Privacy

Contents

1. INTRODUCTION

1.1 Purpose of the policy
1.2 Scope of the policy
1.3 Policy statement

2. POLICY

3. PROCEDURES

3.1 Openness
3.2 Anonymity and Pseudonymity
3.3 Dealing with unsolicited personal information
3.4 Collection of solicited personal and sensitive information

3.4.1 Notification of the collection of personal information
3.4.2 Information about third parties to disputes

3.5 Use or disclosure of personal information

3.5.1 Use of personal information for a primary purpose
3.5.2 Use of personal information for a secondary purpose
3.5.3 Third parties seeking information about a dispute
3.5.4 Direct marketing
3.5.5 Cross-border disclosure of personal information
3.5.6 Adoption, use or disclosure of government related identifiers

3.6 Quality of personal information
3.7 Security of personal information
3.8 Access to personal information

3.8.1 Dealing with requests for access

3.9 Correction of personal information

3.9.1 Notification of correction to third parties
3.9.2 Refusal to correct information
3.9.3 Request to associate a statement
3.9.4 Dealing with requests

3.10 Breach of privacy by FOS

4. SUPPORTING INFORMATION

4.1 Definitions
 

1. INTRODUCTION


1.1 Purpose of the policy

This Policy is intended to ensure that the privacy of individuals is protected in the collection, use, disclosure and storage of personal information by FOS.

1.2 Scope of the policy

This policy applies to all FOS employees.

Activities covered by this policy include, but are not limited to:

  • The collection of an individual’s personal information;
  • The primary uses of personal information;
  • The secondary uses of personal information; and
  • The disclosure of personal information.
     

1.3 Policy statement

The Privacy Policy and Procedures are intended to ensure that FOS operates to high standards of governance and complies with relevant laws.

This Privacy Policy will ensure that FOS:

  • collects, uses and disseminates personal information in a manner that is in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs);
  • responds appropriately to requests in relation to an individual’s personal information; and
  • responds appropriately to any breach of its privacy obligations.
     

2. POLICY

FOS is committed to the following policy principles which are aligned with the APPs:

Consideration of personal information privacy

  • Open and transparent management of personal information (APP 1) - FOS will be open and transparent about how it collects, uses and disseminates personal information.
  • Anonymity and pseudonymity (APP 2) - General enquiries made to FOS will not require the person making the enquiry to identify themselves.

Collection of personal information

  • Collection of solicited personal information (APP 3) - FOS will collect personal information in a fair and lawful manner.
  • Dealing with unsolicited personal information (APP 4) - FOS will return, de-identify or destroy personal information that it could not have fairly or lawfully collected.
  • Notification of the collection of personal information (APP 5) - FOS will, where practicable, notify relevant individuals of the collection of their personal information in a timely manner.

Dealing with personal information

  • Use or disclosure of personal information (APP 6) - FOS will use and disclose personal information only in accordance with the Privacy Act 1988 (Cth) and the APPs.
  • Direct marketing (APP 7) - FOS will not use or disclose personal information for the purpose of direct marketing, unless permitted to do so by the APPs.
  • Cross-border disclosure of personal information (APP 8) - FOS will only disclose personal information to overseas recipients with prior authority of the individual concerned.
  • Adoption, use or disclosure of government related identifiers (APP 9) - FOS will not adopt, use or disclose a government related identifier of an individual.

Integrity of personal information

  • Quality of personal information (APP 10) - FOS will endeavour to ensure, to the extent practicable, that the personal information that FOS collects, uses and discloses is accurate, up to date and complete.
  • Security of personal information (APP 11) - FOS will take such steps as are reasonable in the circumstances to protect the personal information about an individual.

Access to, and correction of, personal information

  • Access to personal information (APP 12) - FOS will, on request by the relevant individual, give the individual access to personal information held by FOS, except in particular circumstances.
  • Correction of personal information (APP 13) - FOS will, as is reasonable in the circumstances, correct that information to ensure that the information is accurate, up to date, complete, relevant and not misleading.

3. PROCEDURES


3.1 Openness

  • FOS will manage personal information in an open and transparent way in accordance with
  • A person may:
    • access their personal information held by FOS;
    • request correction of their personal information held by FOS;
    • complain about a breach of the APPs by FOS, by directing their complaint to any member of FOS staff or the Privacy Manager;

in accordance with this Policy.

3.2 Anonymity and Pseudonymity

  • When dealing with FOS, individuals have the option, where it is practicable, of not identifying themselves, or of using a pseudonym.
  • Callers will not be required to identify themselves unless they wish to lodge a dispute or request access to their personal information.

3.3 Dealing with unsolicited personal information

FOS will return, destroy or de-identify unsolicited personal information that it could not have lawfully collected under the APPs as soon as practicable.

3.4 Collection of solicited personal and sensitive information

  • It is a permitted general situation for alternative dispute resolution schemes such as FOS to collect and use available information, including relevant third party personal information, to carry out their primary function of dispute resolution.
  • FOS will try to ensure that Applicants have provided explicit consent to the collection and distribution of their personal information:
    • in the case of a written or online lodgement, through completing a dispute form; and
    • in the case of a telephone lodgement, through reading, and having the Applicant acknowledge, the Telephone Authority Statement.

These consents will be recorded in FOS's case management system through the case actions 'Authority Statement' (where the telephone authority statement has been read) and 'Authority Form' (where a physical declaration has been made).

  • FOS will only collect personal information that is reasonably necessary for, or directly related to, one of FOS’s functions or activities. Given the service FOS provides, it is assumed that most consumers will be aware that when they lodge a dispute, FOS will use the personal information provided to assist in resolving the dispute and that this will require providing that information to the relevant Financial Services Provider (FSP).
  • FOS will inform FSPs and Applicants, via correspondence, publications and the website, that only information that is relevant to the dispute should be sent to FOS.
  • FOS will only collect sensitive information about an individual with their consent and where the information is reasonably necessary for one or more of FOS’s functions or a lawful exception under the APPs applies.
  • FOS will only collect information by lawful and fair means and will generally do so in the following ways:
    • From the Applicant[1] or FSP:
      • In writing; or
      • Orally, via telephone or face to face conversations; and
    • From third parties who can assist by providing relevant written documentation or electronic media. 

3.4.1 Notification of the collection of personal information

When FOS collects personal information about an individual, we will, to the extent necessary, notify the individual of FOS’s privacy policy by:

  • Referencing the privacy policy in the dispute form and information brochures;
  • Publishing the privacy policy on the FOS website; and
  • Providing a copy of the privacy policy on request.

3.4.2 Information about third parties to disputes

  • Each party will be asked to keep information concerning third parties to only what is relevant and necessary for the resolution of the dispute.
  • When information about a third party who has no direct involvement in the dispute at FOS is necessary for the resolution of the dispute, it may not be reasonable or practicable for FOS to collect the personal information directly from the individual concerned. This may be because to do so:
    • would breach the privacy of the Applicant;
    • may cause adverse consequences for the Applicant;
    • may be impractical due to a lack of contact details for the third party and the cost to locate the third party may be considerable; or
    • may incriminate the third party.
  • It is a permitted general situation for alternative dispute resolution schemes such as FOS to collect and use available information, including relevant third party personal information, to carry out their primary function of dispute resolution.
  • Where unnecessary or irrelevant information about a third party is provided by the Applicant or the FSP, FOS will return, delete or de-identify that information.
  • If the third party information is necessary in the resolution of the dispute, FOS has determined that it is not reasonable or practicable for FOS to inform the third party of the matters directly. However, in appropriate circumstances, FOS may ask the provider of the information to advise the third party that the information has been provided to FOS and give their reasons for doing so.

3.5 Use or disclosure of personal information

3.5.1 Use of personal information for a primary purpose

  • FOS will only use and disclose personal information about an individual for the purpose of:
    • Resolving disputes under the Terms of Reference; or
    • Fulfilling our obligations in respect of systemic issues, serious misconduct or monitoring of compliance with industry codes of practice;

unless we are permitted to use the information for a secondary purpose.

  • In doing so, the Terms of Reference require FOS to keep confidential all information pertaining to a dispute that is provided to FOS except in particular circumstances.[2]
  • Where necessary, FOS may need to disclose personal information to other persons in order to investigate and resolve a dispute, such as a dispute involving joint account holders or multiple beneficiaries. In these circumstances, it may be necessary:
    • to notify the second Applicant that a dispute has been lodged at FOS; and
    • to disclose personal information about one Applicant to the joint Applicant in order to resolve the dispute.
  • FOS may also disclose personal information to a third party in order to seek expert advice on the dispute, such as a handwriting expert advising on a dispute involving allegations of forgery. Any experts contractually engaged by FOS will be bound by confidentiality requirements.
  • Personal information will be de-identified before being used for the purpose of reporting to stakeholders, the public and the Government about our activities and as such will cease to be personal information.

3.5.2 Use of personal information for a secondary purpose

  • Valid secondary purposes include:
    • Development of a wide public awareness of the benefits and services of FOS;
    • Protection, promotion and advancement of dispute resolution procedures and standards, including monitoring compliance with Industry Codes of Practice;
    • Consultation and maintenance of relations with relevant stakeholders, including Federal, State and Local governments and regulatory agencies;
    • Compilation and distribution of statistical and other data of interest, as well as distribution of information to stakeholders on matters and questions affecting, or of interest to, the financial services industry; and
    • Maintenance of effective lines of communication with stakeholders, including communication of the results of the FOS EDR scheme and related matters.
  • Personal information will only be used for a secondary purpose where:
    • the individual would reasonably expect FOS to use or disclose the information for the secondary purpose and the secondary purpose is:
      • if the information is sensitive information—directly related to the primary purpose; or
      • if the information is not sensitive information—related to the primary purpose; or
    • the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
    • A Permitted General Situation exists, specifically where the collection, use or disclosure is reasonably necessary for the purposes of a confidential alternative dispute resolution process.

3.5.3 Third parties seeking information about a dispute

  • FOS may be contacted by persons who claim to represent an Applicant and who seek information about the progress of a dispute. These might include members of parliament, legal and financial advisers, friends and family members.

  • FOS makes no assessment about the intentions of any such person in seeking information, but will not discuss any aspect of a dispute with any person other than the complainant unless the Applicant has specifically authorised FOS to do so via the dispute form or other direct written communication.

3.5.4 Direct marketing

  • If FOS holds personal information about an individual, FOS will not use or disclose the information for the purpose of direct marketing[3], unless one of the exceptions under the APPs applies.
  • Prior to engaging in any direct marketing exercise, the relevant project manager must contact the Privacy Manager for advice about what is, and is not, permissible.
  • In the event that FOS does use or disclose personal information for the purpose of direct marketing, we will:
    • allow an individual to request not to receive direct marketing communications (also known as ‘opting out’); and
    • comply with that request.

3.5.5 Cross-border disclosure of personal information

FOS will only disclose personal information to overseas recipients with prior authority of the individual concerned.

3.5.6 Adoption, use or disclosure of government related identifiers

FOS will not adopt, use or disclose a government related identifier of an individual.

3.6 Quality of personal information

  • FOS will take reasonable steps to ensure that the personal information that FOS collects, uses and discloses is accurate, up to date and complete.
  • Where a person notifies FOS of changes to their personal details held by FOS, or errors in FOS’s records, FOS will make the necessary changes as soon as practicable and, in any event, within two business days of the request being made.

3.7 Security of personal information

  • FOS will take reasonable steps to protect the personal information about an individual from:
    • misuse, interference and loss; and
    • unauthorised access, modification or disclosure.
  • If FOS holds personal information about an individual and:
    • no longer needs the information for any purpose for which the information may be used or disclosed;
    • the information is not contained in a Commonwealth record; and
    • FOS is not required by or under an Australian law, or a court/tribunal order, to retain the information;

FOS will take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.

FOS will destroy physical files on a date seven years after the last action was conducted on the file.

3.8 Access to personal information

When requested to by the relevant individual, FOS will provide the individual with a copy of the personal information held by FOS, except where:

  • FOS reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety;
  • giving access would have an unreasonable impact on the privacy of other individuals;
  • the request for access is frivolous or vexatious;
  • the information relates to existing or anticipated legal proceedings between FOS and the individual, and would not be accessible by the process of discovery in those proceedings;
  • giving access would reveal the intentions of FOS in relation to negotiations with the individual in such a way as to prejudice those negotiations;
  • giving access would be unlawful;
  • denying access is required or authorised by or under an Australian law or a court/tribunal order;
  • both of the following apply:
    • FOS has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to FOS’s functions or activities has been, is being or may be engaged in; and
    • giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or
  • giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
  • giving access would reveal evaluative information generated within FOS in connection with a commercially sensitive decision-making process.

3.8.1 Dealing with requests for access

  • The Privacy Manager will:
    • respond to a request for access to the personal information within five business days of the request being made by either:
      • providing the information; or
      • explaining the timeframe and manner in which the information will be provided; and
    • give access to the information in the manner requested by the individual, if it is reasonable and practicable to do so.
  • If the Privacy Manager refuses to give access to the personal information, he or she will give the individual a written notice that sets out the reasons for the refusal and provide:
    • the option to make a formal complaint about the refusal via the FOS Complaints and Feedback Procedure; and
    • any other relevant matters

unless, having regard to the grounds for the refusal, it would be unreasonable to provide reasons.

  • Any individual who:
    • wishes to gain access to information held by FOS; or
    • believes that information held by FOS is not accurate, complete or up-to-date

should initially contact the member of staff dealing with their dispute, but may contact the Privacy Manager directly.

  • To assist FOS in responding to the request, the individual should provide as much information as possible to assist FOS in determining where the relevant information is held, including their name, dispute number(s), the name of the FSP and/or relevant dates.

3.9 Correction of personal information

If:

  • FOS holds personal information about an individual; and
  • either:
    • FOS is satisfied that the information is inaccurate, out of date, incomplete, irrelevant or misleading; or
    • the individual requests the entity to correct the information;

FOS will correct that information to ensure that the information is accurate, up to date, complete, relevant and not misleading.

3.9.1 Notification of correction to third parties

If:

  • FOS corrects personal information about an individual that FOS previously disclosed to another entity; and
  • the individual requests FOS to notify the other entity of the correction;

FOS will notify the other entity, unless it is unreasonable or unlawful to do so.

3.9.2 Refusal to correct information

If FOS refuses to correct the personal information as requested by the individual, FOS will provide a written notice to the individual that sets out:

  • the reasons for the refusal except to the extent that it would be unreasonable to do so;
  • the mechanisms available to complain about the refusal; and
  • any other matter prescribed by the regulations.

3.9.3 Request to associate a statement

If:

  • FOS refuses to correct the personal information as requested by the individual; and
  • the individual requests FOS to include a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading with the information;

FOS will take reasonable steps to associate the statement with the information in such a way that will make the statement apparent to users of the information.

3.9.4 Dealing with requests

If a request is made for the correction of personal information, FOS will:

  • respond within two business days after the request is made; and
  • not charge the individual for:
    • the making of the request;
    • correcting the personal information; or
    • associating the statement with the personal information.

3.10 Breach of privacy by FOS

  • FOS takes its obligations in the handling of personal information very seriously.
  • Where FOS has provided personal information to an unauthorised party (the breach), whether the breach is identified internally or by an external party, the FOS member of staff who is first made aware of the breach will advise his or her line manager and the Privacy Manager immediately so that they can support and lead the response process.
  • Whilst FOS cannot compel the party to return or delete the documentation, all reasonable efforts to retrieve the material will be made. FOS will first telephone the receiving party and request that the documentation be destroyed and that confirmation of the destruction be provided, preferably in writing.
  • If original information has been provided, FOS will request that the information is returned and will provide a stamped envelope addressed to FOS for the return of the documentation.
  • If the material is not returned, or confirmed as deleted or destroyed, within 7 days, a follow-up call, or a letter if the party cannot be reached by phone, will be made.
  • Simultaneously, FOS will advise the party whose personal information has been disclosed (the affected party) about the breach and formally apologise. Once the breach has been resolved, FOS will again contact the affected party and advise on the outcome of the breach response actions.
  • Any complaint lodged by the affected party will be handled in accordance with our Complaints and Feedback process.
  • The relevant line manager and Privacy Manager will consider whether any systemic change or training is needed to prevent possible future breaches.

4. SUPPORTING INFORMATION


4.1 Definitions

Term Definition

Personal Information

any ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not’ (s 6(1)).

Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details, employment details and commentary or opinion about a person.

Permitted General Situation

There are seven permitted general situations:

  • lessening or preventing a serious threat to the life, health or safety of any individual, or to public health or safety
  • taking appropriate action in relation to suspected unlawful activity or serious misconduct
  • locating a person reported as missing
  • asserting a legal or equitable claim
  • conducting an alternative dispute resolution process
  • performing diplomatic or consular functions – this permitted general situation only applies to agencies
  • conducting specified Defence Force activities

Privacy Manager

Nicolas Crowhurst, Company Secretary
Telephone: (03) 8623 2005
Email: privacy@fos.org.au 

 

Sensitive Information

A subset of personal information defined as:

  • information or an opinion (that is also personal information) about an individual’s:
    • racial or ethnic origin
    • political opinions
    • membership of a political association
    • religious beliefs or affiliations
    • philosophical beliefs
    • membership of a professional or trade association
    • membership of a trade union
    • sexual orientation or practices, or
    • criminal record
  • health information about an individual
  • genetic information (that is not otherwise health information)
  • biometric information that is to be used for the purpose of automated biometric verification or biometric identification, or
  • biometric templates.

Information may be sensitive information where it unambiguously implies one of these matters.

Sensitive information is generally afforded a higher level of privacy protection under the APPs than other personal information.


[1] Or his or her properly appointed agent or representative
[2] Paragraph 13.4
[3] Direct marketing is the use or disclosure of personal information to communicate directly with an individual to promote goods and services.