ASIC Privacy Policy - summary
This summary privacy policy provides you with a short overview of how ASIC handles personal information. ASIC's Privacy Policy was issued on 5 September 2024.
Our personal information handling practices
Purposes for collection
We only collect personal information that is reasonably necessary for, or directly related to, one or more of our functions or activities under the legislation we administer. For further information, see the laws we administer.
How we collect information
We collect personal information from individuals or their authorised representatives.
In some circumstances we may collect personal information about individuals from third parties in the course of:
- preparing or receiving reports of suspected misconduct
- carrying out our compliance or investigation activities
- carrying out our registration, licensing and other statutory functions
- receiving other documents (such as tender documents that contain personal information about individuals), and
- recruiting our employees and contractors.
The APPs place a general obligation on Australian Government agencies to inform individuals when they collect personal information about them from third parties. We only collect personal information from third parties where:
- the individual consents
- we are required or authorised to collect the personal information from third parties by law, or
- it would not be reasonable or practicable for the individual to know that we have collected their personal information (because, for example, it could jeopardise an investigation of a report of suspected misconduct).
Use of personal information
We only use personal information for the purpose for which it was collected, unless one of the following applies:
- we obtain the individual's consent to use the personal information for a different purpose
- the individual would reasonably expect us to use the personal information for a different but related purpose (and if the personal information is sensitive information, that the purpose is directly related to the collection purpose)
- we are required or authorised by law to use the information (for example, by a court order or subpoena)
- a permitted general situation exists – including where we reasonably believe that using the information is necessary to:
  - lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety
  - take appropriate action to correct suspected unlawful activities or serious misconduct in relation to our functions and activities, or
  - establish a legal or equitable claim, or
- we reasonably believe that the use is necessary for our enforcement activities (such as to gather intelligence or take enforcement action).
We are required or authorised to collect, use or disclose personal information by a variety of laws which include the:
- Australian Securities and Investments Commission Act 2001
- Corporations Act 2001
- ASIC Supervisory Cost Recovery Levy Act 2017
- ASIC Supervisory Cost Recovery Levy (Collection) Act 2017
- Business Names Registration Act 2011
- Insurance Contracts Act 1984
- Superannuation Industry (Supervision) Act 1993
- Retirement Savings Accounts Act 1997
- Life Insurance Act 1995, and
- National Consumer Credit Protection Act 2009.
If we collect personal information in the course of carrying out one of our functions (for example, receiving a report of suspected misconduct or when carrying out an investigation), and the information is relevant to another of our regulatory functions (for example, an application for a licence or for another investigation that we are conducting), we will, in general, use that personal information for that other purpose.
Disclosure of personal information
The types of bodies or persons to which we usually disclose personal information collected by us include the following:
- lawyers and other service providers who we engage to assist us with our functions
- other law enforcement agencies (such as the Australian Federal Police)
- other government agencies (such as the Australian Taxation Office)
- the Australian Securities Exchange
- members of committees convened to consider liquidator registration and disciplinary matters and Financial Services and Credit Panels
- courts and tribunals
- foreign regulators (for further details of our arrangements with foreign regulators, see International activities)
- the public, if the personal information is required to be published in a register that can be searched by the public, in the Government gazette or on our website
- parliamentary committees exercising their oversight functions
- applicants under the Freedom of Information Act 1982 (FOI Act)
- referees and former employers to verify qualifications and experience when assessing certain applications, and
- the Australian Government Security Vetting Agency or any other vetting providers that we engage to conduct security or vetting assessments on our behalf.
We only disclose personal information for the purpose for which it was collected, or for another purpose, if one of the following applies:
- the individual has consented to the disclosure
- the individual would reasonably expect us to disclose the personal information because it relates to the primary purpose for which it was collected (or if it is sensitive information, that it is directly related)
- we are required or authorised by law to disclose the information
- a permitted general situation exists – including where we reasonably believe that using the information is necessary to:
  - lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety
  - take appropriate action to correct suspected unlawful activities or serious misconduct in relation to our functions and activities, or
  - establish a legal or equitable claim, or
- we reasonably believe the disclosure is necessary for our enforcement activities, or for the enforcement activities of other Commonwealth, state or territory agencies.
From time to time, we may disclose your personal information to an overseas body or recipient. The specific country we disclose to will depend on the particular matter and may include the United States, Hong Kong, New Zealand, the United Kingdom and Singapore. We will not disclose your information outside of Australia without your express or implied consent, unless otherwise permitted by APP 8 – Cross-border disclosure of personal information.
Storage and security of information
We store personal information in electronic systems, including those provided by contracted cloud service providers such as Amazon Web Services, and paper files.
We take steps to protect the personal information we hold against loss, unauthorised access, use, modification or disclosure, and against other misuse. These steps include password protection and access privileges for accessing our IT systems, securing paper files in locked cabinets, and physical access restrictions.
If a data breach occurs and personal information that we hold about you is subject to unauthorised loss, use or disclosure, we will respond in accordance with the Privacy Act 1988 (Privacy Act).
The Privacy Act requires us to notify you, the Office of the Australian Information Commissioner and any other relevant agencies of any unauthorised access or disclosure of your personal information which would be likely to result in serious harm to you or any affected individuals.
If we reasonably suspect that there has been such unauthorised access or disclosure, we will carry out an expeditious assessment to determine if it is an ‘eligible data breach’ and take all reasonable steps to contain the unauthorised access or disclosure. We will complete our review within 30 days of becoming aware of the potential personal information breach.
Note: See section 26WE of the Privacy Act for the definition of an ‘eligible data breach’.
When no longer required, we destroy personal information in accordance with ASIC’s Record Disposal Authority as approved by the National Archives of Australia or as part of normal administrative practice.
Quality, access and correction
We will take reasonable steps to ensure that the personal information we hold about you is accurate, up to date, relevant and complete, including when it is used or disclosed.
The Privacy Act allows you to seek access to your personal information and request that we correct your personal information where that information is inaccurate, out of date, incomplete, irrelevant or misleading. The FOI Act also sets out the process by which you can access, change or annotate documents we hold that contain your personal information.
We are permitted to refuse your request to access or correct your personal information where there are valid reasons under the Privacy Act, the FOI Act or other applicable law. If we refuse to provide access or correct personal information about you, we will notify you of our reasons and advise you of how you may seek a review. Generally, your application for access will be dealt with and processed within 30 days from the date that we receive it (unless the FOI Act would otherwise extend the timeframe to allow for consultations and submissions).
You can obtain further information about how to request access or a correction to your personal information by emailing us at privacy@asic.gov.au or writing to us:
Privacy Team, Legal Services
Australian Securities and Investments Commission
GPO Box 9827
Melbourne VIC 3001
Complaints
If you believe that we have breached the APPs, you can submit a complaint online or write to us:
Complaints Officer (Privacy)
Australian Securities and Investments Commission
GPO Box 9827
Melbourne VIC 3001
Visiting our website and social media pages
Overview
When you browse our website, our service provider logs the following information for statistical purposes: your server address, top level domain name (for example, .com, .gov, .au, .uk), the date and time of your visit, the pages accessed, the documents downloaded, the previous site visited and the type of browser used.
We do not identify users or their browsing activities except in the event of an investigation where a law enforcement agency may be entitled to inspect the service provider’s logs.
We may use cookies on our website to help us carry out online surveys. Cookies are small pieces of information exchanged between your web browser and a website server. Where we use an external survey provider, that provider could use cookies on their website. If this is the case, you will be directed to information on the provider’s website explaining their use of cookies.
If you make an online payment by credit card, we will collect information such as your email address, name and credit card details to enable us to process your payment, and we will provide you with a payment receipt.
When you communicate with us through our social media pages, such as Facebook or Twitter, the social network provider and its partners may collect and hold your personal information overseas. You should consult their privacy policy for further information.
Google Analytics and Google Tag Manager
In addition to web service logs, we use Google Analytics (including Google Analytics Advertising Features) and Google Tag Manager, which are web analysis services provided by Google Inc. ('Google').
All the information we collect using Google Analytics and Google Tag Manager is for internal purposes only. We cannot identify individuals based on the data we collect and we will not publish any of it on our website.
Reports obtained from Google Analytics are used to improve the efficiency and usability of the ASIC website. Google Analytics uses cookies to help analyse how users use our website. The information generated by the cookie about your use of our website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Advertising Features is a function within Google Analytics to get more advanced information about our users, such as user demographics, user interests, and frequency of visits. For more information on how Google uses the data collected, read Google's Privacy Policy and the Google Analytics Terms of Service. To opt out and prevent your data from being collected by Google Analytics, you can download Google's opt out add-on.
Google Tag Manager enables us to combine codes on different areas of the website and collect data in ways that we cannot do with Google Analytics. For more information on how Google uses the data collected, read Google's Privacy Policy.
By using our website, you consent to Google processing data about you in the manner and for the purposes set out above.
Email addresses
We will record your email address only if you send us a message or enter it on a form. It will only be used or disclosed in accordance with our obligations under the Privacy Act, and will not be added to a mailing list unless you request that this be done.
Subscriptions or logins
To subscribe or log in to some parts of our website, you must provide either a valid email address or a specific username and password. These details will only be used or disclosed in accordance with our obligations under the Privacy Act and will not be added to any other mailing lists unless you specifically ask us to. Email mailing list addresses are stored on a separate server and can be accessed by authorised staff only.
Electronic newsletters
When we send you an electronic newsletter that you have subscribed to, we have access to data about whether you opened that newsletter and clicked on links.
Searches
We keep a record of any search terms you use if you're searching our website, but we don't associate that information with other information that we collect. We use these search terms to identify what people are looking for on our website and to improve the services that we provide.
Links to other websites
We might include links to other sites, including social media sites (e.g. Facebook, YouTube, and Twitter), to make it easy to share information. These other sites might use web measurement tools, customisation technologies and persistent cookies to inform the service they provide to their users. We are not responsible for the privacy practices or the content of other websites, and we do not use, maintain or share personal information that is collected by other websites.