1.2 Privacy Act 1988 and APPs
The Privacy Act 1988 (Act) regulates the handling of “personal information” about individuals by entities such as the Trustee. This includes the collection, use, storage and disclosure of personal information.
“Personal information” means information or an opinion about an identified individual, or an individual who is reasonably identifiable. The information or opinion does not need to be recorded in a material form and does not need to be true for it to be considered personal information.
“Personal information” also includes “sensitive information”, which includes information or opinion (that is also personal information) about an individual’s:
- racial or ethnic origin;
- political opinions;
- membership of a political association;
- religious beliefs or affiliations;
- philosophical beliefs;
- membership of a professional or trade association;
- membership of a trade union;
- sexual preferences or practices; or
- criminal record; and
- health information about an individual.
The Act was amended to introduce 13 Australian Privacy Principles (APPs) from 12 March 2014, which replace the National Privacy Principles (NPPs) and Information Privacy Principles. These will apply to organisations, and Australian, ACT and Norfolk Island government agencies.
The text of the 13 APPs is set out in Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which amends the Privacy Act 1988.
2. Australian Privacy Principles
2.1 APP 1 – Open and transparent management of personal information
(a) the kind of information that the Trustee collects and holds (see section 2.3);
(b) how the Trustee collects and holds personal information (see sections 2.4, 2.5 and 2.11);
(c) the purposes for which the Trustee collects, holds, uses and discloses personal information (see sections 2.6 and 2.9);
(d) how an individual may access personal information about the individual that is held by the Trustee and seek the correction of such information (see sections 2.12 and 2.13);
(e) how an individual may complain about a breach of the APPs, or a registered APP code (if any) that binds the Trustee, and how the Trustee will deal with such a complaint (see section 3);
(f) whether the Trustee is likely to disclose personal information to overseas recipients (see section 2.8); and
(g) if the Trustee is likely to disclose personal information to overseas recipients – the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy (see section 2.8).
2.2 APP 2 – Anonymity and pseudonymity
Individuals have the option of not identifying themselves or of using a pseudonym where it is lawful and practicable to do so, for example when making a general enquiry about the Fund.
However, while the Trustee understands its obligations in respect of this APP, superannuation legislation and Anti-money Laundering legislation generally require the Trustee to identify members and their beneficiaries when providing their superannuation benefits.
The Trustee is aware that an individual who is not a member may make an enquiry about the Fund by choosing to remain anonymous or use a pseudonym.
2.3 APP 3 – Collection of solicited personal information
The Trustee collects, holds and uses personal information about each Fund member only to the extent that it is reasonably necessary for the performance of its role as Trustee of the Fund and the proper management of the Fund.
Typically, the personal information the Trustee collects may include:
- contact details
- date of birth
- email address
- bank account details (if a member requests a direct debit or payment of a pension into a nominated account)
- Tax File Number (TFN) (if a member has chosen to provide it)
- employment details such as occupation, hours worked, employment status
- superannuation details such as member numbers, beneficiaries, investment choices and dates for membership commencement
- information collected from the Trustee’s website and mobile app, including geographic location, IP addresses, website page views, number of visits and performance of the website or app
- any other relevant information the Trustee may require to provide members with products and services.
Personal information may also be collected when a member deals with the Fund over the telephone, enters a competition or promotion, or completes a survey.
The Trustee might also collect health information in connection with the insurance benefits provided through the Fund.
Collecting information over the Internet: Cookies
When a member visits our website, our server attaches a small data file known as a ‘cookie’ to their hard drive. This enables us to analyse usage patterns on our site in order to tailor it to our users' needs.
Cookies are safe. They cannot be used to deliver a virus. Cookies only identify a member’s computer to our servers when they visit our website.
Most web browsers are set to accept cookies. If a member doesn’t wish to accept cookies they can refuse the transfer of cookies to their computer's hard drive by adjusting their Internet browser. However, disabling cookies may restrict some of the functionality of the Fund’s website or mobile app.
Cookies in and of themselves do not personally identify a member, although they do identify their browser. The cookies simply operate as a unique identifier, which helps us to know what our users find interesting and useful on our website. We will link this information back to other information that members and non-members have provided to us. We do not store any information inside cookies.
Our websites contain links to other third party websites that may hold and manage personal information different to our practices. Members should consult the other sites' privacy policies as we have no control over information that is submitted, or collected by, these third parties.
2.4 APP 4 – Dealing with unsolicited personal information
If the Trustee receives personal information which it did not solicit and which it could have collected in the ordinary course of business, it will comply with its obligations under the APPs about handling that information.
If the Trustee receives personal information which it did not solicit and which could not have been collected by the Trustee in its ordinary course of business or was not contained in a Commonwealth record, then the Trustee will ensure that the personal information is no longer personal information (i.e. by effectively de-identifying it) as soon as practicable, if lawful and reasonable to do so.
2.5 APP 5 – Notification of the collection of personal information
The Trustee usually collects the personal information it holds either directly from the member or from their employer.
However, in some circumstances the Trustee or its insurer may obtain information from external parties such as health care professionals (for example if a member makes an insurance claim). The Trustee will notify the member of the personal information collected from someone other than the member to ensure that the individual is aware of the matter. The Trustee will only collect health information about members with their consent.
If a member decides not to provide the Trustee with the information needed, or not allow their employer to provide the Trustee with that information, then:
- it may prevent the Trustee from contacting the member; or
- the Trustee may not be able to provide the member with superannuation benefits through the Fund.
Where the member decides not to provide their health information, then:
- this may limit the level of death or disability benefits that the member is able to access through the Fund; or
- it may prevent any insurance claim a member makes from being settled.
If a member chooses not to provide their TFN to the Trustee, then:
- additional tax may be taken out of the member’s account, as required by law.
2.6 APP 6 – Use or disclosure of personal information
The personal information collected by the Trustee is required to maintain the Fund’s records in a format that identifies each member. Complete and accurate records are essential to the proper management of the Fund and to enable the Trustee to provide members with superannuation benefits and keep members up to date on other products and services available to them through the Fund.
Information about a member’s potential beneficiaries is only used in the event of their death to facilitate the appropriate distribution of any benefits payable.
The Trustee uses the health information it holds about a member to enable it to obtain death or disability insurance cover from the Fund’s insurer or to process a member’s death or disability claim.
The records are kept both electronically and in hard copy.
In undertaking the services it provides to members, the Trustee outsources certain functions to other organisations.
For this purpose a member’s personal information may, as required, be transferred to or handled by:
- the Fund’s auditors and actuaries;
- the Trustee’s insurance brokers and insurers who provide death and disability cover for Fund members;
- the Trustee’s IT service providers, including web hosting companies, web and software application developers;
- government bodies such as the Australian Prudential Regulation Authority, the Australian Securities & Investments Commission, the Australian Taxation Office and AUSTRAC;
- the Trustee’s data matching and information provider who provides identification checks against members’ information;
- other fund trustees or administrators (in cases where a member transfers or rolls over their account);
- the Trustee’s legal and other professional advisers; and
- other third party providers, including document storage, market research and technology companies, printing and collating companies.
If a member has lodged a claim for insurance and the claim is declined and the member either takes legal action or complains to the Superannuation Complaints Tribunal (SCT), the Trustee must provide their personal details and information about the member’s health to the Fund’s legal representatives, the insurer, officers of the SCT or court officials.
If a member provides personal details and identification documents for the purpose of data and identity verification, the Trustee’s data matching and information provider will use the information for this purpose and conduct an information match and identification check via the use of their third party system.
If a member transfers to another superannuation fund, their personal information may be transferred to that fund.
Further, an employer may be provided with an individual’s personal information where this is necessary for the Trustee to provide benefits to the member. A member’s personal information will not be used or disclosed for any other purpose than that stated above without an individual’s consent, except where this is deemed necessary to satisfy any applicable law, regulatory process, contractual obligations or Government requests.
Where the member has consented, the Trustee may provide a member’s personal information to a financial adviser.
2.7 APP 7 – Direct Marketing
The Trustee may use personal information for the purpose of directly marketing the Fund’s products and services to members. This may include the Trustee contacting members to be involved in surveys and other research activities. The objective of direct marketing is to ensure that the Trustee reviews member satisfaction and the effectiveness of the Fund’s products and services. The Trustee may also conduct a number of marketing campaigns throughout the year to advise members of other products or services.
The Trustee may use third parties to carry out its marketing activities. If a member does not wish for their information to be shared with third parties for marketing purposes or would like to opt out of receiving marketing information, this can be done at any time by contacting the Fund on 1300 658 776.
2.8 APP 8 – Cross border disclosure of personal information
The Trustee may disclose personal information to service providers outside Australia and the information is only provided to enable the service provider to provide the Fund’s products and services. The Trustee takes reasonable steps to ensure all personal information shared with overseas providers is safeguarded and handled in compliance with Australian Privacy Laws.
Currently, personal information is accessed overseas in the Philippines by the Fund’s insurer – OnePath, for insurance administration services. There are contractual arrangements in place to ensure the information is protected and the Australian Privacy Principles are complied with.
Personal information is also shared with the Trustee’s marketing research and technology provider located in the United States.
2.9 APP 9 – Adoption, use or disclosure of government related identifiers
The Trustee requests members to provide their TFN.
The Trustee restricts access to records containing members’ TFNs to staff who need to handle this information under taxation, personal assistance or superannuation law. In addition, in respect to TFNs, the Trustee:
- maintains appropriate building security to prevent unauthorised entry to premises;
- regularly trains staff around the security awareness practices and procedures in relation to TFNs;
- applies policies on who can access and use records containing TFNs;
- requires staff to securely store all files containing TFNs after use;
- maintains audit trails to detect unauthorised access or misuse; and
- implements access controls for authorised users.
Application forms submitted by members are scanned into the Superannuation Administration System and stored. The physical application forms are securely shredded on site at regular intervals.
When TFNs are no longer required, the Trustee takes all reasonable and practicable steps to de-identify or destroy the information in a secure manner. Alternatively, where that is not practicable, reasonable steps are taken to protect the information from misuse or unauthorised disclosure.
2.10 APP 10 – Quality of personal information
The Trustee takes reasonable steps to correct a member’s personal information to ensure that, having regard to the purpose for which it was held, it is accurate, up-to-date, complete, relevant and not misleading.
The Trustee also asks members to inform it of any changes to their personal information.
2.11 APP 11 – Security of personal information
The Trustee has approved policies relating to information security.
The Trustee takes reasonable steps to protect personal information from:
- misuse, interference and loss; and
- unauthorised access, modification or disclosure.
The Trustee is bound by legal obligations of confidentiality. The Trustee does not sell or rent out any of the information it holds about its members or their beneficiaries and it protects the security of that information in accordance with regulatory requirements and industry practice.
The Trustee has strict security measures in place and the staff who handle any personal information have the necessary training and knowledge to protect this information from unauthorised access or misuse.
A member’s details are scanned and recorded in the Fund’s Superannuation Administration System. After a reasonable period of time, the physical documents are destroyed securely on site. Access to a member’s information is strictly restricted to staff that require the information to administer member accounts and provide information and services to members.
The Trustee has in place the following safeguards for the security of personal information:
- appropriate building security to prevent unauthorised entry to premises;
- paper based records are destroyed securely on site within a reasonable period of time;
- implementation of a clean desk policy;
- audit trails to record any unauthorised access;
- all Fund staff must undergo a thorough security check prior to their employment;
- login and password controls;
- segregation of duties;
- secure file transfer for files containing confidential information (e.g. Accellion); and
- staff awareness training and IT security training.
Website and Internet access
Members of the Fund can access their account online by using their login and unique password. The traffic between the Fund’s website and the member’s browser is encrypted.
Personal information is entered by members and prospective members on the Fund’s website to attend seminars hosted by the Fund. The personal details are stored securely in a database with the website service provider.
2.12 APP 12 – Access to personal information
A member can access their own personal information by contacting the Fund on 1300 658 776.
There are some circumstances in which the Fund is entitled to deny a member access to information. These include circumstances where such information is used in confidential Trustee decisions or in a commercially sensitive decision-making process, where the privacy of others may be breached if the information was accessed or where the law requires or authorises such access to be denied.
The Trustee’s Privacy Officer will respond to a member’s request for access to information within a reasonable period and will advise the member if their request for information is refused and the reason why.
The Trustee may charge a reasonable fee for the provision of the requested information but the charge must not be excessive.
2.13 APP 13 – Correction of personal information
A member can request to correct their own personal information by contacting the Fund on 1300 658 776.
The Trustee will respond to a member’s correction request within a reasonable period of time. The Trustee will endeavour to respond to requests within 30 days.
If the Trustee has provided incorrect information to any other organisation the Trustee will also take reasonable steps to notify the other organisation that the individual had requested a correction.
There will be no charge for the correction of personal information.
In order to keep member information as current as possible, the Trustee asks that members advise it of any changes to their personal details.
3. Enquiries and complaints
If an individual is concerned about a possible interference with their privacy or a breach of the APPs, including a refusal by the Trustee to provide requested information, or the failure by the Trustee to correct personal information, the individual should contact the Trustee’s Privacy Officer on the details listed below.
For more information on how you can protect your privacy and the safety and security of your personal information see Safety and Security.
4. Privacy Officer’s contact details
Head of Risk and Compliance
33 Burwood Road, BURWOOD NSW 2134
PO Box 656, BURWOOD NSW 1805
(02) 9715 0000 or 1300 658 776
(02) 9715 0091
If an individual’s concerns are not satisfactorily resolved within a reasonable period of time, the matter can be referred to the Privacy Commissioner, who can be contacted at The Office of the Australian Information Commissioner on:
Telephone: 1300 363 992
Email: firstname.lastname@example.org or
Write: GPO Box 5218, Sydney NSW 2001.
This Policy will be reviewed by the Trustee at least once every three years or earlier in response to changes in the business or legislative requirements.
Dated 31 May 2017