Privacy

2 September 2025

Our commitment to your privacy

Customer Owned Banking Association Limited is committed to protecting your privacy and the confidentiality of your personal information. 

We comply with the Privacy Act 1988 and the Australian Privacy Principles (APPs).

This Privacy Policy describes how we manage personal information that we may collect, hold, use or disclose for the purposes of our functions and activities.

About the Customer Owned Banking Association

Customer Owned Banking Association Limited (“COBA”) ACN 137 780 897 is a company limited by guarantee and is the industry association for the customer owned banking sector. 

COBA represents Australia’s credit unions, mutual banks and building societies who are our member organisations.

COBA was formed to: 

  1. Act as a single voice for mutual financial services providers 
  2. Advocate to influence and improve the regulatory and operating environment for its members 
  3. Support its members with high quality advice and services, and 
  4. Facilitate industry events, liaison and education on relevant topics. 

What is personal information?

Personal information is information or an opinion, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. 

Anonymity and Pseudonymity

Where it is lawful and practicable, you have the option of dealing with us anonymously or using a pseudonym. For example, you may browse our website or make general inquiries about our services without identifying yourself.

However, in many cases, we need to collect your personal information to provide you with the services you request or to comply with legal or regulatory requirements. We will inform you when identification is required.

What information do we collect and hold?

Types of personal information

Personal information that we collect and hold may include:

  • Your name, title, date of birth
  • Address and other contact information
  • Email address and phone numbers
  • Name of the organisation you work for and workplace location
  • Tax file number (where allowed by law to do so)
  • Committee membership, qualifications
  • Information about your opinions, policies, statements and writings 

Sensitive information

Sensitive information is a special category of personal information under the Privacy Act. We will only collect sensitive personal information about you if we have your express or implied consent, if the collection is required or authorised by law, the collection is necessary to prevent or lessen a serios and imminent threat to someone’s health or life, or the collection is necessary for the establishment, exercise or defence of a legal claim. 

Why do we collect, use and hold personal information?

We only collect, use and hold personal information that is reasonably necessary for the performance of our legitimate functions and activities. 

Primary purposes

Generally, we collect use and maintain personal information to: 

  • Enable us to contact our member organisations about matters relating to their membership 
  • Ensure that the services we provide and events we run are relevant to the needs of our members, including carrying out surveys and other research  
  • Represent members and publicise to the community issues of concerns 
  • Advocate on behalf of our members to government agencies and other relevant bodies about matters of concern to our member organisations 
  • Identify, understand and respond to policies, ideas and opinions of our members, and 
  • Communicate with our members and other organisations and individuals in the context of our work as an industry representative organisation. 

How do we collect personal information?

Collection methods

Wherever possible, we will collect personal information directly from you through lawful and fair means. This may include:

  • Written forms and applications
  • Through our website or online services
  • In person at meetings, events or offices
  • Over the telephone
  • Through email or other electronic communications
  • Through the use of cookies and similar technologies on our website 

We may also collect personal information from other sources such as oral sources and correspondence and other written material sent to us, as well as information from publicly available sources such as newspapers, electronic media, records of proceedings and public registers. 

Credit card information

If you purchase a product or service from COBA using a credit card, your credit card information is used to process the payment. Credit card details are not stored and our database only records that you purchased a product or service and how much you paid for it. We will protect the security your credit card details by using SSL encryption technology when processing your payment. 

Collection notices

When we collect personal information directly from you, we will take reasonable steps to notify you (or otherwise ensure you are aware) of:

  • Our identity and contact details
  • The facts and circumstances of collection
  • Whether the collection is required or authorised by law
  • The purposes of collection
  • The consequences if personal information is not collected
  • Our usual disclosures of personal information of the kind collected
  • Information about our Privacy Policy
  • Whether we are likely to disclose the personal information to overseas recipients

Unsolicited Personal Information

If we receive personal information about you that we did not request and that we could not have reasonably collected directly from you, we will:

  1. Determine whether we could have lawfully collected the information through normal means
  2. If we determine we could have lawfully collected the information, we will treat it in the same way as information we deliberately collected
  3. If we determine we could not have lawfully collected the informa.tion, we will securely destroy or de-identify the information as soon as practicable, if it is lawful and reasonable to do so

How do we use and disclose your personal information? 

Primary and secondary purposes

We will use and disclose your personal information for the primary purpose for which it was collected.

We may also use and disclose your personal information for related or ancillary purposes (secondary purposes) where

  • You have consented to the secondary use or disclosure
  • You would reasonably expect us to use or disclose the information for the secondary purpose, which is related to the primary purpose
  • The use or disclosure is required or authorised by law
  • A permitted general situation exists (such as to lessen or prevent a serious threat to life, health or safety)
  • We reasonably believe the use or disclosure is necessary for enforcement related activities

Examples of secondary purposes include:

  • Invoicing
  • Sending invitations to seminars and other events
  • Market research
  • Improving our service and communications

Recipients of your personal information

We may disclose personal information to: 

  • Our member organisations 
  • Those organisations as required or authorised by law (for example, disclosure to Australian (and international) enforcement bodies such as the Australian Securities and Investments Commission (ASIC), the Australian Taxation Office (ATO), the Australian Transaction Reports and Analysis Centre (AUSTRAC), Centrelink or the Courts) 
  • Your representatives, including your legal advisers.  
  • Our representatives, such as our legal, tax, audit and accountancy advisers 
  • Organisations that help identify illegal activities and prevent fraud
  • Service providers such as printers and posting services and organisations involved in the provision and maintenance of our business systems and infrastructure,
  • Parties maintaining, reviewing and developing our business systems, procedures and infrastructure including updating and maintaining our data or upgrading our computer systems; and

Disclosure with consent

We may also disclose your personal information to those organisations where it can be reasonably inferred from the circumstances that you consent to your personal information being disclosed. If you do not wish for your personal information to be disclosed to particular third parties, you should advise us accordingly.

We do not disclose personal information we collect to third parties for the purpose of allowing them to direct market their products and services. 

Where your personal information is disclosed, including to third parties, we will seek to ensure that the information is held, used or disclosed consistently with the Australian Privacy Principles and other applicable laws and codes.

Government Related Identifiers

We will not adopt, use or disclose a government related identifier (such as a Medicare number, passport number or driver’s license number) as our own identifier of an individual unless:

  • The use or disclosure is required or authorised by law
  • The use or disclosure is reasonably necessary for us to verify your identity for our activities or functions
  • The use or disclosure is reasonably necessary to fulfil our obligations to a government agency or authority
  • We have obtained your consent

While we may collect your tax file number (TFN) where authorised by law, we will only do so in accordance with the strict limitations allowed under the Privacy Act and Tax File Number Guidelines.

Quality of Personal Information

We take reasonable steps to ensure that the personal information we collect, use and disclose is accurate, up-to-date, complete and relevant for the purpose for which we collect, use or disclose it.

To help us maintain the accuracy of your personal information, we encourage you to:

  • Let us know if there are any errors in your personal information
  • Keep us up-to-date with changes to your personal information such as your name or address

If we discover that personal information we hold is inaccurate, out-of-date, incomplete, irrelevant or misleading, we will take reasonable steps to correct it.

How do we hold and protect your personal information? 

Security measures

We hold your personal information electronically or in hard copies. This may include storage on our behalf by trusted third party service providers. 

The security of your personal information is important to us and we take all reasonable precautions to protect it from misuse, interference and loss, and from unauthorised access, modification or disclosure. Some of the ways we do this are: 

  • Confidentiality requirements and internal policies for our employees 
  • Security measures including passwords and MFA for access to our systems 
  • Only giving access to personal information to a person who is verified to be able to receive that information 
  • Having confidential face-to-face discussions between you and us in a secure environment 
  • Control of access to our buildings, and 
  • Electronic security systems, such as firewalls, virus software and data encryption on our websites. 

Online security

Whilst we take all reasonable measures, no data transmission over the internet can be guaranteed to be totally secure. We use industry-standard security measures when transmitting information electronically, but we cannot guarantee the security of information you transmit to us over the internet.

Data retention and destruction

COBA will securely destroy or de-identify personal information when we no longer need it for any purpose for which it may be used or disclosed, and we are not required by law or a court/tribunal order to retain it.

We generally retain personal information for as long as required to satisfy legal and regulatory requirements, or for insurance, governance, accountability and compliance purposes.

Data Breach Notification

In the event of a data breach involving your personal information that is likely to result in serious harm, we will:

  1. Conduct a prompt investigation to determine the cause and extent of the breach
  2. Take immediate steps to contain the breach
  3. Assess whether the breach is likely to result in serious harm to any individuals whose information has been compromised
  4. Notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme
  5. Take steps to prevent future breaches

Disclosure to overseas recipients

We may disclose your personal information to an organisation outside Australia where, for example, we outsource a function or service to a third party with whom we have a contractual arrangement. 

If we disclose your personal information outside Australia, we will do so on the basis that your personal information will be used only for the purposes set out in this document.

We will not send your personal information outside Australia unless:

  • It is authorised by law
  • We are satisfied that the recipient of the personal information has adequate data protection arrangements in place that are substantially similar to the APPs
  • You consent to the transfer after being informed that we will not be taking reasonable steps to ensure the overseas recipient does not breach the APPs (if applicable)
  • The disclosure falls within a permitted exception under the Privacy Act

Overseas organisations may be required to disclose information we share with them under a foreign law. In those instances, we will not be responsible for that disclosure. 

The countries to which we are likely to disclose your personal information include the US, UK and Germany.

How can you access and amend your personal information? 

You may request access to your personal information held by COBA at any time. You may also request that your personal information be updated or corrected. 

If we hold information about you that you are legally entitled to access, we will provide you with that information on request within a reasonable period (usually 30 days), if we are able to do so.

We will provide the information in the manner requested where reasonable and practicable. Otherwise, we will provide the information in a suitable manner, which might include by email, mail, or in person.

Exceptions to access

There are some exceptions to our general obligation to give you access to your personal information held by us, for instance:

  • If it would be unlawful for us to do so
  • If your request is frivolous or vexatious
  • If the information is commercially sensitive
  • If the information is relevant to a legal dispute
  • If giving access would have an unreasonable impact on the privacy of others
  • If we have reason to suspect that unlawful activity or misconduct of a serious nature has been, is being or may be engaged in
  • If giving access would be likely to prejudice enforcement related activities
  • If giving access would reveal evaluative information in connection with a commercially sensitive decision-making process

If we refuse to give you access we will:

  • Take reasonable steps to give you access in a way that meets our needs and yours
  • Provide you with written reasons for the refusal within a reasonable period (usually 30 days)
  • Provide you with information about how to complain about the refusal

Correcting your personal information

You may request that your personal information be updated or corrected.

If we are satisfied that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading, we will take reasonable steps to correct it within 30 days, or such longer period as agreed with you in writing.

If we correct personal information about you that we have previously disclosed to another entity, we will take reasonable steps to notify that other entity of the correction if you request us to do so.

How to request access or correction

You can request access to your personal information, or that your personal information be updated or corrected, by:

  • Writing to us at the address provided below (see contact details)
  • Emailing us at info@coba.asn.au
  • Calling us on +61 02 8035 8400

We do not currently charge any fees for giving you access to your information.

Marketing Opt-Out

We will not send you any marketing if you tell us not to. You can opt out of receiving marketing communications from us at any time by:

  • Contacting us in person
  • Calling us on +61 02 8035 8400
  • Emailing us at info@coba.asn.au
  • Writing to GPO Box 4686 Sydney NSW 2001
  • Using the unsubscribe function in our marketing emails (if applicable)

We will process your opt-out request as soon as practicable.

Making a complaint

You may make a complaint to us if you consider we have not complied with the relevant provisions of the Australian Privacy Principles (AAPs).

You can complain:

  • In person
  • By calling us on +61 02 8035 8400
  • By email at info@coba.asn.au
  • In writing to Privacy Officer, Customer Owned Banking Association, GPO Box 4686 Sydney NSW 2001

How we handle complaints

We will acknowledge your complaint promptly, either verbally or in writing and do our best to resolve it straight away.

We aim to resolve all complaints within 21 days of receipt of the complaint by COBA, however in some cases it may take up to 30 days. Your complaint may take a little longer to assess if we need more information or if your complaint is complex. In all cases we’ll keep you updated on the progress. 

External complaint resolution

If an issue has not been resolved to your satisfaction, you can lodge a complaint with the Privacy Commissioner by:

Member organisation complaints

We are unable to handle or assist you with a privacy complaint involving a member organisation. If you have a privacy complaint about a member, you should contact them directly. 

Changes to our Privacy Policy

COBA reserves the right to modify and change this Privacy Policy at any time. When we update this Privacy Policy, we will post our updated policy on our website and may use other appropriate means to notify you of significant changes.

Contact us

If you have any questions regarding this Privacy Policy:

Write to: Privacy Officer, Customer Owned Banking Association, GPO Box 4686 Sydney NSW 2001

Telephone: +61 2 8035 8400

Email: info@coba.asn.au

Further information about privacy 

Further information about privacy law and your rights can be found on the Office of the Australian Information Commissioner’s website (www.oaic.gov.au)

Hear it first

Four times a year we’ll send you helpful banking tips and inspiring stories from our members.