This Policy is intended to ensure that the privacy of individuals is protected in the collection, use, disclosure and storage of personal information by Commonwealth Superannuation Corporation (CSC). CSC [ABN 48 882 817 243, RSE L0001397, AFSL 238069] is responsible for the privacy, confidentiality and security of personal information received by it in the course of its operations. Personal information is protected and kept confidential in accordance with federal legislation, including the Privacy Act 1988 and the Australian Privacy Principles under that Act. CSC is trustee of or administers 11 superannuation schemes, providing superannuation services to current and former Australian government employees and members of the Australian Defence Force (ADF).
CSC is trustee of five regulated public sector and military schemes:
- Commonwealth Superannuation Scheme (CSS)
- Public Sector Superannuation Scheme (PSS)
- Military Superannuation and Benefits Scheme (MilitarySuper)
- Public Sector Superannuation accumulation plan (PSSap)
- Australian Defence Force Superannuation Scheme (ADF Super).
CSC administers six exempt public sector and military schemes:
- 1922 Scheme
- Defence Forces Retirement Benefits Scheme (DFRB)
- Defence Force Retirement and Death Benefits Scheme (DFRDB)
- Papua New Guinea Scheme
- Defence Force (Superannuation) (Productivity Benefit) Determination (the DFSPB)
- Australian Defence Force Cover.
CSC's primary function is to manage and invest the funds of the schemes in the best interests of all members and in accordance with the provisions of the various acts and deeds that govern the schemes. CSC's statutory functions are set out in the Governance of Australian Government Superannuation Schemes Act 2011 and scheme legislation and deeds. CSC, as the trustee of the CSS, PSS, MilitarySuper, PSSap and ADF Super is also required to comply with, for example, the Superannuation Industry (Supervision) Act 1993 and regulations, the Corporations Act 2001 and regulations, tax legislation and regulations, and the Anti-Money Laundering & Counter Terrorism Financing Act 2006.
What is personal information?
In general terms, the Privacy Act regulates how personal information about an individual is collected and handled. Personal information’ is information or an opinion about an identified individual or an individual who is reasonably identifiable:
- whether the information or opinion is true or not, or
- whether the information or opinion is recorded in a material form or not.
Personal information includes information such as:
- your name or address
- bank account details and credit card information
- internet clickstream
- cookies data, or
- information about your opinions.
The thirteen APPs in Schedule 1 of the Privacy Act regulate how agencies (including CSC) can:
- store, or
- your personal information.
Under the Telecommunications (Interception and Access) Act 1979, certain telecommunications data (metadata) is taken to be personal information for the purposes of the Privacy Act. Metadata includes, but is not limited to, information about the sources and destinations of communications, and the location of equipment or the line used in connection with a communication.
What is sensitive information?
Sensitive information includes information or an opinion concerning an individual’s health, or other personal attributes such as racial or ethnic origin, religious beliefs and membership of political or trade associations.
What personal information is collected, held, used and disclosed by CSC?
The type of personal information that is collected, held, used and disclosed by CSC includes information about superannuation contributions, name and address details, date of birth, salary, employment details, beneficiary details, medical information and contact details.
Sensitive information is collected where consent has been provided and the information is reasonably necessary for one or more of CSC's functions or activities. Sensitive information can also be collected where the collection of information is required or authorised by or under an Australian law or a court/tribunal order.
CSC may also collect identifying data about member activities or interactions with CSC’s online applications, including but not limited to the collection of user locations, number and frequency of access attempts, number, type and frequency of member transactions and pages visited.
How does CSC collect information?
CSC may collect your personal information where we are authorised or required by law, where you have consented, or where the information is reasonably necessary for, or directly related to, our functions or activities. Sensitive information is primarily provided to CSC through Australian government employers.
Information is collected directly via email, correspondence, telephone, or gained indirectly through the website. Sensitive information is more likely to be collected, held, used and disclosed in circumstances where an insurance or legal claim is being decided or contested, where a reconsideration of a decision is sought either internally or through the Australian Financial Complaints Authority (AFCA).
Sensitive information is primarily provided to CSC through external service providers, such as scheme administrators, employers, insurers or by external dispute resolution bodies (such as the AFCA), when dealing with claims or complaints.
How does CSC store and protect information?
CSC and its service providers take reasonable steps to protect your personal information against misuse, loss, unauthorised access, modification or disclosure.
These steps include:
- Access to personal information is on a need to know basis, by authorised personnel
- Our premises have secure access
- Storage and data security systems and protections are regularly updated and audited.
CSC stores and holds your information in hard copy format and/or electronically on site and with third party storage providers, including on servers of third parties within Australia. CSC has agreements with its storage providers to keep all personal information they store secure, using appropriate security methods.
All records are handled and stored in accordance with the Australian Government Protective Security Policy Framework. When no longer required, personal information is destroyed in a secure manner, or archived or deleted in accordance with our obligations under the Privacy Act and Archives Act 1983.
CSC may combine personal information we receive about you with other information we hold about you. This includes information received from third parties such as employers.
Personal information is collected, held, used and disclosed as required or authorised by law, for the purpose of managing the superannuation schemes. This includes the management of superannuation investments, providing superannuation products, services and information to members, administration of the superannuation schemes and payment of benefits, conducting market research and product development in the interests of scheme members.
CSC may also collect, hold, use and disclose information to and from a complaints authority or tribunal where required. CSC is required, if requested in accordance with the requirements of the Family Law Act 1975, to provide information about a member’s interest in a superannuation fund to their spouse or a person who intends to enter into an agreement with the member about splitting their superannuation interests in the event of marriage breakdown. The request must be in a form prescribed by law. The law prevents us from telling the member about any such request.
Disclosure to and from third parties
Personal information is primarily provided to CSC directly or through your employer or other external service providers:
MASAPL, AIA, Guideway, AFCA, OAIC and the Ombudsman may pass on personal information to CSC for the purpose of managing the superannuation schemes and member accounts, and providing superannuation and dispute resolution services to members.
Personal information is provided to these service providers or to CSC directly from the member themselves, a third party associated with the member such as an adviser or family member under a power of attorney (consent is obtained from the member in these circumstances) or through an eligible employer.
Disclosure for market research
CSC may conduct research to find out what you think about a range of issues including the services we deliver. The results of this research helps CSC improve the services it provides to members. CSC contracts with external companies to conduct this research. Where the research is related to our services, we may provide your contact details to those companies. If we do disclose your contact details, the company is contractually required to keep your information secure.
Results of market research activities do not reveal the identity of participants or link the feedback or comments provided to them. Participation in market research will not affect the services you receive from CSC. A decision not to participate in market research will not affect the services CSC provides to you. CSC will not release your personal information to any person unless the law requires it or your permission is given.
You have the right to opt-out of market research communications. You may elect to opt-out of market research communications by contacting us.
Is CSC likely to disclose personal information to overseas recipients?
CSC does not disclose personal information to overseas recipients. Where permitted by law, CSC's scheme administrators may disclose personal information for the international transfer of superannuation benefits. For members with relevant transferred funds, the information disclosed may include their name, date of birth, principal address and national insurance number (or unique tax reference).
CSC takes all reasonable steps to ensure that the overseas recipients of your personal information do not breach the privacy obligations relating to your personal information.
Collection of information via website activity
When our website is visited, certain information is collected to allow us to change and improve our websites and online services. Typically, this information consists of:
- what pages are visited
- what day and time they are visited
- how often the site is visited, and
- what browsers are used.
When using the online services provided by CSC or MASAPL, all information passing between a personal computer and the secure section of our website is encrypted to enhance its security. While we endeavour to provide a secure environment, there are inherent security risks associated with communicating over the internet. We provide alternative means of communication including direct contact via telephone or facsimile.
Collection of personal information concerning children
CSC collects personal information concerning children for the purposes of assessing eligibility to receive a benefit. Information is collected, held, used and disclosed in accordance with this policy.
Accessing and correcting your information
CSC takes steps to ensure that the personal information we collect is accurate, up to date and complete. These steps include maintaining and updating personal information when we are advised by individuals that their personal information has changed, and at other times as necessary.
Under the Privacy Act you have the right to ask for access to personal information that we hold about, and ask that we correct that personal information. You can ask for access or correction by contacting us and we must respond within 30 days. If you ask, we must give you access to your personal information, and take responsible steps to correct it if we consider it is incorrect, unless there is a law that allows or requires us not to.
Depending on superannuation scheme membership, members who wish to correct information on their account should contact us.
Staff, job applicants and contractors
Your personal information is protected by law, including the Privacy Act and Australian Privacy Principles, and is collected by CSC to determine your suitability for an advertised vacancy. Your application for employment cannot be considered without the collection of this personal information. Personal information can only be accessed by relevant CSC staff and recruitment service providers, which may include CSC’s recruitment team, the People team and selection committee members who are conducting the selection process. Relevant information may also be disclosed to previous employers or other agencies or persons as part of a pre-employment check. The check establishes your identity, eligibility and suitability for employment.
Personal information is stored in a cloud based service that is based in Australia and will not be stored overseas. If you are deemed suitable and placed in a talent pool, your information may be used for subsequent recruitment processes if a suitable position becomes available.
If you consider that CSC has interfered with your privacy, you should first make a complaint to CSC by emailing the Privacy Team. Please allow an adequate opportunity for the complaint to be dealt with by CSC, generally giving 30 days for a response. Upon receipt of your complaint, CSC will:
- gather the facts relevant to the complaint
- investigate the issues raised and consider how your request regarding outcomes can be met
- communicate our response to you in person and in writing, and invite you to reply to our response
- identify any systemic issues raised and possible responses, and
- record your complaint and outcome.
These steps will be taken in accordance with the OAIC checklist for addressing privacy complaints.
How to make a complaint to the OAIC
If you are not satisfied with CSC’s response to your complaint, you may make a complaint to the OAIC. Where appropriate, the Commissioner can make preliminary enquiries into the matter, investigate and/or attempt to resolve the complaint by conciliation.
In some circumstances, the Commissioner may decline to investigate complaints. If a complaint is not resolved, the Commissioner may make a determination about whether an interference with privacy has occurred.
More information about the Commissioner’s privacy complaint handling process can be found here.
Post: Office of the Australian Information Commissioner
GPO Box 5218
SYDNEY NSW 2001
Telephone: 1300 363 992