ASIC Privacy Policy - complete

Purpose and scope

The purpose of this policy is to provide information about:

• the personal information that the Australian Securities and Investments Commission (ASIC) collects
• how we handle that information, including how we use and disclose it, and
• how you can access your personal information or make a complaint about our handling of the information.

This policy sets out how we comply with our obligations under the Privacy Act 1988 (Privacy Act). We are bound by the Australian Privacy Principles (APPs) which regulate how Australian Government agencies may collect, store, use and disclose personal information, and how individuals may access and correct personal information held about them.

'Personal information' is defined in the Privacy Act as:

information or an opinion about an identified individual, or an individual who is reasonably identifiable:

1. whether the information or opinion is true or not, and
2. whether the information or opinion is recorded in a material form or not.

The Privacy Act only applies to the collection of personal information by us for inclusion in a document, in an electronic device or other device, or in a generally available publication.

The personal information we collect includes:

1. contact details (such as name, address, email and telephone numbers)
2. biographical data (such as date and place of birth, and gender)
3. financial information (such as bank details)
4. occupational and employment histories, and
5. family background and investment information (such as shares held and trades made).

'Sensitive information' is a class of personal information which requires greater protection under the Privacy Act. 'Sensitive information' is defined in the Privacy Act as:

1. information or an opinion about an individual's:
1. racial or ethnic origin
2. political opinions
3. membership of a political association
4. religious beliefs or affiliations
5. philosophical beliefs
6. membership of a professional or trade association
7. membership of a trade union
8. sexual orientation or practices
9. criminal record
   that is also personal information
2. health information about an individual
3. genetic information about an individual that is not otherwise health information
4. biometric information that is to be used for the purpose of automated biometric verification or biometric identification, or
5. biometric templates.

Sensitive information that we collect includes information about:

1. professional memberships
2. criminal records, and
3. racial and ethnic origin.

As well as our obligations under the Privacy Act, we are also required by s127 of the Australian Securities and Investments Commission Act 2001 (ASIC Act) to take all reasonable measures to protect personal information given to us in confidence from unauthorised use or disclosure.

Don't have time to read the policy?

You can read our condensed privacy policy if all you want is a short summary of:

• how we collect, use, disclose and store personal information, and
• how you can contact us if you want to access or correct personal information we hold about you.

Outline of this policy

Section B of this policy explains our general information handling practices, including how to contact us if you want to:

• seek access to or correct your personal information, or
• make a complaint about our handling of personal information.

Sections C–H contain more information about our information handling practices in relation to the following functions of ASIC:

• our handling of reports of suspected misconduct
• our compliance and investigation activities
• our registration, licensing and other statutory functions
• our consultation with stakeholders
• our cooperation with foreign regulators and law enforcement agencies
• our handling of complaints made about our conduct, and
• our engagement of employees and contractors.

Purposes for collection

We only collect personal information that is reasonably necessary for, or directly related to, one or more of our functions or activities under the legislation we administer. For further information, see the laws we administer.

We collect personal information to:

• handle reports of suspected misconduct lodged with us, monitor compliance with the laws we administer, and identify, investigate and take enforcement action in relation to contraventions of those laws
• carry out our statutory obligations (such as administering our registration and licensing functions, granting relief from regulatory requirements and dealing with unclaimed property)
• consult with stakeholders, carry out data analytics, undertake data matching and consider and determine policy frameworks
• cooperate with foreign regulators and law enforcement agencies
• deal with and assess complaints about our conduct
• calculate levies under the industry funding model
• manage our employees, contractors and service providers
• enable users to access our online tools and systems, and
• provide subscription services.

How we collect information

We collect personal information from individuals or their authorised representatives.

In some circumstances we may collect personal information about individuals from third parties in the course of:

• preparing or receiving reports of suspected misconduct
• carrying out our compliance or investigation activities
• carrying out our registration, licensing and other statutory functions
• receiving other documents (such as tender documents that contain personal information about individuals), and
• recruiting our employees and contractors.

The APPs place a general obligation on Australian Government agencies to inform individuals when they collect personal information about them from third parties. We only collect personal information from third parties where:

• the individual consents
• we are required or authorised to collect the personal information from third parties by law, or
• it would not be reasonable or practicable for the individual to know that we have collected their personal information (because, for example, it could jeopardise an investigation of a report of suspected misconduct).

Anonymity

The APPs require Australian Government agencies to allow individuals the option of not identifying themselves or using a pseudonym in their dealings with the agency when it is lawful and practicable to do so - for example, if an individual wanted to make an anonymous complaint.

We generally provide individuals with the option of not identifying themselves or using a pseudonym. However, on many occasions we will not be able to do this - for example, where we need an individual's name and address to register a business name or to grant an Australian financial services licence.

Consequences of not providing personalinformation

If we ask an individual to voluntarily provide personal information to us, usually there is no penalty if they do not do so. However, there may be other consequences, for example:

• they may not make the most of our services
• we may not be able to process an application for a licence or registration
• we may not be able to properly investigate or resolve a report on suspected misconduct made by the individual, or
• we may issue a compulsory notice for the information.

If we compel an individual to provide personal information to us (for example, under s33 of the ASIC Act), or if they are required to provide personal information to us in compliance with another statutory obligation, they may commit an offence or be subject to a penalty if they fail to provide all or any of the personal information to us. If we issue a compulsory notice to an individual, we will inform them of the offences and penalties for a failure to comply with that notice.

Use of personal information

We only use personal information for the purpose for which it was collected, unless one of the following applies:

• we obtain the individual’s consent to use the personal information for a different purpose
• the individual would reasonably expect us to use the personal information for a different but related purpose (and if the personal information is sensitive information, that the purpose is directly related to the collection purpose)
• we are required or authorised by law to use the information (for example, by a court order or subpoena)
• a permitted general situation exists—including where we reasonably believe that using the information is necessary to:
  • lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety
  • take appropriate action to correct suspected unlawful activities or serious misconduct in relation to our functions and activities
  • establish a legal or equitable claim, or
• we reasonably believe that the use is necessary for our enforcement activities (such as to gather intelligence or take enforcement action).

We are required or authorised to collect, use or disclose personal information by a variety of laws which include the:

• Australian Securities and Investments Commission Act 2001 (ASIC Act)
• Corporations Act 2001(Corporations Act)
• ASIC Supervisory Cost Recovery Levy Act 2017
• ASIC Supervisory Cost Recovery Levy (Collection) Act 2017
• Business Names Registration Act 2011
• Insurance Contracts Act 1984
• Superannuation Industry (Supervision) Act 1993
• Retirement Savings Accounts Act 1997
• Life Insurance Act 1995, and
• National Consumer Credit Protection Act 2009.

If we collect personal information in the course of carrying out one of our functions (for example, receiving a report of suspected misconduct or when carrying out an investigation) and the information is relevant to another of our regulatory functions (for example, an application for a licence or for another investigation that we are conducting), we will, in general, use that personal information for that other purpose.

Disclosure to other bodies or persons

The types of bodies or persons to which we usually disclose personal information collected by us include the following:

• lawyers and other service providers who we engage to assist us with our functions
• other enforcement bodies (such as the Australian Federal Police)
• other government agencies (such as the Australian Taxation Office)
• the Australian Securities Exchange
• members of committees convened to consider liquidator registration and disciplinary matters and Financial Services and Credit Panels
• courts and tribunals
• foreign regulators (for further details of our arrangements with foreign regulators, see International activities)
• the public, if the personal information is required to be published in a register that can be searched by the public, in the Government gazette or on our website
• responsible Ministers and parliamentary committees exercising their oversight functions
• applicants under the Freedom of Information Act 1982 (FOI Act)
• referees and former employers to verify qualifications and experience when assessing certain applications, and
• the Australian Government Security Vetting Agency or any other vetting providers that we engage to conduct security or vetting assessments on our behalf.

We only disclose personal information for the purpose for which it was collected, or for another purpose, if one of the following applies:

• the individual has consented to the disclosure
• the individual would reasonably expect us to disclose the personal information because it relates to the primary purpose for which it was collected (or if it is sensitive information, that it is directly related: see Our personal information handling practices: Use of information)
• we are required or authorised by law to disclose the information
• a permitted general situation exists—including where we reasonably believe that using the information is necessary to:
  • lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety
  • take appropriate action to correct suspected unlawful activities or serious misconduct in relation to our functions and activities, or
  • establish a legal or equitable claim, or
• we reasonably believe the disclosure is necessary for our enforcement activities, or for the enforcement activities of other Commonwealth, state or territory agencies.

From time to time, we may disclose personal information to an overseas body or recipient. The specific country we disclose to will depend on the particular matter and may include the United States, Hong Kong, New Zealand, the United Kingdom and Singapore. We will not disclose personal information outside of Australia without an individual’s express or implied consent, unless otherwise permitted by APP 8 Cross-border disclosure of personal information.

Storage and security of information

We store personal information in electronic systems, including those provided by contracted cloud service providers such as Amazon Web Services, and paper files.

We take steps to protect the personal information we hold against loss, unauthorised access, use, modification or disclosure, and against other misuse. These steps include password protection and access privileges for accessing our IT systems, securing paper files in locked cabinets, and physical access restrictions.

If a data breach occurs and personal information that we hold is subject to unauthorised loss, use or disclosure, we will respond in accordance with the Privacy Act.

The Privacy Act requires us to notify affected individuals, the Office of the Australian Information Commissioner and any other relevant agencies of any unauthorised access or disclosure of personal information which would be likely to result in serious harm to any affected individuals.

If we reasonably suspect that there has been such unauthorised access or disclosure, we will carry out an expeditious assessment to determine if it is an 'eligible data breach' and take all reasonable steps to contain the unauthorised access or disclosure. We will complete our review within 30 days of becoming aware of the potential personal information breach.

When no longer required, we destroy personal information in accordance with ASIC’s Record Disposal Authority as approved by the National Archives of Australia or as part of normal administrative practice.

Visiting our website or social media pages

When an individual browses our website, our service provider logs the following information for statistical purposes—their server address, top level domain name (for example, .com, .gov, .au, .uk), the date and time of the visit, the pages accessed, the documents downloaded, the previous site visited and the type of browser used.

We do not identify users or their browsing activities except in the event of an investigation where an enforcement body may be entitled to inspect the service provider’s logs.

We may use cookies on our website to help us carry out online surveys. Cookies are small pieces of information exchanged between a web browser and a website server. Where we use an external survey provider, that provider could use cookies on their website. If this is the case, the user will be directed to information on the provider’s website explaining their use of cookies.

If an online payment is made by credit card, we will collect information such as the user’s email address, name and credit card details to enable us to process the payment and provide a payment receipt.

When an individual communicates with us through our social media pages, such as Facebook or Twitter, the social network provider and its partners may collect and hold their personal information overseas. Their privacy policy should be consulted for further information.

Google Analytics and Google Tag Manager

In addition to web service logs, we use Google Analytics (including Google Analytics Advertising Features) and Google Tag Manager, which are web analysis services provided by Google Inc. (‘Google’).

All the information we collect using Google Analytics and Google Tag Manager is for internal purposes only. We cannot identify individuals based on the data we collect and we will not publish any of it on our website.

Reports obtained from Google Analytics are used to improve the efficiency and usability of the ASIC website. Google Analytics uses cookies to help analyse how users use our website. The information generated by the cookie about your use of our website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Advertising Features is a function within Google Analytics that enables us to obtain more advanced information about our users, such as user demographics, user interests, and frequency of visits. For more information on how Google uses the data collected, read Google’s Privacy Policy and the Google Analytics Terms of Service. To opt out and prevent your data from being collected by Google Analytics, you can download the Google Analytics opt-out add-on.

Google Tag Manager enables us to combine codes on different areas of the website and collect data in ways that we cannot do with Google Analytics. For more information on how Google uses the data collected, read Google’s Privacy Policy.

By using our website, you consent to Google processing data about you in the manner and for the purposes set out above.

Email addresses

We will record your email address only if you send us a message or enter it on a form. It will only be used or disclosed in accordance with our obligations under the Privacy Act, and will not be added to a mailing list unless you request that this be done.

Subscriptions or logins

To subscribe or login to some parts of our website, you must provide either a valid email address or a specific username and password. These details will only be used or disclosed in accordance with our obligations under the Privacy Act and will not be added to any other mailing lists unless you specifically ask us to. Email mailing list addresses are stored on a separate server and can be accessed by authorised staff only.

Electronic newsletters

When we send you an electronic newsletter that you have subscribed to, we have access to data about whether you opened that newsletter and clicked on links.

Searches

We keep a record of any search terms you use if you are searching our website, but we do not associate that information with other information that we collect. We use these search terms to identify what people are looking for on our website and to improve the services that we provide.

Links to other websites

We might include links to other sites, including social media sites (e.g. Facebook, YouTube and Twitter), to make it easy to share information. These other sites might use web measurement tools, customisation technologies and persistent cookies to inform the service they provide to their users. We are not responsible for the privacy practices or the content of other websites, and we do not use, maintain or share personal information that is collected by other websites.

Quality, access and correction

We will take reasonable steps to ensure that the personal information we hold is accurate, up to date, relevant and complete, including when it is used or disclosed.

The Privacy Act allows an individual to seek access to their personal information and request that we correct their personal information where that information is inaccurate, out of date, incomplete, irrelevant or misleading. The FOI Act also sets out the process by which an individual can access, change or annotate documents we hold that contain their personal information.

We are permitted to refuse a request to access or correct personal information where there are valid reasons under the Privacy Act, the FOI Act or other applicable law. If we refuse to provide access or correct personal information, we will notify the individual of our reasons and advise how they can request a review. Generally, an application under the Privacy Act for access will be acknowledged within 30 days from the date that we receive it.

You can obtain further information about how to request access or a correction to your personal information by emailing us at privacy@asic.gov.au or writing to us at:

Privacy Team, Legal Services
Australian Securities and Investments Commission
GPO Box 9827
Melbourne VIC 3001

Complaints

If you believe that we have breached the APPs, you can submit a complaint online or write to us:

Complaints Officer
Australian Securities and Investments Commission
GPO Box 9827
Melbourne VIC 3001

Purpose

We collect personal information to enable us to:

• receive and investigate reports of misconduct about bodies and persons we regulate
• monitor compliance with the laws we administer
• investigate possible contravention of the laws we administer
• take enforcement action, including bringing court proceedings and preparing briefs to the Commonwealth Director of Public Prosecutions (CDPP), and
• consider applications for immunity from civil penalty or criminal proceedings for a contravention of a provision in Pt 7.10 of the Corporations Act.

Collection

We collect personal information from individuals including:

• individuals who report suspected misconduct
• potential witnesses, and
• individuals who are the subject of reports of suspected misconduct, or our compliance or investigation activities.

The personal information we collect from these individuals may include information about them. However, it may often also include personal information about other individuals. For example, a report of suspected misconduct usually contains personal information about the individual who is the subject of the report.

Where we have collected information about individuals from third parties, we will often be exempt from having to inform the individuals about the collection because it would not be reasonable in the circumstances. For example, if the individual is the subject of an investigation, informing them may prejudice the investigation.

Information may be provided to us voluntarily. There are also a variety of laws which require individuals to provide information to us, including the ASIC Act and the Corporations Act. If we require an individual to provide personal information to us (for example, by serving a notice under the ASIC Act), we will inform the individual of the specific law that authorises or requires the collection.

Use

We use personal information for the purpose for which it was collected. We may also use the information for other purposes as explained in Our personal information handling practices: Use of information. Examples of other purposes include:

• assessing future reports of suspected misconduct
• carrying out future compliance or investigation activity
• reviewing and determining regulatory policy
• carrying out data analytics, and
• monitoring compliance with ASIC’s policies.

Disclosure

The types of bodies or persons to which we usually disclose personal information collected for the purposes of handling reports of suspected misconduct and for our compliance and investigation activities include:

• lawyers and other service providers who we engage to assist us in carrying out our functions
• the CDPP
• courts and tribunals
• other enforcement bodies (such as the Australian Federal Police)
• other government agencies (such as the Australian Taxation Office)
• lawyers acting for persons who are bringing court proceedings related to the information (see s25 and s26 of the ASIC Act), and
• responsible Ministers and parliamentary committees exercising their oversight functions.

Purpose

Our functions include administering a number of registrations and licensing regimes, and maintaining registers of these registrations and licences that can be inspected by the public. The registration and licensing regimes that we administer include:

• Australian companies
• Australian financial services licences
• Australian credit licences
• Australian business names
• registered auditors and liquidators in Australia
• Australian market licences
• Australian clearing and settlement facility licences
• Australian derivative trade repository licences, and
• self-managed superannuation fund auditors in Australia.

We are also required to exercise a number of statutory powers including:

• granting relief to bodies and persons from complying with some requirements imposed on them by law, and
• dealing with claims for unclaimed property held by us.

We collect, use and disclose personal information to assist us in carrying out these functions.

Collection

The law requires that bodies and persons who wish to be registered or licensed by us must provide us with certain information. We collect much of this information through forms which are lodged with us (often online). Applicants for registration and licensing may provide additional information to us voluntarily.

Bodies and persons requesting us to exercise our statutory powers provide information, which may include personal information, to support their applications.

The information provided to us may also contain personal information about other individuals (for example, many company registration forms will contain personal information about the company’s directors). We will often be exempt from the requirement to collect personal information directly from the individual because they have consented to our collection of their information from another party—for example, by authorising a company secretary to provide us with information about their role as a director.

Use

We use personal information for the purpose for which it was collected. We may also use the information for other purposes as explained in Our personal information handling practices: Use of information. Examples of some of the other purposes for which we may use this personal information include:

• assessing future reports of suspected misconduct
• future compliance or investigation activity, and
• reviewing and determining policy.

Disclosure

The law authorises or requires us to make certain information available to the public, including personal information collected in the course of our registration and licensing activities. We do this by maintaining registers that can be inspected by the public, by publishing the material in the Government gazette and by making it available on our website.

We may disclose other personal information to other bodies or persons as explained in Our personal information handling practices: Disclosure to other bodies or persons.

Purpose

We regularly consult with individuals, and the private and public sectors to determine policy.

We collect personal information about these individuals in the course of our consultation activities. This information may include contact details and personal information relating to the conduct of their regulated activities.

Collection

We receive information from bodies and persons who are affected by or are interested in the laws that we administer. We may receive this information in the form of submissions in response to consultation or discussion papers we have issued. We may also receive information through less formal processes, such as meetings.

This information may contain personal information about the individual giving us the information. It may also contain personal information about other individuals. We may not notify these individuals about the collection because it would not be reasonable or practicable in the circumstances.

Use

We use personal information for the purpose of reviewing and determining policy. We may also use the information for other purposes as explained in Our personal information handling practices: Use of information.

Disclosure

We may publish the results of our consultations (for example, by publishing reports). We will not publish personal information collected during consultation without obtaining permission from the individuals.

We may disclose other personal information to other bodies or persons as explained in Our personal information handling practices: Disclosure to other bodies or persons.

Purpose

We receive requests from foreign regulators to assist them in their activities, and we collect information, which may include personal information, in order to respond to these requests. We also receive requests from foreign law enforcement agencies to provide them with information held by us to assist them in their activities.

We also make requests to foreign regulators and law enforcement agencies to obtain information, including personal information, to assist our compliance and enforcement activities. Foreign regulators and law enforcement agencies may also refer information to us if they believe it is relevant to our regulatory functions.

We are a signatory to international cooperation agreements with a number of foreign regulators. For details of these agreements, see International activities.

Collection

When responding to requests for assistance from foreign regulators, we collect personal information from individuals, or their authorised representatives. We are authorised under the Mutual Assistance in Business Regulation Act 1992 to collect this information, which may include personal information.

The material we collect from individuals may include personal information about them. It may also include personal information about other individuals. Where we have collected personal information about individuals from third parties, we may not notify those individuals because it would not be reasonable or practicable in the circumstances. For example, if the individual is the subject of an investigation by the foreign regulator, informing them may prejudice the investigation.

Foreign regulators and law enforcement agencies provide information to us in response to our requests.

Use

We use personal information obtained from foreign regulators and law enforcement agencies for the compliance or investigation purpose for which it was requested, or for other purposes with their consent. We may also use the information for other purposes as explained in Our personal information handling practices: Use of information. Examples of some of the other purposes for which we may use this personal information include:

• assessing future reports of suspected misconduct, and
• future compliance or investigation activity.

Disclosure

We provide personal information we collect in response to requests from foreign regulators to those regulators. We may also disclose personal information held by us to law enforcement agencies in response to requests made by them.

We disclose personal information given to us by foreign regulators and law enforcement agencies where that disclosure is related to the purpose for which it was provided to us, or for other purposes with the consent of the individuals. We may also disclose personal information to other bodies or persons as explained in Our personal information handling practices: Disclosure to other bodies or persons.

The types of bodies or persons to which we usually disclose personal information provided to us by foreign regulators and law enforcement agencies includes:

• lawyers and other service providers who we engage to assist us with these functions
• courts and tribunals
• other enforcement bodies (such as the Australian Federal Police), and
• other government agencies (such as the Australian Prudential Regulation Authority).

Purpose

We collect personal information for the purposes of handling complaints about our conduct.

Collection

The complaints will usually contain personal information about the individual who lodged the complaint. It may also contain personal information about other persons.

We may also collect personal information about individuals from third parties if it is relevant to the complaint.

Use

We use personal information for the purpose of handling the complaint. We may also use the information for other purposes as explained in Our personal information handling practices: Use of information.

Disclosure

We would usually disclose the name of the complainant and the details of the complaint to our staff if any are the subject of the complaint, as we consider the complainant would expect us to do this. However, we will not provide information to our staff if the complainant tells us that they do not want the information disclosed.

If the complainant asks us not to reveal their information, we may not be able to investigate the complaint if we are unable to give our staff sufficient information to be able to respond to the complaint.

We may also disclose personal information to other bodies or persons, as explained in Our personal information handling practices: Use of information.

Purpose

We collect personal information for the purposes of:

• assessing candidates’ suitability for employment
• engaging, managing and supporting team members’ employment or contract
• assessing team members’ ongoing suitability to hold and maintain a security clearance and to access Australian Government official resources, and
• managing conflicts of interest, conducting professional standards investigations or public interest disclosures and conducting investigations into suspected misconduct or breaches of our code of conduct or policies by employees and contractors.

We collect sensitive information from candidates and team members to ensure that we meet our obligations under:

• the Australian Government’s Protective Security Policy Framework in relation to the security of individuals, and
• the ASIC Code of Conduct and our Diversity and Inclusion Policy.

Collection

We collect personal information about our employees and contractors. This information includes:

• name, address and contact details
• information about their identity, such as:
  • date and country of birth
  • passport
  • driver licence details
  • visa details
• information about personal circumstances, such as gender and marital status
• financial information, such as:
  • payment details
  • bank account details
  • information about business and financial interests, including details of their trading in securities, shareholdings and interests in any superannuation funds
• information about education and employment, such as:
  • qualifications
  • applications for employment
  • work history
  • referees’ comments, and
• Government identifiers, such as their tax file number or Australian Business Number.

We may also collect sensitive information, including:

• racial or ethnic background
• health information, such as any medical history, disability or injury
• any criminal record, and
• professional or trade associations.

Generally, we collect personal information directly from candidates and team members or their authorised representatives. At times, we may also collect personal information from third parties, including:

• past and present employers and referees
• other Australian, state or territory government entities in relation to any existing or previous employment and security clearances the candidate or team member held or holds
• agencies (such as the Australian Electoral Commission for information about residential addresses)
• the Department of Home Affairs and the Department of Foreign Affairs and Trade to check any naturalisation and/or citizenship documents and international movements
• other service providers (such as contracted vetting providers, medical practitioners or psychologists) used during the assessment process
• the Australian Federal Police and other enforcement bodies
• the Australian Security Intelligence Organisation (ASIO)
• state and territory registries of births, deaths and marriages
• government agencies which have investigated any suspected breaches of law or Australian Government policy
• financial institutions and financial vetting institutions
• medical practitioners to clarify medical information (with the candidate or team member’s consent)
• other third parties relevant to assessing and monitoring the team member’s ongoing suitability for employment with us and for holding and maintaining a security clearance, or
• educational institutions.

Use

We use the personal information for the purposes set out in paragraph 93. We may also use the personal information to investigate suspected breaches of the law.

Disclosure

We may disclose personal information for the purposes for which we have collected the information. This may include disclosure to the agencies and bodies listed above at paragraph 97.

Limited amounts of a team member’s personal information may be disclosed to overseas recipients if they are required to access foreign government resources. The information that may be disclosed includes their clearance status, full name and date of birth, and position.

Where we are required or authorised by law, we may disclose a team member’s personal information. For example, we may disclose their personal information to:

• an Australian court or tribunal
• a Fair Work Inspector or a permit holder, such as a union official, that may be conducting an investigation into a suspected contravention of the law under the Fair Work Act 2009
• enforcement bodies to investigate a suspected breach of the law or for integrity purposes. We may also disclose to enforcement bodies where we believe that the disclosure is reasonably necessary for the agency, or someone acting on their behalf, to conduct enforcement related activities, or
• a third party where the team member:
  • has consented to us disclosing the information to the third party, or
  • would reasonably expect us to disclose the information for a secondary purpose and that purpose is related or directly related to the purposes for which we have collected the information. For example, we may disclose personal information to a future employer in the context of providing a reference.