Use of personal information
Warrington Scott appreciates that a client may be concerned about the confidentiality of personal information that is collected from them in order to provide financial and insurance services, and advice.
Accordingly, Warrington Scott will:
- only request personal information that is specifically required in order to provide a service;
- only request personal information from the client, and will not seek to collect information elsewhere without the client’s express permission;
- only use the information for the express purpose for which it was collected;
- only hold and transmit personal information where its security can be assured;
- not provide any personal information to a third party without the client’s express permission, unless required by law;
- ensure that all staff and consultants who have access to personal information sign and adhere to a confidentiality agreement as part of their conditions of employment;
- allow clients to opt out of receiving non-essential material (e.g. newsletters);
- allow clients to nominate how we communicate with them for material that contains their personal information;
- upon request, provide the client with access to the personal information held about them;
- provide a Complaints Policy to deal with any privacy-related complaints.
What personal information Warrington Scott collects
The personal information about a client that Warrington Scott may need to collect will depend on the type of services and products that the client makes use of, and on the requirements of the external services and/or product providers that they utilise. Requests for such information (by external product providers in particular) will typically be contained in application forms. The information required may include, but is not limited to, the client’s name, address, email, mobile or phone number, age, current investments, future financial goals and health-related information (essential for insurance purposes).
In addition, in accordance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), Warrington Scott is required to undertake identification procedures before implementing any financial transaction on the client’s behalf. For identification, we will ask the client to provide one or more forms of identification, preferably photo identification.
Warrington Scott records incoming and outgoing telephone conversations and client meetings for verification purposes. If a client does not wish to have their conversation recorded, they are advised to notify Warrington Scott at the beginning of the conversation.
Use and disclosure of personal information
Any personal information Warrington Scott collects from the client may be made available to, or used by, the client’s adviser, a staff member or an external product provider carrying out a function on Warrington Scott’s behalf.
Warrington Scott will use the information collected:
- to provide advice, information, services or product recommendations to a client;
- to process insurance claims on a client’s behalf; and
- for any other purpose required or authorised by law.
In addition, Warrington Scott will only disclose personal information to third parties carrying out functions on its behalf, with the client’s permission and on a confidential basis.
Security of personal information
Warrington Scott takes all reasonable steps to preserve the security of the personal information it collects. All stored client information is protected from unauthorised access through the use of secure passwords and user log-ons and secure storage procedures, and use of a secure destruction service for discarded documents.
Accessing and updating client personal information
Warrington Scott takes all reasonable steps to ensure that the personal information which we collect, use and disclose is accurate, complete and up-to-date.
Clients are able to access and update their personal information by contacting Warrington Scott on 02 9386 5968.
Data breach procedure
Responding to a data breach
There is no single method of responding to a data breach but the response should be as quick as possible to nullify or mitigate further breaches or potential harm. Each breach must be dealt with on a case‑by‑case basis by undertaking an assessment of the risks involved and using this to decide the appropriate course of action.
The Director, with advice from the Compliance Manager, will be responsible for and manage the process but may delegate tasks to staff.
There are four key steps
Step 1 – contain the breach
The Director (or delegate) must take immediate steps to limit access, distribution or possible compromise of data. For example, retrieve lost personal information or change access controls.
Step 2 – assess whether the data breach is likely to result in serious harm
The Director with advice from the Compliance Manager must, within 30 days, assess whether a reasonable person would consider it likely that the unauthorised access or disclosure will result in serious harm to an individual.
Ideally the assessment should be done as quickly as possible with the aim to take remedial action to nullify or mitigate potential harm. The assessment should be documented using the Incident Register or Complaints Register.
Serious harm can include serious physical, psychological, emotional, economic and/or financial harm, as well as serious harm to reputation. To assess if this is likely, Warrington Scott will consider the sensitivity of the information, security measures (such as encryption) and who has obtained the information (if known).
If the data breach is not likely to result in serious harm
If the likelihood of serious harm is avoided by prompt remedial action, then the incident may not be notifiable. Warrington Scott should nevertheless review the incident and take action to prevent future breaches. It may also choose to let a client know that their personal information was breached but then promptly contained. Warrington Scott should consider whether an apology is relevant and/or an explanation of how the breach occurred and how it was managed and contained.
Step 3 – notify
If serious harm to an individual is likely, the Director, with assistance from the Compliance Manager, must notify the OAIC and affected individuals expeditiously (Privacy Act 1988, as amended by the Privacy Amendment (Notifiable Data Breaches) Act 2017: s 26WL(3)).
For further information see the Office of the Australian Information Commissioner (OAIC) website www.oaic.gov.au
Step 4 – review the incident and prevent or mitigate future breaches
Steps 1 to 3 should ideally be undertaken either simultaneously or in quick succession. Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, it may be appropriate to take additional steps that are specific to the nature of the breach.
Review the incident and take action to prevent future breaches. The review can include: developing a prevention plan, updating security measures, considering changes to relevant policies and procedures, auditing and assessing contracted third-party services (e.g. IT), and staff training.
Warrington Scott should log the matter in the Incident Register or Complaints Register regardless of whether the data breach was notifiable.
How should the OAIC be notified?
Complete the form from the OAIC website www.oaic.gov.au with the following details:
- Warrington Scott’s contact details
- a description of the breach
- the kind(s) of information concerned
- steps taken to contain the breach and mitigate harm
- further recommended steps for affected individuals to mitigate harm, if necessary.
How should affected individuals be notified?
Warrington Scott must also notify affected individuals of the eligible data breach (breach) by one of the three options below.
Option 1 – notify all individuals
If it is practicable, Warrington Scott can notify each of the individuals whose personal information was part of the breach (s 26WL(2)(a)).
This option may be the simplest and most appropriate method where a breach involves personal information about many people and Warrington Scott cannot reasonably assess which particular individuals are at risk of serious harm.
The benefits of this approach include ensuring that all individuals who might be at risk of serious harm are notified and enabling them to consider whether they need to take any action in response to the breach.
Option 2 – notify only those individuals at risk of serious harm
If it is practicable, Warrington Scott can notify only those individuals who are at risk of serious harm from the breach (s 26WL(2)(b)).
If Warrington Scott identifies that only a particular individual, or a specific subset of individuals, involved in the breach is at risk of serious harm, only those individuals need to be notified.
The main benefits of this targeted approach are reducing unnecessary concern or worry to clients and administrative costs.
Option 3 – publish notification
If neither option 1 nor option 2 above is practicable, Warrington Scott must:
- publish a copy of the data breach statement (the statement prepared for the OAIC) on its website, and
- take reasonable steps to publicise the contents of that statement (s 26WL(2)(c)).
Warrington Scott will take proactive steps to publicise the substance of the breach to increase the likelihood that the breach will come to the attention of the individuals at risk of serious harm.
Data breaches involving other organisations that hold personal information jointly with Warrington Scott
If more than one entity holds personal information that was compromised in a breach, only one entity needs to notify the OAIC and affected individuals about the breach. For example, more than one entity may hold compromised personal information in a breach due to outsourcing, a joint venture, or shared services arrangements between entities. However, if none of the entities notifies, each of the entities may be found to have breached s 26WL(2). The OAIC suggests that the entity with the most direct relationship with the individuals at risk of serious harm should be responsible for notifying the OAIC.
If another entity notifies the OAIC, Warrington Scott may nevertheless choose to notify its affected clients in order to manage the process.
If there has been a breach by a third party involving information directly supplied to the third party by Warrington Scott, individuals will be notified via one of the above options, and advised of our course of action with that third party.
If a client has any questions, feedback or complaints regarding privacy matters, they should contact the Director at Daniel@ws.net.au or write to the following address:
The Compliance Officer
Warrington Scott Pty Limited
PO Box 1509
BONDI JUNCTION NSW 2022
Privacy Risk Assessment and Management
Privacy risk factors have been identified and these have been included in the Risk Assessment and Management analysis in the Risk Assessment and Management Policy.