Full transparency about how we keep your data private.
1. Introduction and Definitions
1.1. This Policy applies to ACC Directorate (ABN 65 004 617 467), ACS Financial Pty Ltd (ACN 062448 122), ACS Mutual Limited (ACN 162 909 346) and ACS Capital Nominees Pty Ltd (ACN147 971 739), in whatever capacity (as trustee and/or in their own right), and any subsidiary companies (ACS Group, we, us, our).
1.2. This Policy (which is available on request and published on our website at http://stpa.acsfinancial.com.au/privacy-policy extends to and covers all operations and functions of the ACS Group in Australia. At ACS Group, we are committed to ensuring the confidentiality and security of the personal information supplied to us by individuals.
This Policy outlines ACS Group’s practices, procedures and systems that ensure compliance
with the Australian Privacy Principles, including the following procedures:
- ACS Group Privacy Statements;
- direct marketing (opt-out procedure) (section 8);
- sending information overseas (section 9);
- security procedure (section 10);
- procedure to correct personal information (section 12);
- access to information procedure (section 13); and
- disputes/complaints handling procedure (section 18).
1.3. ACS Group is bound by the Australian Privacy Principles (APPs), contained in the Privacy Act 1988 (C’th) (Privacy Act).
1.5. Personal information is information or an opinion relating to an individual, which can be used to identify that individual. Some personal information, which we collect, is sensitive information.
1.6. In this Policy:
- ‘Disclosing’ information means providing information to persons outside ACS Group;
- ‘Individual’ means any persons whose personal information we collect, use or disclose.
- ‘Personal information’ means information or an opinion relating to an individual, which can be used to identify that individual;
- ‘Privacy Officer’ means the contact person of the ACS Group (who is the Compliance Officer – see section 22) for questions or complaints regarding ACS Group’s handling of personal information;
- ‘Sensitive information’ is personal information that includes information relating to a person's racial or ethnic origin, political opinions, religion or affiliation, trade union or other professional or trade association membership, sexual preferences and criminal record, and also includes health information or financial details about an individual, including bank account details and credit history; and
- ‘Use’ of information means use of information within the ACS Group. ACS Group is bound by the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 and the Privacy Amendment (Notifiable Bata Breaches) Act 2017.
2. What kind of personal information do we collect and hold?
2.1. We collect and hold the following kinds of personal information about individuals:
- date of birth
- phone numbers
- email addresses
- bank account details and other financial information
- drivers’ licence details
- tax file number
- any other information that is relevant to the services that we provide.
2.2. The personal information may also include information about the form of identification used in relation to an individual that is a party to a transaction (required by law in some instances), and information about a transaction in relation to an individual, including details of the amounts paid in or out of an individual’s account as well as delivery instructions.
2.3. The personal information may also include:
- employment details, employment history, qualifications and training history, family commitments and social security eligibility; and
- details of the individual’s current financial circumstances; and
- details of the individual’s driving record.What kind of personal information do we collect out in this Policy. In some circumstances we may be provided with personal information about an individual from somebody else, for example: a referral from another person, or if we are given information by your employer if you or they use our products or services, or from information that is publically available on websites, or from third party experts where they have obtained your consent to provide your personal information to other parties. The prior examples are not exhaustive.
3. How we collect personal information
3.1. We generally collect personal information directly from the individual. For example, personal information will be collected when an individual completes an application, questionnaire or form to use our services, telephones or makes face to face contact with us, visits our website, or sends us correspondence.
3.2. Sometimes we may collect personal information about the individual from a third party. When we are provided with personal information from a third party, we will take reasonable steps to ensure that the individual is or has been made aware of the matters set out in this Policy.
In some circumstances we may be provided with personal information about an individual from somebody else, for example: a referral from another person, or if we are given information by your employer if you or they use our products or services, or from information that is publically available on websites, or from third party experts where they have obtained your consent to provide your personal information to other parties. The prior examples are not exhaustive.
3.3. The ACS Group will not collect sensitive information unless the individual has consented or an exemption under the APPs applies. These exceptions include if the collection is required or authorised by law or necessary to take appropriate action in relation to suspected unlawful activity or serious misconduct.
3.4. Our ability to provide individuals with our services is sometimes dependent on us obtaining certain personal information about the individual. If the personal information we request is not provided, we may not be able to provide customers with the benefit of our services, or meet an individual’s needs appropriately.
3.5. ACS Group does not give individuals the option of dealing with them anonymously, or under\ a pseudonym. This is because it is impossible for ACS Group to provide its services to individuals who are not identified, and may contravene other laws.
4. Why do we collect and hold personal information?
4.1. ACS Group collects personal information for the following purposes:
4.1.1. to conduct our business of providing insurance broking and mutual protection services, premium funding services, vehicle finance broking services, commercial credit services, investment management services and advice, superannuation
trustee and business development services, and other services to our clients;
4.1.2. to enter into contracts with contractors, sub-contractors, authorised
representatives, vendors, service providers or other third parties (consultants) to
conduct our business;
4.1.3. to assess applications by individuals to provide them with our services;
4.1.4. to provide an individual with information about a product or service and invite an
individual to marketing events;
4.1.5. to protect our business and other customers from fraudulent or unlawful activity;
4.1.6. to conduct our business and perform other management and administration tasks;
4.1.7. to comply with our legal obligations; and
4.1.8. to help us manage and enhance our services.
5. About whom do we collect personal information?
5.1. The type of information we may collect and hold includes (but is not limited to) personal
5.1.2. third parties;
5.1.3. prospective employees, employees, and contractors; and
5.1.4. other people with whom we come into contact.
6. Unsolicited personal information
6.1. ACS Group employees are required to notify the Compliance Officer of all unsolicited
personal information received by them.
6.2. If we receive unsolicited personal information, the Compliance Officer will determine,
within a reasonable period of time, whether we could have collected the information
ourselves, in accordance with this Policy. If this Policy does not authorise the collection of
the unsolicited personal information, then the Compliance Officer will destroy that
7. How might we use and disclose personal information?
7.1. We may use and disclose personal information for the primary purposes for which it is
collected, and also for reasonably expected secondary purposes which are related to the
primary purpose and in other circumstances authorised by the Privacy Act 1988.
7.2. We use and disclose personal information for the purposes outlined in section 4 above.
Sensitive information will be used and disclosed only for the purpose for which it was
provided or a directly related secondary purpose, unless the individual agrees otherwise, or
where certain other limited circumstances apply (eg, where required by law).
7.3. We may engage other people to perform services for us which may involve that person
handling personal information we hold. In these situations, we prohibit that person from
using personal information about you except for the specific purpose for which we supply
it. We prohibit that person from using your information for the purposes of direct
marketing their products or services.
7.4. We may disclose personal and/or sensitive information to:
7.4.1. a related entity of ACS Group;
7.4.2. an agent, contractor or service provider we engage to carry out our functions and
activities, such as our lawyers, accountants, electronic identity verification services,
credit reporting bureaus (for the purpose of obtaining credit reports), debt
collectors or other advisors;
7.4.3. organisations involved in a transfer or sale of all or part of our assets or business;
7.4.4. organisations involved in managing our payments, payment merchants and other
financial institutions such as banks;
7.4.5. organisations involved in a transfer or sale of all or part of our assets or business;
7.4.6. organisations involved in managing our corporate risk and funding functions (eg
7.4.7. regulatory bodies, government agencies, law enforcement bodies and courts; and
7.4.8. anyone else to whom the individual authorises us to disclose it or as required by
7.5. We also collect personal and/or sensitive information from these organisations and
individuals, and deal with that information in accordance with this Policy.
7.6. In relation to credit providers, credit reporting agencies or any other such person or agency
affecting credit, an individual can contact our Compliance Officer to request website and
contact details for any credit provider or agency who has given and/or received personal
and/or sensitive information to and/or from the ACS Group relating to that individual, so
information about the management of personal and/or sensitive information and make a
request to access, correct or not disclose the information held.
8. Direct marketing
8.1. We do not use personal information for the purposes of direct marketing unless:
8.1.1. the personal information does not include sensitive information; and
8.1.2. the individual would reasonably expect ACS Group to use or disclose the
information for the purpose of direct marketing; and
8.1.3. ACS Group provides a simple way of opting out of direct marketing; and
8.1.4. the individual has not requested to opt out of receiving direct marketing from ACS
Group (or others).
8.2. If ACS Group collects personal information from an individual who would not reasonably
expect ACS Group to use or disclose the information for the purpose of direct marketing, or
collects personal information from someone other than the individual, ACS Group may use
or disclose that information (other than sensitive information) for the purpose of direct
8.2.1. either the individual has consented to the use or disclosure of the information for
direct marketing or it is impracticable to obtain that consent; and
8.2.2. ACS Group provides a simple way of opting out of direct marketing; and
8.2.3. in each direct marketing communication, ACS Group includes a prominent
statement that the individual may make a request to opt out of direct marketing or
otherwise draws the individual's attention to the fact that he or she may make
such a request; and
8.2.4. the individual has not already requested to opt-out of direct marketing from ACS
8.3. ACS Group notes that individuals have the right to request to opt out of direct marketing
and ACS Group must give effect to the request within a reasonable period of time.
8.4. Individuals may also request that ACS Group provides them with the source of their
information. If such a request is made, ACS Group must notify the individual of its source
without any charge within a reasonable period of time, unless it is impracticable or
unreasonable to do so.
9. Sending information overseas
9.1. We may disclose personal information to external service providers that are located outside
Australia in some circumstances. These recipients may be located in the following
9.1.1. United Kingdom; and/or
9.2. We will not send personal information to recipients outside of Australia without:
9.2.1. taking reasonable steps to ensure that the recipient does not breach the Privacy
Act, or the APPs;
9.2.2. ensuring the recipient is subject to an information privacy scheme similar to the
Privacy Act; or
9.2.3. the individual has consented to the disclosure.
10. Management of personal information
10.1. The APPs require us to take all reasonable steps to protect the security of personal
information. Our personnel are required to respect the confidentiality of personal
information and the privacy of individuals. We will seek to ensure that individuals’ personal
information is protected from misuse, loss, unauthorised access, modification or
10.2. We take reasonable steps to protect personal information held from misuse and loss and
from unauthorised access, modification or disclosure, for example by use of physical
security (locked filing systems and key-pass entry to building).
In relation to our computer-based information, we apply the following guidelines:
• data ownership is clearly defined within ACS Group policies and procedures, and
contracts as required;
• passwords are routinely checked;
• we change employees’ access capabilities when they are assigned to a new position;
• employees have restricted access to certain sections of the system;
• the system automatically logs and reviews all unauthorised access attempts;
• the system automatically limits the amount of personal information appearing on
any one screen/page;
• unauthorised employees are barred from updating and editing personal information;
• all computers which contain personal information are secured, physically and
• data is encrypted during transmission over the network;
• print reporting of data containing personal information is limited;
• ACS Group has created procedures for the disposal of personal information; and
• personal information is deleted to the extent possible when the information is no
10.3. ACS Group performs all employment procedures, including application and termination
processes, in a confidential manner. All individual job attributes, such as classification
information and salaries, are confidential. .
10.4. In the event that an individual ceases to be a client of ours, the individual’s personal
information will be kept for a period of 7 years in accordance with legislative requirements,
after which the information will be destroyed. Where we no longer require the personal
information for a permitted purpose under the APPs, we will take reasonable steps to
11.1. We will not use identifiers assigned by the Government, such as a tax file number,
Medicare number or provider number, for our own file recording purposes, unless one of
the exemptions in the Privacy Act applies.
12. How do we keep personal information accurate and up-to-date?
12.1. We take reasonable steps to ensure that the personal information we collect, use and
disclose is relevant, accurate, complete and up-to-date.
12.2. We encourage individuals to contact us in order to update any personal information we
hold about them. Our contact details are set out at the end of this Policy. If we correct
information that has previously been disclosed to another entity, ACS Group will notify the
other entity of the changes within a reasonable period of the correction, unless it is
impracticable or unlawful to do so. ACS Group responds to requests to amend personal
information within 30 days unless otherwise agreed, and does not charge individuals for
correcting the information.
13. Access to personal information
13.1. Subject to the exceptions set out in the Privacy Act, individuals may gain access to the
personal information which we hold about them by contacting our Compliance Officer. If
we refuse to provide the information, we will provide reasons for the refusal. We will
endeavour to respond to any request for access within 30 days of the request.
13.2. When an individual requests access to their personal information, which includes
evaluative information created by ACS Group in connection with a commercially sensitive
decision making process (as defined in APP 12.3(j)), a representative of ACS Group will
meet the individual personally (where this is possible), and explain the evaluative
information to the individual, without giving them a copy of it.
13.3. We will require identity verification and for an individual to specify what information is
required. An administrative fee for search and photocopying costs may be charged for
providing access. We will advise the likely cost in advance.
14. Updates to this Policy
14.1. This Policy is dated 22February 2018 and will be reviewed from time to time to take
account of new laws and technology, changes to our operations and practices and the
changing business environment. Changes are approved by the board and management of
the relevant ACS Group entity.
15.1. It is the responsibility of ACS Group management to inform employees and other relevant
15.2. The Compliance Officer will notify the Executive Management of any privacy-related
complaints, and other privacy issues.
16. Privacy Training
16.1. All new employees are provided with timely and appropriate access to ACS Group’s Privacy
Policy. All employees must be provided with opportunities to attend Privacy awareness
training which covers ACS Group’s obligations under the Privacy Act and the APPs. ACS
Group staff must ensure that they understand the Privacy-related issues that could
adversely affect ACS Group members and their clients if not properly adhered to.
17. Non-compliance and disciplinary actions
17.1. Any ACS Group employee or relevant third party that identifies, knows about or suspects a
privacy breach must immediately report the matter to the Compliance Officer. Failure by
18. Disputes/Incidents/Complaints Handling
18.1. ACS Group has effective disputes/incidents/complaints handling processes in place to
manage privacy risks and issues. The complaints handling procedures are set out in the
‘ACS Financial Dispute Handling Policy and Procedure’ and the ‘ACS Mutual Complaints
Policy’. The disputes/incidents/complaints handling processes involve:
18.1.1. identifying (and addressing) any individual/systemic/ongoing compliance
18.1.2. increasing consumer confidence in ACS Group’s privacy procedures; and
18.1.3. helping to build and preserve ACS Group’s reputation and business.
18.2. Individuals can make a complaint by writing to the Compliance Officer. The Complaints
Process is published on our website at http://www.acsfinancial.com.au/customersupport/.
19. Contractual arrangements with third parties
19.1. We ensure that all contractual arrangements with third parties adequately address privacy
policies in relation to the management of personal information in accordance with the
19.2.1. regulating the collection, use and disclosure of personal information;
19.2.2. de-identifying personal information wherever possible;
19.2.3. ensuring that personal information is kept securely, protected from loss or misuse,
with access to it only by authorised employees or agents of the related
19.2.4. ensuring that personal information is only disclosed to organisations which are
approved by us.
19.3. The third parties specifically agree only to use personal information for the purposes
consented to by ACS Group or by the individual concerned.
20. Privacy Audits
20.1. ACS Group conducts periodic privacy audits in order to ascertain whether it has complied
with its obligations under the Privacy Act, including:
20.1.1. what sort of personal and/or sensitive information is collected and held;
20.1.2. how that information is collected;
20.1.3. what the reasons are for collection of that information;
20.1.4. where and how that information is stored;
20.1.5. how that information is secured;
20.1.6. who has access to that information;
20.1.7. whether that information is shared with anyone;
20.1.8. whether the intended use of collection is communicated; and
20.1.9. whether that information is current and necessary.
21.1. We collect personal information from our web site (www.acsfinancial.com.au) when we
receive emails and online forms.
21.2. Our website contains links to other websites whose operator may or may not adhere to a
to identify an individual’s browser.
not identify the individual – they simply allow us to track usage patterns so that we can
measure the level of interest in various areas of our site.
21.4. We may also use third parties to analyse traffic at our website, which may involve the use
of cookies. Information collected through such analysis is anonymous. Our website privacy
statement can be accessed at http://www.acsfinancial.com.au/customer-support/ .
22.1. If you have any questions about privacy-related issues please contact the ACS Group
ACS Group Compliance Officer
ACS Financial Pty Ltd
Level 1, 917 Riversdale Road, Surrey Hills Victoria 3127
1800 646 777
If you are not satisfied with the result of your complaint to ACS Group you can also refer
your complaint to the Office of the Australian Information Commissioner.
You can contact the Office of the Australian Information Commissioner:
• by telephoning - 1300 363 992
• by writing to - Director of Complaints, Office of the Australian Information
Commissioner, GPO Box 5218, SYDNEY NSW 2001
• by emailing - firstname.lastname@example.org