This procedure is reviewed every year by National Compliance Manager. In addition, if there is a major compliance breach in this area, the National Compliance Manager shall review the relevant procedure, or engage an external compliance consultant to review the procedure.
InterPrac intends that this policy will apply to all entities of the group and the Privacy Amendment Act states that the APP’s apply to individuals, body corporates, partnerships, unincorporated associations or trusts unless they are a small business operator. A small business operator is defined as a business with an annual turnover of $3,000,000 or less for a financial year unless an exemption applies. Notwithstanding that some advisers may operate a business that would come under the small business exemption, as advisers or agents of InterPrac they will still be obliged to comply with the APPs.
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
APP 1 requires organisations to have ongoing practices and policies in place to ensure that they manage personal information in an open and transparent way.
APP 1 also introduces a positive obligation for organisations to implement practices, procedures and systems that will ensure compliance with the APPs and any registered APP codes.
In accordance with the above requirements, it is the policy of InterPrac that: All persons to whom this policy applies are required to inform themselves of their obligations under the APPs.
InterPrac will provide training as and when required to ensure persons to whom this policy applies are aware of their obligations under the APPs.
All clients of InterPrac are entitled to access their private information upon request. Any complaints in regard to the handling of private information shall be referred to the Privacy Officer (National Compliance Manager).
How InterPrac manages private information will be set out in this policy.
This policy shall be made available on websites operated by InterPrac and its related companies agents and representatives.
On request, clients are to have free access to this policy in any form requested, so long as it is practical to do so.
Members of the InterPrac group may collect and hold personal information such as a person’s name, address, date of birth, income, tax file number (TFN) and such other information that may be required from time to time in order to provide services to clients. This is collected directly from its clients and personal information is held by either companies within the InterPrac group or its advisers and agents.
Any personal information collected by InterPrac is solely for the purpose of providing services to clients and meeting licencing obligations and is not to be used for any other purpose without consent. Any client may seek access to their personal information by contacting the appropriate entity of the InterPrac Group. If a correction is required to that personal information the client may make that amendment by notifying the appropriate entity within the InterPrac Group. If a client is not satisfied with the outcome of their complaint they may lodge a complaint with the Office of the Australian Information Commissioner (OAIC). Further information is available on the OAIC’s website at www.oaic.gov.au.
InterPrac will only disclose personal information of its clients to overseas recipients where such disclosure is required to give effect to the instructions of a client. It is not practical to list all countries to which this applies due to the variety of international financial services available to clients.
APP 2 sets out a new requirement that an organisation provide individuals with the option of dealing with it using a pseudonym. This obligation is in addition to the existing requirement that organisations provide individuals with the option of dealing with them anonymously.
Both requirements are subject to certain limited exceptions, including where it is impracticable for the organisation to deal with an individual who has not identified themselves, or where the law or a court/tribunal order requires or authorises the organisation to deal with individuals who have identified themselves.
As InterPrac and its entities deal primarily with clients in financial services, it is unlikely that it would be practical for services to be provided to those clients without them having identified themselves. Further, in most situations companies within the InterPrac group will be required under theterms of the Anti-Money Laundering and Counter-terrorism Financing Act 2006 (Cth) (AML/CTF Act) to appropriately identify clients.
APP 3 outlines when and how an organisation may collect personal and sensitive information that it solicits from an individual or another entity.
An organisation must not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the organisation’s functions or activities.
APP 3 clarifies that, unless an exception applies, sensitive information must only be collected with an individual’s consent if the collection is also reasonably necessary for one or more of the organisation’s functions or activities.
An organisation must only collect personal information from the individual, unless it is unreasonable or impracticable to do so.
InterPrac is required to collect only information that is reasonably necessary for one or more of its functions. To meet legislative requirements it is envisaged that InterPrac will be required to collect the information needed to comply and store that information including Tax File No’s and personal medical information.
Where personal information is required to be obtained from clients in order for them to be provided services from entities within InterPrac, those entities must consent to the collection of their personal information.
InterPrac entities may be provided with personal information collected from clients of nonrelated entities for the purpose of providing the services offered by InterPrac entities. The information collected from 3rd parties is collected and used only for the purpose of the specific service and is not disclosed or used for any other purpose.
A collection notice statement relating to this will be required on the websites of the entities recorded.
APP 4 creates new obligations in relation to the receipt of personal information which is not solicited.
Where an organisation receives unsolicited personal information, it must determine whether it would have been permitted to collect the information under APP 3. If so, APPs 5 to 13 will apply to that information.
If the information could not have been collected under APP 3, and the information is not contained in a Commonwealth record, the organisation must destroy or de-identify that information as soon as practicable, but only if it is lawful and reasonable to do so. InterPrac entities in receipt of information detailed above should review whether that information could have been necessary or obtained under APP3 and if not then take action to destroy or de-identify that information if it is lawful and reasonable to do so. (for example documents of a personal nature (photos letters emails) accidently included in other information provided).
APP 5 specifies certain matters about which an organisation must generally make an individual aware, at the time, or as soon as practicable after, the organisation collects their personal information.
In addition to the matters listed in NPP 1.3, APP 5 requires organisations to notify individuals about the access, correction and complaints processes in their APP privacy policies, and also the location of any likely overseas recipients of individuals’ information.
In the event that entities of InterPrac utilise 3rd parties to collect information then they are obliged under this policy to provide the above information.
A collection notification statement as outlined in 1.7 above will be included on the NTAA Corporate and SMSF Engine Pty Ltd website pages.
APP 6 outlines the circumstances in which an organisation may use or disclose the personal information that it holds about an individual.
APP 6 generally reflects the NPP 2 use and disclosure obligations. In addition, APP 6 introduces a limited number of new exceptions to the general requirement that an organisation only uses or discloses personal information for the purpose for which the information was collected.
These exceptions include where the use or disclosure is reasonably necessary:
Entities of InterPrac if approached for the disclosure of personal information outside its normal business practices (including those above) then approval should be sought from the Privacy Officer.
The use and disclosure of personal information for direct marketing is now addressed in a discrete privacy principle (rather than as an exception in NPP 2).
Generally, organisations may only use or disclose personal information for direct marketing purposes where the individual has either consented to their personal information being used for direct marketing, or has a reasonable expectation that their personal information will be used for this purpose, and conditions relating to opt-out mechanisms are met.
APP 7.5 permits contracted service providers for Commonwealth contracts to use or disclose personal information for the purpose of direct marketing if certain conditions are met. Entities of InterPrac must have direct marketing approved by the licensee and for the purposes of this policy any marketing material that is explicitly provided for clients, e.g monthly magazines should provide those clients with the easy ability to opt-out.
Clients of InterPrac can elect to opt-out of receiving direct marketing materials by contacting their adviser or to the Privacy Officer at InterPrac.
APP 8 and a new s 16C introduce an accountability approach to organisations’ cross-border disclosures of personal information.
Before an organisation discloses personal information to an overseas recipient, the organisation must take reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to that information. In some circumstances an act done, or a practice engaged in, by the overseas recipient that would breach the APPs, is taken to be a breach of the APPs by the organisation. There are a number of exceptions to these requirements.
Other than in the circumstances outlined in APP1 or financial products and services approved by InterPrac, entities of InterPrac shall seek approval from the Privacy Officer prior to establishing arrangements that would see personal information transferred out of Australia without the clients’ prior approval. (e.g utilising an overseas based accounting organisation to provide work).
APP 9 prohibits an organisation from adopting, using or disclosing a government related identifier unless an exception applies. APP 9 generally retains the same exceptions as NPP 7, with some additions and amendments.
InterPrac entities shall not use for example a tax file number as a client reference for filing purposes.
Under APP 10, an organisation must take reasonable steps to ensure the personal information it collects is accurate, up-to-date and complete (as required by NPP 3).
In relation to use and disclosure, the quality requirements differ from NPP 3. For uses and disclosures, the personal information must be relevant, as well as, accurate, up-to-date and complete, having regard to the purpose of the use or disclosure.
InterPrac entities are required to update information held on a regular basis and should not rely on out of date information.
APP 11 requires an organisation to take reasonable steps to protect the personal information it holds from interference, in addition to misuse and loss, and unauthorised access, modification and disclosure (as required by NPP 4.1).
All InterPrac entities must take reasonable steps to ensure that data is securely stored including password protection on computer files and confidential destruction of paper records.
APP 11 requires InterPrac entities to take reasonable steps to destroy or de-identify personal information if the organisation no longer needs it for any authorised purpose. Under APP 11 there are two exceptions to this requirement:
The APPs separate the access and correction requirements into two separate principles. Like NPP 6, APP 12 requires an organisation to give an individual access to the personal information that it holds about that individual, unless an exception applies. The exceptions are substantially similar to the exceptions in NPP 6.
There is a new requirement for organisations to respond to requests for access within a reasonable period. In addition, organisations must give access in the manner requested by the individual if it is reasonable to do so. If an organisation decides not to give an individual access, it must generally provide written reasons for the refusal and the mechanisms available to complain about the refusal.
If an organisation charges an individual for giving access to the individual’s personal information, the charge must not be excessive, and must not apply to the making of the request.
APP 13 introduces some new obligations in relation to for correcting personal information, which differ from those in NPP 6. The APPs remove the NPP 6 requirement for an individual to establish that their personal information is inaccurate, incomplete or is not up-to-date and should be corrected.
APP 13 now requires an organisation to take reasonable steps to correct personal information to ensure that, having regard to a purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading, if either:
Organisations generally need to notify other APP entities that have been provided with the personal information of any correction, if that notification is requested by the individual. APP 13 contains similar provisions to NPP 6 in relation to associating a statement with the personal information if the organisation refuses to correct the information and the individual requests a statement to be associated.
An organisation must also respond to a correction request or a request to associate a statement by the individual within a reasonable period after the request is made, and must not charge the individual for making the request, for correcting the personal information, or for associating the statement with the personal information.
When refusing an individual’s correction request, an organisation must generally provide the individual with written reasons for the refusal and notify them of available complaint mechanisms.
If a client believes that a breach of the APPs has occurred they can direct their complaint to the Privacy Officer.
The relevant contact details are:
Privacy Officer InterPrac Pty Ltd Level 8, 525 Flinders Street Melbourne, VIC, 3000 Tel 1800 700 666 Email firstname.lastname@example.org
If a client is not satisfied with the outcome of their complaint they may lodge a complaint with the Office of the Australian Information Commissioner (OAIC). Further information is available on the OAIC’s website at www.oaic.gov.au.
Non-compliance with this Policy may result in disciplinary action including the termination of a relationship with InterPrac if the breach is considered serious.
If you are uncertain about this policy then contact the Privacy Officer on 1800 700 666.