nib Group and Privacy

This information explains how we comply with applicable privacy requirements and sets out minimum standards for how we deal with personal information collected and used by the nib Group. This information may be updated from time to time, and should be read in the context of any additional specific information such as that provided in privacy policies applicable to specific businesses or local areas as displayed on the relevant website from time to time.

In this privacy policy, "we, our, us or nib Group" means nib holdings limited ABN 51 125 633 856 and its related entities in the nib Group of companies in Australia and other countries.

nib Group's system for complying with applicable privacy requirements includes:

• our commitment to compliance with privacy requirements;
• our policy and approach to privacy, as explained in this information;
• our resources allocated to privacy, including our technology systems and services; and
• our people and the training and education we undertake.

In the event of any conflict between the English language version of this Privacy Policy and other language versions, the English language version will prevail.

Collecting your personal information

The businesses operated by the nib Group of companies provide a range of insurance services, including in relation to health and travel, and provide information in relation to health care and health care providers, and other services.

When you deal with us, we may collect personal information about you such as your name, your contact details, gender and other information about your circumstances and preferences including about your health or medical history, visa and employment details, bank account and credit card details, government related identifiers, and if you hold nib securities, information relating to you and your security holding.

We collect this information when we ask you for it and you provide it, including when you join our nib reward programs, or if an insurance claim is lodged by you or on your behalf. We may also collect information about you from third parties, such as your doctor or treating hospital, if it is not reasonable or practicable to collect the information from you. This may also include other people or organisations who might be representing you, including a person who takes out an insurance policy on your behalf or under which you are covered, or any person assisting or representing us.

We may also collect your personal information from publicly available sources or social networking services to enable us to contact you and offer our products and services to you, and in doing so we comply with all requirements, including providing a facility to allow you to indicate your preferences in relation to contact. We may also collect personal information about others such as parents and guardians, carers or authorised representatives of third parties.

Where we do not have your personal information (or personal information of an insured person or person requesting assistance), we are not able to contact you, process your requests or employment application, or provide our services to you including providing insurance or other assistance, or processing an insurance claim.

We may also collect personal information from databases and directories, if you are a recognised health care provider. Like many companies, we use technology and tools that tell us when a computer or device has visited or accessed our content. Those tools include services from search engines and other companies that help us to tailor our products and services to better suit our customers and potential customers. Search engines provide facilities to allow you to indicate your preferences in relation to the use of those tools in connection with computers and other devices controlled or used by you. Our mobile applications may also collect precise location information from your device if you consent to the collection of this information.

Using your personal information

Generally, we use your personal information for our business and activities, and in our efforts to expand and improve our business. Examples include:

• to identify you, and respond to and process your requests for information and provide you with a product or service;
• to determine your eligibility for a product or service, and to manage our relationship with you including where relevant, providing you with a quote or managing insurance related and other services being provided to you;
• to administer and provide insurance services, including emergency assistance, and to manage your and our rights and obligations (and those of insured persons) in relation to insurance services, including dealing with you or an insured person in connection with an insurance proposal, policy, or claim;
• to provide you electronically or by post with marketing communications and invitations and offers for products and services including new products or services that we or our third party business partners believe may be of interest to you (and we will provide you with an opportunity to opt out), and to assist in developing new products and services;
• to administer promotional programmes (such as exclusive member offers or competitions) and scholarships;
• to conduct business processing functions including providing personal information to our related bodies corporate, contractors, service providers or other third parties including those making referrals to us and to our strategic, distribution and "whitelabel partners" who market and sell our products and services to their customers under their own brand;
• to improve our website, social media channels and our products and services to you and/or to our customers;
• to provide you with advice relating to your needs, including insurance needs;
• to manage complaints and disputes, and report to dispute resolution bodies;
• to operate programmes and forums in different media in which you are able to share information, including your personal information, with us and publicly (on the Terms applicable);
• to manage, train and develop our employees and representatives;
• for a business or professional relationship we may have with you;
• if you apply for employment with us, to consider your application;
• where you are a health service provider, to create and provide access to directory services to customers and other third parties;
• to amend records to remove personal information; and
• for other everyday business purposes that involve use of personal information.

If we use your personal information to contact you and you would prefer us not to, or if you indicate a preference for a method of communication, please let us know and we will do our best to respect your preference.

When your choice is to continue to deal with us, we take it that you agree to and consent to us using your personal information in these ways, providing we follow the system and approach we explain in this information and comply with the law.

Storing and disclosing your personal information

Personal information is retained during the time we need it for the identified purposes, to the extent necessary for purposes reasonably related to those identified purposes (for example, resolving disputes) or as required by law. In using and storing your personal information, we may pass on your personal information including outside the country of collection:

• to others, like our consultants, agents, contractors and service providers, and those that act as data processors, auditors or external advisers
• to others who may be involved in your care;
• to any intermediaries, including your agent, adviser, broker, representative or person acting on your behalf;
• to your employer or group administrator, if you are a member of a workplace or association insurance plan, in order to administer that plan or where determined necessary or reasonable to do so, including in connection with any suspected unlawful activity associated with your insurance cover;
• to other insurers, reinsurers, insurance investigators and claims or insurance reference services, brokers, loss assessors, financiers;
• to other companies in the nib Group, including those located in Australia, New Zealand, the Republic of Ireland, the United States, the Philippines and the Cayman Islands;
• to any of our nib Group strategic, distribution and whitelabel partners where authorised or required;
• where relevant, to local registration boards and professional and industry bodies and associations, or to external dispute resolution bodies; and
• in additional ways you may also agree to.

When we pass on, transfer or share your personal information in this way, including outside the location where we collect it (e.g. your country, the European Economic Area if your information is collected there, etc), we take steps to ensure it is treated in the same way that we would treat it and that an adequate level of protection can be ensured for your rights in relation to your personal information and data, and where the transfer is otherwise in accordance with relevant privacy and data protection laws.

Some businesses within the nib Group (e.g. our travel insurance businesses) have relationships with insurers and other entities overseas. The countries in which these recipients may be located will vary from time to time, but may include the United Kingdom, the United States, Canada, Denmark, and Brazil. We may also disclose your personal information to health service providers and others we have business arrangements with overseas as necessary to enable them to offer their products and services to you, such as where you are covered by a travel insurance policy and require appropriate medical treatment and services while overseas.

We may also disclose personal information to any person authorised by you, or to others you have nominated in connection with an insurance policy you hold with us. When you acquire an insurance policy with us, you authorise us to share personal information with any co-insureds to confirm, for example, full disclosure has been made to us or to ensure that the policyowner is aware of the details of all benefits and services claimed on the policy.

We do our best to keep our records of your personal information up to date and accurate, and to delete or amend personal information that is no longer needed.

We also share with others and disclose information from which personal information has been removed (including aggregated, anonymous or pseudonymised information) so that no privacy is affected.

We sometimes have to pass on personal information for legal or safety reasons or other special circumstances.

Security

We use various systems and services to safeguard the personal information we store, as part of our business systems and processes. We take steps to protect your personal information from misuse, interference or loss and unauthorised access, modification and disclosure with appropriate safeguards and security measures.

While we take steps to protect your personal information when you send it to us, you should keep in mind that no internet transmission is ever completely secure or error-free. If you provide any personal information to us via our online services (including email), or if we provide information to you by these means, the privacy, security and integrity of any data transfer over the internet cannot be guaranteed. When you share information with us, it is at your own risk. If you reasonably believe that there has been unauthorised use or disclosure of your personal information, please contact us (see below).

This website may contain links or references to other websites not subject to this Privacy Policy. You should check their own privacy policies before providing your personal information.

Contact with nib Group about your personal information

You may wish to contact nib Group to access your personal information, to seek to correct it or to make a complaint about privacy. Our privacy email contact address for our Group Privacy Officer is privacyofficer@nib.com.au and further contact details for nib Group are set out below.

• nib holdings Limited
• 22 Honeysuckle Drive
• Newcastle NSW 2300
• AUSTRALIA
• Phone: 13 14 63 (within Australia)
• +61 2 4914 1100 (outside Australia)
• Attention: Group Privacy Officer

You can also contact your local entity. We will respond to your request for access to personal information we hold about you as soon as we reasonably can, including notifying you if we are unable to provide access (such as when we no longer hold the information) or if we are permitted by law to refuse access.

We do not impose any charge for a request for access, but we may charge you a reasonable fee for our costs associated with providing you with access and retrieval costs.

For complaints about privacy, we will establish in consultation with you a reasonable process, including time frames, for seeking to resolve your complaint.

If you are located in the European Economic Area (EEA) and require further information about how we deal with your personal data under EEA data protection laws, please contact us at:

• First Floor, City Quarter Building
• Lapps Quay, Cork, IRELAND.

If you hold nib securities, we have outsourced nib holding's share registry function to Computershare Investor Services Pty Limited, which has its own privacy policy. For more information about how Computershare deals with personal information, or to make a complaint about Computershare's handling of your personal information in your capacity as a security holder, please refer to its privacy policy at www.computershare.com/au or by contacting Computershare (telephone: 1800 804 985, or by email privacy@computershare.com.au).

Last updated: February 2018