Privacy policy

1. Introduction

This privacy policy is in place to enable the Government Employees Superannuation Board (GESB) to appropriately manage privacy and information matters on behalf of our members. This policy serves to outline the importance of protecting the privacy of our GESB members and implementing practices and procedures that enable us to deal with members’ enquiries in an open and transparent manner. This policy outlines the way that we handle information in compliance with the Privacy Act 1988 (Cth), the Data Protection Act 2018 (UK), and the European Union General Data Protection Regulation (EU) 2016/679 (GDPR).

2. Scope

This policy operates in conjunction with the privacy elements of our GESB Code of Conduct, Information Management Policy and Information Systems Usage Policy.

We are obliged to provide some personal information about a member under the Family Law Act 1975 (Cth) to third parties in relation to superannuation split payments. The State Superannuation Regulations 2001 (WA) (Reg 224G) enable us to provide any further information our Board considers reasonably necessary to understand the superannuation interest.

While we are not legally required to comply with the Privacy Act 1988 (Cth), as a matter of good business practice we have adopted this privacy policy which incorporates the spirit of the Australian Privacy Principles and Privacy (Tax File Number) Rule 2015 (TFN Rule) prescribed by that legislation. We have also adopted the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth) and the Australian Government Agencies Privacy Code.

The GDPR gives individuals who are resident in the European Union (EU) or the United Kingdom (UK) rights, and creates obligations on the part of organisations that hold and process their information. We process members’ information in accordance with the GDPR.

3. The types of data we collect about members

We will only collect personal information which is necessary for the purposes of carrying out our functions. The personal information we collect about our members may include:

  • Name
  • Date of birth
  • Tax file number
  • Employment details
  • Contact details
  • Financial information
  • Gender
  • Details of beneficiaries
  • Other information necessary to provide products and services to members
  • Other information members may make publicly available online (including, but not limited to, information on social media platforms)
  • Information from member dealings with our websites, products, services, content and advertising, including location, geo-location information, device identification, computer and network information, page view data, site traffic, advertising information, IP address and web logging data

We may also collect sensitive personal information. This will generally be limited to information about health but may include other sensitive personal information, and will normally be collected with members’ express consent.

4. How we collect members’ information

Notification of collection of information

We usually collect information directly from our members, but will sometimes collect information, pursuant to our requirements and our legal obligations, from the following other parties:

  • Employer, former employer, and salary package provider
  • The Australian Taxation Office
  • Other superannuation providers
  • Other State Government agencies
  • Medical practitioners or medical advisors

If we collect information about a member from a third party, we will take steps to notify the member about the purposes of the collection of information, and the existence of this privacy policy and any associated rights that the member has.

Personal information

We can only collect and use members’ personal information if we have a valid lawful reason to do so, and the information is collected for a specified legitimate purpose. These lawful and legitimate reasons are either:

  • Legal obligations: we process members’ information to ensure that GESB complies with relevant laws and regulations
  • Public interest: we process information in order to properly administer the fund, the administration of the fund being in the public interest and in the exercise of official authority vested in GESB

Sensitive information

We do not process sensitive information relating to members’ health, ethnicity, religious or political beliefs unless it is strictly necessary. When we do, it is limited to specific circumstances (typically in respect of insurance claims), and always in accordance with one of the following:

  • Obligations and rights: we process sensitive information in order to comply with our statutory obligations and rights in the field of employment, social security, and social protection law in so far as it is authorised by law
  • Assessing medical capacity: we process sensitive information in order to assess the employment and working capacity of a member in order to manage the administration of the superannuation funds and related insurance policies
  • Substantial public interest: as we are a not-for-profit statutory authority responsible for the administration of superannuation funds and related insurance policies, it is in the public interest for us to collect and process members’ sensitive information

Unsolicited information

If we receive information which we did not seek or request from a member, the information will be destroyed (provided it is lawful to do so) unless the information could have been collected by us, or it is contained in a Commonwealth record. If the information is not destroyed, it will be dealt with as if it were received in the normal course of business.

5. What we do with members’ information

Legitimate activity

We will only use members’ information for legitimate reasons necessary for one or more of our functions or activities, including:

  • Managing, administering, investing, and paying or transferring superannuation benefits
  • Establishing and verifying identity
  • Assessing eligibility for insurance cover and benefits
  • Providing notices and statements
  • Complying with regulatory or other legal requirements including reporting obligations
  • Managing and resolving complaints
  • For any other specific, explicit, and legitimate purpose compatible with the primary reason for the collection of the information, or as required by law

Marketing

We may occasionally use the personal information we collect to notify members about important changes at GESB and about products and services. Members can contact us on 13 43 72 if they do not wish to receive these notices.

6. Who we share members’ information with

We may share members’ information with other organisations consistent with the purposes for which GESB uses and processes the information as described in this policy. This includes, for example, where we are required by law to provide information to other entities, and the sharing of information with our contracted service providers. Where we use service providers, we require sufficient guarantees that they implement appropriate measures to comply with the applicable privacy laws, including GDPR.

To comply with our regulatory obligations and cooperate with authorities, we may disclose information to the relevant authorities, for example, to counter terrorism and prevent money laundering.

In some cases, we may share members’ information with external parties, including:

  • Australian Commonwealth Government bodies, including, but not limited to:
    • The Australian Taxation Office
    • The Australian Competition and Consumer Commission
    • Australian Financial Complaints Authority
  • Western Australian Government bodies, including, but not limited to:
    • The Ombudsman
    • The Public Trustee
    • Corruption and Crime Commission
    • The Department of Treasury
  • Australian judicial/investigative authorities
  • Actuary
  • Insurer
  • Fund Administrator
  • Australian Securities and Investments Commission
  • Australian Prudential Regulation Authority
  • AUSTRAC
  • Lawyers
  • State Solicitor’s Office

Cross border disclosure

In accordance with specific legislation, we may disclose members’ information to a foreign fund or regulator.

We will take reasonable steps to ensure that any recipient of information outside of Australia has appropriate controls over its handling of information. Exceptions to this include:

  • If disclosure is required pursuant to Australian law or a court/tribunal order
  • If disclosure is required under an international agreement to which Australia is a party
  • If the member agrees to such disclosure

Outsourcing

We may disclose personal information when outsourcing services or functions. We will obtain assurance from all external service providers that they have systems and policies in place to comply with Australian privacy laws and the GDPR.

Where we use cloud computing services to facilitate the transfer of member information from one provider to another, requirements for safeguarding member privacy will be taken into account when drawing up the agreement. We will include in any agreement with other providers that any cloud computing services used have in place adequate security arrangements to protect all information stored in these services.

Insurance

We may disclose members’ information relevant to the provision of insurance products to the insurer underwriting the group policies (Insurer), which issues and underwrites the insurance products under the relevant schemes.

7. Members’ rights

Right to access and rectification

Subject to the Freedom of Information Act 1992 (WA), members may access their personal information and receive a copy of that information. If we are satisfied that information we hold about a member is inaccurate, out of date, incomplete, irrelevant, or misleading, or a member has requested correction of their information, we will take such steps as are reasonable to correct it. We will also ensure that any third parties with whom the data has been shared also have the information corrected.

Right to anonymity

Members will have the option of not identifying themselves, or of using a pseudonym, when dealing with GESB, except where it is not practicable. Individuals seeking information about their account will need to be identified before we are able to disclose any specific information.

Right to erasure

In certain circumstances, members have the right to request that the information we hold be erased. If we refuse this request, we will write to the member providing an explanation. We are required by law to keep certain information that we hold about members for a period of time after the member ceases to participate in a scheme administered by us. Once this period expires, we will take the necessary steps to destroy the information securely.

Right to restrict processing

Members may in certain circumstances request that we restrict the processing of their information. These include if the member believes:

  • The information is inaccurate
  • The information is being processed unlawfully
  • We no longer need the information

Right to data portability

A member may request that we transfer the information we hold about that member to another person or organisation.

Right to object to processing

In certain circumstances, members may object to GESB processing information. Members cannot object to processing if it is required by law.

Right to object to automated decisions

Members have the right to object to automated decision making and can ask that a person at GESB reviews a decision.

Right to complain

Members have the right to complain about how their information is being handled. If members are unhappy with how their complaint is handled, they can escalate the complaint to the Data Protection Officer/Privacy Officer. Members can also contact the data protection authority in their country.

Complaints about our responsibilities under the Privacy Act or the GDPR should be directed to the Privacy Officer/Data Protection Officer.

8. Members’ duty to provide information

There is certain information that GESB must know about members so that we can commence and execute our duties as administrator of superannuation and pension schemes and fulfil our associated legislative and contractual duties. There is also information that we are legally obliged to collect. Without this information, we may not be able to administer accounts for our members or perform certain activities.

9. How we protect members’ information

We have taken reasonable steps to implement practices, procedures, and systems demonstrating that we have taken steps to integrate data protection into our activities. This includes, for example, enhancing our internal privacy capability by providing necessary training to staff.

We apply an internal framework of policies and minimum standards across all of our business to keep members’ information safe. These policies and standards are periodically updated to keep them in line with regulations and market developments. More specifically, and in accordance with the law, we continually take appropriate technical and organisational measures (policies and procedures, IT security) to ensure the confidentiality and integrity of members’ personal information and the way it’s processed.

Our website uses standard security protocols to protect personal information that members disclose in using our Member Online and Employer Online services. If members follow a link to our Insurer’s website, we will alert them that they are leaving our secure site. Members should check the privacy policy of the new site before entering any personal information.

Prior to performing processing which is likely to result in a high risk to the rights and freedoms of our members, we will perform a written privacy impact assessment (PIA) of the impact of the envisaged processing operation on the security and protection of that data.

10. How long we keep members’ information

We will keep members’ information for as long as we are required to do so in accordance with the State Records Act 2000 (WA).

11. Data breaches

Where a data breach contrary to GDPR is detected, we must report the data breach to a supervisory authority no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of any of our members. Where the data breach is likely to result in a high risk to the rights and freedoms of any members, we must communicate the breach to any affected members without delay.

All data breaches are to be reported as an incident in accordance with GESB’s Compliance Program relating to incident and risk management.

12. Data Protection Officer/Privacy Officer/Privacy Champion

We will appoint an officer to act as Data Protection Officer/Privacy Officer. We will also select a member of the executive or management to act as a Privacy Champion.

13. Collection of electronic information

Our website and Member Online service use persistent cookies that enable us to enhance members’ experience of the services or functions offered. They cannot be used to access members’ accounts or personal details. We will make no attempt to identify members or their browsing activities unless we are permitted to do so by law.

Page last updated 13 December 2023