Prime Partners recognises the importance of maintaining the confidentiality of individuals’ personal information. Prime Partners also acknowledges its obligations under the Privacy Act 1988 (Cth), as well as various industry codes of practice and other standards that deal with privacy and confidentiality.
This policy sets out Prime Partners’ approach to the handling of individuals’ personal information.
APP means Australian Privacy Principle, as set out in the Privacy Act 1988 (Cth).
Cross-border disclosure means a disclosure of personal information to an entity that is located outside Australia.
Disclosure means, in relation to personal information, a release of that personal information from the effective control of Prime Partners. Storage of personal information in the cloud may or may not constitute disclosure. Where the cloud solution is infrastructure-as-a-service (IAAS), the personal information stays in the effective control of Prime Partners and there is no disclosure. Where the cloud solution is software-as-a-service, a disclosure is likely to have occurred.
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
Sensitive information is a subset of personal information, which is information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political organisation, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, health information, genetic information, biometric information and biometric templates.
Use means, in relation to personal information, any accessing of personal information, including searching records for any reason, using personal information to make a decision or complete a task, or passing a record from one part of Prime Partners to another part.
Employees should only collect personal information about individuals where the collection is reasonably necessary for one or more of Prime Partners’ activities or services.
Types of information collected
Prime Partners collects personal information principally from its clients. Where relevant to current business operations, employees are authorised to collect all types of personal information, including but not limited to:
- contact information, such as full name, email address, postal address and phone numbers
- date of birth
- employment details, including but not limited to job title, salary, training and skills
- financial details, including insurance policies and details
- payment or billing information (including bank account details, credit card details, billing address and invoice details)
- sensitive information that is relevant to the delivery of services by Prime Partners.
Where possible, employees should collect personal information directly from the individual. However, it is permissible to obtain personal information from third parties such as family members, business partners and other service providers (such as financial planners).
If personal information about an individual is collected from a third party and it is unclear that the individual has consented to the disclosure of his or her information to Prime Partners, employees should take reasonable steps to contact the individual and ensure that he or she is aware of the collection. In most cases, this can take place simultaneously with the first use of the information by Prime Partners.
Where Prime Partners collects personal information from an individual, that individual should be provided with a collection notice where practicable. The collection notice should cover as many of the following matters as is reasonably practicable in the circumstances:
- Prime Partners’ name and contact details
- If the personal information was collected from someone other than the individual, details of how it was collected
- Whether the collection is authorised or required by law (if applicable)
- The purposes for which the information is being collected
- The consequences to the individual of not providing the information
- To whom Prime Partners usually discloses that kind of personal information
- Whether Prime Partners is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located.
Collection notices should generally be provided at the time the information is collected, by the employee responsible for collecting the information. Where this is not practicable (for example, where information is collected from a third party), the collection notice should be provided at the time of first contact with the individual, by the employee responsible for making that first contact.
In general, employees should attempt to limit the collection of sensitive information from individuals. However, sensitive information may need to be collected in order to deliver services to the individual. Employees should only collect sensitive information from or about an individual if it is necessary to deliver a service to that individual.
It is not generally practicable for individuals to engage with Prime Partners on an anonymous basis, or using a pseudonym. This is to enable Prime Partners to fulfill its own legal obligations with respect to various tax and other government agencies.
Unsolicited personal information
Where an individual provides personal information that has not been solicited by Prime Partners, the employee who receives that information should determine whether it is reasonably necessary for one or more of Prime Partners’ services or activities. If it is not, the information should be destroyed as soon as is practicable.
Use for primary purpose and certain secondary purposes
Employees must only use individuals’ personal information for the primary purpose for which it was collected, a secondary purpose to which the individual has consented, or:
- for a purpose related to the primary purpose of collection, where the individual would reasonably expect the personal information to be used for such a purpose
- where the employee reasonably believes that the use is necessary to prevent or lessen a serious or imminent threat to life, health or safety, or
- where the employee has reason to suspect that unlawful activity has been, or is being, engaged in.
There are other circumstances in which the partners may determine that personal information may be used for legal purposes (for example, in relation to legal claims or dispute resolution). If an employee is unsure as to whether personal information can be used for a specific purpose, the employee should consult with the partners.
Primary purposes (and secondary purposes for which consent is required) should be set out in collection notices and may include:
- preparation of tax returns
- providing tax, structuring, coaching and compliance advice
- providing reminders about upcoming tax and compliance deadlines
- providing information about tax and structuring opportunities
- sending invitations to workshops and events, and
- direct marketing of other services provided by Prime Partners.
Use for direct marketing
Employees may use individuals’ personal information for direct marketing purposes, but only where:
- the direct marketing communication contains a statement that the individual may opt out of receiving that type of communication, and
- the relevant individual has not made such a request.
Individuals who have opted out of direct marketing may still receive administrative emails, such as reminders about upcoming tax and compliance deadlines.
Where an individual provides his or her business contact details (such as a business card), this should be treated as implied consent to be contacted for business purposes, and no additional collection notice is required.
Employees may disclose individuals’ personal information where the disclosure is for the primary purpose for which the information was collected, a secondary purpose to which the individual has consented, or:
- for a purpose related to the primary purpose of collection where the individual would reasonably expect the personal information to be used or disclosed for such a purpose
- where the employee reasonably believes that the disclosure is necessary to lessen a threat to life, health or safety
- where the employee has reason to suspect that unlawful activity has been, or is being, engaged in, or
- where disclosure is required or authorised by law.
- Service providers that assist us in providing services to clients. Such services may include business valuations, bookkeeping, research and development tax advice, auditing of accounts including self-managed super funds, legal advice and other specialist taxation advice, accounting file preparation, data entry into our accounting systems, and dealing with government departments including the ATO
- Cloud data storage services
- The Institute of Chartered Accountants, to the extent that it requires access to our clients’ personal information in order to conduct occasional quality reviews, and
- Other accountants engaged by clients (in particular, clients consent to the disclosure of the existence of any unpaid invoices).
Prime Partners may use data hosting facilities or cloud software providers to assist it with providing its services. As a result, personal information provided to Prime Partners may be transferred to, and stored at, a destination outside Australia, including but not limited to the USA and New Zealand.
Personal information may also be processed by third parties operating outside Australia that assist Prime Partners with administration, bookkeeping and other functions. Currently, Prime Partners uses service providers located in the Philippines.
Maintaining security of personal information
Prime Partners will take reasonable steps to help ensure the security of personal information, including by:
- making sure that personal information is accurate, complete and up-to-date
- protecting personal information from misuse, loss, unauthorised access, modification or disclosure both physically and through computer security methods, and
- destroying or permanently de-identifying personal information if it is no longer needed for any authorised purpose.
Responding to a data breach
In the event of a data breach, Prime Partners will:
- conduct an investigation quickly and efficiently to determine if the breach is likely to result in serious harm to an affected individual. That assessment will be undertaken within 30 days of becoming aware that there are reasonable grounds to suspect a data breach, and
- determine whether notification to the Office of the Australian Information Commissioner is required.
Access and correction
Individuals are entitled to access any personal information held by Prime Partners about them, except in some exceptional circumstances provided by law. Where an individual requests access to their personal information, employees should verify the individual’s identity (for example, by asking the individual to confirm their name, address and date of birth) and subject to the exceptions described below, should provide the personal information requested.
Prime Partners is not required to provide access to personal information where:
- access would pose a serious threat to life, health or safety
- access would have an unreasonable impact on the privacy of other individuals
- the request is frivolous or vexatious
- denying access is required by law or court order
- access would be unlawful, or
- access may prejudice commercial negotiations, legal proceedings, enforcement activities or appropriate action being taken in respect of suspected unlawful activity or serious misconduct.
Requests for access should generally be responded to within 30 days.
Individuals are entitled to seek to have personal information about them corrected. If an individual makes such a request, employees should generally correct the information. If there is an operational reason the employee does not wish to do so, the employee should seek advice from the partners.
Due to the complexity of Prime Partners’ operations, individuals’ personal information may be stored simultaneously in more than one database or location. Employees must use reasonable endeavours to update all known instances where a request for correction of personal information by an individual is able to be fulfilled.
An individual wishing to make a complaint about any aspect of this policy or any other matter covered by the Australian Privacy Principles should be aware of the complaints mechanism, which is as follows:
- a complaint should firstly be made in writing by email to [email protected] or by post to PO Box 1074, North Sydney NSW 2059
- Prime Partners will endeavour to respond within 30 days
- the complaint may then be taken to an externally recognised dispute resolution scheme (if any), and
- lastly, a complaint may be made to the Australian Information Commissioner.