GU Privacy Policy

This information, “Privacy Policy”, explains how we comply with applicable privacy requirements and sets out minimum standards for how we deal with personal information collected and used by the nib Group to maintain individual privacy, including maintaining confidentiality and ensuring security. We may occasionally update this information. You should read this in conjunction with any specific privacy policies for our different businesses and locations, available on their websites, or in privacy notices provided to you based on your relationship with us.

In this Privacy Policy, “we, our, us or nib Group” means nib holdings limited, ABN 51 125 633 856 and its related entities in the nib Group of companies in Australia and other countries including, in the case of the European Economic Area (EEA), nib Travel Services Europe Limited and nib Travel Services IrelandLimited, in the UK, nib Travel Services Europe (UK Branch) and in New Zealand, nib nz limited.

nib Group’s system for complying with applicable privacy requirements includes:

• our commitment to be responsible with your information and treat it with care;

• our adherence to privacyrequirements, including privacy laws, contractual agreements, and our policies and standards;

• our resources allocated to privacy and data protection, including our technology systems and services;

• our procedures to prevent and respond to any data breach, including where required, timely notification to the relevant privacy commissioner and affected individuals as soon as practicable after becoming aware of a breach; and

• our people and the training and education we undertake.

In the event of any conflict between the English language version of this Privacy Policy and other language versions, the English language version will prevail.

The businesses operated by the nib Group of companies provide a range of services, including health, life and travel insurance, health services (including telehealth and treatment purchases if recommended by a health practitioner), National Disability Insurance Scheme (NDIS) plan management and support coordination services, and provide information in relation to health care and health care providers, disability services and other services.

1.1.The types of information we may collect

The types of personal information we collect will depend on your relationship with us, such as whether you are a customer of the nib Group (nib Group Member), website or app user, job applicant, employee (in applicable jurisdictions), a health service provider or another third party (such as a financial adviser or an existing or potential business partner). If you are a nib Group Member, the types of personal information we collect will further depend on the type of product or service (including the type of policy) we may provide to you.

When you deal with us, we may collect personal information about or relating to you such as:

your name, contact details, gender and other information about your circumstances and preferences including health related information such as your diet, lifestyle, demographic factors, medical history and predicted health outcomes;

other information including financial information (such as your salary for certain life insurance products), government related identifiers, residency, travel visa and employment details, employment and income information, professional accreditations, bank account and credit card details, information about your use of our products, services, websites and mobile applications, and in some cases, your biometric information (such as your voiceprint or fingerprint);

where disability services are applicable, information such as details of your disability, physical or mental health and support requirements, identification numbers associated with you, details of your guardian/nominee or support coordinator including names, addresses and contact details; details of your nominated service providers and bank account details for payment of invoices. For more detailed information on how we manage personal information related to disability services provided through our nib Thrive business, please refer to the nib Thrive Privacy Policy, opens in a new tab;

if you hold nib securities, information relating to you and your security holding; and

details about your interactions with us, like phone calls and emails, as well as information about your use of our website or applications using cookies or other digital tracking technology.

1.2.Who we collect this information from

We collect personal information directly from you in several ways, including when you:

• visit our website, apps, or social media pages;

• become one of our representatives or business partners;

• create a nib account;

• apply to receive or use our products and services;

• lodge an insurance claim or where one is lodged on your behalf;

• are employed by us or apply for a role with us;

• visit our premises, and are recorded through surveillance devices, such as security cameras or CCTV installed at our offices;

• In some cases, we may collect personal information about you from other individuals or organisations when it is not reasonable or practical to collect it directly from you, when you have authorised us to do so, or where permitted by law. Where applicable, we will inform you of the specific source. You authorise us to collect information about you from: your travel insurer when you take out an applicable travel insurance policy with us;

• your healthcare providers, such as your general practitioner, specialist doctor, or the hospital involved in your care in connection with your application, claim or membership with nib;

• the recruitment agency involved in your application or employment process with nib;

• persons or organisations legally acting on your behalf, such as:

  • your next of kin, nominated representative, legal guardian or other person acting under a power of attorney; and

  • persons who have arranged insurance cover from nib for or with you (please see section 1.3 below for more detail);

• persons or organisations assisting or representing us, or representatives of those persons or organisations, such as:

• recruitment or vetting agencies; and

• our Authorised Representatives or Distributors (e.g. for travel insurance).

• emergency assistance providers (e.g. for travel insurance);

• analytics service providers that generate insights about you on our behalf; and

• publicly available sources, such as internet search engines or social networking services.

When we collect your personal information, we ensure that we use personal information for the purposes set out in this Privacy Policy. For example, this may be to enable us to contact you about your insurance policy, to process an insurance claim, or, with your consent, to offer our products and services to you or for any other purpose permitted under the law. Information collected from third parties is managed in accordance with this policy.

We may also collect personal information from you about others such as parents and guardians, carers or authorised representatives of third parties.

If you are a recognised health care provider, we may collect your personal information from databases and directories to support our business processes, including to ensure claims are dealt with efficiently, to investigate complaints or to conduct fraud-prevention checks.

Like many companies, we use technology and tools that tell us when a computer or device has visited or accessed our content, including information such as server address or IP address. Those tools include services from search engines and other companies that help us to tailor our products and services to better suit our nib Group Members and potential nib Group Members. Search engines provide facilities to allow you to indicate your preferences in relation to the use of those tools in connection with computers and other devices controlled or used by you. Our mobile applications may also collect precise location information from your device if you consent to the collection of this information, and we will always respect your preferences including if you choose to withdraw your consent at any time.

1.3.Insurance policies with more than one insured person or purchased on behalf of another person

If you have a Couples or Family health insurance policy with us, or hold a policy that has been taken out on your behalf, we may collect your information from the policyholder or person or employer who took out the policy on your behalf. The policyholder will also have access to all the information on the policy, including those of their partner and any dependants.

If you have a travel insurance policy that names more than one adult on your Certificate of Insurance, or where your policy has been taken out by another person on your behalf, we may collect information from them about you.

If you have a life insurance policy that has been taken out by another person (i.e. your employer) on your behalf, we may collect information from them about you.

As a policyholder or person providing information about a nib Group Member or person, we expect, and will reasonably assume, that:

• you have obtained their consent to give nib their personal information, and for us to use that information as set out in this Privacy Policy and as otherwise permitted by law;

• you have told them you have provided their personal information to nib;

• you have made them aware of the information set out in this Privacy Policy and informed them of how they can access nib’s Privacy Policy (e.g., by using the contact information linked in section 2.3 below); and

• you have told them they are entitled to request access to, and correction of, their information by contacting us.

For health insurance, if a policyholder lodges a claim on your behalf, or for travel insurance, if a co-insured adult lodges a claim on your behalf, we act in reliance on the above representations given by that person. Unless you tell us otherwise when we notify you of the claim lodgement, we assume you have given your consent to the policyholder or co-insured to provide all the information we need to process your claim.

In relation to disability services we provide that may involve authorised representatives, such as if a family member or support coordinator acts on your behalf, we rely on representations made on your behalf. If you ask us to assist with management in relation to these services, we will ask you to provide your consent to share your personal information with third parties.

For life insurance, if a beneficiary of your policy (or their representative) lodges a claim on your behalf, we act in reliance on the above representations given by that person.

1.4.If you do not provide us with your personal information

You may choose not to provide us with your personal information. There are some circumstances where you can deal with us anonymously or use a pseudonym, such as if you are seeking general information about our products or services rather than a customised individual quote. Where we do not have your personal information (or personal information of an insured person, a participant of special services, a person requesting assistance or accessing products/services), or if you have withdrawn consent (when consent is the primary legal basis for handling your information), we may not be able to contact you, process your requests or employment application, or provide our services to you including providing insurance or other assistance, processing an insurance claim or paying invoices.

2.1. How nib uses your personal information

Generally, we use your personal information for our business and activities, and in our efforts to expand and improve our business. Examples include:

• to identify you, and respond to and process your requests for information and provide you with a product or service;

• to provide access to member platforms, including the nib App and the Online Member Account;

• to determine your eligibility to provide or receive a nib Group health, life, living or related product or service, or a travel insurance service, including to determine any existing medical conditions, and to manage our relationship with you including where relevant, providing you with a quote or managing insurance related and other services being provided by or to you;

• to communicate with you and to administer and provide insurance services, including health management programs, emergency assistance, and other benefits or services included as part of the product or service we provide to you;

• to manage your and our rights and obligations (and those of insured persons) in relation to insurance services, including dealing with you or an insured person in connection with an insurance quote, policy, or claim;

• to provide support coordination and NDIS plan management in relation to disability services, including payment of invoices;

• to recommend updates to insurance policies to ensure adequate coverage for services beneficial to you;

• to administer promotional programmes and scholarships, such as exclusive nib Group Member offers, competitions or university research scholarships sponsored by nib, when you have provided consent as part of your application;

• to conduct business processing functions including providing personal information to our related bodies corporate, contractors, service providers, underwriting partners or other third parties including those making referrals to us and to our strategic, distribution and “white label partners” who market and sell our products and services to their customers under their own brand;

• to prepare internal reports and conduct market research for the purposes of improving our products, services and internal operations, including to improve our online services, manage our servers and websites, and to collect and analyse statistical information;

• to provide you with advice or information relating to your membership, policy or product needs, including insurance needs;

• to manage complaints and disputes, and report to dispute resolutionbodies;

• to operate programs and forums in different media in which you are able to share information, including your personal information, with us and publicly (on the terms applicable);

• to manage, train and develop our employees, business systems, and representatives;

• for a business or professional relationship we may have with you;

• if you apply for employment with us, to consider your application;

• to carry out credit checks, credit reporting and other background checks; for debt recovery purposes; 

• where you are a health service provider or emergency assistance provider, to manage our relationship with you and your relationship with our nib Group Members, which may include engaging agents to perform this function on nib’s behalf. Other ways nib may use personal information of health service providers includes for billing purposes, investigating and resolving nib Group Member or regulator enquiries and complaints, and creating and providing access to directory services and costs information to nib Group Members and other thirdparties;

• to analyse data and generate insights to help us better understand your needs, preferences, or health risks. This may include de-identified data, or identified data where permitted by law, including with your consent where required;

• to provide health services related to telehealth (including treatments recommended by a clinician) offered by Midnight Health Pty Ltd, enabling our nib Group Members to access video or phone consultations with Australian based clinicians;

• to provide services utilising voice commands or recordings to assist nib Group Members to assess nib’s products or services such as locating healthcare professionals using voice commands, or where you have given consent to assist in verifying your identity (such as using your voiceprint with nib’s voice-based bot, or your fingerprint to access our facilities);

• to comply with our legal obligations, and to detect and prevent fraudulent activity in our business;

• to assist government departments in the delivery of national schemes, such as the Pacific Australia Labour Mobility (PALM) Scheme and the National Disability Insurance Scheme (NDIS);

• to amend records to remove personal information;

• to improve the contents of, and the services we provide through, our websites and mobile applications; and

• for other everyday business purposes that involve use of personal information.

The above examples are a non-exhaustive overview only of how we may collect and use your personal information, and more detail may be provided to you in a separate privacy notice when you contact us or, where relevant, in a separate contractual arrangement with you.

2.2.Legal basis for using your information

We ensure that we have an appropriate legal basis to deal with your personal information in these ways, including:

• where you have provided your consent (such as when you provide your consent to receive marketing messages);

• where it is necessary for us to use your personal information in order to enter into or perform a contract (such as to send you a Product Disclosure Statement and Quotation in response to your product inquiry, to provide you with disability services under a signed agreement with you, or if we need to handle an insurance claim), or to protect your vital interests (such as to provide emergency medical assistance under a travel insurance policy you hold with us);

• where the applicable law permits us or requires us to, including when we have a legal or regulatory obligation that we must comply with or it is in the substantial public interest (such as to prevent fraud or money laundering) or we need to use your personal information to establish, exercise or defend legal rights (such as debt recovery) or whenever courts are acting in their judicial capacity; and

• where we need to use your personal information for our legitimate business interests (such as managing our business operations, developing and improving the products and services we offer, company restructure or selling part of our business), and when we do so, we will consider your rights and interests in accordance with applicable law.

2.3.Direct marketing and personalisation

We may use your personal information to send you direct marketing communications and to personalise your experience with us. Examples include:

• to provide personalised health information, support and services, including invitations to programs and services designed to help you understand, manage and improve your health and wellbeing;

• to send you offers, invitations, and updates about products, services and nib Group Member benefits, from us or from our trusted third-party partners, that we believe may be of interest to you; and

• to improve your experience on our website, social media channels, and to help us improve or develop the products and services we offer to you and other nib Group Members.

We will only use your personal information for direct marketing and personalisation if we have a legal basis for doing so. If we use your personal information to contact you and you would prefer us not to, or if you indicate a preference for a method of communication, please let us know and we will respect your preference. Please let us know by using the unsubscribe facility provided or contact nib using the contact information at the end of this policy or via the method below:

Australian Residents Health Insurance

https://my.nib.com.au/login, opens in a new tab

New Zealand Residents – Life and Health Insurance

https://health.nib.co.nz/contact-us, opens in a new tab

nib Travel Insurance

https://nibtravelinsurance.com.au/contact, opens in a new tab

Iman Australia Health Plansand International Workers & Students

https://my.nib.com.au/login, opens in a new tab

World Nomads

https://pp.worldnomads.com/contact-us, opens in a new tab

Travel Insurance Direct

https://travelinsurancedirect.com.au/customer-contact, opens in a new tab

nib Thrive

https://nib.com.au/thrive/contact-us, opens in a new tab

OrbitProtect

https://orbitprotect.com/contact-us/, opens in a new tab

Honeysuckle Health

https://honeysucklehealth.com.au, opens in a new tab

Midnight Health

https://midnight.health/, opens in a new tab

When your choice is to continue to deal with us and in circumstances where you have been provided a functional unsubscribe facility and have not unsubscribed, we take it that you agree to and consent to us using your personal information, providing we follow the approach we explain in this Privacy Policy and comply with the law.

Personal information is retained during the time we need it for the identified purposes, to the extent necessary for purposes reasonably related to those identified purposes (for example, resolving disputes) or as required by law.

3.1.Who we disclose your personal information to

In using and storing your personal information, we may pass on your personal information, including outside the country of collection:

• to third parties, like our consultants, agents, contractors and service providers, and those that act as data controllers, processors or analysts, information technology providers, auditors or external advisers;

• to others who may be involved in yourcare, or in respect of disability services, the provision of support to you;

• to any intermediaries, including your agent, adviser, broker, representative or person acting on your behalf;

• to your employer or group administrator if you are an international workers member (such as an IMAN member or if you are part of the PALM scheme) or member of a workplace or association insurance plan, in order to administer that plan or where determined necessary or reasonable to do so, including in connection with any suspected unlawful activity associated with your insurance cover;

• to other insurers, reinsurers, insurance investigators and claims or insurance reference services, brokers, loss assessors, financiers;

• if you hold a travel insurance policy with us, to banks, foreign currency providers, goods replacement suppliers, transport and accommodation providers, travel agents and consultants, medical or health service providers or practitioners, emergency assistance providers, security providers, witnesses, translators or any other third parties involved in the processing, investigation or settling of a claim; 

• if you are an authorised representative or a supplier of the nib Group, to credit providers or credit reporting agencies;

• to other companies in the nib Group, including those located in Australia, New Zealand, the Republic of Ireland, United Kingdom, the United States, the Philippines, Brazil and the CaymanIslands;

• to any of our nib Group strategic, distribution and white label partners where authorised or required;

• where relevant, to a potential or actual third party purchaser of our business or assets;

• where relevant, to local registration boards and professional and industry bodies and associations, or to external dispute resolution bodies or other third parties involved in the management and resolution of complaints;

• to debt collection agencies and other parties that assist with debt recovery;

• for legal or safety reasons or other special circumstances, such as in order to comply with a legal or regulatory obligation to protect your vital interests;

• where we have a legitimate purpose (such as to manage our business operations or to conduct data analytics to improve our offerings);

• to any person authorised by you, or to others you have nominated, to access information in connection with an insurance policy you hold with us;

• to other persons who are insured on your policy to confirm, for example, that full disclosure has been made to us, or to ensure that the policyholder or person managing a claim has details of claims made on the policy, including any personal information used to make a claim determination; and

• in additional ways the applicable law permits us, or that you may also agreeto.

We may also disclose to third parties information from which information identifying individuals has been removed (such as aggregated, anonymous or pseudonymised information) so that your identity is not ascertainable. This includes sharing data analytics results.

3.2.We may disclose your personal information overseas

When we pass on, transfer or share your personal information in this way, we take steps to ensure it is treated in the same way that we would treat it, and that an adequate level of protection is in place in accordance with relevant privacy and data protection laws.

For example, if your personal information is collected in the EEA (European Economic Area) and we (or third parties acting on our behalf) transfer personal information that we collect about you to countries outside of the EEA (such as when we need to collect or share this information with nib’s parent company located in Australia), your personal information may be subject to both Australian and European privacy requirements, and the steps that we take to protect your personal information include obtaining contractual commitments to comply with applicable privacy requirements (referred to under European data protection laws as “Standard Contractual Clauses”). If we transfer personal information from inside the UK to third countries outside the UK which have not been certified by the UK as having an adequate level of protection, steps we take to protect your personal information may include having an International Data Transfer Agreement in place, or using “Standard Contractual Clauses” with UK addendum. Depending on the circumstances of the particular transfer, other steps we might take include transferringpersonal information to companies in the United States which are certified in accordance with the Data Privacy Framework (in the case of EU-US transfers of personal data).

Where you are covered by one of our Australian or New Zealand international students or visitors’ health insurance policies, we may disclose your personal information to overseas recipients who will generally be located in your original country of residence from where you are departing to Australia or New Zealand. This ensures that your health insurance coverage meets both the requirements of your visa and your health insurance needs while you are in Australia and New Zealand.

Some businesses within the nib Group (e.g., our travel insurance businesses) have relationships with insurers and other entities overseas. The countries in which these recipients may be located will vary from time to time, but may include the United Kingdom, the United States, Canada, Malta, Denmark, and Brazil. In addition, some businesses in the nib Group may have relationships with overseas service providers (including in China) to help manage information technology needs. The types of information we disclose depends on your relationship with us and may include identifiable information associated with your insurance policy or other services you've engaged with, including claims and health information.

We may also disclose your personal information to health service providers and others we have business arrangements with overseas as necessary to enable them to offer their products and services to you, such as where you are covered by a travel insurance policy and require appropriate medical treatment and services while overseas (and if we do so, we will ensure we meet applicable data protection requirements, such as explicit consent, or protection of the vital interests of a data subject). We do our best to keep our records of your personal information up to date and accurate, and to delete or amend personal information that is no longer needed and we will use secure methods to destroy or permanently de-identify it when it is no longer required for any purpose under this Privacy Policy or otherwise in accordance with applicable laws and regulations. These steps apply regardless of whether the personal information is stored in physical or electronic form.

We use various systems and services including technical measures to safeguard the personal information we store, as part of our business systems and processes. We take steps to protect your personal information from misuse, interference or loss and unauthorised access, modification and disclosure with appropriate safeguards and security measures. This includes in storage and when we transfer or share it, such as across borders, to ensure compliance with international data protection standards relevant to our travel, overseas student and worker health insurance policies.

All our staff are trained to understand privacy and data protection requirements. We also conduct Privacy Impact Assessments on new systems and processes, to ensure we are adhering with privacy requirements and putting the right protections in place when making changes. We have teams and programmes in place to check our protections are working and remain up to date, including our protections to prevent and detect cyber threats. We are regularly audited to provide an independent assessment of our protection measures and help us to continue to maintain standards of personal information management and protection.

While we take steps to protect your personal information when you send it to us, you should keep in mind that no internet transmission is ever completely secure or error-free. If you provide any personal information to us via our online services (including email or a web-based service through a portal), or if we provide information to you or others by these means, the privacy, security and integrity of any data transfer over the internet cannot be guaranteed. When you share information with us (such as over the internet, or sending us an email), it is at your own risk as factors beyond our control include the security of the device and/or program you use to communicate with us, and steps you take to protect your login details and password. If you reasonably believe that there has been unauthorised use or disclosure of your personal information, please contact us (see below).

Our website may contain links or references to other websites or social media platforms not subject to this Privacy Policy. You should check their own privacy policies before providing your personal information.

5.1.nib Group

You may wish to contact nib Group to access your personal information, to seek to correct it, delete it, to make a complaint about privacy (and under applicable privacy laws you may have rights of access to and correction of your personal information) or to manage your communication preferences. Our privacy email contact address for our Group Privacy Officer is [email protected], opens in a new tab and further contact details for nib Group are set out below.

nib holdings Limited 22 Honeysuckle Drive

Newcastle NSW 2300 AUSTRALIA

Phone: 13 14 63 (within Australia)

+61 2 4914 1100 (outside Australia) Attention: Group Privacy Officer

You can also contact your local nib entity. We will respond to your request for access to personal information we hold about you within the timeframes required by applicable laws and/or as soon as we reasonably can, including notifying you if we are unable to provide access (such as when we no longer hold the information) or if we are permitted by applicable law to refuse access.

Generally, we do not impose any charge for a request for access, but where permitted to do so by applicable law, we may charge you a reasonable fee for the retrieval costs associated with providing you with access.

You must keep us informed of any changes to your information, like your contact details or address, to ensure your details remain up-to-date.

For complaints about privacy, we will establish in consultation with you a reasonable process for seeking to resolve your complaint, including time frames provided by applicable laws.

5.2.European Economic Area (EEA) and United Kingdom

If you are located in the European Economic Area (EEA) and require further information about how we deal with your personal data under EEA data protection laws, please contact us at:

nib Travel Services Ireland Limited / nib Travel Services Europe Limited City Quarter Building

Lapps Quay, Cork, IRELAND. [email protected], opens in a new tab

Under EU laws, additional rights may also be available to you about the way we handle your personal data, including the right to complain to your local supervisory authority:

Data Protection Commission 21 Fitzwilliam Square

South Dublin 2 D02RD28 IRELAND

https://dataprotection.ie, opens in a new tab

[email protected], opens in a new tab

If you are located in the United Kingdom and are not satisfied with our or your insurer’s response, or believe we or your insurer are not processing data in accordance with the law, you can complain to your local Data Protection Commissioner:

• Information Commissioners Office

• Wycliffe House

• Water Lane

• Wilmslow

• Cheshire

• SK9 5AF

Other rights which may be available to you under UK and EU laws include:

right to access your personal data (you have the right to request a copy of your personal data that we hold about you, and please see further above);

right to rectification (as noted, if you believe that the information we hold about you is inaccurate or incomplete, please let us know so that we can rectify any gap or inaccuracy);

right to erasure, or right to be forgotten (in certain circumstances, you have the right to request that we erase your personal data, such as if your personal data is no longer necessary for the purpose of original collection);

right to restriction of processing (in certain circumstances, you have the right to request that we restrict the processing of your personal data, and please see further above for example in relation to how you may opt out of our marketing communications);

right to data portability (in certain circumstances, you can request that personal data we hold about you be transmitted directly to another organisation);

right to object (you may have the right to object to our processing of your personal data, such as in relation to direct marketing communications and your right to opt out as outlined above, or to otherwise object unless we establish that we have legitimate grounds for the processing which outweigh your privacy rights);and

rights relating to automated decision making (you have the right to ask us to not be subject to a decision based solely on automated processing including profiling which produces legal effects or other similar significant effects concerning you).

5.3.nib Securities

If you hold nib securities, we have outsourced nib holdings Limited’s share registry function to Computershare Investor Services Pty Limited, which has its own privacy policy. For more information about how Computershare deals with personal information, or to make a complaint about Computershare’s handling of your personal information in your capacity as a security holder, please refer to its privacy policy at https://computershare.com/au, opens in a new tab contacting Computershare (telephone: 1800 804 985, or by email [email protected]).