“This document outlines the Privacy (‘Policy’) of Managed Accounts Holdings Ltd
ACN 128316441 Limited and all related entities (Collectively referred to as ‘Group’ or ‘MGP’).
MGP and its subsidiaries are committed to protecting the privacy of all clients and personal (and
sensitive) information we collect when doing business and are committed to ensuring we uphold
both the rules and intent of the Privacy requirements.
As part of this commitment and as a mechanism to ensure compliance with the Privacy Act 1988
(Cth) (Privacy Act) and Privacy Amendment (Notifiable Data Breaches) Act 2017 (Privacy Amendment
This Policy sets out our practices with respect to the collection and management of personal and
sensitive information in all areas, and has been developed under the Australian Privacy Principles
(APPs) (established under the Privacy Act) which provides the standards, rights and obligations for
the handling, holding, accessing and correction of personal (including sensitive) information.
This Policy also sets out our practices with respect to Data Breaches and has been developed under
the Notifiable Data Breaches (NDB) scheme (established under the Privacy Amendment Act) which
outlines MGP’s data breach notification obligations when a data breach is likely to result in serious
harm to any individuals whose personal information is involved in the breach.
What is personal information?
Personal information is defined in law as “information or an opinion about an identified individual or
an individual who is reasonably identifiable, whether the information or opinion is true or not, and
whether the information or opinion is recorded in material form or not”. Examples include an
individual's name, address, contact number and email address.
Special provisions apply to the collection of personal information which is sensitive information.
Sensitive information includes, for example, information about a person's health, membership of a
professional or trade association.
What personal information do we collect?
We may collect and hold personal information for the purposes of managing our business, providing
products and services, in administering products and services, and making information available
about other products and services.
The financial products and services provided by us include both direct to client services and services
provided through financial advisers and fund managers.
The information we collect directly from clients, financial advisers, fund managers, and other AFS
Licensees, may include name and contact information (including email address), residential and or
postal address, date of birth, tax file number (TFN), occupation, employer, bank account details,
financial information, data required for anti-money laundering counter-terrorism financing
purposes; and any other information required to administer the products and services we provide
(including information required by law).
Much of this information is collected using online facilities or through ongoing communications.
There may be specific circumstances in which we will ask for sensitive information. We will only
collect sensitive information where we have consent to the collection of the information and it is
reasonably necessary for us to administer your business or employment with us.
The sensitive information we may collect may include:
- details of dependents,
- personal health information
- income information
- marital status; and
- membership of professional associations and trade unions.
How do we collect and hold personal information?
When we collect personal information directly from an individual, we take reasonable steps at, or
before the time of collection to ensure that the individual is aware of certain key matters, such as:
- the details of the entity collecting the personal information;
the purposes for which we are collecting the information (including for example where
required by law);
the organisations (or types of organisations) to which we would normally disclose
information of that kind;
- the main consequences if all or some of the personal information is not collected;
the fact that an individual can access the information and how to contact us to either access
or correct their personal information;
the fact that an individual may complain about the handling of their personal information if
they believe it is has not been handled in accordance with the Privacy Act, and how the MGP
will deal with the complaint.
We will not collect any personal or sensitive information about you except where you have
knowingly provided that information to us or we believe you have authorised a third party to
provide that information to us.
We will collect personal information directly from an individual where it is reasonable and
practicable to do so. Where we collect information from a third party such as financial advisers, fund
manager, or another AFS Licensee, we will still take reasonable steps to ensure that an individual is
made aware of same information set out above.
You are not required to give us the information that we request, however if you choose not to
provide the information we ask for, or the information you give us is not complete or accurate, this
may for example, prevent or delay the processing of your business, affect your eligibility for specified
products, or it may prevent us from contacting you. It may also (in certain circumstances) impact on
the taxation treatment of an account with us.
We take reasonable steps to ensure that the personal information that we collect, use and disclose is
accurate, complete and up to date. We advise clients to keep their information up to date and
provide mechanisms for them to do so.
We take reasonable steps to protect the personal information and sensitive information that we
hold from misuse and loss and from unauthorised access, modification or disclosure by using
security procedures and up to date technology. Account information is password and security
protected and all instructions are verified before they are processed.
Personal information is stored on secured systems, and within our corporate technology
infrastructure. Data is backed up regularly and is stored to ensure both the availability and security
of the backup information.
Any personal information sent to external locations is secured with encryption.
We may disclose personal information to the following when undertaking our business:
- internally to our staff and related bodies corporate;
professional advisers nominated by clients;
financial institutions, where necessary, to allow us to establish accounts or other banking
- a financial institution;
any organisations or professional advisers involved in providing, managing or administering
our products or services such as auditors, accountants, lawyers, custodians, external dispute
resolution services, insurers, investment managers or mail houses, within normal business
medical practitioners and other relevant professionals, as appropriate;
your personal representative, or any other person who may be entitled to receive a death
benefit, or any person contacted to assist us to process that benefit;
- support services;
any fund (administrator or MGP) to which a superannuation benefit is to be transferred or
rolled over; and
- where otherwise required or authorised by law.
We will also disclose your personal information if you give us your consent.
If other organisations provide support services to us, they are required to appropriately safeguard
the privacy of the personal information provided to them.
Where personal information collected is no longer needed for any purpose that is permitted by the
Privacy Act, we can delete, destroy or permanently de-identify the personal information as required.
Use of Commonwealth Government Identifiers
We do not use Commonwealth government identifiers (Identifiers) as our own identifier of
individuals or accounts. We will only use or disclose Identifiers in the circumstances permitted by the
Purposes of collection
We will only collect personal information from an individual or third party which is reasonably
necessary to provide our products or services (primary purpose). We collect personal information for
the following primary purposes, including:
processing applications and other transactions for products and services offered by us and
providing information and communications to members and other account holders,
for the operation of products and services offered by us and our clients, or to comply with
the requirements of the Corporations Act 2001 (Cth) or any licensing or other regulatory
requirements or obligations;
to record and maintain member and investor details necessary for providing the services
offered by us and our clients;
establishing accounts or other banking facilities on an individual's behalf with third party
financial institutions and administering an individual's accounts or other banking facilities;
communicating with clients, including for the purposes of direct marketing communications
(where permitted by law);
conducting our internal business operations, including meeting any relevant regulatory or
as agent, collecting information to enable our clients and counterparties to comply with
Anti-Money Laundering and Counter-Terrorism Financing Law; and
assessing applications for employment.
Individuals can request not to receive direct marketing communications by following the opt-out
method provided within our communication.
Personal (and/or sensitive) information may also be disclosed where for example it is required by
law, or a permitted general or health situation exists in relation to the use or disclosure. This may
include for example situations in which the entity reasonably believes that the disclosure of personal
information is necessary to lessen or prevent a serious threat to the life, health or safety of an
individual or that of the public.
Accessing your personal information or making a complaint
Any individual about whom we hold personal information, can contact us to access and correct their
personal information. We may charge a reasonable fee to cover our costs.
We will take all reasonable steps to provide access to or amend any personal information that is
incorrect. If we are unable to correct your personal information, or give you access to the
information, we will advise you with an explanation in writing.
If you believe that we have not dealt with your personal information in accordance with this Policy
or the APPs, you may make a complaint to us.
You can contact us to either access or correct personal information, or complain about any breach of
the APPs by writing to the Privacy Officer at:
The Risk and Compliance Department
PO Box R1197,
ROYAL EXCHANGE NSW 1225
We will acknowledge a complaint in writing within 7 days of receipt, and process and respond to
your complaint within 30 days. If we cannot resolve your complaint within 30 days of receipt, we will
contact you with an explanation and see permission for an extension of time.
If (after 30 days) you are not satisfied with our response, you may raise your concerns with the
Office of the Australian Information Commissioner:
Phone: 1300 363 992
Fax: +61 2 9284 9666
Mail: GPO Box 5218, Sydney NSW 2001 or GPO Box 2999, Canberra ACT 2601.
Disclosing personal information
Some of our third party contractors and service providers may perform certain services for MGP. As
a result, personal information collected by us may be disclosed to a third party recipient.
We take reasonable steps to ensure these recipients comply with the APPs by implementing
contractual arrangements with MGP as service providers to ensure the personal information is
appropriately safeguarded and to ensure that our service providers comply with the APPs.
Notifiable Data Breaches
We are required to notify individuals at risk of serious harm and the Australian Information
Commissioner (the Commissioner) about ‘eligible data breaches’.
An eligible data breach arises when the following three criteria are satisfied:
there is unauthorised access to or unauthorised disclosure of personal information, or a loss
of personal information, that MGP holds
- this is likely to result in serious harm to one or more individuals, and
- MGP has not been able to prevent the likely risk of serious harm with remedial action.
In circumstances where it is not clear if a suspected data breach meets these criteria we will take all
reasonable steps to conduct an assessment within 30 calendar days after the day they became
aware of the grounds (or information) that caused it to suspect an eligible data breach.
There are some exceptions to the notification requirements, which relate to:
eligible data breaches of other entities
enforcement related activities
inconsistency with secrecy provisions
declarations by the Commissioner.
Examples of a data breach include when:
a device containing customers’ personal information is lost or stolen
- a database containing personal information is hacked
- personal information is mistakenly provided to the wrong person.
MGP’s data breach response approach will guide staff on the steps they are required to undertake
following a data breach. Firstly, any suspected data breach of any magnitude should be immediately
advised to the Head of Risk Management, Compliance and legal and/or the CEO as soon as any
breach is suspected [whether or not confirmed] with a view of containing the breach to prevent any
further compromise of personal information.
We will then assess the data breach by gathering the facts and evaluating the risks, including
potential harm to affected individuals and, where possible, taking action to remediate any risk of
harm. Where serious harm cannot be mitigated through remedial action, we will notify the
individuals at risk of serious harm and provide a statement to the Commissioner as soon as
The statement and/or notification about an eligible data breach will include:
the identity and contact details of MGP
a description of the eligible data breach
the kind or kinds of information involved in the eligible data breach
- what steps MGP recommends that individuals take in response to the eligible data breach
If it is not practicable to notify the individuals at risk of serious harm, we must publish a copy of the
statement prepared for the Commissioner on our website, and take reasonable steps to bring its
contents to the attention of individuals at risk of serious harm.
If a single eligible data breach applies to multiple entities, only one entity [MGP] needs to notify the
Commissioner and any individuals at risk of serious harm. It is up to the CEO to decide which entity
notifies, however the entity with the most direct relationship with the individuals at risk of serious
harm should generally undertake the notification.