1.1 Purpose of the policy
This Policy is intended to ensure that the privacy of individuals is protected in the collection, use, disclosure and storage of personal information by FOS.
1.2 Scope of the policy
This Policy has been written by the FOS to comply with its obligations under the Privacy Act 1998 (Cth) (the Act) and the Australian Privacy Principles (APPs).
The document sets out the obligations of FOS with respect to its obligations when dealing with personal information. The Notes following any principle set out details of the manner in which FOS will comply with the principles.
1.3 Contents of this policy (Section 2)
- Functions and Activities of FOS
- Anonymity and Pseudonymity
- Collection of solicited personal information
- Dealing with unsolicited personal information
- Notification of the collection of personal information
- Use or disclosure of personal information
- Direct marketing
- Cross-border disclosure of personal information
- Adoption, use or disclosure of government related identifiers
- Quality of personal information
- Security of personal information
- Access to personal information
- Correction of personal information
The role of FOS is to provide an accessible, independent dispute resolution service to individual and small businesses.
A dispute which falls within the jurisdiction of FOS may be referred to the relevant member to give it an opportunity to resolve the dispute.
If the member and the Applicant do not resolve the dispute, FOS may investigate and reach a determination as to how the dispute should be resolved, or refer the dispute to a FOS panel and/or adjudicator.
In addition, FOS offers a telephone information service (Enquiries Area) to provide information to individuals about the functions and activities of FOS, its jurisdiction and information about other entities which may assist the individual.
2.2.1 FOS will manage personal information in an open and transparent way.
2.2.3 FOS collects personal information from Applicants and financial services providers for the purpose of resolving disputes. A person may access their personal information held by FOS in accordance with this Policy.
2.2.4 If an individual wishes to complain about a breach of the APPs by FOS, they must firstly direct their complaint to any member of FOS staff or the Privacy Manager. The contact details for the FOS Privacy Manager can be found at the end of this document.
2.2.5 A complaint about a breach of privacy must be in writing.
2.2.6 The individual making a privacy complaint must give FOS 30 days to respond to the complaint.
2.2.7 If after FOS has responded to the complaint the individual who has made the privacy complaint to FOS is not satisfied with the outcome of their complaint they are entitled to take their complaint to the Office of the Australian Information Commissioner (OAIC). The contact details for the OAIC can be found at www.oaic.gov.au .
2.3.1 Individuals may have the option where it is practicable of not identifying themselves, or of using a pseudonym, when dealing with FOS.
As it is not practical for FOS to consider or process anonymous disputes, individuals wishing to bring a dispute to FOS for resolution will be required to identify themselves. Callers to our Enquiries Area with a general inquiry not related to a specific case will not be required to identify themselves, although they may be asked for a postcode so that FOS can report on and assess the geographical spread of callers.
2.4.1 FOS will only collect personal information that is reasonably necessary for, or directly related to, one of FOS’s functions or activities, including resolving Applicant’s disputes.
2.4.2 FOS will only collect sensitive information about an individual with their consent and the information is reasonably necessary for one or more of FOS’s functions or a lawful exception under the APPs applies.
2.4.3 FOS will only collect personal information by lawful and fair means.
2.5.1 If FOS receives unsolicited personal information then FOS will determine whether or not it could have collected the information under APP 3.
2.5.2 If FOS determines that it could not have collected the personal information then it will, as soon as practicable, destroy the information or ensure that the information is de-identified.
2.5.3 If FOS could have collected the personal information under APP 3, then APPs 5 to 13 will apply in relation to the information as if FOS had collected the information under APP 3.
2.6.2 The matters for the purposes of subclause 5.1 include:
a) the identity and contact details of FOS;
b) the purposes for which FOS collects the personal information;
FOS will provide the information required in the APPs to individuals by:
- Including that information in a privacy statement on the FOS website and in information brochures; and
- Providing a copy of this policy on request.
It is accepted practice for alternative dispute resolution schemes such as FOS to collect and use available information, including third party personal information to carry out their primary function of dispute resolution.
FOS will collect information in the following ways:
- In writing, from the Applicant or his or her representative and the member;
- Orally, in telephone or face to face conversations with the Applicant and the member; and
- From third parties who can assist by providing information.
FOS will not accept personal information obtained by any person in any way which is unlawful or improper.
Given the purpose and activities of FOS, it can be assumed that, before bringing a dispute, most complainants will be aware that FOS will use the personal information they disclose when FOS seeks to resolve their dispute and that will require disclosure to the relevant member about which they are complaining.
In FOS’s publications and website, FOS will inform members and Applicants that they should only send information that is relevant to the dispute between them and keep to a minimum information concerning third parties.
Information about third parties to disputes
Sometimes FOS receives a dispute that necessarily concerns information about a third party, who has no direct involvement in the dispute at FOS. In many of these kinds of cases it will not be reasonable or practicable for FOS to collect the personal information directly from the individual concerned because:
a) To do so would disclose the fact that a dispute has been brought to FOS and thereby breach the privacy of the Applicant;
b) Disclosure may have adverse consequences for the Applicant including pressure not to pursue their legal rights including their right to access FOS and, in some cases, the threat of physical or emotional harm;
c) FOS may not have contact details for the third party and may have to incur considerable costs to locate him or her;
d) In some circumstances, such as where allegations of fraud or forgery are made in relation to the third party, it would not be practicable to collect the relevant and potentially incriminating information from that third party.
It is accepted practice for alternative dispute resolution schemes such as FOS to collect and use available information, including third party personal information, to carry out their primary function of dispute resolution.
Where FOS collects personal information about a person other than an Applicant it will take reasonable steps to ensure that the third party is or has been made aware of the matters listed above if it is practicable. However FOS will not contact third parties directly to inform them that it holds information about them because to do so would breach the confidentiality of Applicants and may, in some cases, pose a threat to the life and health of the complainant. For these reasons, FOS has determined that it is not reasonable or practicable for FOS to inform the third party of the matters set out above.
However, where information about a third party is provided by the Applicant or the member, FOS will, to the extent practicable, return to the Applicant, delete or de-identify information about third parties:
If FOS considers that the third party information is necessary in the resolution of the dispute, FOS may ask the Applicant or member to advise the other person that the information has been provided and why.
2.7 Use or disclosure of personal information
2.7.1 FOS will only use and disclose personal information about an individual for the primary purpose for which it was collected unless a secondary purpose in accordance with the APPs applies.
2.7.2 The use or disclosure of personal information about an individual for a secondary purpose may apply for the reasons set out under the APPs, including if:
a) the individual would reasonably expect FOS to use or disclose the information for the secondary purpose and the secondary purpose is:
i. if the information is sensitive information—directly related to the primary purpose; or
ii. if the information is not sensitive information—related to the primary purpose; or
b) the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
c) a permitted general situation exists in relation to the use or disclosure of the information by FOS. A permitted general situation includes where the collection, use or disclosure is reasonably necessary for the purposes of a confidential alternative dispute resolution process.
FOS respects the confidentiality of information provided by and about individuals and treats all such information as confidential between the individual and the member.
FOS will use personal information about an individual for its primary purpose of dispute resolution. In the course of so doing FOS may disclose personal information to the individual, to the relevant member, FOS panel and/or adjudicator.
FOS may, where considered necessary, disclose personal information to other persons in order to investigate and determine a dispute. For example, where more than one person has received the same financial service or product, such as joint account holders, it may be necessary to disclose personal information to the other person in order to resolve the dispute, including the fact that a dispute has been lodged at FOS. A further example is where forgery is claimed, an opinion may be sought from a handwriting expert.
FOS may use or disclose personal information about an individual for the purpose of investigating and reporting to relevant persons or authorities (such as the Australian Securities & Investments Commission). In many cases it would be expected that any information provided to relevant persons or authorities for reporting purposes would not include personal information but rather de-identified information.
Personal information will be de-identified before being used for the purpose of reporting to stakeholders, the public and the Government about our activities and as such will not be personal information.
Third parties seeking information about a dispute
From time to time, FOS is contacted by persons who claim to represent an Applicant and who seek information about the progress of a dispute. These people include members of parliament, legal and financial advisers, friends and family members. FOS makes no assessment about the intentions of any such person in seeking information.
However, FOS will not discuss any aspect of a dispute with any person other than the complainant unless the Applicant has authorised FOS to do so.
2.8.1 If FOS holds personal information about an individual, FOS will not use or disclose the information for the purpose of direct marketing unless one of the exceptions under the APPs applies.
2.9.1 FOS is not likely to disclose personal information to overseas recipients.
2.9.2 FOS will only disclose personal information to overseas recipients with prior authority of the individual concerned.
The jurisdiction of the FOS does not extend to overseas entities. Where a particular case requires information about an individual to be transferred outside Australia, the individual’s prior authority will be sought by FOS.
2.10.1 FOS will not adopt a government related identifier of an individual as its own identifier.
2.10.2 FOS will not use or disclose a government related identifier unless it is in accordance with the APPs.
FOS assigns numbers to dispute files. Applicants are not assigned any identifying number or code by FOS.
2.11.1 FOS will take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that FOS collects is accurate, up to date and complete.
2.11.2 FOS will take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that FOS uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.
Where an Applicant or member notifies FOS of undisputed changes to personal details held by the FOS about an individual, or errors in FOS’s records, FOS will make the necessary changes as soon as practicable.
2.12.1 FOS will take such steps as are reasonable in the circumstances to protect the personal information about an individual
a) from misuse, interference and loss; and
b) from unauthorised access, modification or disclosure.
a) FOS holds personal information about an individual; and
b) FOS no longer needs the information for any purpose for which the information may be used or disclosed; and
c) the information is not contained in a Commonwealth record; and
d) FOS is not required by or under an Australian law, or a court/tribunal order, to retain the information;
FOS will take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.
FOS premises and information systems are controlled by electronic security.
Staff have access to files and electronic records relating to disputes in order to deal with those disputes. FOS will make staff aware of privacy obligations by training. Contracted staff are required to give confidentiality undertakings in respect of any personal information they access.
It is FOS’s policy to destroy physical files seven years after closure of the file.
2.13.1 If FOS holds personal information about an individual, FOS will, on request by the individual, give the individual access to the information.
2.13.2 FOS may not provide the individual access to the personal information to the extent that:
a) FOS reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or
b) giving access would have an unreasonable impact on the privacy of other individuals; or
c) the request for access is frivolous or vexatious; or
d) the information relates to existing or anticipated legal proceedings between FOS and the individual, and would not be accessible
by the process of discovery in those proceedings; or
e) giving access would reveal the intentions of FOS in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
f) giving access would be unlawful; or
g) denying access is required or authorised by or under an Australian law or a court/ tribunal order; or
h) both of the following apply:
i. the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in; and
ii. giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or
iii. giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
i) giving access would reveal evaluative information generated within FOS in connection with a commercially sensitive decision-making process.
Dealing with requests for access
2.13.3 FOS will:
a) respond to the request for access to the personal information within a reasonable period after the request is made; and
b) give access to the information in the manner requested by the individual, if it is reasonable and practicable to do so.
2.13.4 If FOS refuses to give access to the personal information FOS will give the individual a written notice that sets out the reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so; and provide:
a) the mechanisms available to complain about the refusal; and
b) any other matter prescribed by the regulations.
2.13.5 If FOS refuses to give access to the personal information because the information would reveal evaluative information generated within FOS in connection with a commercially sensitive decision-making process, the reasons for the refusal may include an explanation for the commercially sensitive decision.
2.13.6 Any individual who wishes to gain access to information held by FOS should contact the FOS member of staff dealing with their dispute or the Privacy Manager. The contact details for the FOS Privacy Manager can be found at the end of this document.
The individual should provide as much information as possible to assist FOS in determining where the relevant information is held. This includes file numbers, the name of the Applicant, the name of the FOS member and/or relevant dates.
An individual who believes that information held by FOS is not accurate, complete or up-to-date should contact their Case Officer, Case Manager or the Privacy Manager.
2.14 Correction of personal information
a) FOS holds personal information about an individual; and
i. FOS is satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out of date, incomplete, irrelevant or misleading; or
ii. the individual requests the entity to correct the information;
FOS must take such steps (if any) as are reasonable in the circumstances to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up to date, complete, relevant and not misleading.
Application for correction of personal information
2.14.2 An individual wanting to correct personal information held by FOS on the basis that the information is incorrect or not up to date should contact the FOS staff member dealing with their dispute or the FOS Privacy Manager. The Privacy Manager’s contact details are set out at the end of this document.
Notification of correction to third parties
a) FOS corrects personal information about an individual that FOS previously disclosed to another entity; and
b) the individual requests FOS to notify the other entity of the correction;
FOS must take such steps (if any) as are reasonable in the circumstances to give that notification unless it is impracticable or unlawful to do so.
Refusal to correct information
2.14.4 If FOS refuses to correct the personal information as requested by the individual, FOS must give the individual a written notice that sets out:
a) the reasons for the refusal except to the extent that it would be unreasonable to do so; and
b) the mechanisms available to complain about the refusal; and
c) any other matter prescribed by the regulations.
Request to associate a statement
a) FOS refuses to correct the personal information as requested by the individual; and
b) the individual requests the entity to associate with the information a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading;
FOS must take such steps as are reasonable in the circumstances to associate the statement in such a way that will make the statement apparent to users of the information.
Dealing with requests
2.14.6 If a request is made as per above, FOS will respond within a reasonable period after the request is made and will not charge the individual for the making of the request, for correcting the personal information or for associating the statement with the personal information (as the case may be).
FOS Privacy Manager contact details:
The Privacy Manager
Financial Ombudsman Service
GPO Box 3
MELBOURNE VIC 3001
Telephone: 1300 78 08 08