Phone: 0438 437 894
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable: whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.
APP 2 sets out a new requirement that an organisation provide individuals with the option of dealing with it using a pseudonym. This obligation is in addition to the existing requirement that organisations provide individuals with the option of dealing with them anonymously.
Both requirements are subject to certain limited exceptions, including where it is impracticable for the organisation to deal with an individual who has not identified themselves, or where the law or a court/tribunal order requires or authorises the organisation to deal with individuals who have identified themselves.
As InterPrac and its entities deal primarily with clients in financial services, it is unlikely that it would be practical for services to be provided to those clients without them having identified themselves. Further, in most situations companies within the InterPrac group will be required under the terms of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) to appropriately identify clients.
APP 3 outlines when and how an organisation may collect personal and sensitive information that it solicits from an individual or another entity.
An organisation must not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the organisation’s functions or activities.
APP 3 clarifies that, unless an exception applies, sensitive information must only be collected with an individual’s consent if the collection is also reasonably necessary for one or more of the organisation’s functions or activities.
An organisation must only collect personal information from the individual, unless it is unreasonable or impracticable to do so.
InterPrac is required to collect only information that is reasonably necessary for one or more of its functions. To meet legislative requirements, it is envisaged that InterPrac will be required to collect the information needed to comply and store that information, including Tax File Numbers and personal medical information.
Where personal information is required to be obtained from clients in order for them to be provided services from entities within InterPrac, those entities must consent to the collection of their personal information.
InterPrac entities may be provided with personal information collected from clients of non-related entities for the purpose of providing the services offered by InterPrac entities. The information collected from third parties is collected and used only for the purpose of the specific service and is not disclosed or used for any other purpose.
A collection notice statement relating to this will be required on the websites of the entities recorded.
APP 4 creates new obligations in relation to the receipt of personal information which is not solicited.
Where an organisation receives unsolicited personal information, it must determine whether it would have been permitted to collect the information under APP 3. If so, APPs 5 to 13 will apply to that information.
If the information could not have been collected under APP 3, and the information is not contained in a Commonwealth record, the organisation must destroy or de-identify that information as soon as practicable, but only if it is lawful and reasonable to do so.
InterPrac entities in receipt of information detailed above should review whether that information could have been necessary or obtained under APP 3 and, if not, take action to destroy or de-identify that information if it is lawful and reasonable to do so (for example, documents of a personal nature, such as photos, letters or emails, accidentally included in other information provided).
APP 6 outlines the circumstances in which an organisation may use or disclose the personal information that it holds about an individual.
APP 6 generally reflects the NPP 2 use and disclosure obligations. In addition, APP 6 introduces a limited number of new exceptions to the general requirement that an organisation only uses or discloses personal information for the purpose for which the information was collected.
These exceptions include where the use or disclosure is reasonably necessary: to assist in locating a missing person; to establish, exercise or defend a legal or equitable claim; or for the purposes of a confidential alternative dispute resolution.
If an InterPrac entity is approached for the disclosure of personal information outside its normal business practices (including those above), approval should be sought from the Privacy Officer.
The use and disclosure of personal information for direct marketing is now addressed in a discrete privacy principle (rather than as an exception in NPP 2).
Generally, organisations may only use or disclose personal information for direct marketing purposes where the individual has either consented to their personal information being used for direct marketing, or has a reasonable expectation that their personal information will be used for this purpose, and conditions relating to opt-out mechanisms are met.
APP 7.5 permits contracted service providers for Commonwealth contracts to use or disclose personal information for the purpose of direct marketing if certain conditions are met.
Entities of InterPrac must have direct marketing approved by the licensee and, for the purposes of this policy, any marketing material that is explicitly provided for clients, e.g. monthly magazines, should provide those clients with the easy ability to opt out.
Clients of InterPrac can elect to opt out of receiving direct marketing materials by contacting their adviser or the Privacy Officer at InterPrac.
APP 8 and a new s 16C introduce an accountability approach to organisations’ cross-border disclosures of personal information.
Before an organisation discloses personal information to an overseas recipient, the organisation must take reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to that information. In some circumstances an act done, or a practice engaged in, by the overseas recipient that would breach the APPs is taken to be a breach of the APPs by the organisation. There are a number of exceptions to these requirements.
Other than in the circumstances outlined in APP 1 or financial products and services approved by InterPrac, entities of InterPrac shall seek approval from the Privacy Officer prior to establishing arrangements that would see personal information transferred out of Australia without the clients’ prior approval (e.g. utilising an overseas-based accounting organisation to provide work).
APP 9 prohibits an organisation from adopting, using or disclosing a government related identifier unless an exception applies. APP 9 generally retains the same exceptions as NPP 7, with some additions and amendments.
InterPrac entities shall not use, for example, a tax file number as a client reference for filing purposes.
Under APP 10, an organisation must take reasonable steps to ensure the personal information it collects is accurate, up-to-date and complete (as required by NPP 3).
In relation to use and disclosure, the quality requirements differ from NPP 3. For uses and disclosures, the personal information must be relevant, as well as accurate, up-to-date and complete, having regard to the purpose of the use or disclosure.
InterPrac entities are required to update information held on a regular basis and should not rely on out-of-date information.
APP 11 requires an organisation to take reasonable steps to protect the personal information it holds from interference, in addition to misuse and loss, and unauthorised access, modification and disclosure (as required by NPP 4.1).
All InterPrac entities must take reasonable steps to ensure that data is securely stored, including password protection on computer files and confidential destruction of paper records.
APP 11 requires InterPrac entities to take reasonable steps to destroy or de-identify personal information if the organisation no longer needs it for any authorised purpose. Under APP 11 there are two exceptions to this requirement: the personal information is contained in a Commonwealth record, or the organisation is required by or under an Australian law or a court/tribunal order to retain the information.
The APPs separate the access and correction requirements into two separate principles. Like NPP 6, APP 12 requires an organisation to give an individual access to the personal information that it holds about that individual, unless an exception applies. The exceptions are substantially similar to the exceptions in NPP 6.
There is a new requirement for organisations to respond to requests for access within a reasonable period. In addition, organisations must give access in the manner requested by the individual if it is reasonable to do so. If an organisation decides not to give an individual access, it must generally provide written reasons for the refusal and the mechanisms available to complain about the refusal.
If an organisation charges an individual for giving access to the individual’s personal information, the charge must not be excessive, and must not apply to the making of the request.
APP 13 introduces some new obligations in relation to correcting personal information, which differ from those in NPP 6. The APPs remove the NPP 6 requirement for an individual to establish that their personal information is inaccurate, incomplete or is not up-to-date and should be corrected.
APP 13 now requires an organisation to take reasonable steps to correct personal information to ensure that, having regard to a purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading, if either: the organisation is satisfied that it needs to be corrected, or an individual requests that their personal information be corrected.
Organisations generally need to notify other APP entities that have been provided with the personal information of any correction, if that notification is requested by the individual. APP 13 contains similar provisions to NPP 6 in relation to associating a statement with the personal information if the organisation refuses to correct the information and the individual requests a statement to be associated.
An organisation must also respond to a correction request or a request to associate a statement by the individual within a reasonable period after the request is made, and must not charge the individual for making the request, for correcting the personal information, or for associating the statement with the personal information.
When refusing an individual’s correction request, an organisation must generally provide the individual with written reasons for the refusal and notify them of available complaint mechanisms.
If a client believes that a breach of the APPs has occurred they can direct their complaint to the Privacy Officer.
The relevant contact details are:
Privacy Officer
InterPrac Pty Ltd
Level 3, 29-33 Palmerston Cres
South Melbourne Vic 3204
Tel 1800 700 666
Email email@example.com
If a client is not satisfied with the outcome of their complaint they may lodge a complaint with the Office of the Australian Information Commissioner (OAIC). Further information is available on the OAIC’s website at www.oaic.gov.au.
Non-compliance with this Policy may result in disciplinary action including the termination of a relationship with InterPrac if the breach is considered serious.
If you are uncertain about this policy then contact the Privacy Officer on 1800 700 666.