- Purposes for collection
- How we collect information
- Use of personal information
- Disclosure of personal information
- Storage and security of information
- Quality, access and correction
Purposes for collection
We only collect personal information that is reasonably necessary for, or directly related to, one or more of our functions or activities under the legislation we administer. For further information, see the laws we administer.
We collect personal information from individuals or their authorised representatives.
In some circumstances we may collect personal information about individuals from third parties in the course of:
- preparing or receiving reports of suspected misconduct
- carrying out our compliance or investigation activities
- carrying out our registration, licensing and other statutory functions
- receiving other documents (such as tender documents that contain personal information about individuals)
- recruiting our employees and contractors.
The APPs place a general obligation on Australian Government agencies to inform individuals when they collect personal information about them from third parties. We only collect personal information from third parties where:
- the individual consents
- we are required or authorised to collect the personal information from third parties by law
- it would not be reasonable or practicable for the individual to know that we have collected their personal information (because, for example, it could jeopardise an investigation of a report of suspected misconduct).
We only use personal information for the purpose for which it was collected, unless one of the following applies:
- we obtain the individual's consent to use the personal information for a different purpose
- the individual would reasonably expect us to use the personal information for a different but related purpose (and if the personal information is sensitive information, that the purpose is directly related to the collection purpose)
- we are required or authorised by law to use the information (for example, by a court order or subpoena)
- we reasonably believe that the use is necessary for our enforcement activities (such as to gather intelligence or take enforcement action).
We are required or authorised to collect, use or disclose personal information by a variety of laws which include the:
- ASIC Act
- Corporations Act
- ASIC Supervisory Cost Recovery Levy Act 2017
- ASIC Supervisory Cost Recovery Levy (Collection) Act 2017
- Business Names Registration Act 2011
- Insurance Contracts Act 1984
- Superannuation Industry (Supervision) Act 1993
- Retirement Savings Accounts Act 1997
- Life Insurance Act 1995
- National Consumer Credit Protection Act 2009.
If we collect personal information in the course of carrying out one of our functions (for example, receiving a report of suspected misconduct or when carrying out an investigation), and the information is relevant to another of our regulatory functions (for example, an application for a licence or for another investigation that we are conducting), we will, in general, use that personal information for that other purpose.
The types of bodies or persons to which we usually disclose personal information collected by us include the following:
- lawyers and other service providers who we engage to assist us with our functions
- other law enforcement agencies (such as the Australian Federal Police)
- other government agencies (such as the Australian Taxation Office)
- the Australian Securities Exchange
- courts and tribunals
- foreign regulators (for further details of our arrangements with foreign regulators, see International activities)
- the public, if the personal information is required to be published in a register that can be searched by the public, in the Government gazette or on our website
- parliamentary committees exercising their oversight functions
- applicants under the Freedom of Information Act 1982 (FOI Act)
- referees and former employers to verify qualifications and experience when assessing certain applications
- the Australian Government Security Vetting Agency or any other vetting providers that we engage to conduct security or vetting assessments on our behalf.
We only disclose personal information for the purpose for which it was collected, or for another purpose, if one of the following applies:
- the individual has consented to the disclosure
- the individual would reasonably expect us to disclose the personal information because it relates to the primary purpose for which it was collected (or if it is sensitive information, that it is directly related)
- we are required or authorised by law to disclose
- we reasonably believe the disclosure is necessary for our enforcement activities, or for the enforcement activities of other Commonwealth, state or territory agencies.
- from time to time, we may disclose your personal information to an overseas body or recipient. The specific country we disclose to will depend on the particular matter and may include the United States, Hong Kong, New Zealand, the United Kingdom and Singapore. We will not disclose your information outside of Australia without your express or implied consent, or we will disclose as otherwise permitted by APP 8 – Cross-border disclosure of personal information.
We store personal information in electronic systems and paper files.
We take steps to protect the personal information we hold against loss, unauthorised access, use, modification or disclosure, and against other misuse. These steps include password protection and access privileges for accessing our IT systems, securing paper files in locked cabinets, and physical access restrictions.
If a data breach occurs and personal information that we hold about you is subject to unauthorised loss, use or disclosure, we will respond in accordance with the Privacy Act.
The Privacy Act requires us to notify you, the Office of the Australian Information Commissioner and any other relevant agencies of any unauthorised access or disclosure of your personal information which would be likely to result in serious harm to you or any affected individuals.
If we reasonably suspect that there has been such unauthorised access or disclosure, we will carry out an expeditious assessment to determine if it is an ‘eligible data breach’ and take all reasonable steps to contain the unauthorised access or disclosure. We will complete our review within 30 days of becoming aware of the potential personal information breach.
Note: See section 26WE of the Privacy Act for the definition of an ‘eligible data breach’.
When no longer required, we destroy personal information in accordance with ASIC’s Record Disposal Authority as approved by the National Archives of Australia or as part of normal administrative practice.
We will take reasonable steps to ensure that the personal information we hold about you is accurate, up to date, relevant and complete, including when it is used or disclosed.
The Privacy Act allows you to seek access to your personal information and request that we correct your personal information where that information is inaccurate, out of date, incomplete, irrelevant or misleading. The FOI Act also sets out the process by which you can access, change or annotate documents we hold that contain your personal information.
We are permitted to refuse your request to access or correct your personal information where there are valid reasons under the Privacy Act, the FOI Act or other applicable law. If we refuse to provide access or correct personal information about you, we will notify you of our reasons and advise you of how you may seek a review. Generally, your application for access will be dealt with and processed within 30 days from the date that we receive it (unless the FOI Act would otherwise extend the timeframe to allow for consultations and submissions).
You can obtain further information about how to request access or a correction to your personal information by emailing us at firstname.lastname@example.org or writing to us:
Commission Counsel (Privacy Team)
Australian Securities and Investments Commission
GPO Box 9827
Brisbane QLD 4001
If you believe that we have breached the APPs, you can submit a complaint online or write to us:
Complaints Officer (Privacy)
Australian Securities and Investments Commission
GPO Box 9827
Brisbane QLD 4001
When you browse our website, our service provider logs the following information for statistical purposes—your server address, top level domain name (for example, .com, .gov, .au, .uk), the date and time of your visit, the pages accessed, the documents downloaded, the previous site visited and the type of browser used.
We do not identify users or their browsing activities except in the event of an investigation where a law enforcement agency may be entitled to inspect the service provider’s logs.
If you make an online payment by credit card, we will collect information such as your email address, name and credit card details to enable us to process your payment, and we will provide you with a payment receipt.
In addition to web service logs, we use Google Analytics (including the Advertising Features) and Google Tag Manager, which are web analysis services provided by Google Inc. ('Google').
All the information we collect using Google Analytics and Google Tag Manager is for internal purposes only. We cannot identify individuals based on the data we collect and we won't publish any of it on our website.
By using this website, you consent to Google processing data about you in the manner and for the purposes set out above.
We will record your email address only if you send us a message or enter it on a form. It will only be used for the purpose for which you provide it, and will not be added to a mailing list unless you request that this be done. We will not disclose it without your consent, unless required by law.
To subscribe or login to some parts of our website, you must provide either a valid email address or a specific user name and password. These details will only be used for the purpose for which you have provided them and will not be added to any other mailing lists unless you specifically ask us to. Email mailing list addresses are stored on a separate server and can be accessed by authorised staff only. Your email address will not be disclosed without your consent, unless required by law.
When we send you a newsletter that you have subscribed to we have access to data about whether you opened that newsletter and clicked links.
We keep a record of any search terms you use if you're searching our website, but we don't associate that information with other information that we collect. We use these search terms to identify what people are looking for on our website and to improve the services that we provide.
We might include links to other sites and we use social media sites, for example, Facebook, YouTube, and Twitter, to make it easy to share information. These other sites might use web measurement tools, customisation technologies and persistent cookies to inform the service they provide to their users. We are not responsible for the privacy practices or the content of other websites, and we do not use, maintain or share personal information that is collected by other websites.
We want your feedback so we can improve the services our website provides.
If you have any comments on the technical operations, functionality or usability of the pages of our website, please email email@example.com. You can use a pseudonym, or you do not have to identify yourself, when you email us to provide us with site feedback.