Purposes for collection
We only collect personal information that is reasonably necessary for, or directly related to, one or more of our functions or activities under the legislation we administer. For further information, see The laws we administers.
The purposes for which we collect personal information include the following:
- to handle reports of misconduct lodged with us, monitor compliance with the laws we administer, and identify, investigate and take enforcement action in relation to contraventions of those laws
- to assist us to fulfil our statutory obligations such as administering registration and licensing regimes, granting relief from regulatory requirements, and dealing with unclaimed property
- to enable us to consult with stakeholders and consider and determine policy
- to cooperate with foreign regulators and law enforcement agencies
- to deal with and assess complaints about our conduct
- to manage our employees, contractors and service providers
- to enable users to access our online tools and systems
- to enable us to provide subscription services to people who have chosen to take part in those services.
How we collect information
We collect personal information from individuals, or their authorised representatives.
In some circumstances we may collect personal information about individuals from third parties. These include:
- personal information collected from third parties about individuals who are the subject of reports of misconduct made to us
- personal information collected from third parties about individuals in the course of our compliance or investigation activities.
- information provided to us in the course of our registration, licensing and other statutory functions may contain personal information about individuals
- other documents provided to us, such as tender documents and curriculum vitaes, may contain personal information about individuals.
The Australian Privacy Principles place a general obligation on Australian Government agencies to inform individuals when they collect personal information about them from third parties. However, in many cases where we collect information from third parties, we do not inform the individuals because one of the following exceptions applies:
- we expect that the individual would have consented to us collecting the information
- we are required or authorised to collect the personal information from third parties by law
- it would not be reasonable for the individual to know that we have collected the information because, for example, it may relate to the investigation of a report of misconduct.
The Australian Privacy Principles require Australian Government agencies to allow individuals the option of not identifying themselves, or using a pseudonym when dealing with the agency when it is lawful and practicable to do so.
We generally provide individuals with the option of not identifying themselves or using a pseudonym. However, on many occasions we will not be able to do this. Examples include:
- we will need your name and address in order to register a business name to you or to grant you an Australian financial services license
- in order to gain protection under the Corporations Act 2001 whistleblowers must provide us with their name.
Consequences of not providing information
If we ask an individual to voluntarily provide personal information to us there are no punitive consequences if they do not provide any or all of the information to us. However, there may be other consequences, for example:
- they may not being able to make the most of our services
- an application for a licence may not be able to be processed
- we may not be able to properly investigate or resolve a report of misconduct made by the individual
- we may issue a compulsory notice seeking the information.
If we compel someone to provide personal information to us (e.g. under section 33 of the Australian Securities and Investments Commission Act 2001), or they are required to provide personal information to us in compliance with another statutory obligation, they may commit an offence or be subject to a penalty if they fail to provide all or any of the personal information to us. If we issue a compulsory notice to an individual, we will inform them of the offences and penalties for a failure to comply with that notice.
We only use personal information which we have collected for the purpose for which it was collected unless one of the following applies:
- the individual consents to us using, or would reasonably expect us to use, the information for a different purpose
- we are required or authorised by law to use the information
- we reasonably believe that the use or disclosure is necessary for our enforcement activities.
We are required or authorised to collect, use or disclose personal information by or under a variety of laws. They include the following:
- Australian Securities and Investments Commission Act 2001
- Corporations Act 2001
- Business Names Registration Act 2011
- Insurance Contracts Act 1984
- Superannuation Industry (Supervision) Act 1993
- Retirement Savings Accounts Act 1997
- Life Insurance Act 1995
- National Consumer Credit Protection Act 2009
- Market Integrity Rules.
The types of bodies or persons to which we usually disclose personal information collected by us include the following:
- lawyers and other service providers who we engage to assist us with our functions
- other law enforcement agencies (such as the Australian Federal Police)
- other government agencies (such as the Australian Taxation Office)
- the Australian Securities Exchange
- courts and tribunals
- foreign regulators (for further details of our arrangements with foreign regulators see International activities)
- the public, if the personal information is required to be published in a register that can be searched by the public, in the gazette or on our website
- parliamentary committees exercising their oversight functions
- applicants under the Freedom of Information Act 1982.
We only disclose personal information for the purpose for which it was collected, or for another purpose if one of the following applies:
- the individual has consented
- the individual would reasonably expect us to disclose the personal information
- we are required or authorised by law
- we reasonably believe the use or disclosure is necessary for our or other agencies' enforcement activities.
Storage and security of information
We store personal information in both electronic IT systems as well as paper files.
We take steps to protect the personal information we hold against loss, unauthorised access, use, modification or disclosure, and against other misuse. These steps include password protection and access privileges for accessing our IT systems, securing paper files in locked cabinets and physical access restrictions.
When no longer required, personal information is destroyed in a secure manner after it has met the destruction date identified in a records authority issued by the National Archives of Australia.
Visiting our website
When you browse our website, our service provider logs the following information for statistical purposes - your server address, top level domain name (eg .com, .gov, .au, .uk), the date and time of your visit, the pages accessed, documents downloaded, the previous site visited and the type of browser used.
We do not identify users or their browsing activities except, in the event of an investigation, where a law enforcement agency may be entitled to inspect the service provider's logs.
If you make a payment by credit card online, we will collect information such as your email address, name and credit card details to enable us to process your payment and provide you with a payment receipt.
The Privacy Act allows individuals to seek access to and request correction of records containing their personal information. The Freedom of Information Act 1982 also sets out the process by which you can access, change or annotate records held by us, which contain your personal information.
You can obtain further information about how to request access or changes to the information by contacting the Senior Manager, Administrative Law Team, whose contact details are set out below.
Complaints about breaches of the Australian Privacy Principles by us may be made to the Senior Manager, Administrative Law Team. The Senior Manager may be contacted on 1300 300 630, by email to email@example.com or by writing to
The Senior Manager
Administrative Law Team
Australian Securities and Investments Commission
GPO Box 9827
MELBOURNE VICTORIA 3001