NAB
Banking & Finance
No children's data provisions found in the policy despite APP 3.5 requirements for additional considerations when collecting personal information from children under 18. Overall: Good with minor gaps.
10 dimensions · 79 claims · assessed 17 Apr 2026
Score Breakdown
Transparency
Good with minor gaps
7.67/10
Transparency & Clarity
8/10: The policy demonstrates strong transparency with comprehensive scope coverage, specific multi-channel contact details including dedicated phone numbers and postal address, clear version dating, and good structural organization with defined sections and key terms. While it lacks a formal table of contents and glossary section, the overall disclosure quality is clear and specific, meeting most transparency requirements effectively.
Purpose Limitation & Use
8/10: Comprehensive and specific purpose disclosures covering primary collection, secondary uses, marketing, AI/analytics, and consent mechanisms with clear opt-out procedures. Strong coverage of APP 6 requirements with detailed purpose statements and granular marketing preferences, though could be slightly more explicit about purpose limitation commitments.
Policy Maintenance & Accountability
6/10: The policy provides adequate disclosures with some specific elements like complaint response timeframes (5 business days) and multiple contact methods, but lacks key accountability measures such as a named privacy officer, specific review schedules, and detailed governance frameworks that would demonstrate comprehensive policy maintenance.
Data Protection
Good with minor gaps
7.67/10
Data Collection Disclosure
9/10: Exceptionally comprehensive and granular data collection disclosures with specific enumeration of data types across all categories (identification, financial, biometric, device, location), clear collection methods, explicit sensitive data handling with consent requirements, and detailed legal basis statements. The specificity exceeds minimum APP requirements with practical examples and consequences clearly articulated.
Third-Party Sharing & Disclosure
8/10: The claims demonstrate comprehensive and specific third-party sharing disclosures with detailed categories of recipients, specific purposes, named entities (like Experian, Equifax, ASIC, ATO), clear overseas disclosure mechanisms including country lists, contractual privacy obligations for third parties, and multiple consent-based sharing scenarios. While very thorough, it falls short of a perfect score due to some categories remaining somewhat broad despite the overall high level of specificity.
Data Security
6/10: The policy covers multiple security areas including access controls, encryption, employee training, and third-party requirements, but lacks specificity in technical details like encryption algorithms, certification standards, or breach notification procedures. Most disclosures are adequate but remain at a high level without the detailed commitments expected for higher scores.
Cross-Border Data Flows
6/10: The policy provides adequate cross-border disclosure with some specific elements (named Bank of New Zealand, external countries list, contractual safeguards) but lacks comprehensive detail on adequacy mechanisms or binding corporate rules, and relies heavily on external references rather than direct specification.
Your Rights
Significant gaps
4.8/10
Consumer Rights & Control
8/10: The policy provides comprehensive and specific disclosures covering all key consumer rights areas with clear mechanisms, specific timeframes (5 business days for complaints, 30 days for credit information), detailed contact methods, and proper OAIC escalation information. While very strong overall, it lacks some specificity around general access request timeframes and deletion rights to achieve a perfect score.
Automated Decision-Making
4/10: The policy discloses several specific AI/ADM uses (fraud detection, personalisation, sentiment analysis) but lacks critical APP 1.4 requirements including opt-out rights for automated decisions, human review availability, and transparency about decision-making logic. Only marketing opt-out is provided, not for the automated decisions themselves.
Children's Data
0/10: No children's data provisions found in the policy despite APP 3.5 requirements for additional considerations when collecting personal information from children under 18.
