This Policy is intended to ensure that the privacy of individuals is protected in the collection, use, disclosure and storage of personal information by AFCA.
This policy applies to all AFCA employees.
Activities covered by this policy include, but are not limited to:
- The collection of an individual’s personal information;
- The primary uses of personal information; and
- The secondary uses of personal information.
Breach of this policy may amount to serious misconduct by an employee.
- collects, uses and disseminates personal information in a manner that is in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) and any other relevant legislation including without limitation the Health Privacy Principles under the Health Records Act 2001 (Victoria) and the Health Records and Information Privacy Act 2002 (NSW);
- responds appropriately to requests in relation to an individual’s personal information; and
- responds appropriately to any breach of its privacy obligations.
2.1 Functions and activities of AFCA and the primary purpose of its collection of personal information
The role of AFCA is to assist consumers and small businesses resolve complaints that they have with financial firms that are AFCA members. We are impartial and independent.
AFCA collects personal information for the primary purpose of providing an independent complaint resolution service and for other purposes referred to in this policy. In order to provide the independent complaint resolution service effectively, personal information collected by AFCA will be handled and stored in accordance with this policy.
A complaint which falls within the jurisdiction of AFCA will normally be referred to the relevant member/s to provide them with an opportunity to resolve the complaint.
If a complaint does not resolve by agreement between the parties, we will decide an appropriate outcome, including awarding compensation for losses suffered or substituting a trustee’s decision in the case of a superannuation complaint where a complaint is determined in favour of a consumer or small business.
AFCA provides information to consumers and small businesses about the functions and activities of AFCA, its jurisdiction and information about other entities which may assist.
AFCA also collects personal information in relation to employment applications, and collects, uses and discloses personal information subject to the terms of this policy.
AFCA is committed to the following policy principles which are aligned with the APPs:
AFCA will be open and transparent about how it collects, uses and disseminates personal information.
General enquiries made to AFCA will not require the person making the enquiry to identify themselves.
AFCA will collect personal information in a fair and lawful manner.
AFCA will return, de-identify or destroy personal information that it could not have fairly or lawfully collected.
AFCA will, where practicable, notify relevant individuals of the collection of their personal information in a timely manner.
AFCA will use and disclose personal information only in accordance with the Privacy Act 1988 (Cth), the APPs and our statutory obligations in respect of handling certain types of information.
AFCA will not use or disclose personal information for the purpose of direct marketing, unless permitted to do so by the APPs.
AFCA will only disclose personal information to overseas recipients with prior authority of the individual concerned.
AFCA will not adopt, use or disclose a government related identifier of an individual.
AFCA will endeavour to ensure, to the extent practicable, that the personal information that AFCA collects, uses and discloses is accurate, up to date and complete.
AFCA will take such steps as are reasonable in the circumstances to protect the personal information about an individual.
AFCA will, on request by the relevant individual, give the individual access to personal information held by AFCA, except in particular circumstances.
AFCA will, as is reasonable in the circumstances, correct personal information it has collected to ensure that the information is accurate, up to date, complete, relevant and not misleading.
in accordance with this Policy.
- As the successor to the Financial Ombudsman Service Limited and the Credit and Investments Ombudsman Limited, AFCA also holds information collected by those organisations. AFCA also holds information on a small number of complaint files transferred from the Superannuation Complaints Tribunal (SCT).
- A person may:
- access their personal information held by AFCA;
- request correction of their personal information held by AFCA;
- complain about a breach of the APPs by AFCA, by directing their complaint to any member of AFCA staff or the Privacy Manager;
- When dealing with AFCA, individuals have the option, where it is practicable, of not identifying themselves, or of using a pseudonym.
- Callers will not be required to identify themselves unless they wish to lodge a complaint or request access to their personal information.
- AFCA will return, destroy or de-identify unsolicited personal information that it could not have lawfully collected under the APPs as soon as practicable.
- It is accepted practice for alternative complaint resolution schemes such as AFCA to collect and use available information, including relevant third party personal information, to carry out their primary function of complaint resolution. This is also a ‘permitted general situation’ as defined by s16A of the Privacy Act 1988.
- AFCA will ensure that Complainants have provided explicit consent to the collection and distribution of their personal information:
- in the case of a written or online lodgement, through completing a Complaint Form; and
- in the case of a telephone lodgement, through reading, and having the Complainant acknowledge, the Telephone Authority Statement.
- These consents will be recorded in AFCA’s case management system through the case actions ‘Authority Statement’ (where the telephone authority statement has been read) and the Authority within the AFCA Complaint Form (where a physical declaration has been made).
- AFCA will only collect personal information that is reasonably necessary for, or directly related to, one of AFCA’s functions or activities. Given the service AFCA provides, it is assumed that most consumers will be aware that when they lodge a complaint, AFCA will use the personal information provided to assist in resolving the complaint and that this will require providing that information to the relevant Financial Firm (FF).
- AFCA will inform FFs and Complainants, via correspondence, publications and the website, that only information that is relevant to the complaint should be sent to AFCA.
- AFCA will only collect sensitive information about an individual with their consent and where the information is reasonably necessary for one or more of AFCA’s functions or a lawful exception under the APPs applies.
- AFCA will only collect information by lawful and fair means and will generally do so in the following ways:
- From the Complainant or FF:
- In writing; or
- Orally, via telephone or face to face conversations; and
- From third parties who can assist by providing relevant written documentation or electronic media.
- Each party will be asked to keep information concerning third parties to only what is relevant and necessary for the resolution of the complaint.
- When information about a third party who has no direct involvement in a complaint at AFCA is necessary for the resolution of the complaint, it may not be reasonable or practicable for AFCA to collect the personal information directly from the individual concerned. This may be because to do so:
- would breach the privacy of the Complainant;
- may cause adverse consequences for the Complainant;
- may be impractical due to a lack of contact details for the third party and the cost to locate the third party may be considerable; or
- may incriminate the third party.
- It is accepted practice for alternative complaint resolution schemes such as AFCA to collect and use available information, including relevant third party personal information, to carry out their primary function of complaint resolution.
- In addition, in certain circumstances, AFCA has the power to compel the provision of information or the attendance of third parties. These statutory powers are exercised on behalf of AFCA by duly authorised members of staff and in accordance with approved guidelines.
- Where unnecessary or irrelevant information about a third party is provided by the Complainant or the FF, AFCA will return, delete or de-identify that information.
- If the third-party information is necessary in the resolution of a complaint, AFCA has determined that it is not reasonable or practicable for AFCA to inform the third party of the matters directly. However, in appropriate circumstances, AFCA may ask the provider of the information to advise the third party that the information has been provided to AFCA and give their reasons for doing so.
unless we are permitted to use the information for a secondary purpose.
It is a strict liability offence for staff if they breach this obligation.
- AFCA will only use and disclose personal information about an individual for the purpose of:
- Fulfilling one or more of our objectives as set out in AFCA’s Constitution;
- Resolving complaints under AFCA’s Rules; or
- Fulfilling our obligations in respect of systemic issues, serious contraventions or monitoring of compliance with industry codes of practice.
- AFCA’s Rules require us to keep confidential all information relating to a Complaint that is provided to AFCA, except in particular circumstances, as set out in the AFCA Rules or relevant legislation.
- Where necessary, AFCA may need to disclose personal information to other persons in order to investigate and resolve a complaint, such as a complaint involving joint account holders or multiple beneficiaries. In these circumstances, it may be necessary:
- to notify another Complainant that a complaint has been lodged at AFCA; and
- to disclose personal information about one Complainant to the joint Complainant in order to resolve the complaint.
- AFCA may also disclose personal information to a third party in order to seek expert advice on the complaint, such as a handwriting expert advising on a complaint involving allegations of forgery. Any experts or consultants contractually engaged by AFCA will be bound by confidentiality requirements.
- Personal information collected by AFCA will be stored electronically and securely on AFCA’s systems that may be managed or provided by a third party who is contracted to AFCA. This policy applies to the personal information which is stored on third party systems.
- Personal information will be de-identified before being used for the purpose of reporting to stakeholders, the public and the Government about our activities and as such will cease to be personal information.
- AFCA staff must not make a record of, or disclose to any person, court or investigating authority, any information or document acquired under AFCA’s statutory powers for a superannuation complaint. Exceptions to this general rule are set out below.
- This includes AFCA’s information obtained under a statutory notice and information obtained in a compulsory conciliation conference.
- AFCA can obtain and use this information for complaint resolution purposes, but information obtained for this purpose under a compulsory power will be recorded as such on AFCA’s case management system and will only be disclosed internally for AFCA complaint resolution purposes. This allows for the efficient transfer of information between AFCA staff to resolve the superannuation complaint. Information obtained under a statutory notice may also be referenced in a determination if it has been exchanged between the parties and relied on by the AFCA Decision Maker, because complaint resolution includes issuing a determination.
- Any disclosure outside of AFCA by a staff member is prohibited unless:
- it is to a regulator or other permitted body;
- it is to a party to the complaint and the person who provided the information consents in writing; or
- the disclosure is made in a way that does not enable the identification of the parties to a complaint.
A.11.4 of AFCA’s Rules notes that certain regulators or government agencies, including ASIC and the ATO, may provide AFCA with protected information from time to time. Where this occurs, AFCA is required to take all reasonable steps to maintain the protected nature of that information.
- Valid use of personal information for secondary purposes includes:
- Development of a wide public awareness of the benefits and services of AFCA;
- Protection, promotion and advancement of complaint resolution procedures and standards, including monitoring compliance with Industry Codes of Practice;
- Consultation and maintenance of relations with relevant stakeholders, including Federal, State and Local governments and regulatory agencies;
- Compilation and distribution of statistical and other data of interest, as well as distribution of information to stakeholders on matters and questions affecting, or of interest to, the financial services industry; and
- Maintenance of effective lines of communication with stakeholders, including communication of the results of the AFCA EDR scheme and related matters.
- Personal information will only be used for a secondary purpose where:
- the individual would reasonably expect AFCA to use or disclose the information for the secondary purpose and the secondary purpose is:
- if the information is sensitive information—directly related to the primary purpose; or
- if the information is not sensitive information—related to the primary purpose; or
- the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
- A Permitted General Situation exists, specifically where the collection, use or disclosure is reasonably necessary for the purposes of a confidential alternative complaint resolution process.
- AFCA may be contacted by persons who state that they represent a Complainant and who seek information about the progress of a complaint. These might include members of parliament, legal and financial advisers, friends and family members.
- AFCA makes no assessment about the intentions of any such person in seeking information, but will not discuss any aspect of a complaint with any person other than the complainant unless the Complainant has specifically authorised AFCA to do so via the Complaint Form or other direct written communication.
- If AFCA holds personal information about an individual, AFCA will not use or disclose the information for the purpose of direct marketing, unless one of the exceptions under the APPs applies.
- Prior to engaging in any direct marketing exercise, the relevant AFCA manager must contact the Privacy Manager for advice about what is, and is not, permissible.
- In the event that AFCA does use or disclose personal information for the purpose of direct marketing, we will:
- allow an individual to request not to receive direct marketing communications (also known as ‘opting out’); and
- comply with that request.
- AFCA will only disclose personal information to overseas recipients with prior authority of the individual concerned.
- AFCA will not adopt, use or disclose a government related identifier of an individual.
- AFCA will take reasonable steps to ensure that the personal information that AFCA collects, uses and discloses is accurate, up to date and complete.
- Where a person notifies AFCA of changes to their personal details held by AFCA, or errors in AFCA’s records, AFCA will make the necessary changes as soon as possible and within a reasonable period after the request has been made. This will normally be within a maximum period of 30 days.
AFCA will take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.
- AFCA will take reasonable steps to protect the personal information about an individual from:
- misuse, interference and loss; and
- unauthorised access, modification or disclosure.
- If AFCA holds personal information about an individual and:
- no longer needs the information for any purpose for which the information may be used or disclosed;
- the information is not contained in a Commonwealth record; and
- is not required by or under an Australian law, or a court/tribunal order, to retain the information;
- The nature of the independent complaint resolution services provided by AFCA requires it to retain personal information collected for internal use but not disclosure, for reference, archival and other purposes.
- AFCA will:
- Store electronic confidential and personal information securely on its servers and systems;
- Secure physical confidential and personal information in lockable cabinets when not in use; and
- Destroy physical files on a date seven years after the last action was conducted on a file.
- When requested to by a relevant individual, AFCA will provide the individual with a copy of the personal information held by AFCA, except where:
- AFCA reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety;
- giving access would have an unreasonable impact on the privacy of other individuals;
- the request for access is frivolous or vexatious;
- the information relates to existing or anticipated legal proceedings between AFCA and the individual, and would not be accessible by the process of discovery in those proceedings;
- giving access would reveal the intentions of AFCA in relation to negotiations with the individual in such a way as to prejudice those negotiations;
- giving access would be unlawful;
- denying access is required or authorised by or under an Australian law or a court/tribunal order;
- both of the following apply:
- AFCA has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to AFCA’s functions or activities has been, is being or may be engaged in; and
- giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or
- giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
- The Privacy Manager or other relevant staff member will:
- confirm receipt of a request for access to personal information as soon as possible after it has been made, normally within 5 business days.
- Within a reasonable period after a request has been made and as soon as practicable after the request and any relevant file/files and records have been reviewed, we will provide the information.
Access will be given to the information in the manner requested by the individual, if it is reasonable and practicable to do so.
unless where, having regard to the grounds for the refusal, it would be unreasonable to provide reasons.
should initially contact the member of staff dealing with their complaint but may also contact the Privacy Manager directly.
- If the Privacy Manager refuses to give access to the personal information, he or she will give the individual a written notice that sets out the reasons for the refusal and provide:
- the option to make a formal service complaint about the refusal via the AFCA Complaints and Feedback Procedure; and
- any other relevant matters,
- Any individual who:
- wishes to gain access to information held by AFCA; or
- believes that information held by AFCA is not accurate, complete or up-to-date
- To assist AFCA in responding to the request, an individual should provide as much information as possible to assist AFCA in determining where the relevant information is held, including their name, complaint number(s), the name of the FF and/or relevant dates.
AFCA will correct that information to ensure that the information is accurate, up to date, complete, relevant and not misleading.
- AFCA holds personal information about an individual; and
- AFCA is satisfied that the information is inaccurate, out of date, incomplete, irrelevant or misleading; or
- the individual requests the entity to correct the information;
AFCA will notify the other entity, unless it is unreasonable or unlawful to do so.
- AFCA corrects personal information about an individual that AFCA previously disclosed to another entity; and
- the individual requests AFCA to notify the other entity of the correction;
- If AFCA refuses to correct the personal information as requested by the individual, AFCA will provide a written notice to the individual that sets out:
- the reasons for the refusal except to the extent that it would be unreasonable to do so;
- the mechanisms available to complain about the refusal; and
- any other matter prescribed by the regulations.
AFCA will take reasonable steps to associate the statement with the information in such a way that will make the statement apparent to users of the information.
- AFCA refuses to correct the personal information as requested by the individual; and
- the individual requests AFCA to include a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading with the information;
- If a request is made for the correction of personal information, we will:
- make the necessary changes as soon as possible and within a reasonable period after the request has been made. This will normally be within a maximum period of 30 days; and
- not charge the individual for:
- the making of the request;
- correcting the personal information; or
- associating the statement with the personal information.
- AFCA takes its privacy obligations in the handling of personal and other information very seriously.
- Where AFCA has provided personal information to an unauthorised party (the breach), whether the breach is identified internally or by an external party, the AFCA member of staff who is first made aware of the breach should:
- Advise his or her line manager and the Privacy Manager immediately so that they can support and lead the response process and take appropriate action.
- When a privacy breach occurs, the Privacy Manager will record the issue in the Privacy Database as an immediate priority, and within one business day.
- Whilst AFCA cannot compel a party to return or delete documentation or information it has been incorrectly sent, all reasonable efforts to retrieve the material will be made. AFCA will first telephone the receiving party and request the documentation be destroyed and confirmation of the destruction provided, preferably in writing.
- If original information has been provided, AFCA will request that the information is returned and will provide a stamped envelope addressed to AFCA for the return of the documentation.
- If the material is not returned, or confirmed as deleted or destroyed, within seven days, a follow-up call, or letter if the party is not able to be reached by phone, will be made.
- Simultaneously, AFCA will advise the party whose personal information has been disclosed (the affected party) about the breach and formally apologise. Once the breach has been resolved, AFCA will again contact the affected party and advise on the outcome of the breach response actions.
- Any complaint lodged by the affected party should be handled in accordance with our Service Complaints and Feedback process.
- The relevant line manager and Privacy Manager will consider whether any systemic change or training is needed to prevent possible future breaches.
Any ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:
Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details, employment details and commentary or opinion about a person.
Permitted General Situation
There are seven permitted general situations:
T 1800 931 678
Post: AFCA Privacy Manager
A subset of personal information defined as:
Information may be sensitive information where it unambiguously implies one of these matters.
Sensitive information is generally afforded a higher level of privacy protection under the APPs than other personal information.