This document sets out Arnott Capital’s commitment in respect of the personal information that we hold about our investors and clients (“clients”) and what we do with that information. Our overarching objective is to protect all client personal information at all times.
Any personal information we collect about our clients will only be used for the purposes we have collected it, or as allowed under the relevant law. Our commitment in respect of personal information is to abide by the Australian Privacy Principles for the protection of personal information, as set out in the Privacy Act and any other relevant law.
When we refer to personal information, we mean information from which a client’s identity is apparent or can reasonably be ascertained. The personal information we hold about our clients may also include credit information. The kinds of personal information we may collect about our clients include their name, date of birth, address, account details, occupation, and any other information we may need to identify our clients.
Credit information is information used to assess a client’s creditworthiness. Registration information is the information a client provides in the course of registering for a financial service or product. Registration information may include name, email address, address details, gender, and date of birth. It also includes additional information our clients provide in the course of that relationship.
Why we collect personal information
We may collect personal information during an investment application process or as part of a new client due diligence/verification process in order to comply with any relevant laws and regulations including:
- Anti-Money Laundering and Counter Terrorism Financing Act 2006;
- The Privacy Act 1988;
- The Corporations Act 2001;
- Any requirements or regulations under our Australian Financial Services License; and
- Any other requirements by regulators including ASIC.
We also confirm our obligation under Schedule 3 of the Privacy Act on the National Privacy Principles – Collection, which states that “an organisation must not collect personal information unless the information is necessary for one or more of its functions or activities”.
We may disclose our clients’ personal information:
- To other organisations that are involved in managing or administering our clients’ investments, such as third-party suppliers (Fund Administrators and Custodians); and
- As required or authorised by or under law, such as under the Anti-Money Laundering and Counter Terrorism Financing Act 2006. This accords with principle 11 of the Privacy Act.
Updating personal information
During the course of our relationship with our clients, we may ask our clients to inform us if any of their personal information has changed. We will generally rely on our clients to ensure that the information we hold about them is accurate and complete.
Client access to, and updating, personal information
We will provide our clients with access to the personal information we hold about them. Our clients may request access to any of the personal information that we hold about them at any time. This accords with principle 6 of the Privacy Act.
Using Government identifiers
Safety and security of stored information
We will take reasonable steps to protect our clients’ personal information by storing it in a secure environment. We may store our clients’ personal information in paper and/or electronic form. We will also take reasonable steps to protect personal information from misuse, loss and unauthorised access, modification or disclosure. This accords with principle 4 of the Privacy Act.
Using online services
When our clients access and interact with our website or online services, we may collect certain information about those visits. For example, in order to permit connection to our services, our servers may receive and record information about the computer, device and browser used, potentially including IP address, browser type and other software or hardware information. If our clients access our services from a mobile or other device, we may collect a unique device identifier assigned to that device, geolocation data, or other transactional information from that device. Technologies such as cookies may also be used to collect and store information such as the pages our clients have visited, content viewed, search queries run, and advertisements viewed in relation to our clients’ usage of our services and other websites they have visited.
Information disclosure for merger or sale of business
If we sell all or part of our business, make a sale or transfer of our assets, or are otherwise involved in a merger or transfer of all or a material part of our business, we may transfer or disclose our client information to the party or parties involved in the transaction, both as part of that transaction and as part of any due diligence processes that take place in contemplation of a potential transaction.
Information disclosure for investor due diligence
Potential clients performing operational due diligence on Arnott Capital may, in the course of that due diligence, have access to our client list (but not to clients’ personal information). We will require them to be bound by confidentiality obligations before any such access is given.
Data breach response plan
On 1 September 2017, ASIC published its Corporate Plan, which identified data security and privacy as one of its key challenges and areas of focus for the next 12 months. Specifically, ASIC is focused on how an organisation ensures the security of the data, including personal information, that it manages.
Why data breach notification is good privacy practice
Notifying clients when a data breach involves their personal information supports good privacy practice, for the following reasons:
- Notification as a reasonable security safeguard – As part of the obligation to keep personal information secure, notification may, in some circumstances, be a reasonable step in protecting personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
- Notification as openness about privacy practices – Being open and transparent with clients about how personal information may be handled is recognised as a fundamental privacy principle. Part of being open about the handling of personal information may include telling clients when something goes wrong and explaining what has been done to avoid or remedy any actual or potential harm.
- Notification as restoring control over personal information – Where personal information has been compromised, notification can be essential in helping clients to regain control of that information. For example, where a client’s identity details have been stolen, once notified, the client can take steps to regain control of their identity information by changing passwords or account numbers, or requesting the reissue of identifiers.
- Notification as a means of rebuilding public trust – Notification can be a way of demonstrating to the public that Arnott Capital takes the security of personal information seriously, and is working to protect affected clients from the harms that could result from a data breach. Clients may be reassured to know that Arnott Capital’s data breach response plan includes notifying them, the OAIC and relevant third parties.
Arnott Capital considers notification in appropriate circumstances to be good privacy practice, and in the interest of maintaining a community in which privacy is valued and respected.
Dealing with security breaches of client’s data and information
Cyber security breaches
If there has been a cyber security attack, for example databases containing client information being “hacked” into or otherwise illegally accessed by individuals outside Arnott Capital, that results in client data being lost or compromised, refer to the Cyber Security Incident Response Procedure detailed below.
Cyber Security Incident Response Procedure:
In the event of a cyber security attack, the following procedures should typically be followed by Arnott Capital:
- The Directors, Board and Compliance Team members are promptly notified by either the Compliance Manager or an Executive Director and the Incident Response process is activated.
- The Compliance Manager immediately engages either the IT Consultant or the Cyber Security Consultant to develop and implement a Remediation Plan.
- The IT Consultant or the Cyber Security Consultant makes a recommendation to Arnott Capital on whether to activate the disaster recovery plan, whether full-time staff should be physically relocated to home or other temporary offices, and whether its remote access services remain available and accessible.
- The Compliance Manager briefs Arnott Capital’s Cyber Security Insurer about the cyber security attack and initiates a claim under its policy for all claimable financial and other losses.
- Depending on the severity of the cyber security attack, the Compliance Manager will notify the following parties as soon as reasonably practicable: external stakeholders including key third party service providers, the impacted clients, ASIC, the OAIC and other regulators where appropriate.
- The Compliance Manager will also confirm that all Arnott Capital’s regulatory, AFSL and contractual reporting and other obligations are fully met during and after the attack.
- The Compliance Manager will maintain a register of cyber security attacks, the remediation plan, the financial and other impact and the insurance claims process.
Non-Cyber security breaches
If there has been a non-cyber security breach that results in client data being lost or compromised, for example from:
- Lost or stolen laptops, removable storage devices, or paper records containing client information;
- Hard disk drives and other digital storage media;
- Employees accessing or disclosing client information outside the requirements or authorisation of their employment;
- Paper records stolen from insecure recycling or garbage bins;
- Arnott Capital mistakenly providing client information to the wrong person or party, for example by sending details to the wrong physical or email address; and
- An individual deceiving Arnott Capital into improperly releasing the personal information of another person or client.
Depending on the severity of the breach and the timeliness/adequacy of the remediation plan, the following procedures should typically be followed by Arnott Capital:
- The Directors, Board and compliance team members are promptly notified by either the Compliance Manager or an Executive Director and the Incident Response process is activated.
- Depending on the severity of the breach, the Compliance Manager will notify the following parties as soon as reasonably practicable: external stakeholders including key third party service providers, the impacted clients, ASIC, the OAIC and other regulators where appropriate.
- The Compliance Manager will also confirm that all of Arnott Capital’s regulatory, AFSL and contractual reporting and other obligations are fully met during and after the breach.
- The Compliance Manager will maintain a register of client data breaches or losses, the remediation plan, the financial and other impact and the insurance claims process.