“This document outlines the Privacy (‘Policy’) of Managed Accounts Holdings Ltd ACN 128316441 Limited and all related entities (Collectively referred to as ‘Group’ or ‘MGP’).
MGP and its subsidiaries are committed to protecting the privacy of all clients and personal (and sensitive) information we collect when doing business and are committed to ensuring we uphold both the rules and intent of the Privacy requirements.
This Policy sets out our practices with respect to the collection and management of personal and sensitive information in all areas, and has been developed under the Australian Privacy Principles (APPs) (established under the Privacy Act) which provides the standards, rights and obligations for the handling, holding, accessing and correction of personal (including sensitive) information.
This Policy also sets out our practices with respect to Data Breaches and has been developed under the Notifiable Data Breaches (NDB) scheme (established under the Privacy Amendment Act) which outlines MGP’s data breach notification obligations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.
Personal information is defined in law as “information or an opinion about an identified individual or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in material form or not”. Examples include an individual’s name, address, contact number and email address.
Special provisions apply to the collection of personal information which is sensitive information. Sensitive information includes, for example, information about a person’s health, membership of a professional or trade association.
We may collect and hold personal information for the purposes of managing our business, providing products and services, in administering products and services, and making information available about other products and services.
The financial products and services provided by us include both direct to client services and services provided through financial advisers and fund managers.
The information we collect directly from clients, financial advisers, fund managers, and other AFS Licensees, may include name and contact information (including email address), residential and or postal address, date of birth, tax file number (TFN), occupation, employer, bank account details, financial information, data required for anti-money laundering counter-terrorism financing purposes; and any other information required to administer the products and services we provide (including information required by law).
Much of this information is collected using online facilities or through ongoing communications.
There may be specific circumstances in which we will ask for sensitive information. We will only collect sensitive information where we have consent to the collection of the information and it is reasonably necessary for us to administer your business or employment with us.
The sensitive information we may collect may include:
When we collect personal information directly from an individual, we take reasonable steps at, or before the time of collection to ensure that the individual is aware of certain key matters, such as:
We will not collect any personal or sensitive information about you except where you have knowingly provided that information to us or we believe you have authorised a third party to provide that information to us.
We will collect personal information directly from an individual where it is reasonable and practicable to do so. Where we collect information from a third party such as financial advisers, fund manager, or another AFS Licensee, we will still take reasonable steps to ensure that an individual is made aware of same information set out above.
You are not required to give us the information that we request, however if you choose not to provide the information we ask for, or the information you give us is not complete or accurate, this may for example, prevent or delay the processing of your business, affect your eligibility for specified products, or it may prevent us from contacting you. It may also (in certain circumstances) impact on the taxation treatment of an account with us.
We take reasonable steps to ensure that the personal information that we collect, use and disclose is accurate, complete and up to date. We advise clients to keep their information up to date and provide mechanisms for them to do so.
We take reasonable steps to protect the personal information and sensitive information that we hold from misuse and loss and from unauthorised access, modification or disclosure by using security procedures and up to date technology. Account information is password and security protected and all instructions are verified before they are processed.
Personal information is stored on secured systems, and within our corporate technology infrastructure. Data is backed up regularly and is stored to ensure both the availability and security of the backup information.
Any personal information sent to external locations is secured with encryption.
We may disclose personal information to the following when undertaking our business:
We will also disclose your personal information if you give us your consent.
If other organisations provide support services to us, they are required to appropriately safeguard the privacy of the personal information provided to them.
Where personal information collected is no longer needed for any purpose that is permitted by the Privacy Act, we can delete, destroy or permanently de-identify the personal information as required.
We do not use Commonwealth government identifiers (Identifiers) as our own identifier of individuals or accounts. We will only use or disclose Identifiers in the circumstances permitted by the Privacy Act.
We will only collect personal information from an individual or third party which is reasonably necessary to provide our products or services (primary purpose). We collect personal information for the following primary purposes, including:
Individuals can request not to receive direct marketing communications by following the opt-out method provided within our communication.
Personal (and/or sensitive) information may also be disclosed where for example it is required by law, or a permitted general or health situation exists in relation to the use or disclosure. This may include for example situations in which the entity reasonably believes that the disclosure of personal information is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or that of the public.
Any individual about whom we hold personal information, can contact us to access and correct their personal information. We may charge a reasonable fee to cover our costs.
We will take all reasonable steps to provide access to or amend any personal information that is incorrect. If we are unable to correct your personal information, or give you access to the information, we will advise you with an explanation in writing.
If you believe that we have not dealt with your personal information in accordance with this Policy or the APPs, you may make a complaint to us.
You can contact us to either access or correct personal information, or complain about any breach of the APPs by writing to the Privacy Officer at:
We will acknowledge a complaint in writing within 7 days of receipt, and process and respond to your complaint within 30 days. If we cannot resolve your complaint within 30 days of receipt, we will contact you with an explanation and see permission for an extension of time.
If (after 30 days) you are not satisfied with our response, you may raise your concerns with the Office of the Australian Information Commissioner:
Phone: 1300 363 992
Email: [email protected]
Fax: +61 2 9284 9666
Mail: GPO Box 5218, Sydney NSW 2001 or GPO Box 2999, Canberra ACT 2601.
Some of our third party contractors and service providers may perform certain services for MGP. As a result, personal information collected by us may be disclosed to a third party recipient.
We take reasonable steps to ensure these recipients comply with the APPs by implementing contractual arrangements with MGP as service providers to ensure the personal information is appropriately safeguarded and to ensure that our service providers comply with the APPs.
We are required to notify individuals at risk of serious harm and the Australian Information Commissioner (the Commissioner) about ‘eligible data breaches’.
An eligible data breach arises when the following three criteria are satisfied:
In circumstances where it is not clear if a suspected data breach meets these criteria we will take all reasonable steps to conduct an assessment within 30 calendar days after the day they became aware of the grounds (or information) that caused it to suspect an eligible data breach.
There are some exceptions to the notification requirements, which relate to:
Examples of a data breach include when:
MGP’s data breach response approach will guide staff on the steps they are required to undertake following a data breach. Firstly, any suspected data breach of any magnitude should be immediately advised to the Head of Risk Management, Compliance and legal and/or the CEO as soon as any breach is suspected [whether or not confirmed] with a view of containing the breach to prevent any further compromise of personal information.
We will then assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm. Where serious harm cannot be mitigated through remedial action, we will notify the individuals at risk of serious harm and provide a statement to the Commissioner as soon as practicable.
The statement and/or notification about an eligible data breach will include:
If it is not practicable to notify the individuals at risk of serious harm, we must publish a copy of the statement prepared for the Commissioner on our website, and take reasonable steps to bring its contents to the attention of individuals at risk of serious harm.
If a single eligible data breach applies to multiple entities, only one entity [MGP] needs to notify the Commissioner and any individuals at risk of serious harm. It is up to the CEO to decide which entity notifies, however the entity with the most direct relationship with the individuals at risk of serious harm should generally undertake the notification.