Privacy and Credit
Effective from November 2021
Privacy and Credit Reporting Policy
Latitude Financial Services Limited (and our related entities) (“Latitude”), 8 Tangihua Street, Auckland Central, Auckland, New Zealand, take our obligations for protecting personal information seriously. We are bound by, and will abide by, the requirements of the Privacy Act 2020.
You may interact with us anonymously or by using a pseudonym if the interaction is general in nature. However, if the interaction is specific to an account or relates to your personal information, we will need to identify you before we can engage in further discussions and correspondence.
What Personal Information do we Collect and Hold
We offer a wide range of products and services and as a result, we collect and hold a range of personal information including 'biometric information' from and about people (particularly people who wish to purchase our products or use our services).
In the process of conducting our businesses, we are likely to collect a broad range of information about our customers, prospective customers, employees, prospective employees, contractors, suppliers, brokers, introducers, agents, service providers and the people who run the businesses we deal with. This information can include such things as contact details, financial information and supporting documentation (including credit history details), identification information including facial biometric data (a photo/a selfie video), transaction history information, billing information, banking details and personal references. In order to satisfy our legal obligations, we may need to retain that information even after a transaction has come to an end (subject to our obligations under the Privacy Act and Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (AML/CFT Act) or any other applicable Act).
How we Collect Personal Information
Wherever it is possible and practical to do so, we collect personal information directly from the person concerned. For example, we will collect personal information when a person deals with us in person or over the telephone, sends us a letter, e-mail or fax, or gives or sends us a completed form (such as an application form). There may be occasions, however, where we need to collect personal information we require for a particular purpose from a third party. This might occur, for example, where it is important for us to obtain personal information from an independent third party or from a Merchant who you choose to use one of our services or products through.
Why we Collect and Hold Personal Information
We collect this information in order to undertake and complete the many transactions we have with our customers, suppliers, and other parties with whom we do business, to administer the products we provide and to maintain the business relationships we have that enable us to carry on our business. Personal information collected may also be used to:
- provide you with product(s) or service(s),
- verify your identity,
- improve the services and products we provide,
- keeping our customers informed of the products and services we have, which may include using it for direct marketing purposes,
- to meet our legal and regulatory requirements under various legislations such as the Privacy Act 2020, Anti-Money Laundering and Countering Financing of Terrorism Act, Credit Contracts and Consumer Finance Act, any other applicable legislation or regulation.
Other Organisations we Disclose Personal Information to
In providing and managing our products and services, we contract with other businesses and may disclose personal information to them in the process. These organisations provide services to us and may need access to the personal information we hold in order to enable them to perform those services. We require these companies to adhere to our strict confidentiality requirements for handling personal information and also seek to ensure that they adhere to the requirements of the Privacy Act.
We may disclose your personal information to third parties , such as advisors, lawyers, accountants, acquirers (or potential acquirers) of all or any part of our business (including our related entities within the Latitude Group), or resellers who sell our services, or business partners with whom we exchange customer data for the purposes of providing our services to you, including to debt collection agencies for the purposes of collecting debts, or for the purposes of due diligence enquiries or in order to run the business or part of the business acquired.
We will disclose your information to any person authorised by you any other person authorised by the Act or another law (e.g. a law enforcement agency).
Some of the third parties to which we may disclose your personal information may be located outside of New Zealand. Where they are located outside of New Zealand we ensure they will handle your Personal Information in accordance to the Privacy Act.
How to Access and Correct the Personal Information we Hold about you
If you wish to obtain details of your personal information that we hold, please contact using the 'Contact Us' table at the end of this policy. There is no charge to request access to your personal information. Subject to certain grounds, we may refuse access to your data, however, we will advise you the reasons why.
If you wish to request correction to the personal information we hold, we will correct your personal information. If we do not make the correction, we will take reasonable steps to note on the personal information that you requested the correction.
To correct your personal information please contact us using the table below. Your request should provide evidence of who you are and set out the details of your request (e.g. the personal information, or the correction, that you are requesting).
We may charge you our reasonable costs of providing to you copies of your personal information or correcting that information.
How you can Make a Complaint regarding your Personal Information
If you believe that we have failed to comply with the Privacy Act, please contact us by using the table below or visiting https://www.gemfinance.co.nz/complaints/ or https://help.genoapay.com/hc/en-nz/requests/new?ticket_form_id=360001435393 and we will then follow our Internal Dispute Resolution process to review your concerns.
If the complaint remains unresolved, you may refer it to Privacy Commissioner who will independently and impartially review and resolve the dispute.
The contact details for the Privacy Commissioner are:
Office of the Privacy Commissioner
PO Box 10094
Phone: 0800 803 909
Fax: 04 474 7595
Your Personal Information and emails
If you send us an e-mail we will store and make use of your name, address and other information about you contained in your e-mail and in any attachments. When you submit feedback or questions via e-mail, it is very important that you do not disclose any details that could be used by others to gain access to your account. This includes private details such as your username, password or card number.
If you receive an e-mail from us, you should only re-transmit, distribute or commercialise the material or information in the e-mail if you are authorised to do so (under the Privacy Act or otherwise).
Your Personal Information on the Web
We do not collect personal information about you when you visit our web sites unless you apply for credit online or register for access to one of our Online Service Centres.
Your Personal Information and Direct Marketing
By providing us with your personal information, you agree to us using that personal information for the purpose of informing you about our products and services, or providing your information to our related entities within the Latitude Group and third parties we have dealings with to market our products and services or to market their products and services to you. If you do not wish to receive marketing materials from us, please complete the opt-out provision on the marketing information sent to you or contact us using the table below. If you choose not to receive any marketing materials from us, you acknowledge you may miss out on special product and service offerings and opportunities.
Tracking Information on the Web
For statistical purposes, we collect information on website activity such as the number of users who visit our websites, the date and time of visits, the number of pages viewed, navigation patterns, what country and what systems users have used to access the site and, when entering one of our websites from another website, the address of that website. This information is obtained through the use of ‘cookies’ (refer below for more information about ‘cookies’).
Our websites may also contain links to other websites. While these links are provided for convenience, if you are navigating these sites please be aware that the information handling practices of the linked websites may differ from ours. While we try to link only to sites that share our high standards and respect for privacy, we are not able to guarantee the privacy practices of other websites.
Protecting your Personal Information
We will take reasonable steps to keep your personal information safe from loss, unauthorised activity, or other misuse. You must take care to protect your personal information. You should also notify us via our contact details listed below as soon as you become aware of any security breaches relating to your account.
Whenever personal information is sent via our website we use high security levels to protect it. These security levels are standard for internet banking and large scale e-commerce sites and involve the use high levels of encryption. The security level of a web page can be viewed by clicking on the internet browser's padlock or key icon.
Your browser can be individually set to accept all cookies, reject all cookies, or notify when a cookie is sent. If cookies are rejected, there may be limits on how our websites can be used.
From time to time we place advertisements on other websites. This may involve installing a cookie on a computer when our advertisement is viewed. This simply allows us to keep track of how many unique visitors we have to our site and from what advertisements they entered.
To evaluate the effectiveness of our website advertising, we may use third parties to collect statistical data. No personal data is collected on these occasions.
Online Service Centres
When you register for access to one of our Online Service Centres (including our mobile app), the information collected is compared with the details we already have stored, such as your name, date of birth and card number, which we have previously collected from you so we can verify that you are the person seeking access to your personal information. If you do not provide the information requested, you will not be able to access the Online Service Centre.
Credit Reporting Policy
The Credit Reporting Privacy Code permits credit providers like Latitude to share information with credit reporting agencies, on an ongoing basis. This means that Latitude may provide credit reporting agencies with certain credit related information about its customers’ accounts, such as:
- type of credit account e.g. credit card
- amount of credit extended (but not current balance)
- status of account e.g. open (including account open date)
- details of credit provider i.e. the lender who provided the credit
- monthly reporting of repayment history e.g. whether an account was paid on time, and
- changes in personal details such as address, contact details, etc.
For further information on comprehensive credit reporting, please see the following website www.privacy.org.nz/privacy-act-2020/codes-of-practice/crpc2020/
Privacy Impact Assessment
The purpose of this document is to provide customers with a high-level overview of the privacy impact assessment completed by Latitude Financial Services Limited (Latitude) while adopting a biometric identity verification tool to on-board new customers. The document highlights how this tool meets Latitude’s needs, enables better customer outcomes while ensuring any privacy impacts have been considered and mitigated by Latitude and APLYiD (third party providing biometric identity verification service). This document may be amended from time to time as technology and user cases evolve.
This report is effective from July 2022
Purpose for collection
Latitude takes its obligations for verifying an applicant against their claimed identity under the AML/ CFT Act 2009 (the Act) very seriously. The Act requires all entities to verify an applicant’s name, date of birth, and address against their claimed identity before forming a relationship with them, either electronically or face-to-face.
Additionally, Latitude may also collect and verify personal information including facial biometric to counter identity fraud and minimise security risk where applicable.
For all failed electronic identity verification (non-biometric check) and fraud identity verification cases, applicants are required to visit a retail partner for a face-to-face verification or provide a selfie photo holding a photo ID document with acceptable certified supporting documents to validate the claimed identity. Latitude also offers an option to complete mandatory AML/Fraud identity verification through the APLYiD (an external software service solution) biometric eIDV tool.
The purpose of biometrics collection is essential to identify and verify the applicants before providing them with credit.
Who do we collect personal information from?
Any credit applicant who is required to be verified under the Act for fraud prevention purposes or applicants who fail the Equifax eIDV check (non-biometric eIDV tool).
The information is collected directly from the applicant, and consent is sought prior to the collection of personal information. Further, the collection is done in accordance with legislative requirements under the Privacy Act.
An applicant can undertake biometric electronic verification evaluation on their smart device through the link provided by Latitude.
What personal information including biometrics is collected?
The applicant fills out the application form to provide their full name, date of birth, address, and links to their government provided identity document. As part of the identity verification process, an image or video selfie of the applicant with the ID document is supplied. The image of the applicant’s face on the driver’s licence or passport is then extracted and matched with the individuals face within the image or video selfie supplied. Based on the matching, an indicative breakdown across segments of the face is generated to demonstrate the degree of identity match. Background sound is also recorded during this process, although customers are not required to record their voice, so no voice biometrics are collected.
Who will personal data be disclosed to?
The APLYiD tool extracts data through the application form, photo or video of the applicant, and identity documents provided to link, and match claimed identity with the applicant across government data sources (such as New Zealand Transport Agency, Department of Internal Affairs) and other public trusted data sources (such as bureaus' databases, comprehensive credit reporting, etc.) available through Centrix and facial recognition. Information is not shared outside NZ and is not used for marketing purposes.
APLYiD : https://www.aplyid.com/nz/privacy-policy
Latitudes Financial Services : https://www.gemfinance.co.nz/privacy/
Retention, storage, and security measures
APLYiD retains and secures uncollected information for maximum seven days period prior to deletion. Data retention is done by Amazon Web Services (AWS) which provides data encryption in transit with HTTPS and SSL to avoid data use or tampering across all services. Further information on APLYiD’s data retention and safety measures can be found: : https://www.aplyid.com/nz/privacy-policy
Once results are available, they are retrieved by a Latitude representative, to download and secure in digital storage. Biometric information is available in pdf format with a photo and converted to a score-based output on biometric parameters. A short selfie video is also captured and stored for the purposes of identity fraud and verification and accessed in situations such as failed fraud verification cases.
Each photo/video requires to be viewed separately to determine identity. It is important to note that for individuals with distinctive facial features such as tattoos and piercings, or those required to wear vestments, head coverings etc for culture reasons, the algorithm is programmed not to classify individuals based on their ancestry or culture and no such biometric data is stored.
Latitude has safety measures in place to protect the sensitivity of biometrics. Amazon Web Services (AWS) are used with data encryption in transit to avoid data use or tampering for data retrieval from the APLYiD database. The data is stored in a digital storage system as per the document retention schedule with security safeguards in place. Only Latitude’s authorised staff can access the stored documents. Latitude has practices, procedures, and systems in place to ensure the protection of personal information we hold and store from unauthorised access, modification, and disclosure.
Access logs are in place which stamps when a file is accessed to ensure access is restricted to authorised staff.
Data Loss Prevention
There are various DLP controls within the Latitude environment to reduce the risk of inadvertent unauthorised disclosure of personal information including biometric information.
Staff are trained on the sensitivity of the information collected, our obligations under Privacy legislation, and also process steps that need to be taken to ensure compliance not onIy with legislative and regulatory obligations, but also with Latitude’s expectations and our control environment.
Access and correction to personal information?
Customers can also correct their personal information on the application before submission in the event that it is incorrectly captured.
AML identity verification process flow chart Identity fraud verification process flow chart