top of page

Policy Management

Privacy Policy

 

At White Rose Loan Processing (White Rose LP), we are committed to protecting your privacy and the privacy of your clients by the Privacy Act 1988 (Cth) and Privacy Amendment Act 2012 (Cth). This Privacy Policy describes our current policies and practices concerning handling and using personal information.

From time to time, we may review and update this Privacy Policy, including considering new laws, regulations and technology. All personal information held by us will be governed by our most recent Privacy Policy, posted on our website at: www.whiteroselp.com.au

Throughout this Privacy Policy, "White Rose LP" refers to the business services provided by White Rose Loan Processing (also referred to as "we", "us", or "our").

 

Collection of personal information

  • In providing services to our customers, we may collect relevant and necessary personal information to perform the tasks we are engaged in.

  • For example, as a service provider, we are subject to requirements to obtain and hold detailed information which personally identifies you and/or contains information about you (“personal information”). In addition, to provide you with a comprehensive service, we need to obtain certain personal information about you or your clients. 

  • All our employees are located in Australia only.

 

The kinds of information we collect

  • This information may include personal information such as date of birth, marital status, address and other contact information, financial information such as pay slips, bank statements, and information concerning assets and liabilities such as property titles and mortgages.

  • We may also obtain information from third parties such as credit agencies as directed by our clients.

 

How we collect information

  • In most cases, our client will provide us with the information we are required to collect or process, as they will have obtained it previously from their customer. We may also obtain information from third-party sources such as credit agencies when authorised to do so.

  • We may also contact an individual directly to obtain information on behalf of our client or a financial institution where it is appropriate and lawful to do so.

  • Before collecting information, we will confirm that our client has obtained consent from the individual to provide us with the information and/or to obtain it on their behalf (by way of a signed form) or by confirming contractually that they have done so.

  • Where we receive unnecessary information or information in error, the information is removed, and the sender is notified.

  • Where we receive required information but also contain unnecessary personal information (for example, a tax file number on a payslip), this information is removed or redacted.

 

How we hold and protect your information

  • We keep personal information only for as long as is reasonably necessary for the purpose for which it was collected or to comply with any applicable legal or ethical reporting or document retention requirements. In general, we do not retain personal information – information is protected, stored and processed in online systems to which our client has provided access.

  • We will strive to maintain the privacy of this data on our part. Still, we encourage our clients to ensure best practices and the highest level of online security for personal logins when using these software packages.

  • Any information we may store is solely to provide a service to our client; for example, processing applications for financial products such as home loans, customer service or administration support - is done securely and is deleted once processing is completed. All information is stored and/or transmitted securely.

  • We have a clean desk policy, and information is not printed in hard copy.

 

Use of Personal Information

  • We do not sell, trade, or rent your personal or your customer’s personal information to others.

  • We do not use or disclose an individual’s personal data for any purpose other than the purpose for which it was collected. We will not use the data collected for any other purpose without obtaining the individual’s consent, except where we are required or authorised to do so by law.

  • Where we are required in the course of our duties to provide an individual’s personal information to a third party, we will first ensure that they conform to the Privacy Act 1988 (“Privacy Act”), for example, by reviewing their privacy policy.

 

Disclosure of Personal Information

  • Unless otherwise required by law, we will not disclose personal information for any purpose other than for which it was collected without first obtaining the individual’s consent.

  • Where we are required in the course of our duties to disclose information to another party in Australia, we will first endeavour to establish that the organisation complies with the Privacy Act.

 

Access to Personal Information

  • By calling +61 447 239 705 and providing enough information to allow us to identify you, we will disclose to you the personal information we hold about you. We will also correct, amend, or delete any personal information that we agree is inaccurate.

  • You may complain about a breach of the Australian Privacy Principles by contacting us on our website (whiteroselp.com.au). We will respond to such requests within 30 days of receiving the individual’s enquiry.

  • At the individual’s request (or where it is otherwise appropriate to do so), we will provide any updated information to the provider of that information (e.g., our client).

 

Complaints Procedure

  • Suppose an individual has a complaint regarding how we have managed their personal information, a request for information or a request to update information. In that case, they may, in the first instance, contact us on our website.

  • Otherwise, they may request that we attend dispute resolution and may also choose to refer the complaint to the Office of the Australian Information Commissioner – OAIC.

 

Direct Marketing

  • We will not use personal information for direct marketing purposes.

 

Government Related Identifiers

  • We may receive documentation relating to an individual which contains government-related identifiers.

  • Specifically, we may receive the following, which for example, may be required as part of the proof of identity or proof of income in processing an application for a financial product such as a home or investment loan:

    • Tax File Number

    • Drivers Licence Number

    • Medicare Number

    • Passport Number

  • Where this information is not required to be retained, it will be removed or redacted.

 

Your Consent

  • By asking us to assist with your loan processing, customer service and administration support, you consent to the collection, use and disclosures to recipients of the personal information you provided for the purposes described above.

Data Security Policy

 

We are committed to protecting your data at White Rose Loan Processing (White Rose LP). This Data Security Policy outlines behaviours expected of our employees and its purpose to protect information handled and processed by White Rose LP staff.

From time to time, we may review and update this Data Security Policy, including considering new laws, regulations and technology. All personal information held by us will be governed by our most recent Data Security Policy, posted on our website at: www.whiteroselp.com.au

Throughout this Data Security Policy, "White Rose LP" refers to the business services provided by White Rose Loan Processing (also referred to as "we", "us", or "our").

 

Purpose

  • White Rose LP must restrict access to confidential and sensitive data to protect it from being lost or compromised to avoid adversely impacting our customers, incurring penalties for non-compliance and damaging our reputation. At the same time, we must ensure users can access data as required to work effectively.

  • It is not anticipated that this policy can eliminate all malicious data theft. Rather, its primary objective is to increase user awareness and avoid accidental loss scenarios, so it outlines the requirements for data breach prevention.

 

Our Employees

  • In selecting our staff, we will take all reasonable care to ensure adequate security background, understanding of our processes and policies, operational training and supervision.• All staff must sign the Privacy Agreement to maintain private client information.

  • Individual client information will only be known to the Director and an employee responsible for entering data into systems.

  • All employees will receive Data Protection and Privacy Laws training during their induction.

 

Principles

  • Our clients shall provide White Rose LP with access to the information they need to carry out their responsibilities as effectively and efficiently as possible.

 

General

  • Each user shall be identified by a unique user ID so that individuals can be held accountable for their actions.

  • The use of shared identities is permitted only where they are suitable, such as training accounts or service accounts.

  • Each user shall read this data security policy and sign a statement that they understand the access conditions.

  • Records of user access may be used to provide evidence for security incident investigations.

  • Access shall be granted based on the principle of least privilege, which means that each program and user will be granted the fewest privileges necessary to complete their tasks.


Access Control Authorisation

  • Risk evaluation will be based on threats relevant to information handled by White Rose LP.

  • Appropriate infrastructure and systems will be used, with the staff receiving adequate training to mitigate information security risks.

  • Access to our client’s Information Computing Technology (ICT) systems will be given through the provision of a unique user account and complex password. Our client provides User Accounts based on records within their IT department.

  • Role-based access control (RBAC) will be used to secure access to all file share-based resources in Active Directory domains (Google Drive, Microsoft OneDrive, Dropbox etc.)

 

Network Access

  • All White Rose LP employees shall be given network access by business access control procedures and the least-privilege principle.

  • All White Rose LP employees shall only authenticate using the VPN authentication mechanism.

  • Segregation of networks shall be implemented as recommended by the company's network security research.  Network administrators shall appropriately group information services, users and information systems to achieve the required segregation.

  • Network routing controls shall be implemented to support the access control policy.

 

Electronic File Storage

  • We don’t hold paper copies of any client files.

  • We use GoogleDrive, Microsoft OneNote or Dropbox for Business in our clients’ data storage and Microsoft 365 for all email services. All client files are encrypted in storage and transfer.

  • Sync Files stored in a workstation are encrypted.

  • We will often rename the client file to a standard naming convention, identifying the document and its receipt/processing date.

  • Upon client request or once the client information is processed and files attached/passed to the client, we will remove all client data from our storage systems.

  • We will ensure all data files that might be stored on the hard drive are erased when removing the redundant computer systems.

  • We do not use portable storage devices.

 

User Responsibilities

  • All computer platforms and networks we operate are subject to username and password protection.

  • All users must lock their screens whenever they leave their desks to reduce the risk of unauthorised access.

  • All users must keep their passwords confidential and not share them. All passwords are a minimum of ten characters in length and contain at least one of each: a capital letter, a lower case letter, a number and a special symbol.

  • Each workstation has a screen saver that requires a password re-entry after being idle for 5 minutes.

 

Application and Information Access

  • Users shall be granted access to the data and applications required for their job roles.

  • All users shall access sensitive data and systems only if there is a business need to do so, and they have approval from higher management.

  • Sensitive systems shall be physically or logically isolated to restrict access to authorised personnel only.

 

Access to Personal or Sensitive information

  • Access to data classified as ‘Personal or ‘Sensitive’ shall be limited to authorised persons whose job responsibilities require it, as determined by the Data Security Policy or higher management.

  • The responsibility to implement access restrictions lies with our client’s IT department.

 

Ownership and Responsibilities

  • Data owners are employees who have primary responsibility for maintaining information that they own (our clients).

  • Information Security Administrator is an employee designated by our client who provides administrative support for implementing, overseeing and coordinating security procedures and systems concerning specific information resources.

  • Users include everyone with access to information resources, such as our clients and White Rose LP employees.

Incident Reporting & Investigation

  • Any data security or security incidents breaches are reported to the Director/Founder and the affected client.

  • Any data security or security incidents breaches are investigated to prevent future breaches of future incidents.

 

Enforcement

  • Any user found violating this policy is subject to disciplinary action, up to and including termination of employment.

bottom of page