SCOPE OF POLICY
This Policy has been written by the Financial Ombudsman Service Limited (“FOS”) to comply with its obligations under the Privacy Act 1998 (Cth) (“the Act”) and the National Privacy Principles (“NPPs”).
The document sets out the obligations of FOS with respect to protection of personal information. The Notes, which follow each principle, provide details of the manner in which FOS will comply with the principles.
This policy is intended to ensure that the privacy of individuals is protected in the collection, use, disclosure and storage of personal information by FOS.
FUNCTIONS AND ACTIVITIES OF FOS
The role of FOS is to provide an accessible, independent dispute resolution service to individual and small businesses.
A dispute which falls within the jurisdiction of FOS may be referred to the relevant member to give it an opportunity to resolve the dispute. If the member and the complainant do not resolve the dispute,
FOS may investigate and reach a determination as to how the dispute should be resolved, or refer the dispute to an FOS panel and/or adjudicator.
In addition, FOS offers a telephone information service (“Enquiries Area”) to provide information to individuals about the functions and activities of FOS, its jurisdiction and information about other entities which may assist the individual.
1.1 FOS will only collect personal information about an individual where the information is necessary for one or more of its functions or activities.
1.2 FOS will collect personal information about an individual only by lawful and fair means and not in an unreasonably intrusive way.
1.3 At or before the time (or, if that is not reasonably practicable, as soon as practicable after) FOS collects personal information about an individual from the individual, FOS will take reasonable steps to ensure that the individual is aware of:
(a) the identity of FOS and how to contact it; and
(b) the fact that he or she is able to gain access to the information; and
(c) the purposes for which the information is collected; and
(d) the organisations (or the types of organisations) to which FOS usually discloses information of that kind; and
(e) any law that requires the particular information to be collected; and
(f) the main consequences (if any) for the individual if all or part of the information is not provided.
1.4 If it is reasonable and practicable to do so, FOS will collect personal information about an individual only from that individual.
1.5 If FOS collects personal information about an individual from someone else, it will take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subclause 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.
Personal information about an individual will be collected for the primary purpose of dispute resolution.
FOS will collect information in the following ways:
FOS will not accept personal information obtained by any person in any way which is unlawful or improper.
FOS will provide the information required in subclause 1.3 of the NPPs to individuals by:
(a) Including that information in a privacy statement on the FOS website and in information brochures; and
(b) Providing a copy of this policy on request.
Given the purpose and activities of FOS, it can be assumed that, before bringing a dispute, most complainants will be aware that FOS will use the personal information they disclose when FOS seeks to resolve their dispute and that will require disclosure to the relevant member about which they are complaining.
In FOS’s publications and website, FOS will inform members and complainants that they should only send information that is relevant to the dispute between them and keep to a minimum information concerning third parties.
Collecting directly from the individual
Each assessment of the reasonableness and practicability of collecting information directly from the individual will be made having regard to the NPPs, Guidelines issued by the Office of the Privacy Commissioner and the particular facts comprising the dispute.
The primary person about whom information is collected will be the complainant. FOS will collect personal information about the complainant as follows:
(a) In the original letter to FOS and subsequent correspondence from and/or conversations with the complainant;
(b) After requesting specific information from the complainant in order to assist an investigation into the dispute;
(c) From the relevant member; and/or
(d) From other persons, as necessary, having first notified the complainant.
Information about third parties to disputes
Sometimes FOS receives a dispute that necessarily concerns information about a third party, who has no direct interest or involvement in the dispute itself. The information is usually sent unsolicited by the complainant. By accepting the information, FOS is taken to have collected it under the NPPs.
Examples of such cases include, but are not limited to, the following:
FOS may need to consider the lending or conduct of the primary account in order to resolve the dispute.
In many of these kinds of cases it will not be reasonable or practicable for FOS to collect the personal information directly from the individual concerned because:
(a) To do so would disclose the fact that a dispute has been brought to FOS and thereby breach the privacy of the complainant;
(b) Disclosure may have adverse consequences for the complainant including pressure not to pursue their legal rights including their right to access FOS and, in some cases, the threat of physical or emotional harm;
(c) FOS may not have contact details for the third party and may have to incur considerable costs to locate him or her;
(d) In some circumstances, such as where allegations of fraud or forgery are made in relation to the third party, it would not be practicable to collect the relevant and potentially incriminating information from that third party.
It is accepted practice for alternative dispute resolution schemes such as FOS to collect and use available information, including third party personal information to carry out their primary function of dispute resolution.
FOS will ask the complainant to seek authority from joint account or policy holders to consideration of the dispute, where possible.
Where FOS collects personal information about a person other than a complainant it will take reasonable steps to ensure that the third party is or has been made aware of the matters listed in subclause 1.3 of the NPPs.
FOS will not contact third parties directly to inform them that it holds information about them because to do so would breach the confidentiality of complainants and may, in some cases, pose a threat to the life and health of the complainant. For these reasons, FOS has determined that it is not reasonable or practicable for FOS to inform the third party of the matters set out in subparagraph 1.3.
However, where information about a third party is provided by the complainant or the member, FOS will, to the extent practicable, return to the complainant, delete or de-identify information about third parties:
If FOS considers that the third party information is necessary in the resolution of the dispute, FOS may ask the complainant or member to advise the other person that the information has been provided and why. If possible, the third party’s consent will be requested and it will be suggested that the third party provide the information him or herself.
Where we determine that it is not reasonable for the complainant or member to advise the other person that the information has been provided and why, no steps will be taken.
2. USE AND DISCLOSURE
2.1 FOS will not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:
(a) both of the following apply:
(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection; and
(ii) the individual would reasonably expect FOS to use or disclose the information for the secondary purpose; or
(b) the individual has consented to the use or disclosure; or
(c) FOS reasonably believes that the use or disclosure is necessary to lessen or prevent:
(i) a serious and imminent threat to an individual’s life, health or safety; or
(ii) a serious threat to public health or public safety; or
(d) FOS has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or
(e) the use or disclosure is required or authorised by or under law. .
FOS respects the confidentiality of information provided by and about individuals and treats all such information as confidential between the individual and the member.
FOS will use personal information about an individual for its primary purpose of dispute resolution.
In the course of so doing FOS may disclose personal information to the individual, to the relevant member, FOS panel and/or adjudicator.
FOS may, where considered necessary, disclose personal information to other persons in order to investigate and determine a dispute. For example, where more than one person has received the same financial service or product, such as joint account holders, it may be necessary to disclose personal information to the other person in order to resolve the dispute, including the fact that a dispute has been lodged at FOS. A further example is where forgery is claimed, an opinion may be sought from a handwriting expert.
FOS may use or disclose personal information about an individual for the purpose of investigating and reporting to relevant persons or authorities (such as the Australian Securities & Investments Commission). In many cases it would be expected that any information provided to relevant persons or authorities for reporting purposes would not include personal information but rather de-identified information.
Personal information will be de-identified before being used for the purpose of reporting to stakeholders, the public and the Government about our activities and as such will not be personal information.
Third parties seeking information about a dispute
From time to time, FOS is contacted by persons who claim to represent a complainant and who seek information about the progress of a dispute. These people include members of parliament, legal and financial advisers, friends and family members. FOS makes no assessment about the intentions of any such person in seeking information.
However, the Ombudsman and FOS staff will not discuss any aspect of a dispute with any person other than the complainant unless the complainant has authorised FOS to do so.
3. DATA QUALITY
3. FOS will take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up?to?date.
Where a complainant or member notifies FOS of undisputed changes to personal details held by the FOS about an individual, or errors in FOS’s records, FOS will make the necessary changes as soon as practicable.
4. DATA SECURITY
4.1 FOS will take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
4.2 FOS will take reasonable steps to destroy or permanently de?identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under NPP 2.
FOS premises and information systems are controlled by electronic security.
Staff have access to files and electronic records concerning disputes in order to deal with those disputes. FOS will make staff aware of privacy obligations by training and contracted staff are required to give confidentiality undertakings in respect of any personal information they access.
It is FOS’s policy to destroy physical files 7 years after closure of the file.
5.1 FOS will set out in a document clearly expressed policies on its management of personal information. FOS will make the document available to anyone who asks for it.
5.2 On request by a person, FOS will take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.
This document is intended to fulfil FOS’s obligations under NPP 5.
FOS’s policy is available to anyone who asks for it and will be published on FOS’s website.
6.ACCESS AND CORRECTION
6.1If FOS holds information about an individual, it will provide the individual with access to the information on request by the individual, except to the extent that:
(a) in the case of personal information other than health information—providing access would pose a serious and imminent threat to the life or health of any individual; or
(b) in the case of health information—providing access would pose a serious threat to the life or health of any individual; or
(c) providing access would have an unreasonable impact upon the privacy of other individuals; or
(d) the request for access is frivolous or vexatious; or
(e) the information relates to existing or anticipated legal proceedings between FOS and the individual, and the information would not be accessible by the process of discovery in those proceedings; or
(f) providing access would reveal the intentions of FOS in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
(g) providing access would be unlawful; or
(h) denying access is required or authorised by or under law; or
(i) providing access would be likely to prejudice an investigation of possible unlawful activity; or
(j) providing access would be likely to prejudice:
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime; or
(iii) the protection of the public revenue; or
(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders;
by or on behalf of an enforcement body; or
(k) an enforcement body performing a lawful security function asks FOS not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.
6.2 However, where providing access would reveal evaluative information generated within FOS in connection with a commercially sensitive decision?making process, FOS may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.
6.3 If FOS is not required to provide the individual with access to the information because of one or more of paragraphs 6.1(a) to (k) (inclusive), FOS will, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.
6.4 If FOS charges for providing access to personal information, those charges:
(a) will not be excessive; and
(b) will not apply to lodging a request for access.
6.5 If FOS holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up?to?date, FOS will take reasonable steps to correct the information so that it is accurate, complete and up?to?date.
6.6 If the individual and FOS disagree about whether the information is accurate, complete and up?to?date, and the individual asks FOS to associate with the information a statement claiming that the information is not accurate, complete or up?to?date, FOS will take reasonable steps to do so.
6.7 FOS will provide reasons for denial of access or a refusal to correct personal information.
Any request for access will be handled in accordance with NPP 6.
Although the NPPs make provision for FOS to charge for providing access to information, it is FOS’s current policy to provide access free of charge.
Any individual who wishes to gain access to information held by FOS should contact:
The Privacy Manager
Financial Ombudsman Service
GPO Box 3
MELBOURNE VIC 3001
Telephone: 1300 78 08 08
The individual should provide as much information as possible to assist the Privacy Manager in determining where the relevant information is held. This includes file numbers, the name of the complainant, the name of the member and/or relevant dates.
An individual who believes that information held by FOS is not accurate, complete or up-to-date should contact their Case Officer, Case Manager or the Privacy Manager.
7.1 FOS will not adopt as its own identifier of an individual an identifier of the individual that has been assigned by:
(a)an agency1; or
(b)an agent of an agency acting in its capacity as agent; or
(c)a contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract.
7.2 FOS will not use or disclose an identifier assigned to an individual by an agency, or by an agent or contracted service provider mentioned in subclause 7.1, unless:
(a)the use or disclosure is necessary for FOS to fulfil its obligations to the agency; or
(b)one or more of paragraphs 2.1(e) to 2.1(h) (inclusive) apply to the use or disclosure.
FOS assigns numbers to dispute files.
Individuals are not assigned any identifying number or code by FOS. Where an individual brings more than one dispute to FOS, each dispute will have a separate number.
8.Wherever it is lawful and practicable, individuals will have the option of not identifying themselves when entering transactions with FOS.
As it is not practical for FOS to consider or process anonymous disputes, individuals wishing to bring a dispute to FOS for resolution will be required to identify themselves.
Callers to our Enquiries Area with a general inquiry not related to a specific case will not be required to identify themselves although they will be asked for a postcode so that FOS can report on and assess the geographical spread of callers.
9. TRANSBORDER DATA FLOWS
9. FOS may transfer personal information about an individual to someone (other than FOS or the individual) who is in a foreign country only if:
(a) FOS reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles; or
(b) the individual consents to the transfer; or
(c) the transfer is necessary for the performance of a contract between the individual and FOS, or for the implementation of pre?contractual measures taken in response to the individual’s request; or
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between FOS and a third party; or
(e) all of the following apply:
(i) the transfer is for the benefit of the individual;
(ii) it is impracticable to obtain the consent of the individual to that transfer;
(iii) if it were practicable to obtain such consent, the individual would be likely to give it; or
(e) FOS has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.
The jurisdiction of the FOS does not extend to overseas entities. Where a particular case requires information about an individual to be transferred outside Australia, the individual’s prior authority will be sought.
10. SENSITIVE INFORMATION
10.1 FOS will not collect sensitive information about an individual unless:
(a) the individual has consented; or
(b) the collection is required by law; or
(c) the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:
(i) is physically or legally incapable of giving consent to the collection; or
(ii) physically cannot communicate consent to the collection; or
(d) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.
For the purposes of the Privacy Act, “sensitive information” is defined as information about an individual’s:
(a) Racial or ethnic origin;
(b) Political opinions;
(c) Membership of a political association;
(d) Religious beliefs;
(e) Philosophical beliefs;
(f) Membership of a professional or trade association;
(g) Membership of a trade union;
(h) Sexual preferences or practices;
(i) Criminal record; or
Wherever practicable, FOS will seek the consent of any individual about whom sensitive information is collected. Collection of sensitive information will be limited to that which is necessary for dealing with a dispute made to FOS.
A complainant might, for example, provide details of health problems or imprisonment of the complainant or a family member, which he or she considers relevant to the dispute.
Where a complainant provides sensitive information about him or herself to FOS, consent to the collection and use of such information will be assumed.
Where a complainant or a member provides sensitive information about another person, FOS will ask the complainant or member to seek the consent of the third party, if to do so would not compromise the health, safety or privacy of the complainant or another person.
Where a complainant advises FOS that a medical practitioner, counsellor or similar can provide supporting information, FOS will ask the complainant to seek and provide the information in writing.
In the absence of consent, the FOS may collect and use sensitive personal information about an individual in order to investigate a legal and/or equitable claim made by or on behalf of a complainant against a member.