Privacy Policy
1. Introduction
This Privacy Policy is in place to enable the Government Employees Superannuation Board (GESB) to appropriately manage personal information on behalf of our members. This policy serves to outline the importance of protecting the privacy of our members and implementing practices and procedures that enable us to deal with members’ enquiries in an open and transparent manner. This policy outlines the way that we handle information in compliance with:
- The Privacy Act 1988 (Cth)
- The Data Protection Act 2018 (UK)
- The European Union General Data Protection Regulation (EU) 2016/679 (GDPR)
- The Privacy Amendment (Notifiable Data Breaches) Act 2017
- The Consumer Data Rights (CDR) legislation consisting of Part IVD of the Competition and Consumer Act 2010 (Cth) and the Competition and Consumer (Consumer Data Right) Rules 2020 (Cth) (CDR Rules)
- The Privacy and Responsible Information Sharing Act 2024
2. Scope
This policy operates in conjunction with the privacy elements of our GESB Code of Conduct, Information Management Policy and Information Systems Usage Policy.
We are obliged to provide some personal information about a member under the Family Law Act 1975 (Cth) to third parties in relation to superannuation split payments. The State Superannuation Regulations 2001 (WA) (Reg 224G) enable us to provide any further information our Board considers reasonably necessary to understand the superannuation interest.
While we are not legally required to comply with the Privacy Act 1988 (Cth), as a matter of good business practice we have aligned this Privacy Policy with the spirit of the Australian Privacy Principles (APPs) and the Privacy (Tax File Number) Rule 2015 (TFN Rule) issued under that legislation. We also align with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth) and the Australian Government Agencies Privacy Code.
The GDPR gives rights to individuals located in the European Union (EU) or the United Kingdom (UK), and imposes obligations on organisations that hold and process their information. We process members’ information in accordance with the GDPR.
CDR legislation governs how open banking (a system that allows consumers to share their banking data with third parties accredited by the Australian Competition and Consumer Commission) operates in Australia. Under the CDR insights model provided for in CDR legislation, GESB will receive CDR insights from an unrestricted Accredited Data Recipient (unrestricted ADR), which will be passed to our Fund Administrator via secure application programming interfaces.
3. The types of data we collect about members
We will only collect personal information which is necessary for the purposes of carrying out our functions. The personal information we collect about our members may include:
- Name
- Date of birth
- Tax file number
- Employment details
- Contact details
- Financial information
- Gender
- Details of beneficiaries
- Other information necessary to provide products and services to members
- Other information members may make publicly available online (including, but not limited to, information on social media platforms)
- Information from member dealings with our websites, products, services, content and advertising, including location, geo-location information, device identification, computer and network information, page view data, site traffic, advertising information, IP address and web logging data
We may also collect sensitive personal information. This will generally be limited to information about health but may include other sensitive personal information, and will normally be collected with members’ express consent.
4. How we collect members’ information
Notification of collection of information
We usually collect information directly from our members, but where our functions and legal obligations require it we will sometimes collect information from the following other parties:
- Employer, former employer, and salary package provider
- The Australian Taxation Office
- Other superannuation providers
- Other State Government agencies
- Medical practitioners or medical advisors
- Unrestricted ADRs
If we collect information about a member from a third party, we will take steps to notify the member about the purposes of the collection of information, and the existence of this Privacy Policy and any associated rights of the member.
Personal information
We can only collect and use members’ personal information if we have a valid lawful reason to do so, and the information is collected for a specified legitimate purpose. These lawful and legitimate reasons are either:
- Legal obligations: we process members’ information to ensure that GESB complies with relevant laws and regulations
- Public interest: we process information in order to properly administer the fund, the administration of the fund being in the public interest and in the exercise of official authority vested in GESB
Sensitive information
We do not process sensitive information relating to members’ health, ethnicity, religious or political beliefs unless it is strictly necessary. When we do, it is limited to specific circumstances (typically in respect of insurance claims), and always in accordance with one or more of the following:
- Obligations and rights: we process sensitive information in order to comply with our statutory obligations and rights in the field of employment, social security, and social protection law in so far as it is authorised by law
- Assessing medical capacity: we process sensitive information in order to assess the employment and working capacity of a member in order to manage the administration of the superannuation funds and related insurance policies
- Substantial public interest: as we are a not-for-profit statutory authority responsible for the administration of superannuation funds and related insurance policies, it can be in the public interest for us to collect and process members’ sensitive information
Unsolicited information
If we receive information which we did not seek or request from a member, the information will be destroyed (provided it is lawful to do so) unless we could have collected the information under this policy, or it is contained in a Commonwealth record. If the information is not destroyed, it will be dealt with as if it were received in the normal course of business.
5. What we do with members’ information
Legitimate activity
We will only use members’ information for legitimate reasons necessary for one or more of our functions or activities, including:
- Managing, administering, investing, and paying or transferring superannuation benefits
- Establishing and verifying identity
- Assessing eligibility for insurance cover and benefits
- Providing notices and statements
- Complying with regulatory or other legal requirements including reporting obligations
- Managing and resolving complaints
- For any other specific, explicit, and legitimate purpose compatible with the primary reason for the collection of the information, or as required by law, for example under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)
Marketing
We may occasionally use the personal information we collect to notify members about important changes at GESB and products and services. Members can contact us on 13 43 72 if they do not wish to receive these notices.
6. Who we share members’ information with
We may share members’ information with other organisations consistent with the purposes for which GESB uses and processes the information as described in this policy. This includes, for example, where we are required by law to provide information to other entities, and the sharing of information with our contracted service providers. Where we use service providers, we require sufficient guarantees that they implement appropriate measures to comply with the applicable privacy laws, including GDPR.
To comply with our regulatory obligations and cooperate with authorities, we may disclose information to the relevant authorities, for example, to counter terrorism and prevent money laundering.
In some cases, we may share members’ information with external parties, including:
- Australian Government bodies, including, but not limited to:
  - The Australian Taxation Office
  - The Australian Competition and Consumer Commission
  - Australian Financial Complaints Authority
- Western Australian Government bodies, including, but not limited to:
  - The Ombudsman
  - The Public Trustee
  - Corruption and Crime Commission
  - The Department of Treasury
- Australian judicial/investigative authorities
- Australian Securities and Investments Commission
- Australian Prudential Regulation Authority
- AUSTRAC
- Lawyers
- State Solicitor’s Office
- Third party service providers, including:
  - Actuary
  - Insurer
  - Fund Administrator
  - Unrestricted ADRs
Cross border disclosure
In accordance with specific legislation, we may disclose members’ information to a foreign fund or regulator.
We will take reasonable steps to ensure that any recipient of information outside of Australia has appropriate controls over its handling of information. Exceptions to this include:
- If disclosure is required pursuant to Australian law or a court/tribunal order
- If disclosure is required under an international agreement to which Australia is a party
- If the member agrees to such disclosure
Outsourcing
We may disclose personal information when outsourcing services or functions. We will obtain assurance from all external service providers that they have systems and policies in place to comply with Australian privacy laws and the GDPR.
Where we use cloud computing services to facilitate the transfer of member information from one provider to another, requirements for safeguarding member privacy will be taken into account when drawing up the agreement. Any agreement with another provider will require that the cloud computing services used have adequate security arrangements in place to protect all information stored in them.
Insurance
We may disclose members’ information relevant to the provision of insurance products, to the insurer underwriting the group policies (Insurer) which issues and underwrites the insurance products under the relevant schemes.
7. Members’ rights
Right to access and rectification
Subject to the Freedom of Information Act 1992 (WA), members may access their personal information and receive a copy of that information. If we are satisfied that information we hold about a member is inaccurate, out of date, incomplete, irrelevant, or misleading, or a member has requested correction of their information, we will take such steps as are reasonable to correct it. We will also ensure that any third parties with whom the data has been shared also have the information corrected.
Right to anonymity
Members will have the option of not identifying themselves, or of using a pseudonym, when dealing with GESB, except where it is not practicable. Individuals seeking information about their account will need to be identified before we are able to disclose any specific information.
Right to erasure
In certain circumstances, members have the right to request that the information we hold be erased. If we refuse this request, we will write to the member providing an explanation. We are required by law to keep certain information that we hold about members for a period of time after the member ceases to participate in a scheme administered by us. Once this period expires, we will take the necessary steps to destroy the information securely.
Right to restrict processing
Members may in certain circumstances request that we only process the members’ information in limited circumstances. These include if the member believes:
- The information is inaccurate
- The information is being processed unlawfully
- We no longer need the information
Right to data portability
A member may request that we transfer the information we hold about that member to another person or organisation.
Right to object to processing
In certain circumstances, members may object to GESB processing information. Members cannot object to processing if it is required by law.
Right to object to automated decisions
Members have the right to object to automated decision making and can ask that a person at GESB reviews a decision.
Right to complain
Members have the right to complain about how their information is being handled. If members are unhappy with how their complaint is handled, they can escalate the complaint to the Data Protection Officer/Privacy Officer. Members can also contact the data protection authority in their country.
Complaints about our responsibilities under our Privacy Policy or the GDPR should be directed to the Privacy Officer/Data Protection Officer.
8. Members’ duty to provide information
There is certain information that GESB must know about members so that we can commence and execute our duties as administrator of superannuation and pension schemes and fulfil our associated legislative and contractual duties. There is also information that we are legally obliged to collect. Without this information, we may not be able to administer accounts for our members or perform certain activities.
9. How we protect members’ information
We have taken reasonable steps to implement practices, procedures, and systems to integrate data protection into our activities. This includes, for example, enhancing our internal privacy capability by providing necessary training to staff.
We apply an internal framework of policies and minimum standards across all of our business to keep members’ information safe. These policies and standards are periodically updated to keep them in line with regulations and market developments. More specifically, and in accordance with the law, we continually take appropriate governance and technical measures to ensure the confidentiality and integrity of members’ personal information and the way it’s processed.
Our website uses standard security protocols to protect the personal information that members disclose through our Member Online service and that employers disclose through our Employer Online service. We will alert members when they follow a link to our Insurer’s website that they are leaving our secure site. Members should check the privacy policy of the new site before entering any personal information.
Where new or changed ways of handling personal information are envisaged, we will undertake a threshold assessment. Before performing processing that is likely to result in a high risk to the rights and freedoms of our members, we will perform a written privacy impact assessment (PIA)[1] of the envisaged processing operation and its effect on the security and protection of that data.
10. How long we keep members’ information
We will keep members’ information for as long as required and in accordance with the State Records Act 2000 (WA).
11. Data breaches
Where a data breach within the scope of the GDPR is detected, we must report it to the relevant supervisory authority no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of any of our members. Where the breach is likely to result in a high risk to the rights and freedoms of any members, we must also communicate it to the affected members without undue delay.
All data breaches are to be reported as an incident in accordance with GESB’s Compliance Program relating to incident and risk management.
12. Data Protection Officer/Privacy Officer/Privacy Champion
GESB’s Privacy Officer monitors and advises on compliance with the laws, including for example APPs and the GDPR.
13. Collection of electronic information
Our website and Member Online service use persistent cookies that enable us to enhance members’ experience of the services or functions offered. These cookies cannot be used to access members’ accounts or personal details. We will make no attempt to identify members or their browsing activities unless we are permitted to do so by law.
GESB has entered into an arrangement with an unrestricted ADR to receive CDR insights (insights based on CDR data) that allow members to verify their bank account details if they provide their consent through Member Online.
Unrestricted ADRs and the technologies used for Member Online can only facilitate the collection or verification of information; they cannot extract or store any information. All member data is hosted, managed and stored within the security boundaries and business rules of our Fund Administrator.
We will ask members to provide the name of their financial institution, together with their account name, account number and account type. No other information is required for the process.
This strengthens our fraud protection controls by confirming that nominated bank accounts are in the name of the member, substantially reducing the risk of member funds being released to a fraudulent bank account holder.
[1] A PIA is a systematic assessment that identifies the impact that a project might have on the privacy of individuals, and sets out recommendations for managing, minimising, or eliminating that impact.
This information is correct as at 13 June 2026.