How Reward Gateway complies with the Australian Privacy Principles

This document explains at a high level how we comply with the Australian Privacy Principles. 

1. Open and transparent management of personal information

We display detailed Privacy Notices at all times on our programmes in the footer which contains the kind of personal information collected and held by us, for how long and for what purpose and how members can exercise their rights and get in touch with us. 

2. Anonymity and pseudonymity

It is impractical for members to use our services without identifying themselves, therefore we do not allow anonymity. Members are free to use pseudonyms if their employer supports this. 

3. Collection of solicited personal information

We will only ask for and process personal information that is necessary for the services we provide. We do not collect, handle, process or store ‘sensitive information’ as defined in the Australian Privacy Principles.

4. Dealing with unsolicited personal information

We don’t deal with much unsolicited information, but our general rule is to erase the information if we are able to. 

5. Notification of the collection of personal information

We use our Privacy Notices to explain how and why we collect personal information throughout our websites. The Privacy Notice is always visible in the footer of all our pages. If we make a considerable change, we will inform members via on-site alerts upon login. 

6. Use or disclosure of personal information

We will only use information for the purposes it’s collected for, which are listed in our Privacy Notices. We only disclose personal information when it’s absolutely necessary for the service we provide. 

7. Direct marketing

We send direct marketing emails to registered members who use our SmartSpending product if they have opted in. These emails contain ‘one click’ unsubscribe links and members can also manage their communication preferences within their account while logged in. 

8. Cross-border disclosure of personal information

We use service providers based in the United Kingdom, European Union and United States of America. We take all steps necessary to ensure that personal information is treated securely and privately. We will not share personal information to any third party or country that cannot guarantee at least equivalent protection to the Australian Privacy Act. You can find more information at rg.co/agreements 

9. Adoption, use or disclosure of government related identifiers

We do not collect, handle, process or store ‘government related identifiers’ as defined in the Australian Privacy Principles. 

10. Quality of personal information

Most of the data we hold on members comes from our customers Human Resource Information Systems (HRIS) and therefore should already be accurate. We prompt our customers to regularly provide membership updates to capture starters, leavers and any changes of members information.

Members can update their details directly through their Profile, or by getting in touch with our support teams. 

11. Security of personal information

Reward Gateway has put Security at the forefront of our business since its founding in 2006 and have maintained our ISO27001 compliance since 2009.

We have a full time team of Information Security professionals with qualifications including CISSP, PCI ISA and ISO27001 Internal Auditor. 

We apply Centre for Internet Security (CIS) hardening baselines to all assets and perform threat analysis using Microsoft's STRIDE framework. 

Our Vulnerability Management Programme scans all assets monthly, and we have contracts with forensic incident response firms on standby. 

We publish twice-yearly penetration test reports, copies of our policies and procedures and much more in our Security Pack

12. Access to personal information

We have self-service tools available to members to request a copy of all data relating to them in human or machine readable formats. You can read about that on the relevant article. We also accept requests for this information through any of our support channels. 

13. Correction of personal information

Most of the data we hold on individuals is sourced from employers Human Resource Information Systems (HRIS) and therefore is usually already accurate. We advise most members to go to their Human Resources department to get any information fixed at source, and the changes will come through on the next regular update. Members can also manually update their information - or request us to do so on their behalf - through their Account.