Australian Financial Complaints Authority

1800 931 678

Members 1300 56 55 62

info@afca.org.au

GPO Box 3 Melbourne VIC 3001

Contents

1. INTRODUCTION

1.1 Purpose of the policy

1.2 Scope of the policy

1.3 Policy statement

2. POLICY

3. PROCEDURES

3.1 Openness

3.2 Anonymity and Pseudonymity

3.3 Dealing with unsolicited personal information

3.4 Collection of solicited personal and sensitive information

3.4.1 Notification of the collection of personal information

3.4.2 Information about third parties to disputes

3.5 Use or disclosure of personal information

3.5.1 Use of personal information for a primary purpose

3.5.2 Use of personal information for a secondary purpose

3.5.3 Third parties seeking information about a dispute

3.5.4 Direct marketing

3.5.5 Cross-border disclosure of personal information

3.5.6 Adoption, use or disclosure of government related identifiers

3.6 Quality of personal information

3.7 Security of personal information

3.8 Access to personal information

3.8.1 Dealing with requests for access

3.9 Correction of personal information

3.9.1 Notification of correction to third parties

3.9.2 Refusal to correct information

3.9.3 Request to associate a statement

3.9.4 Dealing with requests

3.10 Breach of privacy by AFCA

4. SUPPORTING INFORMATION

4.1 Definitions

1. INTRODUCTION

1.1 Purpose of the policy

This Policy is intended to ensure that the privacy of individuals is protected in the collection, use, disclosure and storage of personal information by AFCA.

1.2 Scope of the policy

This policy applies to all AFCA employees.

Activities covered by this policy include, but are not limited to:

  • The collection of an individual's personal information;
  • The primary uses of personal information;
  • The secondary uses of personal information; and
  • The disclosure of personal information.

1.3 Policy statement

The Privacy Policy and Procedures are intended to ensure that AFCA operates to high standards of governance and complies with relevant laws.

This Privacy Policy will ensure that AFCA:

  • collects, uses and disseminates personal information in a manner that is in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs);
  • responds appropriately to requests in relation to an individual's personal information; and
  • responds appropriately to any breach of its privacy obligations.

2. POLICY

AFCA is committed to the following policy principles which are aligned with the APPs:

Consideration of personal information privacy

  • Open and transparent management of personal information (APP 1) - AFCA will be open and transparent about how it collects, uses and disseminates personal information.
  • Anonymity and pseudonymity (APP 2) - General enquiries made to AFCA will not require the person making the enquiry to identify themselves.

Collection of personal information

  • Collection of solicited personal information (APP 3) - AFCA will collect personal information in a fair and lawful manner.
  • Dealing with unsolicited personal information (APP 4) - AFCA will return, de-identify or destroy personal information that it could not have fairly or lawfully collected.
  • Notification of the collection of personal information (APP 5) - AFCA will, where practicable, notify relevant individuals of the collection of their personal information in a timely manner.

Dealing with personal information

  • Use or disclosure of personal information (APP 6) - AFCA will use and disclose personal information only in accordance with the Privacy Act 1988 (Cth) and the APPs.
  • Direct marketing (APP 7) - AFCA will not use or disclose personal information for the purpose of direct marketing, unless permitted to do so by the APPs.
  • Cross-border disclosure of personal information (APP 8) - AFCA will only disclose personal information to overseas recipients with prior authority of the individual concerned.
  • Adoption, use or disclosure of government related identifiers (APP 9) - AFCA will not adopt, use or disclose a government related identifier of an individual.

Integrity of personal information

  • Quality of personal information (APP 10) - AFCA will endeavour to ensure, to the extent practicable, that the personal information that AFCA collects, uses and discloses is accurate, up to date and complete.
  • Security of personal information (APP 11) - AFCA will take such steps as are reasonable in the circumstances to protect the personal information about an individual.

Access to, and correction of, personal information

  • Access to personal information (APP 12) - AFCA will, on request by the relevant individual, give the individual access to personal information held by AFCA, except in particular circumstances.
  • Correction of personal information (APP 13) - AFCA will, as is reasonable in the circumstances, correct that information to ensure that the information is accurate, up to date, complete, relevant and not misleading.

3. PROCEDURES

3.1 Openness

  • AFCA will manage personal information in an open and transparent way in accordance with
  • A person may:
    • access their personal information held by AFCA;
    • request correction of their personal information held by AFCA;
    • complain about a breach of the APPs by AFCA, by directing their complaint to any member of AFCA staff or the Privacy Manager;
    in accordance with this Policy.

3.2 Anonymity and Pseudonymity

  • When dealing with AFCA, individuals have the option, where it is practicable, of not identifying themselves, or of using a pseudonym.
  • Callers will not be required to identify themselves unless they wish to lodge a dispute or request access to their personal information.

3.3 Dealing with unsolicited personal information

AFCA will return, destroy or de-identify unsolicited personal information that it could not have lawfully collected under the APPs as soon as practicable.

3.4 Collection of solicited personal and sensitive information

  • It is a permitted general situation for alternative dispute resolution schemes such as AFCA to collect and use available information, including relevant third party personal information, to carry out their primary function of dispute resolution.
  • AFCA will try to ensure that Applicants have provided explicit consent to the collection and distribution of their personal information:
    • in the case of a written or online lodgement, through completing a dispute form; and
    • in the case of a telephone lodgement, through reading, and having the Applicant acknowledge, the Telephone Authority Statement.

These consents will be recorded in AFCA's case management system through the case actions 'Authority Statement' (where the telephone authority statement has been read) and 'Authority Form' (where a physical declaration has been made).

  • AFCA will only collect personal information that is reasonably necessary for, or directly related to, one of AFCA's functions or activities. Given the service AFCA provides, it is assumed that most consumers will be aware that when they lodge a dispute, AFCA will use the personal information provided to assist in resolving the dispute and that this will require providing that information to the relevant Financial Services Provider (FSP).
  • AFCA will inform FSPs and Applicants, via correspondence, publications and the website, that only information that is relevant to the dispute should be sent to AFCA.
  • AFCA will only collect sensitive information about an individual with their consent and where the information is reasonably necessary for one or more of AFCA's functions or a lawful exception under the APPs applies.
  • AFCA will only collect information by lawful and fair means and will generally do so in the following ways:
    • From the Applicant [1] or FSP:
      • In writing; or
      • Orally, via telephone or face to face conversations; and
    • From third parties who can assist by providing relevant written documentation or electronic media.

3.4.1 Notification of the collection of personal information

When AFCA collects personal information about an individual, we will, to the extent necessary, notify the individual of AFCA's privacy policy by:

  • Referencing the privacy policy in the dispute form and information brochures;
  • Publishing the privacy policy on the AFCA website; and
  • Providing a copy of the privacy policy on request.

3.4.2 Information about third parties to disputes

  • Each party will be asked to keep information concerning third parties to only what is relevant and necessary for the resolution of the dispute.
  • When information about a third party who has no direct involvement in the dispute at AFCA is necessary for the resolution of the dispute, it may not be reasonable or practicable for AFCA to collect the personal information directly from the individual concerned. This may be because to do so:
    • would breach the privacy of the Applicant;
    • may cause adverse consequences for the Applicant;
    • may be impractical due to a lack of contact details for the third party and the cost to locate the third party may be considerable; or
    • may incriminate the third party.
  • It is a permitted general situation for alternative dispute resolution schemes such as AFCA to collect and use available information, including relevant third party personal information, to carry out their primary function of dispute resolution.
  • Where unnecessary or irrelevant information about a third party is provided by the Applicant or the FSP, AFCA will return, delete or de-identify that information.
  • If the third party information is necessary in the resolution of the dispute, AFCA has determined that it is not reasonable or practicable for AFCA to inform the third party of the matters directly. However, in appropriate circumstances, AFCA may ask the provider of the information to advise the third party that the information has been provided to AFCA and give their reasons for doing so.

3.5 Use or disclosure of personal information

3.5.1 Use of personal information for a primary purpose

  • AFCA will only use and disclose personal information about an individual for the purpose of:
    • Resolving disputes under the Terms of Reference; or
    • Fulfilling our obligations in respect of systemic issues, serious misconduct or monitoring of compliance with industry codes of practice;

unless we are permitted to use the information for a secondary purpose.

    • In doing so, the Terms of Reference require AFCA to keep confidential all information pertaining to a dispute that is provided to AFCA except in particular circumstances. [2]
    • Where necessary, AFCA may need to disclose personal information to other persons in order to investigate and resolve a dispute, such as a dispute involving joint account holders or multiple beneficiaries. In these circumstances, it may be necessary:
      • to notify the second Applicant that a dispute has been lodged at AFCA; and
      • to disclose personal information about one Applicant to the joint Applicant in order to resolve the dispute.
    • AFCA may also disclose personal information to a third party in order to seek expert advice on the dispute, such as a handwriting expert advising on a dispute involving allegations of forgery. Any experts contractually engaged by AFCA will be bound by confidentiality requirements.
    • Personal information will be de-identified before being used for the purpose of reporting to stakeholders, the public and the Government about our activities and as such will cease to be personal information.

    3.5.2 Use of personal information for a secondary purpose

    • Valid secondary purposes include:
      • Development of a wide public awareness of the benefits and services of AFCA;
      • Protection, promotion and advancement of dispute resolution procedures and standards, including monitoring compliance with Industry Codes of Practice;
      • Consultation and maintenance of relations with relevant stakeholders, including Federal, State and Local governments and regulatory agencies;
      • Compilation and distribution of statistical and other data of interest, as well as distribution of information to stakeholders on matters and questions affecting, or of interest to, the financial services industry; and
      • Maintenance of effective lines of communication with stakeholders, including communication of the results of the AFCA EDR scheme and related matters.
    • Personal information will only be used for a secondary purpose where:
      • the individual would reasonably expect AFCA to use or disclose the information for the secondary purpose and the secondary purpose is:
        • if the information is sensitive information—directly related to the primary purpose; or
        • if the information is not sensitive information—related to the primary purpose; or
      • the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
      • A Permitted General Situation exists, specifically where the collection, use or disclosure is reasonably necessary for the purposes of a confidential alternative dispute resolution process.

    3.5.3 Third parties seeking information about a dispute

    • AFCA may be contacted by persons who claim to represent an Applicant and who seek information about the progress of a dispute. These might include members of parliament, legal and financial advisers, friends and family members.
    • AFCA makes no assessment about the intentions of any such person in seeking information, but will not discuss any aspect of a dispute with any person other than the complainant unless the Applicant has specifically authorised AFCA to do so via the dispute form or other direct written communication.

    3.5.4 Direct marketing

    • If AFCA holds personal information about an individual, AFCA will not use or disclose the information for the purpose of direct marketing [3], unless one of the exceptions under the APPs applies.
    • Prior to engaging in any direct marketing exercise, the relevant project manager must contact the Privacy Manager for advice about what is, and is not, permissible.
    • In the event that AFCA does use or disclose personal information for the purpose of direct marketing, we will:
      • allow an individual to request not to receive direct marketing communications (also known as 'opting out'); and
      • comply with that request.

    3.5.5 Cross-border disclosure of personal information

    AFCA will only disclose personal information to overseas recipients with prior authority of the individual concerned.

    3.5.6 Adoption, use or disclosure of government related identifiers

    AFCA will not adopt, use or disclose a government related identifier of an individual.

    3.6 Quality of personal information

    • AFCA will take reasonable steps to ensure that the personal information that AFCA collects, uses and discloses is accurate, up to date and complete.
    • Where a person notifies AFCA of changes to their personal details held by AFCA, or errors in AFCA's records, AFCA will make the necessary changes as soon as practicable and, in any event, within two business days of the request being made.

    3.7 Security of personal information

    • AFCA will take reasonable steps to protect the personal information about an individual from:
      • misuse, interference and loss; and
      • unauthorised access, modification or disclosure.
    • If AFCA holds personal information about an individual and:
      • AFCA no longer needs the information for any purpose for which the information may be used or disclosed;
      • the information is not contained in a Commonwealth record; and
      • AFCA is not required by or under an Australian law, or a court/tribunal order, to retain the information;
      AFCA will take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.
    • AFCA will destroy physical files on a date seven years after the last action was conducted on the file.

    3.8 Access to personal information

    When requested by the relevant individual, AFCA will provide the individual with a copy of the personal information held by AFCA, except where:

    • AFCA reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety;
    • giving access would have an unreasonable impact on the privacy of other individuals;
    • the request for access is frivolous or vexatious;
    • the information relates to existing or anticipated legal proceedings between AFCA and the individual, and would not be accessible by the process of discovery in those proceedings;
    • giving access would reveal the intentions of AFCA in relation to negotiations with the individual in such a way as to prejudice those negotiations;
    • giving access would be unlawful;
    • denying access is required or authorised by or under an Australian law or a court/tribunal order;
    • both of the following apply:
      • AFCA has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to AFCA's functions or activities has been, is being or may be engaged in; and
      • giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or
    • giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
    • giving access would reveal evaluative information generated within AFCA in connection with a commercially sensitive decision-making process.

    3.8.1 Dealing with requests for access

    • The Privacy Manager will:
      • respond to a request for access to the personal information within five business days of the request being made by either:
        • providing the information; or
        • explaining the timeframe and manner in which the information will be provided; and
      • give access to the information in the manner requested by the individual, if it is reasonable and practicable to do so.
    • If the Privacy Manager refuses to give access to the personal information, he or she will give the individual a written notice that sets out the reasons for the refusal and provides:
      • the option to make a formal complaint about the refusal via the AFCA Complaints and Feedback Procedure; and
      • any other relevant matters;
      unless, having regard to the grounds for the refusal, it would be unreasonable to provide reasons.
    • Any individual who:
      • wishes to gain access to information held by AFCA; or
      • believes that information held by AFCA is not accurate, complete or up-to-date;
      should initially contact the member of staff dealing with their dispute, but may contact the Privacy Manager directly.
    • To assist AFCA in responding to the request, the individual should provide as much information as possible to assist AFCA in determining where the relevant information is held, including their name, dispute number(s), the name of the FSP and/or relevant dates.

    3.9 Correction of personal information

    If:

    • AFCA holds personal information about an individual; and
    • either:
      • AFCA is satisfied that the information is inaccurate, out of date, incomplete, irrelevant or misleading; or
      • the individual requests AFCA to correct the information;

    AFCA will correct that information to ensure that the information is accurate, up to date, complete, relevant and not misleading.

    3.9.1 Notification of correction to third parties

    If:

    • AFCA corrects personal information about an individual that AFCA previously disclosed to another entity; and
    • the individual requests AFCA to notify the other entity of the correction;

    AFCA will notify the other entity, unless it is unreasonable or unlawful to do so.

    3.9.2 Refusal to correct information

    If AFCA refuses to correct the personal information as requested by the individual, AFCA will provide a written notice to the individual that sets out:

    • the reasons for the refusal except to the extent that it would be unreasonable to do so;
    • the mechanisms available to complain about the refusal; and
    • any other matter prescribed by the regulations.

    3.9.3 Request to associate a statement

    If:

    • AFCA refuses to correct the personal information as requested by the individual; and
    • the individual requests AFCA to include a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading with the information;

    AFCA will take reasonable steps to associate the statement with the information in such a way that will make the statement apparent to users of the information.

    3.9.4 Dealing with requests

    If a request is made for the correction of personal information, AFCA will:

    • respond within two business days after the request is made; and
    • not charge the individual for:
      • the making of the request;
      • correcting the personal information; or
      • associating the statement with the personal information.

    3.10 Breach of privacy by AFCA

    • AFCA takes its obligations in the handling of personal information very seriously.
    • Where AFCA has provided personal information to an unauthorised party (the breach), whether the breach is identified internally or by an external party, the AFCA member of staff who is first made aware of the breach will advise his or her line manager and the Privacy Manager immediately so that they can support and lead the response process.
    • Whilst AFCA cannot compel the party to return or delete the documentation, all reasonable efforts to retrieve the material will be made. AFCA will first telephone the receiving party and request that the documentation be destroyed and that confirmation of the destruction be provided, preferably in writing.
    • If original information has been provided, AFCA will request that the information is returned and will provide a stamped envelope addressed to AFCA for the return of the documentation.
    • If the material is not returned, or confirmed as deleted or destroyed, within 7 days, a follow-up call, or letter if the party is not able to be reached by phone, will be made.
    • Simultaneously, AFCA will advise the party whose personal information has been disclosed (the affected party) about the breach and formally apologise. Once the breach has been resolved, AFCA will again contact the affected party and advise on the outcome of the breach response actions.
    • Any complaint lodged by the affected party will be handled in accordance with our Complaints and Feedback process.
    • The relevant line manager and Privacy Manager will consider whether any systemic change or training is needed to prevent possible future breaches.

    4. SUPPORTING INFORMATION

    4.1 Definitions

    Term

    Definition

    Personal Information

    any 'information or an opinion about an identified individual, or an individual who is reasonably identifiable:

    • whether the information or opinion is true or not; and
    • whether the information or opinion is recorded in a material form or not' (s 6(1)).

    Common examples are an individual's name, signature, address, telephone number, date of birth, medical records, bank account details, employment details and commentary or opinion about a person.

    Permitted General Situation

    There are seven permitted general situations:

    • lessening or preventing a serious threat to the life, health or safety of any individual, or to public health or safety
    • taking appropriate action in relation to suspected unlawful activity or serious misconduct
    • locating a person reported as missing
    • asserting a legal or equitable claim
    • conducting an alternative dispute resolution process
    • performing diplomatic or consular functions – this permitted general situation only applies to agencies
    • conducting specified Defence Force activities

    Privacy Manager

    Nicolas Crowhurst, Company Secretary
    Telephone: (03) 8623 2005
    Email: privacy@afca.org.au

    Sensitive Information

    A subset of personal information defined as:

    • information or an opinion (that is also personal information) about an individual's:
      • racial or ethnic origin
      • political opinions
      • membership of a political association
      • religious beliefs or affiliations
      • philosophical beliefs
      • membership of a professional or trade association
      • membership of a trade union
      • sexual orientation or practices, or
      • criminal record
    • health information about an individual
    • genetic information (that is not otherwise health information)
    • biometric information that is to be used for the purpose of automated biometric verification or biometric identification, or
    • biometric templates.

    Information may be sensitive information where it unambiguously implies one of these matters.

    Sensitive information is generally afforded a higher level of privacy protection under the APPs than other personal information.

     


     

    [1] Or his or her properly appointed agent or representative

    [2] Paragraph 13.4

    [3] Direct marketing is the use or disclosure of personal information to communicate directly with an individual to promote goods and services.