uses a third party, which is a global leader in financial messaging and data management, to securely store all PayID Information, and to operate and manage the addressing service in accordance with all relevant data security standards and privacy requirements. NPPA does not have access to personal information in the addressing service. Only financial institutions participating in NPP have access to PayID Information. If you have any questions about how your personal information is collected, stored, used or disclosed as part of the PayID service, you should first contact your financial institution.
Complaints about privacy
If you believe NPPA has breached its obligations under the Privacy Act, you may complain to the General Counsel at NPPA.
Your complaint may be made by mail or email (see “Contact details” below).
We will acknowledge receipt of your complaint within 2 business days and will attend to your complaint and endeavour to resolve it within 14 business days. If, after this, you are not satisfied with the outcome, you are entitled to complain to the Federal Privacy Commissioner.
The office of the Privacy Commissioner can be contacted on 1300 363 992 or via the Commissioner’s website at https://www.oaic.gov.au/about-us/contact-us/.
We are unable to handle or assist you with a privacy complaint involving a financial institution which is an NPPA member.
If you have a privacy complaint about an NPPA member, you should make your complaint directly to the organisation or financial institution concerned.
Contact details
NPP Australia Limited
Suite 4, Level 9, 420 George Street
SYDNEY NSW 2000
Need more information?
If you would like more information about privacy and the Privacy Act (including the Australian Privacy Principles), you can access the Privacy Commissioner’s website at https://www.oaic.gov.au/privacy/.